WhatsApp can’t start payments business, RBI tells SC

BENGALURU: As WhatsApp battles the Israeli spygate (Pegasus) controversy in India, the Reserve Bank of India has told the Supreme Court that the messaging platform, owned by Facebook, is non-compliant with data localisation norms and that it has directed National Payments Corporation of India (NPCI) to not allow a full-scale launch of a payments business by WhatsApp on the Unified Payments Interface (UPI).


NPCI manages UPI, which clocked over a billion transactions last month. The SC had recently asked RBI to update it on WhatsApp’s data localisation status.

WhatsApp could be hit in its biggest mkt

This was RBI’s response dated November 6 to the SC as the apex court had asked it to update it on WhatsApp’s data localisation compliance status in August.

TOI has seen RBI’s response to SC along with a letter, dated November 1, sent to NPCI MD & CEO telling it to not allow WhatsApp’s full-scale payments launch in India.

Earlier this year, the Centre for Accountability and Systemic Change (CASC), a think-tank, had filed a petition in the SC challenging WhatsApp’s compliance standards and absence of a local grievance officer in India. RBI was made a party to it.

The latest development formally damages WhatsApp’s aspirations to have a payments play here on the fast-growing UPI network.

In July, WhatsApp’s global head Will Cathcart had told TOI that the company was compliant with local laws and that he couldn’t wait to launch payments here as everything the company does is centred around India, its largest market with 400 million monthly active users. WhatsApp Pay is restricted to 1 million users in beta-mode since February 2018.

“The RBI has examined the said reports (by NPCI) and the responses of NPCI and is of the considered view that WhatsApp is storing the following payment data elements outside India beyond the permitted timelines indicated in the circular and frequently asked questions (FAQs) on storage of payments system data issued by RBI on June 26, 2019,” the banking regulator has said. Further, NPCI has been advised by RBI not to permit WhatsApp to go live for full-scale operations on UPI payments system, till the time they are fully compliant, it added.

Emails sent to RBI and NPCI did not elicit a response at the time of filing this article. WhatsApp India spokesperson said they don’t have any new comment on the matter.

According to RBI, WhatsApp is storing various payment data elements outside India which include transaction ID, expiry of collect request, retrieval reference number among other data elements. “When a customer raises a dispute, WhatsApp application (client) logs, query screenshots uploaded by a customer, and consumer email message are shared with the support team located in Hyderabad and USA and are stored for a period of 90 days. Although the logs do not contain payment data as contended by auditor, screenshots uploaded by customers and customer email message may contain payment data,” RBI added.

While WhatsApp has sued Israel’s NSO group in a US district court for placing spyware ‘Pegasus’ on its users across the world, including India, the matter has raised serious questions over the security of the platform for users and their data. However, RBI’s response does not mention the spyware attack.