The Reserve Bank of India has told the Supreme Court that WhatsApp was only allowed to “go live” on UPI by the National Payment Corporation of India (NPCI) after ensuring that it was completely compliant with its circular.
The central bank also stressed that the NPCI is responsible for responding to the enforcement status of WhatsApp, Google, and Amazon with the Unified Payments Interface system rules/procedural guidelines (UPI).
The RBI stated in an affidavit: “NPCI is the system provider of UPI and, therefore, comes under the regulatory radar of the RBI. Since it was NPCI that allowed Amazon, Google, and WhatsApp to operate under UPI, the responsibility to ensure that these entities comply with all the rules/regulations/guidelines governing UPI lies with the NPCI.”
The RBI added that until they are fully compliant with the requirements of the RBI directions, the NPCI was advised not to allow full-scale WhatsApp operations.
“NPCI subsequently allowed `go live` of WhatsApp on UPI only after ensuring that WhatsApp was fully compliant with the circular,” it said in the affidavit.
On April 6, 2018, the RBI issued guidance via a circular on the storage of payment system data and not the sharing of data or privacy. It claimed that it did not issue any data sharing guidelines from Third-Party App Providers (TPAPs) or UPI members, and that data privacy and data sharing matters fell under the Centre’s domain.
“It may also be noted that Amazon was permitted by NPCI to operate as a UPI TPAP only after compliance with the RBI circular dated April 6, 2018. Whereas the other two TPAPs, i.e. WhatsApp (Beta Mode with a cap of one million users) and Google, were already functioning as UPI TPAPs at the time of issuance of the RBI circular,” the affidavit said.
The central bank stressed that no data sharing guidelines were provided by the TPAPs or the UPI participants. Therefore, since WhatsApp and Google were already operating as TPAPs and offering customer services at the time the circular was released, no disruptive action was envisaged against them in the interest of the general public,” it said.
The RBI refuted the claims that it turned a blind eye to the interest of Indian users and undermined it. “It is also denied that the RBI has the responsibility to conduct an audit of the members of UPI ecosystem,” the affidavit said.
The central bank added that the NPCI had told the CERT-In empaneled auditor (Deloitte) of WhatsApp that they had reviewed the Post Change Analysis Report-III by video letter dated June 5, 2020, certifying compliance with the remaining three items and considered the same to be in order.
As WhatsApp has fully complied with the requirements of the RBI circular dated April 6, 2018, the NPCI confirmed that they are approving ICICI Bank (being the WhatsApp sponsor bank) to go live on UPI of WhatsApp. “Subsequently, the NPCI had, vide letter dated November 20, 2020, informed that they had approved WhatsApp to go live on UPI for a maximum registered base of only twenty million to start with,” the RBI added.
Responding to a plea from the RBI, Rajya Sabha member Binoy Viswam, through lawyer Sriram Parakkat, sought the protection of data from transactions made through UPI. The plea argues that, instead of fulfilling their statutory responsibilities, the RBI and the NPCI are violating the rights of Indian consumers by enabling non-compliant foreign entities to operate their payment services in India.
The plea seeks a response from the RBI and the NPCI to ensure that WhatsApp, Google, and Amazon have not misused the data of Indian people gathered on UPI platforms.
The top court adjourned the matter on Thursday for a further hearing on February 1.