The Reserve Bank of India has told the Supreme Court that the National Payment Corporation of India (NPCI) allowed WhatsApp to “go live” on UPI only after ensuring it was fully compliant with its circular.
The central bank also stressed the onus is on the NPCI to respond on the status of compliance of WhatsApp, Google, and Amazon with the system rules/procedural guidelines governing the Unified Payments Interface (UPI).
In an affidavit, the RBI said: “NPCI is the system provider of UPI and, therefore, comes under the regulatory radar of the RBI. Since it was NPCI that allowed Amazon, Google, and WhatsApp to operate under UPI, the responsibility to ensure that these entities comply with all the rules/regulations/guidelines governing UPI lies with the NPCI.”
The RBI added that the NPCI was advised not to permit full-scale operations of WhatsApp till the time they are fully compliant with the requirements of the RBI directions.
“NPCI subsequently allowed ‘go live’ of WhatsApp on UPI only after ensuring that WhatsApp was fully compliant with the circular,” it said in the affidavit.
The RBI issued directions through a circular on April 6, 2018, on storage of payment system data and not data sharing or privacy. It said it has not issued any instructions on data sharing by Third-Party App Providers (TPAPs) or the participants of UPI, and matters related to data privacy and data sharing come under the domain of the Centre.
“It may also be noted that Amazon was permitted by NPCI to operate as a UPI TPAP only after compliance with the RBI circular dated April 6, 2018. Whereas the other two TPAPs, i.e. WhatsApp (Beta Mode with a cap of one million users) and Google, were already functioning as UPI TPAPs at the time of issuance of the RBI circular,” the affidavit said.
The central bank emphasized that it has not issued any instructions on data sharing by TPAPs or the participants of UPI. “Accordingly, as WhatsApp and Google were already functioning as TPAPs and providing customer services at the time of issuance of the circular, no disruptive action against them was contemplated in the interest of the general public,” it said.
The RBI denied the allegations that it has turned a blind eye and compromised with the interest of the Indian users. “It is also denied that the RBI has the responsibility to conduct an audit of the members of UPI ecosystem,” it said in the affidavit.
The central bank added that the NPCI had, vide letter dated June 5, 2020, informed that they had reviewed the Post Change Review Report-III from the CERT-In empaneled auditor (Deloitte) of WhatsApp certifying the compliance with the remaining three items and found the same to be in order.
The NPCI had stated that as WhatsApp has fully complied with the requirements of the RBI circular dated April 6, 2018, they are giving ICICI Bank (being the sponsor bank for WhatsApp) the approval to go live of WhatsApp on UPI. “Subsequently, the NPCI had, vide letter dated November 20, 2020, informed that they had approved WhatsApp to go live on UPI for a maximum registered base of only twenty million to start with,” the RBI added.
The response from the RBI has come on a plea by Rajya Sabha member Binoy Viswam, through advocate Sriram Parakkat, seeking protection of data of transactions made over UPI. The plea contended that the RBI and the NPCI instead of fulfilling their statutory obligations are compromising the interest of Indian users by allowing the non-compliant foreign entities to operate their payment services in India.
The plea seeks response from the RBI and the NPCI to ensure that the data of Indian citizens collected on UPI platforms was not misused by WhatsApp, Google, and Amazon.
On Thursday, the top court adjourned the matter for further hearing on February 1.