Introduction
One97 Communications Limited owns the brand Paytm (a partial abbreviation for "pay through mobile"), which was founded in 2010 and is an Indian multinational technology company that specializes in digital payment systems, e-commerce and financial services, based in Noida, India. Paytm offers online use-cases like mobile recharges, utility bill payments, travel, movies, and events bookings as well as in-store payments at grocery stores, fruit and vegetable shops, restaurants, parking, tolls, pharmacies and educational institutions with the Paytm QR code. Today, Paytm is one of the highest valued fintech companies in the world.
One97 Communications Limited and Vijay Shekhar Sharma, Founder & CEO of Paytm, jointly own Paytm Payments Bank Ltd., which is the country's largest digital bank with over 58 million account holders.
Recently, Paytm Payments Bank Ltd. has been facing data breach and KYC related issues with the Reserve Bank of India (RBI).
Data breach issue
On 11 March 2022, the RBI, in exercise of its powers, inter alia, under section 35A of the Banking Regulation Act, 1949, directed Paytm Payments Bank Ltd. to stop, with immediate effect, onboarding of new customers. The bank has also been directed to appoint an IT audit firm to conduct a comprehensive system audit of its IT system. Onboarding of new customers by Paytm Payments Bank Ltd. will be subject to specific permission to be granted by the RBI after reviewing the report of the IT auditors. This action is based on certain material supervisory concerns observed in the bank.
It is reported that Paytm Payments Bank Ltd., which processes transactions for India’s digital payments giant Paytm, was barred from taking on new customers because it violated rules by allowing data to flow to servers abroad and did not properly verify its customers, according to a person familiar with the matter.
It is further reported that annual inspections by the RBI found that the company’s servers were sharing information with China-based entities that indirectly own a stake in Paytm Payments Bank (namely Alibaba). Paytm Payments Bank Ltd., being a regulated financial institution, was required to maintain a so-called service level agreement with its technology vendor that would ringfence the entity from its owners.
The bank clarified that the location of the servers was not known and there is no implication that Paytm Payments Bank Ltd. was storing information abroad. Paytm Payments Bank Ltd. had also onboarded thousands of clients without adequate know-your-customer (KYC) documentation and the concern was that some of these could have been mules for money laundering.
Recently, the founder of Paytm, Vijay Shekhar Sharma, said Paytm Payments Bank is fully compliant with India’s data-storage rules and the RBI has not mentioned data-access concerns. Without detailing the RBI’s concerns, the founder said that no fine had been levied for KYC compliance and no issues were raised with the bank ownership structure. The founder gave a public statement that the “concerns are IT related. They want systems to be audited by a third party and confirmed to them”.
It is pertinent to note that Chinese entities such as Alibaba Group Holding Ltd. and its affiliate, Jack Ma’s Ant Group Co., are shareholders in Paytm.
This issue regarding Paytm becomes especially significant in light of the RBI directive requiring payment systems to store data locally.
On 6 April 2018, the RBI issued a circular stating that in order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with systems that are highly technology dependent and necessitate adoption of safety and security measures, as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem. The RBI, therefore, decided that:
- All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
- System providers shall ensure compliance of (a) above within a period of six months and report compliance of the same to the Reserve Bank latest by 15 October 2018.
- System providers shall submit the System Audit Report (SAR) on completion of the requirement at (i) above. The audit should be conducted by CERT-IN empanelled auditors certifying completion of activity at (i) above. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank not later than 31 December 2018.
During this period, the RBI gave entities ranging from Alphabet Inc.’s Google Pay to Walmart Inc.’s PhonePe until the year end to comply with the aforementioned circular and appoint auditors.
Given the recent issues, the shares of Paytm have also taken a major hit, as has its market capitalisation.
Conclusion
While the RBI had similarly punished companies including American Express Banking Corp. and Mastercard Inc. for violation of data-storage rules, the concerns around Paytm Payments Bank Ltd. are particularly sensitive given India’s hostile political relationship with China. India has banned a plethora of apps linked to or originating from China over the past two years following a clash at the nations’ disputed border.
