RBI mandate spurs banks to halt OneCard partnerships over data storage concerns

In response to concerns raised by the Reserve Bank of India (RBI) regarding data storage practices, several banks have suspended their partnerships with the co-branded card fintech firm OneCard. 

The RBI issued a circular on March 7, 2024, emphasizing that card-issuers must retain ownership and control over cardholder data. It stated that sharing card data, including transaction information, with outsourcing partners should only occur if essential for their assigned functions and with explicit consent from the cardholder.

This directive led to actions by Federal Bank and South Indian Bank, who halted the onboarding of new customers for their co-branded credit cards with OneCard. These decisions were made to ensure compliance with the RBI’s regulations on data security. While other banks with partnerships with OneCard have not yet taken similar steps, it is anticipated that they may follow suit.

The concern stemmed from the indirect access OneCard had to customer data through the credit card software stack provided to partner banks. Although OneCard did not directly access customer data, its involvement in providing the software stack raised regulatory scrutiny due to potential data access.

However, industry insiders suggest that the pause in partnerships may be temporary. Once OneCard implements measures to access customer data in encrypted form, banks are likely to resume issuing co-branded cards. The technology stack provided by OneCard enables features such as real-time transaction tracking, spending management, EMI conversion, and payments through a dedicated app, making it a unique proposition in the card business.

FPL Technologies, the holding company of OneCard, founded in February 2019, has garnered significant funding from investors like Temasek, GIC, Matrix Partners, QED Innovation, Hummingbird Ventures, and Sequoia Capital, totaling $227 million.