Arbitrability of Disputes over Compliance with India’s Digital Payments Security Norms
1. Introduction
India’s digital payments ecosystem—covering UPI, payment gateways, wallet providers, card networks, banks, fintech companies, and payment aggregators—is governed by stringent security and data protection norms issued by regulators such as the Reserve Bank of India (RBI). These norms relate to:
Data localisation and storage
Cybersecurity controls
Transaction authentication and encryption
Incident reporting and audit compliance
Fraud prevention and consumer protection
Disputes frequently arise between regulated entities and their technology vendors, or between fintech service providers inter se, when there is alleged non-compliance with digital payments security norms. The central legal issue is whether such disputes are arbitrable under Indian law.
2. Legal Framework Governing Arbitrability
Arbitrability in India is governed by the Arbitration and Conciliation Act, 1996, as interpreted by the Supreme Court.
The settled principle is:
Disputes involving private contractual rights are arbitrable; disputes involving public rights, sovereign functions, or exclusive statutory remedies are not.
Digital payments security disputes often lie at the intersection of:
Contract law (outsourcing, technology, cloud, and compliance agreements), and
Regulatory law (RBI directions and supervisory powers).
3. Nature of Disputes in Digital Payments Security Compliance
Typical disputes include:
Failure of a technology vendor to meet RBI-mandated security standards
Allocation of liability for cybersecurity breaches or payment fraud
Non-compliance with data localisation obligations
Breach of audit, reporting, or certification requirements
Indemnity claims arising from regulatory penalties
Termination of contracts due to alleged compliance failures
These disputes usually arise between private parties under commercial contracts, even though the underlying obligations stem from regulatory norms.
4. Core Test: Contractual Compliance vs Regulatory Enforcement
Arbitrable
Disputes on whether a party complied with contractual obligations to meet RBI norms
Claims for damages, indemnities, penalties, or termination
Allocation of responsibility for compliance failures
Non-Arbitrable
Direct enforcement actions by RBI
Imposition of statutory penalties
Cancellation or suspension of licences
Determination of regulatory violations by statutory authorities
Thus, arbitration can decide contractual consequences of non-compliance, but cannot replace regulatory adjudication.
5. Supreme Court Tests for Arbitrability
Indian courts apply the following principles:
Whether the dispute involves rights in rem or rights in personam
Whether adjudication is expressly barred by statute
Whether the dispute involves sovereign or public authority functions
Whether exclusive jurisdiction is vested in a statutory forum
Digital payments compliance disputes under contracts generally involve rights in personam, making them arbitrable.
6. Key Indian Case Laws
1. Booz Allen and Hamilton Inc. v. SBI Home Finance Ltd.
Principle:
Disputes involving private contractual rights (rights in personam) are arbitrable, while those involving public rights (rights in rem) are not.
Relevance:
Compliance disputes between fintech companies and vendors concern private contractual liability, not public enforcement.
2. Vidya Drolia v. Durga Trading Corporation
Principle:
Laid down the definitive four-fold test for arbitrability and affirmed a strong pro-arbitration approach.
Relevance:
Disputes over contractual compliance with RBI security norms satisfy the arbitrability test.
3. Olympus Superstructures Pvt. Ltd. v. Meena Vijay Khetan
Principle:
Disputes arising from contractual performance and obligations are arbitrable.
Relevance:
Technology and compliance service agreements in digital payments fall squarely within arbitrable commercial disputes.
4. Ayyasamy v. A. Paramasivam
Principle:
Only serious and complex fraud involving criminal elements is non-arbitrable; contractual allegations of fraud remain arbitrable.
Relevance:
Claims of misrepresentation regarding security readiness or compliance certifications are arbitrable.
5. Swiss Timing Ltd. v. Commonwealth Games Organising Committee
Principle:
Mere allegations of fraud or illegality do not bar arbitration unless they involve grave public wrongdoing.
Relevance:
Cybersecurity or compliance failures alleged in payment systems should still be referred to arbitration.
6. Associate Builders v. Delhi Development Authority
Principle:
Courts cannot re-appreciate evidence or technical findings of arbitral tribunals.
Relevance:
Arbitral determinations on encryption standards, system architecture, or audit compliance are protected from excessive judicial interference.
7. Ssangyong Engineering & Construction Co. Ltd. v. NHAI
Principle:
Clarified the narrow meaning of “public policy” and “patent illegality” under Section 34.
Relevance:
Awards deciding contractual liability for security norm violations are unlikely to be set aside merely due to regulatory complexity.
7. Interaction with RBI’s Regulatory Powers
Arbitration cannot determine whether RBI norms were violated in the regulatory sense
Arbitration can determine contractual breach and liability arising from non-compliance
Regulatory proceedings and arbitration may run parallel without conflict
This dual-track approach preserves both regulatory supremacy and contractual autonomy.
8. Role of Arbitral Tribunals in Such Disputes
Arbitrators typically assess:
Contractual obligations to comply with RBI norms
Whether reasonable security measures were implemented
Allocation of liability for breaches or fraud losses
Indemnification for regulatory penalties
Termination and damages claims
Expert evidence from cybersecurity auditors, payment system specialists, and compliance professionals is commonly relied upon.
9. Drafting Considerations for Payment Security Contracts
Clearly define security and compliance obligations
Allocate responsibility for regulatory penalties
Include audit and incident-reporting obligations
Carve out regulatory enforcement actions from arbitration
Provide for technical or industry-expert arbitrators
10. Conclusion
Disputes over compliance with India’s digital payments security norms are largely arbitrable when they concern contractual obligations and inter-party liability. Indian courts consistently uphold arbitration in such matters while preserving the exclusive authority of regulators like the RBI to enforce statutory norms.
Arbitration thus offers a specialised, confidential, and efficient forum to resolve complex compliance disputes in India’s rapidly evolving digital payments ecosystem.
