Issuing a clarification on the directive related to data localisation, the Reserve Bank of India (RBI) said all payments-related data must be stored in India, however, under special circumstances, a copy of the data can be stored abroad.
An RBI statement said, “For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad if required.” The central bank further explained that there is no bar on the processing of payment transactions outside India, however, the data shall be stored only in India after the processing which should include complete end-to-end transaction details.
For a transaction that is processed abroad, the data should be deleted from the systems and needs to be brought back to India within one business day or 24 hours after the process is completed. Having said, in case of settlement-related issues and other disputes, the data can be accessed anytime from India.
Additionally, in the case of foreign banks, they can store banking data abroad but domestic payment transaction data should be stored in India whereas, for cross border payment transactions, the data may also be stored abroad.
“The data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction,” the apex bank clarified. This data also includes customer data, payment sensitive data, payment credentials and transaction data.
So Far, So Good
Last year, in April, the banking regulator notified all the payment processing entities to start storing data in India. “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India,”
the RBI directive said. The service providers were given six months to execute this.
Talking about the data localisation norms, Abhishek Ray, Head Legal, ePayLater agrees with RBI’s terms and supports the intent behind the measures announced.
“Data privacy and security deserve utmost attention of one and all, and the RBI taking concrete steps in this direction with crystal clear requirements from the industry helps retain the focus in addition to compliance. We believe such steps would also prepare India Inc., especially startups to design systems that are congruent with global best practices, and would boost investor confidence in the near term and ensure customer trust,” he said.
Previously, the payment industry has expressed its concern related to data localisation citing innovation and customer experience-related limitations. Since then the industry has been perusing RBI to soften its outlook on data storage, however, the regulator has been showing a strong stance as a security measure.
However, clarification on cross border payments come as a relief to the industry.
Bhavin Patel from LenDenClub says RBI has made a good case out of the queries raised by payment players on data localisation. This FAQ answers the majority of the answers and removes a lot of ambiguity around the guideline. However, there are some queries revolving around data to be brought back to India within 24 hours.
“I think it’s a very reasonable proposition by RBI. They have allowed players who are in overseas payment operations to use their systems and bring that data back to India so that India can fetch that data if needed in future. However, the government has allowed payment companies to share data with any other regulator if required. There are various global regulators who have set a different kind of guidelines for financial transactions incurred in their country. India is following global developed peers. Summarizing today’s FAQ release, its a good step towards making things clarified and clear to all operators,” he added.