Decrypting RBI Data Localization Policy for Payment Companies

M2P's fintech blog
M2P Fintech
May 7, 2021

RBI guidelines on data localization

Over the past few years, we have witnessed continuous digital advancement, from the way we communicate to the way we transact. Among these advances, cashless transactions reign supreme, further fueled by the pandemic, and they have overtaken traditional payment and banking practices.

There is also a multitude of payment options available today. Major players such as Google Pay, Apple Pay, and PayPal have access to sensitive user data stored across international servers. This has led many to raise concerns about user data security and privacy.

Since this is a global concern, the RBI introduced the concept of Data Localization to protect user data from potential threats.

What is Data Localization?

Data protection first drew attention in India back in 1993, when the Public Records Act restricted the transfer of data outside India, for security reasons, to keep it beyond the reach of surveillance by other countries.

Data Localization is the practice of storing citizens’ data within the country’s geographical boundaries so that it cannot be accessed from abroad.

It also plays a crucial part in the government’s cloud computing policy.

RBI guidelines on the Data Localization Policy

The Reserve Bank of India (RBI) issued a circular dated April 6, 2018, under the Payment and Settlement Systems Act, 2007, directing all authorized Payment System Operators (PSOs) in India to ensure that data related to payment systems, such as customer data, payment-sensitive data, payment credentials, and transaction data, is mandatorily stored within India.

A six-month deadline was attached to the Data Localization policy. Since the payment ecosystem has ballooned in the last few years, the RBI felt compelled to take this crucial step to protect consumers’ data.

All payment firms, including American Express, Mastercard, Visa, PayPal, Google Pay, WhatsApp Pay, Paytm, and PhonePe, must adhere to the RBI’s data localization rule. Subsequently, the RBI required system providers to give it unfettered access to all data on complete end-to-end transaction details (information collected, carried, or processed as part of the message or payment instruction) and to submit a System Audit Report (SAR) of an audit conducted by CERT-In.

As per the RBI’s Data Localization Policy

  1. There is no bar on processing payments outside the country, but after processing, the data must be deleted from the foreign systems and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier. It must then be stored only in India.
  2. However, any subsequent activity such as settlement processing, if done outside India, shall also be performed on a near real-time basis, with the data stored only in India.
  3. For any other related processing activity, such as chargebacks, the data can be accessed at any time from India, where it is stored.
  4. The RBI’s prior approval is necessary for sharing payment system data with overseas regulators.
  5. Banks operating in India must strictly adhere to the storage norms.
  6. As an exception, the foreign leg of a transaction may be stored abroad. However, domestic payment transactions must be stored only in India, including the end-to-end transaction, payment, and settlement details: customer name, mobile number, e-mail address, Aadhaar number or PAN, beneficiary details, and payment credentials such as the One Time Password (OTP), PIN, and passwords.
  7. For cross-border transactions that include data with both a foreign and a domestic component, a copy of the domestic component may be stored abroad, if required.
  8. System providers were given six months to ensure compliance with the directive and to report the same to the RBI.

An image representing the RBI Data Localisation Policy

The RBI guidelines on storing payments data had a notable impact on Payment System Operators. Indian payment firms, viz. Paytm, PhonePe, and MobiKwik, backed the RBI’s data localization policy as a way of protecting citizens’ data and restricting foreign access to it.

In 2019, however, representatives of leading companies such as Amazon, Flipkart, Google, Microsoft, Facebook, and American Express met with government and RBI officials to raise concerns about the stringent nature of the policy.

Later, the Indian government took on the responsibility of determining which categories of data must be stored locally. This categorization is intended to ensure that the data is not misused by companies, for instance by transferring it to third-party providers.

Personal Data Protection Bill

The Personal Data Protection Bill (PDP Bill) applies to the processing of personal data by companies registered in India, by foreign companies dealing with the personal data of individuals in India, and by the Indian Government. The PDP Bill sorts the collected data into three categories:

  • Personal data,
  • Sensitive personal data and
  • Critical personal data.

The PDP Bill does not apply to the processing of anonymous data.

The PDP Bill proposes that sensitive personal data and critical personal data be stored in India. It does, however, permit sensitive personal data to be transferred outside India for processing in certain cases, provided that at least a copy of that data continues to be stored in India and that explicit consent has been obtained for the transfer. Critical personal data, by contrast, can only be stored and processed within India.

The impact on payment industries

Multinational payment systems operating in India were heavily affected by the RBI’s intervention on Data Localization. Popular foreign card companies such as Visa and Mastercard missed the strict six-month deadline set by the RBI (2019). International payment companies usually store their data on global servers, but this rule forced them to store data locally, at additional expense.

India is the fastest-growing market for mobile apps and digital banking. Indian start-ups in the FinTech sector often face the tough challenge of outsourcing technical support and moving from established cloud services to cheaper, more cost-effective ones.

The Data Localization Policy will prevent these start-ups from opting for cost-effective cloud service providers worldwide and push them towards localized alternatives, which results in higher operational costs. Still, this is a worthwhile shift, as it shields payments data from identity fraud and the other digital breaches associated with it.

The Current Scenario

The RBI reiterated its stance on data privacy by issuing a circular stating that, from April 1, 2021, all payment system operators must submit, on a half-yearly basis, a compliance certificate duly signed by their CEOs or Managing Directors confirming adherence to the RBI’s regulations on securing payments data.

This again drew attention to the RBI’s continued intervention in securing and continuously monitoring payments data to avoid future risks to the country. As the digital economy advances, financial data security is a must for the country’s economic growth and development.
