The RBI on April 6 directed all payments service providers to make sure "that the entire data relating to payment systems operated by them are stored in a system only in India."
International payments services providers - including foreign banks that have a small number of wholesale branches in India, and switch providers - have asked the Reserve Bank of India (RBI) to reconsider its recent guidelines on data localisation, according to sources in the know.
The affected entities have written separately to the central bank, and have taken up the issue jointly as a lobby group.
A letter Business Standard has seen says that data storage in many cases happens in network clouds provided by third parties and some of these companies are bound by laws of their home countries.
Besides, privacy laws of some countries prevent others’ unfettered access to data, they have said.
While experts say the RBI may have to reconsider its rules, the central bank seems to be in no mood to relent.
At least in one case, the RBI has conveyed its unwillingness to make a compromise.
The RBI on April 6 directed all payments service providers to make sure “that the entire data relating to payment systems operated by them are stored in a system only in India” to enable better monitoring through “unfettered supervisory access to data stored”.
However, the central bank allowed the foreign leg of a transaction to “also” be stored in the foreign location, if required.
The guideline has disconcerted the payments industry, especially foreign players.
“It is critical that India benefits from the best of global technology and innovation in meeting the country’s unique needs. This benefit will only come from open and free flows of data. Something that has long benefited India’s information technology industry,” said global card network Mastercard in an email to a Business Standard query.
Mastercard said as a payment service provider, it received the card number; the merchant name and location; the date; and the amount of the transaction.
The information on who the cardholder is, and what the cardholder is buying, sits with banks who manage their customer relationships.
Visa refused to comment on the matter while American Express did not respond to Business Standard’s queries.
Mastercard said it would work closely with the RBI on the directive. Data localisation is not an issue with established foreign banks in India with a vast retail presence.
The central bank had made it clear over a couple of years that it would award a licence for payments only if the data is stored in India.
For example, the global payments messaging service provider, Society for Worldwide Interbank Financial Telecommunications (SWIFT), had to open an Indian subsidiary five years ago with Indian partners (banks) and two data centres in the country, said Alain Raes, chief executive (Europe, Middle East and Africa, and Asia Pacific) of SWIFT, in a recent interview.
An RBI official said the central bank had told payments providers to open data centres in India or have an arrangement by which the data was available to the local authorities.
“Companies like Visa and Mastercard and banks store their data in the cloud, in places like Singapore or other parts of the world. It becomes difficult for regulators and law enforcement agencies to inspect and take action on frauds relating to data theft if it is not subject to local jurisdiction.
"Cross-border transactions are even trickier to resolve,” said Karthik Shinde, partner, cybersecurity, EY.
“Data localisation will require global payment players to re-architect some of their processes and systems when it comes to data, depending on what their flow of transactions is, and where their servers are located,” said Shinde.
Manish Sinha, managing director, Dun & Bradstreet–India, said the unit cost of adding Indian data to their existing data servers was relatively low.
Now, there would be additional security and compliance outlay as well as technology cost.
Photograph: Maxim Zmeyev/Reuters