RBI wants public data to be stored in India: What it means, how it will impact mobile wallet companies

By- Prashant Phillips, Partner, Lakshmikumaran & Sridharan Attorneys

The digital economy in India continues to grow, which is reflected by an increase in the number of digital transactions. With nearly USD 3 billion being transacted through digital payments alone in India, it is estimated that by 2022, the digital economy is likely to contribute nearly 20% of the GDP of India.

India has also seen a healthy growth in the number of payment platforms, which have led to the success of multiple digital platforms in India. A payment platform may be considered as any entity which is involved in payment or transfer of money. Such payment platforms are core to any digital business or any business transaction, and may be used for completing any transaction or simply transfer money over a digital medium.

RBI directive on Data Storage Norms

The Reserve Bank of India (RBI) had issued a directive on April 6, 2018 concerning payment systems and platforms. Through the directive, the RBI had mandated that pertaining to financial transactions data occurring in India, should be stored only in India. A 6-month deadline ending on October 15, 2018 was provided to the payment systems to comply with the directive. Payment systems, as defined under the Payments and Settlement Systems Act, 2007 (referred to as the Act), include systems that allow digital/online transactions as well as system which enable operations involving credit cards, debit cards, smart cards, money transfer operations or any other such transactions.

The directive had further required that payment system providers are also obligated to submit an audit report on adherence with the directive. The directive only provided a very limited exception in relation to transactions which may occur partly in a foreign territory. To such an extent, the transaction data could be stored outside India.

Possible Impact on Payment System Providers

Many payment platforms had expressed concerns as to the likely impact of the directive on the digital payment industry. It was felt that the directive would have limited impact on payment systems or platforms which are already based in India. It has been reported that nearly all such Indian payment platform have data centres in India, with the payment data being collected, processed and stored within India. To a large extent, such domestic platforms had a good head-start in terms of compliance with the directive. Considering that the directive required that financial data should be stored only in India, the domestic platforms may have to take steps to ensure that any copies which might be available outside India, are also migrated to India.

However, it was a completely different situation for non-domestic platforms. Generally, non-domestic platforms include cards payment networks, such as MasterCard, Visa, etc. Such platforms had stated that compliance with the directive would require a complete architectural level overhaul at their end. Many of such card payment networks had reported that it would be difficult for them to meet the October 15 deadline as set by the directive.  We will now take a quick overview of challenges that any platform is likely to face in order to ensure compliance with the directive.

Implementation Challenges

For domestic platforms, the situation appears to be better as most of such platforms store data within India. For sake of backup, in some cases copies of data may be stored at multiple storage locations possibly outside India. In cases where the copies of the data are being maintained outside India, to such an extent the domestic payment platform may have to eventually plan to have the data migrated to India by the deadline. This comes with additional costs in setting up the storage infrastructure by the concerned payment platform. Such data migration has their own challenges as issues pertaining to data integrity and security have to be kept in mind considering the sensitivity and volume of data involved.

The challenge for payment platforms, such as card payment networks, not based in India is, substantial. These payment networks have been used extensively and for a considerably longer period of time when compared with digital payment platforms, such as online wallets. Card payment networks, however, employ a different payment processing framework which extends beyond territorial boundaries of our country. Correspondingly, the transaction data that they are known to process and generate, is not entirely stored in India.

With huge volumes of transactions being processed by card payment networks every month, occurring every month, volume of data involved would be mind boggling. Furthermore, the card payment networks to undertake an entire overhaul of their payment processing systems to ensure that all transaction data is stored only in India. Such an overhaul predictably cannot be brought about hastily considering that level of security that is the norm for cards payment networks across the world. In addition, the companies may also have to set-up infrastructural resources and a compliance machinery in India to ensure that all data security measures are in place replicated and implemented in India. With the Draft Bill on Data Privacy been released, such payment platforms may have to be ready for data privacy compliance as well.

What lies ahead!

At the time of its issuance, many operators foresaw the challenges and had speculated that the October 15 may not be sufficient to ensure compliance with the directive. This has come true as many payment platforms have requested an extension for complying with the directive. However, despite such challenges, the payment platforms are keen on implementing the RBI’s directions. The RBI has not yet allowed such an extension till now. However, it is largely felt that the RBI may provide the extension considering that non-compliance may run a risk of deauthorization of many existing card payment networks in India.

Although a very remote possibility, if such a thing happens, it may be a cause of substantial uproar as the October 15 deadline approaches. Considering the general acceptance of the directive and keeping in mind the practical challenges it is quite likely that the RBI may grant the extension as sought by the payment platforms. The increase and pervasiveness of digital domain has given, and will continue to give, rise to different issues. Such issues will have to considered and settled through collaborative efforts of both the industry as well as the regulators.