On Wednesday, RBI barred Mastercard from adding any new customers for not complying with data storage regulations. This is not the first time the central bank is penalising payment operators for such violations; in April this year, it had stopped American Express and Diners Club from signing on new users. Following the rules imposed on localisation of payments data, in April 2018, the regulator had given the system-providers six months to make sure the data was being stored solely in India. However, clearly, the providers don’t seem to have taken the regulations seriously. There can be absolutely no doubt the regulator needs to have ‘unfettered supervisory access’ to payment intermediaries at a time when digital transactions are growing exponentially, thereby opening up room for fraud and money laundering.
When the circular was issued on April 6, 2018, it was pointed out that the directive had been given without any public discussion; it was argued the central bank needed to have explained its decision in greater detail. Given the speed at which the volumes of digital payments are going up, there was little point—and a lot of risk—in delaying the notification.
There is nothing to stop debate and deliberation from continuing; any meaningful suggestions can be considered and the rules modified accordingly. RBI has clarified that, for cross-border transaction data, a copy of the domestic component may also be stored abroad if required. Also, operators may send the data abroad for processing, but must bring it back within 24 hours; the data overseas should be deleted.
RBI has explained the need for data security, saying it was important to minimise the risks of breaches. It had also noted there was a need to match global safety standards. These are good enough objectives, and given we are talking about the country’s payments system, no amount of caution can be too much. The central bank is not obliged to answer questions on whether any intermediaries dishonoured requests by it to provide relevant information. It is also not obliged to make public any information relating to any security breaches if they took place. Since it is responsible for the country’s payments systems, it is justified in setting the rules. While earlier laws may not have called for payments operators to localise data, these were framed nearly 15 years back, when digitisation had not taken off. It is obvious the laws need to be updated.
Large technology companies have voiced their concerns about mandatory data localisation. The Justice Srikrishna report had observed that locally-stored data would assist law enforcement agencies in their work; it would be easier for them to access information within their jurisdiction than from overseas since that would make them dependent on responses to their requests. The logic holds for payments data, too.
As for the costs, the Srikrishna report noted that the real question is whether the actual costs of local processing will be such that it overrides the benefits of companies having access to the burgeoning consumer database in India. To be sure, the data would be encrypted and RBI may need assistance from the operator to read it. If the payments players want to do business in India, they must comply with all regulatory requirements. There’s no free lunch.