Recently, India’s Central Bank, Reserve Bank of India (RBI) came out with a directive on April 6, 2018 related to “storage of payment system data”. This order makes it mandatory for all system providers (as well as their service providers/intermediaries/ third party vendors and other entities) to ensure that all data relating to payment systems operated by the provider are stored in a system only in India. Interestingly, by virtue of this regulation, RBI is seeking storage of all data, which includes the entire payment processing cycle from request to final payout. In a way, this directive allows RBI to be in a position to supervise the entire payment processing cycle.
A careful reading suggests that this directive has divided payment transactions into two legs, i.e., an Indian leg and a foreign leg. If a system provider’s entire payment processing cycle, including that of its service providers, intermediaries, etc. is happening within India, then such a system provider (and related entities) can store entire payment transactions in India only. However, if a part of the transaction process is happening in a foreign territory then the data from that part of the transaction would be out of the purview of this directive.
This directive may lead system providers, including the companies offering and selling retail/business services to Indian consumers, to reassess their payment transaction models. The location of payment gateways and such intermediaries, whether within or outside India, is now a critical business decision for foreign e-commerce companies to consider in the near future.
This directive may be seen as one measured step towards data localization. It should not be seen as disruptive, as its focus is on payment transactions and processes located in India. However, the time period given by the RBI of compliance by October 15, 2018 is ambitious and fast approaching. Further, to assist with compliance it would be helpful to have further granularity for a directive of this nature.