The Reserve Bank of India (RBI), India’s central bank and the regulator for payment systems in India, in its press release dated 5 April 2018 (Press Release) on Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19, had announced that all payment system operators would need to ensure that data related to payment systems operated by them are stored only within India within a period of six months. RBI had indicated that detailed instructions would follow in a week’s time.

On 6 April 2018, RBI released a directive (Directive) with detailed instructions, which are discussed below:

What Payment Systems need to do?

  • All payment system providers will need to ensure that the entire data relating to payment systems operated by them are stored in a system only in India;
  • System providers need to ensure compliance of (a) above within a period of six months i.e. latest on or before 15 October 2018. Such compliance will also need to be reported to the RBI;
  • System providers will need to submit a System Audit Report (SAR) on completion of the requirement at (a) above. Such audit needs to be conducted by Indian Computer Emergency Response Team (CERT-In) (Ministry of Electronics and Information Technology) empanelled auditors certifying completion of compliance in (a) above;
  • The SAR duly approved by the board of the system providers will need to be submitted to RBI, not later than 31 December 2018.

What Data needs to be stored in India?

RBI’s Press Release did not elaborate on the nature of data that needs to be stored within India. However, in the Directive, RBI has clarified that data would include the full end-to-end transaction details, information collected, carried or processed as part of the message or payment instruction. Further, it has been clarified that if there is a foreign leg of the transaction, then the data can also be stored in the foreign country, if required.

Comment

RBI’s move on data localisation to payment systems comes as a probable aftermath of the recent data breach that has allegedly impacted elections in US and India.

The payment system ecosystem in India has developed considerably in recent times with the emergence of new players and technology in this space. With rapid growth, it is pertinent that data stored by payment systems is indeed secure and best practices and standards are followed for securing it so as to ensure a sound digital economy. This seems to be the thought behind RBI’s sudden mandate for making local storage compulsory by payment systems in India. Data localisation by payment systems will ensure supervision and greater control over such data by RBI. The detailed instructions on compliances and reporting will help RBI enforce the Directive effectively.

However, one must consider the downside of data localisation measures, which have historically culminated in economic isolation and stifled growth for countries that have adopted them. To add to the above, the Directive is likely to largely impact the foreign players in this segment, who will now not only have to invest in infrastructure to comply with this Directive, but will also have to bear additional compliance and administrative costs. Also, the nature of data that needs to be stored locally is also wider, and would restrict the ability of foreign players to undertake other incidental support services offshore using this data, which was otherwise possible so far. Industry players may also be concerned with the mention of ‘RBI’s unfettered supervisory access’ to such data in the Directive given that India’s new data protection law is yet to be released. It will therefore be interesting to see how the Directive is implemented in practice.