Data Localisation: RBI Allows Offshore Processing Of Payment Transactions But Insists On Local Storage
RBI has clarified that payment operators can process transactions overseas but must bring data to India within 24 hours
.jpg?rect=0%2C0%2C4000%2C2250&auto=format%2Ccompress&w=200)
More than a year after the Reserve Bank of India asked all payment system operators to store transaction data only in India, the regulator has issued clarifications on some aspects of its rules. The clarifications allow payment companies to process transactions overseas but say that the data must eventually be stored in India.
In a set of FAQs issued on Wednesday, the RBI said that payment operators are permitted to process data abroad if they so desire. However, if transactions are processed overseas, the data on overseas servers will have to be deleted within 24 hours, the RBI said.
The FAQs specified the following conditions:
- While there is no bar on processing of payment transactions outside India by PSO’s, the data shall be stored only in India after the processing.
- In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India withing one business day or 24 hours from payment processing- whichever is earlier. Thereon, it will only be stored in India.
- However, any subsequent activity such as settlement processing after payment processing, if done outside India, shall also be undertaken / performed on a near real time basis. The data should be stored only in India.
- In case of any other related processing activity, such as chargeback, etc., the data can be accessed, at any time, from India where it is stored.
- For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.
The RBI has also clarified that data can also be shared with overseas regulators depending on the nature of the transaction and with due approval of the Indian regulator.
“The earlier notification did not specify processing of data unlike the clarification, indicating that the RBI has chosen a middle path,” said Supratim Chakraborty, partner at Khaitan & Co. He added that the directive to delete data within 24 hours and sharing data with the RBI’s due approval are conditions that may fall foul with laws in other countries.
What Data Needs To Be Stored?
Some payment operators had expressed uncertainty about what data needs to be stored in India.
The RBI clarified this and said the data should include end-to-end transaction details and information pertaining to payment or settlement transaction.
This may include:
- Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable)
- Payment sensitive data (customer and beneficiary account details)
- Payment Credentials (OTP, PIN, Passwords, etc.)
- Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).
Certain people in the sphere were on the fence on their coverage under the directive issued, said Chakraborty, adding that the complete list of aspects covered under the RBI’s rules will reduce ambiguity.
Where Things Stand
The RBI’s demand for data localisation has been hotly debated with large payment firms like Visa, Matercard and Whatsapp seeking additional time to meet the rules.
Last week, Commerce Minister Piyush Goyal met technology companies and assured that the RBI would look into their concerns. US Secretary of State Mike Pompeo, who is currently visiting India, has also been expected to discuss the issue with Indian government representatives.
Most large payment firms have sought time till September 2019 to meet the RBI’s new rules. While the RBI has not imposed any restrictions on non-compliant firms who are already operating in the payment market, it has restricted the expansion of newer entrants till they comply with the rules.