A construction worker adjusts scaffolding outside the clock face on Elizabeth Tower, also known as ‘Big Ben’, in London. (Photographer: Luke MacGregor/Bloomberg)

Payment Firms Still Await Clarity On Data Localisation Rules As Deadline Looms

With less than a month to go before the Reserve Bank of India’s new data localisation rules kick in, the industry is still awaiting clarity on the final stance taken by the regulator.

  • Is it willing to accept a compromise proposal under which data is stored ‘also’ in India as opposed to ‘only’ in India?
  • If not, will the RBI relax the deadline for implementing its new rules to avoid a disruption to payment systems?

The RBI first drew attention to the issue of local storage of payments data in April when it noted that only a few firms are storing such data in India. Local storage and access to such data, the RBI said, was essential for supervisory purposes. It went on to say: “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.”

A six month period was given to firms to comply with this directive and a deadline of October 15 was set. The regulations will impact a whole host of payment firms, including MasterCard, Visa and American Express, which have a wide network of credit and debit cards in India.

‘Only In India’ vs ‘Also In India’

A number of payment firms are arguing that an acceptable middle ground can be reached between the regulator and the industry if the RBI changes one word in its directive. Should the RBI say that data should be stored “also in India” as opposed to “only in India”, the burden of complying with the new rules would reduce.

This change would allow for the mirroring of data. Data is mirrored when it is copied to a storage device in real time.

This possible solution was discussed at a meeting between the government, the RBI and industry representatives on July 11. According to the minutes of the meeting, a copy of which has been reviewed by BloombergQuint, a representative of the US-India Business Council (USIBC) suggested that firms can “mirror the data to be stored both in India and the country where the data is being stored currently.”

Industry representatives also sought clarity on the kind of data that RBI wanted stored and added that the time needed to comply with the rules can only be ascertained after clarifications from the regulator.

In response, the RBI representative said a clarification may be issued soon, showed the minutes. However, there has been no clarification so far.

AP Hota, former chief executive officer of National Payments Corporation of India, noted that data mirroring is a middle-ground. Should that be accepted by the RBI, an extension in the deadline may not be required.

Some companies are still seeking clarity, some want an extension of the deadline, and some are seeking a rectification, Supratim Chakraborty, Associate Partner at law firm Khaitan & Co told BloombergQuint. At this stage, it appears that such discussions, deliberations and lobbying will continue, Chakraborty added.

American Express, Mastercard and Visa declined to comment. The USIBC also said that it would not be commenting on the issue at this point of time. An email sent to the RBI was not answered.

A Two-Sided Debate

There are arguments on both sides of the debate.

Data localisation with the specific policy of ‘only in India’ may not be practical, said Navin Surya, Chairman Emeritus of the Payments Council of India. Entities taking full responsibility for security and privacy of data they store, should do, he added.

Others say that the RBI move maybe a disincentive for global companies to build products for India.

Global technology companies usually look to normalise user experience across the world, said an expert in the space of payments technology, who spoke on condition of anonymity. This person added that should the RBI insist on data storage only in India, global firms would need to decide whether they want to build a local product conforming to those requirements.

Others say the regulator’s concerns are genuine.

Payment applications can create a digital profile of a person in entirety. The RBI is right in its concern about where this data resides and what’s made out of it, says Puneet Bhatia, a fintech expert who formerly worked with a large consulting firm.

Bhatia pointed to the fracas around Cambridge Analytica to highlight this concern.

Imagine the possibilities for misuse of user profiles like we have seen in case of Cambridge Analytica. With data located offshore, what recourse would the RBI then have?
Puneet Bhatia, Independent Fintech Expert

The Possible Fallout

Should the RBI hold on to its stance that payments data must be stored only in India, some firms could see temporary disruptions in services while others may see an increase in costs.

Vivek Belgavi, partner at PwC India explained that part of the decision to store data outside India is linked to costs. “As cost of processing falls with higher volume, most international and some Indian operators choose to outsource data processing to centers outside the country,” he explained while adding that eventually data can be moved onshore if required.

Technologically, moving data to Indian servers and data centers is possible. Several such facilities are already in operation in India and operators could choose between setting up their own data center or leasing out an existing facility.
Vivek Belgavi, Partner, PwC India

However, the cost to set up a new data center may be significant, added Bhatia. Apart from land, people and uninterrupted supply of electricity, you need top-end cyber security and seamless infrastructure, he explained.

In the event that global card companies are unable to comply with the rules in time, there could be some disruption in services. This, in turn, could lead to another jump in usage of e-wallets by India operators, explained Kalpesh Mehta, financial services expert and Partner at Deloitte.

To avoid a disruption to services, particularly card services, an extension of the deadline may be necessary, said Bhatia. A six month deadline may be unrealistic, he said.