You are here: Home » Companies
Business Standard

Payments providers write to RBI to reconsider data storage directive

The RBI on April 6 directed all payments service providers to make sure "that the entire data relating to payment systems operated by them are stored in a system only in India."




International payments services providers — including foreign banks that have a small number of wholesale branches in India, and switch providers — have asked the Reserve Bank of India (RBI) to reconsider its recent guidelines on data localisation, according to sources in the know.


The affected entities have written separately to the central bank, and have taken up the issue jointly as a lobby group.

A letter Business Standard has seen says that data storage in many cases happens in network clouds provided by third parties and some of these companies are bound by laws of their home countries.

Besides, privacy laws of some countries prevent others’ unfettered access to data, they have said.

While experts say the RBI may have to reconsider its rules, the central bank seems to be in no mood to relent. At least in one case, the RBI has conveyed its unwillingness to make a compromise.

The RBI on April 6 directed all payments service providers to make sure “that the entire data relating to payment systems operated by them are stored in a system only in India” to enable better monitoring through “unfettered supervisory access to data stored”.

However, the central bank allowed the foreign leg of a transaction to “also” be stored in the foreign location, if required. The guideline has disconcerted the payments industry, especially foreign players.

“It is critical that India benefits from the best of global technology and innovation in meeting the country’s unique needs. This benefit will only come from open and free flows of data. Something that has long benefited India’s information technology industry,” said global card network Mastercard in an email to a Business Standard query.

Mastercard said as a payment service provider, it received the card number; the merchant name and location; the date; and the amount of the transaction. The information on who the cardholder is, and what the cardholder is buying, sits with banks who manage their customer relationships.

Visa refused to comment on the matter while American Express did not respond to Business Standard’s queries.

Mastercard said it would work closely with the RBI on the directive. Data localisation is not an issue with established foreign banks in India with a vast retail presence.

The central bank had made it clear over a couple of years that it would award a licence for payments only if the data is stored in India. For example, the global payments messaging service provider, Society for Worldwide Interbank Financial Telecommunications (SWIFT), had to open an Indian subsidiary five years ago with Indian partners (banks) and two data centres in the country, said Alain Raes, chief executive (Europe, Middle East and Africa, and Asia Pacific) of SWIFT, in a recent interview to this paper.

An RBI official said the central bank had told payments providers to open data centres in India or have an arrangement by which the data was available to the local authorities.

“Companies like Visa and Mastercard and banks store their data in the cloud, in places like Singapore or other parts of the world. It becomes difficult for regulators and law enforcement agencies to inspect and take action on frauds relating to data theft if it is not subject to local jurisdiction. Cross-border transactions are even trickier to resolve,” said Karthik Shinde, partner, cybersecurity, EY.

“Data localisation will require global payment players to re-architect some of their processes and systems when it comes to data, depending on what their flow of transactions is, and where their servers are located,” said Shinde.

Manish Sinha, managing director, Dun & Bradstreet–India, said the unit cost of adding Indian data to their existing data servers was relatively low. Now, there would be additional security and compliance outlay as well as technology cost.

Anup Roy contributed to this story


Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.

We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Wed, May 23 2018. 07:01 IST