Mastercard has called for the Reserve Bank of India (RBI) to relax its guidelines on storage of payment system data, which comes into effect from October 15, 2018, a report by the Economic Times said. In particular, Mastercard is hoping that payment companies are allowed to transfer or store user data outside India in a bid to help prevent international fraud.
The Central bank, in April, has mandated all payments system operators working in India to ensure that data related to payment systems operated by them is stored in the country. “It is observed that at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country,” the RBI said in a report during April’s Monetary Policy meeting. “In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of six months,” the report added. It is important to note that the RBI has allowed data of international transactions to be stored outside the country if need be.
While the directive is considered to be on par with data storage and oversight rules followed in other Asian countries like China, Japan, Malaysia, another report by ET said that it is a standard practice, globally, to have backup data centres in another location for disaster recovery and ensure business continuity in case of catastrophe.
Relaxing norms will help contain cross-border fraud
According to Mastercard division president (South Asia) Porush Singh, by having user data located only in India, measures to contain cross-border fraud will be diluted as the analytical software which identifies suspect transactions will not be able to match fraudulent incidents in one part of the world with transactions elsewhere.
“The point we are making is that storing in India versus storing only in India will enable measures to help contain cross-border fraud,” he said to ET. According to Singh, if the RBI directive stated that data should be stored in India rather than ‘only in India’, compliance would be easier by having servers mirror the transactions.
Industry divided over RBI’s norms
Media reports earlier in the year also pointed out that multiple international payment service providers wrote to the RBI, asking the central bank to reconsider its guidelines. Furthermore, The Payments Council of India (PCI), which has around 100 payments firms as its members, has sought a meeting with the RBI to suggest “alternative solutions which can meet the RBI requirements of unfettered access”, according to a report by Money Control. According to the report, PCI has stressed that many online payments companies and members are not convinced by this decision. It says that while some of its members are fully in favour of storing data within the country, a bunch of them want some relaxations. There are also members who are completely not in favour of the same.
It is widely believed that Indian payment players like Paytm and PhonePe are in support of the central bank’s regulation, while foreign firms like MasterCard and Visa are against it as they store transactions data outside of India. Some media outlets went on to say that data is often stored on cloud networks and that some foreign firms were bound by laws of their home countries.
“What RBI is doing is heavyhandedness. A regulator should not bring about such fundamental changes without consultation with a cross section of affected parties,” said Subho Ray, president of Internet and Mobile Association of India (IAMAI) according to a report by ET. American technology corporations such as Google and Facebook are members of the IAMAI.
On the other hand-
“The directive to process and store data only in India will help curb the potential misuse and enable active regulatory monitoring. It will definitely boost customers’ confidence in moving to digital payments without worrying about the security of their personal data,” said Kiran Vasireddy, the chief operating officer of Paytm.