International payment companies operating in India are worried that they will not be able to adhere to the RBI’s deadline of storage of payment system data in India. The deadline for this action is less than 2 months away.
Payment company executives who did not want to be named told MediaNama that they thought that after a Finance Ministry intervention, it would be okay to mirror user data in India, and that was the end of it. The companies were awaiting a circular from the central bank to this effect. However, the RBI’s silence on the matter has turned into a major reason of worry for, especially since the deadline is looming.
“…We’ve been making our case heard for a good period of time and the government was very receptive to our case,” a senior executive of a global payments company told MediaNama. “So, it seemed only a matter of days before the RBI amended its norms. But there’s been absolutely no communication from them (RBI). Infact, we don’t even have a clear idea of exactly what kind of data needs to be stored. There is a lot of confusion regarding the data protection bill as well,” he added.
In April, the RBI, mandated that all payments system operators working in India had to ensure that data related to payment systems operated by them is stored in India only within 6 months. The move would have come into effect from October 15 this year, according to a report by the Economic Times.
The draft Data Protection Bill 2018 added an additional layer of confusion to the matter. The bill, which was submitted to the government last month, reportedly overrides all sectorial regulators and therefore all their directives. The bill requires all data fiduciaries to store a copy of users’ personal data in India and worryingly, it also requires mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to state explicitly the definition of ‘critical data’.
A regulatory mess
Most industry players have grown concerned over multiple sectorial regulatory bodies issuing their own versions of norms, often overlapping each other, sometimes even in contradiction with one another, but always lacking in clarity. This, on top of the government’s indecisiveness could have a major impact on multinational companies operating in the country, according to the aforementioned executive.
At the moment many bankers claim that there is little clarity on the type of data that needs to be stored and therefore, the time needed to implement the said rules. “We have had the RBI’s guidelines, then my company will also have to keep a watch on the e-commerce policy because of obvious reasons, TRAI also had points on the matter. Then we have the (Justice) Srikrishna committee’s report (bill) which apparently overlaps all these other regulations. We need the government to issue proper and clear regulations or risk all this becoming a circus,” he said.
Industry participants felt that the union government should declare if the Data Protection Bill indeed overrides all sectorial regulators and if so, all recommendations (regarding user data storage) made by the RBI be struck down and ‘critical’ data be define more clearly. However, if sectorial regulators are entrusted with some powers over such norms, it should be seen that no law overlaps or conflicts with any other prevailing law and companies should be given reasonable time to act on them.
“Many companies have had to stop their products simply due to a lack of clarity. It’s not that we don’t want to comply. Even if it comes down to setting up data centres in the country, we will do that because India is a huge market that not many would leave. But first, at least tell us what the law is, listen to our issues and if its not working out, then give us a reasonable amount of time to comply,” said an executive with a global company that has faced multiple regulatory hurdles over the last few weeks.
Earlier this month, we reported that Amazon’s plan to launch its own UPI-based payments service in the country has been hampered due to RBI’s concerns regarding the storage of user data in India. More recently though, it was reported that the Indian government has asked Amazon to set up a server in India ‘on priority’ basis, to store data of its users within the country.
WhatsApp’s struggle to launch a payments service in India has also been well documented. However, the Facebook-owned company has several other issues halting its foray into the payments sector in India.
On a related note, many Fintech players also called for wider consultations of the data storage norms in the industry as its implementation could have major ramifications on them. Fintech startups, which deal with financial information of users (arguably crucial user data) are growing anxious over the draft bill and seeking more clarity, according to another report by the Economic Times.
“Impractical to set up data centres”
To set up data centres in India from scratch would not only take a lot of time and cost, but regulations in their home countries may not permit them to do so. They also fear that the central bank’s move could also set a precedent for other countries to implement similar rules at a time when there is heightened scrutiny of how companies globally handle their customers’ data. Industry representatives cited that storing the data only in India would also be a security risk, as in the event of a natural disaster, no one would have access to it if it was all stored in one place.
“See, it’s not just an issue of finances; for a company like us, it would extremely impractical to set up a data center here and comply with the local regulations because, it could/would be in violation of the many regulations in our base country,” another executive of a major international finance company told MediaNama.
Mastercard division president (South Asia) Porush Singh said that by having user data located only in India, measures to contain cross-border fraud will be diluted as the analytical software which identifies suspect transactions will not be able to match fraudulent incidents in one part of the world with transactions elsewhere.
Many of these companies have made multiple representations to the central government as well as the banking regulator through the US-India Business Council, a lobby group for US businesses in India. Furthermore, the Payments Council of India (PCI), which has around 100 members, has sought a meeting with the RBI to suggest “alternative solutions which can meet the RBI requirements of unfettered access,” according to a report.
On the flip side, domestic e-commerce/payment firms, most notably Paytm, have been repeatedly pushing for local storage of payment system data, as mandated by the RBI. Consequently, payment firms in the industry have been split into two.