In a blog post, PhonePe has alleged that international payment companies like Google and WhatsApp are trying to evade taxes by having data servers abroad (and not in India). It added that for this reason, these companies are reluctant to have local data servers in India. In April, the RBI mandated that all payments system operators operating in India had to ensure that payment systems data be stored in the country within 6 months. The move would have come into effect from October 15 this year.
PhonePe went on to say, “We believe Google needs to clarify its stand more crisply. Is Google confirming that it will process and store all payment transactions related data only within Indian boundaries?” Google operates a competing service called Google Pay in India. Interestingly, Google said that it would abide by the RBI’s directive, but also asked for a 2 month extension.
The following is PhonePe’s argument for data localisation:
No policy contradiction in FDI and local data storage
PhonePe says that FDI is “important for rapidly scaling the Indian fintech sector. PhonePe itself is majority-owned by a foreign company today.” However, it also adds that,
“We see no policy contradiction in terms of India having a liberal FDI policy, and having a strong data localization policy. Both policies can and should co-exist. FDI helps grow the market faster and allows foreign investors to participate in this growth, while data localization aims to protect the interests of our consumers.”
Why digital payments should be stored and processed locally
According to PhonePe, there are two major implications of RBI’s Data Storage localization policy.
1. National Safety & Security: PhonePe says that without data localisation, the RBI cannot–
- Monitor digital payments activity if all data is stored and processed abroad
- Does not have legal powers and resources to audit or regulate the activities at abroad data centres
- Cannot prevent foreign actors from spying on Indians’ financial data, or thwart cyber warfare attacks if the payments systems are hosted abroad
- Guarantee continuity of critical payments services to hundreds of millions of Indians, if a foreign government suddenly imposes sanctions on India
2. National Wealth Creation: PhonePe says most governments around the world recognize financial data as a massive source of national wealth creation. These governments are actively plugging regulatory loopholes that would allow foreign companies to exploit local market data without paying fair taxes, it adds. India should be no different in this regard, the company argues.
We offer access to the largest open Internet market on the planet today. We are home to 500Mn smartphone users. We are the world’s #1 consumer of Internet data. We also have one of the most dynamic, competitive and fastest growing digital payments sectors in the world. As a market, it simply doesn’t get more attractive than this today.
Why are global companies against RBI’s norms?
RBI norms will protect user data
The Flipkart owned company also claims that the central bank’s mandate would
- protect financial data of Indians from being used to “sharpen user targeting engines” of companies like Google and Facebook.
PhonePe questioned why Google should be allowed to share user data from its payments app with the company’s global monetization platforms for free, when the Indian banks it tied up with to launch the platform are not mandated to do so.
“If WhatsApp Pay & Google Pay (Tez) are forced to process digital payments transactions only in India, then FB and Google cannot claim that the revenues generated from these apps fall under foreign jurisdiction, just because their data servers are abroad. Indian tax jurisdiction gets very clearly established now.”
Relaxed norms for payment networks
PhonePe has said that major payment networks such as Visa and Mastercard should be allowed to mirror user data, so that they could offer uninterrupted services to Indian consumers when they use their physical cards globally. The company, however, made it clear that these companies should primarily store and process user data in India and, only then be allowed to mirror the same to their global servers. RBI’s guidelines say that data pertaining to the foreign leg of transactions can be stored abroad.
- RBI seeks fortnightly updates from payments firms on data localisation: Visa
- Global payment cos still in dark with RBI’s local data storage norms
- Govt says foreign firms storing copies of data ‘locally’ a potential solution over RBI norms
- Amazon India’s UPI payments service launch hampered by data norms
- Paytm says 6 months enough for data localisation norms; fintech cos seeks clarity over privacy bill
- Paytm wants govt to implement local payment data storage norms
- India to ease payment data storage norms for foreign firms: Report
The following is the full text of PhonePe’s blog post –
Context: On April 6th 2018, the Reserve Bank of India issued a circular, which mandates all payment ecosystem players operating in India to store all data related to user transactions within national boundaries only. The deadline to comply with this circular is October 15, 2018.
It’s worth noting that the RBI circular pertains only to payments-related data storage, not all types of consumer data. The Indian government is separately framing a comprehensive Consumer Data Protection Act. The Justice Srikrishna committee was tasked with this exercise and presented its draft Data Protection Bill, 2018 in July 2018.
In this blog, we limit our attention to the RBI Data Storage circular only, and its implications on the digital payments ecosystem of India, of which we are an integral part today.
Our Core Beliefs:
- We believe that FDI is important for rapidly scaling the Indian fintech sector. PhonePe itself is majority-owned by a foreign company today.
- We strongly believe that Data Localization is critical for the long-term security of any country’s financial services sector. For the record, PhonePe processes all payment transactions in India. We also store all our data on India servers only.
- We see no policy contradiction in terms of India having a liberal FDI policy, and having a strong data localization policy. Both policies can and should co-exist. FDI helps grow the market faster and allows foreign investors to participate in this growth, while data localization aims to protect the interests of our consumers.
- We strongly believe in level playing fields in an open market. This means that all payments companies (whether domestically owned, FDI-funded or 100% foreign cos) — doing business in India must:
- Abide by the law of the land in India
- Protect our citizen’s financial data
- Pay fair taxes on income earned in India
Why we believe digital payments data should be ‘processed’ AND ‘stored’ only in India:
There are two major implications of RBI’s Data Storage localization policy. One, it will make India’s digital payments ecosystem much more resilient to foreign attacks and global politics. Two, it will allow for better regulatory oversight and plug business-jurisdiction related loopholes that some foreign companies have long exploited to evade paying fair taxes in India.
- “National Safety & Security” — Financial Services is one of the most sensitive and critical sectors of any economy worldwide. Therefore, as India rapidly shifts towards becoming a less-cash society, it must shore up its digital payments infrastructure equally fast so the country can:
- a) Survive hostile attacks by foreign state & non-state actors alike.
- b) Insulate our payment systems against foreign sanctions and politics.
In India, this responsibility lies with the RBI. Ordinary Indian citizens place immense trust in the RBI to do so because it’s proven to been a pillar of strength of the economy for many decades, and does so by laying down regulatory policies that ensure undisrupted, safe and secure access to financial services for all Indians.
So why is the RBI pushing for payments data localization? Here’s a few reasons we can think of:
- Can RBI monitor digital payments activity if all the transactions are processed abroad & data is stored abroad outside the sovereign boundaries of the country. The answer is NO.
- Does RBI have adequate legal powers and resources to effectively audit or regulate foreign payment companies’ activities at offshore data centers. The answer is NO.
- Can RBI prevent foreign actors from spying on Indians’ financial data, or thwart cyber warfare attacks if the payments systems are hosted abroad? The answer is NO.
- Can RBI guarantee continuity of critical payments services to hundreds of millions of Indians, if a foreign government suddenly imposes sanctions on India? If the data processing and storage is happening abroad, again the answer is NO.
Therefore, in order to improve the national security of our digital payment systems, it makes perfect sense for the RBI to require payment companies, doing business in India, to process and store our consumer’s transaction data within India. This mandate forces all players to be compliant with Indian laws, and minimizes the overall exposure of our payment services getting crippled due to external events.
On this front, we believe Google needs to clarify its stand more crisply. Is Google confirming that it will a) process and b) store all payment transactions related data ONLY within Indian boundaries. Or is Google simply doing data mirroring, but keeping all their processing systems and primary data storage abroad. If processing and primary storage resides outside India, then all the systemic risks mentioned above continue to exist.
Finally, it’s worth noting that India isn’t taking an isolated position on Data Localization. Many foreign governments across the world, such as Australia, Canada, China, Russia etc (see here), have already passed their own versions of Data Localization laws to protect their national interests.
- “National Wealth Creation” — If “data is the new oil”, then “payments data is the new gold mine”. For a large number of Internet companies whose core business model revolves around monetizing user data, payments transaction data is a very precious data signal indeed.
Today most governments around the world recognize financial data as a massive source of national wealth creation, and are actively plugging regulatory loopholes that would allow foreign companies to exploit local market data without paying fair taxes.
India should be no different in this regards. We offer access to the largest open Internet market on the planet today. We are home to 500Mn smartphone users. We are the world’s #1 consumer of Internet data. We also have one of the most dynamic, competitive and fastest growing digital payments sectors in the world. As a market, it simply doesn’t get more attractive than this today.
Which begs the next question…
Why are so many global payment behemoths fiercely lobbying against this mandate?
- It’s definitely not about customer experience. 99.9999% of the time, Indians will make digital payments to other Indian consumers & merchants while being physically present in India. So it makes great product sense to process payment transactions locally because it will reduce network latencies and improve overall consumer experience.
- It’s not about India’s DC capacity either. This is 2018 people. MNCs like Amazon, Microsoft and Google are building/managing massive data centers in India, and selling cloud services with geofencing capabilitiesto other local Indian startups today. These companies are in no real position to claim that DC infra is the problem.
- It’s unlikely that these MNCs are fretting the upfront cost either. Investing a few tens of million dollars on domestic processing & storage capacity is well worth it, if it buys you unfettered access to the multi-billion dollar Indian payments market. The long-term ROI is still very very attractive.
- It not about the migration effort either. Tez launched its UPI services barely 10 months ago, and WhatsApp is still in beta mode. Much older & larger domestic payment companies, with much more complex tech stacks and much larger data archives, have already complied with the RBI circular.
The ‘only’ issue that’s at the heart of the problem
Most of the protests by Internet companies are related to the fact that RBI’s is forcing them to process and store payments data only in India. This word “only” is at the root of the issue, because it also kills most facetious tax evasion arguments in play today. This is most likely an unintended side benefit of RBI’s mandate, but it’s a brilliant outcome as far as levelling the playing field for domestic Internet companies is concerned.
Think about it… If WhatsApp Pay & Google Pay (Tez) are forced to process digital payments transactions only in India, then FB and Google:
- Cannot claim that the revenues generated from these apps fall under foreign jurisdiction, just because their data servers are abroad. Indian tax jurisdiction gets very clearly established now.
- Cannot share Indian user’s financial data with their ‘foreign’ platforms like Adwords and Facebook Ads. This means India’s payment data cannot be used to sharpen user targeting engines of the companies, who have other products/apps spanning sectors like Search, Maps, Social Networks, App Stores etc.
Today we have a peculiar situation, wherein apps like Google Pay (Tez) — built exclusively for the Indian consumer — are owned and operated by foreign entities like ‘Google LLC’ and the data is stored on their foreign servers. Tez, for eg, was launched in partnership with the four largest Indian banks. Each of those four banks is required by law to store their customer data exclusively in India, then why should Tez be allowed to share the same payments data with Google’s global monetization platforms for free?
As for global payment networks such as Visa and Mastercard, or global remittance companies, there is a case to be made for allowing mirroring the payments transaction data to their foreign DCs as well, so they can provide uninterrupted services to Indian consumers wherever they use their physical cards globally. But the primary processing and storage should be in India, and mirroring should be from India to their global DCs, not the other way around.The RBI has already clarified that data records pertaining to the foreign leg of transactions can be stored abroad. This seems to be the only part of the circular where further clarity might be useful in this context.