Earlier in April this year, the RBI passed a directive that all payment providers operating in India have to store payments related data in India. The regulator gave a hard, 6-month deadline for the companies to comply and store all payments-related data locally. The Draft Personal Data Protection Bill, 2018, was released in July, with its own requirements for data localisation, compounding the confusion.
MediaNama held a round-table discussion on localisation of fintech data on 23rd November. What follows are the main arguments made around issues surrounding the policy. The discussion was held under the Chatham House Rule, therefore, quotes have not been attributed to persons, their affiliations or organisations have been withheld. This is the second part of the discussion, read the first part here.
Quotes are not verbatim, have been edited for clarity and brevity, emphasis has been added. Each point was made by a different person.
On the question of data and its storage
- In the e-commerce policy, data would be mandatorily given to a public KYC registry; and startups with revenues of up to Rs 50 crores would be able to get access to data. Some other company’s data is converted to a public asset, step 1, step 2 is, small startups can basically act as someone else’s data. How would that be operationalised? Will this hold up in court?
- Internet companies work on a central, graph API that’s not located in any country, it’s open to all. That’s how good or bad actors can get hold of data. The issue of whether when you bring data to India, how do you ensure other people get access to it is not new.
- (Same person as above) Between 2012 and 2016, Ericsson, the patent holder on most phones, creates a patent block that disallows other companies from even manufacturing smartphones. One of the government’s solutions was nationalizing some of these patents, put them in a pool, and ensure Indian companies get access after paying a fair royalty. The patents are called FRANDs.. and Micromax or Lava can use these patents to make a phone. This whole system was subverted. But if you nationalise data, you’d first have to acquire this data, it’s property. Divest it and put it into a pool and allow third parties to access that data… I don’t think it’d work.
- The primary custodian of payments data is regulated banks, because nobody else can issue debit cards, credit cards, UPI handles, and bank accounts. The regulatory mechanism allows to ask for data whenever it is required. There is regulatory reporting not only to RBI but also to all the law enforcement agencies through FIUs. So even if payment companies are processing overseas, the question of law enforcement getting access is already there. We don’t know what will be achieved by asking payment companies to store one more copy here.
- (Same person as above) When we talk about the cloud, we think infrastructure will be localised. We forget that even if we go down that path, all these are US companies. So even if companies are forced to localise and move their data, it’s moving from a US pocket to another US pocket. The whole logic of India is going to gain a lot is moot.
Financial crime, audits and security of data storage
- (Same person as above) If we do payments data only in India, just as a case, means that India becomes a centre point of attraction by the financial crime world. Second thing: What happens to BCP? If this copy of business continuity planning fails, what is the Indian user going to do? Under the RBI directive, you can’t keep a copy anywhere else. So you’re creating a single point of failure… you’re wondering why the circular was released. This is almost like a solution looking for a problem. It really doesn’t address the real motivation.
- One of the issues is fraud detection. Anti-money laundering processes — the AI that tells you as to what may be going wrong in the entire global financial system, and when you have cross-border financial crimes, your dataset is getting excluded from that dataset, so that intelligence of transactions is missing out. I don’t know if there’s truth in this argument..
- It’s a fallacious argument made by a lot of vested interests. In a prod engine you look for patterns, geosensing… [If the data set is in India]… Transactional data is transitional. When you start doing your transaction right now, the data flows over the wire, it could go into any software residing anywhere across the globe, get validated with engines, and come down and have a local storage copy in India. You should technically have two copies of the data in India, transactional data, while one copy which is used for fraud purposes— Tokenization is an altogether different concept.
- … If we have the same data in India, and the transactional data or wire is cut off, you still have the entire data available for settlement purposes.. your ability to settle for merchants and consumers will be lost… Having only one copy of data only in India is a different approach, as someone said it could be because of worry of authenticity or integrity of data itself. If you create copies you’re not trusting integrity of data. But as long as you trust, and ensure a copy of data is available realtime, come what may, you’re protecting the financial integrity of the country.
- The RBI directive allows for a third party auditor, the auditor would check integrity on both sides. In the RBI circular, banks are exempt though they are the primary custodian of data… There are two other entities who deal with more sensitive data outside the purview of this guideline: NBFC companies and credit bureaus. If it’s just payment companies and not banks and other players in the space, why did this come out in such a major fashion?
How and why did this regulation come about?
- As far as the payment settlement systems are concerned, there is express statutory authority to come up with this directive in the fashion that it did… That could have been the trigger, to have a first-time sectoral regulation when it comes to data localisation and Payment & Settlements Act allowed them to do that while Srikrishna Committee continued a parallel process. So why pre-empt the law then?
- When Watal Committee report came out, this Payment Settlement Act there was always a conflict of interest with the payment ecosystem: Whether the RBI or a sectoral entity should look into payments. The RBI would have mandated. Maybe the RBI wanted to play extra safe with the payments industry. In case of issues or anomalies in transaction, the RBI would like access to data, and for it to be within the Indian community.. or there’d be questions about the RBI’s operational efficiency. But this would be a Payments Regulatory Board question than RBI’s. This has preempted its creation.
The impact of the regulation: businesses and processes
- Maybe Visa, Mastercard, Amex, PayPal, Google, Facebook, Amazon would have data outside the country. Rest of the Indian players are storing in India. (A company) too, which had processing centers in (a country), moved their data centers to India 2.5 years ago, after pressure from banks. There was no RBI regulation that time. From a payment perspective, I don’t think much has changed. Transactions have been flowing as they have earlier.
- A certain amount of time that might be required by a larger major to shift the data in India. If you’re trying to move data, and every piece of data has to be in India, I think a longer amount of time should have been provided.
As of October 15th, networks are only complying with mirroring. There is at least, individual company level discussions on new timelines for only-in-India. One of the unwritten rules is, if you are a company that’s already in business, then you need to comply with the data localisation, and it’s an individual negotiation on what that date is.
- But if you haven’t yet launched, you can’t officially launch until you comply…You’re not telling Visa, don’t sign up new customers till you comply. But you say, hey company XYZ, you can’t launch until you comply. So it’s creating an artificial barrier.
- But the path we’re hearing that most companies take is processing overseas, and deleting data from their overseas data centers.
- A few US medium-sized payment companies who were, over the years, getting more and more excited about India given all the reforms, etc. finally got on board and on UPI and thought about how they would integrate their systems, and this new uncertainty has put their market entry plans on hold, including doing partnerships with local Indian startups.
- How will it affect a much smaller service here if you’re building a fintech platform or company on top of a foreign company’s API. How this uncertainty is affecting your current business?
- We (a company) would only work with Indian data centers, because we thought it’s better to be cautious in case there is some bullet point in the mandate which requires us to do it. While we did not use WhatsApp, Facebook APIs, all the technology that we used to build this platform was foreign.
- I don’t see a challenge in launching a product for India in India.
Fintech startups… they are mentally prepared that in every country you go and launch something, you’ll have to be ready for this kind of regulation… Internally we have to keep our business running so we are prepared for it.
- I think the way the internet platforms are built, you achieve scale of economy, there are a thousand servers in one place. And that economies of scale come to you as an internet platform… You ask an Indian fintech, set up in ten different countries with entire compliances, and let them figure out the math. They’ll figure it out.
Cybersecurity and impacts
- You move out from the core and get into decentralised systems; if something gets broken at some point, the whole system could come down… We know that state-sponsored cross-border and private cross-border attack could have a devastating effect.
This is why an internet architecture on a cloud running off a centralized platform brings in efficiency and security. This has been proven for ages now. GDPR doesn’t insist on data localisation…. Indirectly in the long run you’re stifling choice and competition. If new startups want to expand here, it’ll be a challenge.
- There are two unquestionably negative impacts here: One is the economic impact in the sense that in two ways: there will be some cost of compliance no matter how much you minimize it. Two, this creates barriers to entry which will reduce competition. The benefit of the local industry comes at the cost of the consumer. And you always have to put the consumer and citizen first.
- We (a company) were operating out of (outside India). There was definitely a problem to shift the data (due to regulations). When you look at the way you process information and transactions, you need to create a parallel system. If you’re hosting out of a single premise, you can enjoy the economical scale there. The whole cost was replicated. Whatever we had in data centers, we had to pull out and create a parallel dataset in (another country).
- The RBI could have given a longer timeframe because data movement is a risky process. You could corrupt or lose data. They could have given time for the companies to go around and doing things. The amount of data is voluminous. If you try to get any company to shift their data centers, it takes three to six months. International companies will take longer. The regulators know better why they did it with a hard deadline.
Who owns data?
- The other impact: I am not a subject of the Indian state. The state doesn’t own me and my data. Where my data should be located is a decision only I should make by my choices. To not bring up that aspect and question it in the public discourse is to normalize something that is wrong.
- Even the privacy judgement and the Srikrishna commission report affirm that individuals own the data. It is us who will determine how I want to deal with my data; equally, the point of the data is today the data of business today too. Because business is transactional data. So the data autonomy as to how we manage our data should be left to individuals and businesses to deal with.
Other points raised
- We’re seeing that lots of standards are suddenly being developed in India, where we’re trying to build barriers for goods not coming to India, and this is a barrier. If India really wanted to do this, get investments into data centers, why did we never follow the Make in India scheme? Why did we never say we will give you this concession, tax exemption, please come set up all these businesses? Because there is only one jail card, where no questions are asked: security. The question is, who will pay? Unfortunately the problem is whether it’s security… Slowly we’ll see data being taxed all around the world. Cost of compliance, litigation, it’s the consumers who will pay for it.
- We don’t have a national data center policy, we don’t have a localisation policy, it’s problematic. There may be good reasons to localise. But we need to discuss that. ..If the intention is to keep data in India to enable a local infrastructure, maybe we need to ask ourselves where the infrastructure is going to come from. The barrier to entry is not just to foreign SMEs, it’s also to Indian SMEs. We don’t have large data center companies in this country. So the demand is probably going to be met by large foreign companies.
- EU and Japan signed a bilateral treaty recently in July to save data flows only between those two places, because it was part of the FTA. Now as bilateral and multilateral or regional blocs will start negotiating, one of the parts of the parcel is how data is shared; we accept your privacy regulations, you accept ours, there is protection to the consumer. And if there is any sort of enforcement, we will allow it to reach to Japan and vice versa. At the end of the day, it helps increase trade. We’ll have people, trade, others will have goods. How can we start negotiating those kind of issues which will help us move up the value chain of trade?
- The entire chain of transactions of Indian payments data moves through regulated and licensed entities. The data is in India. Nothing leaves the country without RBI knowing it. They’re the primary custodian. Secondly, is there bilateral agreement between banks and the RBI? We’ve got a bilateral agreement between regulators, which allows them to exchange each other’s citizens’ information. Is there a way to get information? The answer is yes.
- There could have been a better way of engagement and clarity, and opportunity for stakeholders to discuss and find alternative measures.