The RBI has issued FAQs clarifying, among other things, that all payments data needs to be stored in systems located in India. The regulator issued the FAQs in response to implementation issues raised by payments companies.
- Data processed outside: The RBI also clarified that while there is no bar on overseas processing of strictly domestic transactions, the data shall be brought back to India within one business day or 24 hours of payment processing and be stored locally. The regulator also said that should companies need access to data for payment processing activities, they can access it at any time.
- Data to be mandatorily stored in India includes i) customer data – name, mobile number, email, Aadhaar number, PAN number, etc. as applicable; ii) payment sensitive data – customer and beneficiary account details; iii) payment credentials – OTP, PIN, passwords, etc.; and iv) transaction data – originating & destination system information, transaction reference, timestamp, amount, etc. It said data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions.
- These norms are applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors and other entities in the payments ecosystem apart from all payment system providers authorised by the RBI.
We would like to thank the @RBI for issuing an FAQ document on Storage of Payment System Data, and Hon’ble Minister, @PiyushGoyal for enabling this initiative: https://t.co/1GD4V8yMyu @PiyushGoyalOffc @CimGOI @debjani_ghosh_
— NASSCOM (@nasscom) June 26, 2019
In a closed-door meeting between the commerce ministry and tech and e-commerce companies last week, all the companies raised concerns related to RBI’s data storage requirements and processing-related guidelines. The apex bank regulator’s deputy governor BP Kanungo, who was also present at the meeting, had then “assured” these companies that RBI would look into the matter. However, for now, the central bank has only issued these FAQs, which are a mere clarification of RBI’s stance on data storage requirements. We are still waiting for the RBI to take a second look at this matter as per its assurance to companies.
The central bank, in April 2018, had mandated all payments system operators working in India to ensure that data related to payment systems operated by them is stored in the country. “In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of six months,” RBI had said in a report during its April 2018 Monetary Policy meeting.
A timeline of the RBI’s localisation mandate for payments data
- April 2018: the localisation circular surfaces: The RBI told all payments system operators in India to ensure that payments-related data was stored within the country and gave the companies six months to comply. The RBI wanted data stored locally “to have unfettered access to all payment data for supervisory purposes”.
- July 2018, Finance ministry tries to step in: The Finance Ministry eased the RBI’s directive for foreign payment firms, saying that mirroring a copy of the data in India would be sufficient. Payments companies were relieved, assuming that the Finance Ministry’s directive stood and that it would be okay to mirror user data in India. The companies were awaiting a circular from the central bank to this effect. However, the RBI did not issue any such circular.
- Also in July, the Data Protection Bill mandated localisation: The long-awaited draft Data Protection Bill 2018 was submitted to the government, adding to the confusion. The bill overrode all sectoral regulators and therefore all their directives. It mandated that all data fiduciaries store a copy of users’ personal data in India. Worryingly, it also required mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to explicitly define ‘critical data’.
- September 2018, RBI asks for updates on local storage: The RBI asked payment companies to send it fortnightly updates about their progress on local storage of payments data.
- October 2018, RBI circular comes into effect: The RBI’s circular on localisation of payments data came into effect.
- February 2019: The Department for Promotion of Industry and Internal Trade released a Draft E-commerce Policy, which included strategies for regulating access to data, mandating data storage requirements, and controlling cross-border data flows. Data localisation may now be left out of the e-commerce policy, and left to the jurisdiction of the Data Protection Bill, which is expected to be tabled in Parliament’s Budget session.