Post a controversial meeting with the RBI, United States India Strategic Partnership, a think tank, publicly called out iSPIRT, a Bangalore-based private think tank, and also wrote to the Finance Ministry citing a conflict of interest. The USISPF had pointed out that iSPIRT is a private association, is not a stakeholder in the consultation, is not empaneled by the RBI, and isn’t an official technical advisor to the government or the RBI. The think-tank had also pointed out that Reserve Bank of India (RBI) officials had placed “great reliance” on iSPIRT inputs.

Held on October 10, 2018, four days before its payments data localisation mandate kicked in, the RBI meeting with payments companies (that were non-compliant with the localisation directive) focused compliance status with the localisation mandate and on issues faced by payments operators. MediaNama has obtained a copy of the minutes of this meeting through RTI (attached below).

From the RBI, deputy governor BP Kanungo and chief general manager P Vasudevan were present. NPCI and iSPIRT were also present, although its unspecified who represented the organisations. Kanungo had said the meeting was called “mainly to understand” if payments operators were “encountering any technological glitches or issues hindering implementation of requirements”, and that “iSPIRT would help the entities in addressing such issues, if required”.

iSPIRT representatives said data localisation was “very much technologically feasible” and could be implemented in multiple ways; the entities “should seize this opportunity and benefit from the first mover advantage by redesigning not just storage but localise the processing architecture in India as well”. They “volunteered” to assist and “if necessary, collaborate” with the technology teams of the payments companies “to arrive [at] a feasible solution” within the required timeline.

Its worth noting that the RBI redacted a line from the minutes of meeting in the RTI response:

Payments companies had asked for extension of the deadline, and also suggested data mirroring. Kanungo said the option of mirroring does not exist, and that the RBI’s mandate has to be followed. He also said that “supervisory access does not merely mean access to data but implies having complete control over payment data in India”. Some key points Kanungo made were:

  1. NPCI systems compliant, UPI operators partially compliant: ‘NPCI indicated that although they [NPCI] were fully compliant with the [localisation] guidelines for all systems operated by them, their participants, especially those handling UPI transactions were partially compliant as they had implemented data mirroring; and that they were following up with them to ensure full compliance of storage of data only in India’
  2. AMEX hadn’t begun local storage process, Kanungo reiterated RBI mandate: AMEX had admitted that they had not initiated any measures (up till the meeting) for payments data localisation in India so far. Visa and MasterCard had confirmed that they had initiated compliance steps. Kanungo told AMEX that they were permitted to store data overseas at a time when there was no specific regulation in place, but with the RBI’s circular, AMEX being an authorised PSO “cannot but comply” with the mandate.
  3. Kanungo also shot down any requests for extension of the October 15 deadline, which payments companies had been asking for a few months, and had also raised in the meeting. “At this point, a few days before the compliance deadline, there was no scope for any relaxation,” he said. “There was no point in requesting for blanket extension with the expectation the requirements would be relaxed,” he added.
  4. Kanungo also emphasized the need to ensure that there was no laxity in putting in place proper risk management and fraud risk monitoring. Data localisation needs to be complied with by the deadline, and any other architecture changes can be undertaken over time, he said. In case of non-compliance, an internal review would be undertaken, and appropriate regulatory action would ensue, he said.

He had also said that:

  1. There was no need for FAQs or clarifications, since executive director S. Ganesh Kumar had met the entities in May 2018, and had clarified that the circular was clearand did not not require clarifications. It’s worth noting that the RBI did eventually issue FAQs in June 2019, 8 months after the mandate kicked in.
  2. Payments companies should have begun compliance process soon after the circular was issued, and sufficient time of 6 months had been given to them
  3. 60 out of the 78 operational authorized non-bank PSOs had already complied with the mandate, only 16 were non-compliant as of September 28, 2018. USISPF had pointed out in its letter to the Finance Ministry that the compliant companies had largely local operations. This figure was “unrepresentative of the difficulties faced” by global payments companies that were most significantly affected by the localisation directive, the think tank had said.

Issues and concerns raised by Card Networks and PPIs

1. According to the RBI’s recorded minutes of meeting, the card networks and PPIs said the local storage mandate is not present “in any other jurisdiction”, the RBI’s mandate would be the first of its kind in the world, and there being no precedence or global architecture, it could cause data integrity issues.

2. Companies will ensure full compliance, but the challenge is adhering to the deadline of October 15, they said. Extending the deadline “would ensure stability and minimise disruptions while implementing a robust solution with concomitant fraud monitoring and risk management operations”

3. Card networks indicated that the cost involved and technological feasibility of implementation “was not a deterrent for storage of data in India”. “Reimaging the entire architecture and risk management process was a long-term project.

4. VISA also suggested that payments companies “may be permitted” to provide well-defined timelines for compliance with the guidelines and get an independent audit conducted periodically to show compliance

3. Modification in architecture would impact processing capability of downstream applications for the present

4. Data mirroring may be permitted instead of mandating storage “only” in India, as this would lead to:

  • Requirement of new architecture with impact on various existing downstream applications for Indian as well as global operations
  • Requirement to ensure comparable security, fraud monitoring and risk management standards for decentralised data pertaining to India operations
  • Isolation of Indian customers from rest of the world and thus losing out on latest technological development (tokenisation, etc.)
  • Significant effort required in deletion of data, though mirroring of data is no loess technologically cumbersome
  • Storage in India with processing of transactions overseas will mean additional hops and could lead to latencies and drops, thus breaking customer experiece and trust

Issues raised by cross-border MTSS operators

  • Transactions originate offshore and receiver and beneficiary details also form part of the foreign leg and thus needs to stored abroad
  • These is need to comply with requirements of regulators in jurisdictions they operate
  • Screening against international watchlists, etc., is centralised and thus monitoring would not be possible
  • Can comply with mirroring solution

Kanungo clarified that since MTSS operators were permitted to store data pertaining foreign leg of transaction outside, entities would be compliant as long as they ensure that the data is stored in India as well.