RBI mandates data localisation for Payment Systems
The Reserve Bank of India (RBI), India’s central bank and the regulator for payment systems in India, in its press release dated 5 April 2018 (Press Release) on Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19, had announced that all payment system operators would need to ensure that data related to payment systems operated by them are stored only within India within a period of six months. RBI had indicated that detailed instructions would follow in a week’s time.
On 6 April 2018, RBI released a directive (Directive) with detailed instructions, which are discussed below:
RBI’s Press Release did not elaborate on the nature of data that needs to be stored within India. However, in the Directive, RBI has clarified that data would include the full end-to-end transaction details, information collected, carried or processed as part of the message or payment instruction. Further, it has been clarified that if there is a foreign leg of the transaction, then the data can also be stored in the foreign country, if required.
RBI’s move on data localisation to payment systems comes as a probable aftermath of the recent data breach that has allegedly impacted elections in US and India.
The payment system ecosystem in India has developed considerably in recent times with the emergence of new players and technology in this space. With rapid growth, it is pertinent that data stored by payment systems is indeed secure and best practices and standards are followed for securing it so as to ensure a sound digital economy. This seems to be the thought behind RBI’s sudden mandate for making local storage compulsory by payment systems in India. Data localisation by payment systems will ensure supervision and greater control over such data by RBI. The detailed instructions on compliances and reporting will help RBI enforce the Directive effectively.
However, one must consider the downside of data localisation measures, which have historically culminated in economic isolation and stifled growth for countries that have adopted them. To add to the above, the Directive is likely to largely impact the foreign players in this segment, who will now not only have to invest in infrastructure to comply with this Directive, but will also have to bear additional compliance and administrative costs. Also, the nature of data that needs to be stored locally is also wider, and would restrict the ability of foreign players to undertake other incidental support services offshore using this data, which was otherwise possible so far. Industry players may also be concerned with the mention of ‘RBI’s unfettered supervisory access’ to such data in the Directive given that India’s new data protection law is yet to be released. It will therefore be interesting to see how the Directive is implemented in practice.
Harsh Walia (Associate Partner), Supratim Chakraborty (Associate Partner), Shweta Dwivedi (Principal Associate) and Shobhit Chandra (Senior Associate)
For any queries please contact: editors@khaitanco.com
We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.
For private circulation only
The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.
© 2021 Khaitan & Co. All rights reserved.
Mumbai
One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001
Chennai
119/65, First Floor
Dr Radhakrishnan Salai
Mylapore
Chennai 600 004,
India
Noida
Max Towers
7th & 8th Floors
Sector 16B, Noida
Gautam Buddh Nagar
201 301 India
Singapore
Ocean Financial Centre
#37-02 10 Collyer
37th Floor Quay
Raffles Place 049315,
Singapore