loader

Disclaimer

The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above
Close

Search

See all results for ""

RBI mandates data localisation for Payment Systems

17-Apr-2018

The Reserve Bank of India (RBI), India’s central bank and the regulator for payment systems in India, in its press release dated 5 April 2018 (Press Release) on Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19, had announced that all payment system operators would need to ensure that data related to payment systems operated by them are stored only within India within a period of six months. RBI had indicated that detailed instructions would follow in a week’s time.
On 6 April 2018, RBI released a directive (Directive) with detailed instructions, which are discussed below:
What Payment Systems need to do?

All payment system providers will need to ensure that the entire data relating to payment systems operated by them are stored in a system only in India;

System providers need to ensure compliance of (a) above within a period of six months i.e. latest on or before 15 October 2018. Such compliance will also need to be reported to the RBI;

System providers will need to submit a System Audit Report (SAR) on completion of the requirement at (a) above. Such audit needs to be conducted by Indian Computer Emergency Response Team (CERT-In) (Ministry of Electronics and Information Technology) empanelled auditors certifying completion of compliance in (a) above;

The SAR duly approved by the board of the system providers will need to be submitted to RBI, not later than 31 December 2018.

What Data needs to be stored in India?
RBI’s Press Release did not elaborate on the nature of data that needs to be stored within India. However, in the Directive, RBI has clarified that data would include the full end-to-end transaction details, information collected, carried or processed as part of the message or payment instruction. Further, it has been clarified that if there is a foreign leg of the transaction, then the data can also be stored in the foreign country, if required.
Comment
RBI’s move on data localisation to payment systems comes as a probable aftermath of the recent data breach that has allegedly impacted elections in US and India.
The payment system ecosystem in India has developed considerably in recent times with the emergence of new players and technology in this space. With rapid growth, it is pertinent that data stored by payment systems is indeed secure and best practices and standards are followed for securing it so as to ensure a sound digital economy. This seems to be the thought behind RBI’s sudden mandate for making local storage compulsory by payment systems in India. Data localisation by payment systems will ensure supervision and greater control over such data by RBI. The detailed instructions on compliances and reporting will help RBI enforce the Directive effectively.
However, one must consider the downside of data localisation measures, which have historically culminated in economic isolation and stifled growth for countries that have adopted them. To add to the above, the Directive is likely to largely impact the foreign players in this segment, who will now not only have to invest in infrastructure to comply with this Directive, but will also have to bear additional compliance and administrative costs. Also, the nature of data that needs to be stored locally is also wider, and would restrict the ability of foreign players to undertake other incidental support services offshore using this data, which was otherwise possible so far. Industry players may also be concerned with the mention of ‘RBI’s unfettered supervisory access’ to such data in the Directive given that India’s new data protection law is yet to be released. It will therefore be interesting to see how the Directive is implemented in practice.

Harsh Walia (Associate Partner), Supratim Chakraborty (Associate Partner), Shweta Dwivedi (Principal Associate) and Shobhit Chandra (Senior Associate)

For any queries please contact: editors@khaitanco.com

Harsh Walia (partners) , Supratim Chakraborty (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2021 Khaitan & Co. All rights reserved.

Mumbai

One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001

Chennai

119/65, First Floor
Dr Radhakrishnan Salai
Mylapore
Chennai 600 004,
India

Noida

Max Towers
7th & 8th Floors
Sector 16B, Noida
Gautam Buddh Nagar
201 301 India

Singapore

Ocean Financial Centre
#37-02 10 Collyer
37th Floor Quay
Raffles Place 049315,
Singapore