1. Reads
  2. Lite

RBI Data Localisation: Digital Payments, Data Protection and Right to Privacy

Professor of Financial Economics and Part-time Value Investor, Transfin.
Oct 15, 2018 7:22 AM 3 min read

In light of "new payment systems, players, and platforms" mushrooming in India, the Reserve Bank of India (RBI) i.e. the banking regulator of India directed all relevant providers to localise their data in India within 6 months.


That deadline closes today. Out of 80 service providers under the scope of these rules, 64 communicated that they were ready by last week, including global tech companies (with payments offerings) such as Google, Facebook (owner of WhatsApp), Amazon, and Alibaba. Credit card network companies like Visa, Mastercard, and American Express had till the last moment sought for leeway but the regulator has not budged.


Here are the key developments surrounding RBI's latest rules:


RBI seeks data localisation norms to potentially gain "unfettered supervisory access" to payments data in India.

The Central Bank in this financial year's First Bi-monthly Monetary Policy Statement on April 5 recognized the mushrooming of new payment service providers and the need for local data storage from the perspective of supervision, safety, and security. 


[Listen in from 9:35 onwards to learn more on RBI's tough stance on data] 


80 service providers, including global tech companies (with payments offerings) such as Google, Facebook (owner of WhatsApp), Amazon, and Alibaba, and domestics like Paytm, are included in the scope of these norms.

With today's deadline looming, out of 80 service providers under the scope of these rules, 64 confirmed their readiness by last week. Credit card companies such as Visa, Mastercard, and American Express till the last moment were seeking leeway. However, the regulator has not budged. India's digital payments industry group, Payments Council of India, has been intensely lobbying as well but to no effect.


Companies need to ensure that all of their "payment systems related data" should be stored in servers located only in India. 

This data would include full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. The RBI allows data relevant to the foreign leg of a transaction, can be stored, in addition, in the foreign country, if required.


The Finance Ministry pushed for a "data mirroring" approach, which was refused by the RBI.

The Finance Ministry suggested a more liberal 'data mirroring' approach i.e. asking providers to merely keep a 'copy' of the original data in India, instead of exclusive storage. This suggestion, whilst preferred by many providers, was refused by the RBI.


US based tech firms most adamant in expressing their disapproval on this move, pushing the US government to apply more pressure on Indian authorities. Security Agencies and RBI disagree. 

Whilst the Finance Ministry appears to be comparatively amiable to the US company point of view, Indian Security Agencies and the RBI disagree. Agencies allege that aside from data protection and supervisory requirements, there have been multiple cases of terror investigations where intelligence on relevant transaction data stored in the US was released after much delay and in some cases denied. US Companies counter by saying intelligence concerns are more relevant for offshore remittance transactions, instead of all payments. At the time of going to press, the US-India Strategic Partnership Forum (USISP), a trade body representing US companies in India, is pushing to get another year for compliance. John Cornyn and Mark Warner, co-chairman of US Senate's India Caucus, wrote a letter to PM Modi last week asking him to relax India's stance on data localisation, arguing the required measures represent "key trade barriers" between the two countries. 


(We are now on your favourite messaging app – WhatsApp. We highly recommend you SUBSCRIBE to start receiving your Fresh, Homegrown and Handpicked News Feed.)