The Reserve Bank of India (RBI) is unlikely to lift restrictions on payment services providers not complying with data localisation norms anytime soon, said two government officials. The banking regulator and the government believe that processing and storage of critical financial data within the country is a “necessity for an effective supervision mechanism as well as for sound regulation.”
“It’s important that payment players adhere to the regulatory guidelines as more than enough time was given for compliance. Processing and storing data locally are essential to ensure safety of customers and the system. Banks are being asked to ensure that customer service is not impacted,” said a senior government official. The RBI rules require all payment system providers to ensure that their entire data, including end-to-end transaction details and information collected and processed, is stored in a system only in India.
The latest draft of the personal data protection Bill also envisages a strict regime for localised storage of sensitive personal and financial data, an IT Ministry official said. “Our learning with non-localised data storage has been the lack of jurisdiction in case of leaks and databases being hacked. Most often the companies that were targeted express helplessness, citing lack of orders from headquarters,” the official said. The IT Ministry had sent suggestions on the norms for local storage of sensitive financial data to the central bank.
The 2018 draft of the personal data protection Bill, which is currently being deliberated upon by a Joint Parliamentary Committee, had suggested that cross-border transfer of personal data, sensitive personal data and financial data of individuals be barred unless specifically allowed by relevant authorities. Such data, the draft Bill said, should not be retained once the purpose for which it had been transferred was fulfilled.
The National Payments Corporation of India’s RuPay card as well as Visa are expected to take fresh business from other players as they are in compliance with the norms. According to RBI data, there were 90.23 crore debit cards and 6.23 crore credit cards in India, as of May 2021. The RBI has so far barred three foreign card payment network companies — Mastercard, American Express and Diners Club — from onboarding new customers over the issue of storing data in India.
On July 14, the RBI imposed restrictions on Mastercard Asia Pacific Pte Ltd from onboarding domestic customers (debit, credit or prepaid) in India from July 22, citing non-compliance with guidelines for storage of data in India. The RBI said it had given almost three years to Mastercard for complying with the regulatory directions, but it was unable to complete the process.
The RBI’s April 6, 2018 circular on Storage of Payment System Data requires all system providers to ensure that within six months the entire data relating to payment systems operated by them is stored in a system only in India. However, credit and card firms with global operations have been resisting the move, citing higher compliance costs, security risk and the possibility of data localisation demand from other countries. Officials clarified that there will be no easing of the data storage norms despite demands for relaxation from global companies.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.