The Reserve Bank of India (RBI) recently commanded the spotlight by disallowing three internationally recognised card payment network firms – Mastercard, American Express, and Diners Club – from gaining any new Indian customers due to issues regarding data storage on Indian soil. The RBI’s decree is set to affect about five private banks, including Axis Bank, Yes Bank, and IndusInd Bank. The current Personal Data Protection Bill also contains clauses related to ‘data localisation’.
RBI’s Stance on Data Storage
The RBI released a directive in April 2018 instructing all system providers to ensure that data linked with the payment systems they operated would be stored in systems exclusively located in India within a period of six months. This data would comprise end-to-end transaction details and information either collected or processed as part of the message or payment instruction. The firms were also expected to acknowledge adherence to the RBI’s rules and offer a board-approved system audit report compiled by a Computer Emergency Response Team – India (CERT-IN) empanelled auditor within the specified deadlines.
Payment Firms’ Reasoning for Non-Compliance
Payment companies such as Visa and Mastercard, currently storing and managing transactions data of Indian origin outside of the country, voiced concerns over the high costs of data transfer to India. These companies, running centralised systems, estimated millions of dollars in expenses. Additionally, they feared that if data localisation were implemented in India, other countries might demand similar concessions. This potential ripple effect could jeopardise their business strategies. Furthermore, the firms highlighted the RBI’s inflexibility despite the Finance Ministry’s suggestions to ease the norms for data transfers. The RBI maintained its stance, citing the need for closer scrutiny of payment systems due to the digital transactions boom.
The Implications of RBI’s Directive
The RBI’s move to prohibit these entities from accepting new Indian customers is a critical decision taken with the intent to make all payment system operators store or localise their end-to-end transaction data in India. This mandate aims to simplify law enforcement by improving access to data—a long-standing challenge for law enforcement entities.
Regulation of Payment Firms
Companies like Mastercard, Visa and the National Payments Corporation of India (NPCI) are authorised Payment System Operators that operate card networks in India under the Payment and Settlement Systems (PSS) Act, 2007. According to the Act, the RBI is the regulatory and supervisory authority for payment systems in the country. These payment systems enable transactions between payers and beneficiaries through clearing, settlement, or both. The systems can be paper-based (like cheques and demand drafts) or digital (such as the National Electronic Fund Transfer (NEFT), the BHIM app, and settlement systems). The RBI has also decided to permit non-banking entities like Prepaid Payment Instrument (PPI) issuers, card networks, White Label ATM operators, and Trade Receivables Discounting System (TReDS) platforms to become members of the centralised payment system and execute fund transfers via Real Time Gross Settlement (RTGS) and NEFT.
The Way Forward
All entities must adhere to the RBI’s localisation mandate. However, it’s equally important to consider that stringent localisation might adversely affect India’s payments ecosystem. To establish a more effective law enforcement mechanism, India should consider moving beyond the Mutual Legal Assistance Treaty (MLAT), which is slow and ineffective, towards a system founded on bilateral treaties on data transfers with regions like the European Union, the UK, and the US. The objective should be to ensure timely data accessibility for Indian law enforcement while simultaneously encouraging data flows to boost innovation and trade in the tech ecosystem.