RBI slightly eases data storage rules
The Reserve Bank of India on Wednesday cut some slack for banks and payment system providers such as Mastercard and Visa, permitting them to store data relating to certain transactions on their servers abroad under the new data location rules.
The storage of financial transactional data on Indian consumers turned into a contentious issue with the US after India insisted that all the information with banks and payment service providers would have to be kept in a system based only in India.
In a slight modification of the tough rules that were unveiled in April last year, the RBI on Wednesday said that only data pertaining to cross-border transactions, consisting of a foreign and a domestic component, may be stored abroad if required. These would be copies of the data that would necessarily have to be stored in the country.
This is the first time that the central bank has explicitly specified what sort of financial transaction data can be stored overseas.
Foreign payment service giants such as Mastercard and Visa were supposed to comply with the earlier RBI directive by October last year but failed to do so. These players usually store data on global servers, and the requirement to store data locally would force them to make additional investments in India, which might be recovered over time by charging their customers a fee.
Last week, the issue of data localisation was raised by several e-commerce firms during their meetings with commerce and industry minister Piyush Goyal and there was an expectation that the central bank would relax the rigorous April 2018 circular.
The modification was issued in the form of frequently asked questions (FAQs) in response to queries that had been raised by payment system operators on “certain implementation issues”.
The RBI said “the entire payment data shall be stored in systems located only in India” except in certain cases.
These directions would be applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third party vendors and other entities in the payments ecosystem.
The data that would have to be stored in India would include end-to-end transaction details and information pertaining to a payment or settlement transaction that is gathered, transmitted or processed as part of a payment message or instruction.
This would include customer data such as name, mobile number, e-mail, Aadhaar number, PAN number, etc.
It would also cover payment sensitive data (customer and beneficiary account details); payment credentials (OTP, PIN, passwords, etc.); and transaction data (originating & destination system information, transaction reference, timestamp, amount).
The latest circular re-asserted that there would be no bar on the processing of payment transactions outside India if the payment service providers so desired. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
If the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier, the circular added.
Any subsequent activity such as settlement processing after payment processing, if done outside India, shall also be undertaken or performed on a near real-time basis.
In case of any other related processing activity, such as chargeback, the data can be accessed, at any time, from India where it is stored.
The circular added that the data may be shared with the overseas regulator, if so required, depending upon the nature or origin of transaction with due approval of the RBI.
Foreign banks, which were earlier specifically permitted to store banking data abroad, may continue to do so, the circular said with the same rider.
In respect of domestic payment transactions, the data shall be stored only in India. However, data on cross-border payment transactions may also be stored abroad.