The Reserve Bank of India (RBI) has asked payment system operators to store the data they collect on transactions in India within databases located in the country.
The move will affect cross-border specialist payment operators and companies like VISA and Mastercard, say experts, because payment operators have to comply with the regulations in six months.
Under the Payment and Settlement Systems Act, 2007, there are 88 certified payment system operators, operating in various categories.
The RBI’s decision comes when the number of cyber-attacks, particularly in institutional and personal data theft, in the country and the world is reaching historic highs.
“Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches,” says the RBI in its statement on the developmental and regulatory policies’ report.
Examples of payment system operations include financial market operators like Clearing Corporation of India; retail payment operators like National Payments Corporation of India; card payment network operators like VISA, Mastercard and American Express; cross-border money operators like UAE Exchange; ATM Network operators which include state-owned banks, pre-paid instrument companies, instant money transfer companies, among others.
“Most domestic players already have data within India. But global players like Visa and Mastercard might be impacted by this. However, Google and Whatsapp are not considered payment operators by the RBI as they are interface for UPI,” says Dewang Neralla, chief executive of Atom Technologies Spokespersons for AmazonPay, Google and MasterCard told Business Standard they were reviewing the RBI’s instructions.
The RBI’s decision is based on the fact that “at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country”.
Some payment system operators have substantial international operations, which include data management and analysis, which involves cross-border information sharing.
Some of these companies may choose to store their data in specific legal jurisdictions or spread it across databases in various countries.
Vivek Belgavi, partner at PwC, told Business Standard: “Typically there are two situations in which a company might want to store data outside India. One is in the case of a joint venture, in which one company rides on the infrastructure and network strength of another, or when a company is using a cloud-based database provider.”
“Such guidelines were issued by the RBI for banks in the past, which made sure that banking data was stored only in India. These conditions were less stringent on payment system companies but now it has been extended,” he said.
The regulator will issue instructions within a week, and the players expect there will be clarity as to how the different payment system operators will be treated under this supervisory mechanism.
“National Payments Corporation of India and the Clearing Corporation of India process data within India, but MasterCard, VISA and American Express may have to invest for doing processing activity (for transactions in India) within country,” said A P Hota, former managing director and chief executive officer of National Payments Corporation of India.
The decision to store data within a country or to adopt a cloud-based database is essentially a commercial one, said Belgavi, as companies might choose to avail of services from specific service providers or form partnerships with companies with a global presence.
“As a business either you do a solution-based implementation or a provisional implementation, but now because of this norm companies will have to assess their current database management practices and undertake migration (to a new system) if necessary,” said Belgavi.
“With this new directive of the central bank, entry will become a bit tougher for a foreign player that generally has unified systems and works across the globe with same application servers,” Jitendra Gupta, managing director of PayU India.