Firms irked by RBI’s order to store payments data in India

While most banks in India store all this data on Indian servers in their core banking systems, the current directive addresses new-age payment and fintech companies operating in the space

Illustration: Dominic Xavier/Rediff.com

Indian financial technology companies can’t seem to catch their breath.

Even as firms operating in the financial space were coming to terms with know-your-customer norms, the Reserve Bank of India’s (RBI’s) directive to store all financial data in India has made them even more resentful of the regulatory environment in India.

The central bank wants the companies to provide “unfettered supervisory access” to their data on payments, customers and all transactions, according to its notification dated April 6, 2018, which asks them to store all data related to transactions in India alone.

While most banks in India store all this data on Indian servers in their core banking systems, the current directive addresses new-age payment and fintech companies operating in the space.

Some of the system providers do not store their payments data in India, the central bank observed.

However, payment companies aren’t entirely pleased with the proposal.

Speaking to Business Standard, mobile application-based lending company CashE said that although it now stores all its data in Mumbai, it had to move it from Singapore servers recently.

“We moved it locally but moving involves a lot of time, effort and cost. Since it’s a live platform, you have to operate servers on both locations at the same time, which is costly and at the same time, there is a cost of moving (data) itself,” said V Raman Kumar, chief executive officer (CEO), CashE.

Kumar said most companies these days preferred working with providers such as Amazon Web Services (AWS) instead of trying to build data farms, which is a costly exercise.

Notably, AWS recently entered India with its data centres in Mumbai, and much of the data of Indian companies is still on its US and Singapore servers.

However, that is soon likely to change.

It was only because of requests from multiple companies for having servers in the country that Amazon decided to set up shop in India, it said in a press release on its launch.

“These same 75,000 Indian customers, along with others anxious to start using AWS, have asked for an AWS India Region so they can move their applications that require low latency and data sovereignty,” said Andy Jassy, CEO of AWS.

Moving data from foreign servers to India is both a time-consuming and costly process.

A live server has to run on both geographies to enable a smooth transfer of data and sometimes, the cost of storage runs pretty high, depending on data requirements. For instance, CashE has 1.8 billion call records and that’s just one of the dozens of indicators it collects for checking people’s loan eligibility.

It is in this context that companies are seeking more clarity from the RBI on what the proposal entails even as the central bank has given a deadline of six months to finish the process.

The three big card companies – Mastercard, Visa, and American Express – are understood to have conveyed their reservations to the RBI.

These companies are likely to be the worst-affected because they process the bulk of the country’s digital transactions and their network processors are situated across the world to handle peak loads.

“We will give a presentation to the RBI. We have never had any breach in data, and there is a substantial cost in shifting data centres here. Ultimately this extra cost will be passed on to consumers,” said a senior executive of a leading cards company.

Even as some companies are planning to move their data, others are waiting for clarity.

Amazon Pay, PayPal, and Mastercard told Business Standard that they are reviewing the notification.

“In processing purchase transactions, Mastercard’s network only receives the card account number, the merchant name and location, the date and the amount of the transaction. Mastercard does not know what the cardholder is buying,” said Porush Singh, divisional president, Mastercard (South Asia).

Payment networks have concerns, which the Payments Council of India is considering before its consultation with the stakeholders this week.

International transactions are one such concern. Through these, data is carried outside the country and stored in foreign processors.

There is the issue of having a back-up data retrieval centre, which is usually in a foreign country, according to Naveen Surya, chairman of the council.

“The move is a good step to provide the government access to citizens’ financial data but it needs to be looked at carefully.

“Especially the phrase ‘only in India’ is problematic. People should be allowed to back up their data elsewhere as long as they are running a live server in India,” Surya said.

He added there were other reasons too for holding data abroad such as the technologies available, cost factors and emergency preparedness systems such as disaster recovery centres.

Meanwhile, Sharad Sharma, co-founder of iSPIRT foundation, said data residency was a primitive regime as compared to a consent-based data sharing regime. He said data could be stored anywhere as long as it was safe.

“The problem of data residency is that it doesn’t work unless you have the consent to access the data and encryption keys if the data is encrypted.

“This is why the consent framework is more important than data residency, the data can be stored anywhere but if you can’t access it, then there’s no use,” he said.

“We need to look at making strong contracts with firms and institutions that they will provide data whenever needed without any conditions and allow them to store it anywhere they want.”

Data localisation practices around the world

Malaysia: Act requires personal data on citizens be stored in local servers

Indonesia, Vietnam: In Indonesia, regulation says firms offering internet services to consumers must have local data centres. In Vietnam, at least one of them should be in the country

Russia: Law states firms collecting personal information must have servers within the country

China: Has various laws which state that personal, financial, and medical data of its citizens have to be stored in local servers. Online web publishers cannot have servers abroad. New law says operators of key information infrastructure must store data of citizens, which includes personal and business information, in local servers

Canada: No national law, but the provinces of Nova Scotia and British Columbia mandate that personal information (utilities, schools, hospitals) be stored locally

Australia, New Zealand: In Australia, only health records of citizens have to be stored in the country. In New Zealand, it is tax and business records

European Union: The new data protection regulation to be implemented from May, which mandates strict privacy protection rules, may force firms to maintain servers locally

Compiled by Surajeet Das Gupta
