On 6th April, 2018, the Reserve Bank of India (RBI) issued a notification (Notification) mandating that all data related to payment systems be locally stored only in India (Data Localisation Mandate).[1] System providers were required to comply within 6 months, and report such compliance to the RBI by 15th October, 2018.
System providers must also submit to the RBI, by 31st December, 2018, a System Audit Report by auditors empanelled with the Indian Computer Emergency Response Team (CERT-IN).
I. Who is affected by the RBI Circular?
a. The Notification was issued under the Payments and Settlements Act, 2007 (Act). It applies to system providers. A system provider has been defined under the Act to be “a person who operates an authorized payment system.”[2] System providers include all entities that operate payment systems.[3] Therefore, banks and other financial service providers that operate payment systems are obligated by the Notification to store all the data “relating to payment systems” only in India.
II. What is data “relating to payment systems”?
a. The Notification defines data “relating to payment systems” broadly to include “end-to-end transaction details” and information that is collected, shared or processed as part of a payment instruction[4] within a payment system.
III. Does the Notification apply to foreign data?
a. Data of the “foreign leg of the transaction” may be stored in another country.
b. However, the requirement to store all the data “relating to payment systems” only in India under the Data Localisation Mandate prohibits even copies of such data from being stored outside India.
c. The Notification does not address the conflict between the Data Localisation Mandate and applicable data localisation requirements of another country, if any.
d. The failure to address such a conflict of laws may be a result of the absence of statutory authority of the RBI to regulate data in the “foreign leg of the transaction” under the Act. The statutory provision that allowed the RBI to issue the Notification empowers the RBI to lay down policies for the regulation of payment systems with regard to domestic transactions only.[5]
IV. Other Instances of Data Localisation.
Some other instances of data storage and localisation requirements in the context of financial investments and financial service providers are as follows:
a. Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017[6]: Issuers of Prepaid Payment Instruments (PPI) are required to localize data of all PPI transactions for ten years.
This direction also mandates PPI issuers to comply with the operative regulatory frameworks in relation to cross border flow of data out of India and location of infrastructure.[7]
b. Foreign Direct Investment Policy, 2017:
Under the Foreign Direct Investment Policy, 2017 (FDI Policy), foreign investment in specified broadcasting carriage services is subject to localisation of “subscribers databases” by the beneficiary company in India, unless permitted otherwise.[8] In addition, such beneficiary companies are also required to provide “traceable identity of their subscribers.”[9]
V. What reasons has the RBI given for mandating data localization?
In the Notification, the RBI identifies two main reasons for requiring data localization:
a. Surveillance and Monitoring
Unrestricted surveillance of the data within the payment ecosystem is one of the reasons provided for the Data Localisation Mandate. The Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19 (Statement) referred to continuous surveillance as an essential component to address data protection concerns.[10]
b. Exclusive Control of Data
The Statement also referred to the necessity for “unfettered access to all payment data for supervisory purposes”.[11] Further, recognising the need for robust safeguards in payment systems, the Notification cited the need for effective monitoring through “unfettered supervisory access” to data available with the system providers and their intermediaries in the payment ecosystem.[12]
Reading the two together, it may be inferred that the Statement and the Notification frame the Data Localisation Mandate in the context of the RBI's ability to retain exclusive control over the data within the payment ecosystem for effective monitoring.
[This post is authored by Pushan Dwivedi, Associate, with inputs from Nehaa Chaudhari, Public Policy Lead, TRA.]
[1] ¶2, Storage of Payment System Data (6th April, 2018) available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0.
[2] S. 2(q), Payments and Settlements Act, 2007:
“a person who operates an authorised payment system.”
[3] S. 2(1)(i), Payments and Settlements Act, 2007:
“a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange;
Explanation.- For the purposes of this clause, “payment system” includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.”
[4] S. 2(1)(g), Payments and Settlements Act, 2007:
““payment instruction” means any instrument, authorisation or order in any form, including electronic means, to effect a payment,
(i) by a person to a system participant; or
(ii) by a system participant to another system participant.”
[5] S. 18, Payments and Settlements Act, 2007:
“Without prejudice to the provisions of the foregoing, the Reserve Bank may, if it is satisfied that for the purpose of enabling it to regulate the payment systems or in the interest of management or operation of any of the payment systems or in public interest, it is necessary so to do, lay down policies relating to the regulation of payment systems including electronic, non-electronic, domestic and international payment systems affecting domestic transactions and give such directions in writing as it may consider necessary to system providers or the system participants or any other person either generally or to any such agency and in particular, pertaining to the conduct of business relating to payment systems”.
[6] ¶6.3, Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017.
[7] ¶17.4.e.(iii), Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017:
“PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders.”
[8] ¶1.3.(ix), Annexure 7, Foreign Direct Investment Policy, 2017:
“The Company shall not transfer the subscribers’ databases to any person/place outside India unless permitted by relevant law.”
[9] ¶1.3.(x), Annexure 7, Foreign Direct Investment Policy, 2017:
“The Company must provide traceable identity of their subscribers.”
[10] ¶4, Storage of Payment System Data, Statement on Development and Regulatory Policies, Reserve Bank of India (5th April, 2018) available at https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=43574.
[11] ¶4, Storage of Payment System Data, Statement on Development and Regulatory Policies, Reserve Bank of India (5th April, 2018) available at https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=43574.
[12] ¶2, Storage of Payment System Data (6th April, 2018) available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0.