RBI's Data Localization Mandate: What Happens Next?Compliance Deadline Has Passed; Questions Raised About How to Deal With Non-Compliance
Although some global payment organizations apparently have failed to meet the Reserve Bank of India's October 15 deadline for storing all Indians' payment data domestically, the nation's central bank reportedly has ruled out extending the deadline and is demanding a status report.
See Also: Deception Technology: Making the Case
RBI also has rejected a proposal by overseas service providers to allow data mirroring, which involves retaining a copy of the data on their overseas servers, the Economic Times reports.
RBI's mandate, announced in April, is applicable to licensed entities, such as wallet issuers, as well as payment gateways and intermediaries, including international payment card companies. The central bank sees the mandate as a way to better protect data (see: RBI Mandates Domestic Storage Payments Data).
Mukesh Aghi, CEO of the U.S.-India Strategic Partnership Forum, an industry body acting on behalf of U.S. businesses, in an interview with Bloombergquint says multinational payments companies are willing to comply with the RBI mandate but are requesting 12 months to better understand the technical requirements and complete the process.
"We've requested a 12-month period from the RBI so we can provide you world-class data," he says. "We need to have a consultative process to set milestones for three months, six months and 12 months."
Reasons for Delay
Although RBI apparently has not yet fined any organizations for missing the deadline, it's reportedly seeking schedules of pending data transfers to India. And Bharat Panchal, chief risk officer and vice president, National Payments Corporation of India, stresses that RBI has emphasized it won't issue a deadline extension.
A large percentage of global payment organizations have complied with RBI's mandate, but Mastercard, Visa and American Express, which account for the largest chunk of digital payments, have not yet complied, BloombergQuint reports, quoting an anonymous source.
Mastercard, Visa and American Express did not reply to an ISMG request for comment.
The card companies remain committed to ensuring customers are not inconvenienced, Aghi says. "There's a lack of consultative process. We've requested a meeting to understand the requirements," he says. "We just have no way of knowing what happens if we miss the deadline."
A.P. Hota, former CEO of National Payments Corporation of India and currently adviser to SWIFT, believes some companies will need at least three years to make the transition to domestic data storage. Data mirroring could be been an interim solution, but rules for that must be established, he adds.
Storing data locally means increased costs because card companies must set up large data storage operations. It also can hurt their ability to leverage economies of scale in analytics of the data.
Vivek Belgavi, fintech leader at PwC India, tells the Yourstory news site: "It's not just data. These companies must also shift their processing engines (for Indian data), which otherwise operate in a centralized manner to achieve economies of scale. The complexity is because these systems are interconnected; these capabilities must be built separately for India now."
Santanu Patro, a research director with Gartner in India, tells Reuters: "Data localization will increase costs for public cloud companies as they will expand data center capacity to fit customer data currently hosted outside India." And that cost could be passed on to customers, he points out.
What Are the Benefits?
Some critics say they're still confused about the advantages of localizing data and are demanding clarification from the government and RBI.
They're concerned that the domestic storage of payments data could lead to state misuse and surveillance of personal data, and they argue that localization will not improve security, Indian Express reports. Even if data is stored in India, encryption keys may still remain out of reach of national agencies, critics point out.
But some large enterprises are endorsing the concept of data localization.
"Storing data in India is critical to ensure better security, and RBI's mandate is justified," says N. Rajendran, chief technology officer, National Payments Corporation of India. "RBI is having discussions around how to make the payment infrastructure fool proof when the entire payments data is stored in India."
Former Infosys CFO T.V. Mohandas Pai told PTI: "Our data is safest if stored in India, subject to oversight by our government and courts. The Supreme Court now unequivocally corrects this and protects us fully. India has a strong anti-money laundering law now, and without payment data in India, the government cannot track financial flows to terrorists."