"Enough time given": RBI unlikely to lift restrictions for barred payment service providers

The Reserve Bank of India (RBI) is unlikely to relax the restrictions on payment services providers not complying with data localization norms anytime soon, stated two government officials.

The banking regulator and the government believe that processing and storage of critical financial data within the country is a “necessity for an effective supervision mechanism as well as for sound regulation”.

It’s important that payment players adhere to the regulatory guidelines as more than enough time was given for compliance. Processing and storing data locally are essential to ensure safety of customers and the system. Banks are being asked to ensure that customer service is not impacted stated the senior government official.

The RBI rules require all payment system providers to ensure that their entire data, including end-to-end transaction details and information collected and processed, is stored in a system only in India. 

On July 14, the RBI imposed restrictions on Mastercard Asia Pacific Pte Ltd from onboarding domestic customers (debit, credit or prepaid) in India from July 22, citing non-compliance with guidelines for storage of data in India. The RBI said it had given almost three years to Mastercard for complying with the regulatory directions, but it was unable to complete the process. 

The latest draft of the personal data protection Bill also envisages a strict regime for localized storage of sensitive personal and financial data, an IT Ministry official said. “Our learning with non-localized data storage has been the lack of jurisdiction in case of leaks and databases being hacked. Most often the companies that were targeted express helplessness, citing lack of orders from headquarters,” the official added. The IT Ministry had sent suggestions on the norms for local storage of sensitive financial data to the central bank. 

The 2018 draft of the personal data protection Bill, which is currently being deliberated upon by a Joint Parliamentary Committee, had suggested that cross-border transfer of personal data, sensitive personal data and financial data of individuals be barred unless specifically allowed by relevant authorities. Such data, the draft Bill mentioned, should not be retained once the purpose for which it had been transferred was fulfilled. 

The National Payments Corporation of India’s RuPay card as well as Visa are expected to take fresh business from other players as they are in compliance with the norms. As per the RBI data, there were 90.23 crore debit cards and 6.23 crore credit cards in India, as of May 2021. The RBI has so far barred three foreign card payment network companies — Mastercard, American Express and Diners Club — from onboarding new customers over the issue of storing data in India. 

The RBI’s April 6, 2018 circular on Storage of Payment System Data requires all system providers to ensure that within six months the entire data relating to payment systems operated by them is stored in a system only in India. However, credit and card firms with global operations have been resisting the move, citing higher compliance costs, security risk and the possibility of data localization demand from other countries. Officials clarified that there will be no easing of the data storage norms despite demands for relaxation from global companies. 

Current Issue