The Reserve Bank on Wednesday said all data related to payments, including those processed abroad, must be stored only in India, notwithstanding concerns raised by American e-commerce and payment firms.
In case the payment processing is done abroad, the data should be deleted from the systems there and brought back to India within 24 hours, the central bank said.
The clarifications, in the form of FAQs (frequently asked questions), came on a day when US Secretary of State Mike Pompeo held talks with senior leaders during his India visit.
Several US giants like Google, Mastercard, Visa and Amazon operate in India and have raised concerns over data localisation and its impact on their operational cost.
“The entire payment data shall be stored in systems located only in India…,” the RBI said.
The FAQs were issued after the Payment System Operators (PSOs) raised certain implementation issues regarding the central bank’s April 2018 directive on ‘Storage of Payment System Data’.
In April last year, the RBI had issued a directive on ‘Storage of Payment System Data’. It had advised all system providers to ensure that within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India, for effective monitoring.
The FAQs further said there is no bar on processing of payment transactions outside India if so desired by the PSOs.
However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
“In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India,” it said.
However, any subsequent activity such as settlement processing after payment processing, if done outside India, should also be undertaken / performed on a near real time basis. The data should be stored only in India, it added.
“In case of any other related processing activity, such as chargeback, etc., the data can be accessed, at any time, from India where it is stored,” it added.
The RBI further said the data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction.
“This may, interalia, include – customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); payment sensitive data (customer and beneficiary account details); payment credentials (OTP, PIN, Passwords, etc.); and, transaction data (originating and destination system information, transaction reference, timestamp, amount, etc.),” the FAQs clarified.
Recently, many US companies had held intensive discussion with Commerce and Industry Minister Piyush Goyal and the issue of data localisation figured prominently. They had expressed apprehensions that RBI’s diktat would lead to an increase in their operational cost.
Pompeo, who is on an official visit to India, met Prime Minister Narendra Modi and External Affairs Minister S Jaishankar.
The RBI’s FAQs further said that in the case of banks, especially foreign banks, earlier specifically permitted to store the banking data abroad, they may continue to do so.
However, in respect of domestic payment transactions, the data shall be stored only in India, whereas for cross-border payment transactions, the data may also be stored abroad as indicated earlier.
As per the FAQs, data could be shared with the overseas regulator, if so required, “depending upon the nature/origin” of transaction with due approval of RBI.
Meanwhile, the government is planning to come out with a national e-commerce policy within 12 months to facilitate achieving holistic growth of the sector.
The government, in February, had released the draft national e-commerce policy proposing setting up a legal and technological framework for restrictions on cross-border data flow and also laid out conditions for businesses regarding collection or processing of sensitive data locally and storing it abroad.
Several foreign e-commerce firms have raised concerns over some points in the draft pertaining to data.
Work is also on to frame a legislation on data protection.