As the Reserve Bank of India’s (RBI’s) deadline for data localisation expired on Monday, almost all payments players claimed they were either fully compliant with the rules or actively working towards compliance. For card companies, however, it was a different tale, with the three major players — Visa, Mastercard, and American Express — yet to toe the line.
In a meeting between the non-compliant players and the RBI last week, the central bank had said the October 15 deadline would not be relaxed. Does this mean people will not be able to use their debit and credit cards from Tuesday?
Stern action seems unlikely in the near term, said a source. Neither the RBI nor the payments companies want clients to be inconvenienced. “Action against each company will depend on what progress they have made towards compliance,” the source added.
“About 85 per cent of the companies are fully compliant, while the remaining 15 per cent have made significant progress towards compliance,” said a source from the payments industry. After the RBI refused to extend the deadline, more payments companies have met local data storage requirements.
The companies that have failed to comply with the local data storage requirements are giving regular updates to the RBI. The fully compliant ones include global majors such as Google, Facebook (with its subsidiary WhatsApp), Amazon, and Alibaba.
There are political implications of the RBI’s move to force payments companies to localise customer data within the country.
Two US senators wrote to Prime Minister Narendra Modi to soften India’s stance and allow data mirroring measures, reported Reuters. The letter warned that measures requiring data localisation represent “key trade barriers” between the two nations.
Business Standard had earlier reported that major US multinationals had sought the help of the US Treasury to ensure local data storage norms are watered down. Despite a suggestion from the finance ministry to allow data mirroring instead of exclusive storage, the RBI did not relent.
Sources said the central bank was preparing the ground for a stringent Data Protection Bill, a draft of which was released by the Justice Srikrishna committee in August.
A payments executive said, “The data protection law would not make it feasible for Indian data to be stored elsewhere.”
Those companies resisting data localisation have a Plan B ready and will continue to leverage trade relations to push a lighter data storage stance, said sources. While the non-compliant global companies may temporarily comply with the regulations, they are likely to continue challenging the data-localisation norms, said a payments executive.
The payments industry remains divided on the issue.
Local players applauded the move, saying it will bring greater security as well as opportunities for India. Global players have been vocal on the importance of the free flow of data across borders.
Vinay Kalantri, founder and managing director, The Mobile Wallet, said the RBI’s stance could severely affect trade relations between the US and India.
“The RBI should get every stakeholder on the same page of the policy-making architecture by putting an end to policy confusions instead of rushing through new benchmarks. By doing so, the central bank will be serving the original purposes of payment companies — enhancing financial inclusion and putting to use their full potential to spur existing business and creating new business,” he added.
India has the second-highest fintech adoption rate in the world, creating multiple opportunities for payments companies — both national and international. This also translates into a growing volume of user and transaction data, coupled with the challenges of data breach and fraud, said Sampad Swain, chief executive officer and co-founder, Instamojo.
He added: “The RBI’s regulation is a positive step towards ensuring data security and is a reassuring move for many potential users hesitant to embrace digital payments.”
Experts said data localisation norms would require global companies to increase their investment in the country.
“The payments companies would not only need to build more data centres in India but also employ greater resources in the country. The local data storage norms would require global companies to perform all of their processes, both transactional and supervisory, such as security and fraud prevention,” said Munjal Kamdar, partner, Deloitte India.
The condition of exclusive data storage would make India’s data localisation laws among the strictest in the world.
Even in the most stringent markets, such as in Russia and China, specific data can be transferred, but only after storing it onshore first. The UK and Sweden are in favour of free flow of data, whereas Germany and France strongly oppose it.
According to analysts, storing data locally is a time-consuming process and a humongous exercise.
D-Day is here
- RBI remains firm on October 15 deadline
- 85 per cent of companies are fully compliant with data storage norms
- Data mirroring not allowed, despite heavy lobbying
- US-India trade relations may be affected
- Global companies will have to increase investment in India