The Reserve Bank of India (RBI) directive to compel the storing of users’ financial transactions data within this country’s geographic boundaries has put payment companies in a quandary.
There is ambiguity on who would come under the regulations and what types of data need to be so stored in the country. That aside, experts say, it would seem the new guideline is likely to hurt foreign players more, especially card companies such as Visa, MasterCard and American Express. These process and store credit card transaction data outside of India.
It is also expected to affect payment gateways such as MIGS and CyberSource, which work for MasterCard and Visa, respectively.
Experts also say companies using Unified Payments Interface (UPI) for cash transfer or payment are also expected to take a hit to some extent. For, they have access to customer data such as who is sending the money, since people using the service share their WhatsApp numbers or Gmail. However, they don’t have access to the transaction data.
Most global companies which have launched payment services here -- such as WhatsApp (WhatsApp Pay), Google (Google Tez), Amazon (Amazon Pay) or Microsoft (Microsoft Pay) -- keep their users’ data outside the country; payments data always stays in the country. Most of these companies that Business Standard spoke to said they were trying to gauge the extent of the impact before figuring their next step.
“We are studying the RBI policy,” said an Amazon India spokesperson. A Google India spokesperson said: “We will review the detailed instructions from RBI when it is circulated. We have nothing further to share at this stage.” Google recently started Tez, its payments service in India; it would have to shift all its data operations into the country in six months if these are not already operating from India. WhatsApp Pay, run by Facebook’s chat app, would have to do the same.
“We are yet to fully understand the implications of these restrictions on platforms like Google Tez and WhatsApp but a very liberal interpretation of the Act is that only operators will have to follow these guidelines, not the aggregators. Google Tez and WhatsApp are aggregators; they are not acting as operators,” said A P Hota, former managing director of National Payments Corporation of India (NPCI), which had designed the UPI platform.
He said Indian players such as Paytm were keeping their data within the country. It is only the card entities -- such as Visa, MasterCard and American Express -- which process and store the transactions outside the country and are expected to take a hit. “In fact, this regulation affects these three the most,” said Hota, who was in charge of payment and settlement systems at RBI before taking up the NPCI role in 2009.
“As per our initial research and understanding, there is slight ambiguity on a few aspects of this directive, though we feel this directive will impact foreign companies more than home-grown ones,” said Sampad Swain, chief executive officer (CEO) and co-founder of Instamojo, one of the country’s leading digital payment solution companies. “We would like to understand the type of data that is the bone of contention here -- whether the data mentioned is of user engagement or transactional.
Also, it will be interesting to know how RBI would track the changes implemented by companies. Will they appoint a separate wing to keep a tab on the developments and check on adherence to the directive? Last, it is vital to understand who would fall under this regulation, considering there are various stakeholders in the payments system, from card schemes to processors to aggregators.”
Visa, MasterCard and American Express could not be reached for comment. Bankers and executives with payment companies say the impact would be for credit card transactions, as the processing part is done abroad, unlike debit card transactions. So, the payment of fees for processing (credit card transactions) is in foreign exchange. When the processing activity moves on-shore (in India), the cost of doing work is expected to come down. Also, fees charged for processing would decline, which will benefit the banks.
A chunk of India’s financial technology entities and banks have stored all their customer data in India but many also use foreign servers, for operations, providing of services and for data analytics. If RBI completely stops ‘data travel’ for all purposes to destinations out of the country, these companies might not be able to offer the host of services they presently do.
“From the beginning of the company, we have partnered closely with all major banks -- HDFC, SBI, Citibank and others. As a result, from early on, we adhered to local data hosting requirements and end-to-end security, in which all Indian data stayed in India,” said Abhijit Bose, co-founder & CEO at Ezetap, a digital payment platform for merchants.
Added Harshil Mathur, CEO & co-Founder of RazorPay: “We migrated all our data centres to India about one and a half years ago. That’s because we were working with a lot of banks and many had this requirement, that the data be hosted in India.” Razorpay works with Amazon Web Services and uses their Mumbai data centre for all its operations and storage.
According to Naveen Surya, chairman, Payments Council of India, it is not that fintech entities do not store their customers’ data in India. The issue is when peak loads come, transactions happen and certain services are being done on that data, that might be done out of India. “Some part of the service or data for analytics purposes is always travelling,” he concludes.