The dynamic and exponential growth of digital payments in India is pretty evident. Everyone, from the Government of India (BHIM) to global tech companies (Facebook, Google) to legacy banks (Axis, HDFC, et al) to a number of start-ups (PayTM, PayU, MobiKwik), has jumped into this space.

However, one pressing concern has been security in the digital payments ecosystem. Cyber-frauds, scams, and phishing attacks are one layer of the problem. The other is ensuring that appropriate cybersecurity controls are actually implemented by payment systems providers.

The Reserve Bank of India (‘RBI’) is the primary regulator involved here, given its broad oversight powers over payment systems in general. The RBI also has a pretty elaborate framework around cybersecurity for banks in general – but its efforts around payment systems have been relatively less developed. Requirements for technical audits of mobile wallets were imposed in December 2016, though.

In April 2018, the RBI did actually move the needle quite a bit in this regard – first through a press release on April 5th and then a Notification under the Payment and Settlement Systems Act of 2017 (‘PSS’ Act) dated April 6th 2018. With these documents, the RBI has introduced a local storage requirement for payment data in India.

We’ve looked at the Notification and its implications below.

Local Storage Requirement

Specifically, the RBI wants all ‘payment system operators’ to ensure that data related to payment systems operated by them are stored inside India within a period of 6 months.

In terms of the actual details, the Notification stated the following:

  • That the ‘entire’ data relating to payment systems operated in India by payment systems providers are stored only in a system in India. This data shall include “end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction”.
  • The Notification also specifically refers to data pertaining to the foreign portions of payment transactions, stating that copies of such data may be stored in the concerned foreign countries as well, if required. It seems that ‘mirror’ servers are probably allowed, though this is heavily dependent on the presence of a single word – ‘For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.’
  • That system providers will be required to report compliance with this local storage requirement to the RBI by October 15th.
  • They will also be required to submit a ‘System Audit Report’, which involves getting a certification of the completion of the local storage requirement from any auditor currently empanelled by the Indian Computer Emergency Response Team [‘CERT-In’]. This shall have to be approved by the Board of the concerned payment system provider, and submitted by December 21st.

Implications

The RBI Notification clearly places its focus on ensuring the adoption of best-in-class safety and security measures across India’s payment ecosystem. The overall objective is laudable, given that cybersecurity is (and should be) a top priority for India’s digital ecosystem today, especially when we consider the massive volumes of data being generated from payments in India.

There are a few interesting implications of this notification:

  • The RBI definitely sees gaining ‘unfettered supervisory access to data’ as integral to the process of enhancing cybersecurity in India’s digital payments ecosystem. The objective here seems to be ensuring that RBI can monitor the activities of payment systems providers who operate in India properly.
  • Global companies will be required to get local server space in India. This may seem like a pretty major development for India – but it’s not necessarily a new development when we look at the APAC region. China, Japan, Thailand, Malaysia and Indonesia have all apparently implemented similar requirements. So it seems like India’s not really changing the game, so much as it is catching up with the region.
  • The RBI has also placed focus on demonstrating compliance through a ‘systems audit report’. Payment systems operators are going to flock to the 69 empanelled auditors that have been notified by CERT-In – though they’ll probably have to go through each auditor’s offerings to see which ones can actually perform this audit.
  • One difficulty is probably determining which entities in India’s digital payments ecosystem don’t have to comply with this requirement.
      • In the press release, the RBI referred to ‘payment system operators’, which seemed to be an undefined group under the framework of the PSS Act.
      • However, the Notification goes on to reference ‘payment service providers’ – which are defined under the PSS Act – and also talks about their “service providers / intermediaries / third party vendors”.
      • This could include a whole bundle of operators such as Visa/MasterCard, mobile wallet companies, payment gateways, and other licensed players.
      • The RBI really needs to inject greater clarity around the meaning of ‘payment systems providers’ and ‘payment systems operators’, as well as what it means by “service providers / intermediaries / third party vendors”.
  • A similar difficulty is determining exactly what data must be stored in India. The RBI Notification seems to be trying to cover every type of data by illustration, but doesn’t actually limit this requirement much.
  • Maybe a classification system for both (a) different entities and (b) different data categories would work well to define different entities’ requirements proportional to the risk?

Conclusion

Though there’s been a lot of controversial discussion around the introduction of data localisation in India, data localisation itself isn’t new for India.

The Companies Act 2013 requires the records of books of accounts of an Indian entity to be periodically backed up on local mirror servers. Even the Environmental Protection Act requires records of the generation and import of hazardous wastes to be maintained within Indian facilities. There’s also a National Data Sharing and Accessibility Policy, which requires all data collected through public funds to be stored in India. At Leegality.com, we too are covered by similar local storage requirements under the Aadhaar eSign regime.

Let’s wait and find out how the directive is implemented and if the industry is able to convince the RBI to make any favorable modifications.

Also published on Medium.