loader
Close

Search

See all results for ""

Ergo Newsflash

17-Apr-2018

The Reserve Bank of India (RBI), India’s central bank and the regulator for payment systems in India, in its press release dated 5 April 2018 (Press Release) on Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19, had announced that all payment system operators would need to ensure that data related to payment systems operated by them are stored only within India within a period of six months. RBI had indicated that detailed instructions would follow in a week’s time.
On 6 April 2018, RBI released a directive (Directive) with detailed instructions, which are discussed below:
What Payment Systems need to do?

All payment system providers will need to ensure that the entire data relating to payment systems operated by them are stored in a system only in India;

System providers need to ensure compliance of (a) above within a period of six months i.e. latest on or before 15 October 2018. Such compliance will also need to be reported to the RBI;

System providers will need to submit a System Audit Report (SAR) on completion of the requirement at (a) above. Such audit needs to be conducted by Indian Computer Emergency Response Team (CERT-In) (Ministry of Electronics and Information Technology) empanelled auditors certifying completion of compliance in (a) above;

The SAR duly approved by the board of the system providers will need to be submitted to RBI, not later than 31 December 2018.

What Data needs to be stored in India?
RBI’s Press Release did not elaborate on the nature of data that needs to be stored within India. However, in the Directive, RBI has clarified that data would include the full end-to-end transaction details, information collected, carried or processed as part of the message or payment instruction. Further, it has been clarified that if there is a foreign leg of the transaction, then the data can also be stored in the foreign country, if required.
Comment
RBI’s move on data localisation to payment systems comes as a probable aftermath of the recent data breach that has allegedly impacted elections in US and India.
The payment system ecosystem in India has developed considerably in recent times with the emergence of new players and technology in this space. With rapid growth, it is pertinent that data stored by payment systems is indeed secure and best practices and standards are followed for securing it so as to ensure a sound digital economy. This seems to be the thought behind RBI’s sudden mandate for making local storage compulsory by payment systems in India. Data localisation by payment systems will ensure supervision and greater control over such data by RBI. The detailed instructions on compliances and reporting will help RBI enforce the Directive effectively.
However, one must consider the downside of data localisation measures, which have historically culminated in economic isolation and stifled growth for countries that have adopted them. To add to the above, the Directive is likely to largely impact the foreign players in this segment, who will now not only have to invest in infrastructure to comply with this Directive, but will also have to bear additional compliance and administrative costs. Also, the nature of data that needs to be stored locally is also wider, and would restrict the ability of foreign players to undertake other incidental support services offshore using this data, which was otherwise possible so far. Industry players may also be concerned with the mention of ‘RBI’s unfettered supervisory access’ to such data in the Directive given that India’s new data protection law is yet to be released. It will therefore be interesting to see how the Directive is implemented in practice.

Harsh Walia (Associate Partner), Supratim Chakraborty (Associate Partner), Shweta Dwivedi (Principal Associate) and Shobhit Chandra (Senior Associate)

For any queries please contact: editors@khaitanco.com

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2019 Khaitan & Co. All rights reserved.

Mumbai

One Indiabulls Centre
13th Floor, Tower 1
841 Senapati Bapat Marg
Mumbai 400 013 India

T: +91 22 6636 5000

E: mumbai@khaitanco.com

New Delhi

Ashoka Estate, 12th Floor
24 Barakhamba Road
New Delhi 110 001 India

T: +91 11 4151 5454

E: delhi@khaitanco.com

Bengaluru

Simal, 2nd Floor
7/1 Ulsoor Road
Bengaluru 560 042 India

T: +91 80 4339 7000

E: bengaluru@khaitanco.com

Kolkata

Emerald House
1B Old Post Office Street
Kolkata 700 001 India

T: +91 22 6636 5000

E: kolkata@khaitanco.com