India: RBI's clarifications on payment system data storage
On 6 April 2018, the Reserve Bank of India ('RBI') issued Circular DPSS.CO.OD No. 2785/06.08.005/2017-18 on the Storage of Payment System Data ('the Directive'), which mandates that Payment System Operators ('PSOs') store the end-to-end transaction details and payment system information collected, stored and processed as part of a transaction only in India. Huzefa Tavawalla and Arvind Ravindranath, from Nishith Desai Associates, discuss the content of the Directive and the RBI's clarifications on its scope and applicability.
Although the Directive was a step towards data localisation, its implementation left several ambiguities. PSOs therefore approached the RBI for clarification on issues such as the scope of the Directive and the terminology it used. The Directive also appeared to trigger large-scale lobbying by US companies and the US Government, which sought to dilute portions of it. However, more than a year after the Directive was issued, the RBI published frequently asked questions ('FAQs') that kept to the original intention of the Directive while clarifying a few of the ambiguities.
The RBI has clarified that the Directive is applicable to:
- all PSOs authorised by the RBI to operate payment systems in India under the Payment and Settlement Systems Act, 2007;
- all banks operating in India; and
- all transactions occurring through third party system participants, service providers, intermediaries, payment gateways, third party vendors, and other entities in the payments ecosystem who are engaged by the PSOs for providing payment services. However, the responsibility to ensure compliance by all such entities will be on the authorised PSOs.
The term 'end-to-end transaction details and information' has been clarified to include:
- customer data, such as name, mobile number, email address, Aadhaar number, permanent account number, as applicable;
- payment sensitive data, such as customer and beneficiary account details;
- payment credentials, such as one time passwords, personal identification number, passwords; and
- transaction data, such as originating and destination system information, transaction reference, timestamp, and amount.
In addition, it has been clarified that a payment transaction may be processed abroad, but the data must then be deleted from the systems abroad and brought back to India within one business day or 24 hours of the payment processing, whichever is earlier, so that the data is stored only in India.
Moreover, if any subsequent activity, such as settlement processing, is done outside India, it has to be performed on a near real-time basis, and the data still has to be stored only in India. For any other related processing activity, such as a chargeback, the data is to be accessed from India, where it is stored.
The data stored in India can be shared with overseas regulators after due approval from the RBI.
With respect to 'cross border transactions,' it has been clarified that a copy of the data stored in India may also be stored abroad, if required. However, the RBI has not clarified what a 'requirement' is.
The FAQs have made the scope of the Directive clearer, but they have not diluted the data localisation mandate. As set out in the FAQs, payment data for all domestic transactions must be stored only in India. Although there is some leeway for near real-time processing, along with a limited time buffer for overseas processing, the Directive essentially mandates that the data be stored only in India.
Further, in order to comply with the Directive, companies will also need to revisit their existing arrangements with their service providers, in particular to pass on the data deletion obligations and to be able to show that data processed abroad has in fact been deleted within the permitted window. Complying with these provisions will, in all likelihood, increase service costs.
For multinational companies, clarity is provided on the right to store a copy of the data abroad where the transaction is cross-border in nature. However, since the term 'cross-border transaction' is not defined, and storage abroad in such cases is permitted only 'if required', it remains to be seen how companies interpret this and what constitutes a cross-border transaction.
Lastly, although independent of the Directive, it will be interesting to see how the Directive ties in with the Personal Data Protection Bill, 2018 ('the Bill'), and what the impact of complying with both will be, as and when the Bill is enacted.