Local storage of payment data to inspire confidence, entice transactions
It was just another weekday on the sixth of April when a directive by Reserve Bank of India (RBI) asking all payment companies to ensure that all their data are stored in India, sent out ripples across the industry. Interestingly, the order not only applied to traditional banks, but also to new-age payment and fin-tech companies. The time frame of six months made it clear that a new disruption is on the horizon and India is soon going to be the destination for data storage.
The new directive applies to India-born companies building infrastructure for financial services or payments companies, as well as firms that hold licences in India for operating any form of payment system, including a mobile wallet, payment processing, Bharat Bill Payment System, or financial products like loans, investments or insurance. All the data across these companies need to be stored in India and need to be available for audit in the country. RBI has asked the companies to ensure it has unfettered access to all payment data for supervisory purposes.
Let’s go back to a point in time many years ago, when we started out in the fin-tech space, when the ecosystem of data storage and data centres in India was still in its infancy. So, one could argue that one didn’t have many options but to host outside India. In fact, the cost of hosting data/servers outside India was less. As financial institutions expanded their footprint in the country, they also accumulated massive amounts of data. It is then that they started looking out for a suitable option for housing all their data. This is the time when numerous information technology multinationals did business worth millions of dollars and provided services to financial institutions for storing all their data. In a majority of cases, the data were stored on the cloud, with servers stationed outside India. However, this has changed over time. Now, the cloud providers have also set up their data centres in India. Companies like Amazon Web Services and Microsoft have set up their systems in India, so one can use the cloud also and keep the data in India. There are multiple cities like Delhi, Mumbai, Chennai, and Pune where they offer data centres.
I believe that, irrespective of whether it is an India-born organisation or a global brand that has entered India and is running an office of profit in the country, the regulations across companies should be standardised.
One can argue that there is hindsight to this regulation since it also means that in the short term, if a company’s data storage is not fully set up in India, the company will have to make huge investments. Also, this is a time-consuming exercise.
I am of the firm belief that the companies should realise the overall objective behind this directive and how it will help push the industry in a positive direction. It will go a long way to further strengthen the ecosystem, increase capabilities, and, most importantly, give consumers more confidence to do financial transactions digitally. We, at MobiKwik, support and applaud this recent directive as it is democratic and equal. It creates a more level playing field for all players.
We have seen in the recent past how regulations are good for the adoption of a disruptive offering. Many years ago, RBI had given a directive that all card transactions must be subjected to second-factor authentication. While many people complained that this is cumbersome and not in line with the global best practices, interestingly, it was the second-factor authentication that gave the new consumers a lot of confidence and encouraged more customers to use cards for their financial transactions. Today, we see millions of customers transacting using cards, either online or at offline stores. Payments will see a similar uptake with the recent regulation by the RBI.
I will also like to touch upon some global regulations on data storage by payment companies, across countries. If we look at regulations across some of the countries like Malaysia, Indonesia and China, they all have Acts/regulations that require personal data on citizens to be stored within the country. Going by the laws in China, all personal, financial, and medical data of the citizens need to be stored on local servers. In Russia, the law states that any firm collecting personal information must have servers within the country. The new data regulation in the European Union that is expected to be implemented from this month, outlines strict privacy protection rules, and may make it mandatory for firms to store the data locally. In general, governments and regulators across the world assign high importance to privacy of customer data. I am glad that regulators in India are also defining stringent rules to ensure consumer data are safe.
In the world of financial services, data are key. It is important that the data are stored safely to control frauds, reduce risks and give the consumer necessary confidence. MobiKwik has always been a responsible financial services brand. It understands the importance of maintaining high levels of security standards and puts this at the centre of all user interactions on the platform. All our data rest in India itself. MobiKwik is PCI-DSS- certified and ISO27001-certified, and it follows all information security guidelines laid down by the regulators and the Indian government. For us, security is not just a state; it’s a process which is applied in every new feature upgrade or in case of any new product development. Our consumer complaint rate is less than 0.0001%, as our security team works round the clock in identifying and resolving frauds.
I think that from the perspective of providing a level playing field and giving consumers the necessary confidence that they own their data (especially with the recent unfortunate episode with Facebook), this directive is paramount. Financial data must be secured. Ensuring the safety and security of payment systems’ data by bringing in the best global standards and thereby ensuring a continuous monitoring and surveillance are essential to reduce the risks from data breaches.
Lastly, also from a capability point of view, this directive will ensure better practices in terms of creating a data management regime in India, a regime in which not just data centres, cloud companies or fin-tech companies, but even banks, etc. can create frameworks of sharing data and data interoperability while safeguarding individual data. For us to be able to promote innovation in data management, it is necessary that data are posted in India.
To sum it up, I support the recent regulation by the RBI and I am confident that this will go a long way to drive the next level of adoption and growth of digital payments in India.
Bipin Preet Singh is founder and chief executive, MobiKwik, an Indian mobile payments and digital wallet firm