Explainer: How does the RBI’s data localisation directive impact payments firms?

Explainer: How does the RBI’s data localisation directive impact payments firms?
Photo Credit: Photo Credit: Shah Junaid/VCCircle

The Reserve Bank of India’s refusal to extend the deadline for localisation of payments data in India has left global companies operating in the country in a fix. In a media report published in September, Google chief executive Sundar Pichai had requested minister of Information Technology Ravi Shankar Prasad time till the end of December to comply with the guidelines. The last date to comply with the RBI directive fell on October 15 with no indication of an extension, according to reports.

What does the guideline say?

The notification on ‘Storage of Payment System Data’ issued by the RBI on 6 April 2018 states that the federal bank needed ‘unfettered access to data stored with these service providers’ to better monitor the security measures adopted by technology dependent payment providers. The notification also states that this will prevent the misuse of payment data stored with intermediaries and third-party vendors.


How did this come into effect?

The guidelines are in addition to the draft Personal Data Protection Bill, which was tabled by a committee led by Justice BN Srikrishna (https://www.techcircle.in/2018/07/30/personal-data-protection-bill-why-the-draft-is-drawing-more-jeers-than-cheers) in July which addresses the larger issue of storing, processing and utilisation of customer data by consumer internet companies and online service providers.

Whom does it affect?


The guidelines impact payment gateways and digital payments companies headquartered outside India. The directive prohibits storing the data of Indians using these apps and gateways outside the country. The guidelines also insist that all data processing, including gathering insights, patterns and user profiling must be carried out within the country.

Which global companies are likely to suffer?

The list includes the likes of Google, which launched Google Pay in 2017, WhatsApp Pay India, which has a user base of 1 million users on a pilot in the country and payment gateways like Mastercard, VISA and others. In an email statement issued on 9 October, WhatsApp stated, “In response to India’s payment data circular, we’ve built a system that stores payments-related data locally in India.”


What is the cost impact?

Companies such as WhatsApp Pay India and Google Pay will incur costs in India by storing user data on the cloud as well as expenses from teams of engineers and scientists to process the data collected.

The guidelines also impact cross-border remittance players like PayPal, Payoneer and InstaRem. “The RBI’s Storage of Payment System Data guidelines made a provision stating that ‘for the foreign leg of the transaction if any, the data can also be stored in the foreign country if required’. As InstaReM does cross-border remittances, all transactions involve a foreign leg of the transaction. Also, all transactions involve overseas entities, which require the transaction data. Hence, we store the data in India and also in foreign countries as required,” said AG Ramakrishna, India country manager at InstaReM.


He added that the company had a few thousand users in India after the launch of its services in April 2018 and has been able to absorb the cost for compliance.

Whom do the guidelines benefit?

Indian payment and digital wallet company Paytm has been vocal in supporting the localisation of payments data. It benefits the SoftBank and Berkshire Hathaway-backed entity to maintain its lead in the payments market as new entrants like WhatsApp Pay India, Amazon Pay and Google Pay grapple to conform to the legal requirements. Apple Pay delayed its India launch owing to the RBI mandated deadline for localisation of data.


How much time can the companies buy?

While most companies, including WhatsApp, have started the process of ‘data mirroring’ and are likely to toe the line, all payments players have to furnish an audit report prepared by CERT-IN empaneled auditors on compliance localisation requirements by 31 December 2018.

Why is the US critical of the move?


In a letter to the Indian prime minister dated 12 October 2018, two US senators John Cornyn and Mark Warner, who are part of the US Senate's India Caucus, urged that the country adopt a 'light touch' on the regulatory framework, allowing cross-border data flow, according to a Reuters report.

“We see this (data localisation) as a fundamental issue to the further development of digital trade and one that is crucial to our economic partnership,” the US senators said in the letter. This draws from the multitude of US-headquartered companies affected by the decision.

Founder of digital payments platform The Mobile Wallet Vinay Kalantari says that the issue of data localisation has assumed international proportion with the involvement of the US Senate's India Caucus. He believes that the RBI should soften its stand on the timeline for localisation of data.

Sign up for Newsletter

Select your Newsletter frequency