The Reserve Bank of India (RBI) on Wednesday said that all data related to payments must be stored only in India and data processed abroad must be brought back to the country within 24 hours.
In the case of cross-border payments, a copy of the domestic component can be stored abroad and shared with regulators there with due approval from the RBI.
The clarifications, issued with regard to the RBI's original directive of April 6 last year, apply to systems operated by the umbrella body NPCI, such as the Unified Payments Interface (UPI), as well as to cards, payment intermediaries, digital wallets and payment gateways.
"It [the clarifications] is a welcome move on the part of the RBI. Certain players in this space were unsure about the applicability of the data localisation provisions for them. It is now amply clear that even banks operating in India are squarely covered as participants in the payment system," said Supratim Chakraborty, partner at law firm Khaitan & Co.
Though the directive allows for processing of payments data outside of India, the clarification specifies that such data must be deleted within one business day or 24 hours, whichever is earlier. The processed data will also be required to be stored in India.
"This could pose significant logistical challenges and also conflict with foreign laws," said Chakraborty.
As part of the clarification, the central bank stated that end-to-end payment data should be stored in the country, including customer-specific data (name, mobile number, email, Aadhaar Number, PAN) as well as payment-sensitive data, payment credentials and transaction data.
Where data is processed abroad, payment service operators (PSOs) must be able to access the data stored in India at any time, for purposes such as chargebacks. In such cases the regulator has also directed PSOs to carry out settlement processing and similar actions in near real time.
Multiple PSOs have been pulled up by the RBI for non-compliance with regard to the data localisation norms. WhatsApp Pay had in April said that it was ready for a third-party audit on compliance while Paytm had written to NPCI alleging violation of localisation norms by Google Pay in September 2018.
The directive also requires PSOs to be audited by CERT-In empanelled auditors and to submit a System Audit Report covering data storage, data restoration and backup, among other areas.