Stating that how payment companies handle data is 'crucial', Kiran Vasireddy, COO and SVP-Business, Paytm, says data laws will ensure accountability and that it's time to enforce these laws.
The Reserve Bank of India, in its bi-monthly Monetary Policy earlier this month, asked all payment system operators working in India to ensure that data related to payment systems (operated by them) was stored in the country. This topic stirred up a massive debate in the Indian payments ecosystem, with Indian players mostly in support of the directive.
With the recent Cambridge Analytica and Facebook debacle, the issue seems even more pertinent. And it coincides with two internet conglomerates launching their payment services in India- Google Tez and WhatsApp Payments.
Last week, the Paytm boss came out in support of RBI’s new directive, stating that the company was open to data safety laws. But there continue to be critical questions that the RBI needs to answer.
In an interview with YourStory, Kiran Vasireddy, COO and SVP, Business, of One97 Communications-owned Paytm, talks about the Indian payment major's viewpoint and what this announcement means for global players.
Edited excerpts of the interview:
YS: What is your view on the RBI's recent data storage policy?
KV: It is in the drafting stage at present. The key point is that we understand that there need to be strict data policy laws. We should come out with stricter and more stringent data privacy laws in our country and must ensure that users themselves own the data, not corporations or the government. All the data and digital footprint that gets generated from people in India should remain in India and be regulated.
It is important that data from even apps comes under some regulation. For it is easy for players to get away with misuse of data, looking at what has been going on in the US. (Referring to the Cambridge Analytica and Facebook data breach).
YS: But don’t you think the RBI's recent data directive can be fleshed out better?
KV: Well, to begin with, at least the RBI is being cognisant about data sovereignty; I am sure it will issue more such directives. It is time we enforce these directives and ensure that the data of this country remains in this country.
We have all seen examples of the power of data, especially when it is misused. And with companies getting access to consumer’s data it can get extremely lethal. Our concern is more towards global players, who don’t come under any regulation and don’t pay taxes (to this country); it is unlawful for them to share or sell this data.
All this is happening because of no regulation.
YS: So, what does Paytm suggest when it comes to the data protection law?
KV: All in all, the data privacy laws should be created and complied with by everyone. What we are suggesting is that, first, India’s data not leave the country; second that the ownership of this data remains with the users of the country where they decide. And third, we would like to see some critical regulations around data relating to financial services in the country.
YS: But doesn’t Paytm have engineering done in Canada through its entity Paytm Labs? How do data engineers work there without Paytm data leaving the country? Also, what about your third-party vendors?
KV: We see most tools being built ourselves; the deployment is also in India. We believe it is good that data is not sent out of India. The key aspect is whether you are sending data out or are you using it within the boundaries of the country and building tools here. For us, data remains in India; they just build tools for us. Paytm Labs looks into Paytm’s own operations in Canada.
(Note: YourStory found that Paytm Labs, which is based out of Canada, builds technologies for Paytm, uses data assets, and builds data products that are currently live. Paytm Labs’ website says they are hiring data engineers and machine learning engineers, who essentially work on this data.)
YS: At present, what is the immediate impact you see on the payment ecosystem, especially with companies having to shift their data storage (centres) in India?
Kiran: I think it is crucial how we handle data. Yes, smaller and non-serious players will face some issues but it is time that they also become serious. Some might also move out of the Payments business. But bigger players like ours will continue to invest and there is all the reason why they should.
YS: In the past, there has been news about some messaging giants sharing data with their parent in the terms of conditions? Do you think it is careless on their part?
Kiran: I think such companies are going to be losing out with the new directive since their business model is essentially selling your data. And they are not regulated. We believe that the ownership of India’s data should be with the citizens of this country.
See, it is about intent. The intent that the payment data that has been generated by consumers should be in the country. And there is no reason why it shouldn’t. At least now, with some data laws, the accountability the country has been waiting for will kick in. Now is the time for enforcement of these laws.
Subsequently, WhatsApp clarified in its FAQ section that WhatsApp creates the necessary connection between the sender and recipient of the payment, using Facebook infrastructure and does not use it for payment purposes. It also clarified, “We pass the transaction information to the bank partner, which is called a PSP (payment service provider), and to NPCI (National Payment Corporation of India), so they can facilitate the movement of funds between the sender's and receiver's bank accounts. Facebook does not use WhatsApp payment information for commercial purposes.”
Relating to the storage of UPI pin, WhatsApp’s FAQ stated, “No, when you make a payment, WhatsApp sends the encrypted UPI PIN to our bank partners, which are called payment service providers. WhatsApp cannot see and does not store the UPI PIN, which is encrypted by software provided by National Payment Corporation of India. Nor does WhatsApp store other sensitive payment information such as your one-time password (OTP), account number or full debit card details.”