Critical questions the RBI must answer before it delves into data sovereignty

After the Cambridge Analytica controversy, India’s central bank wants payment system operators to store payment-related data in the country. But right now, the new directive has led to more questions than answers.

Just last week the Reserve Bank of India (RBI) took on the impending topic of data privacy. The central bank, in its bi-monthly Monetary Policy Statement, made it clear that all payment system operators working in India have to ensure that data related to payment systems (operated by them) is stored in the country.

And that’s only fair, considering the recent controversy that erupted between British political consulting firm Cambridge Analytica and social media behemoth Facebook. Governments around the world are taking steps to ensure that their data remains within the geographic boundaries of their respective countries.

The Indian government might also be taking this path.

YourStory spoke to several Indian fintech players, who requested anonymity, and said the RBI’s new move could be pressure from the Ministry of Information Technology, considering the state of affairs around the world.

Recently, reports stated that Prime Minister Narendra Modi has expressed serious concerns over data leaks, instructing that data sharing should be regulated with server being located in India.

While the divided rest believe that this continues a move to create a virtual wall for payment services like WhatsApp Pay and Google Tez, who recently launched their services within the last seven months.

But the divided rest do create a valid argument.

A clause hiding in WhatsApp’s Legal lnfo about Payments states, “We share information with third-party providers and services to help us operate and improve Payments. To send payment instructions to PSPs (Payment Service Providers), maintain your transaction history, provide customer support, and keep our Services safe and secure, including to detect, prevent, or otherwise address fraud, safety, security, abuse, or other misconduct, we share information we collect under this Payments Privacy Policy with third-party service providers including Facebook.”

What’s surprising is that a circular floated by National Payments Corporation of India (NPCI) dated September 15, 2017 states that such third-party app providers require exclusive permission from NPCI and PSP bank for sharing individual UPI transaction data with any other third party, including its own parent, subsidiaries, and subsidiaries of parents.

So that brings us to the first question.

Questions the RBI needs to answer

Who regulates WhatsApp Pay and Google Tez? And what is a Payment System according to RBI?  

For Prepaid Payment Instruments (PPIs), guidelines of storing payments data are not new.

Shailendra Naidu Somarouthu, CEO, Obopay, explains, “If you have to be a PPI license holder, you need to have data centres in India and produce an audit report. Further, the auditing is done by an RBI-appointed auditor, who also performs a Vulnerable Assessment and Penetration Test (VAPT) on physical systems. So, this move is more relevant to consumer apps that do things other than just payments.”

But in case of WhatsApp Pay or Google Tez, who haven’t applied for any PPI license and ride on NPCI’s payment network UPI, what happens when they tend to be on the wrong side of the court?

While there is still ambiguity on what RBI means by Payment System providers, Harshil Mathur, CEO and Co-founder of Razorpay adds,

“The most important thing is the definition of Payment System Operators and its outsourcing partners. But it is still very ambiguous. So, does it mean wallet providers, UPI providers, payment gateways? Consumer apps like Tez or WhatsApp should also be added considering they now generate definite amount of payment data.”

With the new data directive, RBI needs to define the scope of payment systems, to better control India’s data sovereignty at least for payments.

Shailendra says,

“These services (WhatsApp Pay and Google Tez) should come under the purview of payment systems or else you are giving them an unfair advantage. If a service is touching customers’ money to transact, it should come under payment systems.”

He adds, “For the moment, we think that services like WhatsApp and Google Tez are not considered as payment systems. But information does flow through their pipes as well, even if they are partnering with UPI. It took us 1.5 years from the time we applied for the license to get it. Why give global players an unfair advantage?”

What is the scope of payment data? And which part needs to be stored in India?

Another part of the story comprises the different aspects of transaction data the RBI want payment companies to store in India.

From merchant data, transaction amounts, stored cards to the instrument being used for making a payment, there are multiple aspects of a transaction. And the industry awaits clarity for the word “payment data”.

Prashanth Susarla, Chief Technology Officer, PayU India, says,  “Grey areas need to be clarified. For example, service tickets, which are basically queries raised on refunds etc over email or to the call centre to the servicing team. So, would that also be a part of the payments data as well?”

Service tickets are just one part of the story. There are other aspects like fraud detection, attribution, and analytics for which Indian fintech firms may be taking help from global third-party service providers.

What happens to international service providers, intermediaries and third-party vendors? Especially when it comes to fraud detection?

YourStory did some digging and found that financial services company Paytm uses Israeli-based marketing analytics and attribution platform AppsFlyer. It is also associated with mobile engagement platform and digital wallet solution Urban Airship.

On the other end, digital wallet and payment gateway player MobiKwik leverages analytics services of Seattle-based analytics and app-marketing player Tune. Bengaluru-based payment container PhonePe also leverages the services of Tune.

These analytics companies do track things like Lifetime Value of a User (LTV) against Cost per Acquisition (CPA) for which they would like to understand per user spends on their client’s platforms.

In a notification around storage of payment system data, the RBI has stated: “In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers/ intermediaries/third-party vendors and other entities in the payment ecosystem.”

So how does RBI plan to keep that data in India, considering some of the best attribution or analytics players continue to be based out of India?

Harshil states that usually raw data is masked when used and is not accessible to these third-party vendors.

“So, we also use such services. And we do not send transactional data to these partners. Things around transactional data such as card number and value of transactions are never shared. People use broad view sense and data (like overall transactions) rather than specific, individual transactional-level analysis.”

A bigger question that arises: will these analytics and attribution players have to build operational efficiencies and rest their data in India?

An email sent to AppsFlyer on these issues did not receive a response.

An important part of a transaction is also risk detection. So, when a transaction takes place, the backend calls for the risk engine, which holds a copy of the raw data.

Prashanth explains,

“The rules get more and more complex if one doesn’t have a copy of the raw data. In the past we were also using a vendor to detect fraud, but we have now built that capability in-house. However, we might explore better players, since those who are in the business of only risk and fraud can track fraudulent transactions better than players like us who are in business of payments. The law of better focus works for their business.”

Also, when it comes to risk, the wider the blacklist data, the better it is. So, that does force the participation of foreign players as well. Because when payment systems authorise transactions from international cards, this information will be sitting on foreign servers, and participation of global players might help curb fraud better.

Now, think about this in the case of larger card networks like Mastercard and Visa.

Harshil says,

“What part of the chain can be in India, and what part of the chain can be outside in India needs to be defined. If they ask the entire data base to be India, it will disrupt a lot of things because card transactions will have to be routed internationally.”

Where will the backup for these payment players rest? 

Another area the RBI would like to highlight is the backup of business data.

Harshil says, “A lot of people assumed from this circular that the primary copy needs to be in India and secondary can be outside. We believe that with even a backup outside you are not solving that problem.”

What happens when there are server outages or fails in a particular service region? Or when there is a natural disaster in an area? What happens to the server backup?

Over the past two to three years, multiple data storage providers, including Amazon Web Services (AWS), Google, and Microsoft Azure, have deployed their data centres in India.

While Prashanth states that there is no dearth of locations for data centres and that Bengaluru, Noida, and Hyderabad are not so prone to water-related disasters, the bigger issue is about uniformity in the infra hosting. He states,

“In case of locations in India, there are practical considerations. If your infrastructure is optimised to AWS, it is operationally expensive to optimise your infrastructure to some other servers and run a multivendor model. So, uniformity is key.”

“It is like living in two different houses. The skill needed to manage these two different houses and the modelling which needs to take place is different. So, this might result in some serious level of management overheads,” Prashanth adds.

If companies need to maintain uniformity, providers like AWS will have to either deploy more servers or the RBI will need to allow companies to put their passive sites on foreign servers.

But if the latter is the case, the RBI will have to specify the annual traffic that can be allowed on the passive (or failover) site and business volumes these can support to avoid any non-compliance.

Looking forward

However, uniformity in infra hosting will have some implications on smaller payment players.

Shailendra says: “The challenge will be towards scalability. The beauty of cloud-based systems is that they are scalable, but now the challenge is that you don’t know where the servers are. So companies need to invest in physical data centres in India and will have to plan their operations way in advance.”

For bigger players though, as Shailendra says, there will be some service fluctuations in the short term, considering they have to move their systems to India. The higher the number of operations of a certain player, the more complex things may get.

It is said this would be more from the perspective of bigger players and card networks like Mastercard or Visa.

In an email response, Porush Singh, Division President, Mastercard – South Asia said,

“It is critical India benefits from the best of global technology and innovation in meeting the country’s unique needs. This benefit will only come from open and free flows of data, something that has long benefited India’s information technology industry.”

However, in the same statement, Mastercard stated that it only receives very little information – the card number, the merchant name and location, the date, and the total amount of the transaction. They don’t know who the cardholder is, and what the cardholder is buying - information that sits with banks who manage their customer relationships.

Extending their support to the RBI’s data directive, Porush said, “Of course, we will work closely with the Reserve Bank of India to discuss details of the directive as part of our ongoing dialogue around payments and data practices with governments, regulators and policymakers across the globe.”

But as Harshil rightly says: this is just the start of regulating data in the country.

“I think this is the first step towards guidelines of how financial data should be used and stored. But before that the government needs to know that the data is stored in India for them to even regulate it. Future courses will be definitely on consumer and malicious practices.”