With a view to strengthening regulation and supervision, the Reserve Bank of India (RBI) on Thursday said all payments system operators working in India will have to ensure that data related to payment systems operated by them is stored in the country. The operators will have a period of six months to comply with the RBI directive.
A statement from the central bank said,
“In recent times, the payment ecosystem in India has expanded considerably with the emergence of new payment systems, players and platforms. Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches while maintaining a healthy pace of growth in digital payments.”
It added that, “It is observed that at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country."
RBI is expected to issue further instructions in this regard within one week.
Whom does it effect?
Over the last eight months, global companies like Google Tez and WhatsApp have set up payment operations in India. In mid-September, Google launched its UPI-based payment service Tez, and by November it was reported that the search giant had close to 67 percent market share.
Reacting to the development, a Google spokesperson said, "We will review the detailed instructions from RBI when it is circulated. We have nothing further to share at this stage."
WhatsApp started the beta of its payment service WhatsApp Pay in February, which raged a bigger debate about violating circulars that the National Payment Corporation of India had enforced on other UPI apps.
“Payment is a matter of trust and WhatsApp does not even have a team in India. So, what does one do when there is a dispute in settling a payment. This makes WhatsApp Pay a highly mistrusted model,” said one of the founders of a payment startup, who didn’t want to be identified.
The central bank's latest move will make it imperative for foreign players to set up local operations, and keep the data in India. "Foreign players seem to be getting away since they are not regulated by the government. So, who are they answerable to? There needs to be a better grasp on these companies," added the founder.
YourStory reached out to Indian payment companies who stated on condition of anonymity that RBI has been regularly auditing their payment infrastructure, with their data resting within the country.
Jitendra Gupta, MD, PayU India said,
“With this new directive of central bank, every payment firm will have to set up India operations for hosting and data management, which will make entry bit tougher for a foreign player who generally has unified systems and works across the globe with same application servers.”
Shilpa Mankar Ahluwalia, Partner at law firm Shardul Amarchand Mangaldas said,
"It is unclear at this stage whether this requirement will extend to only licensed entities (such as wallet issuers) or also apply to the payment gateways and intermediaries. A data localisation requirement will have significant implications for global payment system players, many of whom are have centralised offshore data storage systems. Detailed rules are expected within a week."
With the rising popularity of the country’s Unified Payment Interface (UPI), and foreign players picking up the network to establish their payment operations, a larger question rises is whether RBI should regulate UPI to ensure better transparency and safe practices.
Tarush is driven towards delivering unbiased and accurate reportage while engaging with as many mediums as possible to narrate a fresh perspective. Working for the past few years in the digital space with YourStory, he has covered the Indian technology ecosystem extensively, focusing on new age Fintech companies, while building strong connects within the industry.