Like the govt, RBI policy also gets unpredictable
Prima facie, data localization for payments systems makes sense. The Payments and Settlement Systems Act of 2007 designates RBI as the sector’s supervisor and regulator.
The Indian government’s courtship of foreign investors has yielded some results but the full potential remains elusive. This government has tried hard to improve ease of doing business to accelerate foreign investment flows. It’s best to call that effort a work-in-progress, though one major reason for investor apathy remains unaddressed: the surprise element, or unpredictability, in policymaking.
This used to be the exclusive preserve of the government but regulators are joining in now. The Reserve Bank of India’s (RBI) statement on development and regulatory policies, issued with the 6 April bi-monthly monetary policy document, has a section called storage of payments system data which requires all players in the payment system to store data in India: “In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers/intermediaries/third-party vendors and other entities in the payment ecosystem.” This has to be accomplished within six months.
The debate on data localization intersects disparate areas of geostrategy, data privacy and surveillance capitalism. According to the white paper on a data protection framework for India, “Governments across the globe driven by concerns over privacy, security, surveillance and law enforcement have been enacting legislation that necessitate localization of data.”
While there is no legislation in India yet, RBI is making it compulsory for only the payments ecosystem. Ironically, it exempts the banking system or other parts of the financial sector which routinely conduct cross-border transactions and generate data on the Indian financial sector’s constituents and customers.
Prima facie, data localization for payments systems makes sense. The Payments and Settlement Systems Act of 2007 designates RBI as the sector’s supervisor and regulator. The ecosystem includes “…credit card operations; debit card operations; smart card operations; money transfer operations; or similar operations.” As a regulator, RBI is within its rights to seek “unfettered” access to financial and transaction data of Indians. This is crucial for supervision and monitoring. In addition, as the regulator, the central bank is also concerned about the safety and security of the Indian payments ecosystem.
Data on payments systems, or any other data, stored in an offshore location acquires a foreign identity. Many jurisdictions are wary of sharing it and are known to have denied Indian agencies access, even though the transaction might have originated and settled in India.
That said, the RBI notification circumvents the first principles of transparent public policy articulation. The central bank should have ideally sought stakeholder inputs through a consultative process, published a draft document for wider inputs and then finalized its notification after taking into account the multitude of technical complexities. Even if the RBI did seek stakeholder inputs, there is no way of knowing who was invited and what views were offered.
The second misstep seems to be a disregard for security and risk mitigation parameters. Most databases create mirror sites for business continuity and disaster recovery management. Concentration of servers in one geography increases risk, especially in the event of a cyberattack on the nation’s network.
While it is true that some jurisdictions are reluctant to share data, RBI could consider shortlisting locations with which India has, or can sign, bilateral treaties. RBI seems to be exhibiting undue haste before considering or exhausting all alternatives.
The third concern relates to RBI’s legitimate anxieties about foreign surveillance of Indian payments systems, thereby impacting the privacy and security of data relating to Indian citizens. The Justice Srikrishna committee had a counter-argument: “While, a data localization mandate may be effective in reducing foreign surveillance as data will be stored locally, such a mandate may increase the risk of local surveillance by law enforcement agencies.” Thus, ideally, RBI’s notifications should have incorporated information privacy protection, as per the Supreme Court’s August 2017 judgment. The notification is in keeping with the policy environment’s persisting bias against data privacy.
RBI seems to have also jumped the gun by issuing this notification before the Srikrishna committee finalizes its data protection framework, which promises to provide some future direction. It might be pertinent to note that the committee’s draft white paper (which incidentally is being finalized after seeking stakeholder inputs) did not advocate unilateral data localization: “A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue that has the potential to cause a major ripple effect across a number of industries.”
The paper is also candid about its impact: “The domestic benefits … go to the few owners and employees of data centres, and the few companies servicing these centres locally.”
So the obvious question is: what was the RBI’s hurry? Did influential external agents shape decision-making? The reasons behind RBI’s decision might be legitimate but the opacity undermines the central bank’s reputation as a fair and autonomous institution.
Rajrishi Singhal is a consultant and former editor of a leading business newspaper. His Twitter handle is @rajrishisinghal.