Regulator says copy of local data can be stored abroad in foreign leg of deals
Data stored in India should include end-to-end transaction details and info about payment transactions.
A week after commerce minister Piyush Goyal met representatives of the payments industry and the central bank, the Reserve Bank of India (RBI) on Wednesday clarified that in case of cross-border transactions, a copy of the domestic data can be stored abroad.
“For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required," it said.
While RBI’s April 2018 circular had said that in the foreign leg of transactions, ‘data’ can also be stored in the foreign country, it did not specify if domestic data could be stored. However, experts said companies still have to store data locally as per the earlier circular. A senior executive at a global payment processing company said requesting anonymity that RBI’s clarification does not change the data localization norms and is only a clarification on some ambiguities in the circular. “We have always interpreted that the word data includes domestic data as well in case of cross-border transactions," he said.
The RBI had, on 6 April, 2018, asked payment system operators to store data related to payments in India. These regulations were expected to affect companies like Mastercard, American Express, Amazon, Facebook, Microsoft, Visa and PayPal who will be forced to store data locally.
The founder of an information technology think-tank, who declined to be named, said the RBI is still saying that domestic transactions should be completed in India, because otherwise India’s domestic payments systems could come to a grinding halt if the overseas entity faces any issue.
The RBI also clarified that there is no bar on overseas processing of strictly domestic transactions; however in such cases, this data shall be stored only in India after the processing. “In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India," it said.
The regulator also said that the data may be shared with the overseas regulator, if so required, depending upon the nature and origin of transaction, with due approval of RBI. On Wednesday, the RBI said data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions. “This may, inter alia, include—customer data (name, mobile number, email, Aadhaar number, PAN number, etc), payment sensitive data (customer and beneficiary account details) payment credentials (OTP, PIN, passwords, etc.); and, transaction data (originating and destination system information, transaction reference, timestamp, amount, etc.)," it said. PTI reported on 18 June that the RBI will examine concerns around its strict data localization rules that require storing of customer data exclusively in India without creating mirror sites overseas. Goyal held extensive consultations with the technology industry and e-commerce firm, PTI reported, citing a statement by his ministry last week.