Bengaluru: Retail payments organisation National Payments Corporation of India (NPCI), which operates various payment instruments including Unified Payments Interface (UPI), has asked all its digital payment platform members to provide a system audit report on ‘Storage of Payment System Data in India’, as per a letter dated 6 May.
The auditing of data localisation norms is significant because it supports the safeguarding, security and governance of Indian consumers' payments data.
The letter, citing indicative guidelines for a system audit from NPCI, however, comes almost two years after the RBI issued a directive in this regard, stating that “it is observed that not all system providers store the payments data in India”.
“It looks like NPCI, which was following data localisation norms strictly for some international players, wants to increase the audits for even domestic UPI operators. This is clearly late and maybe NPCI is acting as an indirect auditing body on behalf of RBI for products it operates. Or this could also be read as precautionary measures which NPCI is taking before any localisation norms are flouted by a player,” said an industry expert, aware of the guidelines.
The RBI had released the FAQs on the above-mentioned data localisation circular, clarifying the implementation issues, in June 2019, the NPCI guidelines mentioned.
A copy of the NPCI letter has been reviewed by Mint.
Although NPCI has stated that these guidelines are based on interactions with various stakeholders in the UPI ecosystem, payment platforms that Mint spoke to confirmed that this auditing practice has been delayed.
However, the NPCI auditing initiative comes at a time when digital payment firms are looking to revive their businesses from the covid-19 impact on their revenues.
“This is actually a delayed ‘System Audit Report’ on Data Localisation. It seems like NPCI has visibly colluded with international UPI players and is performing unfairly to perform its duty to ensure and implement the RBI directive of data localisation, only now, as some of them are going live. This delay further mitigates the risk of privacy and safety of UPI user data,” said an executive of a digital payments firm, who didn’t want to be named.
Interestingly, messaging major WhatsApp is expecting a full roll-out of its UPI-based payment service, which initially faced regulatory hurdles from the Reserve Bank of India, in 2018, over data localisation norms.
WhatsApp declined to comment, while NPCI didn't respond to an email query.
The indicative guidelines for auditing ask UPI payment providers to give NPCI a step-wise understanding of how transaction data flows, along with a detailed application architecture clearly indicating where the payment provider's components are located geographically.
The audit should also clearly bring out that defined payment data is only stored in India and no copy or backup is maintained outside the Indian jurisdiction in any form.
“With MDRs (Merchant Discount Rates) or transaction fee being slashed to zero and impact of covid-19 on UPI transactions, this audit might act as a burden for some domestic Indian players as it increases the cost of compliance. In a time when digital payment companies are trying to revive from the impact, auditing from NPCI has come across as an extra pain point,” said the industry expert mentioned above.