RBI Mandate for Domestic Data Storage Proves ControversialSome Fintech Companies Want Requirements Relaxed, While Others Support Them
While some payment companies are strongly protesting the Reserve Bank of India's mandate that they store all data locally by October 15, portraying compliance as costly and impractical, others support the move as a way to ensure data is protected.
RBI's mandate, announced in April, applies to licensed entities, such as wallet issuers, as well as payment gateways and intermediaries. The mandate comes at a time when the government in India is pushing for a shift to digital payments to help crack down on "black money" tax evasion (see: Securing Digital Payments).
But setting up a new infrastructure in a short span of time to comply with the mandate will prove difficult, some companies argue. And they call for relaxing some of the requirements.
"I believe the biggest challenge is that most payment firms have set up their infrastructure abroad without having any indication that this mandate was going to come," says Dharshan Shanthamurthy, CEO at SISA, a payment security specialist firm. "Now that they have set it up outside India, it would have considerable business impact to move it back to India."
The COO of a Bangalore-based fintech company, who asked not to be named, tells Information Security Media Group: "I had only last year changed my data service provider to one in Singapore. The cost was huge for me. It will be a big financial burden for me if I have to shift all my data to India now. There must be some sort of relaxation with at least the backup data being allowed to be stored abroad."
But some payment companies, including Paytm and PhonePe, have strongly supported the mandate.
Kiran Vasireddy, COO at Paytm, India's largest payment wallet, believes that data storage outside of India can lead to confusion with regards to applicability of laws.
"Payments data must be stored and processed only in India. When data is sent outside India, there will always be a lack of clarity as to which country's data laws will apply to it," he says. "The scope of law must enforce that no public or private entity must be allowed to continue or start their operations without adhering to these guidelines laid out by RBI for storing and processing payments data only in India. We strongly believe that users should own their data; it does not belong to any government or a company."
And some payment firms argue RBI should have issued the mandate sooner.
"The mandate should have been there right from the time fintech companies began their operations in the country," says the vice president of security and compliance at a payment firm in India, who asked not to be named.
The Payments Council of India, which has about 100 payments firms as members, has sought a meeting with the RBI to suggest "alternative solutions which can meet the RBI requirements of unfettered access," according to MoneyControl.
"The data localization issue requires discussion with the industry and relevant stakeholders," a council official tells ISMG. "It will be difficult for the country if the central authority takes such a decision. The main problem is data storage 'only' in India."
Payment card companies, including Visa and MasterCard, also have expressed their concerns about the mandate to RBI, according to a vice president of one payments firm, who requested anonymity.
But various concerns raised about the mandate have failed to shift the central bank's position, with the RBI telling firms in a meeting this month to comply, not complain, Reuters reports.
Many fintech companies in India store their data abroad. The reason: The cost of hosting a data center in India is higher than elsewhere, including the U.S. and Singapore.
Because most fintech companies in India are small, cutting costs by having a data center abroad is attractive.
"Until now, the RBI required only transactional data to be stored in India. Now it wants companies to store all the data within the country. I feel it is impractical," says the founder of a Gurgaon-based payment firm, who asked not to be named. "It [shifting data centers] is not a small cost. Companies need to do their system-level changes, code-level changes as well as strategy-level changes. To implement these changes is a huge cost."
Some payment companies argue that the RBI's insistence that payments data be stored only in India would hamper global fraud detection and suggest that the companies be allowed to keep back-up data in other nations, Reuters reports.