RBI -payment firms deadlock continues

With the Reserve Bank of India’s October 15 deadline for storing all payment data generated in India within the country coming to an end on Monday and major international firms such as American Express, Visa, Mastercard, Amazon, Paypal, and Western Union, failing to meet it, a regulatory uncertainty hangs over the issue.

While RBI officially did not issue any statement on Monday on whether it is going to extend the deadline or what kind of action it would take against the ones not meeting it, government sources said the deadline is not likely to be extended.

However, consumers need not worry as their ATM/ debit cards as well as credit cards which are mostly on the Visa or Mastercard network, will continue to work without any glitches.

Though the concerned companies declined to comment officially, sources said a regulatory action and penalty may be in the offing. Legal experts told FE that there’s a likelihood of a legal battle between the companies concerned and RBI with the former challenging any show-cause notice issued to them by the latter.

Cyberlaw expert Pawan Duggal told FE that the companies are free to legally challenge RBI’s notification as it comes under secondary legislation and on the same hand RBI is free to take any action against the errant companies. “This is a positive, cogent, and strict step taken by RBI to protect India’s sovereignty and security. If the foreign companies are keen to take the benefit of the Indian market they need to follow the rules set by the market. RBI has given them 180 days which is fair and it is asking only for payments data to be stored in India while other data can be stored as it is being done currently,” Duggal said.

Industry sources said, in a meeting on October 10, RBI had told the companies that if they fail to meet the deadline regulatory action and penalty will follow.

Subsequently on October 13, RBI had asked all the concerned companies to file a compliance report.

Sources said after going through the respective compliance reports, RBI is likely to issue show-cause notices to individual companies as to why regulatory action should not be taken against them and penalty imposed. Executives of the concerned companies, who did not wish to be named, told FE that RBI has not spelt out so far what kind of regulatory action it proposes to take or the quantum of penalty.

Sources said the international firms had stuck to their line that they are ready for mirroring the data in India which they store and process overseas but RBI is not ready for that. Further, these international firms need around six month for mirroring data in the country.

Some experts are of the view that RBI’s insistence on local storage hasn’t taken a full view of the issue. “Access to data is more important than storage and RBI has not said anything regarding who can and who cannot access the data,” SN Gupta, an independent regulatory expert and former adviser to Telecom Regulatory Authority of India (Trai), said.

Access to data means with who all the financial payment agency shares the data. For instance, if one uses a Mastercard to shop anything on an e-commerce site, the data goes to the e-commerce player too. In such cases even if Mastercard is storing data locally, the e-commerce player may be storing data overseas and the basic purpose of data not going outside the country gets defeated.

This issue has been raised by the ministry of electronics and IT with regard to WhatsApp’s payment system. Though WhatsApp has created a local data storage facility, it has not clarified whether it shares data with any third party, particularly its parent firm Facebook.

According to Gupta, if RBI is so insistent on local data storage, it should also lay down guidelines that data centres are owned by Indian companies. “How does it help if the data is stored locally in data centres of say Amazon in India? They can still do virtual mirroring with their global centre,” he said.

Meanwhile, two top US senators John Cornyn and Mark Warner have urged Prime Minister Narendra Modi to adopt a soft stance on data localisation and pointed out that otherwise, the issue would adversely affect US businesses in the country.

“Data localisation requirements, such as those contained in the draft data protection Bill and draft national e-commerce policy framework, will have negative impacts on the ability of companies to do business in India, may undermine you own economic goals and will likely not improve the security of Indian citizens’ data,” they said.

As is known, RBI had on April 5, put out a circular stating that all payment system operators in the country must move to a system of storing transaction data within India by October 15. So far, WhatsApp is the only major overseas payments player to have confirmed its intent to comply with the circular.

Finance minister Arun Jaitley had also recently held a meeting with RBI deputy governor BP Kanungo on the matter.