With thanks to our friends Karam Daulet Singh and Gaurav Desai at Platinum Partners in New Delhi for alerting me to this important development.
On 6 April 2018, the Reserve Bank of India (the RBI) issued a circular requiring operators of all payment systems in India to store the entire data related to the payment system “in a system only in India”. This was done to secure "unfettered supervisory access" to data stored with these system providers. The data stored in India should include the full end-to-end transaction details/ information collected/ carried/ processed as part of the message/ payment instruction.
While the circular permits data related to the foreign leg of a transaction to be stored offshore, there is no provision for storing data relating to the Indian leg in a jurisdiction outside of India, even by way of backup. Firms have been given six months to ensure (and report) compliance (i.e. by 15 October 2018).
This requirement is not likely to affect local payment systems operators (in particular the local mobile wallet companies that have sprung up in India over the last couple of years) since they already store their data in India. However, global payment systems operators are likely to be significantly impacted. I am told that there has been an effort from these global firms to get the RBI to dilute the requirement as the concern is that the requirement to store data only in India could significantly jeopardise global fraud detection. In addition, storing the data in India could lead to greater operational costs. So far, at least, the RBI doesn’t seem to have backed down and press reports suggest that a roll back seems unlikely.
In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers/ intermediaries/ third party vendors and other entities in the payment ecosystem.