Understanding the RBI’s data localization requirement
Updated: May 23, 2021
The Reserve Bank of India (“RBI”), by order dated April 23, 2021, restricted American Express Banking Corp. and Diners Club International Ltd. from onboarding new domestic customers onto their card networks from May 1, 2021. These entities have been non-compliant with the directions on Storage of Payment System Data dated April 6, 2018 (“Data Localization Notification”).
The RBI is the central bank of the country and the primary banking regulator for financial institutions operating in India. By way of the Data Localization Notification, the RBI has directed all payment system operators (including foreign bank branches in India) to ensure that data related to payment systems operated by them are stored only inside India.
What is data localization?
In terms of the Data Localization Notification, the entire data relating to payment systems operated in India are required to be stored within India only. This data includes end-to-end transaction details and information pertaining to a payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction, including:
· customer data (name, mobile number, email, Aadhaar number, PAN number, etc. as applicable);
· payment sensitive data (customer and beneficiary account details);
· payment credentials (OTP, PIN, Passwords, etc.); and,
· transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).
However, in the frequently asked questions issued by the RBI on June 26, 2019, with regard to the Data Localization Notification (“FAQs”), the RBI has clarified that while payment system data needs to be stored in India only, there is no bar on the processing of payment transactions outside India. In the FAQs, the RBI has also added that when the payment transaction is processed abroad, the relevant data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours, whichever is earlier. Further, for cross-border transaction data, consisting of a foreign component and a domestic component, the domestic component copy may also be stored abroad, if required.
Key reasons for data localization
The proponents of data localization argue its necessity, among other things, for the following key reasons:
· it allows better monitoring and easier/unfettered access to all payment data by local law enforcement authorities (and the RBI) for supervisory/investigative purposes;
· it prevents multinational financial institutions from taking advantage of tax loopholes. The Data Localization Notification requires such financial institutions to set up a permanent establishment in India and pay fair tax in India; and
· setting up local data servers will create new job opportunities in India. This will be significant, given the enormous growth opportunity for fintech and digital payment in India.
Key challenges with the Data Localization Notification
Multinational financial institutions must comply with the relevant regulations of their home jurisdiction and each jurisdiction where they have a business presence. The RBI's assertion of territorial jurisdiction over all payment data may lead to conflict-of-laws issues.
The Data Localization Notification has increased logistical expenditure for multinational financial institutions. Any company handling or having access to Indian payment data must set up a local data server, which involves a significant upfront cost. This is an even more severe problem for young fintech companies, which rely on cheap cloud storage from the global supply chain. To illustrate:
· Certain European countries prevent European financial institutions from “making funds available” to persons/entities whose name appears on one of the EU sanction lists. Accordingly, such European financial institutions are required to implement a screening and filtering system for all transactions in each jurisdiction where their branches are located (including India) against the EU sanction lists. Typically, such screenings are undertaken at centralized servers located in the home jurisdiction of the financial institutions. The Data Localization Notification creates a significant roadblock as Indian payment data cannot be stored in and monitored from their centralized offshore databases, forcing such financial institutions to separately monitor Indian domestic transactions in India.
· Similarly, for compliance with anti-money laundering/counter-terrorist financing (“AML/CFT”) laws across the jurisdictions in which they operate, multinational financial institutions prefer to have a centralized database for all KYC documents and information. A centralized KYC database allows for a more efficient, real-time, and comprehensive AML/CFT check. The definition of ‘payment data’ in the Data Localization Notification is extremely wide, and KYC documents and information may be classified as payment data. Given the ambiguity and lack of clarification from the RBI in this regard, multinational financial institutions are not able to store such KYC documents and information in their offshore centralized databases, creating a sub-optimal situation.
In addition to payment data, the Indian government is also keen on data localization of (a) personal data, (b) data generated on e-commerce and social media websites, and (c) community data collected on IoT devices, etc.
Therefore, as a first step, the Indian government should formulate a national policy for incentivizing data centers in India. The government must also ensure the availability of skilled human resources, stable power supply, real estate, high network bandwidth, and other ancillary infrastructural support. The promised growth of fintech in India will receive a severe blow if India fails to provide the necessary support and infrastructure to seamlessly house large data centers within its territory.
Moreover, the RBI and the Indian government may also consider a more light-touch data localization regulation that allows storing mirror copies of payment/personal data in offshore jurisdictions while retaining the local/primary copy within India. However, this needs to be supplemented by a multilateral treaty on data governance between India and other relevant countries to avoid potential conflict of law issues.
Having said that, the RBI must be lauded for recognizing that there is an emerging demand for data localization from various jurisdictions. To this end, the RBI recently proposed a model where binary (Yes or No) queries from abroad may be allowed on data stored within India based on a globally agreed-upon set of permitted queries. While this is indeed an encouraging step in the right direction, it only emphasizes the importance of global cooperation to solve the issue of data localization/sovereignty.