India proposes easing local data storage rules for foreign payment firms
New Delhi: India’s finance ministry has proposed relaxing a directive from the country’s central bank that would compel global payment firms to store customer data only locally, following weeks of intense lobbying by US companies and trade bodies.
Easing the proposal would be a relief for firms including MasterCard, Visa and American Express, which fear India’s data onshoring move could cost them millions of dollars and set a precedent for other major governments to implement similar rules at a time when there is heightened scrutiny of how companies globally handle their customers’ data.
Prime Minster Narendra Modi has been aggressively pushing digital and cashless modes of payment that leave an electronic trail as part of a campaign to crack down on the black economy.
Foreign payment companies were caught off guard in April by the Reserve Bank of India’s (RBI) one-page directive that said all payments data should, within six months, be stored only in the country for “unfettered supervisory access”.
India’s finance ministry, in a meeting held in June with RBI officials and executives from payment firms, said that a possible solution could be that companies would be allowed to store data offshore, as long as a copy was kept in India.
The companies had opposed the restriction on storing data overseas and had lobbied for its removal.
The ministry has also proposed clarifying the kind of data that needed to be stored and the time given to implement the directive, according to a copy of the minutes of the meeting reviewed by Reuters.
At the June meeting, RBI executive director S Ganesh Kumar said the central bank had been approached about the companies’ concerns and was in the process of issuing a circular to clarify the rules, according to the minutes. Suggestions made at the meeting would be helpful in deciding the matter, Kumar said.
The meeting was chaired by the government’s Economic Affairs Secretary Subhash Chandra Garg and attended by other ministry and RBI officials, as well as executives from companies including MasterCard, Visa and American Express.
MasterCard and American Express declined to comment. Visa and RBI did not respond to an email seeking comment.
“This is a big step and shows India has a progressive outlook towards businesses,” said an executive with one of the payment companies, adding that the ministry had tried to address some of the industry’s biggest grouses.
“This will hopefully serve as a precedent for other regulators who might be thinking of data localisation,” said a lawyer familiar with the matter, adding that this would also allow for data processing and analytics - which is currently done offshore - to continue.
Main concerns
The RBI had initially resisted a joint lobbying effort by the foreign payment companies, with sources with direct knowledge of the matter telling Reuters in May that the central bank was telling the firms to comply, not complain.
The industry’s main concerns have been over restricting data storage to India, a lack of clarity on the type of data that needed to be stored and the timeline to implement the rules.
During the June meeting, representatives from U.S. lobby group U.S.-India Business Council (USIBC) said that storing the data only in India would be a security risk, as in the event of a natural disaster no-one would have access to it if it was all stored in one place.
The representatives also said that only after understanding the kind of data that needed to be stored would they be able to estimate the time needed to set up the necessary infrastructure.
Global payment firms currently store and process Indian transactions outside the country. The RBI’s directive comes as more people in India are switching to plastic, partly driven by the Modi government’s decision to replace high-value currency notes in November 2016, since when the government has aggressively discouraged cash transactions.
In March, Indians clocked transactions worth $52 billion using their 900 million credit and debit cards, nearly double the amount recorded in November 2016, data from the RBI showed.
But rising fraud is a concern too. The RBI in April said the payment ecosystem in India had “expanded considerably”, making it necessary to ensure “the safety and security” of data.