A three year journey on payment data localization
In April 2021, the Reserve Bank of India (“RBI”) restricted American Express and Diners Club from adding new customers for 6 months, with effect from May 2021. This was a drastic restriction, and one not lightly imposed by the usually restrained regulator. That this ban was imposed due to their violation of the local data-storage rules introduced back in 2018 speaks to the crucial place payment data localization now holds in the Indian fintech ecosystem.
In this article, we take a refresher on what these data localization rules are, their 3-year evolution, and how they affect banks and payment system operators, and (increasingly) unlicensed fintech entities availing financial services.
The 2018 notification, and its initial targets
On April 6, 2018, the RBI introduced a directive relating to the storage of payment system data in India (“Notification”). The Notification was specifically addressed to banks and authorized payment system operators (“PSOs”). You will remember that banks and PSOs are required to be licensed with the RBI to operate in India, and have to comply with reporting, operational, and other regulations.
The Notification was issued under the Payment and Settlement Systems Act, 2007 (“PSS Act”), an umbrella law that empowers the RBI to regulate and supervise payment systems in India. The Notification placed the onus on ‘system providers’ (i.e., banks and PSOs) to store all payments data within India, and to start complying within a period of 6 months, i.e., by October 2018. The Notification also required all ‘system providers’ to submit system audit reports confirming compliance.
The likely regulatory imperative behind the Notification was to have payment data readily available in India for regulatory oversight over licensed entities. And this makes sense, since it would make it easier for the RBI to conduct investigations in case of any fraud, money laundering, etc.
But since the very beginning, there was resistance to this directive.
A number of banks resisted compliance, most likely due to practical difficulties (costs, terminating contracts, etc.). Licensed banks claimed that the Notification did not apply to them, arguing –
- that the Notification was targeted at payment networks, and the business carried out by banks was not of the nature intended to be regulated by the RBI;
- that banks were not licensed under the PSS Act (pursuant to which the Notification was issued), but the venerable Banking Regulation Act, 1949; and
- that banks already had separate data confidentiality requirements as well. These are provided in the RBI’s Master Circular on Customer Service in Banks issued on July 1, 2015.
The fight continued
Even after the October 2018 deadline to comply with the Notification passed, there were gaps regarding compliance with the Notification. In June 2019, the RBI released frequently asked questions on this matter. In these, too, the RBI’s position remained unchanged; it maintained that banks and PSOs were responsible for complying with the Notification.
Perhaps surprisingly, it appeared that the RBI delayed its enforcement of the Notification. This could have been due to continuing negotiations with banks on compliance with the Notification. Another factor is that data localization is typically a privacy law question, and India’s privacy law has been in a draft form since 2018 (as it still is!).
In 2018, some more confusion was created when the RBI took a view that third-party payment apps were required to comply with the Notification. This was done in a petition filed before the Supreme Court seeking WhatsApp’s compliance with the Notification in respect of its payment services, WhatsApp Pay. For nearly 2 years thereafter, there was no clarity on the matter. Sometime in 2020, the National Payments Corporation of India (“NPCI”) updated its guidelines to specify that third-party application providers of the unified payments interface (such as WhatsApp Pay, etc.) had to store all payments data in India. With this, it became clear that WhatsApp Pay had to retain payment data in India due to its contractual understanding with NPCI.
It now appears that most banks and PSOs have started complying with the Notification (at least to some degree) and are continuing to do so. So how was this compliance achieved?
Non-bank players caught in the crossfire
Entities in the payment ecosystem, other than licensed banks and PSOs, do not fall within the regulatory ambit of the RBI. But since 2019-20, there have been instances of banks and PSOs indirectly, i.e., contractually, requiring entities (e.g., an online merchant, intermediary platform, etc.) availing their services, to comply with the Notification.
In a strictly legal sense, the Notification applies only to banks and PSOs. What seems to be happening now is an unofficial “outsourcing” of this compliance – banks and PSOs require this of their customers, so that they can in turn fulfil obligations under the Notification. An understanding may have been reached, that such indirect compliance is evidence of the bank’s / PSO’s own compliance. Of course, nothing official has been said about this by any party.
Since such participants are unlicensed, the RBI will likely not directly take action against non-bank/PSO participants (though it has very wide powers under law, arguably to do this too). There is no precedent of the RBI (publicly) initiating enforcement action against non-banks/PSOs for non-compliance with the Notification. That said, this is now a fait accompli in the Indian fintech ecosystem. An entity availing financial services from a bank or PSO could be held liable for damages, indemnity, injunctions, etc., by the bank or PSO if it breaches any contractual conditions.
What this means, and what happens next
During the pandemic, the fintech market in India boomed. It was reported that, in 2020, India was home to the highest number of real-time online transactions, ahead of countries such as China and the US. PricewaterhouseCoopers has reported that 48 billion digital transactions were recorded in calendar year 2020 despite (or maybe because of) the COVID-19 pandemic and its effect on the economy. That all of this is happening against a backdrop of unclarity on as crucial a rule as payment data localization gives us reason to pause. If India’s fintech success story is to continue, its market participants should be able to look to laws that are clear, certain, and (one hopes) reasonable.
After spending nearly 3 years aligning with banks and PSOs on the Notification, it appears that the RBI is (finally) focusing on enforcement. The ban on American Express and Diners Club indicates that the RBI is no longer keen to negotiate applicability, and is getting serious about enforcement. It is also likely that the RBI will now routinely follow up on compliance and may impose similar bans and/ or other penalties (like fines/ imprisonment under the PSS Act) in case of lapses.
For the time being, entities availing services from banks and PSOs should also be prepared to comply, albeit contractually. Costs associated with such compliance should also be accounted for, including for local data servers, procuring compliance certificates, providing contractual damages/ indemnities to cover any non-compliance, purchasing insurances, etc. And most of all, don’t be surprised if an Indian bank asks you to do this!