The last few weeks have seen a lot of discussion in the payment ecosystem around the mandate for local data storage. The Reserve Bank of India (RBI) through its circular on storage of payment system data has mandated all system providers to ensure that the entire data relating to payments operated by them are stored in systems only in India. This directive to store payments data within the country has led to a lot of debates and inquiries.
The RBI directive comes at a time when the payment ecosystem in India is growing by leaps and bounds and has seen the emergence of new players and technology in this space. With this rapid growth, it becomes important that all data in the payment systems is indeed safe and best practices and standards are followed so as to support the growth of a sound digital economy.
It is important to recognize that India is one of the largest emerging open digital ecosystems, providing access to players across the world to operate and offer payment services. It provides a great opportunity for participants across lines of businesses to start offering payments as a service to their customers. In this context, all payment-related data generated in India by customers in India has to be rightfully guarded within the country’s boundaries.
I also believe that there is no real need for processing payment-related data to be stored outside the country. Processing any data outside the country also leaves behind an imprint/trail of the same on the servers through which it is processed and hence defeats the purpose of data localization. Likewise, there should be no data replication outside the country as the geographical spread of India provides enough room for creating alternate infrastructure and ensuring business continuity. Any player therefore interested in contributing towards the long-term growth of payments in India should also be willing to invest in building the infrastructure locally here.
Globally as well, there are regulations to store data of their citizens within the country itself. Countries like Malaysia, Indonesia, Russia and also the European Union mandate storing data locally. In China, personal data including medical data needs to be stored on local servers. Regulators and governments globally are getting increasingly cautious when it comes to financial data, so that information stays safe and secure and there is clear regulatory oversight on the same. I am glad that India is also moving towards the same goal.
Lastly, even from the perspective of fraud and risk management, since all the data is emerging from the country, all the global best practices can be incorporated in local risk management tools/engines. RBI’s 2FA mandate has reduced fraudulent transactions substantially in the last 8-9 years and also significantly reduced the scope of fraud and risk in the local market. The amount of data that is generated in India now and in the future will also be sufficient for companies to build a strong risk management framework.
To encapsulate, I believe this will go a long way in instilling customer confidence for digital transactions and protecting the national interest. Financial data of a country’s citizenry is extremely sensitive and this mandate will ensure that the legal jurisdiction of the same stays within the country. RBI as a regulator has taken a very balanced approach to ensure data protection while being progressive in allowing India to be an open market for payments.