The Latest Chapter in the Fight over Payment Data Localization.  A three year journey on payment data localization

In April 2021, the Reserve Bank of India (“RBI”) restricted American Express and DinersClub from adding new customers for 6 months, with effect from May 2021. This was a drastic restriction, and one not lightly imposed by the usually restrained regulator. That this ban was imposed due to their violation of the local data-storage rules introduced back in 2018 speaks to the crucial place payment data localization now holds in the Indian fintech ecosystem.

In this article, we take a refresher on what these data localisation rules are, their 3 year evolution, and how they affect banks and payment system operators, and(increasingly) unlicensed fintech entities availing financial services.

On April 6, 2018, the RBI introduced a directive relating to the storage of payment system data in India (“Notification”). TheNotification was specifically addressed to banks and authorized payment system operators (“PSOs”). You will remember that Banks and PSOs are required to be licensed with the RBI to operate in India, and haveto comply with reporting, operational, and other regulations.

The Notification was issued under the Payment and Settlement Systems Act, 2007(“PSSAct”), an umbrella law that empowers the RBI to regulate and supervise payment systems in India. The Notification placed the onus on ‘system providers’(i.e., banks and PSOs) to store all payments data within India, and to start complying within a period of6 months, i.e., by October 2018. The Notification also required all ‘system providers’ to submit system audit reports confirming compliance.

The fight continued

Even after the October 2018 deadline to comply with the Notification passed, therewere gaps regarding compliance with the Notification. In June 2019, the RBI released frequently asked questions on this matter. In these, too, the RBI’s position remained unchanged; it maintained that banks and PSOs were responsible for complying with the Notification.

Perhaps surprisingly, it appeared that the RBI delayed its enforcement of theNotification. This could have been due to continuing negotiations with banks on compliance with the Notification. Another factor is that data localization is typically a privacy law question, and India’s privacy law has been in a draft form since 2018 (as it still is!).

Non-bank players caught in the cross fire

Entities in the payment ecosystem, other than licensed banks and PSOs, do not fallwithin the regulatory ambit of the RBI. But since 2019-20, there have been instances of banks and PSOs indirectly, i.e., contractually, requiring entities (for e.g., an online merchant, intermediary platform, etc.) availing their services, to comply with theNotification.

Source: Lexology news