The Reserve Bank of India (RBI) has said that all payments-related data has to be stored within India and in cases where data gets processed outside of the country, it needs to be brought back within 24 hours, reiterating its stand on compulsory localisation of payments data from last year.
The regulator clarified this on Wednesday in a set of Frequently Asked Questions, or FAQs. It further added that these directives were applicable not only to payment entities but to all banks operating in India as well.
In April 2018, the RBI had issued a note mandating that all payments firms should store data within India. The move affected players such as Visa, Mastercard, American Express and the likes of PayPal, Google Pay, Amazon Pay, among others.
“There is no bar on processing of payments transactions outside India if so desired by the payment system operators (PSOs). However, the data shall be stored only in India after the processing,” RBI said in a note released on Wednesday.
The central bank had given a 24-hour timeframe within which the data needs to be brought back to India after processing is completed outside the country.
In cases of charge back or any other reconciliation processes that might need to be undertaken, it can be done by accessing the data from servers in India.
“In such a case the data needs to be deleted from the systems abroad and brought to India not later than one business day or 24 hours from payment processing, whichever is earlier. This could pose significant logistical challenges and also might be in conflict with foreign laws,” said Supratim Chakroborty, partner, Khaitan and Co.
The circular puts to rest speculation by multiple industry executives who had raised questions on whether only the data needs to be stored in India or processed here as well.
“The RBI has issued a few lines for data localization, there is no detailed note on the matter, whereas bringing payments data into India for storage is a humongous task for multinationals,” a top executive of a global payment company operating in India had told ET after the directives were released.
In another major clarification, the central bank has kept foreign banks outside the purview of the matter, with regard to storage of banking data. It has specified that foreign banks can continue to store banking data outside India, but their domestic payments data needs to be stored here.
For cross-border payments, the data related to the domestic component of the transaction may be stored abroad, but a copy of the data needs to stay in India.