Why e-payment companies give RBI’s data localisation mandate a thumbs-up

Amidst the widespread furore and the general perception of RBI’s data localisation mandate being a spoke in the wheel for digital payment companies, the latter believes RBI’s diktat is a step in the right direction.

RBIHP_0.jpg

The RBI, on 6 April, mandated that all digital payment providers will have to store their payments data in India. The deadline was set as 15 October and the RBI had made it clear it wouldn’t budge. And true to its word, it hasn’t.

In a statement, Nanda S Dave, Chief General Manager-in-charge of RBI said that the aforementioned data includes full end-to-end transaction details and payment instructions.

India’s regulatory banking authority disclosed that it may not immediately penalize companies that failed to adhere to the deadline. 

RBI’s mandate clearly has far-reaching consequences not only on payment processing majors like MasterCard and Visa, but also on digital payment companies. In fact US Senators reportedly asked Prime Minister Modi to take a softer stance on data localisation. 

... Storing payment-related data in India makes it easier to monitor transactions and makes it possible to have better access controls on the data to reduce risks from data breaches.
Aditya Khullar
Tech Security Leader, Paytm

CSO online spoke to the top hats of leading e-payment companies in India to get a read on the market sentiment. Contrary to US-based companies crying wolf, Indian e-payment players actually believe RBI’s mandate is prudent and as a consequence of the new regulation, monitoring transactions will become a lot easier.

What e-payment players think about RBI’s mandate

Aditya Khullar, Tech Security Leader at Paytm believes that data protection and privacy laws will be the central theme for regulatory mandates in the days to come. “Moreover, storing payment-related data in India makes it easier to monitor transactions and makes it possible to have better access controls on the data to reduce risks from data breaches,” he reveals.

In addition to better controls, a unanimous voice that reverberated across all players was the fact the ruling would significantly curb the menace of data misuse. 

... RBI’s norm on data localisation is a pragmatic move and will benefit the payment sector in the long run as it is a necessary step in order to avoid data embezzlement.
Harshil Mathur
CEO & co-founder, Razorpay

“RBI’s norm on data localisation is a pragmatic move and will benefit the payment sector in the long run as it is a necessary step in order to avoid data embezzlement,” says Harshil Mathur, CEO & co-founder of Razorpay.

Rachit Chawla, CEO of Finway, throws light on how the new regulation is in line with tackling the humungous data volumes digital payment companies are now witnessing in India.

“All these companies are digitally strong, and payment wallet volume is increasing continuously. To some extent, the government is right to control it locally because the moment we store it outside, there is a potential threat,” he explains.

Did RBI just make the CSO’s job easier?

“Yes, it did. As the goal is to make it easier to conduct investigations of fraud and crime that involve the misuse of data. Nonetheless, what’s important is how data is governed for compliance and security, not where it's stored,” says Khullar.

Shailendra Naidu, CEO of Obopay seconds this opinion for the simple reason that with data not leaving the country, protocols will be more transparent and simple.

... With data not leaving the country, protocols will be more transparent and simple.
Shailendra Naidu
CEO, Obopay

So what happens when data is not locally stored?

“If it is not locally stored, then accessibility is a challenge. If it is physically available, everyone can reach out to avoid discrepancies as well as confusions. With locally stored data, the government will have more control over the transactions, and auditing will be more reliable and straightforward,” shares Chawla.

But it’s not just a win-win for digital payment companies. It’s in the government’s interest to have data stored locally as they can play the big brother watching over all digital transactions. 

“Without localisation of data, the government has little or no control of data being misused considering the laws specific to India are not applicable outside the country,” explains Mathur.

Was RBI’s deadline too harsh for digital payment firms?

Although the US-based players expressed disappointment over the 15 October deadline being unattainable, their Indian counterparts voted a vociferous ‘no’.

... RBI’s 15 October deadline was not harsh. It is the right step as the government is coming out with a clear vision on how it wants to grow digital transactions across India.
Rachit Chawla
CEO, Finway

“It is not harsh. It is the right step as the government is coming out with a clear vision on how it wants to grow digital transactions across India,” opines Chawla.

Both Paytm and Razorpay share the same thought around RBI’s ruling not posing an infrastructural challenge for e-payment companies in the country.

While Razorpay migrated all its datacentres to India over a year and a half back, security lead at Paytm, Khullar believes that as most companies use global cloud service providers that could be storing data outside India, they must relook at their policy and amend it if need be.