The Reserve Bank of India (RBI) has said all data related to payment transactions must be stored in the country and that such information, if processed abroad, will have to be brought back within 24 hours.
“The entire payment data shall be stored in systems located only in India,” the RBI said in its frequently asked questions (FAQ) section on Wednesday, responding to certain issues raised by payment system operators. “The data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from the payment processing, whichever is earlier,” it added.
The clarification has come a week after the government said the RBI would examine concerns around its strict data-localisation guidelines.
Payment providers have been lobbying at various levels for free flow of data across borders in order to ensure that customer benefits and fraud analysis are not affected.
While the government has been pushing for softer data-localisation guidelines by allowing data mirroring, the RBI has held its ground, maintaining that India's payments data can only be stored locally.
The central bank has also said the data stored in India can be accessed or fetched whenever required for handling customer disputes as well as for any other related processing activity, such as chargeback. The data may be shared with the overseas regulator, if so required, depending upon the nature/origin of a transaction with due approval of the RBI, it added. The RBI allows a copy to be stored abroad in case of cross-border transactions.
The clarity on data processing outside India may come as a relief to global payment firms, but the RBI’s reiteration on exclusive storage poses a problem. The representative of a leading international payments provider had told Business Standard earlier that the company needed to change some of its global processes to ensure that none of the payments data of Indian customers was stored elsewhere while processing globally. He had said that most of the other players would need to follow a similar process and called it a ‘work-in-progress’.
The RBI had released data-localisation guidelines on April 6, 2018, and gave payments providers six months to comply with the norms. Despite excessive lobbying by these players, the RBI remained firm on its guidelines and nearly all payments providers submitted a compliance plan and report to the regulator when the deadline approached. A majority of payment players have complied with the data storage norm.
Here's the full list of frequently asked questions on the matter that the RBI published:
1. Applicability of the direction
The directions are applicable to all Payment System providers authorised / approved by the Reserve Bank of India (RBI) to set up and operate a payment system in India under the Payment and Settlement Systems Act, 2007.
Banks function as operators of a payment system or as participants in a payment system. They are participants in (i) payment systems operated by RBI viz., RTGS and NEFT, (ii) systems operated by CCIL and NPCI, and (iii) in card schemes. The directions are, therefore, applicable to all banks operating in India.
The directions are also applicable in respect of the transactions through system participants, service providers, intermediaries, payment gateways, third party vendors and other entities (by whatever name referred to) in the payments ecosystem, who are retained or engaged by the authorised / approved entities for providing payment services.
The responsibility to ensure compliance with the provisions of these directions would be on the authorised / approved PSOs to ensure that such data is stored only in India as required under the above directions.
2. Where should the payment data be stored?
The entire payment data shall be stored in systems located only in India, except in cases clarified herein.
3. Clarification regarding data that needs to be stored in India
The data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction. This may, inter alia, include - Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.); and, Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).
4. Storage of data pertaining to cross-border transactions
For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.
5. Processing of payment transactions
There is no bar on processing of payment transactions outside India if so desired by the PSOs. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India.
However, any subsequent activity such as settlement processing after payment processing, if done outside India, shall also be undertaken / performed on a near real time basis. The data should be stored only in India.
In case of any other related processing activity, such as chargeback, etc., the data can be accessed, at any time, from India where it is stored.
6. Can the data processed abroad be retained abroad till the window for customer dispute resolution / chargeback is available?
As indicated above, the payment data sent abroad for processing should be deleted abroad within the prescribed time line and stored only in India. The data stored in India can be accessed / fetched for handling customer disputes whenever required.
7. Can the payment system data be shared with overseas regulators?
The data may be shared with the overseas regulator, if so required, depending upon the nature / origin of transaction with due approval of RBI.
8. Scope and coverage of the System Audit Report (SAR)
The System Audit Report (SAR), from a CERT-In empanelled Auditor, should inter-alia include Data Storage, Maintenance of Database, Data Backup Restoration, Data Security, etc.
9. Clarification in respect of entities earlier permitted to store banking data abroad?
In the case of banks, especially foreign banks, earlier specifically permitted to store the banking data abroad, they may continue to do so; however, in respect of domestic payment transactions, the data shall be stored only in India, whereas for cross border payment transactions, the data may also be stored abroad as indicated earlier.