Walking the digital financial tightrope

RBI desires unfettered access to payment systems' data for supervisory purposes. But it begs the fundamental question of how, especially in absence of a strong governance framework for data in general

With data breaches tugging at shaky foundations of the digital economy with unnerving regularity, it did not come as a surprise when the Reserve Bank of India (RBI) on April 5 issued a statement announcing policy measures attempting to fortify the digital financial economy. The build-up to this can arguably be traced back to November 2016 when 86 per cent of the currency in circulation was declared illegal. Demonetisation provided a fillip to digital payments, especially mobile wallets, in a country where access to mobile phones dwarfs access to the formal banking system. The subsequent behavioural nudge by the government in favour of cashless transactions in a growing economy meant it was only a matter of time before RBI would issue guidelines for its safe functioning.

Essentially RBI desires “unfettered access” to payment systems’ data for “supervisory purposes” and hence such data must be “stored only inside the country”. It sets out a timeline of six months for compliance by all payment system operators (PSOs). Further specific instructions were issued the next day. It effectively mandates data localisation or data residence without using either of the terms. The same statement also effectively bans cryptocurrencies without using the term.

The rationale is to ensure “safety and security” of financial data. This is sought to be achieved by “adoption of the best global standards” and “continuous monitoring and surveillance to reduce the risks from data breaches”. The logic is impeccable and yet it begs the fundamental question of how, especially in the absence of a strong governance framework for data in general.

Data, to use a Wodehousian turn of phrase, has as much “reticence as a steam calliope”—it resides and flows oblivious of geographic borders. It is vulnerable irrespective of its physical location. Data security breaches in the recent past are evidence that no country is spared because of the location of data—whether it is India, or even the United States. That is not to say there exists no advantage to forced data localisation. Getting data from across borders required by law enforcement agencies for investigations are famously cumbersome. Having data locally makes it easier. Although, absence of a supporting legal framework for data disclosure or transfer to the appropriate authority under specified conditions renders the efficacy of any data localisation strategy moot. Effective regulation could target the entity collecting, processing and/or storing the data and not restrict data itself.

Illustration by Binay Sinha

In addition, there can hardly be consensus on data localisation as a “best global standard” for data protection. In some countries it is guised as a measure of national security, while in many other democracies, such requirements stem from privacy interests, like the European Union’s General Data Protection Framework (GDPR). The Payment Card Industry Data Security Standard that improved control of card holder data, and reduced credit card fraud is an example of industry self-regulation. Recently, digital privacy is at the crossroads with the prolonged legal battle between United States and Microsoft being rendered moot due to the passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD) Act. These developments indicate diverging approaches to security, privacy and their ultimate balance. RBI’s statement does not overtly suggest a privacy angle, nor does it seem that its “safety and security” goal is within reach under the extant regulations.

Is this an attempt at digital protectionism that favours “only certain payment system operators and their outsourcing partners” that already store data within India? RBI’s list of PSOs include over 80 entities across different categories that include retail payment organisations, instant money transfer, ATM operators, prepaid payment instruments, cross-border money transfer, and card payment networks. Whether it is Visa, or PayU or Western Union—payments data will now be resident at home with this new regulation.

The subsequent “detailed instructions” issued by RBI do not offer much clarity. It expands the scope to data of not only service providers, but also intermediaries, third-party vendors, and other entities in the payment ecosystem. Yet, oddly, many entities that participate in the digital finance economy are excluded from the scope. For example it’s ambiguous whether regular banks or even payment applications operating on NPCI and UPI interfaces like mobile-banking apps, Google-Tez or WhatsApp Pay are covered.

Mapping the location of data storage facilities of all PSOs would reveal which entities would be most and least affected. This exercise may or may not reveal a home entity bias. However, it would certainly expose the economics of data localisation and compliance burden. While bigger entities may not feel the pinch, the competitive landscape of the sector could be altered due to the increased regulatory burden. Even if the alluring Indian market eventually does cajole foreign entities to make that additional investment and comply, will other countries reciprocate? Indian players wishing to operate outside will have to bear additional expenses to comply with overseas data localisation requirements that may not effectively protect their data. It could trigger a trend given Asia’s large mobile wallet market in comparison to some other developed economies that are dominated by usage of cards.

The list of questions only begins. Does a cost-benefit analysis indicate feasibility? Is this the optimum way to audit and protect the sector? If it is a measure to nurture Indian players, do we truly understand the value chain of data and potential for changes in the future? What constitutes “data related to payments systems” and are these requirements aligned with privacy regulations? Will these measures align with the forthcoming legal framework from the Srikrishna Committee on data protection and privacy? That is the all-important factor now.

Kathuria is director and chief executive, and Varma is consultant at ICRIER. The views expressed are personal