D-Day for data localisation: Will RBI make short-term exemptions for payment players?

The D-day for India’s digital payment economy is here. Today is the deadline for electronic payments companies to submit a report to the Reserve Bank of India (RBI) on its directive to store payments data pertaining to Indian users within the country. Once they submit the report, all payment firms are expected to get their systems audited by an external auditor and submit a compliance report by December this year.

Failure to do so will lead to the central bank acting against them and, in some cases, even revoking their licences.

However, multiple sources and industry analysts told YourStory on condition of anonymity that this will not happen with immediate effect, and that the central bank is open to holding discussions on a case-by-case basis before deciding the fate of players (who are scrambling to comply with the current directive), depending on their intent and preparations to comply.

“The RBI will not take any sudden action where the consumers will be affected. But there might be multiple consultations and some short-term exemptions between the big players and the central bank behind close doors,” said a payment veteran, who was part of the industry discussions.

Another fintech expert from an analyst firm told YourStory,

“The ultimate direction is clear - that the common data of Indian users will have to reside in India, whether we look at RBI’s data localisation directive or the inputs from the Sri Krishna Committee. But there will be small exemptions which the RBI will make for certain players in the short term. Since the idea is not to create damage, data mirroring is a temporary measure to show confidence. However, the long-term aim is data sovereignty.”

Over the past few months, many US-based firms have reached out to the Ministry of Finance and the Ministry of Electronics and Information Technology (MeitY) and have been lobbying to seek dilution of the norms and hope for some relief from the RBI’s directive.

However, the RBI has time and again taken a strong stand, stating that it will not change the deadline, or make exceptions. The stand has proved effective too. Recently, in a big gesture of intent to comply, WhatsApp, which was marred by controversy around its privacy policies, stated that it was setting up systems to ensure that all India-centric data will not move out of the country.

Explaining reasons for the RBI’s confidence, the industry expert quoted above also said,

“If you see the digital payments landscape over the past few years, the dependency on a single operator has reduced significantly. India has its own card processing network RuPay as well as payment options like UPI, which are indigenous to India. This is giving the RBI further confidence to ask foreign players to comply, because now there is an alternative.”

In fact, a recent media report stated that card processing platform RuPay is set to emerge as the second largest player in the country. Further, it is not a secret that the potential of business and scale in India continues to be an attractive market and a strong R&D centre for these global behemoths.

In a recent statement, Mastercard said its cumulative investment in India over 2014-2019 would reach Rs 6,500 crore (close to $1 billion). Digital payments giant PayPal is looking to hire another 600 techies by this December. In August, Amazon invested $386 million into its India business. And finally, India continues to be the biggest market for messaging (and now payments) player, WhatsApp.

“The India opportunity is too big and attractive for any of these global players. So, I don’t see any reason why they won’t comply,” added the expert.

Emails sent to global card processing behemoths such as Mastercard and American Express last week didn’t elicit a response at the time of publishing this article. While PayPal said that it does not comment on the ongoing regulatory developments, Amazon Pay declined to comment on the matter.

Indian payments major Paytm on Friday took a tough stand against the lobby groups involved saying,

“It is disheartening to see lobby groups working against the data localisation mandate laid down by the RBI as it could harm the economic interests of certain global organisations who have been monetising the data generated by Indian users. With data localisation, they would lose that opportunity as cross-border flow of data would be restricted, and these companies would become more accountable to the authorities, which will significantly impact the business interest of global companies at large.”

How many will comply?

Last week, media reports estimated that almost 80 percent of payment systems are compliant with RBI’s directive.

However, an analyst firm that has been helping payment players with the compliance process, and didn’t want to be named, told YourStory that only 10 percent of payment systems in India would have actually complied with RBI’s directive by today.

Another industry source also confirmed this number to YourStory.

Additionally, while 60 percent of payment companies are expected to show an intent and an execution blueprint to the RBI, the remaining 30 percent are in bad shape with some even planning to shut their Indian operations, added the analyst.

Banks seek clarity from RBI

As opposed to popular perception, this directive doesn’t apply only to wallet operators. The same analyst firm quoted above told YourStory that the circular for payments data storage in India has also been sent to urban cooperative banks.

“Our reading is that this covers every player which has a payment system in place. If this was only for wallet players and card processors, the circular wouldn’t have gone to banks.”

The same analyst also confirmed that close to 10 banks have written to the RBI asking for clarifications around what exactly it means by ‘payment systems’. These include some big retail banks as well.

However, industry experts claim that banks need to ensure that all their partners are compliant to the RBI’s directive, since they are the ones who will be directly answerable in case of a non-compliance.

For instance, after ICICI Bank has partnered with WhatsApp to launch payment service, WhatsApp Pay, ICICI Bank is also answerable to the regulator in case of a breach or non-compliance from the messaging giant’s end.

But one thing is certain: data of Indian users will have to be stored in India either under the data localisation directive or India’s upcoming data privacy policy, which analysts say is expected to be fairly demanding for payments players. The Sri Krishna Committee has already made suggestions that all firms and agencies need to have a data protection officer. Further, it has recommended that individuals should have the right to withdraw consent for a firm to use the individual’s data. Penalties for non-compliance could be as high as 2-4 percent of a company’s turnover.

The road ahead is somewhat unclear and likely to be rough, at least in the short term. What will be interesting to watch is how Indian players who are compliant will react to the exemptions, if any, are made to foreign players.