NEW DELHI: The Reserve Bank of India has written to payment companies seeking details of their preparedness to comply with its mandate to store all user data in servers located within India. 

The letter sent on June 1, which was reviewed by ET, also tasks companies with providing fortnightly updates on preparedness to the central bank. In an order issued in April, the banking regulator had asked all digital payment providers to set up data storage facilities inside India by October this year. 

“You are hereby advised to inform the status of ensuing compliance with the above requirements... The same shall be submitted by June 8, 2018, followed by update on progress at fortnightly intervals thereafter,” wrote P Vasudevan, chief general manager, RBI

The central bank has asked payment companies to ensure that all transaction details relating to payment systems are stored in servers only in India within a period of six months. 

Analysts are of the view that the latest missive by the central bank reflects the stringent view it is taking on the issue of local data storage. 

In recent weeks concern over privacy and security of data have risen sharply, following widespread allegations of data leakage from social network Facebook. 

“To me it signifies that RBI is serious about the storage of data locally and in the followup if they don’t see movement, they can ask questions,” said Vivek Belgavi, fintech leader at PwC. 

“The order will help RBI in conducting physical audits and checking how data is being run and control it from being leaked,” he said. 

Welcoming the banking regulator’s mandate, home-grown digital payment companies such as Paytm and Flipkart-owned PhonePe have said they are fully compliant as all user data generated is already stored in India. 

Deadline May be Extended 
Global technology firms, meanwhile, have voiced strong reservations over the order and made multiple representations through organisations such as US-India Business Council (USIBC), US-India Strategic Partnership Forum (USISPF) and Nasscom. 

These companies claim they were not consulted before the regulations were announced. The clause where the regulator has asked for user data to be stored “only” in India is regarded as the biggest challenge. Industry groupings have asked RBI to withdraw this condition or permit data mirroring, which allows for data to pass through global networks while a copy can reside in India as well. 

USISPF president Mukesh Aghi told ET that they are not running away from the RBI request and one has to learn to respect the local law of the land. “We have to find a balance with the companies as well so it doesn’t become onerous; it’s technically feasible and more importantly they just don’t get off the international grid especially on fraud.” 

ET reported last week that RBI is expected to clarify its stand on the data localisation mandate for payment companies given the concerns raised by various industry groups on the issue. It could either reiterate its April order maintaining that payment firms have to store data in India within six months by releasing just FAQs, or it could soften its stand by allowing firms to mirror the data outside the country keeping a copy in India, according to people aware of the issue. 

“A deadline extension is also not ruled out,” said one person, while some others are of the view that RBI is unlikely to budge from its stand. 

Read more at: https://economictimes.indiatimes.com/industry/banking/finance/banking/rbi-takes-stock-of-payment-companies-preparedness/articleshow/64515680.cms