NEW DELHI/HONG KONG – India’s central bank is standing firm on a directive to compel global payment firms to store customer data in India, resisting calls from U.S. companies to dilute an order they say would cost them millions of dollars, people familiar with the matter said.
The payment companies are worried India’s data onshoring move could set a precedent and nudge other major governments to implement similar rules at a time when there is heightened scrutiny on how companies globally handle their customers’ data.
The industry’s tussle with the Reserve Bank of India (RBI) also comes as Prime Minster Narendra Modi aggressively pushes digital and cashless modes of payment that leave an electronic trail as part of a campaign to crack down on the black economy.
While Modi’s administration is working on a separate data protection law, foreign companies were caught off guard in April by the RBI’s one-page directive that said all payments data should within six months be stored only in the country for “unfettered supervisory access”.
The RBI said storing data locally would help “ensure better monitoring”.
A joint lobbying effort by American Express Co, Mastercard Inc and Visa Inc to dilute or reverse the directive has failed to shift the central bank’s position, with the RBI telling the firms in a meeting this month to comply, not complain, sources with direct knowledge told Reuters.
The RBI declined to comment, but a government source with direct knowledge confirmed the central bank was “unlikely to back down on its plans”.
The card companies are nervous that the move will disrupt their investment plans, as millions of dollars are diverted from other projects in a scramble to open local data centres within six months.
“There is a feeling of helplessness and we will have to comply,” said a source with direct knowledge of the meetings.
The RBI’s insistence that payments data be stored “only in India” would hamper global fraud detection and the companies should be allowed to keep a back-up, the sources said.
The government source disagreed.
“The suggestion that you need a disaster management back-up centre overseas just does not cut it,” said the source, who declined to be identified. “This is not a small island nation that would get entirely crippled by a single natural disaster.”
Mastercard said it was working with the industry to engage the RBI “to understand their need for access to domestic data and work towards a solution that meets the regulatory requirements” in line with global norms.
Visa declined to comment, while American Express did not respond to a request for comment.
The move would not impact local players such as Softbank Group-backed Indian digital payments firm Paytm, as well as homegrown card payment network RuPay, which competes with the likes of Visa and Mastercard, as they already store their data in India.
“ONLY IN INDIA”
The industry says India’s proposed data storage rules would be among the world’s most restrictive.
China also tightened cyber regulation in the past year, formalising new rules that require firms to store data locally. None of the global payment card companies, however, operate in the Chinese domestic market yet.
Countries such as Russia and Indonesia also have an onshore data storage requirement, but they do not restrict companies from transfer of transactions data offshore as well, according to lobby group U.S.-India Business Council (USIBC), which counts the three U.S. card companies among its members.
Global payment firms currently store and process Indian transactions outside the country and a major concern to the industry is a clause in the RBI’s order that asks for data to be stored “only in India”, two sources said.
That, according to the industry, would restrict the transfer of data needed to effectively detect and analyse global fraud patterns, and make India more vulnerable to financial crime.
In a letter dated May 3, seen by Reuters, the USIBC pressed the RBI for a “reversal or an indefinite stay” of its directive, which it said would make India’s payments ecosystem more prone to cyber-attacks.
It also urged the RBI to remove any restriction on transferring the data outside India and specify the time period for which the data needed to be stored locally.
An industry executive at a U.S. payments firm said while the RBI was likely to soon issue clarifications to address some of their concerns, but it would not change the notification’s implementation date.
In an earnings call last month, Visa CEO Alfred Kelly Jr. referred to the RBI’s six-month deadline as a “tough timeframe”.
The directive comes as more people in India are switching to plastic money, partly driven by the Modi’s decision to replace high-value currency notes in November 2016, since when the government has aggressively discouraged cash transactions.
In March, Indians clocked transactions worth $52 billion using their 900 million credit and debit cards, nearly double the amount recorded in November 2016, data from the RBI showed.
But fraud is a concern too. The RBI recorded 57,411 cases of card fraud totalling $43 million in the three years to December 2017, according to a Right to Information response seen by Reuters.
The RBI in April said the payment ecosystem in India had “expanded considerably”, making it necessary to ensure “the safety and security” of data.