Mumbai: To meet RBI demands, WhatsApp has finally set up its data storage facilities in India and is reportedly preparing for the full launch of its UPI payments app in association with ICICI Bank.
In April 2018, the RBI had issued a circular asking all payment system operators in the country to store data – pertaining to their customers – within India to ensure that user details remain secure against privacy breaches. They also had to get a third-party audit done by CERT IN-empanelled auditors.
Going ahead, RBI has toughened its stand on companies processing data outside India and has set a 24-hour deadline for the companies to bring back all data back to the country in such cases. These directives were applicable not only to payment entities but also to all banks operating in India.
While the Indian players like Paytm took no time to comply with the norms, WhatsApp and other foreign players active in payment domain were seeking a bit of relaxation in terms of securing mirror or copy payments data within India, while also storing the same data in its overseas servers. The list included Visa, Mastercard, American Express and the likes of Pay-Pal, Google Pay, Amazon Pay, as well.
“The entire payment data shall be stored in systems located only in India,” the RBI said in its frequently asked question (FAQ) section on Wednesday, responding to certain issues raised by payment system operators. “The data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from the payment processing, whichever is earlier,” it added.
The clarification has come a week after the government said the RBI would examine concerns around its strict data-localisation guidelines.
Payment providers have been lobbying at various levels for the free flow of data across borders in order to ensure that customer benefits and fraud analysis are not affected.
While the government has been pushing for softer data-localisation guidelines by allowing data mirroring, the RBI has held its ground, maintaining that India’s payments data can only be stored locally.
The central bank has also said the data stored in India can be accessed or fetched whenever required for handling customer disputes as well as for any other related processing activity, such as chargeback. The data may be shared with the overseas regulator, if so required, depending upon the nature/origin of a transaction with due approval of the RBI, it added. The RBI allows a copy to be stored abroad in case of cross-border transactions.
The clarity on data processing outside India may come as a relief to global payment firms, but the RBI’s reiteration on exclusive storage poses a problem.
The RBI had released data-localisation guidelines on 6 April 2018 and gave payments providers six months for complying with the norms. Despite excessive lobbying by these players, the RBI remained firm on its guidelines and nearly all payments providers submitted a compliance plan and report to the regulator when the deadline approached. Majority of payment players have complied with the data storage norm.