RBI Firm on Data Localisation; 80% of Firms to Comply by October 15 Deadline

Mumbai: The Reserve Bank of India (RBI) will stick to its data-localisation directive and the October 15 deadline to comply with it, the central bank strongly communicated in a meeting with payments services providers on Wednesday.

This comes as a major blow to global firms engaged in active lobbying to water down the RBI’s diktat. Most of these are now understood to have presented their plans for a full compliance, effective October 16.

Out of 80 payments services providers that were told to store data locally, and not mirror it outside India, 64 said they were ready with local data storage. The fully compliant ones include global majors such as Google, Facebook (with its subsidiary WhatsApp), Amazon and Alibaba.

The remaining 16 companies, including major card companies, pleaded that they needed more time to comply, as the central bank was not in a mood to allow any leeway.

The RBI, sources said, told these errant companies that six months were more than enough to develop the infrastructure. And, in case they were still not ready, these firms must rent out an India-based cloud and store their data temporarily while working on building the required infrastructure.

In any case, customers will not be inconvenienced as services move to a cloud for the time being, said payments services providers. Migrating to a cloud can be done relatively easily and in a day or two, said experts.

However, it is also likely that the belligerent companies have their own Plan B ready in case the RBI did not entertain their request.

It is not that all foreign companies are transferring their data overseas. SWIFT India, for example, is one of the first few foreign companies to store data exclusively in India, creating two mini-models of their global data centres. The same can be followed by others in India.

“We have clearly communicated to all our clients that if they want to use our messaging system, the data has to be stored locally,” said SWIFT’s India chief executive officer Kiran Shetty.

No company said they will not comply, but that they were at various stages of compliance, said a person present at the Wednesday’s meeting.

While the RBI insisted on an “unfettered supervisory access”, of data to ensure better monitoring, there could be much more in its stance. Sources say the central bank is preparing the ground for a stringent Data Protection Bill, a draft of which was released by the Justice Srikrishna Committee in August.

“Data is the new oil and the regulator does not want other countries to store Indian data,” said a payments executive, who did not want to be named.

Business Standard had earlier reported that major US multinationals had sought the help of the US Treasury to ensure that local data storage norms are watered down. Despite a suggestion from the finance ministry to allow data mirroring instead of exclusive storage, the RBI did not budge. It did not respond to an email sent to it.

Visa refused to comment while emails sent to MasterCard and American Express remained unanswered.

“Data localisation would require them (card companies) to create a lot of processes, hire people and employ higher resources. They will also have to manage the impact on their existing risk-management framework,” said a senior payments industry executive. He added the larger the company, the more difficult it was to rework the processes in place.

Various global firms, including Google and MasterCard, were initially vocal about their opposition to data localisation and said they believed in the open flow of data between countries.

The companies that do not have a data centre in India raised concerns about the difficulty of acquiring such a facility locally.

While payment players have been vocal on needing more clarity on the RBI’s data-localisation directive, the central bank said the directive does not need any clarity.

On Tuesday, executives of global payments companies had said they were still hoping for a deadline extension. A source said the companies wanted to understand what would be the RBI’s action if they are not compliant within the deadline. They were initially hoping for a slap on the wrist by way of penalty for non-compliance.

It is still unclear what could be the RBI’s action on companies that fail to comply with its requirements within the deadline. However, neither the central bank nor the card companies would allow any disruption or risk-creating panic among customers, said a payments executive.

While the non-compliant global companies may temporarily comply with the RBI’s regulations, they are likely to continue challenging the data-localisation norms, said a source.

By arrangement with Business Standard.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.