Submission of audit reports has been disrupted. According to a recent communication from the RBI, three years after the circular’s issuance, the majority of banks have failed to submit system audit reports showing compliance with data storage standards.
Several multinational banks submitted that they were not subject to the auditing criteria, which were unnecessary. By May 15, 2021, the Central Bank requested that the institutions report their compliance and an action plan. Over the last few years, the Government of India has been striving to harness the revolutionary potential of the digital economy.
These concepts allude to the practice of restricting data storage, processing, and/or mobility to specified regions. As a result, preserving data, localizing it, and controlling access to it becomes vital, often by designating it as sensitive and critical.
The Public Documents Act of 1993, which bans the movement of public records beyond India, was among the first criteria for local data storage. Currently, electronic data sharing between the governments of two nations is dealt with through Mutual Legal Assistance Treaties (MLATs), which are legally binding treaties signed by countries to help one another with their domestic legal procedures.
Under such a framework, law enforcement officials in one nation request evidence kept in another nation for criminal or civil prosecution. However, acquiring evidence through MLAT proceedings takes time and often leads to delays in justice.
On April 6, 2018, the Reserve Bank of India (RBI) issued a directive regarding payment systems and platforms. The RBI had mandated in the directive that data relevant to financial transactions happening in India be maintained solely in India.
The payment systems were given a 6-month deadline to comply with the directive, which ended on October 15, 2018. The directive also required payment system providers to produce an audit report on their compliance with the directive.
The Reserve Bank of India (RBI) has said that all payment transaction data must be maintained in the country and that such information, if processed outside, must be returned within 24 hours. The regulations apply to all Payment System providers who have been permitted or authorized by the Reserve Bank of India (RBI) to set up and operate a payment system in India under the Payment and Settlement Systems Act of 2007.
The RBI’s data storage standards make it significantly difficult for payment systems that are not based in India. These include the requirement that payment data be stored “only” in India, with no copies maintained outside of the nation.
Many banks argued that the RBI’s mandate was impractical, as most of their processing was centralized outside and compliance would require reorganizing worldwide operations and establishing a separate hub in India.
The payment networks will have to completely redesign their payment processing systems to ensure that all transaction data is maintained solely in India. With massive numbers of transactions processed by card payment networks, the amount of data involved would be mind-boggling. Given the level of security that is the norm for card payment networks across the world, such a change cannot be implemented quickly.
Several high-profile Indian payment and IT businesses have purportedly experienced data breaches. It is anticipated that restricting the exposure of sensitive data to selected, properly supervised servers can reduce cybersecurity threats. Also, a solid data localization structure and laws/regulations are critical in safeguarding Indian customers along with the country’s national and economic interests.
Restricting cross-border data flow will guarantee national security by making it easier for Indian law enforcement officials to conduct investigations. Furthermore, it may reduce conflicts of jurisdiction arising from cross-border data sharing and delays in justice delivery. Such standards would protect people’s data while also improving data privacy and sovereignty in the face of foreign spying.
According to reports, almost all Indian payment platforms have data centres in India, where payment data is collected, processed, and stored. Given that the order mandated that financial data be maintained solely in India, domestic platforms may need to make efforts to guarantee that any copies available outside of India are likewise transferred to India.
Non-domestic platforms, on the other hand, were in an entirely different position. Compliance with the requirement, such platforms claimed, would necessitate a complete architectural level change on their end. The growth and pervasiveness of the digital realm has given birth to, and will continue to give birth to, a variety of concerns.
Such challenges will have to be explored and resolved collaboratively by both the industry and the regulators. Despite these challenges, payment companies are likely to follow the RBI’s instructions. However, the RBI has directed banks and other entities to conduct customer due diligence activities in accordance with regulations governing standards.
About the Author
Sonam Chandwani is the Managing Partner at KS Legal & Associates and heads the firm’s Corporate Litigation Practice. She specializes in commercial structures, commercial litigation, mergers & acquisitions generally, with an emphasis on large scale and complex commercial litigation including contract law, trade practices, real estate disputes and finance issues across a range of sectors.