RBI's latest norms makes Paytm happy, leaves Google, Amazon upset

digital payment industry could be thrown into disarray due to the demand by the Reserve Bank of India (Rbi) that all user data be stored within the country, fears an industry grouping, which has termed the decision as "heavy-handed", even as others, including the country’s largest digital payment provider Paytm, have hailed the move.

In a bid to narrow the growing schism, the industry is planning to send a formal representation to the regulator highlighting its concerns, a top official told ET.

"We are trying to build a consensus on the issue," said the person adding that the representation to the central bank will be ready this week.

RBI on April 6, mandated all payment companies — global and local—to set up data storage facilities within India by October. The stringent six-month deadline has attracted the ire of several sections of the industry that fear it will lead to a disruption of well-established global networks as well as dampen new innovation in the sector.

"What RBI is doing is heavyhandedness. A regulator should not bring about such fundamental changes without consultation with a cross section of affected parties," said Subho Ray, president of Internet and Mobile Association of India (IAMAI).

RBI in its notification said that while the payments ecosystem had grown in India, it needed "unfettered supervisory access" to transaction data to ensure better monitoring of the payment ecosystem. The only exception it gave was for foreign transactions, where the data generated overseas could be stored outside India.

Global technology giants such as Google which offers payment service Tez in India, online retail giant Amazon’s Amazon Pay as well as the payment service from Facebook’s WhatsApp, which leverage the Unified Payments Interface (UPI) —the platform for bank-to-bank micro payments-—could be affected by the move, said industry members, as Indian banks would insist on local hosting of data in order to partner with these firms.

A senior banker, who works very closely on the integration of these platforms with UPI, told ET that they have "had discussions with them ( global technology corporations) already. As of now our stand is that if it affects the payments ecosystem it will affect every global player equally, it will not affect UPI or any payment system alone."

"We are hoping to get more clarifications from the regulator," the banker said.

Google did not reply to ET’s queries. A spokesperson for WhatsApp said the company would not comment as it is reviewing the RBI mandate.

"The problem is not with data localisation but with the process which is being used to implement it," said Ray of IAMAI, which counts American technology corporations such as Google and Facebook as members.

In contrast, India’s largest digital payment provider Paytm, which is a member of Payments Council of India, which is a part of IAMAI, believes the mandate has come at the right time when payment companies are witnessing unprecedented growth.

"The directive to process and store data only in India will help curb the potential misuse and enable active regulatory monitoring. It will definitely boost customers’ confidence in moving to digital payments without worrying about the security of their personal data," said Kiran Vasireddy, chief operating officer of Paytm.

Data replication

India has been rocked in recent days by claims that a UK-based analytics firm Cambridge Analytica sourced personal data of users from social network site Facebook without consent.

Paytm, which in addition to offering digital payments is also a licensed payment bank, is already required by law to store all user data within the country.

IAMAI is of the view that the payments industry requires "some kind of data replication," whereas the RBI is demanding that data be kept only in India. "There is a concept called dual locations, in any case data is kept in multiple locations," said IAMAI’s Ray.

Bankers that ET spoke to also said that "even if the regulator would have mandated storing data in India along with other data centres for the purpose of scrutiny, it would have been understandable. But to restrict storage in India only is a bigger challenge at this point of time."

Compliance4All is a professional trainings provider for the regulated industries. It offers professional trainings for regulatory compliance professionals and offers innovative strategic consulting and advice to a broad range of organizations.