RBI directive on data localisation: Though security agencies back move, govt may take a lenient view

New Delhi: Rattled by the Reserve Bank of India (RBI) directive on data localisation, American global payment companies want the Donald Trump administration to intervene and put ‘considerable pressure’ on Indian authorities after the latter refused to buckle under pressure. The RBI is firm on its norm for storage of payment system data and has instructed financial services companies to ensure implementation of data localisation by 15 October.

A slew of meetings was held in September-October within the government and with the monetary regulator to discuss various concerns raised by global financial technology companies who were reluctant to store transaction data in India instead of USA. Since the RBI has turned down the offer of ‘mirror data’ by the companies with a clear direction of storage of data in India only, there were some fireworks in the recent meetings. US-based firms observed that through such a directive India was seeking to take a higher ground.

According to sources privy to the development, certain US companies suggested that the Donald Trump government must apply pressure on the Indian government and at the same time convene a meeting with the US industry to find out concerns of US companies to evolve a solution without hampering their global business model.

“It became quite apparent during the conversation that they want to put pressure on Indian authorities to negotiate on the data localisation issue. It is not surprising. US companies have always shown reluctance in sharing data even through legal means. India is emerging as a big economy and there are serious challenges in financial crime in digital era,” sources said.

Interestingly, some of these companies have blamed security agencies and cyber security units behind RBI’s tough stand against global payment companies and even dragged Nirav Modi scam and Facebook Cambridge Analytica controversy in their arguments suggesting that India was looking to take up data sovereignty issues in order to have unhindered access to transaction details.

Sources said the government is divided over the issue. While security agencies are fully backing the RBI move, the Finance ministry may take a lenient view after several rounds of discussions at North Block to consider the concerns raised by foreign payment companies. “Finance Ministry may agree to the proposal of mirror data instead of processing and storage of data in India only. Though security agency and the RBI have a totally different view on this,” sources said.

According to a note prepared by security agencies, “the recent financial frauds trends from RBI clearly indicate that the frauds involving debit/credit cards and net banking are witnessing a sharp increase and presently 65 percent of the total frauds reported by the banks are technology-related frauds.”

The confidential note reviewed by Firstpost further said: “With the demonetisation drive, cashless and digital transactions had received a major boost. The importance and the role of the Internet, mobile phones, plastic money, mobile banking and electronic pre-paid instruments have registered a sharp increase in the past two years.

E-commerce and M-commerce have registered steady growth and are poised to touch new heights. These initiatives have also led to a new digital era characterised by a neat and clean economy and empowerment of the masses. The increase in digitisation of the financial services without adequate attention to setting up of robust processes, controls and monitoring mechanisms have given New Age fraudsters the opportunity to exploit these gaps leading to new types of financial crimes.”

Companies adopt various methods to delay RBI directive

The US companies are working on twin policies of threat and dialogue to wriggle out from the RBI mandatory regulation on data localisation. While on the one hand they want US government intervention, they are also trying to engage with the RBI seeking more time beyond 15 October to comply with the order. One such company even wondered whether they could switch off the services in India that would adversely affect transactions of customers. Some of the company’s representatives, who recently met Economic Affairs Secretary Subhash Chandra Garg also complained that the RBI did not have any prior consultations from the concerned sector before implementing its mandate. The argument also indicated that data localisation directive was more critical for remittance companies. In data processing, transaction done through cards in India is processed in a US data centre.

“Though the RBI has asked them to delete the entire trail of transactions in the US and store the same in India, one company said they are not comfortable with the RBI requirement and instead proposed to store copy of the data in India without impacting the existing data processing architecture. Their argument that no other foreign companies except the US were affected due to the proposed directive of data localisation doesn’t hold water,” sources privy to the development said, further adding that certain issues like types of data elements that needed to be captured were also raised.

“The global financial technology companies also said that the RBI has not clarified on two basic issues like data related to domestic card issued in India and used overseas and cards issued in other countries and used in India. They also raised concerns saying in cases like transaction originating overseas, payments in India, the remittance companies would not be able to comply with clause of data to be stored in India since regulators from two countries will be involved in it.”

According to sources, the companies argued that they need at least a year for implementing the entire process of data localisation which includes setting up of a data centre, space, procurement of hardware, installation of software, system integration and testing. The RBI, however, told them categorically in a meeting that if it was not possible for the companies to meet the data localisation requirement by 15 October, then they could hire servers till a dedicated infrastructure arrangement was put in place.

The unfazed security officials said there is a long list of past cases where data stored on servers in the US was provided after much delay and in some cases, requests were even turned down. Officials said more than a decade ago, they had faced massive roadblocks in investigating Laraib Khan case related to terror funding, in which money was being moved through remittance companies based in the US.

Most recently, sources said, they were made to wait for a long duration during the investigation of Indian Mujahideen co-founder Yasin Bhatkal, who was found to be communicating through messenger and email services based in the US. Security agencies had encountered similar constraints while investigating the case of HUJI India chief Jalaluddin alias Babu Bhai, who was using US-based communication platforms knowing very well that these companies hardly share information with law enforcement organisations.

A US-based investment and financial services company, however, claimed during the ongoing discussions that present issues affecting payment companies would leave an impact on the entire business model of payment and credit card companies. This New York-based firm was of the view if needed companies must engage with all stakeholders including regulators and Indian bankers association forum.

During the closed-door meetings, some companies also expressed angst over the Commerce Ministry plan to draft a national policy on data localisation for domestic companies involved in e-commerce business in India but did not consult international players on the policy. One of the representatives even went on to say that the Ministry was protecting domestic businesses in India and data localisation under the pretext of privacy and data security.