Last Updated : Oct 11, 2018 04:10 PM IST

Opinion | Who will blink first in the data localisation debate?

If the October 15 deadline passes without an agreement between the RBI and global payment companies on storage of payment data locally, credit cards and debit cards could be taken offline in a way that might be reminiscent of demonetisation

Moneycontrol Contributor @moneycontrolcom

Bala Murali Krishna

Global payments companies have engaged in brinkmanship and now have only days left before a deadline, set six months ago by India’s central bank, the Reserve Bank of India (RBI), to store all payments data locally.

If the October 15 deadline passes without a deal, credit cards and debit cards powered by Visa and Mastercard could be taken offline in a way that might be reminiscent of demonetisation.

It would affect nearly 900 million Indians, a majority of them holding debit cards issued by banks to account holders, but the volume of transactions is laughably small at Rs 4,000 per card per month, and the disruption can only cause minor inconvenience to urban Indians, notably the middle class. It could additionally disrupt digital services such as Google Pay and Amazon’s equivalent, among others.

For nearly six months, firms such as Visa and Mastercard, and fintech players such as PayPal and Google, have dragged their feet on the RBI directive and lobbied hard for concessions. In the early stages, many protested the higher cost of storing data in India compared to highly efficient server farms at other global locations. But in recent months, they have reconciled themselves to the potentially higher cost as the price of access to one of the hottest, and biggest, markets, and have focused on the core issues.

So, what are these?

RBI’s primary demand is for “unfettered access to all payment data for supervisory purposes”, asserting the central bank’s primacy. India is not the first country to require payments companies to store data locally. Many others, including China and Russia, have introduced similar regulations for obvious reasons.

With a growing number of digital channels for finance, countries are increasingly challenged to even detect money laundering and tax evasion, as the recent scandal at Denmark’s Danske Bank shows: nearly $230 billion flowed through the bank’s tiny branch in Estonia, leaving the regulator in the dark for the better part of a decade. Understandably, the least that other countries, especially those with large amounts of black money, can do is to have unrestricted access to local transactions.

Local payments companies such as Paytm and PhonePe have given the dispute a foreign vs local twist, with talk of data manipulation and privacy abuses by payment giants, perhaps in the hope of extracting some competitive advantage. But these miss the point.

It’s true that the RBI order came weeks after the United Kingdom political consultancy Cambridge Analytica leaked the Facebook data of nearly 100 million users, shining a light on data privacy. However, it is hard to believe the RBI was acting on data privacy concerns when it mandated local storage of payments data, or indeed that the global payments firms would not still be able to slice and dice the data at hand.

Mastercard, for example, has a secret partnership with Google to analyse its users’ transactions to study American consumer behaviour offline and online, and there is nothing in the RBI order that could conceivably stop the payments giant from doing the same with its data in India.

The real dispute is about storing the payments data only in India — a stipulation the RBI has made without advancing any reasons.

“All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India,” the RBI said in its note seeking local storage of data by all payments firms.

In the circumstances, lobbying by many global payments companies and by the US-India Business Council has focused on two issues.

One, a concession on data exclusivity, allowing the companies to “mirror” their servers and store the payments data in India as well as another global location. Many hold the view that the RBI could be offered unfettered access to Indian payments data, regardless of where that data is stored.

During negotiations, the finance ministry is believed to have backed moves to let the global firms store some or all of the data abroad, with a copy in India or vice versa. But RBI officials have stood their ground for unknown reasons.

Two, the companies seek more time to comply. Google, for example, is believed ready to comply with the rules by year-end. Six months might seem ample time in the fast-moving world of technology, but the large companies have squandered a lot of it in hope of a negotiated settlement.

Recently, representatives of global companies reportedly met finance minister Arun Jaitley for last-minute parleys, even though it is not clear what the finance ministry can actually do. The ball clearly is in the RBI’s court and the question is: will it hold firm and pull the plug on October 15 or offer concessions and avert a potential disruption to the financial system?

(Bala Murali Krishna works for a New York-based startup. Views expressed are personal)
First Published on Oct 11, 2018 04:10 pm