The Reserve Bank of India (RBI) on Wednesday said all data related to payments involving Indian entities must be stored only in India, and such data, if processed abroad, should be shipped entirely to the country within 24 hours.
While there is no bar on processing of payment transactions outside India, if so desired by the payment system operators (PSOs), RBI said such data should be deleted there and brought back to India within 24 hours.
RBI had, in April last year, issued a directive on ‘Storage of Payment System Data’ advising all system providers in the country to ensure that the entire data relating to payment systems operated by them is stored in a system only in India, within a period of six months.
“The entire payment data shall be stored in systems located only in India wherein such data include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction. This may, inter alia, include - customer data (name, mobile number, email, Aadhaar number, PAN number, etc as applicable); Payment sensitive data (customer and beneficiary account details); Payment credentials (OTP, PIN, Passwords, etc.); and, Transaction data (originating and destination system information, transaction reference, timestamp, amount, etc),” RBI said.
For cross border transaction data, consisting of a foreign component and a domestic component, RBI said, a copy of the domestic component may also be stored abroad, if required.
There is no bar on processing of payment transactions outside India if so desired by the PSOs. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India.
However, any subsequent activity such as settlement processing after payment processing, if done outside India, shall also be undertaken / performed on a near real time basis. The data should be stored only in India.
In case of any other related processing activity, such as chargeback, etc, the data can be accessed, at any time, from India where it is stored.
RBI also clarified that the payment data sent abroad for processing should be deleted abroad within the prescribed time line and stored only in India. The data stored in India can be accessed / fetched for handling customer disputes whenever required.
The data may also be shared with the overseas regulator, if so required, depending upon the nature / origin of transaction with due approval of RBI.
The System Audit Report (SAR), from a CERT-In empanelled auditor, should inter alia include data storage, maintenance of database, data backup restoration, data security, etc.
In the case of banks, especially foreign banks, earlier specifically permitted to store banking data abroad, they may continue to do so; however, in respect of domestic payment transactions, the data shall be stored only in India, whereas for cross border payment transactions, the data may also be stored abroad as indicated earlier.
RBI’s advice comes after payment system operators (PSOs) sought clarification on certain implementation issues. RBI also issued FAQs in order to provide clarity on the issues to facilitate and ensure expeditious compliance by all PSOs.
RBI said the directions are applicable to all payment system providers authorised / approved by the RBI to set up and operate a payment system in India under the Payment and Settlement Systems Act, 2007.
Banks function as operators of a payment system or as participants in a payment system. They are participants in (i) payment systems operated by RBI, viz, RTGS and NEFT, (ii) systems operated by CCIL and NPCI, and (iii) card schemes. The directions are, therefore, applicable to all banks operating in India, RBI clarified.
The directions are also applicable in respect of the transactions through system participants, service providers, intermediaries, payment gateways, third party vendors and other entities (by whatever name referred to) in the payments ecosystem, who are retained or engaged by the authorised / approved entities for providing payment services, RBI pointed out.
The responsibility to ensure that such data is stored only in India as required under the above directions and ensure compliance with the provisions of these directions would be on the authorised / approved PSOs, it added.