wordpress blog stats
Connect with us

Hi, what are you looking for?

RBI: All payments data to be stored in India, data processed overseas to be localised within 24 hours

The RBI has issued FAQs clarifying, among other things, that all payments data needs to be stored in systems located in India. The regulator issued the FAQs in response to implementation issues raised by payments companies.

  • Data processed outside: The RBI also clarified that while there is no bar on overseas processing of strictly domestic transactions, the data shall be brought back to India within one business day or 24 hours of payment processing and be stored locally here. The regulator also said that should companies need access to data for payment processing activities, they can access it, at any time.
  • Data to be mandatorily stored in India includes i) customer data – name, mobile number, email, Aadhaar number, PAN number, etc. as applicable; ii) payment sensitive data – customer and beneficiary account details; iii) payment credentials – OTP, PIN, passwords, etc.; and iv) transaction data – originating & destination system information, transaction reference, timestamp, amount, etc. It said data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions.
  • These norms are applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors and other entities in the payments ecosystem apart from all payment system providers authorised by the RBI.

In a closed door meeting between the commerce ministry and tech and e-commerce companies last week, all the companies raised concerns related to RBI’s data storage requirements and processing related guidelines. The apex bank regulator’s deputy governor BP Kanungo, who was also present at the meeting, had then “assured” these companies that RBI would look into the matter. However, for now, the central bank has only issued these FAQs which are a mere clarification of RBI’s stance on data storage requirements. We are still waiting for the RBI to take a second look at this matter as per its assurance to companies.

The Central bank, in April 2018, had mandated all payments system operators working in India to ensure that data related to payment systems operated by them is stored in the country. “In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of six months,” RBI had said in a report during its Monetary Policy meeting in the April 2018 meeting.

A timeline of the RBI’s localisation mandate for payments data

  • April 2018: the localisation circular surfaces: The RBI told all payments system operators in India to ensure that payments-related data was stored within the country and gave the companies six months to comply. The RBI wanted data stored locally “to have unfettered access to all payment data for supervisory purposes”.
  • July 2018, Finance ministry tries to step in: The Finance Ministry eased the RBI’s directive for foreign payment firms, saying that mirroring a copy of the data in India would be sufficient. Payments companies were relieved, assuming that the Finance Ministry’s directive stood and that it would be okay to mirror user data in India. The companies were awaiting a circular from the central bank to this effect. However, the RBI’s did not issue any such circular.
  • Also in July, the Data Protection Bill mandated localisation : The long-awaited draft Data Protection Bill 2018 was submitted to the government, adding to the confusion. The bill overrode all sectoral regulators and therefore all their directives. It mandated that all data fiduciaries store a copy of users’ personal data in India. Worryingly, it also required mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to explicitly define ‘critical data’.
  • September 2018, RBI asks for updates on local storage: The RBI asked payment companies to send it fortnightly updates about their progress on local storage of payments data.
  • October 2018, RBI circular comes into effect: The RBI’s circular on localisation of payments data came into effect.
  • February 2019: The Department for Promotion of Industry and Internal Trade released a Draft E-commerce Policy, which included strategies for regulating access to data, mandating data storage requirements, and controlling cross-border data flows. Data localisation may now be left out of the e-commerce policy, and left to the jurisdiction of the Data Protection Bill, which is expected to tabled in Parliament’s Budget session.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ