In recent times, a number of companies, including Google, WhatsApp and other global giants, have reportedly shown interest in venturing into the digital wallet or digital payment space. Since the demonetization phase in 2016, the Government of India has been actively promoting and encouraging the use of online payment systems, online banking and payment transactions, etc. in a bid to digitize the economy.
Therefore, there is a rising need to regulate online payment systems and to adopt safety and security measures for them, as they hold private and significant data of the users. Thus, the Reserve Bank of India (RBI), by virtue of its powers under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007, has recently issued a Notification dated 06.04.2018 mandating all payment system operators to store data related to the payment systems operated by them within the country, latest by 15.10.2018. This would enable the RBI to have unfettered access to all payment data stored with payment system providers, intermediaries, third party vendors and other entities in the payment ecosystem for supervisory purposes, and would also reduce the risk of data breaches. As per the Notification, such data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
Upon completion of the storage of data, an audit should be conducted by the empanelled auditors of the Computer Emergency Response Team-India, the nodal agency for responding to computer security incidents as and when they occur, to certify the completion of such data storage activity by the system providers. The System Audit Report (SAR) so prepared by the auditors and approved by the board of directors of the system provider company has to be submitted to the RBI on or before 31.12.2018.
In this regard, the RBI has recently communicated with the payment system providers seeking details of their preparedness to comply with the mandate issued under the Notification. Reportedly, Paytm and PhonePe have stated that they are fully compliant with the mandate. But some have raised concerns that the RBI would be able to regulate the systems only of those service providers whose data is stored on servers in India, whereas the consumer data of global companies willing to do business in this sector, stored on servers outside India, may not be monitored by the RBI. In such a case, the manner in which such data can be kept safe and secure is unclear.
Senior Legal Associate
The Indian Lawyer