Data Localization Rule by RBI for all Payment Companies

Digital payments are taking over the world at quite a rapid pace and it is made possible through a number of payment facilitators and intermediaries. They bridge the gap between the customer who wants to make the payment and the merchant who wants to receive the payment.

The payment systems in India have witnessed rapid advancements in innovation, eCommerce, and fintech, to name a few. It is only natural to ensure that the guidelines, prescriptions and regulations also advance in order to safeguard the interests of the customers, users, and the government

In September 2019, the Reserve Bank of India issued a discussion paper on Guidelines for Payment Gateways and Payment Aggregators.

This came to fruition as the RBI issued guidelines to regulate payment aggregators and payment gateways in India effective 1st April 2020.

These guidelines bring about significant changes to the governance of payment intermediaries.

Background

Payment intermediaries were governed by the Directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions Involving Intermediaries (Intermediary Directions) issued in November 2009.

But taking into consideration that Payment Aggregators accept funds from customers before it reaches the respective merchant accounts and that they also handle huge volumes of customer data, the RBI recently revisited these directions and decided to further regulate these entities prioritizing the interest of the consumer.

On 17th March 2020, under the provisions of section 18 read with section 10(2) of the Payment and Settlement Systems Act, 2007 (PSSA), the RBI issued new guidelines on the regulation of payment aggregators and payment gateways (“Guidelines”).

Coming into effect on 1st April 2020, these guidelines set forth a detailed regulatory framework that applies mandatorily to payment aggregators and payment gateways.

These new guidelines stipulate a registration requirement and eligibility criteria for payment aggregators. It also includes a number of compliances for governance, security, local incorporation, and anti-money laundering measures.

The guidelines apply only to domestic collection and maintenance of funds and settlements with domestic merchants. It does not apply to cash-on-delivery transactions of payment aggregators.

Understanding Payment Aggregators and Payment Gateway

The RBI has made it mandatory for aggregators to implement the recently released guidelines. But gateways can choose to adhere to them as best practices. This makes it important to understand the difference between the two entities.

Payment Aggregators

Merchants and eCommerce retailers need to accept various forms of digital payment. It would be incredibly difficult for merchants to set up their own payment integration system that accepts a variety of payment instruments.

To make things simple, payment aggregators step in to connect the merchants with payment acquirers who receive payments from customers, pool it together, and then transfer the payments to the respective merchants.

With payment aggregators, eCommerce sites and merchants can easily accept payments without the need to have an individual merchant account with a bank or financial services provider.

Payment Gateway

To accept payments from millions of customers and to route them to the right merchant, there is a need for solid technology-based infrastructure.

Payment gateways are entities that provide exactly this to facilitate online payment processing. They do not actually handle the funds but provide the set up for payment aggregators to carry out their processes.

It’s important to note that most intermediaries operate as payment aggregators and payment gateways.

Storage of Payment System Data

Payment system data is stored on servers all around the world making surveillance difficult for the RBI.

In April 2018, the RBI directed payment firms to store data related to payment systems exclusively on the local server in India. This directive was issued with a 6-month deadline for compliance. However, a few foreign firms such as Visa and Mastercard missed adhering to the deadline.

After this, Commerce and Industry Minister Piyush Goyal held extensive consultations with the tech industry and e-commerce companies where many issues and concerns were noted. Policymakers in India also believe storing data in India would help to monitor and safeguard the data given the fast growth of technology-dependent payment systems.

Thus, it was made mandatory that all data related to payment systems be stored in India only. This enables the RBI to have better supervisory access to the data stored in the payment ecosystem including intermediaries, third-party vendors, and other entities.

Interesting Read- Why is PUBG Banned in India? Questions Revolving Around Security and Data Localization

Registration Requirements

As per the Payment and Settlement Systems Act, 2007 (PSSA), all existing non-bank payment aggregators must obtain a registration issued by the RBI. The deadline for this is 30th June 2021. The RBI has dictated a list of conditions that payment aggregators must adhere to in order to seek authorization:

Key Compliance's

Governance

The RBI’s intention with these guidelines is to regulate payment aggregators and govern them better. The guidelines are drawn up in line with RBI’s management and internal policies and have sought to regulate payment aggregators and their activities. To ensure transparent governance, the guidelines emphasize on the following:

1) If there is a takeover or change in control, the payment aggregator must communicate the information to the RBI.
2) Payment aggregators must disclose information regarding their privacy policy, terms, and conditions on their website or mobile application, merchant policies, and customer grievances.
3) Promoters of a Payment Aggregators must satisfy the 'fit and proper criteria' prescribed by the RBI.

Must Read- Understanding the DSCI Security Framework

Anti-Money Laundering

At present, payment system providers, financial institutions, and banks must adhere to the Prevention of Money Laundering Act, 2002, along with RBI’s Master Direction and Know Your Customer Directions.

Therefore, payment aggregators must also ensure the following:

• That customers are verified in the manner prescribed by the RBI. For this, payment aggregators must develop policies for customer acceptance and put KYC requirements in place. They must update KYC information from time to time.
• They must also preserve and make all customer information stored with them available at all times.
• They need to monitor large transactions as well.
  
  

Settlement/Escrow Account

For funds collected, payment aggregators must set up an escrow account held with a scheduled commercial bank. In addition, the RBI has issued strict requirements for escrow account usage in order to regulate the flow of funds through payment aggregators.

• Escrow accounts can be used only for credits and debits that are specified in the Guidelines.
• Cash on Delivery transactions is not permitted.
• Credits include payments from customers, payments for onward transfer to merchants for promotional activities, refunds for canceled or failed transactions, and pre-funding of the escrow account by merchants.
• Debit transactions can include payments to merchants and service providers, payments made on instructions from merchants, payment of commission to intermediaries, and payments for promotional activities.
• Payment Aggregators must settle amounts with merchants within the stipulated time periods. The time periods vary depending on the nature of the transaction and the entity that is responsible for delivering the service or goods.

That said, there is a lack of distinction between services that involve instant delivery, and those that are delivered over a period of time. Thus, it could lead to uncertainty for payment aggregators.

Good Read: Top 7 Cybersecurity Regulations in the Financial Industry that you Need to Know

Security, Fraud Prevention and Risk Management

With digital payment and mobile payment frauds on the rise in India, the guidelines address the need for security fraud prevention.

Board-approved information security policies and mechanisms need to be put in place by payment aggregators in order to handle security breaches and incidents and to submit relevant security reports to the RBI.

Merchant Onboarding

In regards to contracts with merchants, payment aggregators now have increased responsibilities and guidelines to adhere to.

• Background checks on merchants are necessary to ensure they are not selling counterfeit or fake products
• Terms and conditions of the merchant must be clearly displayed on the merchant’s website including the timeline for processing refunds and returns.
• Payment aggregators must ensure that the merchants adopt the prescribed security standards.
• They must also ensure that merchants do not save credit or debit card numbers and related data.

Payment aggregators would need to stipulate these conditions in the contracts they issue to merchants. However, the extent of responsibility undertaken by the payment aggregated is ambiguous.

Regulation of Payment Gateway

As payment gateways do not handle funds and only provide technology and infrastructure, they can voluntarily undertake the guidelines.

However, in the case of payment gateways of banks, there are guidelines that are applicable for outsourcing the work to payment gateway services. Therefore, banks may pass on compliance's detailed in these guidelines by way of a contract with payment gateways.

Thus, payment gateways may mandatory have to follow the same compliance's. If not, they may opt to adopt them as best practices.

Checklist for Data Localization System

National Payments Corporation of India (NPCI) issued a circular on 12th May 2020 stating that a System Audit has to be conducted on all payment systems in India. The directive is linked to RBI’s new guidelines on data localization that states all payment system providers need to ensure that all data related to payment systems need to be stored in systems in India only within the stipulated deadline of six months.

To ensure adherence, testing is required as per a required format and checklist issued by the NPCI and RBI.

• Payments Data Elements - The auditor should check all data elements and their classification as payments or non-payments data. It should include customer data, transaction data, payment sensitive data, and payment credentials data. Each element needs to be categorized into jurisdictions and whether or not the data has been brought back to India.

The auditor must provide substantial and conclusive evidence that no payment data is stored outside of India.

• Transaction/Data Flow (For all Transaction types including cross border transactions) - The report must include a detailed diagram of the transaction and data flow. The diagram should detail the steps of how a transaction flows through the different components of the application. This diagram is required for all transactions including cross-border ones and must explain the data elements stored in India as well as other jurisdictions for processing, if applicable.
  
  
• Application Architecture - A detailed diagram of the application architecture is required in the report to show the components and modules of the application. The auditor must verify the location of every component of the application and relevant evidence needs to be included.
  
  
• Network Diagram - A detailed diagram of the network architecture must show the relevant equipment for primary and disaster recovery sites including CBS, if applicable.
  
  
• Transaction processing - The auditor should check if aspects of a transaction processing are done in India and outside India. The auditor also needs to check whether the purging process and policy is defined and in accordance with the RBI guidelines.
  
  
• Activities subsequent to Payment Processing - The auditor needs to identify activities that follow the payment processing such as settlements and check if these processes are carried out in India or outside India. They must also check whether the post-payment process and purging process and policy is defined. Lastly, conclusive checks are required on the defined policy to ensure it is as per RBI Guidelines.
  
  
• Cross Border Transactions Database Storage and Maintenance - The auditor must verify if there is a presence of cross-border transactions, whether occurring or supported in the application. Verification and evidence are required for the payment data elements stored, for both domestic and foreign components.
  
  
• Data Backup & Restoration - The auditor must verify if the backup and restoration of the defined payment data is compliant with the guidelines.
  
  
• Data Security - Security controls must be verified to ensure transaction data is safeguarded. This includes standard data security controls like masking, encryption, data leakage prevention, and database access monitoring. It also includes applicable regulatory guidelines issued by the RBI, UIDAI, UPI, and such.

The auditor needs to verify if any payment data is stored as an alias such as a one-way hash on systems outside of India. It also needs to be verified whether any data is stored or accessible from outside of India for data analytics and mining purposes. If it is found, controls should be in place to ensure compliance to RBI guidelines. This includes data sharing between parent, sister, and sublet organizations.

• Access Management - If data is accessed from outside of India such as for dispute resolutions, chargebacks, customer support activities, data analytics, permission levels, and access levels granted should be in accordance with the defined processes and policies.

Conclusion

The guidelines issued by the RBI for data localization of payment aggregators will greatly improve the governance of payment-related data in the country.

There is a need for more clarity in certain areas as to the extent of responsibility borne by the payment aggregators.

That said the new directives safeguard the customer’s interests and data. With proper implementation, the guidelines will bring about better surveillance of payment-related data in India.