The RBI has sent out a stern reminder that businesses must follow the letter of the law. On Wednesday, it barred global payments systems provider MasterCard, which currently accounts for roughly a third of all debit and credit cards in India. The central bank made no bones about MasterCard’s non-compliance even after ‘considerable time and adequate opportunities’ to fall in line with its April 2018 circular on localisation of data storage. The RBI had also asked foreign banks for a board-approved system audit report certifying compliance with its data localisation norms, which MasterCard and others have failed to furnish even after three years. In the recent past, the RBI has barred players like American Express and Diners Club, and the latest rap only reiterates the central bank’s intent to solidify its stance on data localisation.
Drawing territorial limits to the flow of data gains significance amid rising breaches and electronic spying at companies including domestic players like Mobikwik, Big Basket and Unacademy, where the data of customers was put on the dark web for sale. Data on transactions is crucial to avoid financial frauds, but foreign banks reason that local data storage runs counter to their centralisation practices and limits their flexibility to detect frauds. The central bank maintains that, while storing data locally, these banks can send data overseas for 24 hours for analysis.
With mushrooming fintech and payment systems providers, data gathering practices are increasingly becoming opaque. Often, consumers too give consent to privacy forms without reading the complex fine print, and hence enhanced regulation is even more critical to ensure financial safety and stability. That said, it’s important to balance stakeholders’ interests, particularly in overlapping areas of fraud detection and prevention of money laundering. If the broader Personal Data Protection Bill, 2019, is taken up in the upcoming Monsoon Session, the issue of cross-border data flows will likely get attention. This can bring clarity on whether developing cross-border data flow agreements with countries having similar principles of data protection and privacy should be extended to financial transactions too.