India: Views of Industry Experts on Reserve Bank of India notification regarding Storage of Payment System Data

April 18, 2018

Views of Industry Experts RBI



India is aiming towards being a paperless economy. For the past one year, digitization has taken India by storm. Everything today is shifting on to the digital world. From booking a restaurant to booking a house, from opening a bank account to paying the bills, from lending money to getting a loan everything can happen in just a click. This has become possible because of the robust online payment ecosystem of the country. These online payment systems share and store the data digitally. The amount of information shared on the internet is immeasurable. The information shared includes personal information and sensitive personal information of an individual. Thus, in the fast-moving technological world today, everything about data protection, data security and data storage is significant.


Reserve Bank of India (hereinafter referred as ‘RBI’) on March 6, 2018 issued notification regarding
Storage of Payment System Data[1] . The said notification has directed all the payment system operators to ensure within a period of 6 months, i.e. by October 15, 2018 that the data related to payment systems operated by them are stored on servers located in India. With the increasing number of data breach incidents, the guidelines are a step to ensure the safety and security of the data, thereby, reducing the risk of data breach and catalyzing the growth of online payment ecosystem.

According to the RBI, there are very few payment system operators (and their outsourcing partners) who store data on servers located within India, either partly or completely. The director of RBI was quoted saying
‘the directive is aimed at having unfettered access to all payment data for supervisory purposes.’[2]


The notification has caused a split opinion among the different online payment systems within the industry. On one side companies like PayPal, Paytm and PayU have supported the move of RBI, whereas on the other hand companies like Google, Facebook, and the fin-tech startups within the country have shown concerns.

Our systems are within the country and they are getting audited regularly, but if global players do not have their servers in India, how can the regulator ensure the safety of the consumer data,” said a founder of a Bengaluru-based payments company. [3] Also, Subho Ray, president of Internet and Mobile Association of India (IAMAI) said that ‘What RBI is doing is heavy-handedness. A regulator should not bring about such fundamental changes without consultation with a cross section of affected parties.[4]

Amrish Rau, chief executive officer of PayU India, said that ‘Most countries require transaction data to remain within the country. This is different from situations where the regulator allows no data to leave the country. The RBI step is welcome and we adhere to it today[5].

PayPal has become the first country that has responded publicly to RBI. It has agreed to store its transaction data in India after the RBI issued a mandate asking all the payment firms to comply to above-mentioned requirement within six months. The Chief Technology Officer of PayPal, in an interview said that
the major competitive advantage of the company lies in fact that they look at compliance and regulations, and work with local the government. The company aims to work with regulators and comply as closely and as best possible.[6]

Kiran Vasireddy, chief operating officer of Paytm, supported the move and said that ‘The directive to process and store data only in India will help curb the potential misuse and enable active regulatory monitoring. It will definitely boost customers’ confidence in moving to digital payments without worrying about the security of their personal data[7]


The requirement mandated by the RBI is aimed at ensuring that the personal data of data subjects – Indian residents is protected with greater certainty. This move can be viewed in consonance with the General DataProtection Regulation set to be implemented for the protection of the personal data of European residents in the European Union on May 25, 2018[8] . However, it should be noted that the practical implementation of such a mandate comes with its own roadblocks like installation of adequate servers for storing of information/ data.

Further, this is move is also set to improve the quality of data management by Indian players as well, whether such function is currently being outsourced by major payment system operators or not. This move can also be viewed as a positive towards protection of sensitive personal data or information (SPDI) of Indian citizens in the light of already existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[1] Available at:

[2] Available at:

[3] Available at:

[4] Available at:

[5] Available at:

[6] Available at:

[7] Available at:

[8] For more information read “Getting Ready For General Personal Data Protection Regulation”

For more information please contact us at :