Over the past couple of years, the digital payment sector has grown by leaps and bounds, allowing seamless delivery of online services and aiding the growth of digital businesses. The use of electronic payment modes for payments to merchants for goods and services like bill payments, online shopping, etc., has gained large-scale momentum over the years.
The Reserve Bank of India (RBI) recently adopted a policy framework for the oversight of Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs) operating in India. The oversight framework, coupled with localisation of payments data, can seriously impair the capacity of these businesses to detect fraud and ensure the security of the user in the digital payment ecosystem. Moreover, it will also increase the compliance burden and deter growth and innovation.
Retail payment systems consist of platforms, payment products, and services that allow the transfer of money without the use of cash, and have become increasingly prevalent in the Indian economy. Due to the widespread growth of the digital economy, consumers across the board rely increasingly on these platforms and systems. The efficiency and ease of operating these systems have been key factors in their growth in the past couple of years. It is to be noted that these systems have been instrumental in increasing the corpus of digital transactions, and this is pronounced as we battle the Covid pandemic.
Operational risks, the stability of the financial market infrastructure
The policy framework aims at enhancing the existing oversight and supervisory mechanism of the RBI, which will lead to over-regulation and make it more difficult to do business in India. The RBI carries the responsibility to preserve the smooth functioning of payments systems, and to support efforts promoting financial inclusion. It is important to ensure that the FMIs and RPSs are resilient to disruption, including financial and operational shocks, so that they continue to function effectively and contribute to economic growth in the country. An earlier circular by the RBI mandates the storing of all financial data of payments systems within the territorial limits of India, in an attempt to provide “unfettered supervisory access” to the central bank.
Similar language has been adopted in the policy framework for oversight of FMIs and RPSs. The framework mandates that all system providers ensure that the entire data relating to payment systems operated by them is stored in a system only in India. This move can be seen as a measure taken to further solidify the Indian stance on localisation, and it draws territorial limits to the flow of data in a global economy, which will have negative consequences in the future. This move seriously restricts businesses from drawing benefits from the free flow of data in cyberspace.
Storage of payment system data
It is important to acknowledge the vital role that fraud detection plays in consumer protection and, in turn, the stability of the market. In the context of online payments, real-time fraud detection relies on noting unusual payment patterns across jurisdictions. With the growth in global trade and services, many businesses require the flexibility to analyse large volumes of data from across different jurisdictions. Disallowing cross-border data flows limits the resources that global businesses have at their disposal to detect such fraud.
As far as the security of data is concerned, a localisation policy cannot operate in a vacuum. Investment in infrastructure and maintenance is important to effectively carry out the objective. In the absence of adequate funding, data storage will become expensive for these entities, which will increase the cost of compliance and have a trickle-down effect on the consumers/users of these services.
Centralising data storage in local servers without adequate investment in security infrastructure can make data more susceptible to breaches. It is also pertinent to note that the unfettered supervisory power granted to the RBI under the framework could lead to arbitrariness. Power must always be qualified with adequate checks and balances to ensure that there is greater transparency and accountability from the side of the Central Bank.
Proposed framework: key changes to RPS compliance
The key change from the existing framework of regulation of FMI is the inclusion of RPS into the ambit of such policy. This move is spurred by the drastic change in the manner of operation of the financial market itself and the wide corpus of transactions that are carried out online.
The framework has identified NPCI as a “system-wide important payment system (SWIPS)”. In addition to this, the framework proposes measures such as off-site surveillance by the RBI, data localisation, fraud monitoring, and improved standards of reporting of cybersecurity breaches, etc., as oversight mechanisms. In addition to the compliance and security concerns, “unfettered supervisory access” for the RBI will lead to domestic surveillance concerns. The RBI's access to data must be within the scope of the privacy principles, consisting of proportionality, necessity and legitimacy, as laid out in the Puttaswamy judgment. This is critical to enhance consumer trust.
Way Forward
Governments can facilitate cross-border flows of data in a way that allows them to ensure data security and data privacy while maintaining an attractive business environment. To this end, there is a need to critically assess the objectives behind the imposition of a localisation regime for payment data.
These measures cannot be arbitrary and disproportionate against foreign players, as that will adversely affect investment. A better model would be to develop cross-border data flows with like-minded countries, which agree on similar principles of data protection and privacy. Data sharing agreements that detail the modalities of access for law enforcement for defined and legitimate state purposes, and for the prevention of money laundering, can be concluded with countries while allowing for cross-border data flows. Mapping out inter-regulator mechanisms with foreign regulators could be an alternative to enable scrutiny of data hosted outside of their national borders without restricting data flows.