RBI Clarifies Payments Data Rule For Foreign Companies

RBI Clarifies Payments Data Rule For Foreign Companies

The Reserve Bank of India (RBI) has clarified a data storage rule for companies like Mastercard and Visa, which mandates foreign companies to store payment data “only in India” for “unfettered supervisory access,” according to a report from Reuters.

The clarification states that companies can process Indian payments outside of the country, but the data has to be back for local storage within a 24-hour period. When RBI made the rules, many American companies said they would hurt business and started lobbying against them. Last year, the RBI declined to soften the rules.

“The entire payment data shall be stored in systems located only in India,” the RBI said in its frequently asked questions section on Wednesday (June 26), according to the Business Standard. “The data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from the payment processing, whichever is earlier.”

The new rules clarified the question of whether data could be processed outside of India. The RBI said that regardless of where the data transactions are processed, they must be “deleted from the systems abroad and brought back to India” within the 24-hour timeframe.

“The clarity on processing, and the ability to do so overseas, is a welcome development. Although the clarifications do not ease the local-only storage requirement,” said Kriti Trehan, a technology lawyer in India.

The news comes on the heels of India’s commerce ministry meeting with different technology and payment companies about the issue. There have been some trade tensions between the U.S. and India; on Wednesday, U.S. Secretary of State Mike Pompeo pledged there would be a new focus on working out better ties, but he didn’t talk specifics.

India has asked for tighter data storage rules so it can access and investigate things when necessary. In addition, the country has written a law about data storage requiring that all critical personal data also be processed in the country.