Cybersecurity is unarguably the most pertinent challenge faced by merchants, payment aggregators and consumers in the digital payment ecosystem. The RBI, in view of the emerging cyber security concerns around digital payments, issued new guidelines to regulate payment aggregators and payment gateways. This article will discuss the concept of rbi data localization put forth by RBI to secure consumer interests in detail.

RBI Data Localization

In April 2018, the RBI directed all payment firms to store all data pertaining to payment systems on servers in India. The RBI gave a deadline of six months for firms to comply with this directive. This circular titled ‘Storage of Payment System Data’ demanded that payment system providers store all data in systems that are within the territorial jurisdiction of India.

The central bank released FAQs to provide certain clarifications on issues raised by Payment System Operators. The RBI directions are applicable to all Payment System Providers who are authorized or approved by the central bank to establish and operate a payment system in India under the Payment and Settlement Systems Act, 2007. 

The RBI shed light on the type of data that must be stored in India which includes  end-to-end transaction details as well as any information that pertains to payment or settlement transaction and is transmitted or gathered or processed as part of a payment message or instruction. Customer data such as name, PAN, Aadhar card number etc, payment sensitive data such as customer account details, beneficiary details, credentials such as one time passwords and pin numbers and transaction data are crucial details that need to be protected as directed by the RBI guidelines. 

In case the data processing takes place outside India, the data needs to be deleted from systems overseas and stored only in India. This should be done immediately within 1 business day or 24 hours after payment processing, whichever is earlier. With data localization, RBI aims to protect personal data of the country’s citizens by restricting data on servers outside the country’s geographical boundaries. 

Key Compliances For Payment Aggregators

The new RBI guidelines issued under the provisions of section 18 read with section 10(2) of the Payment and Settlement Systems Act, 2007 (PSSA) state registration requirements and eligibility criteria for payment aggregators. The guidelines also shed light on the key compliances that need to be adhered to by payment aggregators when dealing with domestic collection and maintenance of funds. The key compliances are elaborated below in detail:

1. Governance

The RBI aims to govern payment aggregators and ensure more transparency with these guidelines. These guidelines underline a few important instructions concerning the activities of  payment aggregators’ which are as follows:

• The payment aggregators must mandatorily disclose information pertaining to any takeover or change in control to the RBI.
• Payment aggregators are required to reveal information about privacy policy, terms and conditions and merchant policies on their website or mobile application.
• Promoters of payment aggregators must fulfill the conditions specified under the ‘fit and proper criteria’.

2. Anti-money laundering

To prevent money laundering, RBI had issued the Prevention of Money Laundering Act in 2002. Payment system providers, financial institutions and banks must comply with this act while also adhering to the RBI’s Master Directions and KYC Directions. Payment aggregators must pay attention to few things such as:

• Ensuring customers are verified in a way acceptable to RBI
• Developing policies for customer acceptance and clearly stating KYC requirements
• Updating KYC information in a timely manner
• Preserve customer information for future reference
• Monitoring all transactions 

3. Settlement/Escrow account

Payment aggregators are required to open an escrow account with a scheduled commercial bank to manage the funds collected. RBI has laid certain regulations that govern the use of escrow accounts. According to these guidelines:

• Usage of escrow accounts must be limited to handle only credits and debits as mentioned in the guidelines.
• Cash on Delivery transactions aren’t allowed
• Credit transactions are payments received from customers, payments for onward transfer to merchants for promotional activities, merchants pre-funding the escrow accounts and money received for refunds in case of failed transactions. 
• Debit transactions mean money paid to service providers and merchants, payments initiated on merchant instructions, commission paid to intermediaries as well as money paid for promotional activities. 
• Transactions with merchants must be completed within the specified time period. The time period however is dependent on factors such as the nature of the transaction and the entity entrusted with the responsibility of delivering the goods or services. 

4. Security, Fraud Prevention and Risk Management

The rise of online security breaches has made it absolutely essential to have measures in place for prevention of online frauds. Payment aggregators must therefore adhere to board-approved information security policies and implement appropriate mechanisms to tackle security breaches as well as submit security reports to the RBI. 

5. Merchant onboarding

While payment aggregators are required to issue contracts to merchants, their responsibilities don’t end there. Background checks must be conducted on merchants to make sure they aren’t involved in the sale of fake products. Payment aggregators must make it a point to ensure merchants have stated all terms and conditions governing refunds on their website. It is the duty of the payment aggregators to ensure merchants adhere to the necessary security standards. merchants should not save any data such as credit card and debit card numbers. 

To ensure merchants comply with these guidelines, aggregators must issue contracts that clearly state these terms and conditions. 

6. Regulation of payment gateway

Payment gateways are only responsible for providing the technology and infrastructure to manage funds. These guidelines are therefore not mandatory for payment gateways. But payment gateways can voluntarily follow these guidelines as security best practices. Payment gateways of banks may have to comply with the guidelines compulsorily as banks are likely to issue contracts to payment gateways stipulating these guidelines. 

The RBI & NPCI Checklist

A circular was issued on 12th May 2020 by the National Payments Corporation of India (NPCI) which demanded a system audit of all payment systems in India. RBI and NPCI issued a checklist to ensure all data is stored in India as per the RBI’s data localization guidelines. This checklist can be referred to as criteria for System Audit Report (SAR). The checklist underlines a few important points that need to be taken into account when auditing payment systems which are mentioned below in detail.

1. Payments data elements

The auditor is entrusted with the responsibility to verify all data and ensure whether they are classified appropriately as data related to payments and non-payments. Data here refers to customer data, sensitive data related to payments, transactions data and credentials data. The auditor must ensure that all data elements are deleted from abroad and stored only in India. Evidence has to be submitted to prove no data is stored outside the country. 

2. Transaction/Data Flow

The flow of data in a transaction needs to be outlined through a well-explained diagram. The diagram must contain information about the flow of transactions through numerous components of the application. This is applicable for cross-border transactions as well. Information pertaining to data elements stored in India and other jurisdictions for processing must be explained in the diagram. 

3. Application architecture

The components and modules present in the application must be specified in the report by means of an application architecture diagram. The location of all application components must be mentioned and appropriate evidence need to be provided to support the information in the diagram.

4. Diagram of network architecture

It is necessary to provide a network architecture diagram that contains information on the equipment that are essential for primary and disaster recovery sites including CBS in cases where it is applicable. 

5. Transaction processing

It is the duty of the auditor to confirm whether certain aspects of the transaction processing is conducted within or outside the territorial jurisdiction of India. In addition to that, it is also important to verify that the purging process is undertaken by complying with the guidelines stated by the RBI. 

6. Activities followed by payment processing

There are further processes such as settlements that take place after payment processing. The auditor must verify whether these are conducted within or outside the country. One of the important responsibilities of the auditor also includes verifying whether the policy for post-payment process and purging process are defined and complied with in accordance with the RBI guidelines. 

7. Cross border transactions, database storage, and maintenance

This criteria emphasizes that the auditor should also check if the application conducts or supports any cross-border transactions. The SAR must include evidence of the payment data elements stored. This is applicable for domestic as well as foreign components.

8. Data backup and restoration

The auditor is responsible for checking whether the provisions made for data restoration and backup are in accordance with the RBI regulations. 

9. Data security

To fulfill these criteria, the auditor needs to monitor the security controls implemented to secure transaction data. Common data security controls include encryption, masking, preventing data leakage and monitoring database access. The auditor must also ensure payment systems comply with regulatory guidelines issued by RBI, UIDAI, UPI etc. It is mandatory to check whether the payment aggregators have stored any payment data as a one-way hash on systems outside India. 

It is also important to verify whether any data is stored outside of India or anyone from outside of India can access the data for data analytics and mining purposes. If yes, it is mandatory to ensure there are proper security controls in place. Compliance with RBI guidelines is must for sharing of data between parent, sister and sublet organizations. 

10. Access management

There may be instances when data needs to be accessed from outside the country for resolution of disputes, customer support activities, data analytics, chargebacks etc. The extent to which access can be granted must be defined appropriately and these must comply with the guidelines and regulations laid down by the central bank.

Final Thoughts

The RBI issued a circular effective from 1st April 2021 that reiterates its stand on data privacy. The circular directed all Payment System Operators to submit a compliance certificate signed by their CEOs and Managing Directors on a half yearly basis. 

International payment companies operating in India were compelled to store data on local servers instead of global servers following the RBI’s introduction of new guidelines. While this new policy raised a few implementation concerns and caused payment companies to miss the RBI deadline for compliance with the data localization guidelines, RBI addressed these issues through a list of FAQs. 

Though the RBI had originally issued the guidelines in 2018, in a relaxation in 2019, RBI permitted processing of data abroad through a list of FAQs. However, RBI demanded that the data be stored locally and deleted from abroad within the stipulated time period. For further information and clarifications on RBI data localization guidelines, you can refer to this link. 

AppSealing is a top-notch security solutions provider for Android, iOS and Hybrid applications. With zero coding and no impact on app performance, it safeguards applications against runtime attacks and provides threat analytics on attack vectors to make data based decisions in real-time. Compatible with a third-party library, its security solutions are designed to protect applications from across industries including gaming and fintech. Contact our team today to safeguard applications against data theft and manipulation and ensure robust mobile application protection within minutes.