With the central bank’s deadline for payment players to store data locally in India coming to an end on Monday, it is believed that about 15 entities out of the total 78 are yet to fully comply with the directive.
Further, some of the largest entities that are not yet compliant are in constant dialogue with the RBI after having completed a “significant amount of work” towards compliance, said banking sources.
“Around 62-63 entities have fully complied with the RBI circular and the rest who are currently not compliant have also completed a significant amount of work towards becoming fully compliant,” said a person familiar with the development.
“Some of the bigger players are in the process of compliance and are also in continuous dialogue with the RBI. The central bank is currently ascertaining whether the non-compliant players are facing any particular genuine difficulties,” said the person on condition of anonymity.
While it could not be immediately confirmed, it is believed that some of the biggest payment processing players are yet to fully comply with the RBI diktat that was issued in April. Email queries sent to American Express, Visa and Mastercard remained unanswered till the time of going to press.
Khushroo Panthaky, Director, Grant Thornton Advisory, was of the view that while some of the non-compliant companies were believed to be meeting policy makers seeking a review of the RBI decision, it was only fair that they should be told to comply as most players had already complied.
Larger interest
“In the larger interest of confidentiality of data and the fact that many have complied with the timeline, it would be appropriate if the remaining companies also ensure data localisation at the earliest, for which they will have to seek extension from RBI,” Mr. Panthaky said.
Meanwhile, sources familiar with the matter said that since the RBI had not hinted at any extension of the deadline, it was likely that the banking regulator would act against non-compliant entities if found that the delay was on account of avoidable issues.
“Consequences of non compliance could range from monetary penalties to even termination of permissions with each citizen also having a right to claim damages,” said advocate and cyberlaws expert N.S. Nappinai.
“Data localisation is not a misconceived proposition, especially in the context of data of financial transactions. The RBI circular is independent of data protection laws and will most likely stand the test of proportionality. It applies only to those entities it governs such as payment systems,” she said.
“The belated clamour now for only storing a mirror image within India is contrary to RBI’s stated intent which is not only about easy access of data but of protecting Indian citizens’ data against rampant sharing outside India, as a public policy process. There is no real cause for delaying the compliance,” explained Ms. Nappinai.
