Is RBI's Diktat to Retain Payment Data in India Decelerating Fintech Driven Financial Inclusion?
Financial inclusion by the payments industry is a by-product of its efforts to monetize customer data. Cutting off the offshore market and forcing payment data localization may have the unintended consequence of slowing down financial inclusion by the payments industry.
Over the last decade, India has emerged as a hotbed for the growth of digital payment and fintech companies on account of a combination of factors that are unique to India. These include the ubiquity of smartphones, permeation of ‘last mile’ wireless internet connectivity, and a young demographic profile. To add to this, India’s consent-based data protection laws permit the collection and processing of personal information once a user’s consent is obtained. This provides additional incentives to companies which trawl for user data to establish last mile connectivity and expand their user base. These factors have allowed digital payment and fintech companies to monetize their vast repositories of customer data, which in turn has allowed them to keep the costs of their offerings relatively low.
Financial inclusion and the on-boarding of the masses to digital payment platforms is likely to have been a by-product of digital payment companies attempting to widen their user base and gather customer data of a size that is a representative sample of the targeted demographic segment. India’s large population, coupled with inadequate infrastructure, cash shortage after the demonetization of high-value notes, and scattered brick and mortar banking channels, has further accelerated the adoption of digital payment products to substitute traditional retail banking and finance needs.
The Reserve Bank of India (RBI) has on multiple occasions reiterated that it is keen to promote the use of technology for cashless transactions. It has even acknowledged that digital payment systems are likely to spearhead financial inclusion in India. Despite this, in April this year, the RBI issued a directive to payment system providers to store all data relating to payment systems operated by them exclusively in India by October 15th 2018. This directive imposes fetters on the digital payments industry that are difficult to rationalize, and it certainly does not reflect the RBI’s purported enthusiasm to promote digital payments in India.
Location Agnostic Cybersecurity: If one were to argue that the intention of this restriction is to strengthen security measures, the absence of any security standards or restrictions on the end use or analytics of the data, which would directly address the imminent concern, is conspicuous. In such circumstances, proffering the justification that retention of payments data in India would increase oversight or customer confidence is irrational to the point that it is ludicrous. With cloud storage becoming the industry standard, cyber-security has become location agnostic. Prescribing the storage of payments data exclusively within India provides no incremental benefit or additional security as compared to data which is stored not just in India but also offshore.
Alternate Oversight Mechanisms: If the RBI’s move is motivated by its concern to prevent unethical data analytics, the ability to send any data relating to the foreign leg of a transaction offshore presents a large loophole. Without a clear definition, this allows for convenient interpretations of what constitutes data pertaining to the ‘foreign leg of a transaction’. With advancements in artificial intelligence and machine learning, in particular, the analysis developed from segments of data, and the data discerned from such segments, even if redacted or anonymized, can often be greater than the data disclosed. Therefore, the storage and analysis of fragmented data relating to cross-border transactions may allow for inferences to be drawn, even regarding the Indian leg of such transactions. This discrimination between data relating to the Indian leg of a transaction and the foreign leg of a transaction does little to prevent the analytics of Indian user data. What may provide greater oversight for the RBI would be to regulate the retention, disclosure and permissible end uses of payment data rather than restricting the location of storage of such data.
Given that the RBI can summon data from any payment system operator, irrespective of the location where such data is stored, it would be difficult to rationalize the restriction on storage of data in India as a measure to improve regulatory oversight. Admittedly, storing a copy of such data in India may allow faster access to such data, but a greater degree of oversight, albeit requiring regulatory supervision, could equally, and perhaps more efficiently, be exercised by prescribing inspections, reporting obligations (to specify the security measures and end use of such data), and third-party audits to prevent the perverse utilization of customer data. Lastly, as the prohibition on storing a copy of such data offshore does not consider disclosure requirements or reciprocal obligations with offshore regulators, it could make foreign payment companies wary of the Indian regulatory landscape. Additionally, compelling companies facilitating cross-border transactions to store an incomplete half of a transaction entry without being able to present complete transaction records may create challenges when dealing with foreign regulators.
Unintended Ramifications: Fintech and digital payment companies making a foray into India have thus far been able to defray the high costs of development and deployment through the ability to analyse customer data to understand demography-specific consumer preferences and spending patterns. The marketability of big data is largely dependent on the ability to store, process and sell such data to companies assessing consumer preferences and market trends in India. Consequently, by eliminating the ability to share payment system related data with offshore markets, digital payment companies are deprived of an important market for big data analytics. This measure would likely have the effect of asphyxiating the revenue stream generated from data analytics for the digital payments industry.
Stringent data localisation requirements imposed by the RBI would, therefore, slow the aggressive expansion of digital payments companies in India, as it would force companies to either transmit the costs to the end users or forfeit a revenue stream which eats into both their bottom line and their motivation to expand their user base.
Privacy Concerns & Commercial Exigencies: To balance data privacy and security with commercial interests, RBI may consider permitting the cross-border dissemination of customer data which has been anonymized or de-identified, a concept which has not been considered in the present framework. This would serve both purposes, by allowing digital payment companies to offer their products without giving up on a revenue stream through data analytics and not requiring them to transmit the costs to their customers. At the same time, if the customer data is anonymised, it does not impinge upon the privacy of its customers, thereby balancing privacy with the ability to derive demographically meaningful trends, and spending patterns that are discernible from user data.
It is necessary that the RBI acknowledges that the meteoric rise in the value of customer data is one of the primary economic incentives for payment and fintech companies to dredge for new users where traditional banking and financial channels would not have ventured. It may, therefore, be time that the RBI considers revisiting its decision to force payment data localisation, and contemplates implementing an enforceable framework that places end-use restrictions on the use of customer data to limit its unethical utilization. If the RBI truly wants to promote financial inclusion through digital payment systems, the RBI should consider taking a closer look at the rationale behind requiring customer data to be stored within India.
Akash Karmakar is a partner with the Law Offices of Panag & Babu and leads the firm’s fintech and regulatory advisory practice. Akash has advised several technology, telecom, and fintech companies to navigate regulatory challenges stemming from the intersection of law and technology. Through the course of his career, he has also assisted several multinational companies structure their entry into India, evaluate and address regulatory risks, and ensure compliance with Indian privacy laws.