FOREIGN BROKERS MAY SOON HAVE TO STORE DATA LOCALLY
Sebi likely to issue norms, fears a country can block access in case of data war
The Securities and Exchange Board of India (Sebi) may soon come up with guidelines that mandate foreign entities to store data pertaining to India locally.
Several foreign brokerages and custodians typically store data digitally in regional centres such as Hong Kong and Singapore.
The regulator is concerned that access to such data could be blocked by another country in the event of a data war. It wants all such data to be stored on servers in India or a real-time backup to be created, enabling access from within the country.
“Foreign brokerages access servers in Singapore and Hong Kong for their daily transactions. Now, what happens if a country like China cuts off access to that server in Hong Kong? It may seem like an extreme situation but we can potentially become a data colony of some other country,” said a senior industry official, on condition of anonymity.
Financial institutions such as Citi, JP Morgan, HSBC and Deutsche Bank operate brokerages and custodian services in India.
The regulator is expected to take a call on the matter soon based on the recommendations of a panel led by Ashok Jhunjhunwala, a professor at Indian Institute of Technology (IIT) Madras. The guidelines will apply to all Sebi-regulated entities.
Here’s an example of how data ends up overseas. Let’s assume a buy order for shares is placed with a foreign broker. The broker puts the order on the domestic exchange. After the transaction goes through, the broker issues an electronic contract note. While the copy of that transaction is on the exchange platform, the entry into the system at the broker’s end is stored on a server that is not in India.
Sebi’s concern assumes significance in the light of the Reserve Bank of India’s diktat in April last year asking global payment companies to store transaction data of Indian customers within the country. The RBI’s stance on data localisation is a result of the rapid growth in digital payments and the increasing instances of fraud and data theft, according to experts.
Data localisation is a concept that dictates that the data of a country’s residents should be physically present within the borders of the country where data was generated.
“The government is concerned that foreign regulators can access data, especially that pertaining to the financial services sector. There is also a misplaced view that law enforcement authorities in India will have better access to data if the data resides in India," said Shahana Chatterji,
partner, Shardul Amarchand Mangaldas.
“The regulator’s concern is justified if data is stored at certain specific locations within Asia. But if it is kept with global providers such as Dropbox or Microsoft, then we are at same risk as any other country,” added Viraj Kulkarni, founder & CEO, Pivot Management Consulting.
The RBI’s April directive states that data would be stored only in India, meaning payment companies cannot store copies of Indian consumer-related data outside the country. This eliminates the scope for data mirroring, a practice which allows companies to store copies of a particular database at multiple locations.
Sebi, on the other hand, is of the view that if exclusive data servers cannot be set up in India, the foreign entities should ensure that there is a real-time data backup set up here.
Both these arrangements could be challenging and significantly jack up costs for the foreign players. “The RBI wants data pertaining to transactions in India to be kept in India. This involves a huge investment in terms of infrastructure, technicians, maintenance and space. Sebi is saying that if you can’t set up a server in India, create a real-time
backup of the data, a task almost as challenging,” said the first person quoted above.
Digital data in India stood at about 40,000 petabytes (1 petabyte is 1,000 terabytes or 1 million gigabytes) in 2010 and is projected to climb to 2.3 million petabytes by 2020, twice as fast as the worldwide rate, according to a blog posted by Cushman & Wakefield. In its Budget last year, the government emphasised the importance of creating a cloud warehouse that will safely store digital data in India.
Globally, there have been an increasing number of cases of identity theft, and regulators and governments are doing their bit to protect personal data. Europe, for instance, has introduced the General Data Protection Regulation (GDPR), which deals with privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The GDPR aims to give control to citizens and residents over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU. It also addresses the export of personal data outside the EU and the EEA.