POV: THE ‘STORE IN INDIA’ PROBLEM
Did you make a card transaction today? If that card has a Visa, Mastercard or American Express logo, the companies behind those logos now fall afoul of a new law. That’s because a six-month deadline, given through a Reserve Bank of India (RBI) circular issued abruptly last April to force all payment companies to store all financial data of Indian citizens only in India, expired on October 15.
There’s irony in the huge amount of American financial data that is processed in India. Of our tech services exports in 2017-18, 62 per cent was to the US and 41 per cent of the total was in the financial services area. (Nasscom calls all this IT-BPM—information technology and business process management.)
Reciprocal US action could disrupt our IT-BPM exports, worth $126 billion and counting. On October 12, two US senators, who co-chair the India caucus, wrote to Narendra Modi warning that data localisation would have a “negative impact on the ability of companies to do business in India”. The Trump administration is also considering prohibitions on data localisation.
India’s banking regulator and law enforcement agencies want access to financial data. But wait. This is the internet age. Access to data is dependent on jurisdiction, agreements, legal process. Not on ‘where a box is stored’. The bigger irony is that your card data is likely already stored in India, by card issuers such as the SBI, ICICI or HDFC, which locally store your name, address, KYC (identity) proof, and transactions. Visa and Mastercard do not even get your name and address. (This doesn’t apply to AmEx.)
Let’s come to data localisation. Why is American financial data processed offshore in India? Expertise, and cost, where India scores, especially when thousands of people are needed—such as for helplines for bank accounts or credit cards.
Why is your card data processed outside India? Well, when you swipe a card, and get an approval, there’s an enormous global platform behind that one-second approval, checking for fraud, for instance.
“Move that global platform to India,” says the RBI. Not so simple. Entire platforms, including third-party processors, can’t simply set up in India in months. Stolen card data, hacks and breaches—all this is shared globally. Cut India off and card transactions become less, not more, secure.
The platforms use machine learning. An odd transaction in Prague is found to be fraud, and the global platform learns. A similar transaction in Gurugram the next day will be blocked (a higher fraud score will cause the transaction to be declined). This needs access to the global platform and data sets.
Back to that unusual RBI April 2018 circular, issued without external consultation. It should have gone through the Payments Regulatory Board, announced by the finance minister as part of his Union budget speech on February 1, 2017. But oddly, the RBI didn’t constitute that board. The banking regulator did listen to and read submissions from trade bodies and dozens of companies. Many in the ministry of finance, and even Finance Minister Arun Jaitley, met and listened to the industry. It appeared that the RBI would at least relax the deadline and allow mirroring of data, agreeing to a copy of data being stored in India.
And so the RBI’s extreme, hardened stance in the fifth month of the six-month period is rare. It happened after the entry into its board of a right-wing, anti-globalisation ideologue who has influenced Modi’s key economic policies, including demonetisation: S. Gurumurthy of the Swadeshi Jagran Manch. A coincidence, I am sure, and nothing to do with 2019.
In a round table last week, when I mentioned the criticality of global free flow of data, a top government official asked me why India should bear the disproportionate burden of that free flow and why not China or Europe. Good question. But of the world’s total IT-BPM global sourcing revenues, a whopping 55 per cent comes to India. So, yes, India has a disproportionate interest in maintaining the free cross-border flow of data, and preventing the balkanisation of the global internet.
Enforced ‘data localisation’ could hurt India’s $126 billion services exports and make transactions less secure