The Reserve Bank of India has said in a recent communication that many banks are yet to submit system audit reports certifying compliance to data storage rules, even though it issued the circular three years ago. The RBI has reportedly pulled up multiple banks for failing to comply with the data storage rules. Last month, the Central Bank stopped American Express and Diners Club from onboarding new members, citing violation of the rules.
Issue with Foreign Banks
The Central Bank had urged banks to declare their compliance along with a plan of action on or before May 15, 2021. However, many banks claimed that the auditing standards did not apply to them.
Several international banks failed to provide an audit report certifying that all personal and non-personal transaction-related data transmitted outside India for processing had been permanently erased. They responded to the RBI's demand by saying that most of their processing was centralised, so reorganising worldwide operations and establishing a separate processing hub in India was not viable.
However, the RBI's position is that while payment data must be stored only in India, it may be sent abroad intraday for processing but must be deleted from offshore systems within 24 hours.
Banks must submit a system audit report attesting to their compliance with the RBI's requirements. The audit must be carried out by an auditor empanelled by the Indian Computer Emergency Response Team (CERT-In).
Data Localisation Norms
Payment data must be held "only in India". Any data processed outside the country must be brought back within 24 hours, according to RBI regulations. Payment System Operators (PSOs) may process transactions outside India only temporarily; "the data shall be removed from the systems abroad and transferred back to India not later than one business day or 24 hours from payment processing, whichever comes first." The RBI has stated that "the whole end-to-end transaction information should be part of the data."
As per the RBI's April 6, 2018 circular on 'Storage of Payments Systems Data', all payment system providers were initially required to ensure, within six months, that all data relating to their daily operations was stored in a system located only in India. Banks are also expected to notify the RBI of their compliance and to submit a Board-approved System Audit Report (SAR), prepared by a CERT-In empanelled auditor, within the deadlines set out in the guidelines.
Banks that fail to comply may face action under Section 17 of the Payment and Settlement Systems Act, 2007.