Storage of Payment System Data – Compliance Framework Update 2024
Summary
The Reserve Bank of India has issued an updated compliance framework for the storage of payment system data within India, reinforcing the data localization mandate originally issued in April 2018. This circular addresses gaps identified during supervisory assessments and introduces a structured audit framework to ensure that all payment system operators, intermediaries, and their service providers maintain complete end-to-end transaction data exclusively within systems located in India.
The updated framework clarifies that data localization requirements apply to the entire payment processing chain, including data generated, collected, or processed during payment transactions. The circular explicitly states that even temporary or transient storage of payment data outside India during transaction processing is not permitted, closing a loophole that some operators had previously exploited.
The compliance framework introduces a three-tier audit mechanism. Payment system operators must conduct quarterly self-assessments, submit annual compliance certificates signed by their board of directors, and undergo biennial on-site audits by RBI-empanelled auditors. The circular provides a detailed checklist covering data storage architecture, access controls, data flow mapping, and incident response procedures.
Non-compliant entities face graduated enforcement actions ranging from warning letters for minor deviations to suspension of authorization for persistent or willful non-compliance. The circular establishes a 180-day remediation window for entities found non-compliant during audits. Payment system operators must also report any data breach involving cross-border data exposure within 6 hours of detection.
Key Highlights
- Complete end-to-end payment transaction data must be stored exclusively within India
- Temporary or transient storage of payment data outside India explicitly prohibited
- Three-tier audit mechanism: quarterly self-assessment, annual board certification, biennial on-site audit
- 180-day remediation window for non-compliant entities before escalated enforcement
- Mandatory 6-hour reporting for data breaches involving cross-border data exposure
- Graduated enforcement from warning letters to suspension of authorization
Impact on Fintech Companies
This circular has substantial implications for fintech companies, particularly those using global cloud infrastructure or partnering with international payment processors. Companies that previously relied on cloud regions outside India for redundancy or disaster recovery must now ensure all payment data processing and storage occurs within Indian data centers.
For payment aggregators and gateway providers, the prohibition on transient cross-border data storage requires careful review of their transaction routing architecture. Many payment processors route transactions through global networks for fraud detection or currency conversion, and these flows must now be redesigned to ensure no payment data leaves Indian borders at any point during processing.
The audit requirements create ongoing compliance costs for fintech companies. Quarterly self-assessments require dedicated compliance teams, while biennial on-site audits by empanelled auditors represent a significant expense, particularly for smaller fintech startups. However, companies that proactively achieve and maintain compliance will have a competitive advantage when partnering with banks and larger financial institutions.