The Chairman and Managing
Director / Chief Executive Officers,
Authorised Payment Systems /
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks /Payment Banks / Small Finance Banks
and Local Area Banks
Madam / Sir,
Storage of Payment System Data
Please refer to paragraph 4 of
the Statement on Development and Regulatory Policies of the First
Bi-monthly Monetary Policy Statement for 2018-19 dated April 5, 2018. In
recent times, there has been considerable growth in the payment ecosystem
in the country. Such systems are also highly technology dependent, which
necessitate adoption of safety and security measures, which are best in
class, on a continuous basis.
2. It is observed that not all
system providers store the payments data in India. In order to ensure better
monitoring, it is important to have unfettered supervisory access to data
stored with these system providers as also with their service providers /
intermediaries/ third party vendors and other entities in the payment
ecosystem. It has, therefore, been decided that:
system providers shall ensure that the entire data relating to payment
systems operated by them are stored in a system only in India. This data
should include the full end-to-end transaction details / information
collected / carried / processed as part of the message / payment
instruction. For the foreign leg of the transaction, if any, the data can
also be stored in the foreign country, if required.
providers shall ensure compliance of (i) above within a period of six
months and report compliance of the same to the Reserve Bank latest by
October 15, 2018.
providers shall submit the System Audit Report (SAR) on completion of the
requirement at (i) above. The audit should be conducted by CERT-IN
empaneled auditors certifying completion of activity at (i) above. The SAR
duly approved by the Board of the system providers should be submitted to
the Reserve Bank not later than December 31, 2018.
3. The directive is issued under
Section 10(2) read with Section 18 of Payment and Settlement Systems Act
2007, (Act 51 of 2007).
(Nanda S. Dave)
Chief General Manager-in-charge