New Delhi/Mumbai: The Reserve Bank of India (RBI) has pulled up several multinational banks operating in the country for not providing a board-approved system audit report certifying compliance with its data-localisation norms.
In a recent communication, the RBI said that a majority of banks are yet to submit system audit reports certifying compliance with data storage norms, even three years after the issuance of the circular. It also said that many foreign banks have claimed that the audit norms did not apply to them, and that this was not acceptable. The central bank had asked banks to submit their compliance along with a plan of action on or before May 15, 2021.
Sources said that recently, the banking regulator had a discussion with some of the foreign banks where it made its displeasure known. According to sources, several foreign banks have been unable to issue an audit report stating that all personal and non-personal transaction data which has been sent overseas for processing has been permanently deleted. Last month, the central bank barred American Express Bank and Diners Club from on-boarding new customers citing violation of data storage norms.
The issue relating to data localisation is similar to the one that Google and WhatsApp had faced. What makes it challenging for banks is the RBI’s “on soil” data storage norms. These have a condition that payments data have to be stored “only” in India and no copy should exist outside the country. Many banks had responded to the RBI’s directive and said that much of their processing was centralised and it was not feasible to restructure global operations and create a separate hub in India. The RBI then clarified that while data can be stored only locally, it can be sent intraday for processing but should be deleted from offshore servers within 24 hours.
Banks are required to provide a system audit report certifying compliance with the RBI rules. The audit has to be conducted by auditors empanelled by the Indian Computer Emergency Response Team (CERT-In, in the ministry of electronics and information technology). The auditors study the IT infrastructure of the organisation and identify all the storage locations. The auditors also have to ascertain that data is being deleted from offshore servers.