Selecting Observability and Security Solutions in Compliance with RBI: Fintech Challenges
Fintech, an abbreviation for financial technology, encompasses many firms and technologies that employ innovation and tech to enhance and automate financial services and operations.
Their goal is to enhance the efficiency, accessibility, and user-friendliness of financial services. Fintech entities span numerous sectors within the financial industry, such as online payments, lending, digital banking, investing, insurance, and more, all aimed at streamlining financial processes. Notable examples include PayPal, Robinhood, and Coinbase.
In 2022, Indian fintech companies secured the second-highest amount of funding among all startup sectors, with a total of USD 5.65 billion raised. Notably, the number of distinct institutional investors in the Indian fintech sector nearly doubled from 535 in 2021 to 1,019 in 2022.
Fintech services have become integral to modern financial management, with people utilizing them for various purposes, including digital payments, online banking, investments, lending, insurance, cryptocurrency, budgeting, remittances, credit scoring, small business solutions, financial planning, and regulatory compliance. These services offer convenience and accessibility in managing money and investments.
Fintech firms process extensive data in their daily financial operations, necessitating robust security measures for data storage. To guarantee the security of the personal data of customers, seamless digital transactions, minimal downtime and minimal network latency, fintech companies should employ efficient Application Performance Monitoring (APM) tools to oversee their financial applications. These applications are vital for comprehensive financial transactions and require diligent monitoring.
Fintech companies in India have access to various Application Performance Monitoring (APM) tools for monitoring and optimizing their applications. Some popular options include New Relic, Dynatrace, AppDynamics, Datadog, Splunk, SolarWinds, Raygun, Instana, Stackify Retrace, and ManageEngine Applications Manager. These tools help ensure the smooth and secure operation of fintech applications.
However, fintech firms in India may find it more complex to pick APM tools due to the regulatory framework established by the Reserve Bank of India (RBI). These regulations emphasize stringent data security and privacy standards, impacting the selection of APM solutions to guarantee compliance.
- What do the RBI's Guidelines Encompass?
- Impact of RBI Guidelines on APM Tool Selection for Fintech
- Selecting APM Tools for Indian Fintech: Complying with RBI Guidelines
- Anticipating the Digital Personal Data Protection Bill in 2023
What do the RBI's Guidelines Encompass?
On April 6, 2018, the Reserve Bank of India issued a directive regarding the "Storage of Payment System Data" for fintech companies, to ensure the protection of personal data belonging to Indian citizens. This directive includes provisions related to data localization and other essential requirements.
Data localization means storing data within the country where it's generated, ensuring sensitive consumer data remains within national borders. This contrasts with the previous practice of storing data on foreign cloud servers.
RBI guidelines require all payment system operators to store payment data in India, emphasizing the necessity of having unrestricted access to payment data for supervisory reasons. Furthermore, they mandate that payment system operators provide a System Audit Report conducted by an auditor approved by CERT-IN.
The circular pertains to the following groups:
- Payment system providers authorized or approved by RBI for establishing and operating payment systems in India.
- All banks that operate within India.
- Various entities, such as system participants, service providers, intermediaries, payment gateways, third-party vendors, and others, regardless of the terminology used to describe them in the payment ecosystem.
As per the circular, the following data must be retained within India:
- Comprehensive transaction details from start to finish.
- Information associated with payment or settlement transactions is collected, transmitted, or processed as part of the payment message or instruction. This may encompass:
- Customer Data (such as name, mobile number, email, Aadhar number, PAN number, etc., as applicable).
- Sensitive payment information (including customer and beneficiary account details).
- Payment credentials (such as OTPs, PINs, passwords, etc.).
- Transaction data (comprising originating and destination system details, transaction reference, timestamp, amount, etc.).
PSOs must provide the RBI with a System Audit Report, conducted by CERT-IN-approved auditors, to confirm compliance with security and data localisation practices for payment-related data.
The audit report should contain:
- A roster of data-sharing service providers and third parties, along with their data localization reports.
- Information about the systems used for data storage, whether databases, file servers, electronic media, or logs.
- Specifics regarding the data collected from each channel or source.
- A confirmation or agreement from service providers regarding the storage of data within India.
It is essential to ensure that any third-party tools or services used align with RBI guidelines. As advised by the Security Brigade, the audit should encompass critical criteria, including payment data, data flow, application structure, network design, data storage, transaction processing, post-payment activities, cross-border transactions, database maintenance, backup procedures, data security, and access management.
American Express and Diners Club: A real-time example of the RBI's "Storage of Payment System Data" guidelines
Impact of RBI Guidelines on APM Tool Selection for Fintech
Due to RBI's data localization directive, fintech firms cannot engage in cross-border data transfers. They are compelled to select APM tool providers with data centres in India to ensure customer data remains securely within the national borders.
A multitude of APM tools is experiencing rapid growth in parallel with the fintech sector in India. However, a significant challenge arises from the fact that many APM tool providers operate their data centres outside India.
This complicates the process for fintech companies to adhere to RBI guidelines, as only a limited number of APM companies maintain data centres within India's borders.
Several monitoring tools such as Atatus, Datadog, and New Relic operate their data centres outside of India, while others like ManageEngine and SigNoz have their data centres located within India.
Another significant challenge for fintech firms when selecting APM tools is the limited availability of providers with data centres in India. This scarcity drives up demand and consequently raises the costs of APM tools, necessitating increased spending by fintech companies.
Many Indian banks and PPI (Prepaid Payment Instruments) providers are already in alignment with the guidelines outlined in this circular. However, entities like foreign banks, international card networks, modern FinTech companies employing cloud services hosted abroad, and payment intermediaries involved in processing and authentication need to promptly take steps to ensure compliance.
While this mandate is advantageous for Indian data centre providers, it could potentially serve as an obstacle for prospective entrants seeking to join the Indian payments ecosystem in the future.
The following challenges are also faced by fintech companies:
- High capital requirements
- Limited time for compliance
- Data storage exclusively within India
- Separation of India-specific data
- Clarity concerning the types of data under regulation
Selecting APM Tools for Indian Fintech: Complying with RBI Guidelines
Fintech companies can take several actions to navigate challenges related to regulatory compliance and data localization requirements:
- Data Localization: Consider investing in or partnering with data centre providers in India to establish compliant data storage facilities within the country.
- Technology Utilization: Explore technology solutions, such as secure cloud services or data encryption, that can assist in meeting data localization requirements while upholding data security.
- Collaboration with Compliant Service Providers: Collaborate with third-party service providers, including APM (Application Performance Monitoring) tool providers, offering compliant data storage and processing services within India.
- Establishing an Independent Data Centre: This involves setting up IT components like servers and networking, as well as non-IT components such as cabling, cooling, and security. While owning a data centre provides control, establishing a new one is costly and time-consuming, involving tasks like location selection, vendor engagement, resource allocation, disaster recovery planning, certifications, and security audits. For large organizations, this process can take 12 to 18 months and become a major project.
- Utilizing a Multi-Tenant Hosting Environment: Opting for co-location in a managed data centre offers advantages like flexibility, scalability, cost allocation over an extended period, high availability, and efficiency. If there is a strategic long-term advantage and a willingness to invest, the acquisition of an established hosted data centre business could be an option for achieving rapid results and ensuring compliance.
- Cloud Hosting: Utilizing private cloud hosting with isolated resources presents a fast, secure, and adaptable solution. However, it is contingent on the physical servers' network being locally hosted, as specified in the circular. This approach can also be cost-efficient for organizations experiencing periodic spikes in demand utilization.
When looking at alternatives to building or expanding a data centre, it's crucial to consider factors like business needs, costs, growth expectations, data security, and staffing. One viable option could be a phased migration to on-site systems, initially for primary operations and subsequently for disaster recovery, enhancing compliance with timelines.
Anticipating the Digital Personal Data Protection Bill in 2023
The Digital Personal Data Protection (DPDP) bill covers personal data that could potentially identify an individual, including factors such as physical health, sexual orientation, medical history, biometric data, financial information, and other data considered private. It received approval in both legislative houses in early August 2023.
Let's examine how this bill can benefit fintech firms.
The legislation includes the following aspects:
- The bill regulates the management of digital personal data in India, covering information from online and offline sources, including data processing like collection, storage, usage, and sharing. It also applies to personal data processed outside India if related to goods or services in the country.
- Data processing necessitates explicit consent from individuals, given after clear notification of data collection and processing purposes, with the option to withdraw consent anytime.
- Entities handling data must verify its correctness, adopt security protocols to prevent breaches, promptly notify authorities in case of breaches, and ensure data deletion once its intended purpose is fulfilled.
- The legislation permits the transfer of personal data beyond India, subject to limitations on specific countries as designated by the government.
- The legislation carries substantial consequences for a range of industries, including fintech firms. There's speculation that fintech and cryptocurrency businesses might fall under the category of data fiduciaries.
- The bill's focus on securing explicit consent, transparent data processing, and protecting personal data is in harmony with the fundamental values of fintech companies.
- Fintech companies are entrusted with safeguarding financial data. The bill's mandatory data breach reporting to the Data Protection Board of India is crucial for fintech. It may prompt improved data security, including stronger encryption and access controls. Board oversight could drive increased cybersecurity investment to reduce breach risks.
- Numerous fintech companies operate on a global scale, often requiring the transfer of data across borders. While the bill permits such transfers, it places limitations on specific countries. Fintech enterprises engaged in international activities will need to vigilantly track the restricted countries and align their data transfer procedures with the bill's requirements. This may involve evaluating data protection regulations in target nations and implementing the essential protective measures.
The 2023 Digital Personal Data Protection Bill can reshape India's fintech landscape. It introduces strong data protection measures, but compliance and adapting to new consent strategies are challenges. Fintech firms that navigate these changes can enhance trust, cybersecurity, and alignment with India's data protection framework.
For more information, just tap the link.
Conclusion
Indian fintech firms have the option to employ APM tools from global providers, yet they must meticulously align with data protection laws, cross-border data transfer guidelines, and the RBI and DPAI's particular stipulations. Maintaining transparency, obtaining customer consent, and staying abreast of changing legal obligations are paramount.
In the process of choosing a data centre solution, fintech companies should evaluate elements such as security, adherence to data protection regulations, scalability, and cost-efficiency. Equally crucial is the assessment of whether the selected data centre aligns with the fintech business's particular needs and is in harmony with their expansion and operational plans.
India has several data centre providers offering a range of services. Companies can explore partnerships with established providers, such as NxtGen, Netmagic, and Sify Technologies.
India's data centre sector is experiencing significant growth, serving critical roles in national security, internet infrastructure, and economic productivity. As of 2022, the country's data centre capacity stands at 637 MW, with projections to reach 1318 MW by 2024. The industry's value in 2021 reached $1.2 billion, marking a remarkable 216% increase from $385 million in 2014. As of March 2022, India is home to 138 data centres, earning it the 13th position globally in terms of the highest number of data centres.
Monitor Your Entire Application with Atatus
Atatus is a Full Stack Observability Platform that lets you review problems as if they happened in your application. Instead of guessing why errors happen or asking users for screenshots and log dumps, Atatus lets you replay the session to quickly understand what went wrong.
We offer Application Performance Monitoring, Real User Monitoring, Server Monitoring, Logs Monitoring, Synthetic Monitoring, Uptime Monitoring and API Analytics. It works perfectly with any application, regardless of framework, and has plugins.
Atatus can be beneficial to your business, which provides a comprehensive view of your application, including how it works, where performance bottlenecks exist, which users are most impacted, and which errors break your code for your frontend, backend, and infrastructure.
If you are not yet a Atatus customer, you can sign up for a 14-day free trial .