On 6 April 2018, the Reserve Bank of India issued a directive requiring all payment system providers and third parties operating in the country to store all data related to their payment system operations exclusively in India. Shortly thereafter, a government-appointed committee recommended a data protection bill to Parliament that, if passed, would restrict the transnational flow of data in other sectors, too. In taking these steps, India will join more than two dozen countries, including China, Indonesia, Nigeria, Russia and Vietnam, in imposing data localization requirements that could unintentionally limit financial inclusion and pose cybersecurity risks to low-income consumers.
Here are three myths about data localization that are often cited as reasons for restricting transnational data flows, and why they don’t justify data localization.
Myth #1: Data are safer if kept in the country.
Policy makers who support data localization often express concerns about the safety of data stored abroad in the cloud. Yet data security is not a matter of physical location but of security processes. Financial services providers (FSPs) in many developing countries lack the advanced cybersecurity skills and technologies to fend off sophisticated attackers, and they cannot afford to invest in them.
International cloud and payment systems providers can support local FSPs with far more extensive security accreditations and certifications. Since security is part of cloud providers’ core business and value proposition, they can invest more money in security and keep up with ever-changing cyber threats better than small FSPs. Moreover, hackers behave similarly across the world. Leveraging access to a global database of fraud patterns and suspicious transactions can significantly improve fraud risk management and potentially support compliance with international anti-money laundering/combating the financing of terrorism (AML/CFT) rules.
Governments concerned about unauthorized access to sensitive data are better off requiring data security and encryption standards than mandating localization. For example, encryption can prevent any third party from accessing the data, including hackers, the cloud provider and the country where the data are located. Statistically, the biggest financial services security risks in terms of value are internal threats from employees, which are not mitigated by storing data locally. Outsourcing data storage allows FSPs to make necessary investments in the operational security efforts that do protect against insider threats, such as access and user right controls, data encryption and awareness building.
Myth #2: Supervisors can access data faster and more reliably if data are kept in the country.
Storing data abroad or in the cloud does not mean they will be less accessible to financial sector supervisors. Whether data are stored on a local server or abroad, accessibility depends on system uptime and internet connectivity. Data that are held locally can be more difficult to access if the local infrastructure cannot supply the seamless internet connectivity and large amounts of electricity required by most data centers. Multinational firms, on the other hand, build their data centers in locations that have a guaranteed power supply, strong internet connectivity and disaster recovery management systems.
Some countries, such as Indonesia, Nigeria and Vietnam, require a copy of financial data to be stored locally for supervisory inspection. This regulatory condition for allowing cross-border data storage still imposes additional data localization costs, putting a significant burden on local and international firms. By increasing the number of locations where data are stored and the number of times databases must be updated, these requirements also make errors more likely, create additional targets for hackers and can slow down processing times.
A better approach to making data access faster and more reliable for supervisors in developing countries is to require system uptime and processing standards. It is also important to consider regular onsite inspections and new supervisory tools and approaches for accessing data, such as direct data access through a virtual private network.
Myth #3: Keeping data in the country will protect domestic FSPs from international competition.
Data localization saddles international firms with the costs of building data centers in every developing country in which they operate, but such trade barriers do little to protect local economies. Instead, they increase the costs of doing business and delay local incumbents’ time to market. Since data centers are capital intensive rather than employee intensive, making international and local firms set up data centers will generally not produce significant local employment gains but will increase the firms’ capital expenses.
Beyond just failing to protect the local economy, data localization can hamper local FSPs’ ability to innovate and grow, as international firms provide technical support and services that are useful to them. For example, data analytics have allowed FSPs to customize and add value to their products. The international firms that provide these services often benefit from tapping into global data from social media networks, which FSPs cannot access as easily. By placing limitations on local companies’ ability to outsource support functions, data localization may force companies to work with more limited datasets and data analytics for product design. It may also limit their data processing power for offering a seamless user experience. Allowing FSPs to outsource support functions like cloud-based data analytics or storage can promote local innovation and drive prices down, creating better services for customers.
Data localization is effectively a trade barrier. It deters foreign direct investment and reduces local firms’ ability to export their services due to the added data storage costs that international competitors don’t have to bear. Studies suggest that, ultimately, data localization reduces economic productivity and GDP growth.
The reality of data localization
In the long term, data localization requirements can hurt local financial markets. They can make it harder for both international and local FSPs with cutting-edge technologies and innovative products to enter the market because they impose significant costs. This will inevitably have a negative impact on financial inclusion, as higher operational costs, higher risks and reduced competition will increase consumer prices and reduce the value that financial services bring to people’s lives.