Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
Asia-PacificJanuary 23 2023

Data residency laws frustrate Asian banks’ cross-border activity

As Asia looks towards greater levels of connectivity, banks are struggling to work out how to operate within ever more stringent data protection laws. Kimberley Long reports. 
Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
Data residency laws frustrate Asian banks’ cross-border activity Image: Getty Images

Restrictions on the movement of banking data have increased significantly in recent years. The Information Technology and Innovation Foundation reported that in 2017, 35 countries globally had implemented 67 data restrictions. That number has now increased to 62 countries with 144 data restrictions in place, with more countries planning their own initiatives. 

Split into three categories, data protection takes the forms of privacy, residency and sovereignty. While data privacy measures have been in place for some time, and banks have been able to build in processes for this, the emergence of stricter controls are impacting day-to-day operations. 

Venkat ES, head of Asia treasury product, global transaction services (GTS) at Bank of America, explains that data residency restricts cross-border access to some sensitive data, meaning data sets can only be handled locally. “Businesses must recruit local teams in each market, often working in silos, making regional management of data difficult and reducing possible economies of scale that could be achieved through centralising certain processes,” he says. 

Under data sovereignty rules, nations maintain legal control and authority over data within their jurisdiction. This includes the data flows and the processing of the information within their borders. These rules affect banks which have taken a multinational approach to managing their operations. 

“The recent trend of absolute data localisation is driven by data protectionism, such as a blanket requirement to have data stored within a jurisdiction. This means every process and application which leverages the cloud has to be rebuilt and replicated locally,” Mr ES adds. 

Frustrations 

In Asia, banks are frustrated by the data rules, which are stifling their ability to conduct seamless cross-border business. As Europe and North America embrace data sharing and open banking, Asia’s banks risk falling behind. 

Sriram Muthukrishnan, group head of product management GTS at DBS, says, “Today, 75% of countries globally have implemented some level of data localisation rules. The Asian market, for instance, is very fragmented in its approach to data localisation, with different locations adopting different approaches.” 

Today, 75% of countries globally have implemented some level of data localisation rules

Sriram Muthukrishnan

Chris Barford, financial services consulting partner at EY in Hong Kong, sympathises with the issues being encountered: “It’s getting more and more difficult for companies around Asia to enjoy the free movement of data as they used to.

“Open banking will be limited to a single jurisdiction unless regulators allow individual portability of data, with the appropriate consent,” Mr Barford adds. 

These data laws are being updated and expanded on a regular basis. Indonesia, for example, enacted its first umbrella legislation on personal data protection (PDP) in October 2022.

Cellia Cognard, senior international counsel at Hiswara Bunjamin & Tandjung and partner at Herbert Smith Freehills, explains: “This umbrella legislation is intended to apply to all sectors, including the financial services regulatory (FSR) sector — which includes banking unless an exemption applies. Implementing regulations are expected to be issued by Indonesian regulators in the FSR sector, and banks will need to navigate quite carefully between what the PDP law says and what the current banking regulations say before the issuance of the new implementing regulations come into play.

“Current banking regulations are more stringent when it comes to the protection of consumer data and information,” Ms Cognard adds. “Under the existing banking data localisation rule issued by the Indonesian Financial Services Authority (OJK), banks must have a data centre and a disaster recovery centre that are located onshore in Indonesia, unless otherwise approved by OJK.”

Businesses operating in China, meanwhile, cannot transfer customer and employee data out of the country, including some non-personally-identifiable data which are subject to industry-specific restrictions. Zhenyu Ruan, senior counsel at Baker McKenzie’s China joint operation partner, FenXun Partners, says: “[Banks] need to categorise the data they process and only transfer the data outside of China which can be justified with genuine business reasons. This also means that there will be an increased need to store and process data locally.” 

This is having a direct impact on how businesses are using data. “Companies are taking measures to limit or reduce the amount and types of data being transferred outside of China to avoid regulatory scrutiny and challenge,” Mr Ruan adds. 

Meanwhile, in India, the focus has been on the localisation of payment, card and personal data storage. Mr ES says the Reserve Bank of India has been an “aggressive enforcer of these restrictions, even imposing bans on card networks due to assessed non-compliance and, most recently, envisaging mandating local processing of domestic transactions”. 

These rules may be extended as the Indian government has been working on legislation for personal data protection with the Digital Personal Data Protection Bill of 2022. The markets regulator, the Securities and Exchange Board of India, has released a discussion paper that calls for all regulated entities to store and process data in India.

Some locations require the storage of critical or important data onshore, and additional notice if data is to be moved. Peggy Chow, a data and cyber security law specialist at Herbert Smith Freehills, says: “A Hong Kong-based financial institution should notify the Hong Kong bank regulator of the data outsourcing arrangement and submit the risk assessment form at least one month before the implementation date, as an arrangement involving the transfer of data and the use of the cloud is likely to be considered a material outsourcing arrangement.” 

Vietnam is drafting a Personal Data Protection Decree (PDPD) to restrict the flow of personal data cross-border, with the PDPD expected to be issued during the first quarter of 2023. This is in addition to existing localisation laws. 

Manh-Hung Tran, head of intellectual property and technology practice at Baker McKenzie in Vietnam, explains that data localisation requirements and the law on cyber security does not specifically restrict the flow of data out of Vietnam, as long as a copy is retained within the country. He says, “Companies that are subject to the data localisation requirement may need to have a backup or mirror system located in Vietnam, with regular synchronisation, in order to transfer the relevant users’ data outside of Vietnam.” 

Bank impact 

An increasing number of rules has the two-fold impact of reduced efficiency and increased costs — two areas that banks had been striving to improve in recent years. 

Mr Muthukrishnan says supply chains are one area that is being materially impacted. With more conscious attempts at greater supply chain visibility and sustainability, measurement and tracking are essential. Data localisation makes it more difficult to monitor cross-border flows. 

“Data localisation rules are forcing global companies to pivot from a single approach to data management to the different requirements of each market. Organisations that thrive on their globality must now think local. This has a direct impact on businesses that are able to serve their customers regardless of where they are located through new digital business models, such as software-as-a-service, and digitally native products, but are now constrained by the local regulations,” says Mr Muthukrishnan. 

He also cautions that activities including risk management, anti-money laundering, know your customer, market risk, credit risk, payments and financing trade flows cannot be done efficiently without the free flow of data. 

The perception of data being produced and managed in one country also goes against the realities of modern business, especially since the Covid-19 pandemic demonstrated how people can work from any location. 

Ken Chia, principal in intellectual property and technology practice, Baker McKenzie Wong & Leow in Singapore, says: “In particular, the new realities post-Covid make it more important to ensure that data can flow where it needs to, to support employees working from outside their home countries and enable increased virtual collaboration with partners.” 

Before sharing or transferring data, banks would need to have customer consent

Cellia Cognard

It also impacts the cross-border service industry, stifling trade flows which have emerged across fields ranging from legal, consulting, accounting and overseas call centres in countries such as India and the Philippines. “In Asia, from 2005 to 2019, global exports of digitally deliverable services grew at an average rate of 21%, versus the global average of 12%,” says Mr Muthukrishnan. “The localisation policies will have a significant impact on many Asian economies that have benefited significantly from a global digital economy.”

Data privacy laws can contradict other regulations in the financial services industry, such as resolution planning, also known as living wills, which requires knowledge of cross-border exposure to corporates and individuals. Co-operating with emerging players may also be stifled. 

“There remain challenges in relation to collaborating with other financial institutions or fintech companies, whether onshore or offshore, in how customer data and information are exchanged,” Ms Cognard says. “Before sharing or transferring data, banks would need to have customer consent and enter into a co-operation agreement with the relevant financial institution or fintech.” 

Mitigation plans

Despite the number of rules implemented, Mr Chia insists that they do not represent “an insurmountable obstacle”. 

While there are strict rules in place in some jurisdictions, some are making agreements to facilitate business. Singapore has established digital economy agreements to allow data sharing, agreeing separate partnerships with countries including New Zealand, South Korea and Australia. Mr Chia says agreements like these have been implemented to prevent the need for further data residency requirements in the future. 

“India has data residency requirements for payment data, but this will not be an impediment to the new cross-border payment corridor linking India’s UPI and Singapore’s PayNow national payment rails,” Mr Chia adds.

“Similarly in China, although there are requirements to submit a security assessment before companies can move certain data offshore, this is better than an absolute prohibition on data transfers which was previously feared. Companies have been submitting their applications to the Cybersecurity Administration of China since September 2022; there are a few more months until the window closes in March 2023, and hopefully the process will be smooth.” 

Solutions can be found, but they require further work. It is possible to create new technology infrastructure which complies with the data privacy laws in the country. Such options include cloning global technology and locate it in a jurisdiction, or deploying local technologies that have been specifically tailored for a jurisdiction. However, this option negates the benefits of consolidated technology. Another option is the use of automatic tokenisation or encryption of an individual’s information, so it is not visible outside the country; however, these systems are still in development and have limited testing at scale in Asia. 

The final option is the most drastic, which is for banks to exit markets or withdraw products, particularly those aimed at retail customers who tend to garner the highest levels of data privacy legislation. “Jurisdictions will have to decide whether the ambitions of data localisation are worth the potential risk of multinational exits,” Mr Barford adds. 

With the banks needing to find solutions, some have been working together to ensure their views are heard. “The banking associations have been working with the State Bank of Vietnam to voice their concerns on the negative impact that the data localisation and cross-border transfer restriction may have on the banking operations in Vietnam,” Mr Tran says. 

In circumstances where the flow of data is affecting business, banks have the duty of care to support their customers. “It is important to help clients navigate these processes,” says Mr ES. “Post implementation of a rule, clients need to be made aware of changes in processes and protocols, and be prepared to handle them.” 

Options for the long term include looking to establish an internationally recognised set of standards that allow for data to be shared within a controlled environment, with prior consent given by each jurisdiction. Other ideas include leveraging the existing Swift infrastructure, or using blockchain or distributed ledger technology, which could ensure the complete anonymity of participants, while providing binding conformations of transactions and data transfers. 

Banks also have to ensure they do not lose sight of the purpose of greater data residency regulation. Mr Barford says: “Protecting the privacy of individuals needs to be balanced against the wider societal good in having well-regulated banks that are able to move critical data across borders to manage their business and provide capital to the economy.”

Was this article helpful?

Thank you for your feedback!

Read more about:  Asia-Pacific , Regulations
Kimberley Long is the Asia editor at The Banker. She joined from Euromoney, where she spent four years as transaction services editor. She has a BA in English Language and Literature from the University of Liverpool, and an MA in Print Journalism from the University of Sheffield. Between degrees she spent a year teaching English in Japan as part of the JET Programme.
Read more articles from this author