The RBI Data Localization Audit is an essential service that ensures compliance with the Reserve Bank of India's (RBI) stringent data localization guidelines. In April 2018, RBI issued a notification mandating that all payment system operators (PSOs) store their data locally in India. This step was aimed at enhancing the security, privacy, and sovereignty of critical data generated by payment systems operating in the country. Our service provides a comprehensive audit to help organizations adhere to these guidelines and achieve full compliance, ensuring smooth operations and regulatory satisfaction.
RBI Guidelines Overview
The Reserve Bank of India issued a directive vide circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 06, 2018 on ‘Storage of Payment System Data’ advising all system providers to ensure that, within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India.
RBI Circular
The Reserve Bank of India’s notification, dated April 6, 2018, outlined several key requirements for payment system operators and associated entities. According to the RBI mandate:
- Data Storage Requirements
  - All payment data (including transaction details, customer data, payment credentials, etc.) related to payments made in India must be stored within the country.
  - Payment system operators must ensure that the full end-to-end transaction data is stored only in systems located in India.
- Access and Reporting
  - While the data must be stored locally, it is permissible to allow cross-border access to foreign entities for processing purposes, but only on a need-to-know basis and with prior approval from RBI.
  - Payment system operators must ensure regular reporting to the RBI, including audit trail reports and system updates.
- Audit Requirements
  - Organizations must conduct a System Audit Report (SAR) by an external CERT-In empanelled auditor, focusing on adherence to the data localization requirements.
  - The SAR must be submitted annually to the RBI to ensure continuous compliance.
  - Any breach or non-compliance with the localization requirement could lead to penalties and regulatory actions from the RBI.
Key requirements for SAR
Based on the RBI & NPCI Cyber Security Guidelines, the following key criteria need to be covered as part of this audit.
- Payment Data Elements
- Transaction / Data Flow
- Network Diagram / Architecture
- Data Storage
- Transaction Processing
- Activities subsequent to Payment Processing
- Cross Border Transactions
- Database Storage and Maintenance
- Data Backup & Restoration
- Data Security
- Access Management
OUR SERVICE
Our RBI Data Localization Audit service focuses on helping organizations meet these regulatory standards through a structured, efficient, and thorough audit process.
Key Features of Our Service:
- Comprehensive Audit
  - We perform an in-depth audit of your organization’s data storage, processing, and transmission mechanisms to ensure compliance with RBI’s localization requirements.
  - Our team of experienced auditors reviews end-to-end data flow, ensuring that all customer data, transaction records, and other relevant information are stored locally as per the guidelines.
- Gap Analysis and Risk Assessment
  - We identify potential areas of non-compliance and security gaps in your data storage systems.
  - Our auditors evaluate the risks associated with the existing data management practices and provide actionable insights on mitigating risks and closing any gaps.
- Internal Controls Review
  - We assess the adequacy of internal controls and security protocols related to data access and management.
  - This includes reviewing encryption protocols, access controls, and user privileges to ensure compliance with data security best practices.
- Regulatory Compliance Documentation
  - Our service ensures that all necessary compliance documentation, including the System Audit Report (SAR), is prepared and submitted to RBI as per the stipulated timelines.
  - We assist in filing reports, audit trails, and other necessary documentation, ensuring seamless interaction with regulators.
- Recommendations and Remediation Support
  - After identifying gaps or vulnerabilities, we provide detailed recommendations on how to enhance your systems to meet RBI compliance standards.
  - Our team can assist in implementing necessary changes and ensure continuous monitoring for future compliance.
- Follow-up Audits
  - In cases where corrective actions are needed, we conduct follow-up audits to ensure that all recommended measures are properly implemented.
  - We also help prepare your organization for future audits and compliance checks by the RBI.