RBI Compliance Audits
The Reserve Bank of India issued a directive vide circular DPSS.CO.OD.No 2785/06.08.005/2017-18 April 8, 2018, making it mandatory for all transaction data to be stored exclusively within India.
SAR Audit
A System Audit Report (SAR) is a document that organizations, particularly those involved in handling payment data, are required to submit to the Reserve Bank of India (RBI) in compliance with the data localization mandate. The SAR serves as an official record certifying that the organization has fulfilled the requirement of storing end-to-end transaction data within India.
Key Criteria For System Audit Report For Data Localization (SAR)
Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.
- Payment Data Elements
- Transaction / Data Flow
- Application Architecture
- Network Diagram / Architecture
- Data Storage
- Transaction Processing
- Activities subsequent to Payment Processing
- Cross Border Transactions
- Database Storage and Maintenance
- Data Backup & Restoration
- Data Security
Approach For System Audit Report For Data Localization (SAR)
Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach.
Phase 1 – Information Gathering & Documentation Review
A detailed questionnaire is shared with your teams, and documentation and evidence are collected on the architecture, implementation and controls in place. These documents are thoroughly reviewed by our experts to understand the implementation and flag any concerns.
Phase 2 – Assessment, Validation & In-Depth Control Review
In this phase, we thoroughly analyse the documentation and review the provided artifacts to ensure their validity. Additionally, we assess the technical controls against industry best practices and examine the data flow to identify any potential risks or gaps.
Phase 3 – Remediation & Re-Validation
A detailed report will be provided that highlights any areas of concern, risks, or violations. In addition, we will offer appropriate recommendations and work closely with you to facilitate re-validation, ensuring that all gaps are addressed and compliance is achieved.
Phase 4 – CERT-In Empanelled Certification
As a CERT-In empanelled auditor, we thoroughly document all activities, including relevant paperwork, evidence, findings, and recommendations. We issue a CERT-In certification for the System Audit Report (SAR), which focuses on data localization and storage of payment system data.
Why Do Organizations Need It?
- SAR data localisation shields citizens' financial and personal information in moments of geopolitical crisis
- Shielding against money-laundering threats
- Holistic implementation of regulations to secure payment gateways
- Enhance IT Governance for payment service providers
Advantages
- Secures citizens' data and provides data privacy and data sovereignty from foreign surveillance
- Unfettered supervisory access to data will help Indian law enforcement ensure better monitoring
- Minimises conflict of jurisdiction due to cross-border data sharing and delay in justice delivery in case of data breach
- It will give local governments and regulators the jurisdiction to call for the data when required
RBI Advisory IS Audit
The Reserve Bank of India (RBI) Advisory on Information Systems (IS) Audit outlines key guidelines and best practices for regulated entities (REs), such as banks and financial institutions, to ensure the security and integrity of their information systems.
Key Focus Areas
Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.
- IT Governance: Governance structures and processes in place to manage IT resources effectively
- Cybersecurity Controls: Security protocols to prevent unauthorized access and ensure the integrity of data
- Change Management: Validating business-justified changes and ensuring they are documented and approved
- Data Privacy and Confidentiality: Ensuring the protection of customer data and sensitive information
- Business Continuity and Disaster Recovery: Processes in place to ensure resilience and recovery in the event of an incident
The RBI Advisory IS Audit report for PPI issuers, per Advisory No. 1/2024 dated January 17, 2024, places a specific focus on change management frameworks and vendor oversight, to ensure the robustness of REs' systems, particularly where vendors manage critical applications or handle sensitive data.
v-KYC
Video Know Your Customer (vKYC) Audit is a security review process that assesses the digital KYC procedures of an organization. vKYC allows financial institutions to verify a customer's identity remotely via video, enabling seamless onboarding in an increasingly digital world.
The vKYC audit ensures that the organization adheres to regulatory standards and that their processes for remote customer verification are secure, accurate, and reliable.
Objectives
The vKYC audit focuses on:
- Regulatory Compliance: Ensuring compliance with local and international regulations, such as Anti-Money Laundering (AML) laws, Data Privacy Acts, and specific financial guidelines
- Data Security: Assess the security protocols in place to protect customer data during the vKYC process
- Fraud Prevention: Verifying that the technology and procedures used in vKYC help to detect and prevent fraudulent activities
Key Focus Areas
- Technology Infrastructure: Evaluating the tools and platforms used for video verification to ensure they are secure and compliant with industry standards
- Data Encryption: Ensuring that customer data is encrypted during transmission and storage
- Customer Consent and Privacy: Reviewing the consent processes to verify that customers are adequately informed about how their data will be used
- Employee Training: Auditing the effectiveness of training provided to employees handling vKYC processes to ensure compliance and accuracy
- Incident Response: Evaluating the protocols in place for responding to any potential security breaches or fraud incidents within the vKYC system
Reference: Know Your Customer (KYC) Direction, 2016 dated February 25, 2016 ("KYC MD"), issued by the Reserve Bank of India ("RBI").