
RBI DATA LOCALIZATION AUDIT (SAR)

AUDIT OF RBI DATA LOCALIZATION

In order to reduce the risks associated with the storage of payment system data in the present payment ecosystem, the Reserve Bank of India and NPCI have published new guidelines for payment operators.

Data Localization (SAR) & Storage of Payment System Audit Report for the RBI System

In order to maintain proper security precautions and data localization controls for the storage of payment-related data, RBI has made data localization a compliance obligation.

The Reserve Bank of India, the nation's central bank, demands unfettered access to data on all transactions that take place in India. Data localization is the practice of keeping citizens' data within the nation's physical borders to prevent any foreign access, and it was introduced on April 8, 2018. All transaction providers and facilitators received a notice from the RBI requiring that all data be kept on systems located in India.

The System Providers were given a deadline of six months from the date of notification by the RBI to produce the System Audit Report. Prior to certification, the Auditor must confirm a number of aspects of the system in accordance with the RBI's guidelines:

  • Payment Data Elements
  • Transaction / Data Flow
  • Application Architecture
  • Network Diagram / Architecture
  • Data Storage
  • Transaction Processing
  • Activities subsequent to Payment Processing
  • Cross Border Transactions
  • Database Storage and Maintenance
  • Data Backup & Restoration
  • Data Security
  • Access Management

What is RBI System Audit Report (SAR) Data Localization Audit?

On April 8, 2018, the Reserve Bank of India (RBI) published a notice requiring the preservation of all end-to-end transaction data inside India. This requirement was created because the RBI, the body in charge of monetary policy in India, needs unlimited supervisory access to all payment data. A government strategy known as "Data Localization" calls for keeping user information amassed under its purview on servers based domestically.

In today's data storage practice, data is often kept in a separate location so that backups remain quickly accessible to data centres. It has been rumoured in the current payment environment throughout the globe that the Reserve Bank of India has granted permission to all local and international transaction operators in India to retain all end-to-end payment data "inside the country." Every entity that handles payment data has to obtain permission, from fintech companies that conduct peer-to-peer transactions to gateway operators that are accessible internationally for universal funds transfers.

The following are the major items in the circular for payment operators:

  • All system providers must make sure that all information pertaining to the payment systems they administer is kept on a system that is exclusively located in India. The whole end-to-end transaction details and information that were gathered, carried, and processed as part of the message or payment instruction should be included in this data.
  • System providers must assure compliance with the aforementioned within six months and notify compliance to the Reserve Bank by October 15, 2018, at the latest.
  • When the requirement is met, system providers must submit the System Audit Report (SAR). The audit should be carried out by CERT-IN Empanelled Auditors who can attest to the activity's completion. The Reserve Bank should receive the SAR that has been properly authorised by the Board of the system providers.

Important Considerations for a System Audit Report on Data Localization (SAR)

The following important criteria need to be addressed as part of this audit.

  • Data Elements Related to Payments - The auditor should examine all data elements and determine whether they are related to payments or not. Data about customers, transactions, sensitive payments, and payment credentials should all be included. Each component has to be classified according to the applicable jurisdictions and whether or not the information has been returned to India.
  • Transaction / Data Flow - A full flowchart of the transaction and data flow must be included in the report for all transaction types, including cross-border transactions. The figure should show the flow of a transaction across the various parts of the application.
  • Application Architecture - To demonstrate the components and modules of the application, a thorough diagram of the application architecture must be included in the report.
  • Network Diagram - A thorough depiction of the network architecture must include the necessary hardware for both main and backup sites, as well as CBS, if applicable.
  • Transaction Processing - The auditor should determine whether particular components of a transaction are processed in India or elsewhere. The auditor must also determine whether the cleansing procedure and policy are clear and adhere to RBI regulations.
  • Actions after Payment Processing - The auditor must identify activities such as settlements that occur after payment processing and determine whether they take place within or outside of India.
  • Cross-border Transactions - The auditor must confirm whether cross-border transactions exist in the application, that is, whether they are supported or actually taking place.
  • Data Backup and Restoration - The auditor must confirm that the stated payment data backup and restoration complies with the rules.
  • Data security - To make sure transaction data is protected, security procedures must be examined. This comprises common data security measures including database access monitoring, data leakage prevention, encryption, and masking.
  • Access Management - If data is accessed outside of India for purposes such as data analytics, chargebacks, customer service, or dispute resolution, the authorization levels and access levels allowed should follow the established procedures and regulations.
