RBI Data Localization Audit (SAR)

Call Us

The Reserve Bank of India, the apex financial institution of the country is the central banking institution that requires unrestricted data of all transactions that take place in India. In an effort to promote "Data Localization" on the 8th of April 2018, Data Localization is the act of storing citizens’ data within the country’s geographical boundaries to avoid any foreign accessibility. The RBI issued a notice to all transaction providers and facilitators to ensure all the data is stored in systems within India.

The RBI directed the system providers to submit the System Audit Report within 6 months from the date of notice. The Auditor has to verify multiple facets of the system based on the guidelines issued by the RBI before certifying it :

Payment Data Elements
Transaction / Data Flow
Application Architecture
Network Diagram / Architecture
Data Storage
Transaction Processing
Activities subsequent to Payment Processing
Cross Border Transactions
Database Storage and Maintenance
Data Backup & Restoration
Data Security
Access Management

The Auditor or the auditing firm meticulously verifies and categorizes elements of the system according to the guidelines. In case of any gaps in terms of compliance, the Auditor informs the company regarding the non-compliance and offers solutions to ensure that everything is in line. Once all the required verification is carried out, the Auditor then gives the report the stamp of approval which showcases the reliability of the system provided by the company.

As SAR audit may be a necessity, we approach our work in a practical proactive manner adding value to the process through our expert opinion and experience.

Audit Approach

Working alongside RBI & NPCI Guidelines, QRC assesses your organization with a wholesome approach, dealing with SAR Data Localization controls. Our approach for assessment is as follows:

Business Understanding

Evaluating business process and environment to understand the in-scope elements

Audit Scope Finalization

Detailed questionnaire is shared with your teams along with other documentation, and evidence is collected on the architecture, implementation and controls.

Initial/Readiness Assessment

Conduct an initial audit to understand the infra of the organization and help our clients in identifying all the storage locations which comprise of any payment related data.

Risk Assessment

Identifying and analysing the risks in the information security posture.

Data Flow Assessment

Conducting thorough systems analysis to evaluate data flow and possible leakages

Remediation Support

Support you by recommending solutions to compliance challenges

Scans And Testing

Identify critical vulnerabilities in your system with a robust testing approach

Evidence Review

Review of the evidence collected to assess their maturity, in line with the compliance

Final Audit

Post remediation, we conduct a final audit and review your evidence as identified during the audit. On successful closure, we will share the confirmation letter that all assets defined as per the scope meet the prescribed guidelines.

Concise Reporting

Our team documents a comprehensive report detailing all findings covered during the assessment cycle.

Related Updates

Everything You Need To Know About Data Protection.

India took massive step with its own data protection act last year when Srikrishna Committee shared....