RBI Data Localization Audit (SAR)

The Reserve Bank of India (RBI), the country's apex financial institution and central bank, requires unrestricted access to the data of all transactions that take place in India. Data Localization is the act of storing citizens’ data within the country’s geographical boundaries to avoid any foreign accessibility. In an effort to promote Data Localization, on the 8th of April 2018 the RBI issued a notice to all transaction providers and facilitators to ensure all the data is stored in systems within India.

The RBI directed the system providers to submit the System Audit Report within 6 months from the date of notice. The Auditor has to verify multiple facets of the system based on the guidelines issued by the RBI before certifying it:

  • Payment Data Elements
  • Transaction / Data Flow
  • Application Architecture
  • Network Diagram / Architecture
  • Data Storage
  • Transaction Processing
  • Activities subsequent to Payment Processing
  • Cross Border Transactions
  • Database Storage and Maintenance
  • Data Backup & Restoration
  • Data Security
  • Access Management

The Auditor or the auditing firm meticulously verifies and categorizes elements of the system according to the guidelines. In case of any gaps in compliance, the Auditor informs the company of the non-compliance and offers solutions to bring everything in line. Once all the required verification is carried out, the Auditor gives the report the stamp of approval, which showcases the reliability of the system provided by the company.

As an SAR audit may be a necessity, we approach our work in a practical, proactive manner, adding value to the process through our expert opinion and experience.

Our Approach

Working alongside RBI & NPCI Guidelines, QRC assesses your organization with a holistic approach to SAR Data Localization controls. Our approach for assessment is as follows:

Information Gathering & Documentation Review

We share a detailed questionnaire with your teams, along with other documentation, and collect evidence on the architecture, implementation and controls to understand data flow.

Audit Process

After scope definition and initial engagement, we will conduct an initial audit to understand the organization's infrastructure and help our clients identify all the storage locations that contain any payment related data.

Based on the assessment and the identification of the payment data, QRC will provide remediation support for complying with the RBI mandate.

Report & Confirmation Letter

After assessment and remediation, we will review your evidence on the closure of the Action phase as identified during the audit. On successful closure, we will share the confirmation letter stating that all payment related data is residing inside India.

Having a successful System Audit Report (SAR) audit ensures appropriate assessment of technology risks and the control environment as related to critical business processes.

  • SAR Audit secures citizens’ data and provides data privacy and data sovereignty from foreign surveillance, thereby increasing accountability. Example: Facebook shared user data with Cambridge Analytica.
  • Empowers local governments and regulators with the jurisdiction to call for data when required.
  • Ensures national security by providing ease of investigation to Indian law enforcement agencies, as they currently need to rely on Mutual Legal Assistance Treaties (MLATs) to obtain access to data.
  • Assessing your IT infrastructure will help to identify precisely what sensitive information you hold, providing the scope to organize storage and refine data management processes.
  • Audits conducted by a CERT-In empaneled auditor allow our clients to be proactive in identifying vulnerabilities in their IT infrastructure and validating the effectiveness of their current security safeguards.
