RBI System Audit Report for Data Localization (SAR) & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localization controls for the storage of payment-related data.

What is RBI System Audit Report (SAR) Data Localization Audit?

The Reserve Bank of India (RBI) issued a notification to mandate the storage of all end-to-end transaction data within India on April 8, 2018. RBI, the central banking institution, controlling monetary policies in India, requires unrestricted supervisory access to all the payment data and hence this mandate. Data Localization can be referred to as a government policy for storing the user data collected within its jurisdiction on the servers located within the country.

In today’s Data Storage Technology trend, data is generally preserved in a different location for quickly available data back up for data centers. Reserve Bank of India authorizes all global and local transaction operators in India to preserve all end-to-end payment data “within the country” has been whispering in the present payment environment across the world. The authorization is relevant for every organization handling payment data – initiating from fintech firms that perform peer-to-peer payment transactions to gateway operators which are accessed globally for universal funds transactions.

Circular for Payment Operators Include the Major Items as Below:

All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/ carried/processed as part of the message/payment instruction.
System providers shall ensure compliance of the above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
System providers shall submit the System Audit Report (SAR) on completion of the requirement. The audit should be conducted by CERT-IN Empanelled Auditors certifying completion of the activity. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank.