
RBI Cybersecurity Framework: Fintech Compliance 2026

RBI cybersecurity framework for Indian fintech in 2026: IT governance requirements, CSITE reporting, audit rules, and how to comply on a startup budget.

Ashok Kamat
Cybersecify
9 min read

RBI cybersecurity requirements apply to any Indian fintech that touches money: payment aggregators, account aggregators, NBFCs, and fintech companies working with regulated entities like banks. Key applicable directives: Cybersecurity Framework for Banks (June 2016), Guidelines on IT Governance / Risk / IT and IS Audit (2023 update), Master Direction on Digital Payment Security Controls (2021), IT Framework for NBFCs (2017), and CSITE reporting requirements. Annual VAPT is mandatory and must cover applications, infrastructure, and APIs, address OWASP Top 10 plus business logic, and include remediation verification. Repeat after significant system changes. Non-compliance risks license action, partnership termination, and IT Act penalties.

You just closed a partnership with a bank or NBFC. Or maybe you’re a payment aggregator that just got your PA license. Somewhere in the compliance checklist your partner handed you, there’s a line item about “RBI cybersecurity framework compliance” and a requirement for a VAPT report.

If you’re a fintech startup in India that touches money in any form (payments, lending, insurance, wealth management), RBI’s cybersecurity requirements apply to you. Not just banks. NBFCs, payment aggregators, account aggregators, and even fintech companies working with regulated entities need to comply. The specifics vary by entity type, but the direction is clear: every player in the financial ecosystem is expected to have a baseline security posture.

Here’s what you actually need to know.

Which RBI Guidelines Apply to You?

RBI has issued multiple circulars and directions over the years. The ones most relevant to fintech startups:

Guideline | Year | Applies To
Cybersecurity Framework for Banks | June 2016 | Scheduled commercial banks
Guidelines on IT Governance, Risk, IT & IS Audit | January 2023 (updated) | Banks, NBFCs, UCBs
Master Direction on Digital Payment Security Controls | 2021 | Payment system operators, banks, non-bank PSOs
IT Framework for NBFCs | 2017 | All NBFCs (scaled by size/category)
CSITE Reporting Requirements | Ongoing | All regulated entities

If you’re a payment aggregator, the Master Direction on Payment Aggregators and Payment Gateways (2020, updated 2024) also has specific security requirements you need to meet for licensing and ongoing compliance.

The key thing to understand: these aren’t suggestions. Non-compliance can result in regulatory action, fines, or your banking partner pulling the plug on your integration.

Key Requirements Breakdown

The exact requirements vary by entity type and scale, but here’s the practical summary of what RBI expects across its various frameworks.

1. Board-Approved Cybersecurity Policy

Every regulated entity needs a cybersecurity policy approved by the board (or equivalent governing body). This isn’t a 50-page document that sits in a drawer. RBI expects it to be reviewed and updated annually, covering emerging threats, incident learnings, and technology shifts.

For startups: if you don’t have a board yet, your founding team needs to formally approve and sign off on this policy. It should cover access control, data protection, incident response, vendor risk, and employee security awareness.

2. Cyber Security Operations Center (SOC)

Banks need a dedicated SOC. Smaller entities (NBFCs, payment aggregators) can outsource this to a managed SOC provider, but you still need continuous monitoring in place. “We check logs once a week” does not meet the requirement.

What this means practically: you need 24/7 monitoring of your critical systems, with alerting and escalation procedures documented.

3. Vulnerability Assessment and Penetration Testing (VAPT)

This is where most fintech startups first encounter RBI compliance. The requirement is straightforward:

  • Annual VAPT is mandatory for all regulated entities
  • Must cover your applications, infrastructure, and APIs
  • Report should address OWASP Top 10, business logic vulnerabilities, and API security
  • Remediation verification is required (not just “here’s a list of findings”)
  • VAPT must be repeated after significant changes to applications or infrastructure

RBI does not strictly mandate CERT-In empaneled auditors for all entity types, but many banks and NBFCs require their partners to use qualified, certified security firms. If your banking partner requires CERT-In empanelment, confirm that upfront before engaging a vendor.

4. Incident Response and CSITE Reporting

RBI requires regulated entities to report cyber security incidents through the CSITE (Cybersecurity and IT Examination) framework. The key points:

  • Incidents must be reported to RBI within 6 hours of detection (for banks)
  • NBFCs and other entities have similar reporting requirements with varying timelines
  • All Indian companies (not just banks and NBFCs) are also covered by CERT-In’s parallel 6-hour reporting rule for the same incidents
  • You need a documented incident response plan that your team actually practices
  • Post-incident root cause analysis is required

For startups: even if you’re not directly regulated, your banking/NBFC partner will contractually require you to report incidents to them within tight timelines. Build this into your incident response plan from day one.

5. Data Localization

This is non-negotiable for payment data:

  • All payment system data must be stored only in India
  • This includes transaction data, card data, and customer authentication data
  • End-of-day processing data can be shared abroad for settlement purposes, but the primary copy stays in India
  • RBI has conducted audits to verify compliance with this requirement

If you’re using AWS, GCP, or Azure, make sure your payment data workloads run exclusively in the Mumbai (or Hyderabad) region. No exceptions.

6. Multi-Factor Authentication

For digital payment transactions:

  • MFA is required for customer-facing payment transactions
  • The authentication factors must be from different categories (something you know, have, or are)
  • SMS OTP alone may not be sufficient for high-value transactions going forward
  • Device binding and biometric authentication are encouraged

7. Encryption Requirements

  • Data at rest and in transit must be encrypted
  • Encryption standards must align with current best practices (AES-256, TLS 1.2+)
  • Key management procedures must be documented
  • PCI DSS compliance is additionally required if you handle card data

VAPT Requirements: The Details

Since VAPT is the most common compliance requirement fintech startups face, here’s a deeper breakdown of what RBI expects from a VAPT engagement.

Requirement | What It Means
Scope | All customer-facing applications, APIs, mobile apps, and supporting infrastructure
Methodology | OWASP Top 10 + business logic testing + API security testing
Authentication testing | Session management, MFA bypass attempts, privilege escalation
Report format | Executive summary + technical findings + remediation guidance + risk ratings
Remediation verification | Re-test after fixes to confirm vulnerabilities are resolved
Frequency | At least annually, plus after significant changes
Tester qualifications | Certified professionals (OSCP, CEH, CompTIA PenTest+, or equivalent)

A common mistake: running an automated vulnerability scanner (Nessus, Qualys) and submitting that as your “VAPT report.” Regulators and banking partners know the difference. A proper pentest involves manual testing of business logic, authentication flows, and API endpoints that automated tools miss entirely.

How Cybersecify delivers pentest engagements for fintech

Cybersecify conducts penetration testing for Indian fintech startups, NBFCs, and payment aggregator partners. Scope covers OWASP Top 10, business logic testing, API security testing, authentication and session management, and post-fix retest. Reports include executive summary, technical findings with reproduction steps, remediation guidance, CVSS risk ratings, and retest verification. Engagements are founder-led by both co-founders (Rathnakara GN holds OSCP and CompTIA PenTest+; Ashok S Kamat handles compliance scoping). Startup Pentest INR 74,999 for 1 scope, Growth Pentest INR 1,79,999 for 2 scopes including SOC 2 and ISO 27001 audit prep and a Letter of Attestation. See pentest plans, view a sample report, or book a 30-min scoping call.

How This Affects Fintech Startups (Not Just Banks)

Even if you’re not directly regulated by RBI, here’s why this matters to you:

Payment aggregators (Razorpay, Cashfree partners): If you’re a merchant or platform using a payment aggregator, your PA will increasingly require you to demonstrate security compliance. If you’re applying for your own PA license, these requirements are mandatory.

NBFCs and lending platforms: All NBFCs are required to comply with the IT framework. If you’re a lending platform partnering with an NBFC, they will require VAPT reports and security policy documentation from you.

Account aggregators: The AA framework has its own security requirements, heavily influenced by RBI’s broader cybersecurity framework. Data security is central to the AA model.

Fintech-bank partnerships: When a bank evaluates you as a technology partner, they’ll assess your security posture against RBI’s framework. No VAPT report, no security policy, no partnership.

Compliance Roadmap for Startups

Here’s a practical sequence that works for early-stage fintech companies:

Phase 1: Assessment (Week 1-2)

Start with a security assessment to understand where you stand. Map your current controls against RBI requirements for your specific entity type. Most startups are 20-40% compliant without realizing it (you probably already have encryption in transit, cloud security groups, and some form of access control).

For a structured assessment with an actionable gap report, book a free 30-min discovery call with the founders. For ongoing execution, our Security Retainer (INR 24,999/month) covers 10 hours of founder-led work per month.

Phase 2: VAPT (Week 2-4)

Get a proper penetration test done. Not just a scanner report. Manual testing of your application, APIs, and infrastructure by certified testers who understand fintech-specific risks (payment flows, transaction manipulation, authentication bypass).

Our Startup Pentest Plan (INR 74,999) covers one application scope with 7-day delivery, including remediation guidance and a re-test. The Growth Pentest Plan (INR 1,79,999) covers two scopes and includes SOC 2 + ISO 27001 audit prep if you’re on that path too.

Phase 3: Policy and Documentation (Week 3-5)

Document your cybersecurity policy, incident response plan, data classification, access control policy, and vendor risk management. These don’t need to be lengthy. They need to be accurate, followed, and board-approved.

Phase 4: Incident Response Setup (Week 4-6)

Build your incident response workflow with CSITE reporting built in. Define severity levels, escalation paths, communication templates, and reporting timelines for your banking/NBFC partners.

Phase 5: Data Localization Verification (Week 5-6)

Audit your infrastructure to confirm all payment data stays in India. Check your database hosting, backup locations, CDN caching, log storage, and any third-party integrations that might process payment data outside India.
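The data localization check from section 5 and Phase 5, as an added example that is not part of the original article: a small Python audit over a constructed resource inventory (database, backup, CDN cache, logs, settlement export, third party) that flags every copy of payment data hosted outside India, allowing the end-of-day settlement export abroad only while the primary copy of that dataset stays in India. The AWS-style region names (ap-south-1 for Mumbai, ap-south-2 for Hyderabad) and the inventory itself are assumptions.

```python
from dataclasses import dataclass

# Regions counted as "in India". AWS-style names are an assumption for this
# example (ap-south-1 = Mumbai, ap-south-2 = Hyderabad); map your provider's.
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str        # database | backup | cdn | logs | export | third_party
    region: str      # provider region, or "global" for edge-cached CDN content
    dataset: str     # logical payment dataset this resource holds a copy of
    holds_payment_data: bool
    primary: bool = False   # authoritative copy of the dataset
    purpose: str = ""       # "settlement" marks the end-of-day carve-out


def audit_localization(inventory):
    """Return (resource name, reason) findings for payment data outside India.

    Rules from the article: every copy of payment data stays in India; the
    only copy allowed abroad is an end-of-day settlement export, and only
    while the primary copy of that dataset is hosted in India.
    """
    primary_in_india = {
        r.dataset for r in inventory
        if r.holds_payment_data and r.primary and r.region in INDIA_REGIONS
    }
    findings = []
    for r in inventory:
        if not r.holds_payment_data or r.region in INDIA_REGIONS:
            continue  # no payment data, or hosted in India: nothing to flag
        if r.primary:
            findings.append((r.name, f"primary copy of '{r.dataset}' is in {r.region}"))
        elif r.kind == "export" and r.purpose == "settlement":
            if r.dataset not in primary_in_india:
                findings.append((r.name, f"settlement export of '{r.dataset}' has no primary copy in India"))
        else:
            findings.append((r.name, f"{r.kind} copy of '{r.dataset}' is in {r.region}"))
    return findings


# Constructed inventory for a fictional payment aggregator (not a real deployment).
INVENTORY = [
    Resource("txn-db", "database", "ap-south-1", "transactions", True, primary=True),
    Resource("txn-backup-dr", "backup", "us-east-1", "transactions", True),
    Resource("api-cdn-cache", "cdn", "global", "transactions", True),
    Resource("app-logs", "logs", "ap-south-1", "transactions", True),
    Resource("eod-settlement-store", "database", "ap-south-2", "eod_settlement", True, primary=True),
    Resource("eod-settlement-export", "export", "eu-west-1", "eod_settlement", True, purpose="settlement"),
    Resource("refund-ledger", "database", "ap-southeast-1", "refunds", True, primary=True),
    Resource("kyc-vendor", "third_party", "us-west-2", "kyc_docs", False),
]

if __name__ == "__main__":
    for name, reason in audit_localization(INVENTORY):
        print(f"VIOLATION {name}: {reason}")
```

Feed it the output of your cloud inventory tooling (one Resource per database, backup vault, CDN distribution, log bucket and vendor integration) and the findings list becomes the Phase 5 audit evidence.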

Phase 6: Ongoing Compliance (Continuous)

Annual VAPT, quarterly vulnerability scans, regular policy reviews, and incident response drills. This isn’t a one-time checkbox. RBI expects continuous compliance, and your banking partners will ask for updated reports annually.

What This Costs

For context, here’s a realistic budget for a seed-to-Series A fintech startup:

Item | Cost Range | Notes
Security assessment | INR 10,000 - 50,000 | Depends on scope and complexity
Penetration test (annual) | INR 75,000 - 1,80,000 | Manual testing, not just scanners. Our pricing
Policy documentation | INR 50,000 - 2,00,000 | Can be done in-house if you have security expertise
Managed SOC (if required) | INR 1,50,000 - 5,00,000/year | Outsourced monitoring for smaller teams
Data localization audit | INR 25,000 - 75,000 | Infrastructure review
Total first year | INR 3 - 10 lakh | Varies significantly by entity type and existing maturity

That’s significantly less than what banks spend, and it’s achievable on a startup budget. The cost of non-compliance (failed partnerships, regulatory action, or a breach without proper controls) is far higher.

How We Help

We work with fintech startups at every stage of RBI compliance:

  1. Security assessment: identify gaps against RBI requirements for your specific entity type
  2. Penetration testing: annual VAPT with audit-grade reports your banking partners and regulators expect
  3. Remediation support: fix what the pentest finds, with verification retesting included
  4. Policy documentation: practical, followable policies that satisfy regulatory requirements
  5. Ongoing security: fractional security team support through our consulting plans for companies that need continuous coverage without hiring a full-time security team

Not sure where to start? Book a free 30-min discovery call with the founders. We will map your compliance gaps and recommend a prioritized roadmap. No payment, no commitment.

Book a discovery call, check our pentest plans, or run a free external attack surface scan to see what’s publicly exposed today. For a broader view of how we support compliance readiness, see our audit and compliance services.

Frequently Asked Questions

Does the RBI cybersecurity framework apply to fintech startups?

Yes. If your fintech startup touches money in any form (payments, lending, insurance, wealth management), RBI cybersecurity requirements apply. This includes payment aggregators, account aggregators, and fintech companies working with regulated entities like banks and NBFCs.

Is VAPT mandatory for RBI compliance?

Yes. Annual VAPT is mandatory for all regulated entities under RBI guidelines. The assessment must cover applications, infrastructure, and APIs, address OWASP Top 10 and business logic vulnerabilities, and include remediation verification. VAPT must also be repeated after significant changes to your systems.

Which RBI cybersecurity guidelines apply to fintech startups?

Five main directives stack depending on your entity type and partnerships. Cybersecurity Framework for Banks (June 2016) applies to scheduled commercial banks but flows through to vendor procurement. Guidelines on IT Governance, Risk, IT and IS Audit (2023 update) apply to all regulated entities and set baseline controls. Master Direction on Digital Payment Security Controls (February 2021) applies to payment system operators including payment aggregators. IT Framework for NBFCs (June 2017) applies to NBFC-ICCs, NBFC-IFCs, and other categorised NBFCs. CSITE (Cybersecurity and IT Examination) reporting applies to entities directly supervised by RBI. If you partner with a bank or NBFC, the bank's compliance team will flow these requirements down to you via the vendor questionnaire even if you are not directly regulated.

What is CSITE and do I need to report?

CSITE stands for Cybersecurity and IT Examination, the RBI's specialised supervision function for cybersecurity at regulated entities. Direct CSITE reporting applies to banks, NBFCs above a certain asset threshold, payment system operators, and similar entities directly supervised by RBI. Fintech startups that are not directly regulated typically do not file CSITE reports themselves but must support their regulated-entity partners (banks, NBFCs, payment aggregators) in their CSITE submissions when the partner is asked about vendor security posture. CSITE involves periodic returns on incidents, controls, audit findings, and remediation. If your partner bank's CSITE submission references your service, expect your security posture to be examined alongside theirs.

Does the RBI Account Aggregator framework have cybersecurity requirements?

Yes. RBI Master Direction on NBFC-AA (2016, updated 2023) requires Account Aggregators (AAs) and the Financial Information Users (FIUs) and Financial Information Providers (FIPs) participating in the framework to meet specific cybersecurity controls. Requirements include: end-to-end encryption of financial data in transit, consent artefact integrity verification (signed via the AA), no storage of financial data by the AA itself (the AA is a consent and data-flow facilitator, not a data store), audit logging of every consent and data-share event, and annual VAPT covering the AA application and consent management system. If you build on the AA ecosystem (Sahamati partner), expect AA framework cybersecurity asks alongside RBI's general fintech requirements.

What are the Digital Payment Security Controls under the February 2021 Master Direction?

RBI's Master Direction on Digital Payment Security Controls (February 18, 2021) applies to all entities offering digital payment products. Core controls include: governance framework and Board oversight of payment security, secure SDLC for payment applications, application security testing (VAPT mandatory annually plus after major releases), API security including OAuth 2.0 and rate limiting, fraud risk management including transaction monitoring, customer authentication (multi-factor for high-value transactions), session management (idle timeouts, re-authentication for sensitive operations), cryptography (TLS 1.2+ for transport, AES-256 for data at rest), and incident response with reporting to RBI within prescribed timelines. Smaller fintechs partnered with regulated banks see these controls flow through their bank partner's procurement questionnaire.

Do RBI Digital Lending Directions 2025 affect fintech compliance?

Yes, heavily, if you are in the lending stack. RBI Digital Lending Directions 2025 (effective May 8, 2025) restrict digital lending to regulated entities (banks, NBFCs) and their approved Digital Lending Apps (DLAs). The directions require: clear display of the regulated lender's name and grievance officer, mandatory Key Fact Statement before disbursal, prohibition on harvesting unrelated permissions (contacts, gallery, SMS, call logs cannot be required by lending apps), mandatory escrow account flow for disbursements (no direct lender-to-borrower transfers via DLA), and inclusion in the RBI Centralised Information Management System (CIMS) directory of registered DLAs. The directions effectively shut down most fake loan apps; legitimate fintech lenders need explicit RBI registration or partnership with a regulated lender.

What is the timeline for RBI cyber incident reporting for fintech?

Stacked timelines apply. CERT-In (under MeitY) requires reporting within 6 hours of incident detection per the April 2022 directive, and this applies to fintechs regardless of RBI status. RBI separately requires reporting cyber incidents to the Reserve Bank within specified windows (varies by entity type and incident severity, typically 2 to 6 hours for material incidents at directly regulated entities). Bank-partnered fintechs must additionally notify their bank partner's incident response team per the vendor agreement, typically within 1 to 4 hours. Build the incident response playbook to start CERT-In notification immediately on detection, RBI notification in parallel where applicable, and bank-partner notification within the contractual window. Multiple parallel notifications are common; missing the deadline on any one is non-compliance.

How does ISO 27001 certification help with RBI cybersecurity compliance?

ISO 27001:2022 covers approximately 70 to 80 percent of RBI's baseline cybersecurity expectations (governance, access control, cryptography, operations security, supplier security, incident management, audit). RBI guidelines explicitly reference ISO 27001 as an acceptable framework for some control categories. Certification gives you a Statement of Applicability mapping your controls to Annex A, which is directly useful when responding to RBI examinations or bank-partner vendor questionnaires. Gaps where RBI exceeds ISO 27001: specific Indian regulatory reporting (CSITE, incident reporting timelines), payment-domain-specific controls (Digital Payment Security Controls), and DPDP Act overlay. Plan ISO 27001 plus a thin RBI-specific overlay rather than starting from scratch on RBI.

What does a fintech RBI compliance pentest scope cover?

A compliant pentest for an RBI-regulated or RBI-adjacent fintech covers: web application (customer-facing portal, internal admin), API endpoints (authentication, authorisation, rate limiting, business logic), mobile applications (Android and iOS, including local data storage, secure communication, anti-tamper), supporting infrastructure (load balancers, WAF, database, message queue), and integration touchpoints (bank-partner APIs, payment gateway, KYC provider, AA framework if applicable). Methodology should reference OWASP WSTG v5.0, OWASP API Security Top 10 (2023), OWASP MASVS, PTES. Findings should map to RBI Master Direction Digital Payment Security Controls (where applicable) and to ISO 27001 Annex A. Cybersecify Growth Pentest at INR 1,79,999 plus taxes covers 2 scopes with this methodology including Letter of Attestation and 1 free retest.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Ashok Kamat on LinkedIn.
