
SAR Audit - RBI Data Localization Mandate

The Reserve Bank of India (RBI) issued a directive through circular DPSS.CO.OD.No 2785/06.08.005/2017-18 on April 8, 2018, mandating that all transaction data be stored exclusively within India. As the central banking institution overseeing monetary policies, the RBI requires unrestricted supervisory access to payment data, enforcing this mandate to ensure compliance.

Under this mandate, any company handling transactions in India, whether local or global, such as fintech firms facilitating peer-to-peer transactions or gateway operators managing international fund transfers, must store all payment data within India.


What is a SAR Audit?

A SAR Audit, or Security Assessment Review Audit, is a comprehensive evaluation of an organization’s security posture. This meticulous process identifies vulnerabilities, assesses the effectiveness of existing security measures, and ensures compliance with industry standards and regulations. Conducted by expert auditors, a SAR data localization audit provides a clear roadmap for enhancing cybersecurity, mitigating risks, and safeguarding sensitive data. It’s a critical step for organizations aiming to strengthen their cybersecurity framework and protect against evolving threats.

How Does a SAR Audit Work?

The Benefits of SAR Audits

Data Localization

In times of geopolitical uncertainty, SAR audits play a crucial role in securing financial and personal data of Indian citizens. Ensuring data localization provides a strong safeguard against potential threats during geopolitical crises.

Anti-Money Laundering

SAR audits are essential in detecting and preventing suspicious financial activities. Thorough audits enhance organizational defenses, contributing significantly to the global fight against illicit financial practices.

Enhanced IT Governance

For payment service providers, robust IT governance is critical. SAR audits identify and address potential weaknesses in data storage, access management, and security protocols, elevating the overall integrity of IT governance.

Key Data Requirements for System Audit Report (SAR)

The System Audit Report (SAR) is a comprehensive document that organizations must prepare to demonstrate compliance with the RBI's data localization mandate. The report must cover various aspects of data management, security, and governance. Below are detailed explanations of the key data requirements for a SAR data localization audit.

1. Classification of Data Elements

Information such as card details, account numbers, and payment method specifics must be classified and managed. Personal details of customers, including names, addresses, and contact information, must be clearly categorized and protected.

2. Transaction / Data Flow

The SAR should include a comprehensive diagram that maps out the entire flow of transactions from initiation to completion. It should differentiate between data at rest (data stored in any digital form) and data in motion (data actively moving through the system).

3. Application Architecture

A detailed architecture diagram should be provided, illustrating all components involved in the application. This includes servers, databases, middleware, user interfaces, and any other relevant components.

4. Online System Security

The SAR must detail the security controls in place to protect payment information systems and mobile applications. This includes measures against malware, phishing attacks, and unauthorized access.

5. Network Architecture

The SAR should demonstrate adherence to a robust Network Security Policy, detailing firewalls, intrusion detection systems, and secure communication protocols.

6. Data Storage

An architecture diagram explaining the data retention policy and database structure should be provided. This includes where and how data is stored, retention durations, and methods for secure storage.

7. Transaction Processing

The SAR should show detailed transaction and data flow processes. Evidence of Standard Operating Procedures (SOPs) or organizational policies governing these processes should be provided.

8. Data Backup & Restoration

The SAR must demonstrate compliance with guidelines for data backup and restoration. This includes policies for regular backups, disaster recovery plans, and log management practices.

9. Data Security

Verification of security controls such as data masking, encryption, and access monitoring. Policies for Data Security, Database Access Monitoring, and Data Purging should be detailed.

10. Access Management

The SAR should assess how data access is managed, particularly from locations outside India. It must demonstrate adherence to organizational Access Control Checks.

11. Information Security Governance

Evaluation of top management’s role in overseeing information security, with supporting documentation of an Information Security Governance policy.

12. Asset Management

The SAR should cover policies for hardware management, change management, physical security, and system scalability. An Asset Management policy should be detailed.

13. Human Resource Management

Policies for recruitment, training, and termination processes related to information security should be outlined. This ensures that personnel handling sensitive data are adequately vetted and trained.

14. Business Continuity Management

Assessment of the organization’s capabilities in disaster recovery, with documentation of a comprehensive Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan.

15. Incident Management

Examination of the incident management policy. The SAR should detail the organization’s procedures for responding to security incidents, including detection, reporting, and resolution.

16. IT Project Management

Evaluation of controls in place for developing or acquiring new systems, with a focus on project risk management and adherence to a Secure Software Development Life Cycle (SDLC) Policy.

17. Third-Party Risk Management

Assessment of controls for managing risks associated with third-party vendors. This includes vendor contracts, the Third-Party Risk Management (TPRM) policy, and vendor outsourcing policies.

What are the potential consequences of non-compliance with the SAR mandate?

How can a SAR audit benefit my business beyond regulatory compliance?

How often should SAR audits be conducted?

The RBI doesn’t specify a mandatory frequency for SAR audits. However, it’s recommended to conduct them periodically, at least annually, to reflect any changes in your systems and data storage practices.

What internal resources are needed to prepare for a SAR audit?

What data needs to be included in the SAR report?
