
Fintech Cybersecurity: RBI Guidelines for India

Indian fintechs operate inside a steadily tightening regulatory perimeter. The RBI Cyber Security Framework for banks, the NBFC IT guidelines, payment aggregator authorisation requirements, the digital lending rules, and now DPDP all apply. Auditors are sophisticated and customer security questionnaires are increasingly detailed. Here is the working RBI-aligned cybersecurity programme our fintech practice applies.

Published 23 May 2026 · 9 min read · Codesecure Industry Practice

Key Takeaways

  • RBI Cyber Security Framework for banks (2016, updated) is the foundational document. NBFC IT guidelines (2017) and payment aggregator authorisation requirements (2020) extend specific controls into fintech.
  • VAPT cadence under RBI is at minimum annual, more frequent for material changes, with the report retained for inspection.
  • API security for UPI integrations is where many fintech findings cluster. BOLA across customer IDs, weak mutual TLS, and over-permissive partner API keys are recurring.
  • Third-party risk is a major RBI focus area. The fintech is accountable for the cyber posture of every payment, KYC, credit-bureau, identity and infrastructure vendor in the stack.
  • Incident reporting: RBI material incident notification (typically 2 to 6 hours), CERT-In within 6 hours, DPDP notification if personal data involved.

The Indian Fintech Regulatory Landscape in 2026

Indian fintech regulation has matured rapidly. The dominant cyber-relevant documents in 2026 are: RBI Cyber Security Framework in Banks (Master Direction series), RBI Master Direction on Outsourcing of IT Services, RBI Information Technology Framework for NBFC sector, RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI Digital Lending Guidelines, RBI Master Directions for Co-Lending and others, plus SEBI and IRDAI guidance where the fintech bridges those sectors.

On top of RBI-sector regulation: DPDP Act 2023 (every fintech is a Data Fiduciary), CERT-In April 2022 directions (6-hour incident reporting), the IT Act 2000 framework, and the NCIIPC designation where applicable. Indian fintechs operating internationally also navigate PCI DSS 4.0 (anyone in card flow), HIPAA (rare but possible), GDPR (any EU customers), and similar global frameworks.

RBI Cyber Security Framework: The Core

The RBI Cyber Security Framework structures controls across governance, board oversight, cyber security policy, risk assessment, controls (preventive, detective, corrective), continuous surveillance, incident reporting, and IT/cyber audit. RBI tiers regulated entities by size and exposure (numbered categories or levels, I to IV, depending on the master direction); larger entities carry more demanding controls.

Practical implementation for fintechs: appoint a board-approved CISO with reporting line independent of CIO, document the cyber security policy with annual board review, establish a Cyber Crisis Management Plan tested at least annually, conduct VAPT at minimum annually plus on material changes, deploy SOC monitoring (in-house or managed) covering critical systems, log retention sufficient for forensics (1 year minimum, longer for some classes), and maintain a board-reviewed cyber risk dashboard.

Need a Sector-Specific Cyber Programme?

Codesecure delivers ISO/IEC 27001:2022 certified VAPT, compliance and managed security for healthcare, fintech, manufacturing, e-commerce, education, legal and insurance customers across India. Named consultants, fixed-price proposals, free retest within 90 days.

See Industry Services →

Payment Aggregator and Gateway Specifics

Payment aggregators authorised by RBI have additional explicit obligations: PCI DSS compliance (mandatory at appropriate level), card data tokenisation where applicable, settlement account segregation, periodic security audit, and incident reporting. The PA license terms reference cyber controls in detail and inspections check them.

Common PA security findings in our engagements: card data scope creep beyond the documented CDE, weak segregation between PA infrastructure and the broader fintech stack, partner API keys reused across environments, insufficient logging on settlement flows, and incomplete vendor cyber assurance for the bank settlement partners and the upstream networks (Visa, Mastercard, RuPay, UPI infrastructure providers).

API Security for UPI and Open Banking

Modern fintechs are API-centric. UPI integrations, account aggregator flows, lending bureau integrations, KYC providers, merchant onboarding, transaction monitoring services, and partner channel APIs together create a large API attack surface that is often under-tested.

Recurring findings: Broken Object Level Authorization (BOLA) where one customer ID can be substituted for another in API calls and the backend trusts the client-supplied ID; weak mutual TLS implementation (server certs validated, client certs accepted without proper chain check); over-permissive partner API keys with wildcard scopes; missing rate-limiting on sensitive endpoints (OTP, balance enquiry); and JWT handling issues (algorithm confusion, weak signing keys, missing audience validation). Our API security audit blog walks each in detail; RBI-aligned fintech VAPT must cover these systematically.
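Two of the findings above, BOLA and JWT validation gaps, are easiest to see side by side in code. The block below is an added illustration written for this page, not code from Codesecure or any client engagement: a minimal HS256 JWT verifier built on the standard library (no PyJWT dependency), a deliberately vulnerable balance-lookup handler that authorises on the client-supplied customer ID, and its hardened form that derives the object owner from the verified token's `sub` claim. The signing key, audience name, account data and customer IDs are constructed sample values.

```python
"""Added example: BOLA and JWT-validation pitfalls in a fintech API handler.

Stdlib only. The key, audience, account balances and customer IDs below are
constructed sample data for illustration, not production values.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-signing-key-not-for-production"   # constructed sample key
EXPECTED_AUD = "accounts-api"                     # assumed audience for this service
PINNED_ALG = "HS256"                              # server decides the algorithm, never the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Issue a compact JWT. alg='none' is supported only to show attacker input."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    sig = "" if alg == "none" else _b64url(
        hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + sig


def verify_token(token: str, now: float = None) -> dict:
    """Strict verification: pinned alg, constant-time signature check, exp, aud."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Algorithm confusion: the header must not be allowed to choose 'none' or
    # switch an asymmetric key into an HMAC secret. Pin it server-side.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # Missing audience validation lets a token minted for another service be replayed here.
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def rejection_reason(token: str) -> str:
    """Return the verifier's error message, or '' if the token is accepted."""
    try:
        verify_token(token)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed sample data store: customer_id -> balance in INR
ACCOUNTS = {"C1001": 25000, "C1002": 980}


def get_balance_vulnerable(token: str, requested_customer_id: str) -> int:
    """BOLA: the caller is authenticated, but authorisation trusts the client-supplied ID."""
    verify_token(token)
    return ACCOUNTS[requested_customer_id]


def get_balance_hardened(token: str, requested_customer_id: str) -> int:
    """Fixed: the object owner comes from the verified token, not the request."""
    claims = verify_token(token)
    if claims.get("sub") != requested_customer_id:
        raise PermissionError("object does not belong to caller")
    return ACCOUNTS[requested_customer_id]


if __name__ == "__main__":
    far_future = 4102444800  # 2100-01-01, keeps the sample token valid
    tok = mint_token({"sub": "C1001", "aud": EXPECTED_AUD, "exp": far_future})
    print("vulnerable handler leaks C1002:", get_balance_vulnerable(tok, "C1002"))
    try:
        get_balance_hardened(tok, "C1002")
    except PermissionError as exc:
        print("hardened handler refuses:", exc)
    forged = mint_token({"sub": "C1002", "aud": EXPECTED_AUD, "exp": far_future}, alg="none")
    print("alg=none token:", rejection_reason(forged))
```

The hardened handler fixes the BOLA by comparing the requested object to the `sub` of a token that has already passed a pinned-algorithm, constant-time signature, expiry and audience check; a tester substituting another customer ID now gets a 403-equivalent rather than a balance. The same ownership check belongs on every object-bearing route (statements, mandates, beneficiaries), not only on the one that was found during VAPT.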

VAPT Cadence and Evidence

RBI expects at minimum annual VAPT for all critical systems, with more frequent testing for material changes and high-risk components. The VAPT must be conducted by competent independent parties; the report is retained for inspection and shared with the audit committee.

Our standard fintech engagement covers external network, internal network, web applications (customer, merchant, admin), mobile applications (iOS, Android), APIs (REST, GraphQL), cloud configuration (AWS, Azure, GCP), Active Directory, and source code review where in scope. Reports map findings to RBI Cyber Security Framework control areas plus ISO 27001 Annex A, SOC 2 if applicable, and PCI DSS where in scope. Free re-test within 90 days for remediation validation is part of every engagement.

Regulator Pressure or Customer Audit?

Whether you need RBI, IRDAI, DPDP, HIPAA, PCI DSS or NCIIPC evidence, our compliance and VAPT lead is available for a 30-minute free scoping call. Audit-ready, board-ready, no slideware.

Talk to a Specialist →

Third-Party and Vendor Risk Management

RBI is increasingly specific about third-party risk. The fintech is accountable for the cyber posture of every vendor in the chain: cloud provider, KYC partner, credit bureau, transaction monitoring service, payment infrastructure, identity verification, communication platform, ticketing, monitoring, and the long tail of SaaS that modern fintechs use.

Practical controls: maintain a complete vendor register, classify each by criticality and data access, require vendor cyber attestation (ISO 27001, SOC 2, PCI DSS, BAA where applicable), include cyber clauses in service agreements (incident notification, audit rights, exit data deletion), assess vendors annually or on material change, and integrate vendor incidents into the fintech's own IR plan. Most fintech engagements reveal a vendor register that is 20 to 50 percent incomplete at first scan.

Incident Reporting: RBI, CERT-In, DPDP

Indian fintechs operate under parallel notification regimes that fire simultaneously during a material incident. RBI material incident notification typically applies within 2 to 6 hours of awareness for regulated entities. CERT-In April 2022 directions require notification within 6 hours for specified cyber incident types. DPDP Section 8 plus the breach notification rules apply where personal data is involved.

Our recommended IR plan template (see our companion IR blog) includes a one-page notification matrix per incident class, with pre-positioned templates for each regulator. The Legal Lead during an incident does not need to invent which regulator to call; the matrix provides it. Codesecure delivers fintech-specific IR readiness as part of our compliance engagements.


Frequently Asked Questions

Does the RBI Cyber Security Framework apply to fintechs that are not banks?

The Framework directly applies to banks. The principles cascade into NBFC IT guidelines, payment aggregator authorisation requirements, digital lending rules and the master directions for other regulated entity categories. Most Indian fintechs operate under one or more of these, so RBI cyber expectations apply in practice through whichever instrument governs the licence.

How often do we need VAPT under RBI?

Annual is the minimum baseline. Material changes (new product, significant architectural change, cloud migration, M&A) trigger additional VAPT. High-risk components (customer-facing apps, payment flows) often justify quarterly or continuous testing. Codesecure offers continuous-VAPT programmes for fintechs needing that cadence.

What is the difference between RBI material incident and CERT-In incident?

Different scopes and timelines. RBI material incident notification applies to regulated entities for incidents affecting regulated operations, typically 2 to 6 hours. CERT-In applies to all Indian organisations for specified incident types per the April 2022 directions, 6 hours. They overlap frequently; one significant incident often triggers both notifications in parallel.

Do we need a dedicated CISO?

Yes for almost every RBI-regulated fintech beyond the smallest. The Framework expects a board-approved CISO with reporting line independent of the CIO. For very small fintechs, a virtual CISO arrangement satisfying the same governance can work; Codesecure provides vCISO services for early-stage Indian fintechs.

How does PCI DSS interact with RBI?

PCI DSS is required for entities in the cardholder data flow (payment aggregators, gateways, merchants accepting cards). RBI references PCI DSS in payment aggregator authorisation. The two are complementary, not competing. Codesecure delivers integrated RBI + PCI DSS programmes that share a controls library.

Can Codesecure act as our RBI cyber audit partner?

Yes. Codesecure delivers RBI-aligned cyber audits, VAPT, compliance gap closure and vCISO services for Indian fintechs, NBFCs and payment aggregators. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals.


Codesecure Industry Practice

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers sector-specific cybersecurity for healthcare, banking and fintech, manufacturing, e-commerce, education, legal and insurance customers across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.

✓ ISO/IEC 27001:2022 Certified

Build A Fintech Cyber Programme RBI Will Sign Off On

Codesecure delivers RBI-aligned cybersecurity, VAPT, compliance gap closure and vCISO services for Indian fintechs and NBFCs. ISO/IEC 27001:2022 certified delivery, named OSCP and CISSP consultants, fixed-price proposals, free retest within 90 days.