You just closed a partnership with a bank or NBFC. Or maybe you’re a payment aggregator that just got your PA license. Somewhere in the compliance checklist your partner handed you, there’s a line item about “RBI cybersecurity framework compliance” and a requirement for a VAPT report.
If you’re a fintech startup in India that touches money in any form (payments, lending, insurance, wealth management), RBI’s cybersecurity requirements apply to you. Not just banks. NBFCs, payment aggregators, account aggregators, and even fintech companies working with regulated entities need to comply. The specifics vary by entity type, but the direction is clear: every player in the financial ecosystem is expected to have a baseline security posture.
Here’s what you actually need to know.
Which RBI Guidelines Apply to You?
RBI has issued multiple circulars and directions over the years. The ones most relevant to fintech startups:
| Guideline | Year | Applies To |
|---|---|---|
| Cybersecurity Framework for Banks | June 2016 | Scheduled commercial banks |
| Guidelines on IT Governance, Risk, IT & IS Audit | January 2023 (updated) | Banks, NBFCs, UCBs |
| Master Direction on Digital Payment Security Controls | 2021 | Payment system operators, banks, non-bank PSOs |
| IT Framework for NBFCs | 2017 | All NBFCs (scaled by size/category) |
| CSITE Reporting Requirements | Ongoing | All regulated entities |
If you’re a payment aggregator, the Master Direction on Payment Aggregators and Payment Gateways (2020, updated 2024) also has specific security requirements you need to meet for licensing and ongoing compliance.
The key thing to understand: these aren’t suggestions. Non-compliance can result in regulatory action, fines, or your banking partner pulling the plug on your integration.
Key Requirements Breakdown
The exact requirements vary by entity type and scale, but here’s the practical summary of what RBI expects across its various frameworks.
1. Board-Approved Cybersecurity Policy
Every regulated entity needs a cybersecurity policy approved by the board (or equivalent governing body). This isn’t a 50-page document that sits in a drawer. RBI expects it to be reviewed and updated annually, covering threat landscape changes, incident learnings, and technology shifts.
For startups: if you don’t have a board yet, your founding team needs to formally approve and sign off on this policy. It should cover access control, data protection, incident response, vendor risk, and employee security awareness.
2. Cyber Security Operations Center (SOC)
Banks need a dedicated SOC. Smaller entities (NBFCs, payment aggregators) can outsource this to a managed SOC provider, but you still need continuous monitoring in place. “We check logs once a week” does not meet the requirement.
What this means practically: you need 24/7 monitoring of your critical systems, with alerting and escalation procedures documented.
3. Vulnerability Assessment and Penetration Testing (VAPT)
This is where most fintech startups first encounter RBI compliance. The requirement is straightforward:
- Annual VAPT is mandatory for all regulated entities
- Must cover your applications, infrastructure, and APIs
- Report should address OWASP Top 10, business logic vulnerabilities, and API security
- Remediation verification is required (not just “here’s a list of findings”)
- VAPT must be repeated after significant changes to applications or infrastructure
RBI does not strictly mandate CERT-In empaneled auditors for all entity types, but many banks and NBFCs require their partners to use qualified, certified security firms. If your banking partner requires CERT-In empanelment, confirm that upfront before engaging a vendor.
4. Incident Response and CSITE Reporting
RBI requires regulated entities to report cyber security incidents through the CSITE (Cyber Security Incident Reporting) framework. The key points:
- Incidents must be reported to RBI within 6 hours of detection (for banks)
- NBFCs and other entities have similar reporting requirements with varying timelines
- You need a documented incident response plan that your team actually practices
- Post-incident root cause analysis is required
For startups: even if you’re not directly regulated, your banking/NBFC partner will contractually require you to report incidents to them within tight timelines. Build this into your incident response plan from day one.
5. Data Localization
This is non-negotiable for payment data:
- All payment system data must be stored only in India
- This includes transaction data, card data, and customer authentication data
- End-of-day processing data can be shared abroad for settlement purposes, but the primary copy stays in India
- RBI has conducted audits to verify compliance with this requirement
If you’re using AWS, GCP, or Azure, make sure your payment data workloads run exclusively in the Mumbai (or Hyderabad) region. No exceptions.
6. Multi-Factor Authentication
For digital payment transactions:
- MFA is required for customer-facing payment transactions
- The authentication factors must be from different categories (something you know, have, or are)
- SMS OTP alone may not be sufficient for high-value transactions going forward
- Device binding and biometric authentication are encouraged
7. Encryption Requirements
- Data at rest and in transit must be encrypted
- Encryption standards must align with current best practices (AES-256, TLS 1.2+)
- Key management procedures must be documented
- PCI DSS compliance is additionally required if you handle card data
VAPT Requirements: The Details
Since VAPT is the most common compliance requirement fintech startups face, here’s a deeper breakdown of what a proper RBI-compliant pentest looks like.
| Requirement | What It Means |
|---|---|
| Scope | All customer-facing applications, APIs, mobile apps, and supporting infrastructure |
| Methodology | OWASP Top 10 + business logic testing + API security testing |
| Authentication testing | Session management, MFA bypass attempts, privilege escalation |
| Report format | Executive summary + technical findings + remediation guidance + risk ratings |
| Remediation verification | Re-test after fixes to confirm vulnerabilities are resolved |
| Frequency | At least annually, plus after significant changes |
| Tester qualifications | Certified professionals (OSCP, CEH, CompTIA PenTest+, or equivalent) |
A common mistake: running an automated vulnerability scanner (Nessus, Qualys) and submitting that as your “VAPT report.” Regulators and banking partners know the difference. A proper pentest involves manual testing of business logic, authentication flows, and API endpoints that automated tools miss entirely.
How This Affects Fintech Startups (Not Just Banks)
Even if you’re not directly regulated by RBI, here’s why this matters to you:
Payment aggregators (Razorpay, Cashfree partners): If you’re a merchant or platform using a payment aggregator, your PA will increasingly require you to demonstrate security compliance. If you’re applying for your own PA license, these requirements are mandatory.
NBFCs and lending platforms: All NBFCs are required to comply with the IT framework. If you’re a lending platform partnering with an NBFC, they will require VAPT reports and security policy documentation from you.
Account aggregators: The AA framework has its own security requirements, heavily influenced by RBI’s broader cybersecurity framework. Data security is central to the AA model.
Fintech-bank partnerships: When a bank evaluates you as a technology partner, they’ll assess your security posture against RBI’s framework. No VAPT report, no security policy, no partnership.
Compliance Roadmap for Startups
Here’s a practical sequence that works for early-stage fintech companies:
Phase 1: Assessment (Week 1-2)
Start with a security assessment to understand where you stand. Map your current controls against RBI requirements for your specific entity type. Most startups are 20-40% compliant without realizing it (you probably already have encryption in transit, cloud security groups, and some form of access control).
Our Security on Demand session (INR 9,999, 4 hours, founder-led) is built for exactly this: a structured assessment with an actionable gap report.
Phase 2: VAPT (Week 2-4)
Get a proper penetration test done. Not just a scanner report. Manual testing of your application, APIs, and infrastructure by certified testers who understand fintech-specific risks (payment flows, transaction manipulation, authentication bypass).
Our Startup Pentest Plan (INR 74,999) covers one application scope with 7-day delivery, including remediation guidance and a re-test. The Growth Pentest Plan (INR 1,79,999) covers two scopes and includes SOC 2 + ISO 27001 audit prep if you’re on that path too.
Phase 3: Policy and Documentation (Week 3-5)
Document your cybersecurity policy, incident response plan, data classification, access control policy, and vendor risk management. These don’t need to be lengthy. They need to be accurate, followed, and board-approved.
Phase 4: Incident Response Setup (Week 4-6)
Build your incident response workflow with CSITE reporting built in. Define severity levels, escalation paths, communication templates, and reporting timelines for your banking/NBFC partners.
Phase 5: Data Localization Verification (Week 5-6)
Audit your infrastructure to confirm all payment data stays in India. Check your database hosting, backup locations, CDN caching, log storage, and any third-party integrations that might process payment data outside India.
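Phase 5 above, together with the data localization rules in section 5, as an added example that is not part of the original post: a Python audit that walks a constructed cloud inventory and flags payment data (primary copies, replicas, backups, logs and CDN caches) located outside India, allowing only the end-of-day settlement copy abroad when its primary copy remains in India. The AWS region names for Mumbai and Hyderabad and the inventory records are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# AWS regions physically in India (Mumbai, Hyderabad); assumed mapping, other clouds differ.
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}

@dataclass
class Resource:
    rid: str                 # constructed resource identifier
    region: str              # where the data lives; "global" for edge/CDN services
    data_class: str          # "payment" (covered by the rule) or "non-payment"
    dataset: str = ""        # logical dataset, used to pair an export with its primary copy
    is_primary: bool = True  # False for replicas, backups and exported copies
    purpose: str = ""        # "settlement_export" marks the permitted end-of-day copy
    copies_to: List[str] = field(default_factory=list)  # replication/backup destination regions

def audit(inventory: List[Resource]) -> List[str]:
    """Return one finding per localization violation; an empty list means compliant."""
    # Only datasets whose primary copy sits in India may have a settlement export abroad.
    india_primaries = {r.dataset for r in inventory
                       if r.data_class == "payment" and r.is_primary and r.region in INDIA_REGIONS}
    findings = []
    for r in inventory:
        if r.data_class != "payment":
            continue  # the localization rule covers payment system data only
        if r.region == "global":
            findings.append(f"{r.rid}: edge/CDN service holds payment data; disable caching of it")
        elif r.region not in INDIA_REGIONS:
            permitted = (r.purpose == "settlement_export" and not r.is_primary
                         and r.dataset in india_primaries)
            if not permitted:
                findings.append(f"{r.rid}: payment data stored in {r.region}, outside India")
        for dest in r.copies_to:  # replicas and backups are stored data too
            if dest not in INDIA_REGIONS:
                findings.append(f"{r.rid}: backup/replica destination {dest} is outside India")
    return findings

# Constructed inventory for this example; none of these resources are real.
SAMPLE_INVENTORY = [
    Resource("rds-txn-primary", "ap-south-1", "payment", "transactions", copies_to=["ap-south-2"]),
    Resource("rds-txn-replica-sg", "ap-southeast-1", "payment", "transactions", is_primary=False),
    Resource("s3-db-backups", "ap-south-1", "payment", "transactions", copies_to=["us-east-1"]),
    Resource("s3-eod-settlement-in", "ap-south-1", "payment", "settlement"),
    Resource("s3-eod-settlement-eu", "eu-west-1", "payment", "settlement", is_primary=False, purpose="settlement_export"),
    Resource("cwlogs-payment-api", "us-west-2", "payment", "api-logs"),
    Resource("cdn-checkout", "global", "payment", "checkout-pages"),
    Resource("s3-marketing-assets", "us-east-1", "non-payment", "marketing"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Feed it the same kind of records your cloud inventory export produces (region, data classification, replication targets) and the list of findings becomes the checklist for the localization audit.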
Phase 6: Ongoing Compliance (Continuous)
Annual VAPT, quarterly vulnerability scans, regular policy reviews, and incident response drills. This isn’t a one-time checkbox. RBI expects continuous compliance, and your banking partners will ask for updated reports annually.
What This Costs
For context, here’s a realistic budget for a seed-to-Series A fintech startup:
| Item | Cost Range | Notes |
|---|---|---|
| Security assessment | INR 10,000 - 50,000 | Depends on scope and complexity |
| Penetration test (annual) | INR 75,000 - 1,80,000 | Manual testing, not just scanners; see our pricing |
| Policy documentation | INR 50,000 - 2,00,000 | Can be done in-house if you have security expertise |
| Managed SOC (if required) | INR 1,50,000 - 5,00,000/year | Outsourced monitoring for smaller teams |
| Data localization audit | INR 25,000 - 75,000 | Infrastructure review |
| Total first year | INR 3 - 10 lakh | Varies significantly by entity type and existing maturity |
That’s significantly less than what banks spend, and it’s achievable on a startup budget. The cost of non-compliance (failed partnerships, regulatory action, or a breach without proper controls) is far higher.
How We Help
We work with fintech startups at every stage of RBI compliance:
- Security assessment: identify gaps against RBI requirements for your specific entity type
- Penetration testing: annual VAPT with audit-grade reports your banking partners and regulators expect
- Remediation support: fix what the pentest finds, with verification retesting included
- Policy documentation: practical, followable policies that satisfy regulatory requirements
- Ongoing security: fractional security team support through our consulting plans for companies that need continuous coverage without hiring a full-time security team
Not sure where to start? Our Security on Demand session (INR 9,999, 4 hours) gives you a clear picture of your compliance gaps and a prioritized roadmap. Full refund if you don’t continue. Continue with us, and the fee comes off the price.
Book a Security on Demand session, check our pentest plans, or run a free external attack surface scan to see what’s publicly exposed today. For a broader view of how we support compliance readiness, see our audit and compliance services.