Regulatory Compliance

SAR Compliance Audit

Overview
Methodology
Purpose
Our Approach
Benefits
Clients
FAQs

Overview : SAR Compliance Audit

The current trend in data storage technology involves storing data in many locations so that data centres may quickly access backup copies of it. Every entity managing payment data, from fintech companies that conduct peer-to-peer transactions to gateway operators accessed globally for universal fund transfers, must have the appropriate authorisation, hence conducting a SAR audit becomes a necessity. As per the guidelines of RBI on 6th April 2018, all payment firms which earlier used to have their payment systems servers based outside India, now have to establish their payment systems on servers in India having data related to Indian national residents. The directive states that all the payment system providers who have been regulated by the Reserve Bank of India, have to set up their payment systems in India now wards as per the Payment and Settlement Act, 2007.

Methodology

RBI and NPCI have defined a holistic checklist for all information being stored in India in RBI’s data localization guidelines. The checklist is often referred to as the System Audit Report criterion highlighting several domains that need to be taken into account while auditing payment systems.

Why do organizations need it?

SAR data localisation shields native citizen’s financial and personal information in moments of geopolitical crisis
Shielding against anti-money laundering threats
Holistic implementation of regulations to secure payment gateways
Enhance IT Governance for payment service providers

Our Approach

Finally, all the information and understandings are compiled in a well-documented scope, determining the boundaries and applicability of the SAR audit, referring to the pain point and the requirements of the stakeholders. The Scope encompasses the work systems, number of departments and location of the organization.

Information gathering

In order to understand how data flows, a thorough questionnaire is offered, shared with the teams, and supported by other supporting material and statistics on implementation and controls.

Audit Process

After defining the scope of the project and beginning the engagement, we'll carry out an initial audit to understand the organization's infrastructure and assist our clients in locating all the storage facilities that house any payment-related data.

Remediation Support

The remediation support for adhering to the RBI mandate will be provided by kratikal in accordance with the assessment and identification of the payment data.

Report and Confirmation Letter

After evaluation and correction, Kratikal will look over your documentation regarding the Action phase's successful conclusion as noted during the audit. When the transaction is completed successfully, we will provide the letter of confirmation stating that all payment-related data is stored in India.

Benefits

Clients

Kratikal Insights

Enterprise
Customers

Organizations’ Security
Compliant

K+

Small and mid-size
enterprises (SMEs)

K+

Threats Recorded in
GCTx Database

FAQs

What are the major key criteria covered under SAR audit?

The major parts covered are - Payment Data elements, Data Storage, Access Management, Data Backup & Restoration, Data Security.

What does data localisation as per RBI stand for?

Data Localization is an attempt to rehabilitate citizens’ data under Section 94 of the Companies Act 2013, where organizations must collect, process or store the data in their native country and registered office before transferring it overseas.

Is there any limitation of data localization?

One of the prominent drawbacks of enforcing data localization is that there is nil assurance that the services provided would fully wipe out the data informally stored overseas.

Why are Indian Officials localizing data?

The major catch behind localizing citizens’ data is to prevent their information from international monitoring. This further ensures that if some foreign organization wishes to look into the financial information of Indian citizens, they must acquire legal permission from the domestic authorities of India.