Compliance

RBI, SEBI and Sectoral Compliance for BFSI

Compliance Wednesday, October 28, 2026 16 min read For engineers, analysts & operators
Share LinkedIn X

Every large Indian bank, broker, depository participant, and insurer now files evidence for three or four overlapping cyber and IT frameworks at once — RBI's Cyber Security Framework and IT Governance directions, SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), CERT-In's six-hour reporting rule, and increasingly IRDAI and DPDP Act obligations layered on top. The traditional response — a quarterly scramble of screenshots, spreadsheets and sign-offs before an IS audit — cannot scale to this density of mandates. This article is a practitioner's blueprint for replacing point-in-time audit theater with always-on assurance: compliance-as-code, continuous control monitoring, and evidence that generates itself.

Why point-in-time audits are structurally failing BFSI

The classical compliance operating model in Indian BFSI runs on an annual or half-yearly rhythm: an IS audit team (internal or empaneled CERT-In auditor) samples controls, IT teams pull evidence manually from consoles, spreadsheets get stitched into a compliance report, and the board's risk committee reviews a RAG status six to nine months after the underlying control state existed. This model was tolerable when regulation moved slowly and infrastructure changed on release cycles measured in quarters. It is not tolerable now, for three concrete reasons.

First, the regulatory cadence itself has compressed. RBI's Cyber Security Framework circular of 2016 has been substantially supplemented by the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023), effective April 2024, which explicitly mandates continuous monitoring of IT and information security controls rather than periodic sampling. SEBI's CSCRF, issued in August 2024 and phased in through 2024–2025 across stock exchanges, depositories, clearing corporations, RTAs, KRAs, mutual funds, and other regulated entities, requires real-time SOC monitoring, quarterly vulnerability assessments, and cyber-audit reporting with far shorter remediation windows than the predecessor circulars it replaces. CERT-In's 2022 directions require security incident reporting within six hours of detection — a window that makes any manual, human-in-the-loop evidence pipeline structurally incapable of compliance.

Second, the attack surface being audited has itself become continuous. API gateways, cloud workloads, SaaS integrations, and third-party payment processors change configuration multiple times a day. A control that was compliant on the day of the audit sample can drift out of compliance within hours — a firewall rule opened for a vendor integration and never closed, an IAM policy over-provisioned during an incident and never walked back, a certificate that silently expires. Static, retrospective audits cannot see this drift; they can only certify a snapshot that was already stale by the time it was reviewed.

Third, the cost structure of manual evidence collection has become the binding constraint on audit scope itself. When every control requires a human to log into a console, take a screenshot, and paste it into a workbook, audit teams instinctively narrow the sample size to what is operationally survivable. That narrowing is precisely where risk hides — the untested 90% of controls between samples. Always-on assurance inverts this: once evidence collection is automated, the marginal cost of testing every control, every day, approaches zero, and audit scope can finally match risk exposure rather than staffing capacity.

Insight. The real cost of manual compliance isn't audit fatigue — it's the silent narrowing of audit scope to whatever a team can manually evidence in the time available, which systematically under-samples the highest-velocity risk: configuration drift between audit cycles.

RBI's cybersecurity and IT governance stack

RBI regulates banks, NBFCs, urban co-operative banks, and payment system operators through a layered set of instruments that, read together, form a de facto continuous-assurance mandate even though the word "continuous" appears explicitly only in the newer directions. The foundational circular remains the June 2016 Cyber Security Framework for banks, which established the requirement for a board-approved cyber security policy distinct from the general IT policy, a Cyber Security Operations Centre (C-SOC) with defined SLAs, and a baseline cyber resilience posture including network segmentation, privileged access management, and vulnerability management.

Layered on top of that baseline is the Master Direction on IT Governance, Risk, Controls and Assurance Practices, finalized in November 2023 and effective from April 1, 2024, which is the single most consequential document for engineering teams to internalize. It mandates a formal IT Governance framework with board-level oversight (IT Strategy Committee), a defined IT risk management framework mapped to business risk appetite, and — critically for this article — an IS Audit function that must operate on a risk-based, continuous basis rather than a fixed annual calendar. The direction explicitly calls for automated tools for control testing where feasible and requires that IT and cyber risk be reported to the board at a frequency proportionate to risk, not merely annually.

For payment system operators and banks handling payment data, the April 2018 data localization circular remains binding: end-to-end transaction data for payment systems must be stored only in India, and where a foreign leg exists, only the foreign-leg data may reside outside India, with a 24-hour repatriation window after processing. This has direct architectural consequences — it rules out several categories of foreign-hosted SaaS logging and analytics tools unless they are deployed in an India region with contractual and technical guarantees, which is one reason sovereign and on-prem deployment options matter for any monitoring or evidence platform used in this vertical.

RBI also runs sector-specific overlays: the Digital Payment Security Controls directions (2021) for card-issuing and payment gateway entities mandate specific technical controls — tokenization, velocity checks, transaction monitoring rule engines, and mandatory penetration testing cadences. NBFCs and UCBs above defined asset thresholds are brought under a parallel Cyber Resilience and Digital Payment Security framework with somewhat relaxed timelines but the same control philosophy. The common thread across all of these instruments is a shift in emphasis from "produce a policy document" to "prove the control operated, continuously, with evidence."

SEBI's CSCRF and market infrastructure obligations

SEBI's regulated universe — stock exchanges, clearing corporations, depositories, depository participants, RTAs (registrars and transfer agents), KYC registration agencies, qualified stock brokers, mutual funds and AMCs, and portfolio managers — was previously governed by a fragmented set of circulars issued separately for each category of intermediary, each with its own cadence and terminology. The Cybersecurity and Cyber Resilience Framework (CSCRF), circulated in August 2024, consolidates these into a single framework structured around five functions borrowed from the NIST Cybersecurity Framework: Governance, Identify, Protect, Detect, Respond and Recover, plus a sixth SEBI-specific pillar on cybersecurity audit.

The operationally significant elements for engineering teams are threefold. First, CSCRF mandates a Cyber Security Operations Centre (SOC) with defined monitoring coverage — for the largest Market Infrastructure Institutions (MIIs) this means 24x7 SOC operations with defined detection and response SLAs, and for smaller qualified REs a proportionate but still continuous monitoring obligation. Second, it requires a standardized VAPT (Vulnerability Assessment and Penetration Testing) cadence — typically half-yearly for MIIs and annually for smaller REs — with findings tracked to closure against fixed remediation timelines and reported through a structured format to SEBI and CERT-In. Third, and most relevant to this article's thesis, CSCRF introduces the concept of a Cyber Capability Index (CCI), a maturity self-assessment scored against a defined rubric that regulated entities must submit periodically, effectively converting qualitative security posture into a quantitative, auditable metric that SEBI can trend over time across the industry.

CSCRF also tightens data localization and cloud governance requirements for REs using third-party cloud infrastructure, requiring a documented cloud risk assessment, defined data residency commitments, and exit strategy documentation before onboarding a cloud provider for critical systems. It further mandates that regulated entities maintain a Software Bill of Materials (SBOM) practice for critical applications and track third-party and open-source component risk — a requirement that pushes CSCRF obligations directly into the software supply chain and DevSecOps pipeline, not just runtime security operations.

The practical effect of CSCRF for a broker or RTA's engineering organization is that cyber-audit is no longer an annual event conducted by an external CERT-In empaneled auditor alone; it is a continuous obligation with monthly and quarterly artifacts — SOC monitoring logs, VAPT closure trackers, CCI self-assessment evidence, and incident reports — that must be produced on a recurring cycle and be defensible to both internal audit and SEBI inspection at any time.

The overlay problem: CERT-In, IRDAI, and the DPDP Act

BFSI entities rarely answer to a single regulator. A bank with an insurance subsidiary, a broking arm, and a payments business answers to RBI, IRDAI, and SEBI simultaneously, plus the horizontal obligations that apply to every "body corporate" in India regardless of sector: CERT-In's 2022 cybersecurity incident reporting directions and the Digital Personal Data Protection (DPDP) Act, 2023, along with its 2025 draft rules.

CERT-In's directions require reporting of 20 specified categories of cyber incidents within six hours of detection (not six hours of occurrence — detection, which is a materially harder clock to hit), mandatory time synchronization to NTP servers, log retention of 180 days within India, and designation of a Point of Contact for CERT-In coordination. The six-hour clock is the single hardest constraint in the entire Indian regulatory landscape to satisfy manually: by the time a human analyst has triaged an alert, confirmed it meets a reportable category, drafted the incident report, and routed it through internal sign-off, six hours is frequently gone. This is the clearest possible argument for automated detection-to-evidence-to-draft-report pipelines, a workflow well suited to an agentic SOC architecture where a triage agent pre-populates the CERT-In reportable-category classification and drafts the initial report the moment a qualifying detection fires, leaving a human to review and submit rather than build from scratch. Platforms built around agentic SOC workflows and XDR detection and response are designed precisely for this compressed-clock reality.

IRDAI's cybersecurity guidelines for insurers, most recently consolidated in 2023, mirror the RBI and SEBI structure — board-approved policy, C-SOC or equivalent monitoring, incident reporting, and periodic audit — but with insurer-specific emphasis on policyholder data protection and claims-system integrity, given the volume of PII and health data insurers process. For BFSI groups with an insurance arm, this means a fourth control taxonomy to reconcile against the same underlying infrastructure.

The DPDP Act adds a horizontal layer: consent management, purpose limitation, breach notification to the Data Protection Board, and (once the rules are notified) significant data fiduciary obligations including mandatory Data Protection Impact Assessments and, for entities so designated, data localization for specified categories of sensitive personal data. Because DPDP breach notification timelines and CERT-In incident reporting timelines do not perfectly align, and because RBI, SEBI and IRDAI each define "reportable incident" slightly differently, a BFSI compliance function today is reconciling four overlapping but non-identical incident taxonomies against a single underlying security event stream. This reconciliation problem is exactly what a common control catalog, discussed in the next section, is built to solve.

RBI

Cyber Security Framework, IT Governance Master Direction, Digital Payment Security Controls, data localization (2018)

SEBI

CSCRF (Governance, Identify, Protect, Detect, Respond, Recover, Audit), Cyber Capability Index, VAPT cadence

CERT-In

Six-hour incident reporting, 180-day log retention, NTP time sync, empaneled auditor requirement

IRDAI / DPDP

Policyholder data protection, consent management, breach notification to Data Protection Board

Figure 1 — Four overlapping regulatory taxonomies converge on the same underlying infrastructure and event stream.

Compliance-as-code: turning circulars into executable policy

Compliance-as-code means representing each regulatory obligation as a versioned, testable, machine-evaluable artifact rather than a paragraph in a policy document that a human interprets during an audit. In practice this requires three layers: a control catalog that decomposes each RBI, SEBI, CERT-In and DPDP clause into atomic, technically checkable statements; a policy engine that evaluates those statements against live infrastructure and application state; and a mapping layer that lets one underlying technical check satisfy multiple regulatory clauses simultaneously, since RBI, SEBI, and CERT-In frequently ask for functionally identical controls in different words.

The control catalog is the foundational artifact and the one organizations most often skip, going straight to tooling before doing the decomposition work. A well-formed catalog entry looks like a structured record: a unique control ID, the regulatory source clauses it satisfies (e.g., "RBI IT Governance MD ¶17.3(b); SEBI CSCRF PR.AC-04; CERT-In Annexure I item 7"), a plain-English control statement, the technical assertion that must hold true, the systems in scope, the evidence artifact expected, the check frequency, and the owner. Maintaining this catalog in a structured format — YAML or JSON in a version-controlled repository, not a Word document — is what makes everything downstream automatable, because the catalog itself becomes the input to policy engines and evidence pipelines rather than a reference document a human re-reads before each audit.

The policy engine layer is where the "as-code" part actually executes. Tools like Open Policy Agent (OPA) with Rego, or cloud-native equivalents (AWS Config rules, Azure Policy, custom Kubernetes admission controllers), let you express a control such as "no security group shall permit unrestricted inbound access on management ports" as a policy that evaluates automatically on every infrastructure change, not just during an audit window. For BFSI environments running a mix of on-prem, private cloud, and public cloud — often mandated by RBI/SEBI data localization rules to keep core banking and payment data in India-resident infrastructure — the policy engine needs connectors into each environment: Kubernetes admission webhooks for containerized workloads, Terraform plan-time policy checks (via Conftest or Sentinel) for infrastructure-as-code changes before they merge, and runtime agents for legacy on-prem systems where infrastructure-as-code coverage is incomplete, which is common in core banking mainframe and midrange environments that predate the IaC era by decades.

The mapping layer deserves particular engineering attention because it is where compliance-as-code earns its return on investment. A single technical check — "privileged account access is reviewed and recertified at least quarterly, with evidence of reviewer identity and timestamp" — simultaneously satisfies RBI's privileged access management expectation, SEBI CSCRF's Identify-function access governance control, and is relevant evidence for a DPDP data-fiduciary access-control obligation. Building the catalog so that one control node fans out to multiple regulatory citations, rather than maintaining three separate control implementations for three regulators, is the single highest-leverage design decision in the entire program; without it, engineering teams end up building and maintaining three parallel, slightly divergent automation pipelines for what is functionally one control.

Regulatory mapping layer — RBI, SEBI CSCRF, CERT-In, IRDAI, DPDP clauses fanned onto shared control IDs
Policy-as-code engine — OPA/Rego, Terraform plan-time checks, Kubernetes admission control, cloud config rules
Infrastructure & application estate — core banking, trading systems, cloud workloads, on-prem and air-gapped nodes
Figure 2 — A layered compliance-as-code stack: one control catalog, one policy engine, many regulatory citations satisfied per check.

Continuous control monitoring: from batch checks to a living state

Compliance-as-code gives you the ability to evaluate a control programmatically; continuous control monitoring (CCM) is the operational discipline of actually running those evaluations on a schedule tight enough that drift is caught before it becomes an incident, and of persisting the result as a time series rather than a point-in-time pass/fail. The distinction matters because a policy engine that only runs at merge time (say, blocking a Terraform apply that would violate a control) catches new drift but says nothing about controls that were compliant at deploy time and have since drifted due to manual out-of-band changes, expired certificates, or a break-glass emergency change that was never reverted.

A mature CCM architecture runs three concentric monitoring loops at different frequencies. The fastest loop, running continuously or at minute-level intervals, watches for security-relevant state changes via event streams — cloud provider config-change events, IAM policy modification events, firewall rule changes — and evaluates them against policy the instant they occur, which is the loop that catches the "opened a port for a vendor and forgot to close it" class of drift within minutes rather than at the next quarterly audit. The second loop, running daily or hourly, performs full-estate reconciliation sweeps that catch drift the event stream missed (an agent outage, a missed webhook, a system that changed state outside the monitored control plane entirely, such as a manual change on a legacy on-prem switch). The third loop, running weekly or monthly, aggregates the first two into trend reports and computes the maturity-style metrics that regulators like SEBI's CCI framework now expect as a standing artifact rather than an annual production.

For BFSI specifically, the highest-value controls to bring under this three-loop model first are the ones that show up in every regulatory taxonomy simultaneously: privileged access management and recertification, network segmentation between core banking/trading systems and general corporate IT, patch and vulnerability remediation SLAs, encryption-at-rest and in-transit configuration, log integrity and retention, and third-party/vendor access governance. These six control families alone typically map to 60–70% of the line items in an RBI IS audit and a SEBI cyber-audit simultaneously, which means automating continuous monitoring for just these six delivers the majority of the always-on assurance benefit before the program has to tackle the long tail of narrower, lower-frequency controls.

Continuous monitoring is also where detection and compliance genuinely converge operationally, not just conceptually. The same telemetry a SOC analyst uses to detect a privilege-escalation attack — identity and access logs, EDR telemetry, network flow data — is the evidence a compliance control needs to prove access governance is operating correctly. Building the monitoring pipeline once, feeding both a detection engine (via an XDR or exposure management platform) and a compliance evidence store, avoids the common anti-pattern of standing up a separate, lower-fidelity "compliance monitoring" tool that duplicates 80% of what the SOC's detection stack already collects, at real licensing and maintenance cost, and inevitably drifts out of sync with what the SOC actually sees.

Evidence automation: from screenshots to an immutable evidence lake

Evidence automation is the layer that converts a continuous control-monitoring result into something an RBI inspector, a SEBI cyber-auditor, or an internal audit committee will actually accept as proof. This is a harder problem than it sounds, because auditors are trained to be suspicious of self-reported, mutable data — a spreadsheet a control owner can edit is worth less as evidence than a system-generated, timestamped, tamper-evident record, even if the underlying fact is identical.

The architecture that works in practice is an evidence lake: a write-once, append-only store (object storage with object-lock/WORM configuration, or a hash-chained log) that receives evidence artifacts automatically from the monitoring pipeline — a JSON record of the control check result, the raw system output that produced it (a config export, an access-review report, an IAM policy diff), a cryptographic hash of the artifact, and a timestamp anchored to a trusted time source, satisfying the NTP time-synchronization requirement CERT-In already mandates for exactly this reason. Each evidence record is linked to its control catalog ID and, through the mapping layer described earlier, to every regulatory clause it satisfies, so a single automated capture event produces evidence usable in an RBI IS audit, a SEBI cyber-audit, and a CERT-In post-incident review without three separate collection exercises.

Retention policy for the evidence lake should be driven by the strictest applicable requirement rather than a single default: CERT-In mandates 180 days of log retention, but RBI's IS audit expectations and SEBI's CSCRF cyber-audit cycles typically require evidence covering the full audit period (commonly 12 months) plus a prior-period comparison, and internal audit committees often want multi-year trend data to demonstrate sustained control operation rather than a single good quarter. In practice this means most BFSI evidence lakes are configured for a minimum 3-year retention on control-evidence records, with the underlying raw logs retained per the shorter regulatory floor and a compacted/summarized evidence record retained longer for exactly this trending purpose.

Chain-of-custody matters as much as retention. Every evidence record should carry an immutable lineage: which system produced the raw data, which policy version evaluated it, which control catalog version it was mapped against at the time, and who (or what agent) approved any manual override or exception. When SEBI's CCI self-assessment or an RBI examiner asks "prove this control was operating on March 14th," the answer should be a query against the evidence lake returning a signed artifact, not a scramble to reconstruct what the environment looked like five months earlier.

A practical operating pattern many BFSI security teams are converging on is to route continuous-monitoring findings and evidence capture through the same agentic workflow that handles alert triage and case management in the SOC, so that an exception raised by a control check (say, a firewall rule that violates segmentation policy) automatically opens a tracked case, notifies the control owner, and — on remediation — captures the closure evidence in the same evidence lake, closing the loop without a separate GRC-tool ticket that has to be manually reconciled against the security case later. This is the operational integration point where compliance tooling and integrated NOC-SOC operations genuinely merge rather than running as parallel, loosely coupled functions.

Insight. Evidence that a human can edit after the fact is worth less to an auditor than evidence a system generated automatically at the moment the control operated — even when the underlying fact is identical. Design the evidence lake for tamper-evidence first, dashboards second.

Data residency, sovereignty, and air-gapped deployment constraints

A compliance-as-code and continuous-monitoring architecture for Indian BFSI has to be designed against a residency constraint that many general-purpose compliance and observability platforms simply cannot satisfy: RBI's 2018 payment-data localization circular requires end-to-end transaction data to reside only in India, and several PSU banks and defense-adjacent financial entities operate infrastructure that is fully air-gapped from the public internet as a matter of policy, not just regulation. This rules out any evidence pipeline or policy engine whose control plane depends on a foreign SaaS backend, and it rules out monitoring agents that phone home to an external vendor cloud for policy updates or telemetry aggregation.

The practical design response is a control plane that can run entirely within the regulated entity's own infrastructure boundary — on-prem, in an India-region private cloud, or fully air-gapped with periodic signed policy-update packages carried across the air gap rather than pulled live from the internet. This is a materially different architecture from a typical cloud-native SaaS compliance tool, which usually assumes the monitored environment can reach the vendor's cloud continuously. Policy catalog updates (say, a new CSCRF clause added mid-cycle) need to be distributed as versioned, signed artifacts that can be imported into an air-gapped environment through an offline transfer process, with the evidence lake itself remaining fully local so that no compliance evidence ever needs to leave the regulated perimeter to be generated, stored, or queried.

This is also the reason sovereign deployment options matter concretely rather than as a checkbox: a platform architected from the ground up to run in cloud, on-prem, and air-gapped modes with an identical control and evidence model across all three lets a BFSI group standardize one compliance-as-code catalog across its cloud-hosted digital lending platform, its on-prem core banking system, and an air-gapped treasury or defense-linked subsidiary, rather than maintaining three incompatible compliance tool stacks because only one of them could actually be deployed everywhere the group operates. Algomox's platform, spanning ITMox for IT operations, CyberMox for security, and the AI-native stack underneath both, is built specifically to support this cloud-to-air-gapped continuum, which is the deployment reality most Indian BFSI groups actually live in rather than the cloud-only assumption most compliance SaaS products are built around.

Metrics: proving the shift from audit-readiness to always-on assurance

An always-on assurance program needs its own metrics, distinct from the pass/fail audit-finding count that dominated the point-in-time era, because pass/fail counts measured at a single moment tell you nothing about how long a control was actually in a compliant state between measurements. The metrics below are the ones that matter to engineering leadership, the CISO, and the board's risk committee, roughly in order of operational importance.

  • Control coverage ratio — the percentage of the full control catalog that has an automated, continuously-evaluated check versus controls still relying on manual attestation. This is the single best leading indicator of program maturity; most programs start below 30% and should target 80%+ within 18–24 months.
  • Mean time to evidence (MTTE) — how long it takes from an auditor's request to a signed evidence artifact being produced. Manual programs measure this in days; a mature evidence-lake architecture measures it in minutes for any control already under continuous monitoring.
  • Drift duration — for controls under continuous monitoring, the actual elapsed time a control spent out of compliance before remediation, aggregated across the estate. This replaces the old binary "was it compliant on audit day" with a real exposure-time measure that maps directly to risk.
  • Exception aging — the count and age distribution of open compensating-control exceptions (cases where a control cannot be met and a documented, risk-accepted workaround is in place). Regulators increasingly scrutinize exception volume and staleness as a proxy for control debt.
  • CCI trend (for SEBI-regulated entities) — the trajectory of the Cyber Capability Index score over successive self-assessment cycles, since SEBI explicitly expects this to be a rising or stable trend, not a static annual number.
  • Audit preparation cost — person-hours consumed per audit cycle, tracked over time as a direct ROI measure for the compliance-as-code investment; organizations that automate the six high-leverage control families described earlier typically see 50–70% reduction in preparation hours within a year.
  • Time-to-CERT-In-report — elapsed time from detection to submitted incident report for qualifying events, benchmarked directly against the six-hour regulatory clock rather than a generic MTTR metric.

These metrics only become credible when they are themselves produced from the evidence lake rather than compiled manually, for the same reason the underlying compliance evidence needs to be system-generated: a board risk committee that is shown a manually-assembled "control coverage" slide has no more assurance than one shown a manually-assembled audit report. The metrics program and the evidence automation program are the same engineering effort viewed from two angles.

FrameworkPrimary regulatorCore continuous obligationReporting / audit cadenceKey engineering touchpoint
Cyber Security Framework (2016) & IT Governance Master Direction (2024)RBIBoard-approved cyber policy, C-SOC, risk-based continuous IS auditContinuous monitoring; board reporting proportionate to riskIAM/PAM controls, network segmentation, IS audit automation
Digital Payment Security Controls (2021)RBITokenization, velocity checks, transaction monitoringPeriodic penetration testing; incident-driven reportingPayment gateway rule engines, card data tokenization
Payment data localization (2018)RBIEnd-to-end payment data resident in India; 24-hr repatriation for foreign legOngoing / audit-verifiedData residency architecture, no foreign-hosted logging for payment data
CSCRF (2024)SEBI24x7 SOC (MIIs), VAPT cadence, Cyber Capability Index self-assessmentHalf-yearly VAPT (MIIs), annual (smaller REs); periodic CCI submissionSOC integration, SBOM tracking, cloud risk assessment docs
Cybersecurity incident reporting directions (2022)CERT-InReportable incident detection and disclosureWithin 6 hours of detectionAutomated detection-to-report pipeline, NTP sync, 180-day log retention
Cybersecurity guidelines (2023)IRDAIPolicyholder data protection, claims-system integrityAnnual audit; incident-driven reportingPII/health-data access controls, claims workflow monitoring
DPDP Act (2023) & draft rulesData Protection BoardConsent management, purpose limitation, breach notificationIncident-driven; periodic DPIA for significant fiduciariesConsent ledger, data-flow mapping, breach-notification automation

Worked example: from circular text to executable control

To make the abstraction concrete, walk through one control end to end: privileged access recertification, which appears in some form in RBI's IT Governance Master Direction, SEBI's CSCRF Identify function, and is implicitly relevant to a DPDP access-governance obligation. The circular language is qualitative: privileged access must be granted on a need basis, reviewed periodically, and revoked promptly on role change or exit. Turning this into compliance-as-code requires four concrete steps.

Step one is decomposition: break the qualitative statement into atomic, testable assertions — every privileged account must map to an active, authorized business justification; every privileged account must have been reviewed by an accountable owner within the last 90 days; every account belonging to a user whose HR status changed to "terminated" or "role-changed" must be revoked or re-scoped within a defined SLA (commonly 24–48 hours for terminations); and no privileged account may be shared across multiple human identities without a documented exception. Each assertion becomes its own control catalog entry with its own check logic, because they fail independently and an auditor will ask about each separately.

Step two is instrumentation: identify the authoritative data sources for each assertion — the IAM/PAM system's entitlement export for the account-and-justification mapping, the review-workflow system's approval log for the recertification timestamp, an HRIS feed joined against the IAM system for the termination-SLA check, and a directory-service query for shared-account detection. This is usually the most time-consuming engineering step in the whole program, not because the logic is complex but because BFSI environments typically have multiple identity stores (mainframe RACF or ACF2 alongside Active Directory alongside a cloud IAM) that need to be reconciled into one entitlement view before any policy can evaluate cleanly.

Step three is policy expression: encode each assertion as a Rego policy (or equivalent) that runs against the reconciled entitlement feed on the appropriate loop — the termination-SLA check on the fast, event-driven loop since it is time-critical, and the 90-day recertification check on the daily reconciliation loop since it changes slowly. A simplified version of the recertification check, expressed conceptually, evaluates each privileged account record for a "last_reviewed_at" field, computes the age against the 90-day threshold, and emits a pass/fail/exception result per account with the reviewer identity attached.

Step four is evidence and mapping: each policy evaluation writes a signed record to the evidence lake tagged with the control catalog ID, and the catalog entry itself carries the fan-out to "RBI IT Governance MD ¶[X], SEBI CSCRF PR.AC-0[Y]" so that a single quarterly run of this check produces evidence simultaneously usable in both an RBI IS audit and a SEBI cyber-audit, and contributes to the access-governance component of the SEBI CCI self-assessment score without any additional manual work. When an account fails the check, the same event automatically opens a remediation case routed to the account owner, and closure of that case (the account being revoked or re-certified) generates the closing evidence record — the full loop from regulatory text to closed, evidenced remediation, without a human touching a spreadsheet.

This same four-step pattern — decompose, instrument, encode, evidence-and-map — applies to every other control family: network segmentation validation (querying firewall and micro-segmentation policy state against a defined segmentation model), patch SLA compliance (querying vulnerability scanner and patch management system state against severity-tiered SLA thresholds), and encryption configuration (querying key-management and TLS configuration state against minimum cipher-suite and key-rotation policy). Once the pattern and the underlying entitlement/asset reconciliation plumbing exist for one control family, extending it to the next is materially faster — the second control family typically takes a third of the effort of the first, and the fifth takes a tenth, because the hard reconciliation and evidence-lake plumbing is shared infrastructure at that point.

Regulatory clauseRBI / SEBI / CERT-In text
Decompose & instrumentatomic assertions, source systems
Policy-as-code checkOPA/Rego, event or scheduled loop
Evidence lakesigned, mapped to N regulators
Auto-remediation caseon failure, closes the loop
Figure 3 — The compliance-as-code lifecycle for a single control, from circular text to closed, evidenced remediation.

Operating model: who owns what in an always-on program

Compliance-as-code fails as a purely tooling exercise if the operating model around it does not change as well, and this is where most BFSI programs stall after an initially promising pilot. The traditional model has a compliance/GRC team that owns the audit relationship and a separate IT/security team that owns the infrastructure being audited, connected only through periodic evidence requests. An always-on model requires those two functions to share a control catalog as a joint artifact, with engineering owning the technical assertion and check logic, and compliance owning the regulatory mapping and the interpretation of ambiguous clauses — both editing the same version-controlled repository rather than compliance writing a policy document that engineering later has to reverse-interpret into technical controls.

This requires a small but critical new role many BFSI organizations are only now formalizing: a control engineer or compliance engineer, sitting organizationally in security engineering but functionally accountable to both the CISO and the Chief Compliance Officer, whose job is specifically to maintain the control catalog, write and test the policy-as-code checks, and manage the evidence-lake mapping. Without this role, the catalog tends to be maintained by whichever team feels the pain first, and it drifts out of sync with the other team's understanding of what a control actually requires.

Exception handling also needs a formal, fast workflow, because always-on monitoring will surface far more control failures than an annual audit ever did — not because the environment got worse, but because visibility improved. A control failure that used to go undetected for months because no one looked is now flagged within minutes. Programs that do not prepare the organization for this spike in visible findings, and do not have a fast triage-and-exception process ready, risk a political backlash against the monitoring program itself ("this tool generates too many false alarms") when in fact the tool is correctly surfacing real, previously-invisible drift. A documented risk-acceptance and compensating-control exception process, with clear approval authority and mandatory aging/review, is what separates a program that survives this initial spike from one that gets quietly disabled six months in.

A maturity roadmap for getting there

Organizations rarely go from spreadsheet-based audit prep to full always-on assurance in one project; a realistic roadmap has four stages. Stage one, typically 0–6 months, is control catalog construction and the selection of the six to eight highest-leverage control families (privileged access, segmentation, patch SLA, encryption, log integrity, vendor access) for initial automation, deliberately choosing controls that map to multiple regulators simultaneously to maximize early ROI and build organizational confidence in the model. Stage two, 6–12 months, builds the policy engine and evidence lake for those initial control families and gets the fast and daily monitoring loops operating reliably, including the exception-handling workflow described above, which needs to exist before the third loop's trend reporting is trustworthy. Stage three, 12–18 months, extends coverage to the long tail of remaining controls, integrates the evidence lake outputs directly into the CCI self-assessment and RBI board-reporting artifacts so those become automated productions rather than annual projects, and begins tying compliance evidence into the same case-management workflow the SOC uses for security incidents. Stage four, ongoing from 18 months, is continuous refinement — tightening drift-duration targets, expanding automated remediation (not just automated detection) for well-understood control failures, and using the accumulated evidence-lake history to demonstrate sustained maturity trends to regulators rather than point-in-time snapshots, which is increasingly what examiners themselves are asking to see.

Throughout this roadmap, the architectural discipline that prevents cost blowout is resisting the temptation to build bespoke tooling for each regulator's specific reporting format. The control catalog and evidence lake should be regulator-agnostic; only a thin, late-stage rendering layer should format evidence into an RBI IS audit template, a SEBI CSCRF cyber-audit submission, or a CERT-In incident report, because those formats change periodically while the underlying control logic is comparatively stable. Organizations that instead build the RBI reporting logic and the SEBI reporting logic as separate systems from the ground up find themselves re-doing the bulk of the engineering work every time a circular is amended, which is precisely the treadmill an always-on assurance program is meant to escape. Identity and access governance in particular benefits from this pattern, since identity security and PAM controls sit at the intersection of nearly every regulator's expectations, and privileged access management tooling that exposes its entitlement and review data through a clean API is what makes the whole catalog-to-evidence pipeline tractable rather than a perpetual integration project.

Insight. Build one regulator-agnostic control catalog and evidence lake with a thin, swappable rendering layer per regulator — not three parallel compliance stacks — or every circular amendment becomes a re-engineering project instead of a template update.

Key takeaways

Frequently asked questions

Does SEBI's CSCRF replace all the earlier SEBI cybersecurity circulars for different intermediary categories?

CSCRF, issued in August 2024, consolidates the previously fragmented circulars covering stock exchanges, depositories, RTAs, KRAs, mutual funds, and other regulated entities into a single unified framework, phased in across categories through 2024–2025. Entities should confirm their specific applicability date and category-specific annexure, since implementation timelines and control thresholds (such as SOC coverage hours and VAPT cadence) differ between Market Infrastructure Institutions and smaller qualified REs even under the consolidated framework.

Is compliance-as-code realistic for legacy core banking and mainframe environments that predate infrastructure-as-code?

Yes, but the instrumentation step looks different: instead of policy-as-code evaluating Terraform plans or Kubernetes manifests, it evaluates periodic or event-driven exports from the mainframe's security manager (RACF, ACF2, Top Secret) and job-scheduling logs through a runtime agent or scheduled extraction job. The policy logic and evidence-lake architecture remain identical; only the data-collection connector changes, which is why decomposing controls into source-system-agnostic assertions in the catalog matters so much.

How does an agentic SOC fit into meeting the CERT-In six-hour reporting window?

An agentic triage layer can classify a detection against CERT-In's reportable-incident categories, pre-populate the required report fields (systems affected, indicators, initial impact assessment), and route it for human review the moment a qualifying alert fires, compressing the largest time sink — manual triage and drafting — down to minutes so the remaining hours are available for verification and sign-off rather than first-draft creation. This is the specific workflow pattern behind agentic SOC and AI-driven XDR alert triage deployments in regulated environments.

What is the single biggest mistake BFSI organizations make when starting a compliance-as-code program?

Building separate automation for each regulator instead of one regulator-agnostic control catalog with a thin per-regulator reporting layer. The second most common mistake is automating detection of control failures without first building the exception-handling and remediation workflow, which causes a visibility spike that overwhelms teams and creates political pressure to roll back the very monitoring that is working correctly.

Move from audit-readiness to always-on assurance

Algomox helps BFSI security and compliance teams build a shared control catalog, continuous monitoring loops, and a tamper-evident evidence lake — deployable across cloud, on-prem, and air-gapped environments to meet RBI, SEBI, CERT-In, and DPDP obligations simultaneously.

Talk to us
AX
Algomox Research
Compliance
Share LinkedIn X