You are reading it here first: Nineteen out of the sixty-nine authorised payment system operators did not submit a System Audit Report (SAR) for the financial year 2020-21 as required by the Reserve Bank of India (RBI), a Right to Information (RTI) response revealed. The central bank began demanding the annual submission of a SAR from all authorised payment system operators starting this year amidst the increasing number of cyber-security attacks and data breaches targeting Indian companies. A SAR covers the security practices of a company among other things. Notable entities that had not submitted a SAR by the September 30 deadline include Visa, Mobikwik, State Bank of India, and Punjab National Bank. The RTI request demanding the list of compliant entities was filed by Srikanth Lakshmanan of CashlessConsumer, a consumer collective on digital payments. In light of the revelation that many entities had not submitted this report, Srikanth told MediaNama: While RBI highlights data security and acts hard on data residency compliance, it is laughable that basic yearly information security auditing and compliance in submission of System Audit Report within prescribed timelines is not tracked and we have seen no action against erring regulated entities. If this is the seriousness towards data security, it exposes that the agenda that drove RBI towards data localization regime is clearly not care for data security. Payment operators that did not submit a SAR for FY 2020-21 Visa Worldwide Pte. Limited, Singapore (Cards Payment Network ) Bank of India (ATM network) Punjab National Bank (ATM network)…
