Key takeaways
- Indian fintech mobile teams sit under a three-layer regulatory stack: prudential (RBI Master Direction on IT Governance, effective 1 April 2024), technical (CERT-In Directions, April 2022, 6-hour reporting), and privacy (DPDP Rules 2025, substantive provisions in force from 13 May 2027).
- The RBI Master Direction (RBI/2023-24/107) requires VAPT every 6 months on critical systems and annually on non-critical, with documented risk-based justification for non-critical scoping.
- CERT-In’s 6-hour incident notification rule and 180-day log retention requirement are independent of RBI and DPDP — they apply to every entity in India, not just regulated ones.
- This article is the working guide to satisfying all three layers with one coherent mobile security programme.
If you ship a financial services mobile app in India in 2026, you are accountable to three independent regulatory regimes that overlap but do not substitute for each other. Compliance with RBI does not give you DPDP compliance. Compliance with DPDP does not give you CERT-In compliance. Compliance with all three is non-optional for a licensed entity.
This is the practitioner’s guide to what each regime actually requires of a mobile app, where they overlap, where they don’t, and what a single coherent mobile security programme looks like that satisfies all three.
The three-layer stack
Layer 1 — Prudential (RBI Master Direction on IT Governance).
- Applies to: scheduled commercial banks, small finance banks, payments banks, NBFCs (top, upper, middle layer), credit information companies, AIFIs (EXIM, NABARD, NaBFID, NHB, SIDBI)
- Governs: IT governance, IT risk management, vendor risk, BCP/DR, VAPT cadence, incident response governance
- Reference: RBI/2023-24/107 DoS.CO.CSITEG/SEC.7/31.01.015/2023-24, issued 7 November 2023, effective 1 April 2024
- Enforced by: RBI Department of Supervision
Layer 2 — Technical (CERT-In Directions, April 2022).
- Applies to: every entity (service provider, intermediary, data centre, body corporate, government organisation) in India
- Governs: cyber incident reporting (6-hour rule), system log retention (180-day minimum, in India), NTP synchronisation, KYC retention for VPN / cloud / VPS / data centre operators
- Reference: CERT-In Directions under Section 70B(6) of the IT Act 2000, issued 28 April 2022
- Enforced by: CERT-In, with criminal penalties under IT Act 2000 for non-compliance
Layer 3 — Privacy (DPDP Act 2023 + DPDP Rules 2025).
- Applies to: every Data Fiduciary processing digital personal data of Data Principals located in India
- Governs: notice and consent, lawful processing, Data Principal rights, reasonable security safeguards, breach notification, retention, cross-border transfer, Significant Data Fiduciary obligations
- Reference: DPDP Act 2023 (assented 11 August 2023); DPDP Rules notified 13 November 2025; substantive provisions effective 13 May 2027
- Enforced by: Data Protection Board of India (constituted November 2025); penalties up to ₹250 crore per violation
A licensed Indian fintech with a mobile banking app sits squarely under all three. NPCI guidelines (for UPI), SEBI directives (for capital markets apps), and IRDAI directives (for insurance apps) layer additional scheme-specific requirements on top.
RBI Master Direction on IT Governance — what it requires for mobile
The Master Direction consolidates more than a decade of RBI cyber and IT guidance into a single framework. The mobile-relevant obligations:
Governance and accountability. Senior management responsibility for IT risk, with formal reporting to Board / Risk Committee. An IT Steering Committee (ITSC) with defined responsibilities. A Chief Information Security Officer (CISO) for relevant entities. The CISO reports findings — including mobile-specific findings — into formal risk dashboards for board consumption.
IT strategy and risk management. Documented IT strategy aligned with business strategy, with explicit treatment of mobile channel risk. IT risk assessments at defined frequency. IT risk register maintained and reviewed.
VAPT cadence — the headline mobile obligation. For critical information systems (which includes customer-facing mobile apps for any RE), Vulnerability Assessment (VA) at least every 6 months and Penetration Testing (PT) at least every 12 months. For non-critical systems, a risk-based approach is acceptable but the risk-based justification must be documented. Independent information security experts must conduct the testing. Identified vulnerabilities must be fixed in a time-bound manner.
Vendor risk and outsourcing. Where the entity uses third parties for mobile development, mobile testing, or mobile operations, RBI’s vendor risk assessment requirements apply. The 2023 Outsourcing of IT Services Direction layers on additional obligations including, for critical applications, source code access or escrow.
Incident response. Cyber incident response and recovery management policy that addresses classification, severity assessment, communication strategy. Severity-based escalation. Root cause analysis and lessons learned. Integration with CERT-In notification (Layer 2) is implicit — RBI expects you to satisfy CERT-In as a matter of course.
Business continuity for critical applications. Mobile banking apps are typically classified as critical. RBI expects half-yearly DR drills. RPO targets defined and measured. Backup integrity tested.
Audit and assurance. Internal IT audit at minimum annually. Independent IS audit. Documented closure of audit findings.
The non-bank Payment System Operators (PSOs) Direction issued 30 July 2024 layers additional payment-security controls on PSOs: 12-hour cooling period after mobile/email change before further transactions, secure-by-design SDLC, twice-yearly transaction-data backup testing, security audits and VAPT before deployment or redeployment. Compliance phased: large PSOs by 1 April 2025, medium by 1 April 2026, small by 1 April 2028.
CERT-In Directions — the technical layer
The April 2022 Directions apply to every entity in India, with no exemption for size or sector. The mobile-relevant obligations:
Cyber incident notification within 6 hours of becoming aware. A specific, prescribed list of incident types must be reported. Mobile compromises that involve user account access, fraudulent transactions, malware affecting customer-side mobile environments, data breach involving personal data — all reportable within 6 hours.
System log retention for 180 days, within India. ICT system logs covering authentication, transaction processing, system administration, security events. Logs must be retained in Indian jurisdiction. This affects cloud architecture decisions for any fintech using offshore hosting.
NTP synchronisation to NIC servers or NPL servers. All ICT systems must synchronise time to government-designated NTP sources to ensure forensic timeline integrity.
KYC retention for VPN, cloud service, VPS and data centre operators (5 years post-relationship-end), and for crypto exchanges (5 years).
Empanelled cybersecurity auditor for entities required to undergo cyber audit. CERT-In maintains a list of empanelled auditors.
The 6-hour clock is the most operationally demanding. CERT-In notification is technical and time-pressured; the runbook to satisfy it must be tested before it’s used. A bank that takes 12 hours to determine whether an incident has occurred is non-compliant even if the incident itself is minor.
DPDP Act and Rules — the privacy layer
DPDP applies in addition to RBI and CERT-In. The mobile-app-relevant obligations were covered in detail in [our DPDP article][link to /blog/dpdp-act-compliance-checklist-mobile-apps-india]; the headline points for fintech specifically:
- Consent for each purpose, separately capturable, withdrawable, audit-logged
- Notice in plain language in English plus relevant Eighth Schedule languages
- Reasonable security safeguards (Rule 6) — encryption, access control, logs (≥1 year), backups, breach detection
- Breach notification within 72 hours to the Data Protection Board, plus notification to affected Data Principals
- Significant Data Fiduciary obligations — likely to apply to most large fintech: appointed DPO based in India, annual DPIA, periodic audit, algorithmic system verification
DPDP penalties: up to ₹250 crore per violation for failure to maintain reasonable security safeguards, with no aggregate cap.
Where the three layers overlap (and where they don’t)
The diagram of overlap is useful.
Common ground (all three layers expect):
- Strong authentication for sensitive flows
- Encryption of data in transit and at rest
- Logging of security-relevant events
- Incident response capability
- Periodic security testing
- Documented governance with named accountability
RBI-specific (not directly required by CERT-In or DPDP):
- Specific VAPT cadence (6-monthly / annual) for critical systems
- Source code access or escrow for critical applications
- Specific BCP / DR testing cadence
- Maturity expectation in IT governance practice
CERT-In-specific (not directly required by RBI or DPDP):
- 6-hour incident notification timeline
- Indian-jurisdiction log storage
- NTP synchronisation to NIC / NPL
- KYC retention for specific service categories
DPDP-specific (not directly required by RBI or CERT-In):
- Consent for each purpose with audit log
- Data Principal rights workflow
- 72-hour DPB notification (different clock from CERT-In’s 6-hour)
- Data Processor contract obligations
Where the clocks differ: CERT-In’s 6-hour clock and DPDP’s 72-hour clock both run for an incident involving personal data; they do not substitute. RBI supervisory notification expectations run in parallel. A bank dealing with a cyber incident affecting customer data must notify CERT-In within 6 hours, the DPB within 72 hours (from May 2027), affected Data Principals “without undue delay,” and engage RBI through standard supervisory channels. The runbook must support all four streams.
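The four parallel notification streams above, as an added runbook helper that is not part of the original article. It assumes every fixed clock runs from the moment the entity becomes aware of the incident, that the DPB 72-hour clock binds only for incidents discovered on or after 13 May 2027, and that the RBI supervisory and Data Principal streams have no fixed deadline; all timestamps are constructed.

```python
"""Added example (not from the original article): track the parallel notification
clocks for one incident involving personal data. Assumptions, also stated in the
lead-in: all fixed clocks run from awareness; the DPB clock applies only from
13 May 2027; RBI supervisory and Data Principal streams carry no fixed deadline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
DPDP_EFFECTIVE = datetime(2027, 5, 13, tzinfo=IST)  # substantive DPDP provisions live

@dataclass(frozen=True)
class Stream:
    recipient: str
    deadline: Optional[datetime]    # None = no fixed clock on this stream
    status: str                     # "open", "breached" or "no fixed deadline"
    remaining: Optional[timedelta]  # time left on a fixed clock (negative once breached)

def _stream(recipient: str, aware_at: datetime, now: datetime,
            window: Optional[timedelta]) -> Stream:
    if window is None:
        return Stream(recipient, None, "no fixed deadline", None)
    deadline = aware_at + window
    left = deadline - now
    return Stream(recipient, deadline, "open" if left >= timedelta(0) else "breached", left)

def notification_streams(aware_at: datetime, now: datetime) -> list[Stream]:
    """Return every applicable stream, fixed clocks first and most urgent first."""
    clocks = [("CERT-In", timedelta(hours=6)),
              ("RBI supervisory", None),
              ("affected Data Principals", None)]   # "without undue delay"
    # Assumption: the DPB 72h clock only binds once DPDP substantive provisions are live.
    if aware_at >= DPDP_EFFECTIVE:
        clocks.append(("Data Protection Board", timedelta(hours=72)))
    streams = [_stream(r, aware_at, now, w) for r, w in clocks]
    return sorted(streams, key=lambda s: (s.deadline is None, s.deadline or now))

def breached(streams: list[Stream]) -> list[str]:
    """Recipients whose fixed clock has already run out."""
    return [s.recipient for s in streams if s.status == "breached"]

if __name__ == "__main__":
    aware = datetime(2027, 6, 1, 9, 0, tzinfo=IST)   # constructed awareness time
    for s in notification_streams(aware, aware + timedelta(hours=7)):
        print(f"{s.recipient:26} {s.status:18} {s.deadline}")
```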
The UPI angle — NPCI’s Mobile App Security Framework
If your app integrates UPI — and most consumer Indian fintechs do — NPCI’s Mobile App Security Framework adds another layer. Released as NPCI/2025-26/IS/003, the framework specifies:
- Device binding requirements
- Application-level encryption for UPI flows
- Tamper detection requirements
- Permitted vs prohibited libraries
- Specific anti-fraud controls for UPI transaction flows
This is a payment-scheme-level requirement, distinct from RBI / CERT-In / DPDP. Non-compliance can result in suspension from UPI participation, which for most consumer fintechs is a business-ending outcome.
Cost of non-compliance — a survey of recent enforcement
A non-exhaustive survey of 2024–2025 enforcement actions affecting Indian fintech and BFSI mobile operations:
- Paytm Payments Bank (RBI action, 31 January 2024): broad suspension of new customer onboarding and several core operations citing persistent non-compliances and material supervisory concerns including IT and cybersecurity issues.
- ICICI Bank (RBI, August 2025): ₹75 lakh penalty for various deficiencies including aspects of IT governance.
- IndusInd Bank (RBI, December 2024): penalty for non-compliance including aspects related to IT and cybersecurity governance.
- HPE Financial Services (RBI, September 2024): penalty for KYC-related deficiencies.
- Multiple smaller NBFCs and fintechs have faced penalties under the IT Act 2000 / SPDI Rules for personal data security failures, often disclosed quietly without public announcement.
The DPDP enforcement era hasn’t started yet — substantive provisions don’t bite until 13 May 2027. But IT Secretary S. Krishnan has publicly indicated that post-deadline enforcement will be “calibrated initially” but will produce “exemplary actions” to set precedent. The first wave of DPDP enforcement actions is widely expected to target large fintech and consumer apps where compliance gaps are most visible.
A 90-day readiness framework for Indian fintech mobile teams
The runway is short and the sequencing matters. The plan we use with Indian fintech clients:
Month 1 — Inventory and baseline.
- Catalogue every mobile app in your perimeter: customer-facing, employee-facing, partner-facing
- For each app, capture: criticality classification (RBI sense), data categories processed (DPDP sense), incident history (CERT-In sense)
- Run a baseline scan against MASVS v2.1 + Mobile Top 10 2024 + RBI/CERT-In/DPDP mapping pack
- Identify critical and high findings; document remediation plan
Month 2 — Pipeline and process.
- Wire continuous mobile testing into CI/CD for every app classified critical (RBI definition)
- Define the per-release evidence template that produces RBI-ready, CERT-In-ready and DPDP-ready outputs from a single scan
- Stand up the incident response runbook with parallel CERT-In (6h) / DPB (72h, from 2027) / RBI supervisory paths
- Configure 180-day Indian-jurisdiction log retention
Month 3 — Audit and Board.
- Run an internal audit cycle using the new evidence
- Brief Risk Committee / Board on the multi-regulator (RBI / CERT-In / DPDP) mobile programme
- Engage external empanelled auditor for the next RBI-required VAPT cycle
- Document the DPDP-readiness gap and the May 2027 path
Quarter 2 onwards.
- Steady-state operation
- Roll out to non-critical apps with appropriate cadence
- Track KPIs: scan coverage, MTTR by severity, mean time to incident notification (rehearsed)
- Refresh governance documentation quarterly
How HEXMobileSuite supports the Indian fintech stack
The platform is built for this multi-regulator pattern.
- MPTL rule engine — 124 rules mapped to MASVS v2.1 + Mobile Top 10 2024
- India regulator mapping packs — RBI Master Direction, CERT-In Directions, DPDP Rules, NPCI MASF, included on Pro and Enterprise tiers
- CI/CD integrations — GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps
- Continuous Play Store and App Store monitoring — catches post-release SDK changes (critical for vendor-risk evidence under RBI)
- CycloneDX SBOM on every scan — supports CERT-In’s 2025 SBOM Guidelines v2.0 alignment
- Razorpay billing in INR with UPI AutoPay support — designed for Indian buyers, not bolt-on
See [link to /dpdp-compliance] for the DPDP-specific mapping and [link to /pricing] for India-billed pricing.
What to do this quarter
If you operate an Indian fintech with mobile apps in production:
- Run a baseline scan. [link to /free-scan] — 30 minutes, signed PDF with RBI / CERT-In / DPDP mapping. See where you actually stand.
- Audit your CERT-In runbook. Have you actually rehearsed the 6-hour notification? When was the last drill? Who has the authority to file?
- Review your VAPT contract for RBI alignment. Is it 6-monthly on critical and annual on non-critical, with documented risk basis?
- Begin the DPDP gap analysis now. 13 May 2027 sounds far. The engineering work to reach it is not.
- Confirm your log architecture meets the 180-day Indian-jurisdiction requirement. This often surprises cloud-native fintechs whose default architecture stores logs in US or EU regions.
The Indian fintech regulatory stack is one of the most demanding in the world today. The compensation is that the market is one of the largest, fastest-growing, and most digitally engaged. The teams that build a coherent triple-layered mobile security programme in 2026 will spend 2027 and 2028 with cleaner audits, smoother regulator relationships, and the operational capacity to ship fast without burning audit cycles.
HEXMobileSuite is the mobile application security platform from Hiesen Cyber Security, with RBI / CERT-In / DPDP mapping packs included. Razorpay billing in INR with UPI AutoPay. Run a free baseline scan at hexmobsuite.hiesencyber.com.