RBI Tech Guidelines
Also known as: RBI IT guidelines · RBI Master Directions
The Reserve Bank of India publishes binding technology requirements for regulated entities — Master Directions on IT governance, the Digital Lending Guidelines (2022), the Payment Aggregator/Gateway licensing framework, and the IT Outsourcing Direction. The combined regime dictates data localisation, vendor-risk posture, incident reporting timelines, and audit trails for any FinTech operating under an Indian payment or lending licence.
Concepts that travel with this one.
Architecture rarely lives in isolation — these are the terms that come up in the same conversation.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is the security standard every entity that stores, processes, or transmits cardholder data has to meet. The current spec is PCI DSS v4.0. The architectural lever is scope reduction: any service that does not touch a PAN can be carved out of audit, and a tokenisation vault is the standard mechanism for shrinking scope from 'whole platform' to a contained set of services.
DPDP Act
The Digital Personal Data Protection Act, 2023 (DPDP) is India's national data-protection law. It introduces consent-based processing of personal data, the role of Data Fiduciary, breach notification to the Data Protection Board, and cross-border transfer restrictions to a notified list of countries. TantraDev builds DPDP-aligned consent capture and audit logging into Indian-data products by default — the law's compliance window is narrowing.
FinTech
FinTech is the engineering discipline of building money-movement, lending, and financial-services software under regulatory constraint. The defining architectural pressure is that compliance — PCI DSS, RBI tech guidelines, AML monitoring, audit-trail immutability — is not a layer added late; it dictates how data flows, where services are split, and which boundary trust crosses. Latency budgets are tight (sub-200ms card-network responses), and reconciliation is a first-class system, not a script.