Summary
Indian BFSI carries the country's most demanding overlapping regulatory load — RBI cyber and AI governance, SEBI CSCRF for market intermediaries, and PCI DSS v4.0.1 for card systems. This quarter's theme: the shift from point-in-time audits to continuous, examination-grade evidence.
~25
RBI MRM documentation artefacts per AI model
51
PCI v4.0.1 requirements now mandatory
6 hrs
CERT-In incident-reporting window
The quarter's biggest gaps
- AI-model governance is the least-mature area — most banks and NBFCs lack model inventories and independent validation ahead of RBI's MRM regime.
- Evidence quality, not policy existence, is what RBI examinations turn on — and it is where many entities are thinnest.
- PCI v4.0.1's continuous-evidence expectation is under-served by annual-audit operating models.
- Third-party/vendor risk remains a common blind spot across the sector.
By entity type
- Banks: strongest audit muscle, weakest AI-model governance.
- NBFCs: layer-dependent obligations; digital-lending and IT-outsourcing directions are frequent gaps.
- Payment firms: the heaviest stack — PCI v4.0.1 + RBI PA/PSS + DPDP simultaneously.
- Capital-markets intermediaries: SEBI CSCRF deadline-driven; VAPT-submission readiness is the common gap.
What to prioritise this quarter
- Stand up an AI-model inventory and validation programme now.
- Move to continuous evidence for PCI and RBI controls.
- Map overlapping controls once (RBI/PCI/ISO/SOC 2) to cut duplicate effort.
- Use CERT-In empanelled, senior assessors for examination-accepted evidence.
