    BFSI · GLOSSARY · EDITION I

    The plain-English glossary for Indian BFSI compliance.

    54 terms that decide whether software clears an Indian audit — grouped by regulator, written for buyers.

    54 terms · 8 regulator groups

    Regulators · 8 terms

    RBI

    The Reserve Bank of India is India’s central bank and the primary regulator for banks, NBFCs, payment systems, and many digital lending workflows.

    Why it matters · RBI-regulated buyers care deeply about outsourcing, IT governance, cyber resilience, customer data, auditability, KYC, digital lending, and operational risk.

    Related · RBI IT Governance · RBI Outsourcing Master Direction · Digital Lending · KFS

    SEBI

    The Securities and Exchange Board of India regulates India’s securities markets, including brokers, mutual funds, exchanges, depositories, portfolio managers, and market infrastructure institutions.

    Why it matters · SEBI buyers often require stronger cybersecurity, cyber resilience, SOC monitoring, incident classification, and technology-risk controls.

    Related · SEBI CSCRF · Type-A Broker · MII · Cyber-SOC

    IRDAI

    The Insurance Regulatory and Development Authority of India regulates insurers, insurance intermediaries, and insurance-sector governance.

    Why it matters · Insurance software must handle sensitive personal data, claims data, policyholder records, intermediary access, and cyber controls.

    Related · IRDAI Cyber Guidelines · PII · Data Fiduciary

    MeitY

    The Ministry of Electronics and Information Technology is India’s central ministry for digital policy, including the IT Act and DPDP framework.

    Why it matters · MeitY-led rules affect privacy, data processing, digital signatures, cyber policy, and compliance design for all digital vendors.

    Related · DPDP Act · IT Act 2000 · CERT-In

    UIDAI

    The Unique Identification Authority of India runs Aadhaar and governs Aadhaar authentication and e-KYC use.

    Why it matters · Vendors touching Aadhaar workflows must support the right authentication, consent, identity, security, and ecosystem requirements.

    Related · Aadhaar OTP · Aadhaar eSign · e-KYC

    CERT-In

    The Indian Computer Emergency Response Team is India’s national agency for cyber incident response and reporting directions.

    Why it matters · Vendors must help BFSI customers detect, classify, preserve logs, and report incidents within regulatory timelines.

    Related · CERT-In Direction April 2022 · VAPT

    CCA

    The Controller of Certifying Authorities licenses and regulates certifying authorities for digital signatures and electronic signatures under the IT Act.

    Why it matters · eSign and DSC workflows depend on whether the signing method is legally valid and issued through licensed trust infrastructure.

    Related · DSC · Aadhaar eSign · IT Act §5

    NPCI

    The National Payments Corporation of India operates major retail payment rails such as UPI, IMPS, RuPay, NACH, and Aadhaar-linked payment infrastructure.

    Why it matters · Payment, mandate, lending, collections, and account-verification tools often touch NPCI-linked rails.

    Related · e-NACH · eMandate · Account Aggregator

    Acts & Regulations · 10 terms

    DPDP Act 2023

    India’s Digital Personal Data Protection Act creates obligations for processing digital personal data, including notice, consent, duties of data fiduciaries, and rights of data principals.

    Why it matters · BFSI vendors handling customer data must support consent, data minimization, retention, security, breach handling, and contractual processing controls.

    Related · Data Fiduciary · Data Principal · Significant Data Fiduciary

    DPDP Rules 2025

    The Digital Personal Data Protection Rules, 2025 operationalize parts of the DPDP Act, including phased commencement for specific obligations.

    Why it matters · Buyers need to know whether vendors can support compliance timelines, notices, consent mechanisms, child-data handling, and breach workflows.

    Related · Consent Manager · Negative List

    IT Act 2000

    The Information Technology Act gives legal recognition to electronic records, electronic signatures, cyber offences, certifying authorities, and certain security practices.

    Why it matters · It decides when electronic records and electronic signatures are legally recognized in India.

    Related · IT Act §5 · DSC · Aadhaar eSign

    PMLA

    The Prevention of Money Laundering Act is India’s anti-money-laundering framework for reporting entities and financial-sector due diligence.

    Why it matters · KYC, onboarding, transaction monitoring, screening, and record-retention tools often need PMLA-aware controls.

    Related · e-KYC

    RBI Master Direction on IT Governance

    RBI’s IT governance direction sets expectations for governance, risk, controls, assurance, vendor risk, business continuity, and auditability for regulated entities.

    Why it matters · Software vendors must fit into governance, audit, source-code, access, data-integrity, and third-party-risk controls.

    Related · RBI Outsourcing Master Direction

    RBI Outsourcing Master Direction

    RBI’s IT outsourcing direction governs how regulated entities manage third-party technology service providers and outsourced IT arrangements.

    Why it matters · SaaS vendors become part of the regulated entity’s risk perimeter; contracts, audit rights, data controls, and exit plans matter.

    Related · Material Outsourcing · Concentration Risk

    SEBI CSCRF

    SEBI’s Cybersecurity and Cyber Resilience Framework sets cybersecurity and resilience expectations for SEBI-regulated entities.

    Why it matters · Vendors serving brokers, AMCs, MIIs, and market intermediaries must support SOC, incident response, cyber drills, access controls, and resilience evidence.

    Related · Cyber-SOC · Type-A Broker · MII

    IRDAI Information & Cyber Security Guidelines 2023

    IRDAI’s 2023 guidelines strengthen information and cyber security governance for insurers and insurance intermediaries.

    Why it matters · Insurance buyers require security governance, access control, data classification, encryption, incident management, and third-party controls.

    Related · IRDAI

    CERT-In Direction April 2022

    CERT-In’s 2022 directions require specified entities to report listed cyber incidents within six hours of noticing or being informed of them.

    Why it matters · Vendors must preserve logs, detect incidents fast, provide reporting evidence, and support forensic readiness.

    Related · CERT-In · VAPT

    IT Reasonable Security Practices Rules 2011

    These rules define reasonable security practices for sensitive personal data under India’s IT framework.

    Why it matters · They remain relevant for baseline security controls, privacy practices, consent, and sensitive personal information handling.

    Related · Reasonable Security Practices

    Compliance Concepts · 8 terms

    Data Fiduciary

    A person or organization that determines the purpose and means of processing personal data under the DPDP Act.

    Why it matters · BFSI institutions are usually data fiduciaries; vendors may be processors but still need contractual and technical safeguards.

    Related · Data Principal · DPDP Act 2023

    Data Principal

    The individual to whom personal data relates under the DPDP Act.

    Why it matters · Customers, borrowers, policyholders, employees, and users may all be data principals whose rights must be supported.

    Related · DPDP Act 2023 · Consent Manager

    Significant Data Fiduciary

    A data fiduciary designated for heightened obligations based on factors such as volume, sensitivity, risk, and impact.

    Why it matters · Large BFSI institutions may need stronger governance, audits, DPO-style ownership, and risk assessments.

    Related · DPDP Act 2023 · Data Fiduciary

    Material Outsourcing

    Outsourcing that materially affects business operations, customer service, risk management, compliance, or regulatory supervision.

    Why it matters · If a SaaS product becomes operationally critical, procurement must evaluate audit rights, exit plans, concentration risk, and resilience.

    Related · RBI Outsourcing Master Direction · Concentration Risk

    Concentration Risk

    The risk of relying too heavily on one vendor, cloud, geography, or service provider.

    Why it matters · BFSI buyers need multi-vendor, multi-region, or exit strategies when one failure could affect critical operations.

    Related · Material Outsourcing

    Reasonable Security Practices

    Security controls considered adequate under applicable law, contracts, or regulatory expectations.

    Why it matters · Buyers must map vendor controls to security baselines such as access control, encryption, logging, audit, and incident response.

    Related · VAPT

    Cyber Resiliency Goals

    Objectives that ensure systems can withstand, respond to, and recover from cyber incidents.

    Why it matters · A product is judged not only by whether it prevents attacks but also by whether it helps the business recover from an incident without collapse.

    Related · SEBI CSCRF

    Risk-Based Supervision

    A regulatory approach that applies deeper scrutiny where risk is higher.

    Why it matters · Systemically important institutions, high-volume fintechs, and sensitive-data processors should expect tougher vendor reviews.

    Related · Significant Data Fiduciary · Top Layer NBFC · Type-A Broker

    Authentication & eSign · 8 terms

    Aadhaar OTP

    A one-time password sent to the mobile number linked to an Aadhaar number, used for Aadhaar authentication and certain e-KYC/eSign flows.

    Why it matters · Retail lending, KYC, and Aadhaar-linked signing workflows may require Aadhaar-compatible identity verification.

    Related · Aadhaar eSign · UIDAI · e-KYC

    Aadhaar eSign

    A regulated electronic signature method that uses Aadhaar or other approved e-KYC-based authentication to issue a short-lived digital signature certificate.

    Why it matters · Generic eSignature is not always enough; some Indian workflows need legally valid eSign under the IT Act framework.

    Related · CCA · IT Act §5 · DSC

    Digital Signature Certificate (DSC)

    A certificate issued by a licensed certifying authority that enables legally recognized digital signatures.

    Why it matters · Board resolutions, statutory filings, high-assurance approvals, and certain regulated workflows may require DSC-grade signing.

    Related · CCA · IT Act 2000

    Video KYC

    A video-based customer identification process used by regulated entities under KYC rules.

    Why it matters · Vendor tooling must support recording, audit trails, consent, location checks, agent controls, and secure storage.

    Related · e-KYC

    e-KYC

    Electronic Know Your Customer verification, often using Aadhaar, offline XML, OTP, biometric, or other digital identity methods.

    Why it matters · Onboarding tools must prove identity, preserve evidence, and avoid unauthorized Aadhaar or personal-data handling.

    Related · Aadhaar OTP · UIDAI

    e-NACH

    Electronic National Automated Clearing House mandate setup for recurring payments and collections.

    Why it matters · Lenders, insurers, and subscription-based BFSI products need mandate validity, authentication, and payment-rail integration.

    Related · NPCI · eMandate

    eMandate

    A digital authorization that permits recurring debits from a customer’s account.

    Why it matters · It affects lending collections, insurance premiums, SIPs, subscription finance, and repayment automation.

    Related · e-NACH · NPCI

    IT Act §5

    Section 5 of the IT Act gives legal recognition to electronic signatures when prescribed conditions are met.

    Why it matters · Buyers must distinguish between convenience signatures and signatures that satisfy Indian legal-recognition requirements.

    Related · Aadhaar eSign · DSC · CCA

    BFSI Entity Types · 8 terms

    Type-A Broker

    A higher-risk or higher-scale securities intermediary classification under SEBI cyber frameworks.

    Why it matters · Type-A entities often face stronger cyber, SOC, and resilience expectations than smaller intermediaries.

    Related · SEBI CSCRF

    Top Layer NBFC

    The highest-risk layer in RBI’s scale-based NBFC regulatory framework.

    Why it matters · A Top Layer NBFC should assume deep supervisory scrutiny and enterprise-grade vendor controls.

    Related · Risk-Based Supervision

    MII

    A Market Infrastructure Institution, such as a stock exchange, clearing corporation, or depository.

    Why it matters · MIIs require very high resilience, availability, cyber governance, and operational continuity.

    Related · SEBI · SEBI CSCRF

    AMC

    An Asset Management Company that manages mutual fund schemes and investment products.

    Why it matters · AMCs need investor-data controls, SEBI compliance, cybersecurity, access governance, and outsourcing oversight.

    Related · SEBI · SEBI CSCRF

    Payment Aggregator

    An entity that facilitates merchants in accepting payments from customers and settling funds.

    Why it matters · Payment aggregators face RBI authorization, cybersecurity, data, settlement, and merchant-risk expectations.

    Related · RBI

    Account Aggregator

    A consent-based financial data-sharing entity under India’s account aggregator framework.

    Why it matters · Tools integrated into AA workflows need strict consent, data minimization, security, and audit controls.

    Related · Consent Manager · Data Fiduciary

    NBFC-MFI

    A non-bank finance company focused on microfinance lending.

    Why it matters · Tools must support small-ticket lending, customer consent, repayment, collections, KYC, and RBI scrutiny.

    Related · KFS

    Small Finance Bank

    A bank category focused on financial inclusion, smaller borrowers, and underserved segments.

    Why it matters · SFB software must deliver banking-grade controls for institutions that often run with leaner operational teams.

    Related · RBI

    Security Frameworks · 4 terms

    Zero Trust

    A security model that assumes no user, device, network, or workload is trusted by default.

    Why it matters · BFSI buyers need identity, device posture, least privilege, segmentation, and continuous verification.

    Related · ZTNA

    ZTNA

    Zero Trust Network Access gives users access to specific applications instead of broad network access.

    Why it matters · It can reduce VPN risk, improve access control, and simplify audit evidence for remote and third-party access.

    Related · Zero Trust

    Cyber-SOC

    A Security Operations Center that monitors, detects, investigates, and responds to cyber threats.

    Why it matters · SEBI, RBI, and insurance cyber expectations increasingly reward operational monitoring, not just policy documents.

    Related · SEBI CSCRF

    VAPT

    Vulnerability Assessment and Penetration Testing identifies weaknesses before attackers exploit them.

    Why it matters · Buyers must check whether vendors undergo regular testing and can share remediation evidence.

    Related · CERT-In

    Data & Privacy · 4 terms

    Cross-Border Data Transfer

    The transfer of personal data outside India, subject to applicable law, contract, and regulatory controls.

    Why it matters · BFSI buyers must understand where customer data is stored, processed, replicated, supported, and backed up.

    Related · DPDP Act 2023 · Negative List

    Data Localization

    Keeping certain data within India, either because law, regulator, contract, or internal policy requires it.

    Why it matters · Residency can be the difference between an audit-ready product and a conditional-risk product.

    Related · RBI

    Negative List

    A list of countries or destinations to which data transfer may be restricted or prohibited.

    Why it matters · Procurement must check whether vendors can restrict data movement, support regional controls, and prove processing locations.

    Related · DPDP Rules 2025 · Cross-Border Data Transfer

    Operational Tech · 4 terms

    Master Direction

    A consolidated RBI direction that groups regulatory instructions on a specific topic.

    Why it matters · Master Directions often become the procurement checklist for regulated buyers.

    Related · RBI

    FLDG

    First Loss Default Guarantee is an arrangement where a lending service provider absorbs part of loan losses, subject to RBI rules.

    Why it matters · Digital-lending vendors must structure guarantees, disclosures, and risk-sharing within RBI limits.

    Related · RBI

    KFS

    A Key Fact Statement is a standardized summary of loan terms given to borrowers before execution.

    Why it matters · Lending platforms must generate accurate, transparent, auditable KFS disclosures.

    Related · RBI

    Tokenization

    Replacing sensitive payment data with tokens to reduce exposure of card or payment credentials.

    Why it matters · Payment and checkout tools must reduce data exposure and support compliant payment processing.

    Related · NPCI