Updated: June 24, 2026
A bank branch is a network endpoint that happens to have a counter. When its connectivity drops, the branch does not slow down; it stops. No core banking, no transactions, no service, and a queue of customers watching staff apologise. And when its network is built loosely, with the core banking systems sharing a flat path with branch laptops, the ATM and the guest Wi-Fi, it is not only fragile but non-compliant, because the regulator now treats that branch network as a controlled, audited asset with rules attached.
For a BFSI security head, the branch is where regulation meets reality at scale. You may run hundreds or thousands of them, each a small site that must nonetheless satisfy the RBI's expectations on resilience, segmentation, encryption and data residency, and prove it to an auditor. That is a routing and segmentation problem before it is anything else, and it is solvable with a standard design built on Cisco Catalyst 8000 and Catalyst SD-WAN. Here is what the regulator asks of the branch network, and how to build to it.
More than most branch networks were designed to deliver. The RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices, effective from 1 April 2024, requires regulated entities to manage IT and cyber risk formally, with business continuity and disaster recovery among its focus areas (Business Today on the RBI Master Direction). The RBI's Cyber Security Framework adds baseline controls, of which network segmentation, specifically separating the corporate network from core banking, is a named requirement, alongside encryption and security monitoring.
These translate into concrete demands on the branch:
| RBI expectation | What it means | Branch network control |
|---|---|---|
| Network segmentation | Separate core banking from other systems | VLANs, VRFs and SD-WAN segments dividing core banking, branch staff, ATM, CCTV and guest |
| Business continuity / DR | The branch must keep operating | Multiple transports with automatic failover |
| Encryption in transit | Protect data as it moves | IPsec overlay across the WAN; MACsec on links |
| Payment data localisation | Payment data stored only in India | Controllers and data hosted in India |
| Monitoring and logging | Detect and audit access | Flow telemetry, central logging, single-console visibility |
| Governance and assurance | Documented, auditable controls | Standardised branch design and audit-ready records |
The point is that compliance is not a layer added on top of the branch network. It is the branch network, designed correctly.
Because the regulator treats continuity of service as an obligation, not an aspiration. Business continuity and disaster recovery sit explicitly in the RBI's IT governance expectations, and a branch that cannot transact because its single link failed is a continuity failure the regulator cares about, not merely an inconvenience. The customer who cannot withdraw money does not distinguish between a cut fibre and a policy gap, and neither, increasingly, does an audit.
A single connection of any kind is therefore the wrong design for a regulated branch. The branch needs more than one path to the core, with automatic failover, so that the loss of a link is invisible to the customer at the counter. This is where routing architecture becomes a compliance control: resilience is something you engineer into the branch WAN, not something you promise in a policy document. How many of your branches today would stop serving customers if one circuit went down this afternoon?
By making transport a matter of indifference and failover a matter of milliseconds. A Catalyst 8000 router at the branch, running Catalyst SD-WAN, builds a secure overlay across whatever links the site has: a leased line, business broadband, and 4G or 5G as genuine diversity. The router treats them as interchangeable paths and moves traffic to a healthy one automatically when another degrades, so a failed primary link becomes a silent event rather than a closed branch.
Application awareness sharpens this for banking. The branch inspects traffic and prioritises what matters, keeping core banking transactions on the best path while less critical traffic takes another, so a degraded link slows the email before it ever touches a transaction. The Catalyst 8200 suits a typical branch and the 8300 a larger one or a regional hub, all managed centrally so every branch follows the same resilient design. The result is a branch estate that keeps transacting through the link failures that are inevitable across hundreds of Indian sites, which is precisely what the continuity requirement is asking for.
Clear separation of systems that should never share a path. The RBI names the separation of corporate and core banking, and a real branch has more zones than that: the core banking terminals, the branch staff devices, the ATM, the CCTV and physical security, and any guest or customer Wi-Fi. On a flat branch network, a compromised CCTV camera or a staff laptop sits on the same network as the systems moving money. Segmentation makes that impossible by default.
Catalyst SD-WAN carries these segments end to end, from the branch across the WAN to the data centre, so the separation holds over the network rather than only inside the branch switch. Identity-based policy through Cisco TrustSec tightens it further, controlling which roles may reach which systems regardless of where they connect. Built this way, a branch satisfies the RBI segmentation requirement at the architectural level and contains any intrusion to a single zone, which limits both the damage and the reportable scope of an incident. Segmentation is the control that turns a branch from a soft entry point into a series of locked rooms.
By designing for India from the start, in both where data sits and how it travels. The RBI's payment data localisation requirement means payment system data must be stored only in India, so the SD-WAN management and controllers, and the systems holding regulated data, are hosted within the country rather than in an overseas cloud region. This is a design decision to make at the outset because retrofitting data residency is painful and exposing.
Encryption covers the data in motion. Catalyst SD-WAN encrypts traffic across the overlay with IPsec, so transactions moving between a branch and the data centre are protected over any transport, including the public internet and cellular, and MACsec can protect the links themselves where needed. Together, these satisfy the encryption-in-transit expectation without forcing the bank onto private lines everywhere. The branch can use ordinary, resilient, encrypted internet transport and still meet the regulator's bar, which is also what keeps a large branch estate affordable.
By making the network produce its own evidence. The RBI framework expects documented, auditable controls, and a branch architecture built on central policy and logging supplies exactly that. When every branch follows one standard design, managed from a single console, you can show an auditor the segmentation policy, the access logs, the encryption status and the failover configuration as facts about the live network, not assertions in a binder.
This is where standardisation pays a compliance dividend. A fleet of identically built branches is auditable in a way a collection of one-offs never is, because the control is the same everywhere and the evidence is centrally visible. The monitoring and telemetry the network produces also feed the security oversight the framework expects, turning the branch WAN into a source of assurance rather than a gap the audit has to probe site by site. Could you show an RBI auditor, from one screen today, that every branch is segmented, encrypted and resilient? On a standardised SD-WAN estate, you can.
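One way to turn the expectations in the table above into evidence an auditor can read, shown as an added example (not code from this article or from Cisco). The inventory record, its field names, the VRF ids and the two sample branches are constructed assumptions; in practice the records would be exported from the SD-WAN management console.

```python
from dataclasses import dataclass

# Zones named in the article's segmentation discussion.
REQUIRED_ZONES = {"core-banking", "staff", "atm", "cctv", "guest"}

@dataclass
class Branch:
    # Hypothetical inventory record; field names are assumptions, not a Cisco schema.
    name: str
    zone_vrf: dict          # zone name -> VRF/segment id
    transports: list        # WAN links at the site
    ipsec_overlay: bool     # IPsec enabled on the SD-WAN overlay
    controller_region: str  # country where the controllers are hosted
    central_logging: bool   # logs/telemetry exported centrally

def audit_branch(b: Branch) -> list:
    """Return findings for one branch, each prefixed with the expectation it breaks."""
    findings = []
    missing = REQUIRED_ZONES - set(b.zone_vrf)
    if missing:
        findings.append("segmentation: missing zones " + ", ".join(sorted(missing)))
    # Zones that map to the same VRF share a path, i.e. the network is flat there.
    shared = {}
    for zone, vrf in b.zone_vrf.items():
        shared.setdefault(vrf, []).append(zone)
    for vrf, zones in sorted(shared.items()):
        if len(zones) > 1:
            findings.append(f"segmentation: {', '.join(sorted(zones))} share VRF {vrf}")
    if len(b.transports) < 2:
        findings.append("continuity: single transport, no failover path")
    if not b.ipsec_overlay:
        findings.append("encryption: IPsec overlay disabled")
    if b.controller_region != "IN":
        findings.append(f"localisation: controllers hosted in {b.controller_region}")
    if not b.central_logging:
        findings.append("monitoring: no central logging")
    return findings

def audit_fleet(branches) -> dict:
    """Map branch name -> findings, listing only branches that deviate."""
    report = {b.name: audit_branch(b) for b in branches}
    return {name: f for name, f in report.items() if f}

# Constructed sample data: one conforming branch, one flat single-link branch.
STANDARD = {"core-banking": 10, "staff": 20, "atm": 30, "cctv": 40, "guest": 50}
FLEET = [
    Branch("BR-001", STANDARD, ["leased-line", "broadband", "5g"], True, "IN", True),
    Branch("BR-002", {"core-banking": 10, "staff": 10, "atm": 30, "cctv": 10},
           ["broadband"], True, "IN", False),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, *findings, sep="\n  ")
```

An empty result from `audit_fleet` is the "one screen" answer for the whole estate; any entry names the branch and the specific control it fails.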
Resilience and segmentation first, then standardise the result across the estate. The two controls that most directly satisfy the regulator and protect the customer are redundant, failover-capable routing and proper zone separation, so those lead the design. From there, the priority is to make every branch the same: one reference architecture, sized for small and large sites, deployed through zero-touch provisioning and managed centrally, so compliance is uniform and the next branch inherits it automatically.
The sequence matters because a branch estate is rarely refreshed all at once. Move the most exposed and least resilient branches first, prove the standard design, and roll it out site by site, the same disciplined approach any large rollout demands. The mistake to avoid is treating branches as individual projects, which produces the inconsistent, hard-to-audit estate the regulator dislikes. Treat them as one programme delivered many times, and both resilience and compliance scale with you.
A BFSI branch network has to answer to two demanding audiences at once: the customer at the counter who needs the branch to work, and the regulator who needs it to be controlled, and few partners are fluent in both the routing and the regulation. Aligning a Catalyst 8000 and SD-WAN design to the RBI's frameworks, and being able to prove it, is specialised work that sits where networking, security and compliance meet.
Proactive Data Systems has spent 35 years building and running networks for Indian enterprises, including banks and financial institutions, across more than 1,500 customers, as a Cisco Preferred Partner in Networking, Security, Collaboration, Cloud and AI, and Services. We design RBI-ready branch networks on Catalyst 8000 and Catalyst SD-WAN, with the segmentation, encryption, data residency and resilience the frameworks expect, standardised across the estate and documented for audit, and we run them from a 24x7 NOC in India with CCIE-led design and security expertise in the same team. The branch keeps serving customers, and the architecture keeps satisfying the regulator.
Planning a branch network refresh under RBI scrutiny? Ask Proactive for an RBI-readiness assessment of your branch estate. It maps the gaps against the frameworks and gives you a standard design that closes them.