
RBI, CERT-In & DPDPA Compliance Playbook: MFA as the Foundation of BFSI Security

Indian BFSI organisations in 2026 face four overlapping regulatory frameworks that all require multi-factor authentication.  

  1. SEBI CSCRF mandated MFA for privileged access to market infrastructure with a compliance deadline that has already passed.  
  2. CERT-In's comprehensive audit mandate, in force since July 2025, explicitly requires MFA for all remote access and 180-day log retention.  
  3. The RBI Authentication Mechanisms Directions 2025, effective 1 April 2026, mandate two-factor authentication for all digital payment transactions.  
  4. The DPDPA 2023, with full enforcement on 13 May 2027, requires reasonable security safeguards - a standard that, in 2026, every credible legal interpretation reads as including MFA for systems handling personal data.  

This playbook maps all four frameworks to specific technical controls, provides a deployment sequence that closes regulatory exposure in priority order, and includes the seven-element evidence package CERT-In auditors will request. 

Up Front 

Three regulators. Four frameworks. Two deadlines already in force. One now effective. One thirteen months away. 

All pointing at the same control gap. All requiring - in different languages but with identical operational meaning - that your organisation knows, with evidence, who accessed what system, when, and from where. 

What This Playbook Contains 

This compliance reference document is built for CISOs, IT heads, and compliance officers at Indian banks, NBFCs, insurance companies, and payment system providers. It is not a product brochure. The regulatory analysis is vendor-neutral. The technology section declares its scope as Cisco Duo specifically, with a link to a multi-vendor comparison for organisations that want one. 

Section by section: 

  1. The Regulatory Landscape - detailed treatment of all four frameworks with specific requirements, effective dates, and what RBI/CERT-In/SEBI examiners will ask for. Includes the RBI IT Governance Master Direction treatment that most compliance content misses entirely.
  2. The Control Gaps - composite illustrations drawn from BFSI deployment experience, framed against DSCI's finding that 73% of Indian organisations are unaware of whether they have ever been attacked (DSCI India Cyber Threat Report 2025). The authentication coverage gap, the SMS OTP dependency, the vendor access gap, and the compliance documentation gap.
  3. The MFA Implementation Framework - a regulatory-to-technical requirements map covering all four frameworks; a factor selection matrix by user population (retail customers, branch employees, back-office staff, privileged administrators, vendors); and a six-phase deployment sequence with weeks, actions, and compliance outcomes per phase.
  4. The Architecture Case - Cisco Duo's RADIUS-based integration architecture for legacy BFSI systems; Mumbai data centre residency confirmation; Verified Push and FIDO2 for privileged accounts; and the audit trail that RBI and CERT-In examiners ask for.
  5. The Compliance Calendar - a single table showing all four frameworks, their MFA obligations, current status, and consequence of non-compliance.
  6. Eight Frequently Asked Questions - structured as regulatory requirements questions, not vendor questions, covering NBFCs, data localisation, log retention, SMS OTP sufficiency, DPDPA scope, break-glass procedures, deployment timelines, and MFA mandate status under DPDPA.

How to Use This Playbook 

The deployment sequence in this playbook is structured to close regulatory exposure in order of urgency, not in order of operational convenience. If your organisation is approaching this with limited time before an examination or audit, the sequence is: credential audit first, privileged access second, VPN and remote access third. The customer-facing payment authentication review is a parallel workstream with a longer timeline - six to eight months for banks on proprietary platforms - and should not block the internal controls deployment. 

The evidence package section is designed to be used from Day 1, not assembled the week before an audit. Every phase of the deployment generates a document that becomes part of the audit evidence package. Read that section before you begin, not after. 

SEBI CSCRF - compliance window already closed. SEBI's Cybersecurity and Cyber Resilience Framework mandated MFA for privileged access to all trading systems, risk management systems, and back-office infrastructure. Compliance deadlines for registered market participants - brokers, depository participants, asset management companies, portfolio managers, KYC registration agencies, and market infrastructure institutions - ran from January to April 2025. Organisations that have not deployed MFA for privileged access are already outside the compliance window. The first post-deadline examination cycle is underway.

CERT-In CISG-2025-02 - in force since 25 July 2025. CERT-In's Comprehensive Cyber Security Audit Policy Guidelines (CISG-2025-02) make annual cybersecurity audits mandatory for all Indian organisations - public and private. The guidelines explicitly require MFA for all remote access connections, 180-day log retention stored in India, and named individual accounts for all critical system access. Organisations in BFSI are additionally subject to audit frequency requirements from their sectoral regulators.

RBI Authentication Mechanisms Directions 2025 - effective 1 April 2026. The Reserve Bank of India's Authentication Mechanisms for Digital Payment Transactions Directions, 2025, issued on 25 September 2025, mandate two-factor authentication for all digital payment transactions. At least one factor must be dynamic for non-card-present transactions. The factor independence principle requires that the reliability of one factor must not affect the other. Risk-based authentication is required for higher-value and anomalous transactions.

DPDPA 2023 - full enforcement deadline 13 May 2027. India's Digital Personal Data Protection Act 2023 does not mandate MFA by name but requires data fiduciaries to implement "reasonable security safeguards" for personal data. Every credible legal interpretation of "reasonable safeguards" in 2026 includes MFA for systems storing, processing, or transmitting personal data. The penalty for failure to implement security safeguards is up to ₹250 crore per instance (DPDPA 2023, Schedule 1 Item 4). Unlike RBI penalties, DPDPA penalties are triggered by breach events, not examination cycles.

What Is - and Is Not - In This Playbook 

This playbook is written by Proactive Data Systems, a Cisco Preferred Security Partner with 35 years of enterprise infrastructure deployment across Indian BFSI organisations. The regulatory analysis reflects frameworks as understood in March 2026. The technology section focuses specifically on Cisco Duo, declared at the opening of that section. 

The playbook does not contain:

  1. Legal advice. The regulatory analysis describes what frameworks require operationally. It does not constitute legal counsel and should not substitute for independent legal advice on specific compliance obligations.
  2. A vendor-neutral MFA comparison. A multi-vendor comparison of MFA platforms for Indian enterprises - covering Cisco Duo, Microsoft Entra ID, Okta, ManageEngine, and miniOrange - is available separately.
  3. Specific client case studies. The deployment scenarios are composite illustrations drawn from deployment experience, not descriptions of named clients.

About Proactive Data Systems 

Proactive Data Systems Pvt Ltd is a Cisco Preferred Security Partner holding Preferred designation across Security, Networking, Collaboration, Cloud and AI, and Services - one of a very small number of partners in India to hold this designation across all five portfolios. Proactive has been deploying security and IT infrastructure across India since 1991. 


Delhi · Mumbai · Pune · Bengaluru · Hyderabad · Indore

Frequently Asked Questions

Quick answers to common questions about this resource.

The RBI Authentication Mechanisms Directions 2025, effective 1 April 2026, require two-factor authentication for all digital payment transactions. Both factors must be distinct. For non-card-present transactions, at least one factor must be dynamic — generated uniquely for the specific transaction to prevent replay.

The factor independence principle requires that the two factors operate through independent channels. Separately, the RBI IT Governance Master Direction requires MFA for all employee access to critical information systems, including core banking systems, treasury platforms, and internet banking back-ends. An MFA deployment that satisfies only one of these two frameworks is materially non-compliant with the other.
Yes. CERT-In's Comprehensive Cyber Security Audit Policy Guidelines (CISG-2025-02), effective 25 July 2025, explicitly require MFA for all remote access connections as part of the mandatory annual cybersecurity audit framework. This applies to all private sector organisations operating digital systems in India, not only government entities or critical infrastructure operators. The guidelines additionally require 180-day log retention stored in India, the principle of least privilege across all organisational assets, and named individual accounts for all critical system access. Auditors will examine whether MFA is enforced across all remote access channels, not merely whether it is deployed.

The Digital Personal Data Protection Act 2023 does not mandate MFA by name. It requires data fiduciaries to implement "reasonable security safeguards" to protect personal data. Given that CERT-In explicitly mandates MFA for remote access, RBI requires two-factor authentication for payment transactions, and SEBI CSCRF mandates MFA for privileged access to market infrastructure, the absence of MFA from systems handling personal data is not defensible as "reasonable safeguards" in a post-breach proceeding before the Data Protection Board of India. Organisations that suffer a breach without MFA controls face significant difficulty demonstrating compliance with this standard.

The DPDPA 2023 does not impose a penalty specifically for the absence of MFA. The penalty for failure to implement reasonable security safeguards — the obligation that MFA falls under — is up to ₹250 crore per instance (DPDPA 2023, Schedule 1 Item 4). This penalty is adjudicated by the Data Protection Board of India, once constituted, and is triggered by breach events rather than scheduled examination cycles. This is a materially different enforcement mechanism than RBI or SEBI penalties: there is no scheduled examination to prepare for. The liability crystallises when a breach occurs.

Yes. The Directions apply to all Payment System Providers and Payment System Participants, which include non-bank entities operating within India's payment ecosystem. NBFCs that issue prepaid payment instruments, operate as payment aggregators, or participate in the UPI ecosystem as PSPs are in scope. NBFCs not directly involved in payment transactions are subject to the RBI IT Governance Master Direction rather than the Authentication Directions 2025, but the IT Governance framework independently requires MFA for employee access to critical information systems.

CERT-In requires 180 days of log retention for security events. For MFA compliance, the relevant categories are identity provider and authentication logs (every MFA event, factor used, outcome), remote access logs (VPN session logs, remote desktop logs, third-party access logs), and privileged access logs. All logs must be stored in India. They must be available for export during the audit window. The standard expectation is that these logs feed into a SIEM for correlation and alerting — passive storage alone will not satisfy audit expectations for organisations with higher risk profiles.

RBI's longstanding data localisation expectations and the DPDPA's reasonable safeguards obligation together require that authentication data — user records, device enrolment information, authentication event logs — be processed and stored in India for BFSI organisations. Cloud-delivered MFA platforms that do not operate India-resident infrastructure cannot satisfy this requirement. When evaluating any platform, obtain written confirmation of where authentication data is processed and stored in a form that will satisfy an RBI examiner. This is not a documentation formality — it is a baseline compliance requirement.

For privileged access and remote access — the two highest-priority phases for regulatory compliance — four to six weeks from credential audit completion to acceptance sign-off for a 500 to 2,000-user organisation. Full enterprise deployment, including branch employee access, runs eight to twelve weeks, depending on branch locations and core banking integration complexity.

Customer-facing payment authentication review is a separate, parallel workstream: six to eight months for banks on proprietary or highly customised internet banking platforms; potentially faster for banks on modern third-party platforms with API-accessible authentication flows. The binding constraint on the timeline is almost never the technology — it is the credential audit at the start and the enrolment communication programme for branch employees.
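As an added example (not part of the playbook and not Cisco Duo's or any product's code), the check below runs over constructed authentication log lines in an assumed key=value export format and reports the three things the CERT-In remote-access answer and the log retention answer above describe: successful remote-access logins without a second factor, shared or generic accounts where named individual accounts are required, and whether the exported logs cover at least 180 days. The field names, the shared-account list and the sample lines are all assumptions.

```python
from datetime import datetime

RETENTION_DAYS = 180                            # CERT-In CISG-2025-02 retention window
SHARED_ACCOUNTS = {"admin", "vpnuser", "root"}  # assumed generic accounts to flag

# Constructed sample export (assumed key=value format, not a real product's log):
# <ISO timestamp> user=<id> channel=<remote-access channel> factors=<a,b> outcome=<result>
SAMPLE_LOG = """\
2025-08-01T09:12:03 user=r.sharma channel=vpn factors=password,push outcome=success
2025-08-01T09:15:44 user=vpnuser channel=vpn factors=password outcome=success
2025-09-10T22:01:10 user=a.mehta channel=rdp factors=password,fido2 outcome=success
2025-11-03T14:30:00 user=k.rao channel=vpn factors=password outcome=success
2026-02-02T08:00:00 user=s.iyer channel=vendor-portal factors=password,otp outcome=failure
"""


def parse_line(line):
    """Split one log line into a dict; the factors field becomes a list."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["factors"] = rec["factors"].split(",")
    return rec


def audit(log_text, as_of=None):
    """Return the evidence summary an auditor would ask for from this export."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for r in recs:
        # MFA must be enforced, not merely deployed: a successful login that
        # used only one factor on a remote-access channel is a coverage gap.
        if r["outcome"] == "success" and len(r["factors"]) < 2:
            findings.append(("single-factor-login", r["user"], r["channel"]))
        # Critical system access must be under named individual accounts.
        if r["user"] in SHARED_ACCOUNTS:
            findings.append(("shared-account", r["user"], r["channel"]))
    oldest = min(r["ts"] for r in recs)
    as_of = as_of or max(r["ts"] for r in recs)   # live check: pass datetime.now()
    covered = (as_of - oldest).days
    return {
        "events": len(recs),
        "retention_days_covered": covered,
        "retention_ok": covered >= RETENTION_DAYS,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```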
