RBI data localisation, met by architecture
The RBI’s 2018 directive on Storage of Payment System Data drew a hard line: regulated payment data stays in India. For any AI that touches that data, the question is where the system runs. Deploying a decisioning service inside the bank’s own VPC answers it structurally — the data never leaves the regulated environment to be processed, so localisation is a property of the deployment rather than a clause in a contract.
What the directive actually says
In April 2018 the RBI directed all system providers to ensure the entire data relating to payment systems operated by them is stored in a system only in India. The directive is narrow in scope — payment-system data — but uncompromising in intent: the supervisory and regulatory access RBI expects is far easier to guarantee when the data physically sits within the country’s jurisdiction.
Where processing abroad is unavoidable, the data is to be brought back to India and any copy held abroad deleted within a defined window. The practical effect for most regulated entities is to treat India-resident storage as the default and offshore movement as a tightly-controlled exception.
Why deployment model is the real control
Most AI vendors process your data on their own infrastructure — you send data to their API, they run the model, they return a result. For regulated payment data that model puts localisation entirely in the vendor’s hands and depends on contractual assurances about where servers sit and how copies are handled.
Vihaya is designed for the opposite posture: the decisioning service runs inside the customer’s own VPC. The data being decided on never crosses the boundary into a Vihaya-operated environment. That makes localisation an architectural fact you can demonstrate, not a representation you have to trust — which is also the posture the RBI IT-outsourcing direction expects for examiner audit rights.
RBI data localisation FAQ
What does the RBI data localisation directive require?
The RBI’s April 2018 directive on Storage of Payment System Data requires that the full end-to-end transaction data relating to payment systems operated in India be stored only within India. Data may be processed abroad in limited cases but must be brought back and the foreign copy deleted within a defined window.
Does it apply beyond payments?
The 2018 directive is specific to payment-system data. But the broader expectation — reinforced by the RBI IT-outsourcing direction and the DPDP Act — is that regulated entities keep tight control over where regulated data lives and who can access it. Localisation is best treated as the default posture, not the exception.
How does in-VPC deployment address it?
Vihaya is designed to deploy as a service inside the bank or NBFC’s own cloud account — typically AWS Mumbai or Azure South India. Regulated data does not leave the customer’s environment to reach a Vihaya-hosted endpoint, so the localisation requirement is met by where the system runs, not by a contractual promise about data handling.
Who is responsible for localisation compliance?
The regulated entity. Vihaya provides a deployment model designed to support localisation; the bank or NBFC remains responsible for its own compliance determination and for satisfying the RBI. No bank has deployed Vihaya yet.
Want to see this in your environment?
30-minute discovery call. We follow up with a draft SOW shortly after.
Talk to us about a pilot