ARTICLE
8 August 2025

Building Compliance In The Cloud: RBI's IFS Cloud And The Future Of Financial Data Localization Under DPDPA, 2023

IL
IndiaLaw LLP

Contributor

IndiaLaw LLP logo

Founded by Managing Partner K.P. Sreejith, INDIALAW began as a small firm in Mumbai with a commitment to client service and corporate-focused legal solutions. From its modest beginnings, the firm has grown into a respected name by prioritizing excellence, integrity, and tailored legal strategies. INDIALAW’s team believes in adapting to each client’s unique needs, ensuring that solutions align with individual circumstances and business goals.

The firm combines its deep understanding of the local business landscape with experience across multiple jurisdictions, enabling clients to navigate complex legal environments effectively. INDIALAW emphasizes proactive service, anticipating client needs and potential challenges to provide timely, high-quality legal support. The firm values lasting client relationships and sees its role as a trusted advisor, dedicated to delivering business-friendly and principled legal counsel.

Explore Firm Details
India's financial system is evolving at the intersection of compliance, data sovereignty, and technological self-reliance. In line with this vision, the Reserve Bank of India (RBI) is set to launch the Indian Financial Services...
India Privacy
Appurv Bhatia

Introduction: Cloud Sovereignty in India's Financial Sector

India's financial system is evolving at the intersection of compliance, data sovereignty, and technological self-reliance. In line with this vision, the Reserve Bank of India (RBI) is set to launch the Indian Financial Services (IFS) Cloud in 2025–26. Developed by Indian Financial Technology and Allied Services (IFTAS), a wholly owned RBI subsidiary, the IFS Cloud will offer secure, dedicated cloud infrastructure for banks, NBFCs, and other regulated financial entities in India.

Beyond a digital upgrade, the IFS Cloud reflects a compliance-first strategy aligned with the Digital Personal Data Protection Act, 2023 (DPDPA), and India's broader digital policy landscape. Its rollout reinforces India's evolving data governance framework and commitment to regulatory autonomy in the financial sector.

What Is the IFS Cloud and Why Does It Matter?

The IFS Cloud is envisioned as a secure, scalable community cloud hosted within India and tailored for regulated financial institutions. Its key objectives are:

  • Enabling complete domestic data storage and processing in line with RBI norms
  • Reducing dependency on foreign cloud vendors such as AWS and Microsoft Azure
  • Providing affordable cloud solutions for small and mid-sized institutions
  • Supporting real-time core banking functions, analytics, and regulatory reporting
  • Promoting domestic innovation and public trust through sovereign infrastructure, aligned with Digital India and Make in India

Legal and Regulatory Framework: RBI's Mandates and DPDPA, 2023

RBI's Data Localization Directives

RBI has consistently championed financial sector data localization, beginning with its 2018 directive requiring all payment system data to be stored in India. This position was further reaffirmed through the Master Direction on Outsourcing of IT Services (April 2023), which mandates:

  • Local-only storage for core banking and payment system data
  • Full access to data by the RBI for audit and regulatory oversight
  • Compliance obligations for third-party service providers, including cloud vendors

The IFS Cloud has been architected to meet these requirements out of the box, reducing fragmentation in compliance and enhancing security and oversight.

Alignment with the Digital Personal Data Protection Act, 2023

The DPDPA, 2023, introduces a flexible, risk-based framework for personal data governance. The DPDPA permits cross-border transfers but allows the Central Government (Section 16) and sectoral regulators (Section 17) to impose restrictions based on public interest or national security.

As noted above, the IFS Cloud directly supports RBI's localization mandates. It also dovetails with the DPDPA's approach by offering a compliant, domestic infrastructure for one of the most sensitive sectors, financial services.

This dual-framework approach, general flexibility under DPDPA and sector-specific stringency from the RBI, allows India to ensure regulatory control without compromising technological growth or global interoperability.

Does Data Need to Be Stored Only Locally?

The Reserve Bank of India (RBI) mandates that data related to core banking operations and payment systems be stored and processed exclusively in India. According to the Master Direction on Outsourcing of IT Services (2023), cross-border storage or duplication of such data is prohibited, unless specifically approved under exceptional circumstances.

In contrast, the Digital Personal Data Protection Act, 2023 (DPDPA) permits cross-border data transfers, except to countries that are explicitly restricted by the Central Government. Under Section 17, sectoral regulators like the RBI are empowered to impose stricter data localization norms where necessary.

This dual framework results in differentiated compliance obligations:

  • For the financial sector, RBI regulations mandate local-only storage, with no foreign replication unless expressly authorized.
  • For other sectors, cross-border transfers are allowed if the destination is not restricted, and retaining a local copy is advisable for compliance and continuity.

This reflects a calibrated approach, stringent for financial data, yet flexible for other sectors to balance compliance and global operations.

Comparative Data Localization Approaches

Jurisdiction Data Localization Requirement
India (RBI – Financial Sector) Mandatory domestic storage; cross-border transfer only with explicit regulatory permission
India (DPDPA – Other Sectors) Cross-border transfers are allowed unless restricted; local copies are recommended
China Strict local-only storage for all critical and personal data; outbound transfers are tightly controlled
EU (GDPR) Transfers permitted with safeguards (e.g., SCCs, adequacy decisions)
United States No federal localization mandate; data transfers largely unrestricted

China enforces a strict 'local-only' model for all critical and personal data, allowing almost no cross-border flexibility. Compared to this, RBI's sector-specific approach is more calibrated and less sweeping, focusing narrowly on financial data while balancing national security, regulatory control, and operational feasibility.

Governance and Sectoral Implications

The RBI envisions that governance of the IFS Cloud will eventually shift to a consortium of financial sector stakeholders. While this promotes shared ownership and inclusivity, it also raises important legal considerations regarding:

  • Liability in case of data breaches or service failures
  • Third-party and subcontractor compliance
  • Dispute resolution and indemnification frameworks
  • Audit rights and regulatory intervention mechanisms

India could consider adapting best practices from collaborative governance models such as NPCI or Gaia-X (EU) to ensure legal safeguards are embedded in this shared infrastructure.

Financial Inclusion and Smaller Institutions

Unlike large banks, many NBFCs, cooperative banks, and smaller institutions lack the digital capacity to independently meet RBI mandates. The IFS Cloud seeks to bridge this gap by:

  • Offering tiered access models based on institutional size and risk profile
  • Providing onboarding support and implementation toolkits
  • Allowing shared services models to reduce the cost of compliance

This supports inclusive innovation and ensures smaller players are not left behind in the shift to secure, cloud-based financial ecosystems.

Conclusion: A Strategic, Compliance-First Innovation

  • IFS Cloud mandates local-only storage for regulated financial data, enabling complete alignment with RBI's directives.
  • It provides built-in compliance infrastructure, especially benefiting small and mid-sized institutions.
  • By reducing dependence on foreign vendors, it promotes cost-effective and sovereign cloud alternatives.
  • The initiative supports India's broader digital goals by integrating compliance, innovation, and financial inclusion.

This initiative is expected to strengthen regulatory compliance while furthering India's goals of digital and economic sovereignty under the Make in India and Digital India missions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Appurv Bhatia
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More