
India’s regulators eye continuous, risk-based cyber audits for fintechs

Shift from checklist compliance to real-time risk monitoring could reshape governance and vendor oversight

October 07, 2025 / 21:24 IST

Industry officials flagged that periodic, checklist-driven reviews are no longer adequate for the pace of fintech innovation. They called for a transition to continuous, risk-based audits that build cyber assurance directly into day-to-day supervision.

At the Global FinTech Forum (GFF 2025), Jeevan Sonparote of SEBI said regulators must keep up with the speed of innovation without stifling it.

“As a regulator, we don’t want to stifle innovation, but we can’t afford to lag behind the curve either,” he said, noting that SEBI’s focus now is on how auditors and entities can evolve from checklist compliance to a continuous-monitoring culture.

He acknowledged that most intermediaries still treat audits as statutory formalities rather than living risk frameworks, a mindset that must change if fintechs are to sustain trust.

Picking up the thread, S. S. Sarma, Scientist at CERT-In, said the agency has advised entities to move from presence-based audits to effectiveness-based assessments and to engage auditors on multi-year contracts instead of one-off reviews.

“The problem when the checklist comes is it only sees the presence of a control, not the effectiveness of the control,” Sarma said. “Give a contract for three years continuously. Make them responsible. Ensure that remediation has been done before closure,” he added.

He also opined that audit findings must be reviewed and adopted by senior management or boards, warning that otherwise “reports will become only a kind of piece of paper.”

The proposal effectively redefines audit from a point-in-time certification to an ongoing assurance process, binding management responsibility to cyber resilience.

Vinayak Godse, Data Security Council of India (DSCI), called this shift inevitable, citing the “blind time” between two audits during which security controls decay.

“Whatever control effectiveness you check decays in the course of time. That’s why we need continuous audit and supervisory technology,” he said.

Godse explained that the entire transaction-processing chain has become unbundled, with fintechs now embedded at every stage, from initiating payments to analysing data.

“Fintechs are now critical parts of the supply chain. Security is hitting both top line and bottom line. If you’re a responsible entity, trust helps you grow, but the cost of compliance is rising sharply.”

According to him, regulators will increasingly use supervisory technology to monitor entities between audits and to generate ecosystem-wide threat intelligence in real time.

Audit practitioners welcomed the regulatory intent but warned that fintech exposure now extends far beyond internal systems.

Krishna Sastry Pendyala, Partner at Ernst & Young, said most cyber incidents his firm investigated stemmed from third-party providers.

“In the last five to six months, various investigations were carried out. Ninety-five percent of the cases, the breach has happened from the vendor side,” Sastry said.

He criticised the prevailing “tick-based, not tech-based” approach to audits, arguing that many organisations still see compliance as a check-box exercise.

“Compliance does not guarantee you won’t be attacked. The regulator’s intervention is required so that organisations move from a compliance mindset to a risk-based approach. Boards have to take ownership.”

Sastry said fintech developers often rely on low-code or open-source components with little visibility on origin or embedded vulnerabilities.

“Sixty percent of fintech code is freely available. Such code you’re downloading and building a product on which you have no visibility,” he warned.

He recommended that every outsourcing contract include a right-to-audit clause, coupled with source-code escrow and a software bill of materials—provisions already echoed in the RBI’s 2021 Master Direction on outsourcing by banks.
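The software bill of materials is the one provision above that lends itself to a worked check. What follows is an added example, not code from the article or from any of the regulators, firms or speakers it quotes: it parses a constructed CycloneDX-style SBOM, flags components that record no supplier or integrity hash (the "no visibility on origin" problem described above), and matches each version against a hypothetical advisory table. The component names, versions, hashes and the KNOWN_VULNERABLE entries are all made up for the demonstration; only the CycloneDX field names (components, supplier, hashes) are real.

```python
"""Added example: audit a constructed CycloneDX-style SBOM for provenance gaps
and known-vulnerable component versions. Not code from the article."""
import json

# Constructed sample SBOM (CycloneDX JSON shape, subset of fields).
# Names, versions and hashes are invented for this demo.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "payment-sdk", "version": "2.3.1",
         "supplier": {"name": "Example Vendor Ltd"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        # Pulled in with no supplier and no hash: origin cannot be verified.
        {"type": "library", "name": "json-parser", "version": "1.0.4"},
        {"type": "library", "name": "crypto-utils", "version": "0.9.0",
         "supplier": {"name": "community"},
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
    ],
})

# Hypothetical advisory table: name -> list of (first_affected, first_fixed).
# A version v is affected if first_affected <= v < first_fixed.
KNOWN_VULNERABLE = {
    "crypto-utils": [("0.0.0", "0.9.5")],
}


def parse_version(version):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_affected(name, version):
    """True if the version falls inside any affected range for the component."""
    v = parse_version(version)
    for first_affected, first_fixed in KNOWN_VULNERABLE.get(name, []):
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True
    return False


def audit_sbom(sbom_json):
    """Return a list of (component_ref, finding) pairs for the SBOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        ref = f"{component['name']}@{component['version']}"
        if "supplier" not in component:
            findings.append((ref, "no supplier recorded"))
        if not component.get("hashes"):
            findings.append((ref, "no integrity hash"))
        if is_affected(component["name"], component["version"]):
            findings.append((ref, "known vulnerable version"))
    return findings


def provenance_coverage(sbom_json):
    """Fraction of components that carry both a supplier and an integrity hash."""
    components = json.loads(sbom_json).get("components", [])
    if not components:
        return 0.0
    covered = sum(1 for c in components if "supplier" in c and c.get("hashes"))
    return covered / len(components)


if __name__ == "__main__":
    for ref, finding in audit_sbom(SAMPLE_SBOM):
        print(f"{ref}: {finding}")
    print(f"provenance coverage: {provenance_coverage(SAMPLE_SBOM):.0%}")
```

Run as-is it reports two provenance gaps for json-parser and one vulnerable version for crypto-utils, with two of three components fully attributed. In practice the advisory table would be replaced by a live vulnerability feed and the SBOM by the one generated from the build, but the shape of the check stays the same: it is run on every build, not once a year.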

Khushi Keswani
first published: Oct 7, 2025 09:24 pm
