System Audit Rules Clarified for Payment System Operators

Live · in forceNo withdrawal recorded as of 20 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.

Issued by RBI: 14 Jun 2011 · Decoded by BankPulse: 20 Jun 2026, 09:18 IST

⏱ ~2 min read

Quick answerRBI clarifies that system audit requirements from a CISA-qualified auditor apply only to entities operating a payment system under the Payment and Settlement Systems Act, 2007, not to participants in systems like RTGS, NEFT, or card networks.

What changed

This circular clarifies that the earlier December 2010 directive on system audits applies solely to payment system operators, not to banks or entities that are merely participants in payment systems such as RTGS, NEFT, CFMS, ECS, NECS, card networks, or ATM networks. It removes any ambiguity about the scope of the audit requirement.

What it means for you

Banks that are participants in payment systems do not need to submit system audit reports from a CISA-qualified auditor for those systems. Only entities that operate a payment system under the Payment and Settlement Systems Act, 2007, must comply. This reduces compliance burden for most scheduled commercial banks.

What you must do

Verify whether your bank operates a payment system under the Payment and Settlement Systems Act, 2007, or is only a participant.
If your bank is only a participant in systems like RTGS, NEFT, or card networks, no system audit report is required under this circular.
If your bank operates a payment system, ensure system audits are conducted by a CISA-qualified auditor as per the December 2010 circular.
Acknowledge receipt of this circular to the RBI as instructed.

Who it affects

All scheduled commercial banks, Payment system operators under the Payment and Settlement Systems Act, 2007, Banks participating in RTGS, NEFT, CFMS, ECS, NECS, card payment systems, and ATM networks

Does this circular require my bank to get a system audit if we use RTGS or NEFT?

No. If your bank is only a participant in RTGS, NEFT, or other listed payment systems, the system audit requirement does not apply. It applies only to entities that operate a payment system under the Payment and Settlement Systems Act, 2007.

What is the effective date of this clarification?

The circular was issued on June 14, 2011, and clarifies the earlier circular dated December 27, 2010. It is effective from the date of issuance.

Who needs to submit a system audit report from a CISA-qualified auditor?

Only entities that operate a payment system under the Payment and Settlement Systems Act, 2007, need to submit such reports. Participants in payment systems are exempt from this requirement.

AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · decoded & published by BankPulse · 20 Jun 2026, 09:18 IST

Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=6457&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.