--- title: "Building Compliance in the Cloud: RBI’s IFS Cloud and the Future of Financial Data Localization under DPDPA, 2023" date: 2025-08-05 author: "Appurv Bhatia" url: https://www.indialaw.in/blog/cyber-law/building-compliance-in-the-cloud-rbis-ifs-cloud-and-the-future-of-financial-data-localization-under-dpdpa-2023/ --- # Building Compliance in the Cloud: RBI’s IFS Cloud and the Future of Financial Data Localization under DPDPA, 2023 Posted On - 5 August, 2025 • By - [Appurv Bhatia](https://www.indialaw.in/people/appurv-bhatia/ "Posts by Appurv Bhatia") [![Future of Financial Data Localization under DPDPA, 2023](https://www.indialaw.in/wp-content/uploads/qzw8l2xo5xw.jpg)](https://www.indialaw.in/wp-content/uploads/qzw8l2xo5xw.jpg) ## **Introduction: Cloud Sovereignty in India’s Financial Sector** India’s financial system is evolving at the intersection of compliance, data sovereignty, and technological self-reliance. In line with this vision, the Reserve Bank of India (RBI) is set to launch the Indian Financial Services (IFS) Cloud in 2025–26. Developed by Indian Financial Technology and Allied Services (IFTAS), a wholly owned RBI subsidiary, the IFS Cloud will offer secure, dedicated cloud infrastructure for banks, NBFCs, and other regulated financial entities in India. Beyond a digital upgrade, the IFS Cloud reflects a compliance-first strategy aligned with the Digital Personal Data Protection Act, 2023 (DPDPA), and India’s broader digital policy landscape. Its rollout reinforces India’s evolving data governance framework and commitment to regulatory autonomy in the financial sector. ## **What Is the IFS Cloud and Why Does It Matter?** The IFS Cloud is envisioned as a secure, scalable community cloud hosted within India and tailored for regulated financial institutions. Its key objectives are: - Enabling complete domestic data storage and processing in line with RBI norms - Reducing dependency on foreign cloud vendors such as AWS and Microsoft Azure - Providing affordable cloud solutions for small and mid-sized institutions - Supporting real-time core banking functions, analytics, and regulatory reporting - Promoting domestic innovation and public trust through sovereign infrastructure, aligned with Digital India and Make in India ## **Legal and Regulatory Framework: RBI’s Mandates and DPDPA, 2023** ### **RBI’s Data Localization Directives** RBI has consistently championed financial sector data localization, beginning with its 2018 directive requiring all payment system data to be stored in India. This position was further reaffirmed through the **Master Direction on Outsourcing of IT Services (April 2023)**, which mandates: - Local-only storage for core banking and payment system data - Full access to data by the RBI for audit and regulatory oversight - Compliance obligations for third-party service providers, including cloud vendors The IFS Cloud has been architected to meet these requirements out of the box, reducing fragmentation in compliance and enhancing security and oversight. ### **Alignment with the Digital Personal Data Protection Act, 2023** The **DPDPA, 2023,** introduces a flexible, risk-based framework for personal data governance. The DPDPA permits cross-border transfers but allows the Central Government (Section 16) and sectoral regulators (Section 17) to impose restrictions based on public interest or national security. As noted above, the IFS Cloud directly supports RBI’s localization mandates. It also dovetails with the DPDPA’s approach by offering a compliant, domestic infrastructure for one of the most sensitive sectors, financial services. This dual-framework approach, general flexibility under DPDPA and sector-specific stringency from the RBI, allows India to ensure regulatory control without compromising technological growth or global interoperability. ### **Does Data Need to Be Stored Only Locally?** The Reserve Bank of India (RBI) mandates that data related to core banking operations and payment systems be stored and processed exclusively in India. According to the Master Direction on Outsourcing of IT Services (2023), cross-border storage or duplication of such data is prohibited, unless specifically approved under exceptional circumstances. In contrast, the Digital Personal Data Protection Act, 2023 (DPDPA) permits cross-border data transfers, except to countries that are explicitly restricted by the Central Government. Under Section 17, sectoral regulators like the RBI are empowered to impose stricter data localization norms where necessary. This dual framework results in differentiated compliance obligations: - For the financial sector, RBI regulations mandate local-only storage, with no foreign replication unless expressly authorized. - For other sectors, cross-border transfers are allowed if the destination is not restricted, and retaining a local copy is advisable for compliance and continuity. This reflects a calibrated approach, stringent for financial data, yet flexible for other sectors to balance compliance and global operations. ## **Comparative Data Localization Approaches** | **Jurisdiction** | **Data Localization Requirement** | | --- | --- | | **India (RBI – Financial Sector)** | Mandatory domestic storage; cross-border transfer only with explicit regulatory permission | | **India (DPDPA – Other Sectors)** | Cross-border transfers are allowed unless restricted; local copies are recommended | | **China** | Strict local-only storage for all critical and personal data; outbound transfers are tightly controlled | | **EU (GDPR)** | Transfers permitted with safeguards (e.g., SCCs, adequacy decisions) | | **United States** | No federal localization mandate; data transfers largely unrestricted | China enforces a strict ‘local-only’ model for all critical and personal data, allowing almost no cross-border flexibility. Compared to this, RBI’s sector-specific approach is more calibrated and less sweeping, focusing narrowly on financial data while balancing national security, regulatory control, and operational feasibility. ## **Governance and Sectoral Implications** The RBI envisions that governance of the IFS Cloud will eventually shift to a consortium of financial sector stakeholders. While this promotes shared ownership and inclusivity, it also raises important legal considerations regarding: - Liability in case of data breaches or service failures - Third-party and subcontractor compliance - Dispute resolution and indemnification frameworks - Audit rights and regulatory intervention mechanisms India could consider adapting best practices from collaborative governance models such as NPCI or Gaia-X (EU) to ensure legal safeguards are embedded in this shared infrastructure. ## **Financial Inclusion and Smaller Institutions** Unlike large banks, many NBFCs, cooperative banks, and smaller institutions lack the digital capacity to independently meet RBI mandates. The IFS Cloud seeks to bridge this gap by: - Offering tiered access models based on institutional size and risk profile - Providing onboarding support and implementation toolkits - Allowing shared services models to reduce the cost of compliance This supports inclusive innovation and ensures smaller players are not left behind in the shift to secure, cloud-based financial ecosystems. ## **Conclusion: A Strategic, Compliance-First Innovation** - IFS Cloud mandates local-only storage for regulated financial data, enabling complete alignment with RBI’s directives. - It provides built-in compliance infrastructure, especially benefiting small and mid-sized institutions. - By reducing dependence on foreign vendors, it promotes cost-effective and sovereign cloud alternatives. - The initiative supports India’s broader digital goals by integrating compliance, innovation, and financial inclusion. This initiative is expected to strengthen regulatory compliance while furthering India’s goals of digital and economic sovereignty under the *Make in India* and *Digital India* missions. For further details write to [contact@indialaw.in](mailto:contact@indialaw.in) [Data Protection and Privacy](https://www.indialaw.in/expertise/technology-law/data-protection-and-privacy/) --- # IndiaLaw LLP — Offices & Contact Details --- ## General Contact | | | |---|---| | **Website** | https://www.indialaw.in | | **Primary email** | contact@indialaw.in | | **Primary phone** | +91 836-9995919 | | **Contact form** | https://www.indialaw.in/connect/ | | **Careers (separate channel)** | https://www.indialaw.in/careers/ | --- ## All Offices (9 locations across 8 cities) ### 1. Mumbai — Registered Office & Head Office (Apeejay Chambers) | | | |---|---| | **Address** | Apeejay Chambers, Ground Floor, Wallace Street, Fort, Mumbai – 400 001 | | **Phone** | [022-6924-7400](tel:02269247400) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate · IP | | **Notes** | The HQ. 5 partners based here. Handles PAN-India litigation, arbitration, corporate, banking, IP and real estate practice. Largest team across all offices. | ### 2. Mumbai — Non-Litigation Office (Excelsior, Fort) | | | |---|---| | **Address** | 4th Floor, New Excelsior Theatre Pvt. Ltd., Amrit Keshav Nayak Marg, Fort, Mumbai – 400 001 | | **Phone** | [022-697-40500](tel:022-697-40500) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Non-litigation only — consultations, negotiations, transactional work | | **Notes** | Opened 2024. Litigation and arbitration remain at the Apeejay Chambers head office. | ### 3. Delhi | | | |---|---| | **Address** | Flat No. 1107 & 1108, Prakashdeep Building, Tolstoy Marg, Connaught Place, New Delhi – 110 001 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/delhi/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate | | **Notes** | 3 partners based here. Located near the Supreme Court of India, Delhi High Court and other appellate bodies. | ### 4. Kolkata | | | |---|---| | **Address** | Centre Point Building, Room No. 214, 2nd Floor, Premises No. 21, Hemanta Basu Sarani, Opp. Great Eastern Hotel, P.S. Hare Street, Kolkata – 700 001, West Bengal | | **Phone** | [+91 33 4813 1001](tel:+913348131001) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/kolkata/ | | **Practice focus** | Insolvency & Bankruptcy · Commercial & Civil Litigation · Arbitration · Banking Litigation · Real Estate · Labour & Employment · Consumer | | **Notes** | Advises banks, NBFCs, MSMEs and corporates on transactions and dispute resolution. Works in close coordination with the Mumbai HO. | ### 5. Chennai | | | |---|---| | **Address** | GF-A, 19 Casa Major Road, Egmore, Chennai – 600 008 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/chennai/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Full-fledged office with experienced legal team. Supported by Mumbai HO. | ### 6. Bengaluru (Bangalore) | | | |---|---| | **Address** | INDIALAW LLP, No. 7 Chinnaswamy Mudaliar Road, Shivaji Nagar, Bangalore – 560 051 | | **Phone** | [080-4167-2444](tel:08041672444) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/bengaluru/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate · Family Laws · Labour | | **Notes** | Located near Bangalore High Court. Handles corporate, commercial, banking and matrimonial disputes. | ### 7. Hyderabad | | | |---|---| | **Address** | 403, 4th Floor, Sanatana Ecstasy Building, beside Tanishq Show Room, Himayathnagar, Hyderabad – 500 029, Telangana | | **Phone** | [040-6666-5166](tel:04066665166) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/hyderabad/ | | **Practice focus** | Litigation · Banking · Insolvency & Bankruptcy · Real Estate | | **Notes** | Particularly well known for complex banking matters and real estate transactions. | ### 8. Cochin (Kochi) | | | |---|---| | **Address** | Second Floor, Pulikkal Building, K.K. Padmanabhan Road, Ernakulam North – 682 018, Kerala | | **Phone** | [0484-3583961](tel:04843583961) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/cochin/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Commercial disputes, property litigation, financial-claim arbitrations and real estate transactions. | ### 9. Noida (NCR) | | | |---|---| | **Address** | No. 16 & 17, Silver Offices, 17th Floor, Wave One, Sector 18, Noida – 201 301 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/noida/ | | **Practice focus** | Aviation · Insurance · Mergers & Acquisitions · Corporate | | **Office head** | **Mr. Dinesh Gupta** (joined August 2025 to lead and expand the corporate practice) | | **Notes** | Newest office. Sector-focused on highly regulated industries serving NCR-based clients. | --- ## Quick-Dial Phone List | Office | Phone | |---|---| | Mumbai HO (Apeejay) | 022-6924-7400 | | Mumbai Excelsior | 022-697-40500 | | Kolkata | +91 33 4813 1001 | | Bengaluru | 080-4167-2444 | | Hyderabad | 040-6666-5166 | | Cochin | 0484-3583961 | | **General / Marketing line** | **+91 836-9995919** | Delhi, Chennai and Noida route through the general number. --- ## Social Channels - LinkedIn: https://www.linkedin.com/company/indialaw - X / Twitter: https://twitter.com/Indialawmumbai - Facebook: https://www.facebook.com/indialawllp/ - Instagram: https://www.instagram.com/indialawllp ---