Is CortexData certified for RBI compliance?

RBI doesn't certify lending platforms — banks and NBFCs are certified, and they choose technology that helps them stay compliant. CortexData is engineered to make compliance demonstrable: every Master Direction maps to specific code paths, every regulatory return is generated from the same source-of-truth data, and the audit chain preserves the full evidence trail.

Do you support multi-tenant deployments where each tenant has different compliance requirements?

Yes. Configuration is per-tenant: PSL targets, exposure caps, sanction matrix tiers, retention periods, and language defaults. The compliance framework — the Master Direction implementations themselves — is shared, because RBI rules don't differ by bank.

How do you handle Master Direction updates?

Master Directions evolve. Our engineering process tracks RBI publications quarterly; material changes flow into the platform via versioned policy modules with explicit migration paths. Banks running CortexData get changelog-style notifications with the impact assessment per module.

Can your platform survive an RBI inspection?

It's designed for it. Every loan can be reconstructed end-to-end from the audit chain (origination → underwriting → sanction → disbursement → repayment → closure or NPA → resolution). Every regulatory return ties back to the underlying loan-level data. Every customer artefact is preserved with a stable document ID. We've built CortexData assuming auditors will look — because they will.

Platform · Compliance

Every RBI Master Direction your bank cares about. Mapped, implemented, audit-ready.

CortexData isn't a generic platform with India compliance bolted on — it's engineered around RBI Master Directions from line one.

On this page: every Master Direction we currently implement, what we ship, and where you can verify it. If you want compliance you can demonstrate to an RBI inspector tomorrow morning, this is the substrate.

RBI Digital Lending Guidelines: KFS, cooling-off, fee transparency, grievance
IRACP, PSL, DSB, OSS-3, restructuring, recovery + SARFAESI
Co-Lending Model (Nov 2020) + Securitisation Master Direction (Sept 2021)
Gold Loan, Housing Finance, MSME, KYC Master Directions
Audit log immutability with SHA-256 hash chain + 10-year S3 Object Lock retention
Every regulatory return generated from source-of-truth, not assembled

Request a demo Talk to a solutions architect

RBI-aligned · audit-ready · production-tested

Platform · Compliance module · highlights

01
RBI Digital Lending Guidelines: KFS, cooling-off, fee transparency, grievance
02
IRACP, PSL, DSB, OSS-3, restructuring, recovery + SARFAESI
03
Co-Lending Model (Nov 2020) + Securitisation Master Direction (Sept 2021)
04
Gold Loan, Housing Finance, MSME, KYC Master Directions

Direct lending compliance

Customer-facing artefacts and rights

RBI directive / framework	CortexData implementation
RBI Master Direction — Digital Lending Guidelines (Sept 2022)	Key Fact Statement (Annex II) auto-generation, 7/14-day cooling-off with pro-rata reversal math, fee transparency disclosure, grievance redressal SLA tracking, customer consent ledger
RBI Master Direction — Customer Service in Banks	Banking Ombudsman 30-day SLA tracker, grievance escalation register, ombudsman-route-to-resolution audit trail
RBI Master Direction — Know Your Customer (KYC)	Penny-drop verification, video KYC orchestration, Aadhaar offline XML, PAN, periodic KYC refresh calendar, KYC re-use audit trail under valid consent

Portfolio compliance

Asset classification, exposure, recovery

RBI directive / framework	CortexData implementation
RBI Master Direction — IRACP (Income Recognition, Asset Classification, Provisioning)	Daily NPA classification (Standard / SMA-0/1/2 / Sub-Standard / Doubtful / Loss), provisioning at UCB rates, secured vs. unsecured cuts, monthly IRACP return generator
RBI Master Circular — Priority Sector Lending	PSL classifier at sanction, weaker-sections + MSME-Micro tagging, end-to-end tracking, quarterly PSL Form A return
RBI Master Direction — Resolution Framework / Restructuring	Eligibility gating (ACTIVE + ≥60 days overdue), single non-terminal proposal invariant, dual-control on decide AND activate, board-resolution requirement above threshold
RBI Recovery Guidelines / SARFAESI Act	Append-only legal-escalation tracker (SOFT → DEMAND → LEGAL → SARFAESI 13(2) → 13(4) → SUIT → DECREE → RESOLVED), 60-day cure deadline auto-stamped, threshold gate for SARFAESI
RBI Master Circular — Exposure Norms	Single-borrower exposure cap, group-exposure cap, related-parties register with director-cross-reference, CD-ratio prudential check (warn at 80%, block at 100%)

Product-specific compliance

Per-product regulatory frameworks

RBI directive / framework	CortexData implementation
RBI Master Direction — Gold Loan	Per-pledge LTV math, daily LTV recalc against IBJA spot, margin-call alerts on tier transition, dual-control release, auction governance for unredeemed pledges
RBI Housing Finance Master Direction	LTV bands by ticket size, pre-EMI handling, builder tie-up registry, K-RERA verification adapter for under-construction property
RBI MSME Guidelines (incl. CGTMSE)	MSME classification, CGTMSE coverage workflow, GSTN income verification adapter, restructuring under MSME framework
RBI Master Direction — Co-Lending Model (Nov 2020)	Originator + partner role-split, joint underwriting workflow, single customer interface, daily settlement reconciliation, per-side PSL achievement tracking
RBI Master Direction — Securitisation of Standard Assets (Sept 2021)	MRR / MHP enforcement, true-sale verification, pool eligibility, tranching, RBI quarterly securitisation report
RBI Master Direction — Transfer of Loan Exposures (Sept 2021)	Loan-transfer workflow, beneficial-interest register, partial-transfer support, regulatory disclosure

Regulatory returns

Every return your bank has to file

RBI directive / framework	CortexData implementation
DSB / Form B — Daily Statement of Banking advances	Daily DSB return composing IRACP classification + provisioning + PSL flag, EN/KN/HI rendering, stable document IDs
IRACP Return (monthly)	Pull from active loan book, compute days-as-NPA, apply provisioning by category, render in regulatory format
PSL Form A (quarterly)	Quarter-end PSL achievement by category and weaker-sections, with reconciliation trail
OSS-3 — Quarterly Statement of Advances	PSL-granular sector cuts, RBI 4-tier geography rollup (RURAL / SEMI_URBAN / URBAN / METRO), large-exposure flagging at ₹5 Cr threshold, QoQ growth block
RBI Quarterly Securitisation Report	Pool performance + tranche-level cash-flows + MRR compliance, ready for direct submission
RBI Quarterly Co-Lending Report	Per-partner exposure, PSL achievement split, settlement reconciliation summary

Audit + cybersecurity

Defensible to inspection

RBI directive / framework	CortexData implementation
Audit Log Immutability + 10-year retention	SHA-256 hash chain across the full audit log, periodic verification cron, S3 Object Lock retention sink (COMPLIANCE mode), per-event tamper detection
RBI IT Outsourcing Guidelines	Outsourcing agreement registry, periodic-review calendar, vendor SOC reporting hook, partner due-diligence audit trail
RBI Cyber Security Framework	VAPT-ready posture, network segmentation, secrets management, OWASP-aligned application controls, audit log forwarding to SIEM

Audit chain

Why your audit log can't be tampered with.

Every event — sanction, disbursement, payment, classification change, write-off, recovery — is hashed and chained to the previous event. Tamper with one event and every subsequent hash breaks. The chain runs to an S3 Object Lock retention sink in COMPLIANCE mode.

Step 1

Event

JSON event with entity, action, before/after state, actor, timestamp

Step 2

Hash

SHA-256 of event body + previous-event hash

Step 3

Chain

Append-only chain. Tamper one, every subsequent hash mismatches

Step 4

Sink

S3 Object Lock COMPLIANCE mode. 10-year retention. Immutable by design

Frequently asked questions

Take CortexData to your next regulatory audit.

We'll walk through each Master Direction with your compliance head — and show you exactly where in the platform each requirement is implemented, demonstrated, and logged.

Request a demo Talk to founders