NBFC For IT, CISO, Compliance, Risk & CTO

AI that sits inside your RBI audit perimeter.

Fine-tuned on your credit memos, policies, and regulatory returns. Runs on your hardware. RBI IT Outsourcing Direction + DPDPA 2023 + Section 17(8) 6-hour incident reporting — aligned by design.

Source-Code Escrow 6-Hour Incident Reporting Auditor Walk-In Pilot Pass-Bar Guarantee
audit-perimeter.svg — RBI inspection ready
RBI audit perimeter — OwnAI inside A regulated NBFC perimeter containing the OwnAI deployment, source-code escrow node, SIEM, and an auditor walk-in path. No outbound connection to the public internet. RBI AUDIT PERIMETER · NBFC PREMISES deployment/ OwnAI on your hardware Qwen 3 32B + NBFC adapter Langfuse · Keycloak · Qdrant LIVE your-siem/ SIEM · §17(8) clock escrow/ncc-group Source-code · Day 1 webhook auditors/ RBI inspector · §16(m) Walks in. We meet them. staff/ Credit · Compliance · Branch via SSO · over your LAN PUBLIC INTERNET · NO EGRESS REQUIRED
Built by Rishi Tode · 15 years in semiconductors · Founder & CEO, Reyatech Systems Private Limited · LinkedIn ↗
Glossary — acronyms used on this page
ALMAsset-Liability Management — interest-rate and liquidity gap management mandated by RBI.
NPANon-Performing Asset — loan/advance where interest/principal is overdue per RBI IRACP norms.
IRACPIncome Recognition, Asset Classification & Provisioning norms — RBI prudential guidelines.
NACHNational Automated Clearing House — NPCI-run bulk-payment platform.
FREE-AIRBI's Framework for Responsible and Ethical Enablement of AI — consultative paper, August 2025.
IT Outsourcing MDRBI Master Direction on Outsourcing of IT Services, dated 10 April 2023.
§2 · Use cases

Six workflows for credit, compliance, and branch operations.

Drafting and review assistants for work your credit analysts, compliance officers, and branch staff already do — with audit-grade citation trails on every output.

Credit Memo Drafting UNDERWRITING

Drafts credit assessments from financial statements, bureau reports, and the borrower's filings. Analysts review and decide — never write from scratch.

cites: balance sheets · CIBIL · MCA filings

KYC Document Review KYC MD 2016

Automated extraction and cross-verification of KYC files against the RBI KYC Master Direction. Flags inconsistencies for ops review.

cites: KYC MD 2016 + amendments

RBI Regulatory Reporting RETURNS

Assists in generating RBI returns, ALM reports, IRACP classifications, and large-exposure submissions from your core systems data.

cites: RBI return formats · core-systems data

Compliance Monitoring DRIFT

Continuously screens transactions and policy changes against active RBI Master Directions. Surfaces drift before the next inspection.

cites: active RBI Master Directions

Customer Query Triage FAIR PRACTICE

Triages and drafts responses to routine customer queries with a full audit trail. Branch staff sign and send.

cites: Fair Practice Code · grievance policy

Audit Preparation RBI INSPECTION

Reviews documentation completeness against the most recent RBI inspection guidance. Flags gaps in advance of the scheduled visit.

cites: recent RBI inspection guidance
§3 · Regulatory mapping

Five frameworks, mapped clause-by-clause.

Expand each card for the per-section posture your compliance head will defend in front of an inspector.

RBI IT Outsourcing Master Direction10 April 2023 · §11(g), §11(j), §16(m–o), §17(8)

§16(m–o) — unrestricted audit rights. Your hardware = your auditors and RBI inspectors walk in directly. No vendor intermediation.

§11(g) — source-code escrow with a neutral third party is included from Day 1 of every SOW. No discount tier is allowed to bypass it.

§17(8) — 6-hour incident reporting. Your SIEM sees the event first; no US-vendor latency between event and clock-start.

DPDPA 2023 + DPDP Rules 2025India · Data Protection · Phase 3 binding 13 May 2027

No cross-border transfer. Reyatech operates as Data Processor — DPA template included; we do not become Joint Fiduciary under any circumstance.

Phase 3 obligations bind on 13 May 2027. We are structurally aligned today.

RBI §17(8) — 6-Hour Incident ReportingYour clock · your SIEM · your control

Your SIEM sees every event first because Langfuse runs on your hardware. No US vendor dependency between event and notification.

The 6-hour clock is yours to manage. No "we'll get back to you" from an offshore support queue between the event and your reporting obligation.

RBI FREE-AI FrameworkConsultative paper · August 2025 · binding guidance expected

OwnAI is structurally aligned with FREE-AI's expected hardening:

  • Explainability — citation-grounded RAG; every answer carries source pointers.
  • Auditability — on-prem Langfuse logs, hash-anchored.
  • Traceability — versioned adapters in your model registry.
  • On-prem deployment — production never leaves your hardware.
  • Customer-held model weights — adapter is yours under §7 of the SOW.
Master Direction — IT Governance, Risk, Controls & Assurance7 November 2023 · §16 governance posture

Aligns with the §16 governance posture: clear role allocation, documented risk assessment, periodic third-party review supported.

RACI matrix shipped with every engagement. Customer's IT Risk function retains ownership; Reyatech occupies an advisory + delivery seat.

§4 · Audit-rights deep-dive

Your auditors don't need to leave your premises.

Under §16(m) of the RBI IT Outsourcing Direction, you have unrestricted right to audit Reyatech, our books, and our processes. The mechanical reality of OwnAI makes that straightforward — production runs on your hardware, source code is escrowed, and there is no cloud vendor sitting between your inspector and the evidence.

SOW provisions: §11(g) source-code escrow · §11(j) sub-contractor control · §16(m–o) audit rights · §17(8) 6-hour incident clock — schedule a 30-minute legal walkthrough to review.

  • Production runs on your hardware. Auditors do not need to leave your premises.§16(m)
  • Source code escrowed with a neutral third party on Day 1.§11(g)
  • Adapter weights are yours under §7 of the SOW. Permanent, transferable, irrevocable.§7 SOW
  • RBI inspectors can be walked through the live system. We'll meet you there.§16(o)
§5 · How we compare

Six questions your IT Risk function will ask each vendor.

Compared against the alternatives NBFCs actually evaluate — not strawmen.

Capability OpenAI on Azure IN IBM watsonx M365 Copilot OwnAI
Data residency proof DPA + region pin DPA-based Tenancy-bound On your hardware
§16(m–o) audit fit Vendor-mediated Vendor-led Vendor-led Direct, on-prem
Source-code escrow Not applicable Vendor-only Vendor-only Day-1 escrow
Per-token cost Yes, recurring Yes Per-seat Zero · one-time + AMC
Model swap (vendor exit) Re-platform Re-platform Re-platform Adapter portable to any OSS base
§17(8) 6-hour clock Vendor in path Vendor in path Vendor in path Your SIEM, your clock
§6 · ROI · NBFC scenario

A typical credit + compliance team, costed honestly.

Default: 50 credit analysts + 20 compliance staff. Per-seat tooling baseline. 5-year horizon, including AMC. Substitute your own numbers in the calculator.

All-in cost: setup fee + hardware + 5-year AMC, pre-GST. Cloud baseline assumes per-seat enterprise tooling at current INR ₹ exchange.

§7 · Pilot pass-bar

Pilot pass-bar — what we will refund if we miss.

These are the eval-rubric thresholds we sign in the pilot SOW before kickoff. Miss any of them at the 4-week pilot review and you pay zero. NBFC case studies are in delivery — no production-measured outcomes published yet; honest gap preserved until we have signed customer numbers to share.

PILOT PASS-BAR · REFUND-BACKED
50%
Credit memo first-draft time
Target, against your current baseline across a sample of 50 historical credit memos.
PILOT PASS-BAR · REFUND-BACKED
+60%
KYC review throughput
Target, same headcount, same accuracy bar — measured on a held-out sample of recent KYC files.
PILOT PASS-BAR · REFUND-BACKED
40%
Audit-prep time before RBI inspection
Target, measured on the next scheduled RBI inspection cycle.
Named case studies — under NDA today.
First two NBFC pilots are in delivery; anonymised results publish at Q3. Request a reference call via the discovery call form.
Request a reference call
§8 · NBFC pledges

Four things we will never do — on an NBFC engagement.

Clauses, not slogans. They live in §6 of every NBFC SOW and are countersigned at pilot kickoff.

We never co-mingle customer data across NBFCs. One adapter per customer. Zero cross-customer learning. DPDPA Processor · §2(p)

We never deploy a self-learning production model. Required by supervisory expectations on model risk. RBI §17(7) · Model Risk

We never make production changes outside a customer-approved change-control workflow. IT Governance MD · 7 Nov 2023

We never block your auditor's walk-in. IT Outsourcing MD · §16(m)

Next step

Bring your last RBI inspection report.

A 30-minute call with someone who has read the IT Outsourcing Master Direction line by line. Bring your last inspection findings — anonymised is fine — and we'll walk through how OwnAI would have shortened the audit cycle.

rishi@reyatech.com +91‑7486461783