Executive Perspective
May 26, 2026
The Quiet Death of Annual Compliance
Mahendran Chandramohan
Chief Technology Officer

There is a habit, deeply embedded in most financial institutions, of treating compliance as something that happens once a year. An auditor arrives. Evidence is assembled, often in a scramble. A certificate is issued. Everyone exhales for eleven months. That habit is quietly being made obsolete — not by one regulator, but by almost all of them, at once, and largely independently of each other.

That last part is what makes it worth paying attention to. When a single regulator tightens a rule, it is news for that jurisdiction. When the central banks of Saudi Arabia, Malaysia, Indonesia, India, Singapore and South Africa each move in the same direction inside the same eighteen months — without coordinating — it stops being a local story and becomes a signal about where the entire discipline is heading.

We read these frameworks for a living. Laid side by side, they are converging on one demand, and it is not subtle once you see it.

Prove — continuously, and with evidence — that you can withstand and recover from disruption. Not attest once a year that you could.

This piece walks the evidence market by market, weighted toward the regions where this shift is sharpest and least discussed: the Middle East and Africa, South and Southeast Asia. The conclusion is not a forecast. It is simply what the enacted rules and published supervisory direction already say, when you stop reading them one at a time.

1. The Pattern: One global standard, six regulators, one instruction

Guidance is hardening into mandate. What used to be a recommended practice is becoming an enforceable standard. Point-in-time is giving way to continuous. Annual certification is being supplemented — or replaced — by ongoing monitoring, periodic re-assessment, and tested recovery. And oversight is reaching past the institution into its suppliers, pulling cloud providers and software vendors directly into scope.

None of these regulators cites the others. They are arriving at the same destination because they are responding to the same reality: a financial system that now runs on technology it does not own, facing adversaries who do not wait for the audit cycle.

Saudi Arabia (SAMA)

  • What changed: Cyber Security Framework built on maturity levels, with KPI-based monitoring and quarterly board-level reporting to the regulator
  • The signal: Compliance measured as a maturity you sustain and report — not a box ticked annually

Malaysia (BNM)

  • What changed: Updated RMiT policy effective Nov 2025 turned prior guidance into mandatory standards; a new Technology Requirements policy for payment players follows in 2027
  • The signal: The explicit move from best practice to binding obligation

Indonesia (OJK / BI)

  • What changed: POJK 11 & SEOJK 29 require annual cyber-maturity evaluations; BSSN now expects regular crisis simulations
  • The signal: Preparedness reframed as continuous, not reactive

India (RBI)

  • What changed: IT Governance Master Direction plus Cyber Resilience & Digital Payment Security Controls; tested continuity and zero-trust expectations
  • The signal: From perimeter defence to assumed-breach, tested recovery

Singapore (MAS)

  • What changed: TRM Guidelines and binding notices placing technology risk at board level with continuous oversight expectations
  • The signal: The mature regional benchmark others echo

South Africa (SARB / FSCA)

  • What changed: Joint Standard 2 of 2024 in force since June 2025: continuous monitoring, third-party oversight, periodic audits
  • The signal: Resilience as a named, audited obligation

Six markets. One sentence, written six ways. Now look closer at the three regions that matter most and are talked about least.

2. The Global Thread: PCI DSS already said it out loud

Before walking the regional map, one standard deserves to be set apart from it — because it is not regional at all. Wherever a bank touches card data, in Riyadh or Jakarta or Mumbai or Johannesburg, it answers to the same global rulebook regardless of which central bank supervises it. The Payment Card Industry Data Security Standard is the connective tissue running through every market in this article, and it made the continuous-compliance move earlier and more explicitly than any national regulator.

As of 2026, PCI DSS v4.0.1 is the only active version of the standard, and 2026 is the first full year in which every one of its requirements is validated. The 51 requirements that were future-dated when introduced in v4.0 became mandatory on 31 March 2025. An organisation that validated under the old v3.2.1 mindset, or treated those requirements as optional, fails its next assessment. That much is enforcement reality.

But the detail that matters most for this article is not a deadline — it is the stated intent. The PCI Security Standards Council has been explicit that a central purpose of v4.x is to move organisations away from the annual compliance scramble and toward continuous, business-as-usual security. That is not an outside interpretation. It is the global payment standard, in its own words, defining compliance as something you sustain rather than something you certify once a year.

Why this reframes everything that follows

If the national regulators in the next sections look like they are converging on continuous, evidence-based supervision, it is worth noticing that the world's most widely adopted security standard got there first. The newer requirements make the point concrete: multi-factor authentication expanded across the cardholder data environment, internal vulnerability scanning on a recurring cadence, and dedicated controls against payment-page script tampering and e-skimming. These are not annual checkboxes. They are continuous controls that must be demonstrably operating on any given day.

One honest nuance, because precision matters here: in early 2025 the Council adjusted how the new payment-page script requirements apply to the simplest category of merchants, in response to industry feedback. The underlying security expectation did not vanish — the path to demonstrating it shifted. The direction is unmistakable even where the mechanics are still being refined.

Hold that in mind as the regional picture unfolds. Each national regulator below is, in effect, extending to its whole financial sector a posture that the payment-security world has already normalised.

3. Middle East & Africa: Maturity you have to sustain

Saudi Arabia's approach is instructive because it never pretended compliance was a yearly event. SAMA's Cyber Security Framework is structured around maturity levels that regulated institutions must reach and then hold, with progress monitored through key performance indicators and reported to the board — and, in defined cases, to the regulator on a recurring basis. The question SAMA asks is not "did you pass an audit," but "what is your maturity, and can you show it is being sustained." That is a fundamentally continuous posture, baked in from the start.

South Africa made the same move more recently and more explicitly. The Joint Standard on Cybersecurity and Cyber Resilience, issued by the Prudential Authority and the FSCA, came into force on 1 June 2025. It requires governance, continuous monitoring, third-party oversight and periodic audits across banks, insurers and other institutions. Sitting alongside it, a SARB directive sets something most frameworks only gesture at: a hard recovery-time expectation for critical financial systems — resumption measured in hours, not days.

Why the recovery-time number matters

A two-hour resumption target for critical systems is not a documentation requirement. You cannot write your way to it. It can only be met by an institution that has tested its recovery, instrumented its systems, and can prove the response works under pressure. This is the difference between compliance-on-paper and resilience-in-practice — and regulators are increasingly writing the rules so that only the latter passes.

And both regimes operate over a data-protection layer — South Africa's POPIA, the Gulf's maturing data laws — that constrains how customer and biometric data can be processed even as institutions are told to collect more of it to fight fraud. The privacy obligation and the security obligation are no longer separate conversations.

4. Southeast Asia: Guidance becomes law

If you want the single clearest example of "guidance hardening into mandate," it is Malaysia. In November 2025, Bank Negara Malaysia issued an updated Risk Management in Technology policy that took requirements which had previously sat at the level of recommendation — particularly around authentication, device binding and fraud prevention — and made them mandatory standards. The industry's long, gentle migration away from SMS one-time passwords stopped being encouraged and started being required. A separate Technology Requirements policy for payment-service players extends similar expectations further into the ecosystem, with effect in 2027.

Indonesia tells the continuous-monitoring half of the story most plainly. OJK's technology and cyber-resilience regulations require commercial banks to run cyber-maturity evaluations on an annual cadence across governance, operations, resilience and data protection — not a one-off certification but a recurring measurement. Bank Indonesia's rules for payment-system providers and the national cyber agency's crisis-management expectations reinforce the same idea from different angles: assessment and simulation as a routine, not an event.

Singapore is the benchmark the region quietly measures itself against. MAS's Technology Risk Management Guidelines and their accompanying binding notices put technology and cyber risk squarely at board level and frame oversight as a continuous responsibility. Much of what Malaysia and others are now codifying, Singapore established as expectation years ago.

The Southeast Asian message is unambiguous: the era in which a financial institution could treat a regulator's "guidance" as optional is closing.

5. India: Resilience in the DNA

India's trajectory mirrors the region and adds its own weight. The Reserve Bank of India's Master Direction on IT Governance, Risk, Controls and Assurance Practices, alongside its Cyber Resilience and Digital Payment Security Controls, has moved the sector decisively past perimeter thinking. The operative assumptions now are zero-trust and, crucially, tested business continuity — banks are expected to rehearse large-scale disruption and demonstrate they can respond, not merely document that they have a plan.

Layered on top is India's Digital Personal Data Protection regime. With the DPDP Rules notified in November 2025 and obligations phasing in through 2027, institutions designated as significant data fiduciaries face recurring data-protection impact assessments and independent audits. The forward challenge is precise and operational: building data pipelines that can honour erasure and consent-withdrawal rights while cleanly preserving the transaction and forensic records that banking, anti-money-laundering and dispute-resolution rules require you to keep. Privacy and forensic retention have to be reconciled inside the same system — and regulators will look closely at how.

6. The Reference: Where the model came from

It would be incomplete not to credit the origin. Europe's Digital Operational Resilience Act, in force since January 2025, is the most prescriptive expression of everything described above: continuous ICT risk management, mandatory incident reporting, resilience testing, and direct supervisory reach into critical technology providers. Global standard-setters — the Basel Committee's principles on operational resilience and outsourcing — supplied the reference model that regulators worldwide have drawn inspiration from.

For institutions across MEA, SEA and India, Europe is less a market to serve than a preview of the supervisory logic now arriving locally. The vocabulary differs by jurisdiction; the direction of travel does not.

AI governance and data-localization rules are actively diverging — the EU has just agreed to defer its high-risk AI obligations, while different markets demand data reside in different places. For a bank operating across several of these jurisdictions, that divergence is precisely where the operational pain concentrates. Convergence on resilience does not mean harmony everywhere.

The Implication

Step back from the individual rules and the strategic conclusion is not "there is more regulation." It is that the nature of compliance has changed, and the institutions that internalise this early will spend less and carry less risk than those still running the annual scramble.

Across every market above, the recurring demand is for demonstrable proof: tested recovery, continuous monitoring, sustained maturity, the ability to reconstruct what happened and when. This is, at its core, a forensic discipline applied to compliance — the capacity to reconstruct, attribute and prove. The institutions that generate this evidence as a natural by-product of how they operate hold a structural advantage over those who assemble it under audit pressure, because the audit is no longer a single moment they can prepare for.

There is a tempting half-truth worth naming: that a genuinely secure organisation is automatically compliant. It is only half true. Real security satisfies the substance of these regimes — but compliance also carries procedural obligations (registrations, reporting cadences, documented assessments) that security alone does not discharge. The honest formulation is narrower and more useful:

  • A secure organisation is not automatically compliant — procedure still matters.
  • But a merely compliant organisation is no longer secure — because compliance is now continuous, and a once-a-year posture cannot keep pace with continuous expectations.

Which leaves one practical question for every security and risk leader reading their own regulator's latest standard: can your organisation prove, on any given day rather than one day a year, that its critical services are secure, resilient and recoverable? If the answer requires a scramble, the gap is already a compliance gap — today's regulators have defined it that way.

The shape of the answer

If periodic certification is dying, what replaces it is not more frequent audits — it is a different operating model. One control fabric that produces durable, queryable evidence continuously, mapped once and satisfying many regulators at once. Evidence by design rather than evidence by scramble. The industry is converging on a name for this posture:

Forensics-driven, continuous compliance.

It is no longer the ambitious end of the market. Read the rules side by side, and it is rapidly becoming the baseline.

A note on sources and currency. This article draws on enacted regulations and published supervisory direction as of 2026, including: SAMA's Cyber Security Framework (Saudi Arabia); Bank Negara Malaysia's RMiT policy (updated November 2025) and Technology Requirements PD; OJK POJK 11 / SEOJK 29 and Bank Indonesia payment-system rules (Indonesia); the RBI Master Direction on IT Governance and Cyber Resilience & Digital Payment Security Controls, and the DPDP Rules 2025 (India); the MAS Technology Risk Management Guidelines (Singapore); the SARB/FSCA Joint Standard 2 of 2024 and POPIA (South Africa); and, as global reference, the EU's DORA and the Basel Committee principles. Regulatory timelines move quickly — specific dates and obligations should be re-verified against the regulator's own publications before any institution relies on them.
