
RBI Issues IT Governance Master Direction

The Reserve Bank of India has consolidated its information technology governance expectations into a single Master Direction on IT Governance, Risk, Controls and Assurance Practices, requiring banks, larger NBFCs, credit information companies and All India Financial Institutions to evidence board oversight, operational resilience and third-party assurance from 1 April 2024.

Fact-checked and reviewed — Kodi C.


On 7 November 2023 the Reserve Bank of India (RBI) published the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, consolidating earlier circulars and guidelines into a single rule set for regulated entities, with effect from 1 April 2024. The direction applies to scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the Top, Upper and Middle Layers, credit information companies, and the All India Financial Institutions. It mandates board-approved IT strategies, IT and information security risk assessments, third-party governance, business continuity arrangements and an independent information systems audit function, aligned with RBI's cyber resilience expectations. It is RBI's most significant IT governance intervention to date, unifying requirements that were previously scattered across multiple circulars and guidelines.

Regulatory Evolution and Context

India's financial services sector has experienced rapid digitalization, with banks and NBFCs deploying mobile banking, payment systems, and digital lending platforms at unprecedented scale. This transformation expands attack surfaces and creates systemic risks when technology failures affect large customer bases or interconnected payment systems.

RBI has progressively strengthened technology governance expectations through circulars on cyber security frameworks, business continuity planning and outsourcing. The Master Direction consolidates and updates those requirements while raising expectations for board oversight, change management and third-party governance. Regulated entities must treat it as a complete compliance framework that calls for a systematic gap assessment and a remediation plan.

Board and Senior Management Oversight

Regulated entities must constitute a board-level IT Strategy Committee (ITSC), approve an IT governance framework, and monitor risk appetite metrics covering availability, data integrity and cyber security incidents. The ITSC must be chaired by an independent director with substantial IT expertise, have at least three directors as members, and meet at least quarterly to review IT initiatives, risk posture and control effectiveness.

Board-approved IT governance frameworks must address organizational structures, roles and responsibilities, policies and procedures, and performance metrics. Risk appetite statements should quantify acceptable levels of system downtime, data loss, and security incidents with escalation triggers when thresholds are breached. Management information systems should provide boards with timely dashboards tracking technology risk indicators and control performance.

IT Service and Change Management

The direction's IT infrastructure and services management provisions require configuration baselines, secure software development life cycles, segregation of duties, and change approval workflows tied to impact assessment and rollback plans. Service management practices should align with an established framework such as ITIL so that incident management, problem management and service request fulfilment follow consistent, documented processes.

Configuration management requires maintaining accurate inventories of hardware, software and network components, with baseline configurations documented and monitored for unauthorized changes. Change management processes must assess the risk of each proposed change, require an approval authority commensurate with the change's impact, and ensure a rollback procedure exists before deployment. Secure software development practices apply to in-house development and must be contractually required of vendors supplying custom applications.
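The baseline-and-change reconciliation described above, written out as an added example; it is not part of the direction and not RBI-published tooling. It assumes a hypothetical host baseline, a snapshot collected later by a host agent, a minimal change-ticket record, and an approval-authority table keyed by impact level. All paths, file contents, ticket numbers, approver roles and timestamps are constructed for illustration. Drift against the baseline is only "authorized" when a covering ticket passes the segregation-of-duties, approval-authority, rollback-plan and change-window checks the paragraph calls for.

```python
"""Configuration-baseline drift detection reconciled against approved change tickets.

Added example (constructed data, hypothetical policy table); not from the RBI
direction or any RBI tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


def fingerprint(content: bytes, mode: str) -> dict:
    """What the baseline records per item: a content hash plus the permission mode."""
    return {"sha256": hashlib.sha256(content).hexdigest(), "mode": mode}


# Constructed approved baseline for one host (hypothetical paths and contents).
BASELINE = {
    "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\nPasswordAuthentication no\n", "0600"),
    "/etc/pam.d/common-auth": fingerprint(b"auth required pam_unix.so\n", "0644"),
    "/opt/app/config.yaml": fingerprint(b"tls: required\nmax_sessions: 500\n", "0640"),
}

# Constructed snapshot collected later: sshd_config and config.yaml changed, a cron job appeared.
SNAPSHOT = {
    "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\nPasswordAuthentication yes\n", "0600"),
    "/etc/pam.d/common-auth": fingerprint(b"auth required pam_unix.so\n", "0644"),
    "/opt/app/config.yaml": fingerprint(b"tls: required\nmax_sessions: 800\n", "0640"),
    "/etc/cron.d/nightly-sync": fingerprint(b"0 2 * * * root /opt/sync.sh\n", "0644"),
}
SNAPSHOT_TIME = datetime(2024, 6, 12, 3, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ChangeRecord:
    """Minimal approved-change ticket (constructed shape, not an RBI schema)."""
    ticket: str
    paths: tuple
    requested_by: str
    approved_by: str
    impact: str              # low / medium / high; drives the required approval level
    rollback_plan: str       # empty string means no rollback plan was recorded
    window_start: datetime
    window_end: datetime


# Hypothetical policy table: approval authority required per impact level.
REQUIRED_APPROVER = {"low": "it-change-manager", "medium": "change-advisory-board", "high": "cio"}

WINDOW = (datetime(2024, 6, 12, 2, 0, tzinfo=timezone.utc), datetime(2024, 6, 12, 4, 0, tzinfo=timezone.utc))

# Constructed tickets: CHG-1042 is a clean change; CHG-1043 was self-approved, under-approved
# for its impact, and deployed with no rollback plan.
APPROVED_CHANGES = [
    ChangeRecord("CHG-1042", ("/opt/app/config.yaml",), "app-ops", "change-advisory-board", "medium",
                 "restore config.yaml from baseline and restart app", *WINDOW),
    ChangeRecord("CHG-1043", ("/etc/ssh/sshd_config",), "alice", "alice", "high", "", *WINDOW),
]


def detect_drift(baseline: dict, snapshot: dict) -> dict:
    """Return {path: 'modified' | 'added' | 'removed'} for every deviation from the baseline."""
    drift = {}
    for path in set(baseline) | set(snapshot):
        if path not in snapshot:
            drift[path] = "removed"
        elif path not in baseline:
            drift[path] = "added"
        elif baseline[path] != snapshot[path]:
            drift[path] = "modified"
    return drift


def change_is_valid(change: ChangeRecord, observed_at: datetime) -> list:
    """Return the control failures that stop a ticket from authorising the change (empty list = valid)."""
    problems = []
    if change.requested_by == change.approved_by:
        problems.append("segregation-of-duties: requester approved own change")
    if change.approved_by != REQUIRED_APPROVER.get(change.impact):
        problems.append(f"approval authority {change.approved_by!r} insufficient for {change.impact} impact")
    if not change.rollback_plan.strip():
        problems.append("no rollback plan recorded before deployment")
    if not (change.window_start <= observed_at <= change.window_end):
        problems.append("observed outside approved change window")
    return problems


def reconcile(drift: dict, changes: list, observed_at: datetime) -> dict:
    """Classify each drifted path as 'authorized' (with its ticket) or 'unauthorized' (with reasons)."""
    findings = {}
    for path, kind in drift.items():
        covering = [c for c in changes if path in c.paths]
        if not covering:
            findings[path] = {"kind": kind, "status": "unauthorized",
                              "reasons": ["no approved change covers this item"]}
            continue
        reasons = []
        for c in covering:  # one valid ticket is enough; keep the others' failures for the audit trail
            problems = change_is_valid(c, observed_at)
            if not problems:
                findings[path] = {"kind": kind, "status": "authorized", "ticket": c.ticket}
                break
            reasons.extend(f"{c.ticket}: {p}" for p in problems)
        else:
            findings[path] = {"kind": kind, "status": "unauthorized", "reasons": reasons}
    return findings


if __name__ == "__main__":
    for path, finding in sorted(reconcile(detect_drift(BASELINE, SNAPSHOT), APPROVED_CHANGES, SNAPSHOT_TIME).items()):
        print(path, finding)
```

In practice the snapshot comes from a host agent or the CMDB rather than inline data, and every "unauthorized" finding should open an incident rather than just a report line: the sshd change here is a real security regression that a ticket with a self-approval and no rollback plan must not be allowed to launder.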

Third-Party and Outsourcing Controls

Entities must inventory critical service providers, conduct due diligence, formalize exit strategies, and ensure access to audit trails for all outsourced IT and cyber operations. The direction significantly expands third-party governance expectations, recognizing that modern financial institutions rely extensively on technology vendors, cloud providers, and managed service providers.

Due diligence should evaluate vendor financial stability, security certifications, regulatory compliance history, and operational capabilities. Contracts must include provisions for regulatory examination access, data protection requirements, service level commitments, and termination assistance. Exit strategies should address data migration, service continuity, and knowledge transfer enabling transitions to alternative providers without service disruption.

Cybersecurity Framework Requirements

The direction incorporates and expands upon earlier RBI cyber security framework requirements, mandating security operations capabilities, vulnerability management programs, and incident response procedures. Security operations centers should provide continuous monitoring of security events with defined procedures for triage, escalation, and response.

Vulnerability management programs should address timely patching, penetration testing, and security assessment of applications and infrastructure. Incident response procedures must address containment, eradication, recovery, and post-incident analysis with defined communication protocols for regulators and affected parties. Red team exercises and cyber drills should test response capabilities periodically.

Independent Assurance Requirements

Periodic, risk-based information systems (IS) audits must cover application controls, infrastructure hardening, business continuity and cyber incident response, with every finding tracked to closure. The direction widens the assurance scope beyond traditional IT general controls audits by requiring an independent assessment of how effectively technology governance itself operates.

Assurance providers should be qualified and independent, with findings reported to audit committees and boards. Remediation tracking should ensure identified control weaknesses are addressed within reasonable timeframes, with persistent gaps escalated to senior management and boards. External certifications including ISO 27001 may support assurance objectives but do not substitute for full audits addressing direction-specific requirements.

Implementation Timeline and Preparation

The direction took effect on 1 April 2024, under five months after it was issued. Affected entities should conduct gap assessments comparing current practices against each requirement, prioritize remediation by risk and complexity, and maintain implementation plans with milestones, owners and resources. Board and committee charters may need updating to reflect the governance expectations, including the composition and chairmanship of the IT Strategy Committee.

Policies and procedures need review and strengthening against the direction's specific requirements. Third-party contracts may require renegotiation with existing vendors to add examination access, audit-trail and exit provisions. Assurance arrangements should be established with qualified, independent providers capable of delivering the required audit scope.


Source material

  1. Reserve Bank of India, Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 7 November 2023 (rbi.org.in)
  2. Reserve Bank of India press release, RBI issues Master Direction on IT Governance, Risk, Controls and Assurance Practices, 7 November 2023 (rbi.org.in)
  3. ISO 31000:2018, Risk management guidelines, International Organization for Standardization (iso.org)
