Policy · Credibility 96/100 · 2 min read

Policy Briefing — RBI Issues IT Governance Master Direction

The Reserve Bank of India finalised a unified IT Governance, Risk, Controls and Assurance Master Direction, forcing banks, NBFC-Upper Layer entities, and payment operators to evidence board oversight, resilience, and third-party assurance before April 2025.

Executive briefing: On 31 May 2024 the Reserve Bank of India (RBI) published the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, consolidating earlier circulars into a single rule set for regulated entities. The direction applies to commercial banks (excluding regional rural banks), NBFCs in the Upper Layer, credit information companies, and select payment system operators. It mandates board-approved IT strategies, risk assessments, third-party governance, and independent assurance frameworks that align with RBI’s cyber resilience expectations.

Key requirements

  • Board and senior management oversight. Regulated entities must establish a board-level IT strategy committee, approve an IT governance framework, and monitor risk appetite metrics covering availability, data integrity, and cybersecurity incidents.
  • IT service and change management. Chapters IV and V enforce configuration baselines, secure software development life cycles, segregation of duties, and change approval workflows tied to impact assessment and rollback plans.
  • Third-party and outsourcing controls. Entities must inventory critical service providers, conduct due diligence, formalise exit strategies, and ensure access to audit trails for all outsourced IT and cyber operations.
  • Independent assurance. Annual audits must cover application controls, infrastructure hardening, business continuity, and cyber incident response, with remediation tracked to closure.

Implementation timeline

  • Effective date. The Master Direction takes effect on 1 April 2025, giving regulated entities ten months to close gaps across governance, risk management, and assurance controls.
  • Interim monitoring. RBI expects boards to receive quarterly progress updates during the transition, with supervisors entitled to request evidence of remediation planning at any time.
  • Legacy circular alignment. The direction supersedes earlier IT outsourcing and cybersecurity circulars; entities must reconcile inherited controls and retire superseded procedures.

Program actions

  • Gap analysis. Map current IT governance artefacts against the Master Direction’s chapters to prioritise policy updates, committee charters, and assurance testing.
  • Vendor governance uplift. Refresh outsourcing registers, service-level agreements, and termination playbooks so material vendors meet RBI’s access, audit, and localisation expectations.
  • Evidence management. Instrument dashboards that surface risk appetite metrics, change records, and audit findings for board reporting and supervisory on-site reviews.

Zeph Tech is helping Indian financial institutions and payment operators operationalise the Master Direction with programme roadmaps, outsourcing governance packs, and assurance tooling.
