
Policy Briefing — RBI IT Governance Master Direction demands board-owned control evidence by FY 2025

The Reserve Bank of India’s Master Direction on IT Governance, Risk, Controls and Assurance Practices requires banks, NBFC-ULs, payment operators, and credit information companies to document board oversight, resilience testing, and third-party assurance ahead of the 1 April 2025 compliance deadline.

Executive briefing: The Reserve Bank of India (RBI) issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices on 1 April 2024. Regulated entities now face a hard compliance date of 1 April 2025 to operationalise enhanced governance structures, independent assurance, and service-provider controls across the technology estate.

Key requirements

  • Board accountability. Boards must approve an IT strategy and policy, constitute a senior-level IT Strategy Committee, and receive quarterly reporting on cyber incidents, resilience metrics, and project risk.
  • Three lines of defence. The Direction mandates distinct IT risk management, information security, and assurance functions, with annual independent audits of critical applications and infrastructure.
  • Outsourcing controls. Institutions must classify critical service providers, maintain exit plans, and ensure contracts include incident reporting windows, data localisation, and regulatory access rights.

Program actions

  • Gap analysis. Map existing RBI circulars (e.g., cyber security framework for banks, NBFC IT guidelines) to the Master Direction’s 32 control expectations to prioritise remediation by Q4 FY 2024-25.
  • Evidence management. Build board reporting packs that combine technology KPIs, scenario testing results, and audit findings to support the annual self-assessment required under Chapter VII.
  • Vendor governance. Refresh service-level agreements to include RBI-mandated clauses on data residency, subcontractor approvals, and regulator inspection rights.
