Policy Briefing — RBI IT Governance Master Direction demands board-owned control evidence by FY 2025
The Reserve Bank of India’s Master Direction on IT Governance, Risk, Controls and Assurance Practices requires banks, NBFC-ULs, payment operators, and credit information companies to document board oversight, resilience testing, and third-party assurance ahead of the 1 April 2025 compliance deadline.
Executive briefing: The Reserve Bank of India (RBI) Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices came into effect on 1 April 2024. Regulated entities face a compliance date of 1 April 2025 to operationalise the enhanced governance structures, independent assurance, and service-provider controls it requires across the technology estate.
Key requirements
- Board accountability. Boards must approve an IT strategy and policy, constitute a senior-level IT Strategy Committee, and receive quarterly reporting on cyber incidents, resilience metrics, and project risk.
- Three lines of defence. The Direction requires distinct IT risk management, information security, and assurance functions, including annual independent audits of critical applications and infrastructure.
- Outsourcing controls. Institutions must classify critical service providers, maintain exit plans, and ensure contracts include incident reporting windows, data localisation, and regulatory access rights.
Program actions
- Gap analysis. Map existing RBI circulars (e.g., cyber security framework for banks, NBFC IT guidelines) to the Master Direction’s 32 control expectations to prioritise remediation by Q4 FY 2024-25.
- Evidence management. Build board reporting packs that combine technology KPIs, scenario testing results, and audit findings to support the annual self-assessment required under Chapter VII.
- Vendor governance. Refresh service-level agreements to include RBI-mandated clauses on data residency, subcontractor approvals, and regulator inspection rights.