Policy Briefing — RBI IT Governance compliance attestation due by 31 March 2025
Indian banks, NBFC-Upper Layer entities, credit information companies, and payment operators must certify full adherence to RBI’s IT Governance Master Direction by the close of FY 2024-25.
Executive briefing: The Reserve Bank of India’s Master Direction on IT Governance, Risk, Controls and Assurance Practices enters its enforcement phase on 1 April 2025. Regulated entities must complete remediation, board reporting upgrades, and third-party control testing before filing year-end compliance self-assessments covering FY 2024-25.
Deadline deliverables
- Board certification. Boards must review IT governance effectiveness, approve remediation plans, and record the attestation in the board minutes prior to 31 March.
- Independent assurance. Annual audits of critical applications, infrastructure, and cyber defences must be finalised with action plans for control gaps.
- Service provider reviews. Entities must validate exit strategies, data localisation, and incident notification clauses for critical third parties.
Program actions
- Evidence rooms. Assemble documentation for RBI supervisors, including IT strategy committee minutes, risk dashboards, and audit workpapers.
- Scenario testing. Conduct business continuity and cyber incident simulations that demonstrate compliance with Chapter V resilience expectations.
- Supervisory liaison. Engage with RBI inspection teams early to clarify interpretation issues, particularly for NBFC-UL subsidiaries and cross-border outsourcing arrangements.