Governance Briefing — March 31, 2025
Reserve Bank of India’s IT Governance Master Direction reaches its full-compliance deadline for NBFC-Upper Layer entities and payment operators, requiring board technology risk committees and independent assurance routines.
Executive briefing: RBI’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices mandates that by 31 March 2025 all NBFC-Upper Layer entities and critical payment operators complete implementation. Boards must approve IT governance frameworks, constitute technology strategy committees, and oversee independent assurance of cyber and resilience controls.
Key governance signals
- Board-level committees. Entities must maintain board-approved IT strategy committees and audit committees reviewing technology risk posture.
- Independent assurance. Annual third-party assessments of cybersecurity, cloud governance, and business continuity are required with reporting to the board.
- Risk appetite alignment. Boards must integrate IT risk metrics into enterprise risk appetite statements and monitor key risk indicators monthly.
Action checklist
- Finalize board charters for IT strategy committees, including escalation thresholds and reporting cadence.
- Complete independent audits of cybersecurity controls, cloud configurations, and disaster recovery with remediation plans tracked by the board.
- Update risk appetite dashboards to include IT service availability, cyber incident metrics, and third-party resilience indicators.
Sources
- RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices, 2023
- RBI clarification on implementation timelines for NBFC-UL and payment operators
Zeph Tech helps Indian board technology committees establish risk dashboards, assurance programs, and remediation governance for the March 2025 deadline.