The Reserve Bank of India on 20th October 2022, has notified a Draft Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, to be implemented by the Regulated Entities (REs).
These Directions incorporate consolidated and updated guidelines/ instructions/ circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management. These Directions shall come into effect six months from the date of issue, i.e., date on which the final Master Direction is placed on the official website of the Reserve Bank of India (RBI).
These Directions shall apply to the following Regulated Entities (REs) unless explicitly exempted:
- Scheduled Commercial Banks (excluding Regional Rural Banks);
- Small Finance Banks;
- Payments Banks;
- All Non-Banking Financial Companies (NBFCs) in Top, Upper and Middle Layers as per Scale Based Regulation (SBR)
- All India Financial Institutions (NHB, NABARD, EXIM Bank SIDBI and NaBFID); and
- Credit Information Companies.
REs shall put in place a robust IT Governance Framework comprising of governance structure and processes necessary to meet the RE’s business/ strategic objectives. The governance framework shall specify the role (including authority) and responsibilities of the Board of Directors (Board) / Board level Committee/ Local Management Committee (in case of foreign banks operating as branches in India) and Senior Management. The Framework must, inter alia, include adequate oversight mechanisms to ensure accountability and mitigation of business risks.
The key focus areas of IT Governance shall include strategic alignment, value delivery, risk management, resource management, performance management and Business Continuity/ Disaster Recovery Management.
Strategies, Policies related to IT, Information Systems (IS), Business Continuity, Information Security, Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) shall be approved by the Board and reviewed at least annually. Enterprise-wide risk management policy or operational risk management policy needs to incorporate IT-related risks also.