The Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 is issued to incorporate, consolidate and update the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/Disaster Recovery Management.
These Directions shall come into effect from April 1, 2024. These Directions shall be applicable to the following entities (collectively referred to as ‘regulated entities’ or ‘REs’ in these Directions):
- All Banking Companies, Corresponding New Banks and State Bank of India as defined under subsections (c), (da) and (nc) of section 5 of the Banking Regulation Act, 1949 (collectively referred to as ‘commercial banks’ hereinafter).
- Non-Banking Financial Companies (hereinafter referred to as ‘NBFCs’) as defined under clause (f) of section 45I of the Reserve Bank of India Act, 1934 and included in the ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’.
- Credit Information Companies as defined under clause (e) of section 2 of the Credit Information Companies (Regulation) Act, 2005 (hereinafter referred to as ‘Credit Information Companies’ or ‘CICs’).
- EXIM Bank, National Bank for Agriculture and Rural Development (‘NABARD’), National Bank for Financing Infrastructure and Development (‘NaBFID’), National Housing Bank (‘NHB’) and Small Industries Development Bank of India (‘SIDBI’) as established by the Export-Import Bank of India Act, 1981; the National Bank for Agriculture and Rural Development Act, 1981; the National Bank for Financing Infrastructure and Development Act, 2021; the National Housing Bank Act, 1987 and the Small Industries Development Bank of India Act, 1989 respectively (hereinafter referred to as ‘All India Financial Institutions’ or ‘AIFIs’).
These Directions shall not be applicable to:
- Local Area Banks
- NBFC-Core Investment Companies