RBI IT Governance, Risk, Controls and Assurance Practices: Implementation Guide for Indian Banks and NBFCs

RBI IT Governance — GRC RADAR

Published: 30 May 2026 · 18 min read · Category: RBI IT Governance


Introduction

Until November 2023, IT regulation for India’s financial sector was a patchwork. Banks operated under the April 2011 Gopalakrishna Committee guidelines on information security and technology risk, supplemented by the June 2016 Cyber Security Framework. NBFCs with assets above ₹500 crore had the June 2017 IT Framework. Co-operative banks and smaller NBFCs largely operated on the regulator’s general “fit and proper” expectations. The cost of that fragmentation (different controls, different audit expectations, different incident reporting timelines for entities that often shared customers, payment rails, and third-party vendors) became visible after every major outage and every fraud incident that travelled across institutional boundaries.

The Reserve Bank of India closed that gap on 7 November 2023 with the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (RBI/2023-24/107), commonly called the ITGRCA Directions. The Master Direction came into force on 1 April 2024 and replaced the older patchwork with a single, principles-based standard for everyone whose technology stack carries systemic or customer-protection weight. If you are an NBFC in the Middle or Upper Layer, a small finance bank, a payments bank, a credit information company, or any scheduled commercial bank, your IT governance and cyber security obligations now flow from this one document, supplemented by adjacent Master Directions on outsourcing, operational resilience, digital lending, and (from 2026) digital banking authorisation.

This guide is written for the people who actually have to implement it: compliance officers, newly appointed CISOs, IT heads, and founders at small-to-mid Indian NBFCs and banks who do not have a 50-person security team or a seven-figure technology budget. We will cover what the framework requires, who must comply, how to read its governance architecture, what the CISO and committee structure should look like, how cyber incident reporting and business continuity expectations land in practice, and how the 2023 Master Direction interacts with the wave of follow-on directions that have landed in 2024, 2025, and 2026.

We will not tell you that cybersecurity matters. You already know that. What you need is a clear read of the framework and a path to compliance that fits the reality of an Indian NBFC or smaller bank.

What the 2023 Master Direction Is — and What It Replaces

The ITGRCA Directions consolidate two decades of fragmented IT guidance into one document built around seven broad themes: IT governance, IT infrastructure and services management, IT and information security risk management, business continuity and disaster recovery, information systems audit, control of outsourced IT services, and the practices around emerging technologies. The structure borrows in spirit from international standards like COBIT and ISO 27001, but the text is written for India’s regulatory model: board accountability, prescribed committee structures, named officer roles, and a supervisory cycle that depends on documented evidence.

The 2016 Cyber Security Framework remains operative for scheduled commercial banks but its substantive IT-governance content is now subsumed by the 2023 Master Direction. The 2017 NBFC IT Framework remains operative for Base Layer NBFCs under the Scale Based Regulation, but for NBFCs in the Middle, Upper, and Top Layers, the 2023 Master Direction is now the operative text. The practical consequence: if you are reading the 2017 NBFC IT Framework as your primary reference and you sit in the Middle or Upper Layer today, you are reading the wrong document.

Who Must Comply — and Who Doesn’t

The 2023 Master Direction is the centrepiece of current RBI IT governance obligations. It applies to:

  • All Banking Companies (Scheduled Commercial Banks, excluding Regional Rural Banks)
  • Small Finance Banks (SFBs)
  • Payments Banks
  • Non-Banking Financial Companies (NBFCs) classified as Top Layer, Upper Layer, and Middle Layer under the Scale Based Regulation
  • Credit Information Companies
  • All India Financial Institutions — EXIM Bank, NABARD, NaBFID, NHB, and SIDBI

The Directions explicitly do not apply to Local Area Banks, NBFC-Core Investment Companies, or Base Layer NBFCs. Base Layer NBFCs (broadly, smaller NBFCs without public deposits and below the systemic-importance thresholds) remain under the older 2017 NBFC IT Framework, which is lighter in prescriptive detail but still mandates a baseline IT security policy, incident reporting capability, and a vulnerability assessment programme.

For Scheduled Commercial Banks, the 2023 Master Direction sits alongside the 2016 Cyber Security Framework. For NBFCs in the Middle Layer and above, this is the new floor — and audit cycles already initiated in FY2024–25 are now measuring you against it.

The Governance Architecture: Board, Committees, and Named Officers

The clearest signal that the 2023 Master Direction is a governance document, not a checklist, is its insistence on a specific committee architecture. Three structures must exist; they cannot be collapsed into one another.

Board-level IT Strategy Committee (ITSC). A committee of the Board with a minimum of three directors, chaired by an independent director with substantial IT expertise. The ITSC owns IT strategy alignment with business strategy, IT investment prioritisation, risk-appetite oversight for technology and cyber risk, and review of capacity planning. ITSC meets at least quarterly. For smaller NBFCs without a director carrying IT credentials, this is one of the most common gap items in early supervisory reviews, and one that cannot be fixed after the fact: a quarter in which no properly constituted ITSC met stays on the record as a missed meeting, however quickly the committee is constituted afterwards.

Senior-management IT Steering Committee. A management-level committee responsible for translating ITSC direction into operating reality — project prioritisation, vendor selection, the technology investment plan, IS audit response, and incident review. The CISO is a permanent invitee.

Information Security Committee (ISC). A separate senior-management committee with cyber security as its only mandate. The ISC head must be drawn from the risk management vertical, not from IT. This separation is the architectural expression of the principle that information security oversight must not be performed by the people who own IT delivery.

For Indian NBFCs and smaller banks, the most frequent failure mode is folding ISC responsibilities into the IT Steering Committee. That collapse is non-compliant and will be flagged.

The CISO Role — The Single Most Scrutinised Appointment

The CISO appointment is the most prescriptive officer-level requirement in the 2023 Master Direction. Three constraints define the role.

First, the CISO must be a senior-level executive with relevant qualifications and experience — not a designation handed to a mid-level IT manager to satisfy the form.

Second, the CISO must not have a direct reporting relationship with the Head of IT. The Master Direction specifies the reporting line: the CISO reports to the Executive Director (or equivalent executive) overseeing the risk management function — not into the IT delivery line, and not through a business head. The intent is independence: the person responsible for raising cyber risk concerns cannot report to the person whose delivery commitments those concerns might constrain.

Third, the CISO must not be given any business targets. This rules out hybrid roles where the CISO also carries P&L responsibility for a product or service.

The CISO is a permanent invitee to both the IT Strategy Committee and the IT Steering Committee, and is a core member of the Information Security Committee (whose head must be drawn from the risk-management vertical). The CISO is responsible for the information security policy, the cyber security policy, third-party security risk, vulnerability management, incident response, and the periodic security posture report to the Board.

If you are a smaller NBFC where the existing “IT head” has been informally carrying the CISO title alongside infrastructure delivery, that arrangement is non-compliant and needs to be unwound through a clean appointment.

Cyber Incident Reporting — The Six-Hour Clock

Cyber incident reporting obligations sit across two instruments, and getting the source right matters. The 2023 Master Direction requires regulated entities to promptly notify the RBI (Department of Supervision) of significant cyber incidents, but it does not itself prescribe a fixed number of hours. The hard clock comes from CERT-In’s 28 April 2022 Directions under Section 70B of the IT Act, which bind RBI-regulated entities as they bind everyone operating in India (and, for payment system operators, the PSO Master Direction carries its own 6-hour rule). The operative timeline in practice:

  • Initial report within 6 hours of noticing or being notified of a reportable cyber incident — this 6-hour clock is CERT-In’s (for banks, the 2016 Cyber Security Framework set a 2-to-6 hour expectation); RBI’s Department of Supervision is notified in parallel as the Master Direction requires
  • A detailed follow-up report — chronological event reconstruction, impact assessment, control-gap analysis, and remediation plan — on the timeline the supervisor specifies for the incident. Note: the 2023 Master Direction does not fix a single “21-day root-cause” deadline, so do not represent one as a hard rule; scope the detailed-report timing to the applicable RBI/CERT-In instruction
  • Ongoing updates if the picture changes materially after the initial report

The threshold for “significant” is not numerically defined, which means it sits with the CISO and the Information Security Committee to interpret. The defensible interpretation: any incident that affects customer data, customer-facing services, financial transactions, or critical internal systems for more than a transient period. Underreporting carries supervisory consequences; overreporting does not.

NBFCs and smaller banks frequently struggle with the operational reality of a 6-hour clock. The detection-to-report pathway needs to be runbook-driven: an on-call rotation, a defined trigger for incident classification, a templated initial report, a named escalation route to the CISO and ISC, and a parallel CERT-In submission workflow. Without this scaffolding, the 6-hour clock is missed even when the technical team identifies the incident in minutes.
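As an added example (it is not code from the article, the Master Direction or CERT-In), the tracker below makes the runbook's clock explicit. The 6-hour window is CERT-In's; the significance test encodes the article's interpretation of "significant"; the 15-minute "transient" threshold, the 2h/4h internal escalation checkpoints, the treatment of any customer-data exposure as non-transient, and the three incidents are assumptions and constructed sample data for this example. The point it demonstrates is that the clock anchors on first notice (which may be a vendor's e-mail), not on the moment the SOC confirms the incident.

```python
"""Added example (not from the article, the Master Direction or CERT-In): a tracker
for the initial-report clock. The 6-hour window is CERT-In's; the significance test
encodes the article's interpretation; the 15-minute "transient" threshold and the
2h/4h internal escalation checkpoints are assumptions of this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

IST = timezone(timedelta(hours=5, minutes=30))
REPORT_WINDOW = timedelta(hours=6)                      # CERT-In Directions, April 2022
TRANSIENT = timedelta(minutes=15)                       # assumption: shorter impact is "transient"
ESCALATIONS = (timedelta(hours=2), timedelta(hours=4))  # assumption: internal checkpoints, not regulatory
IMPACT_CATEGORIES = {"customer_data", "customer_services", "transactions", "critical_internal"}


def ist(*parts):
    """Build an IST-aware datetime from (year, month, day, hour, minute)."""
    return datetime(*parts, tzinfo=IST)


@dataclass
class Incident:
    ref: str
    first_noticed: datetime            # earliest of own detection or any external notification
    impact: FrozenSet[str]             # subset of IMPACT_CATEGORIES
    impact_duration: timedelta         # how long services or systems were affected
    initial_report_sent: Optional[datetime] = None


def is_significant(inc: Incident) -> bool:
    """Article's reading: customer data, customer-facing services, transactions or
    critical internal systems affected for more than a transient period.
    CERT-In's own list of reportable incident types applies in addition."""
    unknown = inc.impact - IMPACT_CATEGORIES
    if unknown:
        raise ValueError(f"unknown impact category: {sorted(unknown)}")
    if "customer_data" in inc.impact:
        return True          # example's assumption: data exposure is never transient
    return bool(inc.impact) and inc.impact_duration > TRANSIENT


def report_clock(inc: Incident, now: datetime) -> Tuple[datetime, str]:
    """Deadline and status for the initial report. The clock is anchored on
    first_noticed, not on when triage finished or the incident was confirmed."""
    deadline = inc.first_noticed + REPORT_WINDOW
    if inc.initial_report_sent is not None:
        status = "reported-on-time" if inc.initial_report_sent <= deadline else "reported-late"
    elif now > deadline:
        status = "OVERDUE"
    else:
        elapsed = now - inc.first_noticed
        passed = sum(1 for point in ESCALATIONS if elapsed >= point)
        status = ("open", "escalate-to-CISO", "escalate-to-ISC-head")[passed]
    return deadline, status


# Constructed sample incidents.
# Vendor e-mail at 02:10, SOC confirmed the outage at 05:40, report filed 08:30:
# anchoring on confirmation would look on time; anchoring on notice is 20 minutes late.
LATE = Incident("INC-2026-0412", ist(2026, 4, 12, 2, 10),
                frozenset({"customer_services", "transactions"}), timedelta(hours=3),
                initial_report_sent=ist(2026, 4, 12, 8, 30))
# Five-minute blip on an internal tool: below the transient threshold.
BLIP = Incident("INC-2026-0413", ist(2026, 4, 13, 11, 0),
                frozenset({"critical_internal"}), timedelta(minutes=5))
# Customer-data exposure noticed at 09:00, still unreported.
OPEN = Incident("INC-2026-0414", ist(2026, 4, 14, 9, 0),
                frozenset({"customer_data"}), timedelta(0))

if __name__ == "__main__":
    checks = ((LATE, ist(2026, 4, 12, 9, 0)), (BLIP, ist(2026, 4, 13, 11, 30)), (OPEN, ist(2026, 4, 14, 12, 0)))
    for inc, now in checks:
        if is_significant(inc):
            deadline, status = report_clock(inc, now)
            print(inc.ref, deadline.strftime("%Y-%m-%d %H:%M IST"), status)
        else:
            print(inc.ref, "not significant; log internally")
```

The `first_noticed` field is the one the runbook must capture at intake; if the on-call engineer records the time triage completed instead, every status this function returns is optimistic by however long triage took.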

Business Continuity and Disaster Recovery — Tested, Documented, Reviewed

Under the 2023 Master Direction every regulated entity, NBFCs included, must maintain a board-approved BCP and DR framework with the following pieces in place:

  • A documented business impact analysis identifying critical business functions and their recovery priorities
  • Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical system, approved by the ITSC
  • A geographically separate DR site for critical systems, with DR drills conducted at least half-yearly for critical systems (the Master Direction’s cadence) and more frequently for systemically important workloads
  • A documented incident management process linking BCP activation to cyber incident response
  • An annual review of the BCP by the Board

For smaller NBFCs running on cloud infrastructure with managed multi-region failover, the temptation is to treat the cloud provider’s resilience SLA as the BCP. The Master Direction does not accept that substitution. The BCP must be the regulated entity’s own document, reviewed by the regulated entity’s Board, tested by the regulated entity’s staff, with the regulated entity’s own RTO/RPO commitments documented and demonstrated. The cloud provider’s contribution is evidence, not a replacement for the framework.
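As an added example (not code from the article or from any RBI text), the script below turns drill reports into the kind of evidence the previous paragraph asks for: it checks each constructed drill record against the entity's own documented RTO/RPO targets and checks the half-yearly drill cadence for critical systems. The system names, targets and drill timestamps are made-up sample data, and the 183-day tolerance used to operationalise "half-yearly" is this example's assumption.

```python
"""Added example (not from the article or any RBI text): evaluate DR drill
evidence against documented RTO/RPO targets and the half-yearly drill cadence
for critical systems. All systems, targets and drill timestamps are constructed
sample data; the 183-day tolerance for "half-yearly" is this example's assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
MAX_DRILL_GAP = timedelta(days=183)   # assumption: operationalises "at least half-yearly"


def ist(*parts):
    """Build an IST-aware datetime from (year, month, day, hour, minute)."""
    return datetime(*parts, tzinfo=IST)


@dataclass(frozen=True)
class Target:
    system: str
    critical: bool
    rto: timedelta            # maximum tolerable downtime, as approved by the ITSC
    rpo: timedelta            # maximum tolerable data-loss window


@dataclass(frozen=True)
class Drill:
    system: str
    declared: datetime         # DR invoked
    restored: datetime         # service confirmed available at the DR site
    last_replicated: datetime  # newest data present at the DR site at declaration


def rto_achieved(d: Drill) -> timedelta:
    return d.restored - d.declared


def rpo_achieved(d: Drill) -> timedelta:
    return d.declared - d.last_replicated


def evaluate(targets, drills, as_of):
    """Return {system: [findings]}; an empty list means the evidence supports the target."""
    by_system = {}
    for d in drills:
        by_system.setdefault(d.system, []).append(d)
    findings = {}
    for t in targets:
        issues = []
        runs = sorted(by_system.get(t.system, []), key=lambda d: d.declared)
        if not runs:
            issues.append("no drill evidence")
        else:
            if t.critical:
                # cadence: gap between consecutive drills, and time since the latest one
                for a, b in zip(runs, runs[1:]):
                    if b.declared - a.declared > MAX_DRILL_GAP:
                        issues.append(f"gap {a.declared.date()} to {b.declared.date()} exceeds half-yearly cadence")
                if as_of - runs[-1].declared > MAX_DRILL_GAP:
                    issues.append(f"last drill {runs[-1].declared.date()} exceeds half-yearly cadence")
            latest = runs[-1]   # only the most recent drill counts as current evidence
            if rto_achieved(latest) > t.rto:
                issues.append(f"RTO breached: {rto_achieved(latest)} > {t.rto}")
            if rpo_achieved(latest) > t.rpo:
                issues.append(f"RPO breached: {rpo_achieved(latest)} > {t.rpo}")
        findings[t.system] = issues
    return findings


# Constructed sample data.
TARGETS = [
    Target("loan-origination", True, timedelta(hours=4), timedelta(minutes=15)),
    Target("customer-portal", True, timedelta(hours=2), timedelta(minutes=5)),
    Target("hr-intranet", False, timedelta(days=2), timedelta(hours=24)),
]
DRILLS = [
    Drill("loan-origination", ist(2025, 10, 12, 9, 0), ist(2025, 10, 12, 12, 30), ist(2025, 10, 12, 8, 50)),
    Drill("loan-origination", ist(2026, 4, 6, 9, 0), ist(2026, 4, 6, 14, 15), ist(2026, 4, 6, 8, 58)),
    Drill("customer-portal", ist(2025, 9, 20, 22, 0), ist(2025, 9, 20, 23, 30), ist(2025, 9, 20, 21, 40)),
]
AS_OF = ist(2026, 5, 30, 0, 0)

if __name__ == "__main__":
    for system, issues in evaluate(TARGETS, DRILLS, AS_OF).items():
        print(system, "OK" if not issues else issues)
```

A drill that restores service within RTO but loses more data than the RPO allows is still a failed drill, which is why the RPO check reads the replication timestamp at declaration rather than the restore time; a cloud provider's failover SLA says nothing about either number for your specific workload.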

The 30 April 2024 Guidance Note on Operational Risk Management and Operational Resilience layers on top: it expects entities to identify Critical Operations, set impact tolerances, run severe-but-plausible scenario testing, and demonstrate that the institution can continue Critical Operations even when one or more components fail. For NBFCs, this is the first time operational resilience has been codified as a distinct discipline beyond traditional BCP/DR.

Information Systems Audit — The IS Audit Annual Cycle

The 2023 Master Direction expects every regulated entity to maintain an Information Systems audit function that is independent of IT operations. The IS audit:

  • Must be conducted at least annually for critical systems
  • Must cover the full IT governance, infrastructure, operations, security, and outsourcing stack
  • Must be performed by qualified personnel — either an internal IS audit team or a CISA / DISA / equivalent qualified external party
  • Must result in a report to the ITSC and the Audit Committee of the Board, with documented management action plans for findings
  • Must follow up on prior-year findings and document closure evidence

For smaller NBFCs, IS audit is often outsourced to a CERT-In empanelled auditor or a Big Four firm. The Master Direction does not prohibit outsourcing, but it does require that the audit programme — scope definition, finding prioritisation, management response, closure tracking — be owned internally. Handing the entire programme to the auditor without internal ownership is a frequent supervisory finding.

Outsourcing — The Adjacent Master Direction You Cannot Ignore

The 2023 Master Direction expects regulated entities to govern IT outsourcing carefully. The detailed obligations live in a separate document: the Master Direction on Outsourcing of Information Technology Services dated 10 April 2023 (effective 1 October 2023). Read together, they require:

  • A board-approved outsourcing policy with a clear materiality framework
  • Due diligence on every IT outsourcing arrangement, including cloud
  • Risk-based contract terms with audit rights, data ownership, breach notification, sub-contracting restrictions, business continuity commitments, and exit terms
  • An exit strategy for every material outsourcing arrangement, tested for feasibility
  • Ongoing monitoring of service-provider performance, security posture, and concentration risk

For NBFCs specifically, the NBFC (Managing Risks in Outsourcing) Directions, 2025 add a further layer covering cloud, SOC, group entities, and offshore outsourcing. Note also that the 10 April 2023 IT Outsourcing Master Direction gave contracts that pre-dated it until their first renewal or 36 months from issue, whichever came earlier; that window closed on 10 April 2026. If you are still running on a multi-year cloud contract signed before April 2023 that was never re-papered, the contract is already outside its transition window, not merely approaching it.

Cyber Resilience for Payment-Touching Entities

If your NBFC operates a payment system — a wallet, a payment gateway, a card scheme, or a UPI-PSP function — the Master Direction on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (RBI/DPSS/2024-25/123, dated 30 July 2024) applies in addition to the 2023 IT Governance Master Direction. The PSO direction is graded by operator size, with the largest PSOs facing the earliest and most demanding obligations covering governance, baseline security, transaction monitoring, fraud risk management, and customer authentication.

The 2026 Obligations — Now Largely in Force

A second wave of obligations arrived across 2026; as of mid-2026 most are already in force and bear flagging in any current compliance roadmap:

  • 1 January 2026 (in force) — Banks must hold authorisation under the RBI (Commercial Banks – Digital Banking Channels Authorisation) Directions, 2025 to continue offering internet banking, mobile banking, USSD, and SMS channels
  • 31 March 2026 (now passed) — Banks were required to submit board-approved compliance and restructuring plans for group-governance ring-fencing, with full alignment due by 31 March 2028
  • 1 April 2026 (in force) — Banks recalibrate liquidity outflow assumptions for digital deposits; banks and payment providers implement the revised digital payment authentication rules, which require two-factor authentication with at least one dynamically generated factor. (Note: RBI did not ban SMS-OTP outright; single-factor SMS-OTP is simply no longer sufficient.)
  • 1 July 2026 (still in draft, pending notification) — A revised customer-liability framework for digital banking fraud with uniform compensation timelines

NBFCs are not directly subject to all of these — the digital banking authorisation regime is bank-specific — but NBFCs operating digital lending platforms, payment-adjacent services, or co-lending arrangements with banks will feel these obligations indirectly through partner-bank requirements.

Digital Lending — The Operating Constraint

The RBI (Digital Lending) Directions, 2025, effective 8 May 2025, consolidate the 2022 Digital Lending Guidelines and the 2023 Default Loss Guarantee guidelines into one framework. DLA reporting became effective 15 June 2025; multi-lender LSP arrangement provisions came into force 1 November 2025. Every NBFC using a digital channel — whether its own app or a Lending Service Provider — must comply with KFS disclosure, cooling-off rights, grievance handling, data localisation, and the new multi-lender platform transparency rules.

For NBFCs the question is no longer whether digital lending is regulated; it is how the 2023 IT Master Direction’s governance architecture demonstrably governs the digital lending stack. The CISO, ISC, ITSC, and IS audit programme all need to specifically cover the digital lending application, the LSP integration, and the data flows between them.

The Practical Compliance Checklist

A short, working RBI cybersecurity compliance checklist for an SME NBFC or smaller bank under the 2023 Master Direction:

  • Board-level IT Strategy Committee constituted, chaired by an IT-qualified independent director, meeting quarterly with documented minutes
  • Senior-management IT Steering Committee operational, with the CISO as permanent invitee
  • Information Security Committee separate from IT Steering, chaired from the risk vertical
  • CISO appointed, reporting outside the IT delivery line, no business targets
  • Board-approved IT policy, information security policy, cyber security policy, and BCP — reviewed at least annually
  • Risk register covering technology, cyber, and information risk, owned by the CISO and reported to ISC
  • Documented incident response plan with a 6-hour initial-report runbook (CERT-In 2022 clock) and a root-cause / follow-up report template
  • BCP with documented RTOs and RPOs by system, half-yearly DR drill evidence for critical systems, and Board review evidence
  • IS audit programme — annual for critical systems, qualified auditor, ITSC and Audit Committee reporting, prior-year finding closure tracked
  • Outsourcing register, board-approved outsourcing policy, exit strategy for every material arrangement, contract review against the 10 April 2023 Outsourcing MD and (for NBFCs) the 2025 NBFC Outsourcing Directions
  • Vulnerability management programme — vulnerability assessment at least half-yearly and penetration testing at least annually for critical / internet-facing systems, with patch SLAs
  • Asset inventory, configuration baselines, secure software development practices for in-house code
  • Third-party / cloud due diligence file for every material vendor
  • Cyber drill cadence — table-top exercises at least annually, technical exercises aligned to incident-response runbook
  • Documented cyber security training programme for staff and the Board, covering the entity’s obligations under the Master Direction and the adjacent directions

A practitioner who can produce evidence against each of these line items in a supervisory review has the substance of compliance. A practitioner who has documents without exercise evidence has the form but not the substance.

Penalties and Supervisory Consequences

The 2023 Master Direction itself does not specify monetary penalties. Enforcement runs through RBI’s ordinary supervisory and penalty powers under the Banking Regulation Act, 1949 for banks and the Reserve Bank of India Act, 1934 for NBFCs. The realistic enforcement risk profile:

  • Supervisory letters and intensified inspection cycles for incomplete or weak implementation
  • Restrictions on business — fresh branch authorisation, new product approval, fresh borrower onboarding — for entities with material gaps
  • Monetary penalties for specific violations, particularly around incident under-reporting and outsourcing non-compliance
  • For NBFCs, the ultimate sanction is registration cancellation; for banks, it is licence-level action

The pattern over the last three supervisory cycles is that RBI’s preferred enforcement lever is business restriction, not headline-grabbing fines. The cost of weak IT governance shows up as constrained growth.

A Realistic Implementation Roadmap

For a Middle Layer NBFC that has been operating under the older 2017 NBFC IT Framework and is now waking up to the 2023 Master Direction:

Months 0–3. Constitute the ITSC, IT Steering Committee, and ISC. Appoint the CISO with the right reporting line. Adopt board-approved IT, information security, cyber security, BCP, and outsourcing policies. Build the risk register.

Months 3–6. Stand up the incident response runbook. Document the BCP with RTOs/RPOs. Conduct the first annual IS audit. Build the outsourcing register and review every material contract against the 10 April 2023 Outsourcing MD and the 2025 NBFC Outsourcing Directions.

Months 6–12. First DR drill. First Board cyber posture review. First independent VAPT cycle. Close prior-year IS audit findings. Run the first management-level cyber drill.

Months 12+. Embed the annual cycle. Tighten incident-response runbooks against actual incidents. Move from documents to evidence. Prepare for the digital lending, outsourcing 2025, and (for payment-touching entities) the PSO direction overlays.

A twelve-month runway is realistic for an SME NBFC starting from a low base. A six-month runway is realistic only for an entity that already had a serious 2017-framework implementation.

Closing — Substance Over Form

The 2023 Master Direction is unforgiving in one specific way: it is structured around named officers, named committees, and named cycles. You cannot satisfy it with documents alone, and you cannot satisfy it with practice alone. The supervisory review will look for both — the policy, and the meeting minutes that show the policy operating; the BCP, and the drill report that shows it tested; the incident response runbook, and the actual 6-hour report from the last real incident.

For Indian NBFCs and smaller banks, the framework is best read as a forcing function. It pushes you to build the governance architecture you would have built eventually anyway, just earlier than commercial pressure alone would have demanded. The institutions that treat the 2023 Master Direction as a foundation, not as a compliance exercise, will be the ones whose supervisory cycles stop being painful.

The institutions that treat it as a paperwork exercise will find that out the slow way — through the kind of intensified inspection cycle and business-restriction posture that RBI has been increasingly comfortable using.

Start with the committees. Then the CISO. Then the runbooks. Then the evidence. The order matters.