S Ravi BSE , Former Chairman, sheds light on the latest RBI mandate, introducing a comprehensive master direction on information technology governance, risk, controls, and assurance practices for Regulated Entities (REs).
In a significant move aimed at streamlining IT and cyber governance, the Reserve Bank of India (RBI) has issued a comprehensive master direction applicable to Regulated Entities (REs), including scheduled commercial banks, small finance banks, payments banks, NBFCs in various tiers, all India financial institutions, and credit information companies. This directive, effective from April 1, 2024, replaces the existing multiple circulars, offering a more cohesive approach to IT administration.
According to S Ravi BSE, Former Chairman, the master direction is designed to facilitate the easy administration of IT and cyber governance and compliance, consolidating and updating previous guidelines. The move is expected to enhance operational resilience and protect customer interests across the diverse landscape of financial institutions.
In the case of foreign banks, the RBI adopts a ‘comply or explain’ approach, providing flexibility in the applicability of these directions. Sethurathnam Ravi explains that foreign banks are not mandated to constitute specific committees at the branch level. Instead, they can leverage controlling offices, head offices, or regional/zonal committees for compliance, ensuring adherence to governance obligations.
The master direction delineates the roles and authorities of the board of directors, board-level committees, and senior management in fulfilling responsibilities to safeguard customer interests. Ravi emphasizes that the directive updates guidelines on IT governance, risk, controls, assurance practices, and business continuity/disaster recovery management.
Mandatory requirements outlined in the master direction include the establishment of a robust IT Service Management Framework to support information systems and infrastructure. This framework aims to ensure the operational resilience of the entire IT environment, including disaster recovery sites. Additionally, REs are mandated to develop a documented data migration policy, emphasizing a systematic approach to data migration that guarantees integrity, completeness, and consistency.
Addressing the growing concerns around cyber and IT fraud, the RBI underscores the importance of IT applications having audit and system logging capabilities, enabling the provision of audit trails. Ravi adds that the directive highlights the adoption of internationally accepted standards for IT infrastructure, ensuring compliance with existing laws and regulatory instructions.
As financial institutions navigate an increasingly digital landscape, the RBI’s master direction seeks to fortify the sector against evolving cyber threats and promote a standardized and secure IT ecosystem.