Master Direction on IT Governance, Risk, Controls and Assurance Practices from RBI

Objective

Provide a structure and strong governance framework for technology in the Banking and Financial segment. The regulators have been working in this direction of strengthening control frameworks for technology services including outsourcing. This newly released Master Direction shall come into effect from April 1, 2024 and consolidates earlier circulars across a gamut of activities.

Applicability

These guidelines are applicable to the following Regulated Entities (REs), unless explicitly exempted:

• Scheduled Commercial Banks (excluding Regional Rural Banks)
• Small Finance Banks
• Payments Banks
• All Non-Banking Financial Companies (NBFCs) in Top, Upper, and Middle Layers as per Scale-Based Regulation (SBR)
• All India Financial Institutions (NHB, NABARD, EXIM Bank SIDBI, and NaBFID)
• Credit Information Companies

Regulated Entities as defined above need to establish a Governance Framework in technology which is in sync with the entity’s business/strategic objectives. This framework would define authority and responsibilities at each level of management from the Board to Local Area Management Committees. It must encompass adequate oversight mechanisms to ensure technology-related strategic risks.

Need Gap

Digital technology has brought seismic changes in the banking sector and the Master direction addresses the same. This article delves into the key drivers set by regulators to strengthen resilience in the sector.

• Technology has ceased to be a business enabler and become a key part of the strategy
• The advent of digital technology has changed the way banks operate and with the value it has added, there are new types of risks that have come forth
• Co-lending and collaborations between new-age entities and traditional banks have resulted in complexities in managing systems and areas like s such as data security and integrations
• The digital transformation requires agility, scalability, and adaptability. The capability to navigate is crucial for meeting evolving expectations.
• Increased reliance on digital platforms have led to a surge in cybercrimes. The integrity of financial systems becomes a top priority in such cases
• The introduction of regulations with heightened consequences have made compliance of IT security to norms an absolute necessity.

Themes and the Guiding Direction

• Creating role for the Board as regulators have emphasized the establishment of a Board-level IT committee
• Provide a direction for best practices in software development to enhance speed, efficiency, and quality
• Sustaining regular technology updates and creating disaster management plans
• Fortifying the ecosystem with IT risk reviews and comprehensive frameworks
• Enforcing security protocols like data encryption to ensure data security in a sensitive sector
• Monitoring and continuous auditing with detailed reporting to bolster monitoring and supervision needs to be part of a clear directional strategy
• Requirement of robust incident response plans with emphasis on effectiveness and efficiency

This article is an insightful analysis of the pivotal highlights of the comprehensive framework designed to steer financial institutions through the evolving digital landscape.