The Reserve Bank of India has issued new master directions encompassing ‘information technology governance’, along with risk management, control measures, and assurance processes for regulated entities (REs) such as banks and non-banking financial companies (NBFCs).
These directions will come into effect from April 1, 2024. They are not applicable to Local Area Banks and NBFC-Core Investment Companies. The key focus areas of IT governance will include strategic alignment, risk management, resource management, performance management, and business continuity and disaster recovery management.
Under this, REs will put in place a robust IT Governance Framework based on the aforementioned focus areas. The framework specifies the governance structure and processes necessary to meet the RE’s business/strategic objectives; specifies the roles (including authority) and responsibilities of the Board of Directors / Board-level Committee and Senior Management; and includes adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
The REs will establish a Board-level IT Strategy Committee. The Senior Management of the RE will ensure execution of the IT strategy approved by the Board. REs will appoint a sufficiently senior, technically competent official experienced in IT-related aspects as Head of IT Function. The Head of IT Function shall ensure effective assessment, evaluation and management of IT controls and IT risk, including the implementation of robust internal controls, to secure the RE’s information assets and comply with extant internal policies and regulatory and legal requirements on IT-related aspects.
The master direction is available on the RBI website.