RBI Mandates IT Services Framework for REs – An analysis by S Ravi, former BSE Chairman
23rd January 2024
S Ravi, former BSE Chairman, shares information on the latest RBI-mandated IT Services Framework for REs. The new comprehensive master direction on information technology governance, risk, controls and assurance practices is to be implemented by Regulated Entities (REs), comprising scheduled commercial banks (excluding regional rural banks); small finance banks; payments banks; NBFCs in top, upper and middle layers; all India financial institutions; and credit information companies. Effective from 1st April 2024, it shall facilitate the easy administration of IT and cyber governance and compliance, in place of the prevalent multiple circulars.
S Ravi, former BSE Chairman, informs that in the case of foreign banks, the directions state that they shall be subject to a ‘comply or explain’ approach in terms of the applicability of these Directions, and that they do not need to constitute at the branch level any of the Committees (Board or Executive level) referred to in this Master Direction. He explains that they have been given the flexibility to leverage controlling office/ head office/ regional/ zonal Committees for compliance with this Master Direction, as long as the governance obligations/responsibilities outlined for the prescribed committees are met.
According to S Ravi, former BSE Chairman, the master direction clearly outlines the role (including authority) of the board of directors, board-level committee and senior management of these REs in discharging their responsibilities to protect the interests of customers. It also consolidates and updates the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management issued earlier.
The former BSE Chairman affirms that the master direction makes it mandatory for the REs to put in place a robust IT Service Management Framework for supporting their information systems and infrastructure, to ensure the operational resilience of their entire IT environment (including Disaster Recovery sites). Further, it stresses the need to have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency.
In the wake of cyber and IT fraud, RBI in its master direction has stressed the need for IT applications to have the necessary audit and system logging capability and the ability to provide audit trails. Sethurathnam Ravi, former BSE Chairman, further asserts that, in order to strengthen the IT infrastructure, the RBI through its direction highlights the need to adopt internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable, and for the configurations involved in implementing controls to be compliant with extant laws and regulatory instructions.