TL;DR for founders
If your fintech is partnered with a bank or NBFC in India, that partner is now locked into the RBI IT Governance Master Direction dated 7 November 2023 (in force 1 April 2024). Expect: a board-level IT Strategy Committee reviewing your integration, a CISO independently signing off on your security posture, annual Information Systems audits, and contractual flow-down of the RBI's cloud-outsourcing and vendor-risk rules. Budget 4–6 weeks of diligence lead-time per bank partnership, and confirm your SOC 2 / ISO 27001 / VAPT packs are ready. First step this week: map every bank/NBFC relationship and ask each partner's CISO for the IT Governance MD compliance questionnaire.
Who this playbook is for
In scope — Regulated Entities ("REs") that must comply from 1 April 2024:
- Scheduled Commercial Banks — public sector, private sector, foreign, small finance, and payments banks (excluding Regional Rural Banks, which have a deferred/separate implementation track)
- Non-Banking Financial Companies — all NBFCs in the Upper Layer and Middle Layer of the scale-based regulatory architecture, and other NBFCs as notified
- Cooperative Banks — Primary Urban Cooperative Banks, Central Cooperative Banks (CCBs) and State Cooperative Banks (StCBs)
- All India Financial Institutions (AIFIs) — EXIM Bank, NABARD, NHB, SIDBI and NaBFID
- Credit Information Companies — registered under the Credit Information Companies (Regulation) Act, 2005
Contractually in scope (non-REs):
- Fintech partners and technology service providers to the above — contractually bound via outsourcing and vendor-risk clauses traceable to Chapter V of the Master Direction
- Cloud service providers supporting RE workloads
- Managed security service providers, application vendors, and BCP/DR co-location providers
Not in scope:
- Regional Rural Banks (separate RBI implementation path)
- Local Area Banks below the RBI's notified thresholds
- Non-RE fintechs operating purely peer-to-peer without a bank/NBFC partnership — though they should monitor, because SaaS-to-bank vendor onboarding now turns on this MD
Key definitional anchor: the Master Direction uses the term "Regulated Entity" consistently with RBI's scale-based regulatory framework. Where a group entity is both an RE and a SEBI-registered intermediary, it must comply with both the RBI IT Governance MD and the SEBI Cybersecurity and Cyber Resilience Framework (Master Circular dated 20 August 2024 — 'CSCRF').
Prerequisites
Everything below must be in place before the Board can credibly sign off on MD compliance. The Master Direction is a governance instrument — the evidence lives in minutes, charters and audit reports, not in technical consoles alone.
Documents needed:
- Board-approved IT Governance Framework document describing roles, responsibilities and reporting lines of the IT Strategy Committee of the Board ('ITSC'), IT Steering Committee, CIO, CISO and internal IT audit function
- Board-approved Information & Cyber Security Policy ('ISP') — refreshed at least annually; reviewed on material change
- Board-approved IT Outsourcing Policy covering due diligence, contractual risk allocation, cloud governance, concentration risk, and exit management — traceable to Chapter V of the MD and to the RBI Master Direction on Outsourcing of Information Technology Services (where applicable)
- Board-approved Business Continuity Plan ('BCP') and Disaster Recovery Plan ('DRP') with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) per critical service, including at least one annual live DR invocation test
- IT Risk Register maintained by the CISO, mapped to the RE's overall enterprise risk register, reviewed quarterly by the Board Risk Management Committee
- Vendor and cloud inventory with criticality tags (Critical / Material / Non-Material), current DPA/data-localisation posture, and last-reviewed date
- Incident response policy integrating the CERT-In 6-hour reporting obligation under Direction (ii) of the 28 April 2022 CERT-In Directions issued under Section 70B(6) of the Information Technology Act, 2000 ('IT Act')
- Annual IT Assurance Report template aligned with the MD's Chapter VII ('Assurance Practices')
Roles required:
- IT Strategy Committee of the Board — minimum of three Directors, chaired by an independent Director, with at least one technically competent Director; meets at least four times a year
- IT Steering Committee — senior management, chaired by a whole-time Director or a CXO; meets at least quarterly
- Chief Information Officer (CIO) — senior management, reporting to the MD/CEO
- Chief Information Security Officer (CISO) — sufficiently senior, functionally independent of IT operations, with a direct or dotted line to the Risk Committee / Board
- Head of IS Audit — in-house or outsourced; the assurance function must be independent of the CISO and IT operations
Approvals needed:
- Board resolution constituting/reconstituting the ITSC with current terms of reference
- Board resolution approving the current ISP, IT Outsourcing Policy and BCP/DRP
- Annual Board minute noting the IT Assurance Report and directing any corrective action
Step-by-step compliance process
Step 1: Constitute the IT Strategy Committee of the Board (ITSC) and approve terms of reference
What: Formally constitute (or reconstitute) the ITSC under Chapter II of the Master Direction, with the minimum composition, meeting cadence and terms of reference the MD prescribes.
Where: Board meeting; recorded in Board minutes; charter filed with the Company Secretary.
How: Appoint at least three Directors, ensure the Chair is an independent Director and at least one member is technically competent. The ITSC's minimum mandate includes: approving the IT strategy and policy; ensuring IT investments represent a balance of risks and benefits; directing IT risk-management practices; overseeing critical IT projects; and reporting to the Board at least quarterly. Cadence: at least four meetings per financial year, and more during major transformation programmes.
Templates: See Template A under "Template clauses / language" below — IT Strategy Committee Charter (excerpt).
Common mistakes: Treating an IT Sub-Committee of the Audit Committee as the ITSC (it is not — the MD requires a standalone committee); chairing with an executive Director; failing to appoint any technically competent member; missing the quarterly cadence.
Step 2: Anchor the IT governance policy to institutional strategy
What: Document how IT investment, IT risk appetite and IT operating model align to the RE's business strategy, stated risk appetite and capital plan.
Where: Board-approved IT Governance Framework document; referenced in the Board Risk Management Committee charter.
How: Map each IT spend category and each critical IT service to a business line and to a stated risk-appetite threshold. The ITSC must see this mapping annually.
Common mistakes: IT strategy that reads as a three-year vendor wish-list rather than a business-aligned plan; no articulated IT risk appetite; no traceability from board-level strategy to project-level funding.
Step 3: Appoint the CIO and CISO with MD-compliant reporting lines
What: Under Chapter III of the MD, appoint a CIO responsible for IT strategy execution, and a CISO responsible for information and cyber security — with the CISO functionally independent of IT operations.
Where: Board resolution; appointment letters referencing the MD obligations; role description filed with HR.
How: CIO reports to the MD/CEO and chairs the IT Steering Committee; CISO reports to a sufficiently senior officer (Chief Risk Officer or equivalent) with a functional reporting line to the Board Risk Management Committee. Both roles must have sufficient authority, budget, and access to act independently.
Common mistakes: CISO reporting into the CIO (breach of the independence principle); CISO role treated as a part-time charge on an infosec manager; CISO's budget bundled into the IT OpEx with no ring-fence.
Step 4: Establish the IT risk management framework and risk register
What: Build and operate an IT risk management framework with a documented methodology (identification, assessment, treatment, monitoring), a live risk register, and periodic reporting to the Board Risk Management Committee.
Where: Risk register in a controlled repository; reports tabled to the ITSC quarterly and Board Risk Management Committee at prescribed cadence.
How: Adopt a recognised framework such as ISO/IEC 27001 or the NIST Cybersecurity Framework 2.0 (February 2024) as referenced in the MD. Classify risks by inherent/residual rating, map controls, assign owners, set review cadence, and track remediation against timelines.
Common mistakes: Static risk register populated once and never updated; no mapping of technical controls to risks; no evidence that board-level acceptance of residual risks is being exercised.
Step 5: Approve and operationalise the Information & Cyber Security Policy
What: Maintain a Board-approved ISP covering identification, protection, detection, response and recovery across the RE's ICT estate.
Where: ISP document; implementation standards and procedures cascaded below it.
How: Cover at minimum — data classification; access control; cryptography; secure SDLC; network and endpoint security; logging and monitoring; personnel security; third-party security; incident response; BCP/DR. Align obligations with the DPDP Act, 2023, Section 43A of the IT Act, and where applicable the Aadhaar (Data Security) Regulations, 2016. Review annually and on material change.
Common mistakes: ISP silent on cloud controls; cryptography section that does not state a key-management standard; no linkage to the incident response policy.
Step 6: Enforce access controls and privileged access management
What: Implement role-based access control, least privilege, strong authentication, and a dedicated Privileged Access Management ('PAM') solution for administrative access.
Where: Identity and access management stack; PAM tool; HR leaver/joiner/mover process.
How: All administrative access routed through PAM with session recording; just-in-time elevation preferred over standing privilege; multi-factor authentication for all privileged and remote access; quarterly access reviews by business owners; automated leaver-access revocation on the day of separation.
Common mistakes: Shared admin accounts outside PAM; quarterly access reviews that are rubber-stamped; service-account password rotation not enforced.
Step 7: Enforce change management and patch management
What: Operate a formal change management process and a documented patch management policy with criticality-based SLAs.
Where: Change advisory board; configuration management database; vulnerability and patch-management tool.
How: All changes to production must be classified (standard / normal / emergency), risk-assessed, approved by the change advisory board (except pre-approved standard changes), and recorded. Critical vendor patches must be applied within SLAs aligned to the CVSS severity; zero-day patches follow the emergency process. Track patch SLA breach as a KRI on the CISO dashboard.
Common mistakes: "Emergency" change used as a routine bypass; patching SLA tracked at the device level rather than at business-service level.
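As an added example (not from the playbook or the Master Direction), the script below computes the patch-SLA KRI that Step 7 calls for, rolled up to business-service level rather than device level; the SLA day counts, service names, dates and vulnerability ids are constructed assumptions, since the MD requires criticality-based SLAs but prescribes no numbers.

```python
"""Patch-SLA KRI rolled up to business-service level (added example; not from
the Master Direction or the playbook). SLA day-counts and the sample findings
are constructed assumptions: the MD requires criticality-based SLAs but does
not prescribe numbers, so replace SLA_DAYS with the RE's own policy values."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation SLAs per CVSS v3 qualitative severity (policy placeholders).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# Assumed SLA for zero-days routed through the emergency change process.
ZERO_DAY_SLA_DAYS = 2


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating: 9.0+ critical, 7.0+ high, 4.0+ medium, 0.1+ low."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"


@dataclass
class Finding:
    asset: str                 # host / device identifier
    service: str               # business service the asset supports
    cve: str                   # constructed placeholder ids below, not real CVEs
    cvss: float
    discovered: date
    patched: Optional[date]    # None = still open
    zero_day: bool = False     # handled under the emergency change process


def sla_limit(f: Finding) -> Optional[int]:
    """Allowed days to remediate; None for informational (CVSS 0.0) findings."""
    if f.zero_day:
        return ZERO_DAY_SLA_DAYS
    sev = cvss_severity(f.cvss)
    return None if sev == "none" else SLA_DAYS[sev]


def days_over_sla(f: Finding, as_of: date) -> int:
    """Days beyond the SLA (0 if within SLA). Open findings are measured to as_of."""
    limit = sla_limit(f)
    if limit is None:
        return 0
    end = f.patched or as_of
    return max(0, (end - f.discovered).days - limit)


def kri_by_device(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """The device-level view the playbook warns against: one flat breach rate."""
    breached = sum(1 for f in findings if days_over_sla(f, as_of) > 0)
    return {"total": len(findings), "breached": breached,
            "breach_rate": breached / len(findings) if findings else 0.0}


def kri_by_service(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Service-level view: a service is BREACHED if any asset supporting it is
    outside SLA, because one unpatched host exposes the whole service."""
    out: Dict[str, dict] = {}
    for f in findings:
        entry = out.setdefault(f.service, {"findings": 0, "breached": 0,
                                           "days_over": 0, "worst": None})
        over = days_over_sla(f, as_of)
        entry["findings"] += 1
        if over > 0:
            entry["breached"] += 1
            if over > entry["days_over"]:
                entry["days_over"] = over
                entry["worst"] = (f.asset, f.cve)
    for entry in out.values():
        entry["status"] = "BREACHED" if entry["breached"] else "IN_SLA"
    return out


# Constructed sample feed (dates, services and ids are illustrative only).
AS_OF = date(2026, 4, 21)
SAMPLE = [
    Finding("web-01", "Internet Banking", "CVE-PLACEHOLDER-0001", 9.8, date(2026, 4, 1), date(2026, 4, 5)),
    Finding("web-02", "Internet Banking", "CVE-PLACEHOLDER-0001", 9.8, date(2026, 4, 1), None),
    Finding("web-03", "Internet Banking", "CVE-PLACEHOLDER-0001", 9.8, date(2026, 4, 1), date(2026, 4, 6)),
    Finding("web-04", "Internet Banking", "CVE-PLACEHOLDER-0001", 9.8, date(2026, 4, 1), date(2026, 4, 7)),
    Finding("db-01", "Internet Banking", "CVE-PLACEHOLDER-0002", 5.5, date(2026, 3, 1), date(2026, 3, 20)),
    Finding("api-01", "UPI Switch", "CVE-PLACEHOLDER-0003", 7.5, date(2026, 4, 10), None),
    Finding("api-02", "UPI Switch", "CVE-PLACEHOLDER-0004", 8.1, date(2026, 4, 15), date(2026, 4, 16), zero_day=True),
    Finding("hr-01", "HR Portal", "CVE-PLACEHOLDER-0005", 3.1, date(2026, 1, 1), None),
]

if __name__ == "__main__":
    print("device view:", kri_by_device(SAMPLE, AS_OF))
    for svc, e in kri_by_service(SAMPLE, AS_OF).items():
        print(f"{svc:18s} {e['status']:8s} breached {e['breached']}/{e['findings']} "
              f"worst={e['worst']} days_over={e['days_over']}")
```

On the sample feed the device view reports a 25% breach rate, while the service view shows Internet Banking as BREACHED because a single critical host (web-02) is open beyond SLA, which is the distinction the "Common mistakes" line draws.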
Step 8: Run BCP/DR with stated RTO/RPO and live testing
What: Maintain a Business Continuity Plan and Disaster Recovery Plan with service-wise RTOs and RPOs, and conduct at least one annual live DR invocation for critical services.
Where: BCP/DR documents; DR site contracts; test reports tabled before the ITSC.
How: Classify services as Critical / Important / Non-Critical; set RTOs (e.g., internet banking RTO ≤ 30 minutes) and RPOs; conduct a full-switchover DR drill at least once a financial year; document lessons and remediate within 90 days. Table the drill report before the ITSC and Board Risk Management Committee.
Common mistakes: Table-top exercises being reported as "DR drills"; RTOs stated as aspirations but never measured; no alternate site connectivity testing.
Step 9: Operate IT outsourcing due diligence, vendor management and cloud governance
What: Under Chapter V of the MD, enforce a documented approach to outsourcing of IT services covering pre-engagement due diligence, contract requirements, ongoing oversight, concentration risk, and exit management.
Where: Vendor lifecycle management system; outsourcing contracts; cloud governance artefacts.
How: Classify each vendor as Critical / Material / Non-Material. For Critical and Material engagements, perform onboarding due diligence including financial, legal, security (ISO 27001 / SOC 2) and BCP assessment; require contractual audit rights, RBI inspection rights, data-localisation and data-portability clauses, incident notification and cooperation clauses (aligned with CERT-In's 6-hour rule), and an exit plan. For cloud engagements, require clear demarcation of the shared-responsibility model, region restrictions for Indian data, key-management posture, and a written cloud exit plan. Review at least annually.
Common mistakes: Treating SaaS purchases as "non-outsourcing"; contracts that silently waive RBI audit rights to a foreign arbitrator; no cloud exit plan; concentration in a single hyperscaler without an articulated risk acceptance.
Step 10: Commission IS audit and independent assurance
What: Under Chapter VII of the MD, commission an annual Information Systems Audit and ongoing independent assurance covering governance, operations, security and outsourcing.
Where: Internal IS audit function or external audit firm; Audit Committee of the Board and ITSC.
How: The IS audit plan is approved by the Audit Committee of the Board; covers all critical IT systems at least once a year and a rolling coverage of non-critical systems over 2–3 years; uses a recognised methodology (ISACA standards, COBIT, ISO 27001 audit). VAPT of internet-facing applications at least annually and on material change. External penetration testing at a cadence set by the Board. Audit findings tracked to closure with named owners.
Common mistakes: IS audit performed by a team reporting to the CIO (breach of independence); findings open for years with no board-level visibility; VAPT reports not re-tested after remediation.
Step 11: File annual IT assurance and regulatory reporting to RBI
What: File annual IT assurance certifications, incident reports, and any other return prescribed by RBI to its Department of Regulation / Department of Supervision / Cyber Security and IT Examination ('CSITE') Cell.
Where: RBI's prescribed return formats; CSITE portal for scheduled entities; email channels for supervisory correspondence.
How: Maintain a calendar of returns (annual IT assurance summary, BCP-test outcome summary, cyber-incident aggregates, material outsourcing returns). File on time with board-level sign-off. Respond to RBI queries with the ITSC in the loop.
Common mistakes: Treating the assurance certification as a tick-box exercise; missing CSITE supervisory queries; inconsistency between internal audit narrative and the RBI-facing certification.
Step 12: Continuously align with adjacent regulatory frameworks
What: Keep the MD compliance posture aligned with adjacent obligations — CERT-In Directions 2022, RBI Digital Payment Security Controls MD (2021), RBI Cyber Security Framework in Banks (2016) and the UCB graded framework (2019), SEBI CSCRF (2024 + clarifications 2024, 2025), the DPDP Act, 2023 and DPDP Rules 2025, and the Aadhaar Data Security Regulations, 2016 where applicable.
Where: ISP cross-reference annex; compliance calendar; Board Risk Management Committee dashboard.
How: Maintain a control-to-regulation mapping matrix — one control can satisfy multiple frameworks. When any framework issues a clarification or update (e.g., SEBI CSCRF Technical Clarifications of August 2025), refresh the matrix within 60 days and table the delta at the ITSC.
Common mistakes: Running each framework's compliance in a silo; duplicating controls rather than mapping; missing DPDP Rule 7 breach-intimation integration into the incident response runbook.
Timeline
| Milestone | Statutory deadline | Realistic timeline |
|---|---|---|
| MD effective date | 1 April 2024 | — |
| Gap assessment against MD chapters I–VII | — | Month 1–2 from kick-off |
| ITSC reconstitution and charter approval | From effective date | Month 2–4 |
| CIO/CISO appointment with MD-compliant reporting lines | From effective date | Month 2–4 |
| ISP, IT Outsourcing Policy, BCP/DRP refresh and Board approval | Annual | Month 4–6 |
| IT risk register populated and first quarterly review to BRMC | Quarterly | Month 5–6 |
| Vendor/cloud inventory rebaselined and contract remediation kick-off | Ongoing | Month 6–9 |
| First annual IS audit completed | At least annually | Month 9–12 |
| First annual Board-signed IT Assurance Report tabled to RBI | At least annually | Month 10–12 |
| Annual BCP/DR invocation test | At least annually | Month 10–12 |
| SEBI CSCRF / DPDP / CERT-In cross-framework map refresh | Ongoing | Month 11 and on each new framework issuance |
The MD does not grant a blanket transition period beyond its effective date — a Regulated Entity expected to comply from 1 April 2024 must be able to demonstrate operating governance from that date. A 9–12 month remediation runway is a practical project-management view, not a regulatory grace period.
Template clauses / language
Template A — IT Strategy Committee Charter (excerpt)
CHARTER OF THE IT STRATEGY COMMITTEE OF THE BOARD
(Constituted under Chapter II of the Reserve Bank of India (Information Technology
Governance, Risk, Controls and Assurance Practices) Directions, 2023)
1. Composition
1.1 The Committee shall comprise not less than three Directors, of whom:
(a) the Chair shall be an Independent Director;
(b) at least one member shall be technically competent in information
technology matters, as determined by the Board;
(c) the Chief Executive Officer shall be a permanent invitee.
1.2 The Chief Information Officer and the Chief Information Security Officer
shall attend all meetings unless expressly recused.
2. Cadence
2.1 The Committee shall meet at least four times in each financial year, with
not more than four months between any two consecutive meetings.
3. Terms of reference
3.1 Approve the Bank's IT strategy and policy documents and ensure alignment with
institutional strategy.
3.2 Ensure that the Bank has put in place an effective IT governance structure,
IT risk management framework, and IT assurance framework.
3.3 Review, at least annually, the Information & Cyber Security Policy, the IT
Outsourcing Policy, the Business Continuity and Disaster Recovery Plans, and
the IT Risk Register.
3.4 Oversee critical IT projects and material IT outsourcing engagements.
3.5 Review the outcomes of Information Systems audits, VAPT, BCP/DR invocation
tests, and cyber incidents.
3.6 Report to the Board at the end of each meeting and at least quarterly.
Template B — Annual IT Assurance Report — Executive Summary (skeleton)
ANNUAL IT ASSURANCE REPORT — FINANCIAL YEAR [YYYY-YY]
Prepared for: The Board of Directors and the IT Strategy Committee
Prepared by : Chief Information Officer and Chief Information Security Officer
Reviewed by : Head of Internal Audit; External IS Auditor [Firm]
1. Scope — All IT services, applications and infrastructure supporting the Bank's
critical and material business lines, covering on-premises, co-located and cloud
environments.
2. Governance posture
- ITSC met [N] times during the year; attendance [%]; material decisions [list].
- CIO/CISO roles held continuously; independence of CISO confirmed.
3. Control operating effectiveness
- IS Audit completed across [N] critical systems; findings: High [N] / Medium
[N] / Low [N]; closure rate within committed timeline [%].
- VAPT of internet-facing applications conducted [N] times; all High findings
closed and re-tested.
4. Outsourcing and cloud
- Material vendors [N]; annual reviews completed on [N]; exit plans updated
for all Critical vendors.
5. Incident posture
- Reportable cyber incidents [N]; CERT-In notifications filed within the
statutory 6-hour window: [%]. DPDP-reportable breaches [N].
6. BCP/DR
- Live DR invocation completed on [Date]; all Critical services met RTO/RPO;
lessons remediated within 90 days.
7. Board certification
"The Board has reviewed this Report and is of the opinion that the Bank's IT
governance, risk, controls and assurance practices materially comply with the
Reserve Bank of India (Information Technology Governance, Risk, Controls and
Assurance Practices) Directions, 2023."
Internal audit checklist
Run before the Audit Committee of the Board tables the annual IT Assurance Report.
- ITSC composition — current roster has ≥ 3 Directors, Chair is Independent, ≥ 1 technically competent member, CEO standing invitee.
- ITSC cadence — ≥ 4 meetings this financial year, minutes on record, material decisions reported to Board.
- CIO appointment letter — on file; reporting line to MD/CEO.
- CISO appointment letter — on file; functional independence from IT operations confirmed in writing.
- ISP — Board-approved within the last 12 months; version-controlled.
- IT Outsourcing Policy — covers pre-engagement due diligence, contracts, ongoing oversight, concentration risk, and exit management; last Board-approved within the last 12 months.
- BCP/DRP — stated RTO/RPO per Critical service; at least one live DR invocation in the financial year with a documented outcome.
- IT Risk Register — updated within the last quarter; top 10 risks reviewed by BRMC this quarter.
- Vendor inventory — criticality-tagged; all Critical vendors reviewed in the last 12 months; all Material vendors reviewed in the last 18 months.
- Cloud posture — documented shared-responsibility demarcation; Indian-region restriction on Indian data where required; written exit plan for each Critical cloud workload.
- IS audit plan — Audit Committee approved; all Critical systems covered this year; findings tracked to closure.
- VAPT — internet-facing apps tested at least annually; High findings closed and re-tested.
- CERT-In 6-hour integration — incident response runbook triggers the CERT-In email to incident@cert-in.org.in within a 4-hour internal buffer.
- DPDP Rule 7 integration — personal-data breaches trigger parallel intimation to the Data Protection Board of India and to affected Data Principals.
- Cross-framework map — SEBI CSCRF / RBI Digital Payment Security Controls MD / UCB 2019 graded framework / Aadhaar Data Security Regulations reconciled.
What if things go wrong
Failure 1 — CISO reports into CIO
- Symptom: RBI CSITE inspection finding that the CISO lacks functional independence.
- Cause: Legacy reporting line never rewired after the MD came into force.
- Action: Rewire reporting to the Chief Risk Officer with a dotted line to the Board Risk Management Committee; update the Information & Cyber Security Policy; minute the change at the next ITSC; file a corrective action plan with CSITE within the timeline specified in the inspection letter.
Failure 2 — DR drill never actually invoked
- Symptom: "DR tests" reported to the ITSC turn out to have been paper-based table-top exercises.
- Cause: Operational fear of production impact; informal downgrading of a live drill.
- Action: Schedule a live invocation for a Critical service within the next 90 days in an off-peak window; book board-approved downtime; publish lessons to the ITSC; amend the BCP/DR plan to require at least one live invocation per financial year.
Failure 3 — Cloud vendor refuses RBI audit rights
- Symptom: Hyperscaler template contract excludes RBI inspection.
- Cause: Boilerplate adopted without negotiation.
- Action: Negotiate the RBI inspection clause via the vendor's enterprise agreement addendum; where unwilling, document a risk acceptance at the ITSC and the Board Risk Management Committee with a migration plan; engage RBI CSITE proactively if the vendor is Critical.
Failure 4 — Reportable incident missed the CERT-In 6-hour window
- Symptom: SOC analyst logged the incident but runbook escalation stalled overnight.
- Cause: 24×7 on-call was not in place at the CERT-In PoC level.
- Action: File the CERT-In notification immediately with a transparent cover note; file the DPDP intimation under Rule 7 if personal data was involved; brief the ITSC within 72 hours; revise the runbook, refile Annexure II, and stand up a 24×7 on-call.
Failure 5 — Cross-regulator misalignment
- Symptom: Controls inventory prepared for SEBI CSCRF differs from the RBI MD submission.
- Cause: Frameworks run in silos by different teams.
- Action: Build a single controls matrix mapping every control to all applicable frameworks; assign a single control owner; table the matrix at the ITSC; retire duplicate policy clauses.
Founder checklist
- Map every bank/NBFC relationship this week — the MD turns every one of those contracts into a Chapter V outsourcing engagement. Identify who your partner's CISO is and ask for their vendor-due-diligence pack.
- Assemble a "bank-ready" security dossier by 30 June 2026 — ISO 27001 or SOC 2 Type II, latest VAPT report, BCP summary, DPA, data-localisation posture, RBI-inspection clause comfort letter. Budget ₹8–15 lakh for first-time ISO 27001 certification.
- Wire CERT-In reporting into your runbook — your bank partner will contractually demand a 2-hour internal notification window so they can still make their 6-hour CERT-In deadline. Rehearse in a tabletop this quarter.
- Build a cloud exit story — name the primary and secondary cloud, state your data-portability plan, and document how the partner bank can operate if you disappear overnight.
- Escalate any RBI audit-rights clause carve-out — this is the single most common dealbreaker in fintech-bank contracting under the MD; solve it early with an enterprise addendum or accept that the deal will not close.
FAQ
How does this Master Direction interact with the CERT-In Directions of 28 April 2022?
The IT Governance MD operates at the governance and controls layer; the CERT-In Directions operate at the incident-reporting layer. A regulated entity must have board-approved IT governance and cyber-security policies under the MD, and must separately notify CERT-In within 6 hours of any Annexure I incident under Direction (ii) of the 28 April 2022 Directions issued under Section 70B(6) of the Information Technology Act, 2000. Compliance with one does not discharge the other — the controls framework must enable the 6-hour reporting, but filing alone does not demonstrate controls compliance.
If we are a SEBI-registered stockbroker and also a bank, do we follow the RBI MD or the SEBI CSCRF?
Both. The RBI IT Governance MD applies to the banking arm and the SEBI Cybersecurity and Cyber Resilience Framework (Master Circular dated 20 August 2024, as clarified on 31 December 2024 and in August 2025) applies to the SEBI-registered activity. Where controls overlap, the stricter control wins. The IT Strategy Committee minutes should explicitly record the dual-framework position and maintain a control-to-framework mapping matrix to avoid duplicative policy clauses.
Do Primary Urban Cooperative Banks (UCBs) have to comply from 1 April 2024?
Yes — Primary UCBs are within the scope of the IT Governance MD from the common effective date of 1 April 2024, but the graded cyber-security expectations from the RBI circular of 31 December 2019 (Comprehensive Cyber Security Framework for Primary UCBs) continue to apply in parallel depending on the bank's digital-product footprint (Levels I–IV). The IT Governance MD sets governance and assurance obligations; the 2019 framework sets technical control baselines calibrated for the UCB sector. Central Cooperative Banks and State Cooperative Banks are similarly covered.
How does the MD interact with the DPDP Act, 2023 and DPDP Rules 2025?
The MD requires a Board-approved Information & Cyber Security Policy covering personal-data protection obligations under applicable law. Once the DPDP Act, 2023 (Act 22 of 2023) is fully operational with the DPDP Rules 2025 (G.S.R. 846(E), 13 November 2025), every Regulated Entity that is a Data Fiduciary must integrate Rule 6 security safeguards, Rule 7 breach-intimation procedures, and (where notified as a Significant Data Fiduciary) the Section 10 DPDP Act additional obligations into its MD-mandated information-security framework. The DPDP regime is an additional layer, not a substitute — non-compliance exposes the RE to both RBI supervisory action and DPDP Board penalties under Section 33 of the DPDP Act, 2023.
How often must the information security audit be conducted under the MD?
The MD requires an independent Information Systems Audit at least annually and information security audits of critical IT systems at least once every financial year, with reports placed before the ITSC and the Audit Committee of the Board. VAPT of internet-facing applications is expected at least annually, plus post-change VAPT on any material change to the IT environment. Entities with large digital-payment footprints should align cadence with the stricter of (a) this MD, (b) the RBI Master Direction on Digital Payment Security Controls dated 18 February 2021, and (c) any sectoral regulator's framework (such as the SEBI CSCRF for entities that are also SEBI-registered).
Sources
Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 — notified 7 November 2023, effective 1 April 2024. Available at https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=12562
RBI Master Direction on Digital Payment Security Controls — 18 February 2021. Available at https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12032
RBI Cyber Security Framework in Banks — Notification dated 2 June 2016. Available at https://www.rbi.org.in/Commonman/English/scripts/Notification.aspx?Id=1721
RBI Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks — Graded Approach — 31 December 2019. Available at https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NOTI129BB26DEA3F5C54198BF24774E1222E61A.PDF
CERT-In Directions under Section 70B(6) of the IT Act, 2000 — dated 28 April 2022 (No. 20(3)/2022-CERT-In). Available at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) — Master Circular — 20 August 2024, as clarified on 31 December 2024 and in August 2025. Available at https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html
Information Technology Act, 2000 — particularly Sections 43A (sensitive personal data), 70B (CERT-In) and 81 (overriding effect). Available at https://www.indiacode.nic.in/handle/123456789/1999
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), Sections 8 and 10; DPDP Rules 2025 (G.S.R. 846(E), 13 November 2025).
Banking Regulation Act, 1949 — Section 47A (monetary penalties); Reserve Bank of India Act, 1934 — Section 58G (penalties for NBFCs). Available at https://www.indiacode.nic.in/
This playbook is prepared by Veritect Legal Intelligence for general informational purposes and does not constitute legal advice. Regulated Entities should consult qualified counsel for institution-specific advice. Statutory citations are current as of 21 April 2026.