The RBI's new master direction will let regulated entities (REs) manage IT and cyber governance and compliance under a single framework instead of the various circulars currently in force. The comprehensive Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices takes effect on April 1, 2024 for REs, which include scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the top, upper and middle layers, all-India financial institutions, and credit information companies. S Ravi, former BSE Chairman, explains how this will simplify the administration of IT and cyber governance and compliance in place of the prevalent multiple circulars.
S Ravi, former BSE Chairman, explains that foreign banks will be subject to a ‘comply or explain’ approach regarding the applicability of these Directions, and that they need not constitute at the branch level any of the committees (Board or Executive level) referred to in this Master Direction. They have the flexibility to leverage controlling office/head office/regional/zonal committees for compliance with this Master Direction, as long as the governance obligations and responsibilities outlined for the prescribed committees are met.
The master direction clearly defines the role (and authority) of the REs’ boards of directors, board-level committees, and senior management in carrying out their responsibility to protect consumer interests. The former BSE Chairman makes it clear that it consolidates and updates previously issued guidelines, instructions, and circulars on IT governance, risk, controls, assurance practices, and business continuity/disaster recovery management.
S Ravi also points out that while approval of strategies and policies for the IT function rests with the Board, these directions place responsibility on the CEO to institute effective oversight of the planning and execution of the IT strategy, to ensure that the RE’s cyber security posture is robust, and to ensure that IT as a whole contributes to productivity, effectiveness and efficiency in business operations. The directions designate a Chief Information Security Officer (CISO) who is responsible for driving IT/cyber security, compliance, and related regulatory requirements, as well as managing the RE’s policies. From a regulatory standpoint, REs must verify that an adequate vendor risk assessment process is in place, with controls proportionate to the assessed risk and materiality. Furthermore, REs are responsible for maintaining an enterprise data dictionary to enable data exchange across applications and information systems.
S Ravi also notes that the RBI, through its master direction, has recognised the increased relevance of IT infrastructure in the financial services space. It has detailed the mandatory implementation and review of IT systems and applications in order to keep a check on processes, data security and integrity, disaster recovery management and business continuity, so as to protect the interests of the various stakeholders, including customers.
The directions mandate the adoption of several procedures and processes, such as IT strategic planning, Service Level Management (SLM), and a product approval and quality assurance process (for new IT-based business products), to ensure that the banking sector delivers secure products and services to its clients. Sethurathnam Ravi, former BSE Chairman, concludes that in this era of digitisation and increasing threats, the master direction provides the structure and procedures required to secure banking systems.