RBI Master Circular No: RBI/DNBS/2016-17/53 (08-Jun-17) Master Direction - Information Technology Framework for the NBFC Sector

Master Direction DNBS.PPD.No.04/66.15.001/2016-17

In exercise of the powers conferred in terms of clause (b) of sub-section (1) of 45-L of the Reserve Bank of India Act, 1934 (Act 2 of 1934), the Reserve Bank of India being satisfied for the purpose of enabling it to regulate the credit system of the country to its advantage it is necessary so to do, hereby issues Master Directions - Information Technology Framework for the NBFC Sector, 2017 hereinafter specified.

Dr. Sathyan David,

Chief General Manager

Enclosure: Information Technology Framework for NBFC Sector- Directions


The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.

2. Accordingly, directions on IT Framework for the NBFC sector that are expected to enhance safety, security, efficiency in processes leading to benefits for NBFCs and their customers are enclosed. NBFCs may have already implemented or may be implementing some of the requirements indicated in the circular. NBFCs are therefore required to conduct a formal gap analysis between their current status and stipulations as laid out in the circular and put in place a time-bound action plan to address the gap and comply with the guidelines. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions.

3. The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The directions are categorized into two parts, those which are applicable to all NBFCs with asset size above ` 500 crore (Considered Systemically Important) are provided in Section-A. Directions for NBFCs with asset size below ` 500 crore are provided in Section-B.

4. NBFCs may place these directions before their Board, together with a gap-analysis vis-a-vis the Master Direction and the proposed action by September 30, 2017.

5. NBFCs- Systemically Important shall comply with the Master Directions by June 30, 2018 and other NBFCs (asset size below ` 500 crore) shall comply by September 30, 2018.



1. IT Governance

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC''s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees.

The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.

1.1 IT Strategy Committee: NBFCs are required to form an IT Strategy Committee. The chairman of the committee shall be an independent director and CIO & CTO should be a part of the committee. The IT Strategy Committee should meet at an appropriate frequency but not more than six months should elapse between two meetings. The Committee shall work in partnership with other Board committees and Senior Management to provide input to them. It will also carry out review and amend the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance. Its deliberations may be placed before the Board.

1.2 Roles and Responsibilities of IT Strategy Committee: Some of the roles and responsibilities include:

· Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place;

· Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business;

· Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable;

· Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources;

· Ensuring proper balance of IT investments for sustaining NBFC''s growth and becoming aware about exposure towards IT risks and controls.


2. NBFCs may formulate a Board approved IT policy, in line with the objectives of their organisation comprising the following:

a. An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC;

b. NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.

c. To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available.

d. The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012)


3. Information Security

Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a board approved IS Policy with the following basic tenets:

a. Confidentiality -- Ensuring access to sensitive data to authorized users only.

b. Integrity -- Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization.

c. Availability -- Ensuring that uninterrupted data is available to users when it is needed.

d. Authenticity -- For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine.

3.1 The IS Policy must provide for a IS framework with the following basic tenets:

a. Identification and Classification of Information Assets. NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.

b. Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT