RBI Master Directions Guide for IT Governance & Cyber Resilience


For financial institutions in India, the arrival of the Reserve Bank of India (RBI) Master Directions signals a major shift. The regulatory bar has moved. More than ever, boards and senior leadership must treat technology risk and cybersecurity as core strategic issues.

In this comprehensive guide, we walk you through the essential mandates introduced by the RBI Master Directions, show why they matter, and highlight how organisations can adapt.

If you are a CISO, IT Head or senior leader, you’ll see how this goes beyond compliance and moves into genuine operational resilience.


Understanding RBI Master Directions

Let’s revisit the basics first. The term “RBI Master Directions” refers to regulatory pronouncements by the RBI that consolidate and update rules for regulated entities.

In our context the two major ones are:

  • The Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (ITG-RC&AP), 2023, which becomes effective from 1 April 2024.
  • The Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs), 2024, issued on 30 July 2024.

Together these directions clearly signal the RBI’s enhanced expectations for IT governance, third-party risk, continuity management and payment-security controls. For a better understanding of who needs to comply with the RBI regulations and how to do so successfully, read our blog post on Implementation Guidelines for RBI Master Directions.

Enhanced IT governance for Regulated Entities (REs)

This section presents the key mandates of the ITG-RC&AP directive and their implications.

1. Applicability

This Master Direction applies to “Regulated Entities” (REs) including scheduled commercial banks, small finance banks, payments banks, credit information companies, and NBFCs in the top/upper/middle layers, as well as All India Financial Institutions (AIFIs).

2. Board oversight and strategy

The board must approve and annually review strategies and policies in areas such as IT, information security, cybersecurity and business continuity/disaster recovery. In other words, top leadership cannot delegate these into oblivion.

3. IT Strategy Committee (ITSC)

REs are required to set up an IT Strategy Committee. This committee must meet at least quarterly. The chairperson has to be an independent director with significant IT experience (minimum seven years). The committee must ensure that the IT budget aligns with the institution’s digital maturity and threat environment.

4. CISO independence

A senior executive (at the level of General Manager or equivalent) must be designated as the Chief Information Security Officer (CISO). Importantly, the CISO must not report directly to the Head of IT but should instead report to the Executive Director (or equivalent) overseeing risk management. The CISO must present cybersecurity preparedness quarterly to the board or the risk/IT oversight committee.

Why this matters

In our experience, many financial institutions treated cybersecurity as just a technical function under IT. The RBI’s Directions force a governance-first mindset: board accountability, an independent voice for cybersecurity, and quarterly review cycles. These are all intended to elevate cyber risk to board-level visibility and make it part of strategic decision-making.

Operational resilience and third-party risk management

The revised RBI Master Directions drive forward operational resilience and vendor risk in a way that is more prescriptive than many prior guidelines.

1. Vulnerability assessment & penetration testing

Critical systems (and systems in the DMZ with customer interfaces) must undergo vulnerability assessments at least every six months, and penetration testing at least once a year.

2. Disaster recovery drills

For critical systems, disaster recovery drills are mandated at least half-yearly. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) must be minimised (“near-zero” RPO for critical systems). The configuration at primary data-centre (DC) and DR site must be identical.

3. Vendor management and escrow/source-code requirement

For critical applications, vendors must either provide the source code or place it in escrow. REs must assess vendor risk, avoid single-point failure concentration, and ensure their third-party relationships do not undermine resilience.

Why this matters

Ransomware, supply-chain risk and third-party failures have become very real. These mandates ensure that resilience is tangible rather than theoretical: you test your DR, confirm you can actually recover, and keep vendors under scrutiny. In our experience, executing such drills, obtaining escrow arrangements and budgeting for vendor risk are where many organisations struggle.

Digital payment security controls for non-bank PSOs

The RBI mandates key technical controls for all applicable entities. For non-bank payment system operators (PSOs) specifically, the RBI has set out detailed mandates in the 2024 Master Directions.

1. Applicability & timeline

The Directions apply to authorised non-bank PSOs. The compliance timeline is phased: large PSOs by April 1, 2025; medium PSOs by April 1, 2026; and small PSOs by April 1, 2028.

Key controls: secure transactions, vendor sourcing, data testing & audits

  • PSOs must enforce a 12-hour cooling period after any change to a registered mobile number or email ID before further transactions can be made.
  • When sourcing vendors, PSOs must prioritise obtaining the source code rather than just escrow.
  • Back-up data must be tested at least twice a year to ensure usability and successful recovery of transaction data. Security audits and VAPT must be carried out before deployment or redeployment of services.
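The 12-hour cooling period above is the one control in this list that maps directly onto transaction-authorisation logic, so here is an added example of how a PSO might enforce it. This is illustrative code written for this guide, not code from the RBI Directions or from any PSO's platform. It assumes (the page does not say) that the window is measured from the most recent change to either the mobile number or the email ID, and that the change history is available as timezone-aware timestamps; the sample change records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Window stated in the Directions: 12 hours after a change to a registered
# mobile number or email ID before further transactions are permitted.
COOLING_PERIOD = timedelta(hours=12)


@dataclass(frozen=True)
class ContactChange:
    """One audited change to a registered contact detail."""
    field: str             # "mobile" or "email"
    changed_at: datetime   # timezone-aware timestamp of the change


@dataclass(frozen=True)
class CoolingDecision:
    allowed: bool
    reason: str
    retry_after: Optional[datetime] = None  # set only when the transaction is blocked


def _require_aware(ts: datetime, label: str) -> datetime:
    # Naive timestamps compare incorrectly across systems in different zones
    # (e.g. primary DC and DR site), so refuse them rather than guess an offset.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts


def check_cooling_period(changes: Iterable[ContactChange],
                         tx_time: datetime,
                         cooling: timedelta = COOLING_PERIOD) -> CoolingDecision:
    """Decide whether a transaction at tx_time falls outside the cooling window.

    Assumption (not from the page): the most recent change to either field
    governs, so a fresh mobile change re-opens the window even when an older
    email change has already aged out.
    """
    tx_time = _require_aware(tx_time, "tx_time")
    latest: Optional[ContactChange] = None
    for change in changes:
        _require_aware(change.changed_at, f"{change.field} change")
        if latest is None or change.changed_at > latest.changed_at:
            latest = change

    if latest is None:
        return CoolingDecision(True, "no registered contact changes on record")

    elapsed = tx_time - latest.changed_at
    # A change timestamped after the transaction (clock skew between systems)
    # gives a negative elapsed time and is treated as still inside the window.
    if elapsed < cooling:
        return CoolingDecision(
            False,
            f"{latest.field} changed {elapsed} ago; cooling period is {cooling}",
            retry_after=latest.changed_at + cooling,
        )
    return CoolingDecision(True, f"last {latest.field} change was {elapsed} ago")


# Constructed sample history (not from the page): an email change that has
# aged out and a later mobile change that has not.
SAMPLE_CHANGES = [
    ContactChange("email", datetime(2025, 1, 9, 20, 0, tzinfo=timezone.utc)),
    ContactChange("mobile", datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc)),
]


def sample_decision(tx_iso: str) -> CoolingDecision:
    """Evaluate a transaction time (ISO 8601 string) against the sample history."""
    return check_cooling_period(SAMPLE_CHANGES, datetime.fromisoformat(tx_iso))


if __name__ == "__main__":
    for tx_iso in ("2025-01-10T19:59:00+00:00", "2025-01-10T20:00:00+00:00"):
        decision = sample_decision(tx_iso)
        state = "allowed" if decision.allowed else "blocked"
        print(f"{tx_iso}: {state} ({decision.reason})")
```

The boundary is deliberately inclusive at exactly 12 hours (a transaction at 20:00 after an 08:00 change is allowed) and the check rejects naive timestamps outright, since a silently mis-zoned timestamp would shorten or lengthen the window without any error being raised.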

2. Governance, baseline and payment-specific controls

The Directions cover: a board-approved information security policy, a cyber-crisis management plan, identity and access controls, network segmentation, and application life-cycle security. They also address:

  • Data leak prevention
  • Multi-tier architecture
  • Patch/change management
  • Mobile, card and prepaid payment instruments

Why this matters

The digital payments ecosystem is sprawling. PSOs often rely on multiple vendors, gateways, APIs and unregulated entities. The RBI’s Directions recognise that risk and make it clear that being secure means doing more than ticking boxes. If you operate as a PSO, these Directions define your baseline.

Key benefits and strategic implications

Integrating and complying with these RBI Master Directions delivers more than regulatory satisfaction. It builds business resilience, trust and competitive advantage.

Benefits for financial institutions include:

  • Elevated cyber-risk visibility: With board oversight and quarterly reviews you break silos and make cybersecurity part of the strategic agenda.
  • Improved operational resilience: Regular DR drills and vendor-risk management reduce downtime risk, reputational damage and financial losses.
  • Stronger payment ecosystem trust: For PSOs, adherence to these mandates reassures partners and customers, and may unlock new business opportunities.
  • Better third-party control: With stricter vendor code-access, escrow, testing requirements, the dependency risk is explicitly addressed.

Strategic implications cover:

  • Compliance is non-negotiable, but this is more than a compliance exercise. The organisations that win tomorrow will make governance and resilience part of their DNA.
  • Budgeting and staffing must reflect the new mandates. Boards must approve, committees must meet, the CISO must be independent, drills must happen.
  • Technology and vendor strategy must be revisited: is your vendor code accessible? Do you run half-yearly DR drills? Do you have cooling periods?
  • For PSOs, product development must incorporate security from the outset (secure-by-design). Payment flows, customer onboarding, vendor ecosystems must be hardened.

Implementation roadmap for financial institutions

Here’s how we help senior leaders and their teams turn the new mandates into action, rather than another document exercise.

  • Conduct a gap assessment: Compare current state of your IT governance, cyber resilience, vendor-risk programme and payment-security controls against the mandates in both Directions.
  • Board engagement & governance setup: Ensure that the Board (or its sub-committee) approves the relevant strategy/policy. Set up (or reconstitute) the ITSC for REs; ensure quarterly meetings.
  • Define roles & responsibilities: Elevate the CISO role. Ensure independence from IT operations and assign clear accountabilities across business, risk, IT and cyber.
  • Revise vendor-risk and third-party frameworks: For critical applications, enforce source-code/escrow requirements. Perform concentration-risk assessments.
  • Operational resilience testing: Schedule and conduct VAPT at required frequency. Perform half-yearly DR drills. Validate near-zero RPO targets for critical systems.
  • Payment-security controls for PSOs: Enforce 12-hour cooling period post email/mobile change, test transaction-data backups twice a year, enforce secure-by-design SDLC.
  • Training and culture: Ensure employee awareness, board training, tabletop-crisis simulations for payment fraud, third-party failures, cyber-incidents.
  • Monitoring and reporting: Define Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) linked to the mandates. Provide quarterly dashboards to the board/committee.

Conclusion

The RBI Master Directions represent a strong regulatory push toward more measurable, accountable and strategic cyber resilience in the financial sector. For REs the focus is on IT governance at board level, vendor risk and operational resilience. For PSOs the emphasis lies on payment-security controls, vendor code access and secure environments.

If you’d like help aligning your institution with these mandates, partner with us today. Our RBI Master Directions compliance capabilities will help you transform regulatory compliance into strategic cyber advantage.

RBI Master Directions Guide FAQs

What is the difference between the IT governance Master Directions and the payment-security Master Directions issued by RBI?

The IT governance Directions (ITG-RC&AP, 2023) apply to regulated entities (banks, NBFCs etc.) and focus on board oversight, IT strategy, vendor risk, VA/PT and DR drills. The payment-security Directions (Cyber Resilience & Digital Payment Security Controls, 2024) apply to non-bank PSOs and centre on baseline security for digital payments (cooling periods, vendor code access, transaction-data backup testing).

By when do entities need to comply with these Directions?

For the IT governance Directions: effective from 1 April 2024. For the PSO payment-security Directions: large PSOs by 1 April 2025, medium by 1 April 2026, small by 1 April 2028.

Do the RBI Master Directions require obtaining vendor source code for all third-party apps?

It mandates that for critical applications, REs (or PSOs) must either obtain the source code or put in place a source-code escrow arrangement. It emphasises obtaining the source code as a priority.

How often must DR drills and VA/PT be carried out under the Directions for REs?

Vulnerability assessment: at least once every six months; penetration testing: at least once every 12 months (for critical/DMZ systems). DR drills for critical systems: at least half-yearly.

Author
Krishnakant Mathuria

Krishnakant has more than 12 years of experience in the ICT domain. He has been part of building specialised teams and niche enterprises, driving growth and a performance culture across organisations.
