RBI Master Direction on IT Governance (ITGRCA) — a practitioner reference

ControlForge free guide · 2026-05-24 · Reflects Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, effective 1 April 2024


Quick reference

  • Applies to: Scheduled Commercial Banks (excluding Regional Rural Banks); Small Finance Banks and Payments Banks; Foreign Banks operating in India through branch mode (on "comply or explain"); NBFCs in the Middle Layer, Upper Layer, and Top Layer of the SBR framework; Credit Information Companies (CICs); EXIM Bank, NABARD, NaBFID, NHB, and SIDBI.
  • Excluded: Local Area Banks; NBFC-Core Investment Companies (NBFC-CICs); Base Layer NBFCs.
  • Mandatory or voluntary: mandatory regulation; binding on all Regulated Entities (REs) listed above.
  • Year issued: 7 November 2023; came into force 1 April 2024.
  • Issuing body: Reserve Bank of India.
  • Penalties: monetary penalties under Section 47A of the Banking Regulation Act, Section 58G of the RBI Act, or Section 30 of the Payment and Settlement Systems Act depending on entity type. Supervisory action including restrictions on new business, public disclosure of enforcement. Recent fines on Indian banks for IT governance failings have ranged from ₹50 lakh to ₹5 crore per violation.
  • ControlForge density: 55 controls curated across the 7 chapters of the Master Direction; cross-walked extensively with RBI CSF, ISO/IEC 27001:2022, NIST CSF 2.0, and SEBI CSCRF.

What it is

The Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 — referred to throughout as ITGRCA — is the consolidated and modernised IT governance Master Direction for India's banking and non-banking financial sector. It came into force on 1 April 2024 and superseded the patchwork of earlier RBI guidelines on IT governance, IT risk management, business continuity, IS audit, and information security practices that had accumulated since 2011.

ITGRCA's structural purpose is to establish IT governance at the highest level: Board, Board IT Strategy Committee (BITSC; the Master Direction's own label is "IT Strategy Committee of the Board", ITSC, so quote it that way when citing the circular text), IT Steering Committee, Chief Information Officer / Head of IT, Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO), with explicit role separation, reporting lines, and meeting cadences. It complements (but does not replace) the operational Cyber Security Framework (CSF) for banks issued in 2016 and updated since: CSF sits under ITGRCA and addresses the operational cyber controls, while ITGRCA sets the governance superstructure.

A distinctive feature: ITGRCA merges what used to be three separate regulatory streams (IT governance, business continuity / DR management, and Information Systems audit) into a single Master Direction. This is the most consequential change for RE compliance teams: where IT audit had previously been governed by RBI's IS Audit guidelines from 2011, ITGRCA now folds the IS audit obligations into the same instrument as IT governance and risk.

Supervision under ITGRCA also tests the Chief Compliance Officer independence requirements that RBI introduced through its compliance-function circulars (banks in 2020, Middle and Upper Layer NBFCs in 2022), in particular the quarterly closed-door meeting between the CCO and the Board's Audit Committee without senior management present. That meeting is a structural protection for compliance independence, and examiners now ask for its minutes.


Structure at a glance

The Master Direction is organised into 7 chapters:

  • Chapter I — Preliminary (definitions, applicability, scope).
  • Chapter II — Governance Framework: IT governance structure, Board IT Strategy Committee, IT Steering Committee, roles of Board / Senior Management / Head of IT / CISO.
  • Chapter III — IT Infrastructure & Services Management: IT service management framework, application security and life cycle management, data migration, change management, capacity management, cryptographic controls.
  • Chapter IV — IT and Information Security Risk Management: information security policy, risk management framework, identity and access management, network security, endpoint security, security operations centre, vulnerability assessment, security testing, cyber incident response and recovery.
  • Chapter V — Business Continuity and Disaster Recovery Management: BCP policy, BCP framework, BCP testing, disaster recovery.
  • Chapter VI — Information Systems (IS) Audit: IS audit framework, audit charter, Head of IS Audit, audit scope and methodology, follow-up and reporting.
  • Chapter VII — Repeal and Other Provisions: lists circulars repealed, interpretation, other laws.

ITGRCA is read together with:

  • The Cyber Security Framework for Banks, 2016 (CSF): operational cyber controls.
  • The RBI Master Direction on Outsourcing of IT Services, 2023 (ITO): third-party / outsourcing controls.
  • The RBI Master Directions on Cyber Resilience and Digital Payment Security Controls, 2024: issued after ITGRCA and not referenced by it; this is the equivalent instrument for non-bank payment system operators, which are outside ITGRCA's scope.

For ITGRCA-scoped REs, these instruments form a coherent regulatory stack: ITGRCA at the governance top, CSF for cyber operations, ITO for outsourcing, sectoral CIMS reporting for incident notification.


Who must comply

ITGRCA applies to:

  • Scheduled Commercial Banks including private and public sector banks, foreign banks operating in India (excluding Regional Rural Banks).
  • Small Finance Banks and Payments Banks.
  • NBFCs in the Middle, Upper, and Top Layers of the Scale Based Regulation (SBR) framework (asset size and systemic-importance thresholds determine the layer). Base Layer NBFCs are excluded.
  • Credit Information Companies (CICs).
  • All India Financial Institutions: EXIM Bank, NABARD, NaBFID, NHB, SIDBI.

Specifically excluded: Local Area Banks; NBFC-Core Investment Companies; Base Layer NBFCs. Primary (Urban) Co-operative Banks are not REs under ITGRCA at all; they remain under RBI's separate Comprehensive Cyber Security Framework for UCBs (2019), so do not read ITGRCA obligations across to them.

Foreign Banks operating in India through branch mode follow ITGRCA on a "comply or explain" basis — references in ITGRCA to the "Board of Directors" are interpreted for them as references to the Head Office or controlling office that has oversight over Indian branch operations.

The scoping is one of the more involved aspects of ITGRCA in practice: NBFC categorisation (Base / Middle / Upper / Top) is dynamic and based on asset size, activity type, and systemic-importance criteria that RBI reviews periodically. Within ITGRCA the Middle, Upper and Top Layers carry the same obligations, so the boundary that matters is Base to Middle: an NBFC that crosses the Middle Layer asset-size threshold (₹1,000 crore) or takes up a Middle Layer activity comes into ITGRCA scope on being categorised as Middle Layer, which means the governance build has to start before the threshold is reached rather than at the next year-end.


Core obligations

The ITGRCA framework imposes obligations across five interrelated pillars.

IT governance structure (Chapter II). The Board approves the IT strategy, the IT-related risk appetite, and the Cyber Security Policy. The Board IT Strategy Committee (BITSC) — chaired by an Independent Director with majority Independent Directors — meets at least quarterly to provide direction on IT strategy, monitor the implementation, and review the IT-related risk position. The IT Steering Committee, at executive level, includes the CIO/Head of IT, CISO, business heads, and operates monthly. The Head of IT Function is responsible for delivery of IT operations; the CISO is independent of the operations function, reports to the MD/CEO or to a designated Director (not to the CTO or operations function), and has the authority to escalate to the Board. Maps into ControlForge clusters cl-policy, cl-roles-responsibilities, cl-it-governance-board, and cl-isms-context.

IT service management and infrastructure (Chapter III). REs maintain a documented IT Service Management framework supporting operational resilience across data centres, networks, applications, and DR sites. Documented policies for data migration with stage-wise signoffs from business and application owners and audit-trail maintenance. Change management with documented impact assessment, secure and timely review, and rollback procedures. Capacity management with periodic review against business growth. Application security: secure SDLC, vulnerability remediation, integration of security testing into release gates. Cryptographic controls: approved algorithms, key management, HSM usage for high-value keys. Maps into cl-configuration-management, cl-change-management, cl-secure-development, cl-cryptography, and cl-bcp-ict-readiness.

IT and information security risk management (Chapter IV). Board-approved Information Security Policy separate from the broader IT Policy, reviewed annually. Documented risk management framework identifying and quantifying IT risks including cyber, operational technology, third-party, and data risks. Identity and access management with strong authentication (MFA mandatory for privileged and administrative access), session management, and quarterly access reviews. Network security with defence in depth, segmentation, intrusion detection. Endpoint security with EDR coverage on all endpoints and servers. Security Operations Centre with 24×7 monitoring; for smaller REs, MSSP-based SOC with documented bank-side oversight. Vulnerability assessment at least annually and after significant change. Security testing including penetration testing with manual methodology (not just scanning). Cyber incident response: documented procedure, tested via tabletop exercise, integrated with CIMS 6-hour and CERT-In 6-hour reporting. Maps into cl-access-rights, cl-multi-factor-authentication, cl-network-protection, cl-monitoring-activities, cl-vapt-cycle, cl-incident-response-execution, and cl-ir-reporting.

Business continuity and disaster recovery (Chapter V). Board-approved BCP Policy integrated with the Cyber Crisis Management Plan. Documented BCP framework identifying critical services, RTO/RPO per service, alternate-site capability, communication procedures. BCP/DR testing that exercises actual failover to the DR site rather than a desktop walk-through; ITGRCA requires DR drills for critical systems at least half-yearly, with achieved RTO/RPO compared against the documented targets. Cyber-specific recovery scenarios including ransomware and destructive-attack recovery. Immutable / air-gapped backups as a ransomware resilience measure. Maps into cl-bcp-ict-readiness, cl-backup, cl-cyber-rehearsal, and cl-cyber-resilience.

Information Systems (IS) audit (Chapter VI). IS audit charter approved by the Audit Committee of the Board. Head of IS Audit independent of IT operations, reports to the Audit Committee. Risk-based audit plan covering all in-scope systems with frequency calibrated to risk; minimum annual audit of critical systems. CERT-In empanelled lead auditor for VAPT and pen testing engagements. Audit follow-up with documented closure of findings; audit reports tabled at the Audit Committee with management action plans tracked to closure. Maps into cl-mandatory-audit, cl-internal-audit, cl-vapt-cycle, and cl-audit-trail.

The Chief Compliance Officer (CCO) independence requirement runs across the framework: the CCO reports directly to the MD/CEO and to the Audit Committee, with a quarterly closed-door meeting with the Audit Committee without senior management present — a structural protection that supervisory exams test by reviewing the minutes of those closed-door meetings.


How auditors test ITGRCA

ITGRCA audits typically run as one of three patterns:

RBI supervisory inspection. RBI's Department of Supervision conducts on-site inspections under the Banking Regulation Act / RBI Act. Inspections are risk-based; ITGRCA is now a standard inspection scope. Inspectors review Board minutes, BITSC minutes, IS audit reports, VAPT reports, BCP test reports, CIMS submission history, and observe operational controls. Findings flow into the inspection report; significant findings trigger supervisory action.

Internal IS audit as required by Chapter VI. Annual cycle covering risk-based scope. Reports to the Audit Committee. Findings tracked through to closure with re-test evidence.

External assurance through CERT-In empanelled firms for VAPT and through Big-4 / specialist firms for ITGRCA gap analyses and ISO 27001 audits that overlap with ITGRCA. External audit is not mandated by ITGRCA itself but is standard practice for material REs preparing for supervisory inspection.

Evidence patterns at an ITGRCA-relevant inspection:

  • Board-approved Information Security Policy and Cyber Security Policy with date trail of revisions.
  • BITSC minutes with quarterly cadence; IT Steering Committee minutes with monthly cadence.
  • CISO appointment letter, organogram showing reporting line independence from IT operations.
  • CCO appointment letter, evidence of CCO–Audit Committee closed-door quarterly meetings.
  • IS Audit Charter, Head of IS Audit appointment, IS Audit Plan, sample audit reports, audit closure log.
  • Vendor risk assessment files for critical vendors (cloud, core banking, AML/KYC).
  • VAPT reports with manual penetration testing evidence and CERT-In empanelment proof.
  • BCP test reports including cyber-specific scenarios.
  • CIMS submission history for the inspection period.

Common variations across firm sizes: larger REs operate dedicated IS audit teams; smaller REs use co-sourced models with external firms. NBFCs newly in the Middle Layer often face the steepest jump, from informal IT governance to formal ITGRCA-aligned structures.


How it relates to other frameworks

ITGRCA sits at the top of the RBI cyber-and-IT regulatory stack for banks, NBFCs, and related entities. It explicitly integrates with:

  • RBI Cyber Security Framework for Banks (CSF) 2016: ITGRCA Chapter IV references and incorporates CSF's operational cyber controls. CSF remains in force as the operational layer under ITGRCA's governance umbrella.
  • RBI Master Direction on Outsourcing of IT Services (ITO) 2023: third-party risk management and IT outsourcing arrangements. ITGRCA's Chapter II requires Board oversight of outsourcing; ITO provides the operational requirements.
  • RBI Cyber Resilience and Digital Payment Security Controls 2024: for non-bank payment system operators; concept-equivalent to ITGRCA + CSF for the payments sector.
  • CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act): 6-hour incident reporting to CERT-In applies in parallel to RBI CIMS reporting; ITGRCA's incident response requirements have to satisfy both clocks from a single detection timestamp.
  • DPDPA 2023 + Rules 2025: personal data breach notification under DPDPA layers with ITGRCA's incident reporting from May 2027.
  • ISO/IEC 27001:2022: ITGRCA Chapter IV maps substantially to ISO 27001 Annex A controls. ISO 27001 certification does not substitute for ITGRCA compliance but reduces audit friction.
  • NIST CSF 2.0: useful as a structural reference; ITGRCA's risk management framework is more prescriptive but the Govern / Identify / Protect / Detect / Respond / Recover categories align.
  • SEBI CSCRF: for SEBI-regulated entities; concept-equivalent to ITGRCA + CSF for capital markets.
  • IRDAI Information and Cyber Security Guidelines 2023: concept-equivalent for insurance sector.

ControlForge cross-walks ITGRCA into general governance and operational clusters, allowing organisations under multiple Indian regulators (e.g. payment banks under RBI + SEBI-registered MF distributors) to satisfy overlapping requirements through unified evidence.


Common pitfalls

Five recurring failure patterns observed in early ITGRCA implementations and supervisory inspections:

  1. BITSC composition or cadence missing. The Board IT Strategy Committee exists on paper but doesn't meet quarterly, or meets without the required Independent Director majority, or merges with other Board sub-committees. Fix: standalone BITSC with documented charter, quarterly cadence with formal minutes, majority of Independent Directors.

  2. CISO reports to CTO / Head of IT. Common at smaller REs where the IT and security functions are merged under one head. ITGRCA requires CISO independence — the reporting line cannot be through the operations function being secured. Fix: CISO reports directly to MD/CEO or to a designated Director; the reporting line is documented in the organogram and Board-approved.

  3. CCO–Audit Committee closed-door meetings not happening. The CCO meets with the Audit Committee in the regular committee schedule but the without-senior-management quarterly meeting either doesn't happen or isn't minuted. Supervisory inspections specifically ask for these minutes. Fix: scheduled quarterly closed-door meeting with formal but appropriately confidential minute-keeping.

  4. IS audit scope omits cloud, AI, AML/KYC vendors. The IS audit charter covers in-house systems but doesn't reach into the cloud configuration, the AI fraud-detection vendor, or the AML/KYC SaaS. Modern RE operations push so much through third parties that an in-house-only audit scope is materially incomplete. Fix: IS audit scope explicitly covers all critical systems including vendor-hosted, with right-to-audit clauses in the vendor contracts.

  5. BCP testing limited to non-cyber scenarios. BCP test is annual but covers data-centre power, network outage, hardware failure — and not ransomware recovery, destructive attack recovery, or supply-chain compromise. ITGRCA Chapter V explicitly requires cyber-specific scenarios. Fix: annual cyber-scenario tabletop and at least biennial live cyber recovery testing.

Two further patterns worth flagging:

  6. Repealed circulars still referenced in internal policies. ITGRCA explicitly repeals a list of earlier circulars; internal policies that cite the repealed instruments are stale. Audit-defensible compliance requires policy refresh against ITGRCA's repealed-list. Fix: policy refresh project tied to ITGRCA effective date (1 April 2024); cite ITGRCA paragraphs rather than the repealed circulars.

  7. Foreign-bank "comply or explain" treated as opt-out. Foreign banks operating through branch mode apply ITGRCA on "comply or explain", meaning an explicit explanation for any non-compliance, not an opt-out. Some foreign branches have treated the option as silent non-compliance; supervisory inspections push back. Fix: documented compliance posture per ITGRCA paragraph; explanation for each deviation, signed off at the controlling-office level.

Inspection-cycle expectations. RBI's ITGRCA-focused inspections have evolved a recognisable pattern through 2024-2026: examiners arrive with a structured workpaper aligned to the seven chapters; ask for the Board-approved policy library and Board / BITSC minutes upfront; spend significant time on the IS Audit chapter evidence (audit charter, audit plan, sample reports, closure tracking); review cyber incident records with deep-dive into one or two recent incidents tracing the full response and reporting path; and close with a structured discussion of the entity's roadmap for any open gaps. Entities that prepare an inspection-ready evidence pack aligned to the chapter structure find the engagement materially smoother than entities that attempt to assemble evidence on demand during the inspection itself. Pre-inspection rehearsal — a mock inspection conducted by internal audit or by an external specialist firm — has become standard practice for material REs anticipating inspection in the next financial cycle.


When to use this framework

ITGRCA is mandatory for the entities in scope; the relevant questions are operational:

  • Phasing the compliance build. Most REs cannot achieve full ITGRCA compliance in a single quarter. RBI accepts a phased approach with documented roadmap, milestones, and risk-prioritised order of implementation.
  • Integration with existing ISO 27001 / NIST CSF programmes. REs holding ISO 27001 typically already address ~60% of ITGRCA's operational requirements; the gap is in the specific RBI governance structure (BITSC, IT Steering Committee, CCO independence) and the IS Audit chapter.
  • Engaging external advisory for ITGRCA gap analysis is common; engaging external IS audit firms is standard for material REs.
  • Base Layer NBFCs approaching the Middle Layer threshold: ITGRCA does not distinguish between the Middle, Upper and Top Layers, so the material jump in obligation depth is at entry into the Middle Layer; plan the governance build well ahead of the SBR re-categorisation.

ITGRCA does not apply to non-RBI-regulated entities. Indian organisations outside the financial sector but operating cyber-mature programmes can still treat ITGRCA's governance structure as a reference for board-level IT and cyber risk oversight — particularly the BITSC + IT Steering Committee + CISO independence model — but the binding obligations apply only to scoped REs.


Further reading

  • RBI Master Direction (Information Technology Governance, Risk, Controls and Assurance Practices), 2023 — https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12562
  • Cyber Security Framework for Banks (RBI/2015-16/418, 2 June 2016) — https://www.rbi.org.in/
  • RBI Master Direction on Outsourcing of IT Services, 2023 — https://www.rbi.org.in/
  • RBI Master Direction on Cyber Resilience and Digital Payment Security Controls, 2024 — https://www.rbi.org.in/
  • Scale Based Regulation (SBR) for NBFCs — https://www.rbi.org.in/
  • ControlForge clusters: cl-policy, cl-it-governance-board, cl-roles-responsibilities, cl-mandatory-audit, cl-incident-response-execution, cl-bcp-ict-readiness, cl-vapt-cycle, cl-supplier-policy — ITGRCA cross-walked against ISO 27001, NIST CSF, SEBI CSCRF, and IRDAI 2023.

The cluster cross-walk is particularly useful for large REs that maintain multiple framework certifications (ISO 27001, SOC 2, PCI DSS) alongside RBI compliance — the ControlForge mapping surfaces the controls where evidence consolidates across regimes, reducing duplicate audit and documentation effort across the financial-year audit calendar.


This guide is a practitioner reference, not legal advice. It reflects the RBI ITGRCA Master Direction in force since 1 April 2024 and publicly available RBI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current RBI circular text and counsel review.