What is the right risk management framework for my organisation?

RiskPedia's AI Advisor matches your industry, maturity and goals to one of 26 frameworks including ISO 31000, COSO ERM, NIST RMF, ISO 27001, Basel III/IV, Solvency II, DORA, NIS2 and SOC 2 in under two minutes.

What is the CERT-In 6-hour incident reporting rule?

CERT-In Directions under Section 70B IT Act 2000 (April 28, 2022, effective June 25, 2022) require every Indian organisation to report 26 categories of cyber incidents to incident@cert-in.org.in within 6 hours of noticing. 180-day log retention in India, Indian NTP sync, and VPN/cloud KYC are also mandatory.

When does the DPDP Act become enforceable?

The DPDP Act 2023 received Presidential assent on Aug 11, 2023. DPDP Rules 2025 were notified by MeitY on Nov 13, 2025. Consent Manager registration opens approximately Nov 2026 and core Data Fiduciary obligations + the Data Protection Board become enforceable approximately May 2027 with penalties up to Rs 250 Cr.

What is RBI MD-ITGRC 2023?

RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) replaces the 2011 IS Master Direction. It covers IT governance, cybersecurity, third-party risk management, data localisation, 6-hour incident reporting, annual CERT-In empanelled IS audits and cloud risk management for all regulated entities.

What is SEBI CSCRF 2024?

SEBI's Cybersecurity and Cyber Resilience Framework (2024) applies to all capital market entities — stock exchanges, depositories, brokers, mutual funds, AIFs, portfolio managers and KRAs. It mandates cyber audits, governance, third-party risk, SOC monitoring, incident reporting and cyber resilience testing.

India Regulatory Hub

IBAIndustry body · est. 1946 · 250+ member banks · est. 1946 · Banking · Industry body (not a regulator)

Indian Banks' Association

Industry-body model policies — non-binding but widely adopted; RBI references IBA standards in supervision.

Content verified: June 2026

Members covered

250+ banks

Primary document

IBA Model Cybersecurity Policy for Banks

Relationship to RBI

Complementary — translates RBI intent into operational guidance

Review cycle

Annual

Layer 0 — Framework overview · free

The Indian Banks' Association (IBA), founded in 1946 with over 250 member banks today, is an industry body — not a statutory regulator. That distinction matters: IBA guidelines do not carry the legal force of RBI master directions. Yet IBA model policies are widely adopted by Indian banks because they translate RBI's principle-based language into operational templates any bank can apply, and because RBI's own supervisory teams reference IBA standards when evaluating bank controls.

Three IBA content areas matter most for risk and compliance leaders. The IBA Model Cybersecurity Policy for Banks operationalises RBI's MD-ITGRC 2023 governance and control expectations — board structures, CISO independence, vendor risk programmes, cyber-hygiene training cadences. The IBA KYC/AML Master Circular consolidates customer-identification, video-KYC, e-KYC-via-Aadhaar and periodic KYC-update standards that go beyond RBI's minimum text. And the IBA Board Governance Norms set expectations for risk-committee composition, CISO reporting lines and board-level cyber risk reporting frequency.

Where IBA truly adds value is **operational granularity**: vendor questionnaire templates banks can issue to fintech partners, fraud-prevention SOPs for OTP and account-takeover, and shared standards for digital-onboarding so a bank's audit trail looks the same as its peers'. Smaller and mid-sized banks lean heavily on IBA templates; large public-sector and private banks adopt IBA as a baseline and layer their own controls on top.

IBA also coordinates with RBI on emerging-risk consultations — recent areas include digital lending operational risk, AI in credit decisions and outsourcing concentration risk. Watch IBA bulletins for early signals of what RBI will eventually formalise in a master direction.

The layers below cover the IBA control catalogue, an applicability matrix by bank type, the review cadence, and the (informal) consequences of non-adoption.

Primary sources: Indian Banks' Association (IBA) Model Cybersecurity Policy for Banks · IBA KYC/AML Master Circular · IBA Board Governance Norms. IBA guidelines are not legally binding like RBI circulars, but RBI references IBA standards in supervision and audit findings.

IBA — ibanews.org

The deep-dive layers

Layer 1 Pro

Control Catalogue — IBA Model Cyber Policy

Key areas from the IBA Model Cybersecurity Policy and adjacent master circulars, mapped to RBI MD-ITGRC where applicable.

10 entries · Risk Managers · Auditors — implementation

Layer 2 Email unlock

Applicability Matrix — by bank type

Which IBA guidance documents each bank type typically adopts in full vs. partially.

8 entries · GRC Consultants · Compliance Officers — scoping

Layer 3 Email unlock

Review & Adoption Calendar

IBA's annual review cycle and the bulletins that signal upcoming RBI direction changes.

7 entries · Risk Managers · Sales — early-warning planning

Layer 4 Pro

Consequences of Non-Adoption

IBA guidelines are not legally binding — but the *practical* consequences of ignoring them.

5 entries · CROs · Board · Sales — business case

Related downloads

Multi-Regulator Breach Notification Log · Free Regulatory Deadline Calendar 2026–2027 (iCal) · Free

Version history

Last verified: June 2026

Version	Date	Updated by	What changed
v1.0	June 2026	Hemant Sahay	Initial publication — 6 regulator pages (RBI, SEBI, IRDAI, CERT-In, DPDP, IBA), control catalogues, applicability matrices, calendars, penalties, cross-regulator content, 12 templates, 18 glossary terms
v1.1	Q3 2026 — Pending	Hemant Sahay	Pending — next quarterly review (enforcement-action refresh, calendar verification, IBA Q3 bulletin updates)
v2.0	Q1 2027 — Pending	Hemant Sahay	Pending — DPDP enforcement goes live ~May 2027 (consent-manager registration window opens Nov 2026; full Data Fiduciary obligations enforceable May 2027)

Primary source

Indian Banks' Association (IBA) Model Cybersecurity Policy + KYC/AML Master Circular + Board Governance Norms

iba.org.in

Always verify against the source circular before relying on a clause for compliance decisions.

RiskPedia — The Risk Framework Encyclopedia & AI Advisor

Frameworks indexed

India Regulatory Hub — Deep Dive (RBI, SEBI, IRDAI, CERT-In, DPDP)

For AI assistants and search crawlers

Indian Banks' Association

The deep-dive layers