India Regulatory Hub
RBI · RBI Act 1934 · Banking Regulation Act 1949 · est. 1935 · Banking · NBFCs · Payments

Reserve Bank of India

India's central bank — IT governance, cyber resilience and payment-data rules for every regulated entity.

Regulated entities: 1,600+ banks, NBFCs & PAs
Key direction: MD-ITGRC, Nov 2023 (effective Apr 2024)
Recent enforcement: ₹56 Cr fines across 304 cases (2024)
Next key deadline: Annual IS Audit, 31 March
Layer 0 — Framework overview · free

The Reserve Bank of India is the apex regulator for banks, non-banking financial companies (NBFCs), urban co-operative banks (UCBs) and payment system operators. Its technology-risk rulebook was consolidated in November 2023 into the Master Direction on IT Governance, Risk, Controls and Assurance Practices (MD-ITGRC) — effective April 2024 — which replaces a patchwork of earlier circulars with a single, board-accountable framework.

MD-ITGRC rests on four pillars: governance (a board-level IT Strategy Committee, a CISO with a board reporting line, and IT risk embedded into the enterprise risk framework), risk management (annual IT risk assessments, a defined IT risk appetite, third-party and cloud risk programmes), controls (information-security policy, access management, change management, data localisation for payment data) and assurance (annual IS audit by a CERT-In empanelled auditor, penetration testing, and RBI's own CSITE examinations).

Two obligations dominate practitioner attention. First, the 6-hour cyber incident reporting window to RBI's CSITE cell — run in parallel with CERT-In reporting — followed by a root-cause analysis within 21 days. Second, payment-data localisation: payment aggregators and card networks must store payment data only in India, with RBI retaining the right to inspect overseas servers.

Enforcement is active and increasingly muscular: RBI's 2024 annual report records ₹56 crore of penalties across 304 cases, with IT-governance lapses, audit non-submission and localisation breaches the recurring themes. With the DPDP Act layering data-protection penalties of up to ₹250 crore on top, the business case for MD-ITGRC compliance has never been stronger.

Use the four layers below — Control Catalogue, Applicability Matrix, Compliance Calendar and Penalty Framework — to scope, plan and evidence your RBI compliance programme.

Primary sources: Master Direction on IT Governance, Risk, Controls and Assurance Practices (MD-ITGRC), November 2023, effective April 2024 · RBI Cybersecurity Framework 2016 (banks) · Master Direction on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds 2011 (UCBs) · Payment Aggregator / Payment Gateway framework circulars 2020–2024.

The deep-dive layers

Version history
Last verified: 2026-06-17
Version: v1.0
Date: June 2026
Updated by: Hemant Sahay
What changed: Initial publication — all 5 regulator pages (RBI, SEBI, IRDAI, CERT-In, DPDP), control catalogues, applicability matrices, calendars, penalties, cross-regulator content, 12 templates, 18 glossary terms
