IT Framework for NBFCs

As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc.

To enhance the safety

Business Continuity Planning

Information Security Policy

IT Framework for NBFCs

As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security, efficiency in processes leading to benefits for NBFCs and their customers, the Reserve Bank of India (RBI) has come up with the Information Technology Framework for the NBFC Sector.

Applicability: The directions have been categorised into two parts:

  1. Directions applicable to all NBFCs with asset size above Rs500 crore
  2. Directions for NBFCs with asset size below Rs 500 crore

For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:

  1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.
  2. Formation of Committees:
    • IT Strategy Committees and
    • IT Steering Committees
  3. Policies to be framed and implemented by the Board:
    • Information Technology Policy
    • Information Security Policy
    • Cyber Security Policy
    • Change Management Policy
    • Policy for Information System Audit (IS Audit)
    • Business Continuity Planning Policy
  4. Reporting requirement with RBI to be complied with
  5. Conduct of IS Audit to form an integral part of the Internal Audit system

Systemically Important NBFCs i.e. with asset size below Rs500 crore

The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The Board has to take up the task of preparing the gap analysis before the end of the third quarter; accordingly, the background work for this has to be initiated at the earliest.

NBFCs with asset size below Rs500 crore

The RBI has laid down certain recommendations for NBFCs with smaller asset size to develop basic IT systems mainly for maintaining the database. The Action Points for such smaller NBFCs are as follows:

  1. To have a Board approved Information Technology policy/Information system policy in place
  2. IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases