RBI IT Framework for NBFCs: Tier-wise Requirements Explained

RBI's Master Direction on Information Technology Framework for the NBFC Sector sets out tiered IT governance, cybersecurity, and IS audit requirements based on asset size and NBFC category. This guide breaks down what each tier must implement — and the most common compliance gaps.

Infosek Team

8 May, 2025

The RBI IT Framework: An Overview

The Reserve Bank of India issued its Master Direction on Information Technology Framework for the NBFC Sector to address growing IT and cybersecurity risks in the non-banking financial sector. The framework applies to all NBFCs registered with RBI, but the depth of requirements varies based on the NBFC's category and asset size. The primary categories covered include NBFC-Investment & Credit Companies (NBFC-ICC), NBFC-Micro Finance Institutions (NBFC-MFI), NBFC-Factors, Mortgage Guarantee Companies, Housing Finance Companies (HFCs), and others.

The framework covers five broad areas: IT Governance, IT Infrastructure & Services Management, IT and Cyber Security, Business Continuity Planning, and IT Audit.

Tier Classification: How It Works

RBI classifies NBFCs primarily by asset size. The largest NBFCs — particularly those with assets above ₹500 crore — face substantially more detailed requirements than smaller entities. The scale-based approach means:

  • Larger NBFCs (NBFC-ML and equivalent): Full IT governance framework, board-level IT committee, annual IS audit by CISA-certified auditor, comprehensive cybersecurity policy, DR site with defined RTO/RPO, vendor management policy.
  • Mid-size NBFCs: Core IT governance requirements, IS audit, BCP/DR documentation, information security policy.
  • Smaller NBFCs: Basic requirements including IS policy, access controls, and incident reporting, with lighter audit obligations.

IT Governance Requirements

All NBFCs above a certain size are required to establish a board-level IT Strategy Committee or assign IT oversight to an existing board committee. Key governance requirements include:

  • IT Strategy Policy approved by the board — covering IT-business alignment, risk appetite, and IT investment decisions
  • IT Steering Committee at senior management level for operational IT decisions
  • Defined roles and responsibilities for IT and information security functions
  • Cybersecurity Policy — covering access control, network security, data protection, and incident response
  • Vendor Management Policy for all third-party IT service providers

IS Audit Requirements

RBI requires IS audits for NBFCs, and the auditor qualification requirements are specific. For larger NBFCs, the IS audit must be conducted by an auditor with CISA (Certified Information Systems Auditor) certification or equivalent. The audit must cover all IT systems, applications, network infrastructure, and cybersecurity controls. Key points:

  • IS audit must be conducted at least annually for larger NBFCs
  • Auditors must be independent (not involved in implementation)
  • The audit report must be placed before the board
  • Critical and high findings must be remediated within defined timelines
  • Audit findings and remediation status must be reported to RBI as required

BCP and Disaster Recovery Requirements

  • Business Continuity Plan documented and board-approved
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined for all critical systems
  • Disaster Recovery site established (physical or cloud) with data replication
  • BCP/DR drill conducted at least annually with documented results
  • BCP and DR tested to ensure the NBFC can resume operations within defined RTO
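The RTO/RPO and annual-drill requirements above are the ones most often asserted on paper and least often evidenced. The following checker is an added illustration, not part of the original article or of RBI's Master Direction: it takes the defined RTO/RPO per critical system and the retained drill records, and flags the gaps an IS auditor would look for (no drill in the last year, drill results not documented, achieved RTO or RPO worse than target). System names, targets and drill records are constructed sample data; the 365-day drill-age threshold is an assumption matching the "at least annually" wording.

```python
"""DR-drill evidence check against defined RTO/RPO targets (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class CriticalSystem:
    name: str
    rto_minutes: int   # defined Recovery Time Objective
    rpo_minutes: int   # defined Recovery Point Objective


@dataclass
class DrillRecord:
    system: str
    drill_date: date
    achieved_rto_minutes: int   # time until service resumed at the DR site
    achieved_rpo_minutes: int   # age of the newest data restored at the DR site
    results_documented: bool    # signed-off drill results retained on file


@dataclass
class Finding:
    system: str
    severity: str   # "high" or "medium"
    issue: str


def evaluate_dr_readiness(systems, drills, as_of, max_age_days=365):
    """Return one Finding per gap between the BCP/DR policy and drill evidence.

    For each critical system, only the most recent drill is judged: a drill
    older than max_age_days, an undocumented drill, or an achieved RTO/RPO
    above the defined target is a gap. A system with no drill at all is
    the "BCP documented but never tested" case.
    """
    findings = []
    for s in systems:
        history = [d for d in drills if d.system == s.name]
        if not history:
            findings.append(Finding(s.name, "high", "no DR drill record on file"))
            continue
        latest = max(history, key=lambda d: d.drill_date)
        if (as_of - latest.drill_date).days > max_age_days:
            findings.append(Finding(s.name, "high",
                f"last drill on {latest.drill_date} is older than {max_age_days} days"))
        if not latest.results_documented:
            findings.append(Finding(s.name, "medium", "latest drill results not documented"))
        if latest.achieved_rto_minutes > s.rto_minutes:
            findings.append(Finding(s.name, "high",
                f"achieved RTO {latest.achieved_rto_minutes} min exceeds target {s.rto_minutes} min"))
        if latest.achieved_rpo_minutes > s.rpo_minutes:
            findings.append(Finding(s.name, "high",
                f"achieved RPO {latest.achieved_rpo_minutes} min exceeds target {s.rpo_minutes} min"))
    return findings


# Constructed sample data (hypothetical systems and drills, not from any NBFC).
SYSTEMS = [
    CriticalSystem("core-ls", rto_minutes=240, rpo_minutes=60),
    CriticalSystem("lending-app", rto_minutes=120, rpo_minutes=15),
    CriticalSystem("payment-gateway", rto_minutes=60, rpo_minutes=5),
    CriticalSystem("api-gateway", rto_minutes=60, rpo_minutes=5),   # never drilled
]
DRILLS = [
    DrillRecord("core-ls", date(2024, 11, 10), 180, 30, True),        # within targets
    DrillRecord("lending-app", date(2023, 9, 2), 100, 10, True),      # stale drill
    DrillRecord("payment-gateway", date(2025, 2, 15), 95, 5, False),  # RTO missed, undocumented
]
AS_OF = date(2025, 5, 8)


def run_sample():
    """Evaluate the constructed sample and return the findings list."""
    return evaluate_dr_readiness(SYSTEMS, DRILLS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.system}: {f.issue}")
```

Run as a script it prints four findings: a stale drill for lending-app, an undocumented drill and a missed RTO for payment-gateway, and no drill record at all for api-gateway. The same evidence (defined targets, drill dates, achieved figures, documentation status) is what should be placed before the board alongside the BCP itself.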

Cybersecurity Controls

  • Cybersecurity policy covering network, endpoint, application, and data security
  • Vulnerability Management programme including regular VAPT
  • Privileged Access Management for admin and system accounts
  • Multi-factor authentication for remote access and internet banking/mobile apps
  • Log management with retention requirements
  • Incident response and reporting procedures (including RBI incident reporting)
  • Cyber insurance (recommended for larger NBFCs)

NBFCs that partner with fintechs through digital lending arrangements face an additional layer of IT requirements. The digital lending infrastructure — apps, APIs, LSP systems — must all be covered by your IT governance framework, not just your core banking system (CBS).


Common Compliance Gaps

  • IS audits conducted but not by CISA-certified auditors (a specific RBI requirement for larger NBFCs)
  • BCP documented but never tested — test records not maintained
  • Third-party/LSP systems not covered in the IT governance framework
  • Cybersecurity policy exists but predates digital channel additions (mobile app, API, web portal)
  • No vendor due diligence conducted for cloud providers and IT service partners
  • Incident reporting process undefined — staff do not know when or how to report to RBI

If your NBFC is also active in digital lending, additional requirements apply — see our guide on RBI Digital Lending Guidelines: 10 Mistakes Lenders Are Still Making in 2025. For NBFCs in DLG arrangements with fintechs, our article on RBI DLG Rules Explained covers the specific compliance implications.

Not sure if your NBFC's IT framework is RBI-compliant?

Our team conducts a 48-hour gap analysis against RBI's IT framework requirements and delivers a prioritised remediation roadmap. Book a free call to get started.
