How FinStack ensures complete compliance as per RBI's Master Directions
Understand the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices by RBI and see how FinStack's No-Code Loan Origination System (LOS) helps you stay compliant.
Key Highlights & Implications
On October 20, 2022 the Reserve Bank of India (RBI) released the Draft Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices. Following the draft guidelines, RBI issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices on Nov 7, 2023 with the objective of tightening the governance framework for technology within the banking segment. The Master Direction has been in effect since April 1, 2024.
Applicable to the following Regulated Entities (REs)
- Scheduled Commercial Banks (excluding Regional Rural Banks)
- Small Finance Banks
- Payments Banks
- Non-Banking Financial Companies (except NBFC-Core Investment Companies)
- Credit Information Companies
- All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)
Navigating the regulations
| Chapter II - IT Governance | RE Responsibilities |
|---|---|
| 4. IT Governance Framework | Enforce an IT governance framework to: |
| 5. Role of the Board of Directors | The Board of Directors must approve and annually review all strategies and policies for IT, cyber security, information assets, business continuity, and incident response. |
| 6. IT Strategy Committee of the Board (ITSC) | Establish a Board-level IT Strategy Committee (ITSC) with at least 3 directors, chaired by an independent director with substantial IT expertise, that meets quarterly. Their responsibilities are to: |
| 7. Senior Management and IT Steering Committee | Senior Management must: |
| 8. Head of IT Function | The Head of IT must be senior, technically capable and experienced, and act as the first line of defence. Their responsibilities are to: |
| Chapter III - IT Infrastructure & Services Management | FinStack Assurance |
|---|---|
| 9. IT Services Management: (a) REs shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including DR sites). (b) A Service Level Management (SLM) process shall be put in place to manage the IT operations while ensuring effective segregation of duties. (c) REs shall ensure identification and mapping of the security classification (in terms of Confidentiality, Integrity and Availability) of information assets based on their criticality to the REs' operations. (d) For seamless continuity of business operations, REs shall avoid using outdated and unsupported hardware or software and shall monitor software end-of-support (EOS) dates and Annual Maintenance Contract (AMC) dates of IT hardware on an ongoing basis. (e) REs shall develop a technology refresh plan for the replacement of hardware and software in a timely manner before they reach EOS. | FinStack's Service Level Agreements (SLAs) ensure regular updates and a minimum 99% uptime with a well-defined escalation matrix. Our platform is DR compliant; see Disaster Recovery Management for details. |
| 10. Third-Party Arrangements: (i) mitigate concentration risk; (iii) mitigate risks associated with single points of failure; (v) provide high availability (for uninterrupted customer service); and (vi) manage supply chain risks effectively. | FinStack's API marketplace lets you distribute your KYC, AML and other APIs for loan onboarding and underwriting across multiple API vendors. This ensures that: |
| 10. Third-Party Arrangements: (ii) eliminate or address any conflict of interests; | From a business objective perspective, FinStack is purely a Technology Service Provider and does not engage in lending itself, neither on its own books nor as a DSA/BC/Agent to other lenders. |
| 10. Third-Party Arrangements: (iv) comply with applicable legal and regulatory requirements and standards to protect customer data; | FinStack's entire platform is VAPT compliant and is securely deployed on the lender's cloud. This ensures that: |
| 11. Capacity Management: (a) REs shall ensure that information systems and infrastructure are able to support business functions and ensure availability of all service delivery channels. (b) On an annual or more frequent basis, REs shall proactively assess the capacity requirement of IT resources. REs shall ensure that IT capacity planning across components, services, system resources and supporting infrastructure is consistent with past trends (peak usage), the current business requirements and projected future needs as per the IT strategy of the RE. (c) The assessment of IT capacity requirements and measures taken to address the issues shall be reviewed by the ITSC. | FinStack is battle tested to handle thousands of loans in a single day. FinStack's plug-n-play infrastructure allows lenders to scale horizontally as well as vertically to handle growing and variable demand. |
| 12. Project Management: (a) REs shall follow a consistent and formally defined project management approach for IT projects undertaken by them. The project management approach shall, inter alia, enable appropriate stakeholder participation for effective monitoring and management of project risks and progress. (b) While adopting new or emerging technologies or tools, or revamping existing ones in the technology stack, REs shall follow a standard enterprise architecture planning methodology or framework. (c) Adoption of new or emerging technologies shall be commensurate with the risk appetite and align with the overall Business/IT strategy of the RE. It should facilitate optimal creation, use or sharing of information by a business in a secure and resilient way. (d) REs shall maintain an enterprise data dictionary to enable the sharing of data among applications and information systems and promote a common understanding of data. 13. Change and Patch Management: (a) The business impact of implementing patches/changes (or not implementing a particular patch/change request) is assessed; (c) Any changes to an application system or data are justified by genuine business needs and approvals supported by documentation and subjected to a robust change management process; | Owing to the fundamental no-code nature of the platform, most changes can be made without any modification to the source code. For change requests, FinStack coordinates with the lender's team while following Agile Project Management with a Waterfall methodology. FinStack always under-promises and over-delivers on change requests. The lender is always informed of third-party vendor risks, expected delays or downtimes before project requirements for any change request are mutually established. |
| 12. Project Management: (e) REs shall ensure that maintenance and necessary support of software applications is provided by the software vendors and the same is enforced through a formal agreement. | Maintenance and support are included in FinStack's service fee and covered in the SLA, ensuring a minimum 99% uptime along with a well-defined escalation matrix. |
| 12. Project Management: (f) REs shall obtain the source code for all critical applications from their vendors. Where obtaining the source code is not possible, REs shall put in place a source code escrow arrangement or other arrangements to adequately mitigate the risk of default by the vendor. REs shall ensure that all product updates and programme fixes are included in the source code escrow arrangement. | FinStack provides the source code of its application only under exceptional conditions and with additional commercials. Where a source code copy is not part of the engagement, FinStack ensures (with or without code escrow) that the source code copy, along with all product updates and programme fixes, is provided to the lender in the following events: |
| 12. Project Management: (g) REs shall obtain a certificate or a written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware and any covert channels in the code. Such a certificate or written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur. (h) Any new IT application proposed to be introduced as a business product shall be subjected to product approval and quality assurance processes. 13. Change and Patch Management: (a) The patches/changes are applied/implemented and reviewed in a secure and timely manner with necessary approvals; (c) A mechanism is established to recover from failed changes/patch deployments or unexpected results. | Any change in the product (updates or bug fixes), along with any change in configuration on our no-code platform (when done by FinStack), is deployed only after mutual agreement over email or a mutually agreed written sign-off. All changes and deployments are made in a blue-green manner with incremental rollouts: new features are initially exposed only to a subset of power users identified by the lender and rolled out gradually once they have been battle tested over some time. |
| 14. Data Migration Controls: REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. The policy shall, inter alia, contain provisions pertaining to sign-offs from business users and application owners at each stage of migration, maintenance of audit trails, etc. | All logs generated (audit related or not) can be streamed into any service using our fluentd connector. Custom ETL pipelines for migration or MIS report generation are part of FinStack's platform setup efforts (if requested). All migrations are applied only after mutual agreement over email or a mutually agreed written sign-off. |
| 15. Audit Trails: (a) Every IT application which can access or affect critical or sensitive information shall have the necessary audit and system logging capability and should provide audit trails. (b) The audit trails shall satisfy an RE's business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes. (c) REs shall put in place a system for regularly monitoring the audit trails and system logs to detect any unauthorised activity. | For any action performed on the FinStack platform, audit logs are captured for all users, including but not limited to the borrowers themselves, DSA/RMs, and internal as well as external teams such as credit, ops, legal, technical and RCU. Each log captures: (1) user identification details, (2) device location, (3) device fingerprint and (4) timestamp. The lender decides the TTL for log persistence along with the platform on which the logs are stored. |
| 16. Cryptographic Controls: The key length, algorithms, cipher suites and applicable protocols used in transmission channels, processing of data and authentication shall be strong. REs shall adopt internationally accepted and published standards that are not deprecated/demonstrated to be insecure/vulnerable, and the configurations involved in implementing such controls shall be compliant with extant laws and regulatory instructions. | FinStack uses industry standards like: |
| 17. Straight Through Processing: (a) In order to prevent unauthorised modification of data, REs shall ensure that there is no manual intervention or manual modification of data while it is being transferred from one process to another or from one application to another, in respect of critical applications. (b) Data transfer mechanisms between processes or applications must be properly tested, securely automated with the necessary checks and balances, and properly integrated through a "Straight Through Processing" methodology with appropriate authentication mechanisms and audit trails. | FinStack natively meets all requirements for Straight Through Processing (STP). However, in practical scenarios a significant number of loan applications (unsecured as well as secured) cannot be served with STP: borrowers may have spelling mistakes on their PoI/PoA or other supplementary documents that require manual correction, overwriting or declarations. Therefore, for any action performed on the FinStack platform, audit logs are captured for all users, including but not limited to the borrowers themselves, DSA/RMs, and internal as well as external teams such as credit, ops, legal, technical and RCU. Each log captures: (1) user identification details, (2) device location, (3) device fingerprint and (4) timestamp. |
| 18. Physical and Environmental Controls: (a) REs shall implement suitable physical and environmental controls in the Data Centre and Disaster Recovery sites used by them. (b) The DC and DR sites should be geographically well separated so that both sites are not affected by a similar threat associated with their location. (c) REs shall ensure that their DC and DR sites are subjected to the necessary e-surveillance mechanism. | FinStack's services are hosted on the lender's cloud; DR sites therefore need to be provisioned by the lender. From FinStack's side, we can provision disaster recovery through cross-data-centre replication in an active-passive topology as long as the lender's cloud provider and infrastructure components support it. Our platform is DR compliant; see Disaster Recovery Management for details. |
| 19. Access Controls: (a) Access to information assets shall be allowed only where a valid business need exists. REs shall have documented standards and procedures, approved by the ITSC and kept up to date, for administering need-based access to an information system. (b) Personnel with elevated system access entitlements shall be closely supervised, with all their system activities logged and periodically reviewed. (c) REs shall adopt multi-factor authentication for privileged users of i) critical information systems and ii) for critical activities, based on the RE's risk assessment. | FinStack's highly configurable and granular Role Based Access Control (RBAC) lets you control, govern and monitor which users can "view", "edit" and/or "delete" any and all aspects of your digital lending. For any action performed on the FinStack platform, audit logs are captured for all users. Multi-factor authentication using TOTPs or SMS/email OTPs can be configured for a group of users (based on branch, location and/or job function etc.) as well as for individual users. |
| 20. Controls on Teleworking: (a) Ensure that the systems used and the remote access from alternate work locations to the environment hosting the RE's information assets are secure; (b) Implement multi-factor authentication for enterprise (logical) access to critical systems; (c) Put in place a mechanism to identify all remote-access devices attached/connected to the RE's systems; and (d) Ensure that data/information shared/presented in teleworking is secured appropriately. | FinStack recommends that lenders use a VPN of their choice to support teleworking, so that only authorised access from a controlled network is allowed. Most VPNs track, record, restrict and allow access based on device fingerprints as well as IP addresses. |
| 21. Metrics: (a) REs shall define suitable metrics for system performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO), for all critical information systems. (b) For non-critical information systems, REs shall adopt a risk-based approach to define suitable metrics. (c) REs shall implement a suitable scorecard/metrics/methodology to measure IT performance and IT maturity level. | FinStack's Service Level Agreements (SLAs) ensure a minimum 99% uptime with a well-defined escalation matrix. The Recovery Point Objective (RPO) and Recovery Time Objective (RTO) shall be defined on the basis of the lender's DR policy. |
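The audit trail (15) and access control (19) rows above describe two controls that belong together: every RBAC decision is written to an audit log carrying user identification, device location, device fingerprint and timestamp, and the trail is then monitored for unauthorised activity. The following is an added illustration written for this page, not FinStack's own code: the role matrix, user records and events are constructed, and the two detection rules (repeated denials from one user, and one user acting from two device fingerprints within a short window) are assumptions about what a lender's monitoring might look for.

```python
"""Added example (not FinStack code): a minimal RBAC check whose every
decision lands in an audit trail with the four fields the page lists,
plus a monitor over that trail as required by 15(c). All roles, users
and events below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json

# Hypothetical role matrix: role -> resource -> permitted actions.
ROLE_PERMISSIONS = {
    "credit_analyst": {"application": {"view", "edit"}},
    "ops": {"application": {"view"}, "document": {"view", "edit"}},
    "admin": {"application": {"view", "edit", "delete"},
              "document": {"view", "edit", "delete"}},
}


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str            # 4. timestamp (ISO 8601, UTC)
    user_id: str              # 1. user identification details
    location: str             # 2. device location as reported by the client
    device_fingerprint: str   # 3. device fingerprint
    resource: str
    action: str
    allowed: bool


class Platform:
    def __init__(self, user_roles):
        self.user_roles = user_roles   # user_id -> role
        self.audit_trail = []          # append-only

    def authorise(self, user_id, resource, action, location, fingerprint, when):
        """RBAC decision; both allowed and denied attempts are logged."""
        role = self.user_roles.get(user_id)
        allowed = action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        self.audit_trail.append(AuditRecord(
            when.isoformat(), user_id, location, fingerprint, resource, action, allowed))
        return allowed

    def export_jsonl(self):
        """One JSON object per line, the shape a log shipper would forward."""
        return "\n".join(json.dumps(asdict(r)) for r in self.audit_trail)


def find_suspicious(records, max_denials=3, window=timedelta(minutes=10)):
    """Flag repeated denials per user and use of multiple devices per user
    inside `window`. Returns a sorted list of (user_id, reason) pairs."""
    findings = set()
    denials = defaultdict(list)
    devices = defaultdict(list)
    for r in records:
        ts = datetime.fromisoformat(r.timestamp)
        if not r.allowed:
            denials[r.user_id].append(ts)
            if len([t for t in denials[r.user_id] if ts - t <= window]) >= max_denials:
                findings.add((r.user_id, "repeated_denials"))
        devices[r.user_id].append((ts, r.device_fingerprint))
        if any(ts - t <= window and fp != r.device_fingerprint
               for t, fp in devices[r.user_id]):
            findings.add((r.user_id, "multiple_devices"))
    return sorted(findings)


def run_demo():
    """Constructed sequence of actions; returns (platform, findings)."""
    p = Platform({"analyst1": "credit_analyst", "ops1": "ops", "admin1": "admin"})
    t0 = datetime(2024, 4, 1, 10, 0, tzinfo=timezone.utc)
    m = lambda k: t0 + timedelta(minutes=k)
    p.authorise("analyst1", "application", "view", "Mumbai", "fp-A", m(0))
    p.authorise("analyst1", "application", "delete", "Mumbai", "fp-A", m(1))  # denied
    p.authorise("analyst1", "application", "delete", "Mumbai", "fp-A", m(2))  # denied
    p.authorise("analyst1", "application", "delete", "Mumbai", "fp-A", m(3))  # denied
    p.authorise("ops1", "document", "edit", "Pune", "fp-B", m(5))
    p.authorise("ops1", "document", "view", "Delhi", "fp-C", m(6))            # new device
    p.authorise("admin1", "application", "delete", "Mumbai", "fp-D", m(7))
    return p, find_suspicious(p.audit_trail)


if __name__ == "__main__":
    platform, findings = run_demo()
    print(platform.export_jsonl())
    print(findings)
```

The denied attempts are logged alongside the allowed ones on purpose: an audit trail that only records successes cannot serve as forensic evidence for an access-control failure, and the monitor needs the denials to spot them.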
- Continuously identify and reduce IT & Cyber risks
- Have clear governance & accountable roles
- Actively test for weaknesses
- Respond quickly to incidents
- Keep the Board, committees, and CISO always in the loop.
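The access control row (19) mentions TOTP-based multi-factor authentication for privileged users. As an added example, not FinStack's own code, the block below implements RFC 6238 TOTP verification with a one-step clock-drift window and replay protection (a code is accepted at most once per user by remembering the last accepted time step). The user id and the use of the RFC 6238 test secret are constructed for illustration; the algorithm itself is the published standard.

```python
"""Added example (not FinStack code): RFC 6238 TOTP verification with a
drift window and replay protection. The shared secret below is the
RFC 6238 test secret so the codes can be checked against the RFC."""
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    def __init__(self, secrets, drift_steps=1):
        self.secrets = secrets       # user_id -> shared secret (bytes)
        self.drift = drift_steps     # steps of clock skew tolerated each side
        self.last_step = {}          # user_id -> last accepted step (replay guard)

    def verify(self, user_id, code, now=None):
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(user_id)
        if secret is None:
            return False
        current = now // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step.get(user_id, -1):
                continue   # already used (or older): reject replays
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[user_id] = step
                return True
        return False


# Constructed enrolment: one privileged user with the RFC 6238 test secret.
RFC_SECRET = b"12345678901234567890"


def run_demo():
    """Returns (first_attempt, replay_attempt, drifted_attempt)."""
    v = TotpVerifier({"admin1": RFC_SECRET})
    code = totp(RFC_SECRET, 59)              # "287082", the RFC 6238 vector for t=59
    first = v.verify("admin1", code, now=59)     # accepted
    replay = v.verify("admin1", code, now=60)    # same code again: rejected
    v2 = TotpVerifier({"admin1": RFC_SECRET})
    drifted = v2.verify("admin1", code, now=65)  # client one step behind: accepted
    return first, replay, drifted


if __name__ == "__main__":
    print(run_demo())
```

Storing the last accepted step per user is what prevents an intercepted code from being reused inside the drift window; without it, a ±1 step window silently extends each code's validity to 90 seconds of replayable time.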
| Chapter IV - IT and Information Security Risk Management | RE Responsibilities |
|---|---|
| 22. Periodic review of IT related risks | Keep IT and cyber risks updated, at least annually. |
| 23. IT and Information Security Risk Management Framework | Build and maintain a strong IT and InfoSec risk framework. |
| 24. Information Security Policy and Cyber Security Policy | 1. REs must establish: 2. Appoint a CISO (senior executive, ideally GM level) with the following function: 3. Set up an Information Security Committee (ISC) under the ITSC. The ISC should: |
| 25. Risk Assessment | REs must: |
| 26. Conduct of Vulnerability Assessment (VA) / Penetration Testing (PT) | For critical systems and DMZ systems with customer interfaces: |
| 27. Cyber Incident Response and Recovery Management | REs must ensure that they have a detailed Cyber Incident Response and Recovery Management Policy which: |
- Clear Business Continuity Plans (BCP) and Disaster Recovery (DR) Policy.
- Setting pre-approved Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) which are real and practical, not just theoretical.
- Conducting DR drills on a half-yearly basis which should simulate reality with a whole business day's operations being conducted on DR site.
- Ensuring that backups are restorable, with matching configurations, while keeping all third parties aligned.

| Chapter V - Business Continuity and Disaster Recovery Management | FinStack Assurance |
|---|---|
| 28. Business Continuity Plan (BCP) and Disaster Recovery (DR) Policy: (a) The BCP and DR policy shall adopt best practices to guide its actions in reducing the likelihood or impact of disruptive incidents and maintaining business continuity. The policy shall be updated based on major developments/risk assessment. (b) The RE's BCP/DR capabilities shall be designed to effectively support its resilience objectives and enable it to rapidly recover and securely resume its critical operations (including security controls) after cyber-attacks or other incidents. | RBI recommends that REs follow the ISO 22301 international standard for business continuity management systems (BCMS). FinStack provides a robust Disaster Recovery (DR) Management System to supplement and complement your BCP. |
| 29. Disaster Recovery Management: (a) DR drills for critical information systems shall be conducted at least half-yearly and for other information systems as per the RE's risk assessment. (b) Any major issues observed during the DR drill shall be resolved and tested again to ensure successful conduct of the drill before the next cycle. (c) The DR testing shall involve switching over to the DR/alternate site and using it as the primary site for a sufficiently long period that usual business operations of at least a full working day (including Beginning of Day to End of Day operations) are covered. (d) REs shall regularly test the BCP/DR under different scenarios for possible types of contingencies, to ensure that it is up to date and effective. (e) REs shall back up data and periodically restore such backed-up data to check its usability. The integrity of such backup data shall be preserved along with securing it from unauthorised access. (f) REs shall ensure that DR architecture and procedures are robust, meeting the defined RTO and RPO for any recovery operations in case of contingency. (g) REs should prioritise achieving minimal RTO (as approved by the RE's ITSC) and a near zero RPO for critical information systems. (h) In a scenario of non-zero RPO, REs shall have a documented methodology for reconciliation of data while resuming operations from the alternate location. (i) REs shall ensure that the configurations of information systems and deployed security patches at the DC and DR are identical. (j) REs shall ensure BCP and DR capabilities in critical interconnected systems and networks, including those of vendors and partners. REs shall ensure demonstrated readiness through collaborative and coordinated resilience testing that meets the RE's RTO. | All forms of persistent data (relational, non-relational, static files and logs) are replicated in a master-slave configuration such that all data is actively replicated from the master data centre to the slave data centre, i.e. from the primary site to the recovery site. This gives FinStack eventual consistency for the entire system across data centres, allowing you to restore the system to a near-zero RPO. For a near-zero RTO, FinStack assists REs in keeping their certificates updated and in keeping the recovery data centre's IPs whitelisted with all third-party vendors. Note: zero RPO is not possible across data centres owing to the latencies involved in cross-data-centre replication. |
- Annually review the IS Audit Policy that is established by the RE.
- Review critical issues highlighted related to IT / information security / cyber security and provide appropriate direction and guidance to the RE's management.
REs must also establish a separate IS Audit function or resources who:
- Possess required professional skills and competence within the Internal Audit function.
- Take responsibility and accountability for external resources used for conducting IS audits in areas where skills are lacking within the RE.
REs should carry out IS Audit planning by adopting a risk-based audit approach and consider, wherever possible, a continuous auditing approach for critical systems, performing control and risk assessments on a more frequent basis.