How FinStack ensures complete compliance as per RBI's Master Directions

Understand the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices by RBI and see how FinStack's No-Code Loan Origination System (LOS) helps you stay compliant.

Key Highlights & Implications

On October 20, 2022 the Reserve Bank of India (RBI) released the Draft Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices. Following the draft guidelines, RBI came out with the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices on Nov 7, 2023 with the objective of tightening the governance framework for technology within the banking segment. The Master Direction has been in effect since April 1, 2024.

Applicable to the following Regulated Entities (REs)

  • Scheduled Commercial Banks (excluding Regional Rural Banks)
  • Small Finance Banks
  • Payments Banks
  • Non-Banking Financial Companies (except NBFC-Core Investment Companies)
  • Credit Information Companies
  • All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)

Navigating the regulations

RBI's Master Directions are organised into 7 chapters, of which the first (Chapter I - Preliminary) and last (Chapter VII – Repeal and Other Provisions) cover the applicability and the repeal of older instructions respectively.
Chapter II of the Master Directions covers the responsibilities of the RE in terms of establishing the board of directors, committees and members who will enforce and govern the company's technological functions.
Chapter II - IT Governance: RE Responsibilities
4. IT Governance Framework
Enforce an IT governance framework to:
  • Focus on strategic alignment, risk management, resource & performance management, and business continuity/disaster recovery.
  • Define clear structures, roles, and processes — covering the Board, Board committees, and Senior Management.
  • Include regular IT risk assessments in the overall risk management policy.
5. Role of the Board of Directors
The Board of Directors must approve and annually review all strategies & policies for IT, cyber security, information assets, business continuity, and incident response.
RBI recommended org structure for governance and risk
6. IT Strategy Committee of the Board (ITSC)
Establish a Board-level IT Strategy Committee (ITSC) with at least 3 directors, chaired by an independent director with substantial IT expertise, that meets quarterly. Their responsibilities are to:
  • Oversee IT strategy planning and ensure it aligns with business goals.
  • Ensure robust governance, clear accountability, and enough skilled people.
  • Confirm risk assessment & management processes for IT & cyber security are in place.
  • Make sure IT budgets match the institution’s tech maturity and risk environment.
  • Review BCP/DR plans at least annually.
7. Senior Management and IT Steering Committee
Senior Management must:
  • Implement Board-approved IT strategy.
  • Ensure IT/IS operations run effectively & securely.
  • Maintain a culture of IT risk awareness and strong cyber security posture.
  • Use IT to boost productivity & efficiency.
IT Steering Committee (made up of Senior Management from IT & business) must:
  • Assist ITSC with strategic planning and performance oversight.
  • Oversee business continuity & disaster recovery processes.
  • Make sure the IT architecture meets regulatory requirements.
  • Meet at least quarterly and regularly report to the ITSC & CEO.
8. Head of IT Function
The Head of IT must be senior, technically capable, and experienced and act as the first line of defence. Their responsibilities are to:
  • Make sure IT projects align with strategy & policy.
  • Maintain an effective org structure for IT.
  • Set up strong disaster recovery and business continuity.
  • Continuously assess & manage IT controls and risk to secure information assets and comply with all internal & external requirements.
Chapter III of the Master Directions mandates REs to show RBI that their IT infrastructure, vendors, people, and processes are robust, secure, scalable, and well-governed for daily operations as well as disaster recovery with clear accountability at every step.
Chapter III - IT Infrastructure & Services Management: FinStack Assurance
9. IT Services Management
(a) REs shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including DR sites).
(b) A Service Level Management (SLM) process shall be put in place to manage the IT operations while ensuring effective segregation of duties.
(c) REs shall ensure identification and mapping of the security classification (in terms of Confidentiality, Integrity, and Availability) of information assets based on their criticality to the REs' operations.
(d) For seamless continuity of business operations, REs shall avoid using outdated and unsupported hardware or software and shall monitor software's end-of-support (EOS) date and Annual Maintenance Contract (AMC) dates of IT hardware on an ongoing basis.
(e) REs shall develop a technology refresh plan for the replacement of hardware and software in a timely manner before they reach EOS.

FinStack's Service Level Agreements (SLAs) ensure regular updates and a minimum 99% uptime with a well defined escalation matrix.

Our platform is DR compliant and you can find more details about the same in Disaster Recovery Management.

10. Third-Party Arrangements
(i) mitigate concentration risk;
(iii) mitigate risks associated with single point of failure;
(v) provide high availability (for uninterrupted customer service); and
(vi) manage supply chain risks effectively.
FinStack's API marketplace lets you distribute your KYC, AML and other APIs for loan onboarding and underwriting across various API vendors. This ensures that:
  • Automatic fallbacks are configured and put in place for any failing third party API.
  • There is no single point of failure due to a downstream third party API vendor.
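The fallback behaviour described above, as an added example that is not FinStack's marketplace code: an ordered vendor list for one capability, a per-vendor failure counter that takes a repeatedly failing vendor out of rotation, and a clear error when no vendor can serve the call. The vendor names, the PAN-verification capability and the sample payload are constructed for illustration.

```python
"""Multi-vendor fallback for a third-party onboarding API (added example).

Vendor names, the PAN-verification capability and the sample payload are
constructed for illustration; they are not FinStack's API marketplace code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class VendorError(Exception):
    """Raised by a vendor adapter when the upstream API call fails."""


@dataclass
class VendorRoute:
    """Ordered vendor list for one capability plus per-vendor failure counts.

    A vendor that has failed `threshold` times in a row is skipped (its
    circuit is open) until an operator calls reset(), so a dead vendor
    stops adding latency to every request.
    """
    capability: str
    vendors: List[str]                          # preference order
    adapters: Dict[str, Callable[[dict], dict]]  # vendor name -> client call
    threshold: int = 3
    failures: Dict[str, int] = field(default_factory=dict)

    def invoke(self, payload: dict) -> dict:
        errors: List[str] = []
        for name in self.vendors:
            if self.failures.get(name, 0) >= self.threshold:
                errors.append(f"{name}: skipped, circuit open")
                continue
            try:
                result = self.adapters[name](payload)
            except VendorError as exc:
                # count the failure and fall through to the next vendor
                self.failures[name] = self.failures.get(name, 0) + 1
                errors.append(f"{name}: {exc}")
                continue
            self.failures[name] = 0  # a success closes the circuit again
            return {"vendor": name, "result": result}
        # every vendor failed or was skipped: surface all reasons to the caller
        raise VendorError(f"no vendor could serve {self.capability}: {errors}")

    def reset(self, name: str) -> None:
        """Operator action once the vendor confirms it has recovered."""
        self.failures[name] = 0


# Constructed vendor adapters standing in for real HTTP clients.
def vendor_a(payload: dict) -> dict:
    raise VendorError("HTTP 503 from vendor A")


def vendor_b(payload: dict) -> dict:
    return {"pan": payload["pan"], "name_match": True}


def build_pan_route() -> VendorRoute:
    """Route for PAN verification: vendor A preferred, vendor B as fallback."""
    return VendorRoute(
        capability="pan_verification",
        vendors=["vendor_a", "vendor_b"],
        adapters={"vendor_a": vendor_a, "vendor_b": vendor_b},
    )


if __name__ == "__main__":
    route = build_pan_route()
    for _ in range(4):
        print(route.invoke({"pan": "ABCDE1234F"}), route.failures)
```

The first three calls try vendor A, record the failure and fall back to vendor B; from the fourth call onwards vendor A is skipped outright until it is reset, which is the "no single point of failure" property the list above describes, without the failing vendor slowing every request.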
10. Third-Party Arrangements
(ii) eliminate or address any conflict of interests;
From a business objective perspective, FinStack is purely a Technology Service Provider and does not engage in lending itself - neither on its own books, nor as a DSA/BC/Agent to other lenders.
10. Third-Party Arrangements
(iv) comply with applicable legal, regulatory requirements and standards to protect customer data;
FinStack's entire platform is VAPT compliant and is securely deployed on the lender's cloud. This ensures that:
  • Customer data is never visible or accessible to FinStack.
  • Trade secrets, credit policies, credit appraisal processes and models are never visible, known or exposed to FinStack.
11. Capacity Management
(a) REs shall ensure that information systems and infrastructure are able to support business functions and ensure availability of all service delivery channels.
(b) On an annual or more frequent basis, REs shall proactively assess capacity requirement of IT resources. REs shall ensure that IT capacity planning across components, services, system resources, supporting infrastructure is consistent with past trends (peak usage), the current business requirements and projected future needs as per the IT strategy of the RE.
(c) The assessment of IT capacity requirements and measures taken to address the issues shall be reviewed by the ITSC.
FinStack is battle tested to handle thousands of loans in a single day.
FinStack's plug-n-play infrastructure allows lenders to scale horizontally as well as vertically to handle growing and variable demand.
FinStack's Microservice Architecture
12. Project Management
(a) REs shall follow a consistent and formally defined project management approach for IT projects undertaken by them. The project management approach shall, inter alia, enable appropriate stakeholder participation for effective monitoring and management of project risks and progress.
(b) While adopting new or emerging technologies, tools, or revamping their existing ones in the technology stack, REs shall follow a standard enterprise architecture planning methodology or framework.
(c) Adoption of new or emerging technologies shall be commensurate with the risk appetite and align with the overall Business/ IT strategy of the RE. It should facilitate optimal creation, use, or sharing of information by a business in a secure and resilient way.
(d) REs shall maintain enterprise data dictionary to enable the sharing of data among applications and information systems and promote a common understanding of data.
13. Change and Patch Management
(a) The business impact of implementing patches/ changes (or not implementing a particular patch/ change request) are assessed;
(c) Any changes to an application system or data are justified by genuine business needs and approvals supported by documentation and subjected to a robust change management process;
Owing to the fundamental no-code nature of the platform, most changes can be made without making any modifications to the source code.
In case there are any change requests, FinStack coordinates with the lender's team while following Agile Project Management with Waterfall Methodology.
FinStack always under-promises and over-delivers on change requests. The lender is always informed of third-party vendor risks, expected delays or downtimes before project requirements for any change request are mutually established.
12. Project Management
(e) REs shall ensure that maintenance and necessary support of software applications is provided by the software vendors and the same is enforced through formal agreement.
Maintenance and Support are included in FinStack's service fee and covered in the SLA ensuring a minimum 99% uptime along with a well defined escalation matrix.
12. Project Management
(f) REs shall obtain the source codes for all critical applications from their vendors. Where obtaining of the source code is not possible, REs shall put in place a source code escrow arrangement or other arrangements to adequately mitigate the risk of default by the vendor. REs shall ensure that all product updates and programme fixes are included in the source code escrow arrangement.
FinStack provides the source code of its application only under exceptional conditions and with additional commercials.
Where a source code copy is not part of the engagement, FinStack ensures (with or without a code escrow arrangement) that a copy of the source code, along with all product updates and programme fixes, is provided to the lender in the following events:
  • The company is no longer operational or has pivoted to a different business model / segment.
  • There is a material breach in the SLAs which are not resolved within 30 days of formal communication.
  • The company is acquired by another lender (conflict of interest) or if the company is unable to provide services as per SLAs post acquisition.
12. Project Management
(g) REs shall obtain a certificate or a written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware, and any covert channels in the code. Such a certificate or a written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur.
(h) Any new IT application proposed to be introduced as a business product shall be subjected to product approval and quality assurance processes.
13. Change and Patch Management
(a) The patches/ changes are applied/ implemented and reviewed in a secure and timely manner with necessary approvals;
(c) Mechanism is established to recover from failed changes/ patch deployment or unexpected results.
Any change in the product (in the form of updates or bug fixes), along with any change in configurations on our no-code platform (whenever done by FinStack), is deployed only after mutual agreement over email or a mutually agreed written sign-off.
All changes and deployments are made in a blue-green manner with incremental rollouts. Latest features are initially exposed to only a subset of power users identified by the lender and rolled out gradually once the same are battle tested over some time.
FinStack's Deployment Strategy
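The incremental rollout described above, as an added example rather than FinStack's deployment tooling: a feature gate that enables a release first for the lender-named power users, then widens exposure by a stable hash bucket so a user who has seen the new feature never flips back and forth, with rollback to 0% as the recovery path clause 13(c) asks for. The feature name, user ids and percentages are constructed.

```python
"""Gradual feature exposure with stable user bucketing (added example).

The feature name, user ids and percentages are constructed; this is not
FinStack's deployment tooling.
"""
import hashlib
from typing import Iterable, List, Set


class FeatureRollout:
    """Exposes a feature to lender-named power users first, then by percentage."""

    def __init__(self, feature: str, power_users: Iterable[str] = (), percent: int = 0):
        self.feature = feature
        self.power_users: Set[str] = set(power_users)
        self.percent = 0
        self.history: List[int] = []   # every exposure level ever set, for audit
        self.set_percent(percent)

    def bucket(self, user_id: str) -> int:
        """Stable 0-99 bucket from a hash, so a user never flips between requests."""
        digest = hashlib.sha256(f"{self.feature}:{user_id}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % 100

    def is_enabled(self, user_id: str) -> bool:
        if user_id in self.power_users:
            return True
        return self.bucket(user_id) < self.percent

    def set_percent(self, percent: int) -> None:
        if not 0 <= percent <= 100:
            raise ValueError("percent must be between 0 and 100")
        self.percent = percent
        self.history.append(percent)

    def advance(self, percent: int) -> None:
        """Widen the rollout; because buckets are fixed, earlier users stay enabled."""
        if percent < self.percent:
            raise ValueError("use rollback() to narrow exposure")
        self.set_percent(percent)

    def rollback(self) -> None:
        """Recovery path for a failed change: everyone reverts to the stable build."""
        self.set_percent(0)

    def exposure(self, users: Iterable[str]) -> float:
        """Fraction of the given user population currently seeing the feature."""
        users = list(users)
        return sum(self.is_enabled(u) for u in users) / len(users) if users else 0.0


if __name__ == "__main__":
    rollout = FeatureRollout("new-underwriting-screen", power_users=["power-1"])
    population = [f"user-{i}" for i in range(2000)]
    for pct in (20, 50, 100):
        rollout.advance(pct)
        print(pct, round(rollout.exposure(population), 2))
    rollout.rollback()
    print(rollout.history)
```

Hashing the feature name together with the user id means different features get independent buckets, so the 20% cohort for one release is not automatically the guinea-pig cohort for every release.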
14. Data Migration Controls
REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. The policy shall, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc.
All the logs that are generated (audit related or not) can be streamed into any service using our fluentd connector.
Custom ETL pipelines for migration or MIS report generations are part of FinStack's platform setup efforts (if requested).
All migrations are applied only after mutual agreement over email or a mutually agreed written sign-off.
15. Audit Trails
(a) Every IT application which can access or affect critical or sensitive information, shall have necessary audit and system logging capability and should provide audit trails.
(b) The audit trails shall satisfy a RE’s business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes.
(c) REs shall put in place a system for regularly monitoring the audit trails and system logs to detect any unauthorised activity.
For any action performed on the FinStack platform, audit logs are captured for all users, including but not limited to the borrowers themselves, DSA/RMs, and internal as well as external teams like credit, ops, legal, technical, RCU etc., which capture:
1. User Identification details
2. Device Location
3. Device Fingerprint
4. Timestamp
The lender decides the TTL for the log persistence along with the platform on which they shall be stored.
16. Cryptographic controls
The key length, algorithms, cipher suites and applicable protocols used in transmission channels, processing of data and authentication purpose shall be strong. REs shall adopt internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable and the configurations involved in implementing such controls shall be compliant with extant laws and regulatory instructions.
FinStack uses industry standards like:
  • TLS 1.2/1.3 for all data in transit.
  • AES-256 or higher for data at rest.
  • RSA-2048 or ECC keys for certificate-based auth.
FinStack's entire platform is VAPT compliant and crypto controls are covered during the same.
All passwords are hashed and salted using bcrypt with strong rounds.
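A policy check for the controls listed above, as an added example that is not FinStack's configuration: a TLS client context that refuses anything below TLS 1.2, and a linter that flags deprecated protocols, weak cipher suites and undersized keys in a configuration record. The minimums encode the page's own list (TLS 1.2/1.3, AES-256, RSA-2048 or ECC); the configuration dictionaries, the marker list for weak suites and the 256-bit floor for EC keys are assumptions.

```python
"""Crypto-policy checks for the transport and at-rest controls (added example).

The configuration dictionaries are constructed. Thresholds follow the minimums
listed on the page (TLS 1.2, AES-256, RSA-2048 / ECC); the weak-suite markers
and the 256-bit EC floor are assumptions, not FinStack's actual settings.
"""
import ssl
from typing import Dict, List

MIN_TLS = ssl.TLSVersion.TLSv1_2
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify suites the page's policy would not accept (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
MIN_AES_BITS = 256


def client_context() -> ssl.SSLContext:
    """TLS client context that negotiates TLS 1.2 or 1.3 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def check_crypto_config(cfg: Dict[str, object]) -> List[str]:
    """Return policy findings for one transport / at-rest configuration record."""
    findings: List[str] = []
    if cfg["tls_version"] in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {cfg['tls_version']}")
    suite = str(cfg["cipher_suite"]).upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in suite:
            findings.append(f"weak cipher suite {cfg['cipher_suite']} ({marker})")
            break
    key_type, key_bits = str(cfg["key_type"]), int(cfg["key_bits"])
    # unknown key types are flagged rather than silently accepted
    if key_bits < MIN_KEY_BITS.get(key_type, 1 << 30):
        findings.append(f"{key_type} key of {key_bits} bits is below the minimum")
    if cfg["at_rest_cipher"] != "AES" or int(cfg["at_rest_bits"]) < MIN_AES_BITS:
        findings.append("data at rest must use AES-256 or stronger")
    return findings


# Constructed records: one that the policy rejects, one that it accepts.
WEAK_CONFIG = {
    "tls_version": "TLSv1.1",
    "cipher_suite": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "key_type": "RSA", "key_bits": 1024,
    "at_rest_cipher": "AES", "at_rest_bits": 128,
}
STRONG_CONFIG = {
    "tls_version": "TLSv1.3",
    "cipher_suite": "TLS_AES_256_GCM_SHA384",
    "key_type": "EC", "key_bits": 256,
    "at_rest_cipher": "AES", "at_rest_bits": 256,
}


if __name__ == "__main__":
    print(client_context().minimum_version)
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, check_crypto_config(cfg))
```

Running the linter over every service's configuration record before a VAPT round turns the "not deprecated / not demonstrated insecure" wording of clause 16 into a repeatable check rather than a once-a-year review.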
17. Straight Through Processing
(a) In order to prevent unauthorised modification of data, REs shall ensure that there is no manual intervention or manual modification in data while it is being transferred from one process to another or from one application to another, in respect of critical applications.
(b) Data transfer mechanism between processes or applications must be properly tested, securely automated with necessary checks and balances, and properly integrated through "Straight Through Processing" methodology with appropriate authentication mechanism and audit trails.
FinStack natively meets all requirements for Straight Through Processing (STP). In practice, however, a significant number of loan applications (unsecured as well as secured) cannot be served with STP.
It is possible that borrowers may have spelling mistakes on their PoI/PoA or other supplementary documents that require manual correction, overwriting or declarations.
Therefore, for any action performed on the FinStack platform, audit logs are captured for all users, including but not limited to the borrowers themselves, DSA/RMs, and internal as well as external teams like credit, ops, legal, technical, RCU etc., which capture:
1. User Identification details
2. Device Location
3. Device Fingerprint
4. Timestamp
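The audit trail described under 15 and again under 17, as one added example that is not FinStack's logging code: a record carrying the four fields listed above plus the acting role, action and resource; a JSON-lines serialiser of the kind a log forwarder streams; a lender-defined TTL check; and the review pass clause 15(c) asks for, which flags an action outside the role's "view"/"edit"/"delete" permissions and a user appearing from a device fingerprint not seen before. The role-to-permission map, the 90-day TTL and the sample records are constructed.

```python
"""Audit record capture and review for platform actions (added example).

Roles, permissions, TTL and the sample records are constructed; this is not
FinStack's logging code.
"""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed role-to-permission map in the "view" / "edit" / "delete" terms used on the page.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "borrower": {"view", "edit"},
    "dsa": {"view", "edit"},
    "credit": {"view", "edit"},
    "ops": {"view"},
    "admin": {"view", "edit", "delete"},
}


@dataclass(frozen=True)
class AuditRecord:
    user_id: str            # user identification
    role: str
    action: str             # view | edit | delete
    resource: str
    device_location: str
    device_fingerprint: str
    timestamp: str          # ISO-8601 in UTC


def record_action(user_id: str, role: str, action: str, resource: str,
                  device_location: str, device_fingerprint: str,
                  when: Optional[datetime] = None) -> AuditRecord:
    when = when or datetime.now(timezone.utc)
    return AuditRecord(user_id, role, action, resource,
                       device_location, device_fingerprint, when.isoformat())


def to_json_line(rec: AuditRecord) -> str:
    """One JSON object per line, the shape a log forwarder streams onward."""
    return json.dumps(asdict(rec), sort_keys=True)


def is_expired(rec: AuditRecord, ttl_days: int, now: datetime) -> bool:
    """Lender-defined retention: True once the record is older than the TTL."""
    return datetime.fromisoformat(rec.timestamp) < now - timedelta(days=ttl_days)


def review(records: List[AuditRecord]) -> List[str]:
    """Flag actions outside the role's permissions and activity from unseen devices."""
    findings: List[str] = []
    seen: Dict[str, Set[str]] = {}
    for rec in sorted(records, key=lambda r: r.timestamp):
        if rec.action not in ROLE_PERMISSIONS.get(rec.role, set()):
            findings.append(f"{rec.timestamp} {rec.user_id} ({rec.role}) "
                            f"attempted {rec.action} on {rec.resource}")
        devices = seen.setdefault(rec.user_id, set())
        if devices and rec.device_fingerprint not in devices:
            findings.append(f"{rec.timestamp} {rec.user_id} seen from new device "
                            f"{rec.device_fingerprint}")
        devices.add(rec.device_fingerprint)
    return findings


def sample_records() -> List[AuditRecord]:
    """Constructed sample: one over-privileged delete and one new-device login."""
    base = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)

    def at(minutes: int, *fields: str) -> AuditRecord:
        return record_action(*fields, when=base + timedelta(minutes=minutes))

    return [
        at(0, "u-ops-17", "ops", "view", "loan/1001", "Mumbai, IN", "fp-a1"),
        at(5, "u-ops-17", "ops", "delete", "loan/1001", "Mumbai, IN", "fp-a1"),
        at(9, "u-credit-4", "credit", "edit", "loan/1001", "Pune, IN", "fp-b7"),
        at(12, "u-credit-4", "credit", "view", "loan/1002", "Delhi, IN", "fp-z9"),
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(to_json_line(rec))
    for finding in review(sample_records()):
        print("FINDING:", finding)
```

The record is frozen and serialised with sorted keys so that two copies of the same event produce identical bytes, which is what makes a forwarded copy usable as forensic evidence when it is compared against the original.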
18. Physical and Environmental Controls
(a) REs shall implement suitable physical and environmental controls in Data Centre and Disaster Recovery sites used by them.
(b) The DC and DR sites should be geographically well separated so that both the sites are not affected by a similar threat associated to their location.
(c) REs shall ensure that their DC and DR sites are subjected to necessary e-surveillance mechanism.
FinStack's services are hosted on the lender's cloud. Therefore DR sites need to be provisioned by lenders.
From FinStack's side, we can provision disaster recovery through cross data centre replication with an Active Passive topology as long as the lender's cloud provider and infra components support the same.
Our platform is DR compliant and you can find more details about the same in Disaster Recovery Management.
19. Access Controls
(a) Access to information assets shall be allowed only where a valid business need exists. REs shall have documented standards and procedures, which are approved by the ITSC and kept up to date for administering need-based access to an information system.
(b) Personnel with elevated system access entitlements shall be closely supervised with all their systems activities logged and periodically reviewed.
(c) REs shall adopt multi-factor authentication for privileged users of i) critical information systems and ii) for critical activities, basis the RE's risk assessment.
FinStack's highly configurable and granular Role Based Access Control (RBAC) allows you to control, govern and monitor which users can "view", "edit" and/or "delete" any and all aspects of your digital lending.
For any action performed on the FinStack platform, audit logs are captured for all users.
Multifactor authentication using TOTPs, SMS / Email OTPs can be configured for a group of users (based on branch, location and/or job function etc.) as well as for individual users.
20. Controls on Teleworking
(a) Ensure that the systems used and the remote access from alternate work location to the environment hosting RE’s information assets are secure;
(b) Implement multi-factor authentication for enterprise access (logical) to critical systems;
(c) Put in place a mechanism to identify all remote-access devices attached/connected to the RE’s systems; and
(d) Ensure that data/ information shared/ presented in teleworking is secured appropriately.
FinStack recommends that lenders use a VPN of their choice for supporting teleworking to allow authorised access only in a controlled network.
Most VPNs track, record, restrict and allow access based on device fingerprints as well as IP addresses.
21. Metrics
(a) REs shall define suitable metrics for system performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO), for all critical information systems.
(b) For non-critical information systems, REs shall adopt a risk-based approach to define suitable metrics.
(c) REs shall implement suitable scorecard/ metrics/ methodology to measure IT performance and IT maturity level.
FinStack's Service Level Agreements (SLAs) ensure a minimum 99% uptime with a well defined escalation matrix.
The Recovery Point Objective (RPO) and Recovery Time Objective (RTO) shall be defined on the basis of the lender's DR policy.
Chapter IV of the Master Directions mandates REs to show RBI that they:
  • Continuously identify and reduce IT & Cyber risks
  • Have clear governance & accountable roles
  • Actively test for weaknesses
  • Respond quickly to incidents
  • Keep the Board, committees, and CISO always in the loop.
Chapter IV - IT and Information Security Risk Management: RE Responsibilities
22. Periodic review of IT related risks
Keep IT & cyber risks updated, annually at minimum:
  • Include IT & Cyber Security risks in your overall risk management policy.
  • The Risk Management Committee of the Board (RMCB), with the IT Strategy Committee (ITSC), must review and update this at least once a year.
23. IT and Information Security Risk Management Framework
Build & maintain a strong IT & InfoSec risk framework:
  • Have a clear Information Security management function, with controls & processes to handle all identified risks — these must be reviewed regularly.
  • Define roles & responsibilities for everyone involved, including third parties — remove any overlap or accountability gaps.
  • Identify your critical information systems and give them extra protection.
  • Ensure secure storage, transfer, and processing of all data.
24. Information Security Policy and Cyber Security Policy
1. REs must establish:
  • An Information Security Policy.
  • A Cyber Security Policy and Cyber Crisis Management Plan (CCMP) covering scope, ownership, structure, and consequences for non-compliance.
2. Appoint a CISO (senior executive, ideally GM level) who meets the following conditions:
  • Must have the right expertise.
  • No reporting line to Head of IT; no business targets.
  • CISO's office must be properly staffed.
  • Budget must match the threat landscape.
  • CISO should report directly to risk leadership and be a permanent invitee to ITSC & IT Steering Committee.
  • CISO must present a cyber risk review to the Board/RMCB/ITSC at least quarterly.
3. Set up an Information Security Committee (ISC) under the ITSC. The ISC should:
  • Include the Chief Information Security Officer (CISO) and reps from risk, business, and IT.
  • Be headed by someone from the risk management vertical.
  • Develop, approve, and monitor security projects, incidents, audits, and training.
  • Keep the ITSC and CEO regularly informed.
25. Risk Assessment
REs must:
  • Assess every information asset using industry security standards & frameworks.
  • Make sure all staff and vendors follow security and acceptable-use policies.
  • Review security infrastructure & policies at least annually, adapt to new threats, and guard against phishing & spoofing.
26. Conduct of Vulnerability Assessment (VA) / Penetration Testing (PT)
For critical systems & DMZ systems with customer interfaces:
  • Vulnerability Assessment (VA): Performed every 6 months.
  • Penetration Testing (PT): Performed every 12 months.
  • VA/PT during system life cycle (pre/post implementation, upgrades, etc.)
For Non-critical systems: Decide frequency based on risk.
Use trained, independent experts.
PT must be on production environment; if not possible, test environment must match production.
Fix identified vulnerabilities quickly and ensure they don’t come back.
Have a documented VA/PT approach (scope, scoring, coverage) — applies to cloud-hosted systems too.
FinStack assures:
  • FinStack's entire platform is VAPT compliant. Our service includes coordinating with your internal as well as external teams during audits to ensure that FinStack's services remain compliant as per CERT-In and RBI's recommendation.
  • Vulnerabilities and issues identified during the first round of assessment are promptly fixed and deployed to make sure that the same are resolved by the second assessment during any VAPT audit.
27. Cyber Incident Response and Recovery Management
REs must ensure that they have a detailed Cyber Incident Response & Recovery Management Policy which:
  • Classifies & assesses incidents.
  • Communicates clearly to contain impact and recover quickly.
In case there is an incident, REs must:
  • Analyse each incident (forensically if needed) — fix root causes, take preventive steps.
  • Maintain clear, documented incident response procedures with defined roles.
  • Have clear escalation/reporting channels for the Board, Senior Management, and customers.
  • Notify CERT-In and RBI proactively as required.
REs must regularly test response plan through drills, and improve using lessons learned.
Chapter V of the Master Directions mandates REs to plan, test, and prove to RBI that they can continue critical operations securely and with minimal downtime even after major disruptions. This includes:
  • Clear Business Continuity Plans (BCP) and Disaster Recovery (DR) Policy.
  • Setting pre-approved Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) which are real and practical, not just theoretical.
  • Conducting DR drills on a half-yearly basis which should simulate reality with a whole business day's operations being conducted on DR site.
  • Ensuring that backups are restorable, with matching configurations, while keeping all third parties aligned.
FinStack's DR Strategy
FinStack's Disaster Recovery Management policy follows Active Passive Topology to provide near zero Recovery Point Objective (RPO) and near zero Recovery Time Objective (RTO).
Chapter V - Business Continuity and Disaster Recovery Management: FinStack Assurance
28. Business Continuity Plan (BCP) and Disaster Recovery (DR) Policy
(a) The BCP and DR policy shall adopt best practices to guide its actions in reducing the likelihood or impact of the disruptive incidents and maintaining business continuity. The policy shall be updated based on major developments/ risk assessment.
(b) RE's BCP/ DR capabilities shall be designed to effectively support its resilience objectives and enable it to rapidly recover and securely resume its critical operations (including security controls) post cyber-attacks/ other incidents.
RBI recommends that REs follow the ISO 22301 international standard for business continuity management systems (BCMS).
FinStack provides a robust Disaster Recovery (DR) Management System to supplement and complement your BCP.
29. Disaster Recovery Management
(a) Periodicity of DR drills for critical information systems shall be at least on a half-yearly basis and for other information systems, as per RE's risk assessment.
(b) Any major issues observed during the DR drill shall be resolved and tested again to ensure successful conduct of drill before the next cycle.
(c) The DR testing shall involve switching over to the DR / alternate site and thus using it as the primary site for sufficiently long period where usual business operations of at least a full working day (including Beginning of Day to End of Day operations) are covered.
(d) REs shall regularly test the BCP / DR under different scenarios for possible types of contingencies, to ensure that it is up-to-date and effective.
(e) REs shall backup data and periodically restore such backed-up data to check its usability. The integrity of such backup data shall be preserved along with securing it from unauthorised access.
(f) REs shall ensure that DR architecture and procedures are robust, meeting the defined RTO and RPO for any recovery operations in case of contingency.
(g) REs should prioritise achieving minimal RTO (as approved by the RE's ITSC) and a near zero RPO for critical information systems.
(h) In a scenario of non-zero RPO, REs shall have a documented methodology for reconciliation of data while resuming operations from the alternate location.
(i) REs shall ensure that the configurations of information systems and deployed security patches at the DC and DR are identical.
(j) REs shall ensure BCP and DR capabilities in critical interconnected systems and networks including those of vendors and partners. REs shall ensure demonstrated readiness through collaborative and co-ordinated resilience testing that meets the REs's RTO.
All forms of persistent data (relational, non-relational, static files and logs) are replicated using a master-slave configuration such that all data is actively replicated from the master data centre to the slave data centre i.e. from primary site to the recovery site.
This gives FinStack eventual consistency for the entire system across data centres, allowing you to restore the system with a near-zero RPO.
For a near-zero RTO, FinStack assists the REs in keeping their certificates updated and in keeping the recovery data centre's IPs whitelisted with all third-party vendors.
Note: Zero RPO is not possible across data centres owing to the latencies involved in cross data centre replication.
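The replication model described above, as an added example that is not FinStack's replication setup: a primary site ships its commit log asynchronously to the recovery site, so at the moment the primary is lost the recovery site is behind by the replication lag (the non-zero RPO of the note above); the example measures that gap, and then carries out the reconciliation step clause 29(h) asks for by replaying the unshipped entries, with any key the recovery site has since rewritten set aside for manual review instead of being silently overwritten. The sites, commit entries, lag and sequence ranges are constructed.

```python
"""Primary-to-DR asynchronous replication, RPO at failover and reconciliation
(added example). Sites, commit-log entries, lag and sequence ranges are
constructed; this is not FinStack's replication setup.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int        # commit sequence number assigned by the writing site
    ts: float       # commit time in seconds
    key: str
    value: str


class Site:
    """A data centre holding a commit log and the state that log produces."""

    def __init__(self, name: str):
        self.name = name
        self.log: List[Entry] = []
        self.state: Dict[str, str] = {}
        self.applied: Set[int] = set()

    def apply(self, e: Entry) -> bool:
        """Idempotent apply: replaying the same entry twice changes nothing."""
        if e.seq in self.applied:
            return False
        self.applied.add(e.seq)
        self.log.append(e)
        self.state[e.key] = e.value
        return True


def replicate(primary: Site, replica: Site, now: float, lag: float) -> int:
    """Ship every primary entry older than the replication lag; returns the count shipped."""
    return sum(replica.apply(e) for e in primary.log if e.ts <= now - lag)


def failover_report(primary: Site, replica: Site, failure_ts: float) -> dict:
    """What the recovery site is missing at the moment the primary is lost."""
    lost = [e for e in primary.log if e.seq not in replica.applied]
    last_replicated = max((e.ts for e in replica.log), default=0.0)
    return {"lost_entries": lost, "rpo_seconds": failure_ts - last_replicated}


def reconcile(old_primary: Site, dr: Site,
              takeover_seq: int) -> Tuple[List[Entry], List[Tuple[Entry, Entry]]]:
    """Replay entries the old primary committed but never shipped.

    An entry whose key the recovery site rewrote after takeover is not
    replayed automatically; the pair is returned for manual review.
    """
    replayed: List[Entry] = []
    conflicts: List[Tuple[Entry, Entry]] = []
    for e in old_primary.log:
        if e.seq in dr.applied:
            continue
        later = [n for n in dr.log if n.key == e.key and n.seq >= takeover_seq]
        if later:
            conflicts.append((e, later[-1]))
        else:
            dr.apply(e)
            replayed.append(e)
    return replayed, conflicts


def run_scenario() -> dict:
    """Constructed scenario: six commits, 15 s lag, failure at t=45, takeover at seq 1000."""
    primary, dr = Site("DC-primary"), Site("DC-recovery")
    writes = [(1, 0, "loan-1", "applied"), (2, 10, "loan-2", "applied"),
              (3, 20, "loan-1", "approved"), (4, 30, "loan-3", "applied"),
              (5, 35, "loan-2", "approved"), (6, 40, "loan-3", "disbursed")]
    for seq, ts, key, value in writes:
        primary.apply(Entry(seq, ts, key, value))
    shipped = replicate(primary, dr, now=45, lag=15)   # only entries up to t=30 arrive
    report = failover_report(primary, dr, failure_ts=45)
    # the recovery site takes over with its own sequence range and rewrites loan-3
    dr.apply(Entry(1000, 50, "loan-3", "under-review"))
    replayed, conflicts = reconcile(primary, dr, takeover_seq=1000)
    return {"shipped": shipped,
            "lost": [e.seq for e in report["lost_entries"]],
            "rpo_seconds": report["rpo_seconds"],
            "replayed": [e.seq for e in replayed],
            "conflicts": [(a.seq, b.seq) for a, b in conflicts],
            "state": dict(dr.state)}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The measured `rpo_seconds` is the number the DR drill should record against the RPO the ITSC approved; the `conflicts` list is the part of the reconciliation that cannot be automated and is why clause 29(h) asks for a documented methodology rather than a replication setting.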
Chapter VI (Information Systems (IS) Audit) of the Master Directions mandates REs to establish an Audit Committee of the Board (ACB) to exercise oversight of the IS Audit of the RE. The functions of the ACB are:
  • Annually review the IS Audit Policy that is established by the RE.
  • Review critical issues highlighted related to IT / information security / cyber security and provide appropriate direction and guidance to the RE's management.

REs must also establish a separate IS Audit function or resources who:

  • Possess the required professional skills and competence within the Internal Audit function.
  • Take responsibility and accountability for external resources used for conducting IS audits in areas where skills are lacking within the RE.

REs should carry out IS Audit planning by adopting a risk-based audit approach and consider, wherever possible, a continuous auditing approach for critical systems, performing control and risk assessments on a more frequent basis.