Cyber Security & IT Framework

See also: Digital Payments (payment security) | Co-operative Banks (UCB CBS rollout) | Regional Rural Banks (RRB technology)

In February 2016, hackers breached the Bangladesh Bank's systems and sent fraudulent SWIFT messages to the Federal Reserve Bank of New York, attempting to steal nearly a billion dollars. They got away with $81 million. The attack did not target an Indian bank, but it landed squarely in the RBI's consciousness — because if SWIFT messaging could be compromised at one central bank, the same vulnerability existed everywhere. Four months later, in June 2016, the RBI issued the Cyber Security Framework for Banks (RBI/2015-16/418) — the first comprehensive directive requiring every bank in India to have a Board-approved cyber security policy, a dedicated Security Operations Centre, and an incident reporting mechanism to the RBI's CSITE cell.

Before this, cyber security in banking was addressed through scattered circulars. Technology risk management was a subset of operational risk. IT governance was a line item in broader governance frameworks. The 2016 circular changed the institutional posture. Cyber security was no longer a technology problem to be delegated to the IT department — it was a board-level governance responsibility with direct supervisory consequences.

The intellectual foundation for this shift had been laid five years earlier. In January 2011, the RBI released the report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, chaired by G. Gopalakrishna, then Executive Director of the RBI. The Gopalakrishna Committee recommended that banks establish dedicated information security functions, implement continuous vulnerability assessment, and report cyber incidents to a centralised authority. These recommendations shaped every subsequent technology risk mandate — from the 2016 framework to the November 2023 IT Governance Directions to the entity-specific directions of November 2025.

The urgency was real. Indian banks were rapidly digitising — UPI launched in 2016, digital lending was accelerating, and core banking solutions were being rolled out to co-operative banks that had previously operated on manual ledgers. Every new digital channel was a new attack surface.

The 2016 Cyber Security Framework

The June 2016 circular mandated several structural requirements simultaneously. Banks had to establish a distinct cyber security policy, separate from their broader IT policy, because the threat landscape required dedicated attention:

"In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address / mitigate these risks." — Cyber Security Framework for Banks, Para 4

Banks were required to set up a Security Operations Centre for continuous real-time surveillance, appoint a Chief Information Security Officer at a senior enough level to have direct access to the Board, conduct regular vulnerability assessments and penetration testing, and establish a Cyber Crisis Management Plan addressing detection, response, recovery, and containment. The framework also tackled a behavioural problem — banks were reluctant to disclose incidents:

"It is observed that banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks." — Cyber Security Framework for Banks, Para 14

Mandatory incident reporting to the RBI followed. Banks were required to report all unusual cyber security incidents — whether successful or merely attempted — in a specified format.

The UCB Technology Push

For urban co-operative banks, the challenge was more fundamental. Many UCBs lacked even basic Core Banking Solutions when the cyber security framework was issued. The RBI had been pushing CBS adoption since March 2013, when it directed all UCBs to implement CBS — a prerequisite for everything from automated KYC compliance to real-time transaction monitoring. System audits by CISA-qualified auditors were mandated from December 2010. Business Continuity Planning and vulnerability assessment requirements followed in June 2013.

The link between technology infrastructure and fraud prevention became painfully clear with the PMC Bank collapse, where manual overrides in the CBS had been used to hide thousands of crore in fictitious loans. The RBI responded with a directive on system-based asset classification for UCBs in August 2020, mandating automated NPA classification through the CBS to eliminate the manual tampering that had enabled the fraud. The reason for making it system-based rather than policy-based was that PMC had demonstrated how easily manual processes could be overridden by determined insiders. That circular has since been superseded by the November 2025 entity-specific directions.

The November 2023 IT Governance Directions

In November 2023, the RBI issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (RBI/2023-24/107), applicable to scheduled commercial banks, small finance banks, payments banks, and large NBFCs. This replaced earlier piecemeal circulars with a comprehensive overhaul that went far beyond cyber security into the full IT governance stack: IT strategy committees at the Board level, IT steering committees in senior management, capacity management, change and patch management, cryptographic controls, disaster recovery, and audit trails.

The Direction also formalised the graded approach to technology regulation. The RBI recognised that a large private sector bank and a mid-size NBFC face different threat profiles and have different institutional capacities. The framework scales requirements accordingly — the baseline applies to everyone, but the depth of implementation expected from a systemically important bank is materially different from what is expected of a smaller entity.

Enforcement: The Cost of Non-Compliance

The RBI has not been hesitant about penalising technology and security failures. Yes Bank was penalised Rs 6 crore in October 2017 for, among other violations, delayed reporting of an information security incident involving its ATMs. Bajaj Finance was penalised Rs 2.50 crore in January 2021 for violations that included non-compliance with outsourcing risk management directions — a reminder that cyber security extends to the entire vendor and outsourcing chain, not just internal systems.

The Digital Payment Security Controls Direction (February 2021) added a payment-specific security layer covering internet banking, mobile payments, card transactions, and UPI — requiring multi-factor authentication, end-to-end encryption, and real-time fraud monitoring for every digital payment channel.

The November 2025 Integration

The November 2025 entity-specific directions completed the consolidation. Cyber security and IT governance provisions are now embedded directly into the regulatory framework for every entity type — commercial banks, NBFCs, UCBs, RRBs, small finance banks. Technology compliance is no longer a parallel track running alongside prudential regulation. It is woven into credit facilities directions, responsible business conduct directions, and governance directions for every supervised entity — because the RBI recognised that in a digitised banking system, technology failures are prudential failures.

The arc from the Gopalakrishna Committee's 2011 recommendations to the 2025 consolidation traces a regulatory philosophy in motion. What began as advisory guidance became a mandatory framework, then a standalone Master Direction, and finally an integrated component of entity-level supervision. The attack surface keeps expanding — digital lending, API-based banking, cloud infrastructure, AI-driven decisioning — and the regulatory architecture has had to expand with it.

Governing Master Directions:
- Master Direction on Digital Payment Security Controls (RBI_MD_12032)
- Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI_MD_12562)

Companion articles:
- How the RBI Protects Banks From Cyber Attacks
- The Rules Banks Must Follow When They Outsource

Last updated: April 2026

Written by Sushant Shukla