We had mentioned in Tuesday’s closing report that Nifty, Sensex were headed lower. The major indices of the Indian stock markets were range-bound on Wednesday and closed with minor gains over Tuesday’s close. The trends of the major indices in the course of Wednesday’s trading are given in the table below:
There are around 11,338 non-deposit taking non-banking finance companies (NBFCs) registered in India. Out of this number, a small fraction, or about 239 NBFCs, are systemically important NBFCs. The Reserve Bank of India, (RBI) through its framework, is considering imposing mandatory provisions on larger NBFCs to enable their information technology (IT) systems to be in consonance with their size of operations.
However, for smaller NBFCs the intention of the RBI is not very clear. Though the section laying down the applicable guidelines for smaller NBFCs starts with the word ‘recommendation’, it is pertinent to note that the same has to be put in place by 30 September 2018. The subsequent lines of the Directions state that the NBFC ‘shall’ have a Board approved IT policy or information system policy, which makes it sound as a mandatory provision. In such a situation where formulation of the Policy seems mandatory, consequently the implementation also becomes compulsory. Hence, in our view the vague language of the Directions creates a confusion with regard to the nature of the compliance. It is expected that RBI will come up with some clarification in this regard to clear the air of doubt.
In the era of technology, IT aids plenty of resources to enhance the credit system of the country. Over the years, the NBFC sector has grown in size and complexity. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, business continuity planning (BCP), disaster recovery (DR) management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security, efficiency in processes leading to benefits for NBFCs and their customers, the Reserve Bank of India (RBI) has come up with the Master Direction - Information Technology Framework for the NBFC Sector (“Directions”) vide its notification number Master Direction DNBS.PPD.No.04/66.15.001/2016-17 dated 8 June 2017. These Directions have not just laid down a mere statement of good intentions but are largely focusing on implementing several operational requirements.
The directions have been categorised into two parts:
a. Directions applicable to all NBFCs with asset size above Rs500 crore (Considered Systemically Important) are provided in Section-A and
b. Directions for NBFCs with asset size below Rs 500 crore are provided in Section-B.
Timelines for Compliance
NBFCs- Systemically Important shall comply with the Master Directions by 30 June 2018 and other NBFCs (asset size below Rs500 crore) shall comply by 30 September 2018.
NBFCs may have already implemented or may be implementing some of the requirements indicated in the directions. Therefore, the NBFCs are now required to conduct a formal gap analysis between their current status and stipulations as laid out in the Directions and put in place a time-bound action plan to address the gap and comply with the guidelines laid therein. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions. Accordingly, NBFCs may place these directions before the Board, together with a gap-analysis vis-a-vis the Master Direction and the proposed action by 30 September 2017.
Section A: Systemically Important NBFCs i.e. with asset size below Rs500 crore
The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The Board has to take up the task of preparing the gap analysis before the end of third quarter; accordingly the background work for this has to be initiated at the earliest. For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:
1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.
2. Formation of Committees:
a. IT Strategy Committees
Chairman of the Committee: An independent director
Other Members: Chief Information Officers (CIOs) & Chief Technology Officers (CTOs)
Frequency of Meeting: An appropriate frequency with maximum gap of 6 months between two meetings
b. IT Steering Committees
operating at an executive level and focusing on priority setting, resource allocation and project tracking
3. Policies to the framed and implemented by the Board:
a. Information Technology Policy
The policy shall be in line with the organizational objectives
b. Information Security Policy
The IS Policy shall be based on the following principles: Confidentiality, Integrity, Availability and Authenticity
IS framework must be provided in the IS Policy
c. Cyber Security Policy
The policy shall elucidate the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk
d. Change Management Policy
The senior management shall ensure that the policy is being followed on an ongoing basis
e. Policy for Information System Audit (IS Audit)
IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.
f. Business Continuity Planning Policy
To minimise the operational, financial, legal, reputational and other material consequences arising from a disaster
4. Designate a senior executive as the Chief Information Officer or in-Charge of IT operations
5. Migrate to the IPv6 platform as per National Telecom Policy issued by the Government of India in 20121
6. Reporting requirement with RBI to be complied with.
7. Conduct of IS Audit to form an integral part of the Internal Audit system.
Section B: NBFCs with asset size below Rs500 crore
The RBI has laid down certain recommendations for NBFCs with smaller asset size to develop basic IT systems mainly for maintaining the database. The Action Points for such smaller NBFCs are as follows:
1. To have a Board approved Information Technology policy/Information system policy in place by 30 September 2018.
2. IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases.
Let us wait for the Reserve Bank to come up with some clarification on implementation of IT policy for smaller NBFCs, which will clear the air of doubt.
(Anita Baid works as Manager at Vinod Kothari & Co)