Money & Banking
RBI’s IT framework for NBFCs lacks clarity

There are around 11,338 non-deposit taking non-banking finance companies (NBFCs) registered in India. Out of this number, a small fraction, or about 239 NBFCs, are systemically important NBFCs. The Reserve Bank of India, (RBI) through its framework, is considering imposing mandatory provisions on larger NBFCs to enable their information technology (IT) systems to be in consonance with their size of operations.

However, for smaller NBFCs the intention of the RBI is not very clear. Though the section laying down the applicable guidelines for smaller NBFCs starts with the word ‘recommendation’, it is pertinent to note that the same has to be put in place by 30 September 2018. The subsequent lines of the Directions state that the NBFC ‘shall’ have a Board approved IT policy or information system policy, which makes it sound as a mandatory provision. In such a situation where formulation of the Policy seems mandatory, consequently the implementation also becomes compulsory. Hence, in our view the vague language of the Directions creates a confusion with regard to the nature of the compliance. It is expected that RBI will come up with some clarification in this regard to clear the air of doubt.
In the era of technology, IT aids plenty of resources to enhance the credit system of the country. Over the years, the NBFC sector has grown in size and complexity. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, business continuity planning (BCP), disaster recovery (DR) management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security, efficiency in processes leading to benefits for NBFCs and their customers, the Reserve Bank of India (RBI) has come up with the Master Direction - Information Technology Framework for the NBFC Sector (“Directions”) vide its notification number Master Direction DNBS.PPD.No.04/66.15.001/2016-17 dated 8 June 2017. These Directions have not just laid down a mere statement of good intentions but are largely focusing on implementing several operational requirements.


The directions have been categorised into two parts:

a. Directions applicable to all NBFCs with asset size above Rs500 crore (Considered Systemically Important) are provided in Section-A and
b. Directions for NBFCs with asset size below Rs 500 crore are provided in Section-B.

Timelines for Compliance

NBFCs- Systemically Important shall comply with the Master Directions by 30 June 2018 and other NBFCs (asset size below Rs500 crore) shall comply by 30 September 2018.
NBFCs may have already implemented or may be implementing some of the requirements indicated in the directions. Therefore, the NBFCs are now required to conduct a formal gap analysis between their current status and stipulations as laid out in the Directions and put in place a time-bound action plan to address the gap and comply with the guidelines laid therein. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions. Accordingly, NBFCs may place these directions before the Board, together with a gap-analysis vis-a-vis the Master Direction and the proposed action by 30 September 2017.

Section A: Systemically Important NBFCs i.e. with asset size below Rs500 crore

The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The Board has to take up the task of preparing the gap analysis before the end of third quarter; accordingly the background work for this has to be initiated at the earliest. For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:

1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.

2. Formation of Committees:
a. IT Strategy Committees

Chairman of the Committee: An independent director
Other Members: Chief Information Officers (CIOs) & Chief Technology Officers (CTOs)
Frequency of Meeting: An appropriate frequency with maximum gap of 6 months between two meetings

b. IT Steering Committees

operating at an executive level and focusing on priority setting, resource allocation and project tracking

3. Policies to the framed and implemented by the Board:
a. Information Technology Policy

The policy shall be in line with the organizational objectives
b. Information Security Policy

The IS Policy shall be based on the following principles: Confidentiality, Integrity, Availability and Authenticity
IS framework must be provided in the IS Policy

c. Cyber Security Policy

The policy shall elucidate the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk

d. Change Management Policy

The senior management shall ensure that the policy is being followed on an ongoing basis

e. Policy for Information System Audit (IS Audit)
IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.
f. Business Continuity Planning Policy
To minimise the operational, financial, legal, reputational and other material consequences arising from a disaster
4. Designate a senior executive as the Chief Information Officer or in-Charge of IT operations

5. Migrate to the IPv6 platform as per National Telecom Policy issued by the Government of India in 20121

6. Reporting requirement with RBI to be complied with.

7. Conduct of IS Audit to form an integral part of the Internal Audit system.

Section B: NBFCs with asset size below Rs500 crore

The RBI has laid down certain recommendations for NBFCs with smaller asset size to develop basic IT systems mainly for maintaining the database. The Action Points for such smaller NBFCs are as follows:

1. To have a Board approved Information Technology policy/Information system policy in place by 30 September 2018.
2. IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases.

Let us wait for the Reserve Bank to come up with some clarification on implementation of IT policy for smaller NBFCs, which will clear the air of doubt.

(Anita Baid works as Manager at Vinod Kothari & Co)


Modi to travel on Kochi Metro, Sreedharan excluded from dais
Prime Minister Narendra Modi will on Saturday travel on a Kochi Metro train when he inaugurates Kerala's first metro, it was announced on Wednesday. But "Metro man" E. Sreedharan has not been given a seat on the dais.
In the first 25-km phase, trains will run for 13 km between Palarivattom and Aluva. Work is on the remaining section.
Those on the dais will be Modi, Governor P. Sathasivam, Information and Broadcasting Minister M. Venkaiah Naidu and Chief Minister Pinarayi Vijayan.
Elias George, the Managing Director of Kochi Metro Rail Corp, told the media that the list of invitees to the dais was prepared and sent to the Prime Minister's Office. "The final list is made by the PMO. We have no role in this."
After hearing about the exclusion of Sreedharan, Chennithala and local legislator P.T.Thomas, Vijayan has written to the Prime Minister's office to include these three also.
But now Ernakulam Lok Sabha member K.V.Thomas, state Transport Minister Thomas Chandy and Kochi Mayor Soumini Jain have been allowed on the dais.
Sreedharan told reporters in Thiruvanthapuram that he is not aware of this issue but was not concerned by it.
"There is nothing untoward in this and I do not have any complaints. I am leaving for Kochi now and would take part in the inauguration," he said.
Among others who have been excluded from the dais are former Chief Minister Oommen Chandy.
Reacting to the exclusion of Sreedharan from the dais, P.T. Thomas said: "This shows the arrogance of the BJP.
"When the foundation stone for Kochi Metro was laid by then Prime Minister Manmohan Singh, none was left out from the dais. This is Kerala's dream project and key people behind this are now asked to sit in the audience. This is totally unfair."
Work on Kochi Metro began in 2012 after the Chandy government entrusted the project to Delhi Metro Rail Corp, with its principal advisor Sreedharan overseeing it.
Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.




2 weeks ago

Modi will take the credit of the Metro and plant the BJP seeds in the state of Kerala.
He never shies away when cutting a ribbon of a massive project.
He will start off in the local language as usual..

Govt says chiefs and members of regulatory bodies cannot have both salary and pension
The Indian government on Wednesday said that chairpersons and members of regulatory bodies cannot draw both salary and pension. After implementation of the seventh central pay commission report, pay and allowances of chairpersons and full-time members of several regulatory bodies have been de-linked from government salaries. 
According to Department of Personnel and Training (DoPT), in case such officers receive pension, then it will be deducted in accordance with the prevailing orders applicable to the re-employed pensioner. Their pay is governed by the orders issued by the Department of Expenditure. 
As per existing norms, chairpersons and members are deemed to have retired from central or state government service on the date of their appointment to any regulatory authority.
The pay and allowances of the chief and members of Telecom Regulatory Authority of India (TRAI), Insurance Regulatory and Development Authority (IRDA), Central Electricity Regulatory Commission (CERC), Securities and Exchange Board of India (SEBI) and Competition Commission of India (CCI), Pension Fund Regulatory and Development Authority (PFRDA), Petroleum and Natural Gas Regulatory Board (PNGRB), Warehousing Development and Regulatory Authority (WDRA), Airports Economic Regulatory Authority of India (AERAI), Railway Development Authority (RDA) and Insolvency and Bankruptcy Board of India (IBBI) have also been de-linked.
The directive comes as there have been complaints against chairpersons and members of a few regulatory bodies for receiving pension in addition to the salary.
"With the latest order, such persons will have to face a cut in their salary. The amount of pension will be deducted from their salary," an official from DoPT had said.
With respect to the existing members of the remaining regulatory bodies set up under the Acts of Parliament, the pay commission has recommended normal replacement pay.


We are listening!

Solve the equation and enter in the Captcha field.

To continue

Sign Up or Sign In


To continue

Sign Up or Sign In



The Scam
24 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
Moneylife Magazine
Fiercely independent and pro-consumer information on personal finance
Stockletters in 3 Flavours
Outstanding research that beats mutual funds year after year
MAS: Complete Online Financial Advisory
(Includes Moneylife Magazine and Lion Stockletter)