1.2. IT Strategy Committee

UCBs may consider setting up a Board-level IT Strategy Committee with a minimum of two directors as members, one of whom should be a professional director.

For this purpose, NBFCs should develop, with the approval of their Board, a Change Management Policy that encompasses the following: prioritizing and responding to change proposals from business.

The reports to be submitted by authorised PAs are listed in Annex 3.

‘Ts’ – date of intimation by the merchant to the intermediary about shipment of goods.

There should be the right mix of skills and understanding of legal and regulatory requirements so as to assess the efficacy of the framework vis-à-vis these standards.

This shall be implemented by the bank either with the in-house team managing the infrastructure or through the service provider if the infrastructure is hosted at a shared location at the service provider’s end.

6.2 Recovery strategy / Contingency Plan

NBFCs shall try to fully understand the vulnerabilities associated with the interrelationships between various systems, departments and business processes.

11.2. Information on other charges such as convenience fee, handling fee, etc., if any, being levied shall also be displayed upfront by the PA.

12.2. Recommendations for NBFCs with asset size below ₹ 500 crore

b) Payment to any other account on specific directions from the merchant.

This shall enable sharing of data across applications and systems, promote a common understanding of data across IT and business users and prevent the creation of incompatible data elements. Detailed guidelines to this end are appended.

The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of the digital product offerings of banks.

4.3 IT Enabled Management Information System
The IT systems shall have:
Basic security aspects such as physical/logical access controls and a well-defined password policy;
A maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
Requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates as indicated in para 3.18, 3.10 & 3.11 above;
System-generated reports for Top Management summarising the financial position, including operating and non-operating revenues and expenses, cost-benefit analysis of segments/verticals, cost of funds, etc.

The Memorandum of Association (MoA) of the applicant entity must cover the proposed activity of operating as a PA.

Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on a Tp+0 / Tp+1 basis.

Indicative baseline technology-related recommendations for adoption by the PAs (mandatory) and PGs (recommended) are:

The requirements for the entities in respect of IT systems and security are presented below:

3.1 The IS Policy must provide for an IS framework with the following basic tenets: Identification and Classification of Information Assets.

4.5 MIS for Supervisory requirements - The MIS that helps management in taking strategic decisions shall also assist in generating the required information/returns for the supervisor.

Develop a comprehensive set of metrics that provides for prospective and retrospective measures, like key performance indicators and key risk indicators.

In exercise of the powers conferred in terms of clause (b) of sub-section (1) of Section 45-L of the Reserve Bank of India Act, 1934 (Act 2 of 1934), the Reserve Bank of India, being satisfied that for the purpose of enabling it to regulate the credit system of the country to its advantage it is necessary so to do, hereby issues the Master Directions - Information Technology Framework for the NBFC Sector, 2017 hereinafter specified.
3 These controls are applicable to UCBs that are developing application software (e.g. a core banking solution) themselves or through their subsidiaries.

Board members may be sensitised periodically on various technological developments and cyber security related developments.

d) Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

For technology outsourcing, the requisite audit trails and logs for administrative activities should be retained and accessible to the NBFC based on approved requests.

In the case of a bank PG, the guidelines issued by the Reserve Bank of India, Department of Regulation (DoR), vide circular No.DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006 on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” and other follow-up circular(s) shall also be applicable.

It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database.

Extract from the fifth Bi-monthly Monetary Policy Statement, 2019-20 announced on December 05, 2019

In the processing of an online transaction the following timelines are involved: ‘Tp’ – date of charge / debit to the customer’s account against the purchase of goods / services.

NBFCs should adopt a Board-approved BCP Policy.

PAs shall submit the System Audit Report, including the cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.

A good MIS should take care of information needs at all levels in the business, including top management.
The UCB shall have a Board-approved IT-related strategy and policies covering areas such as:
Existing and proposed hardware and networking architecture for the UCB and its rationale;
Standards for hardware or software prescribed by the proposed architecture;
Strategy for outsourcing, in-sourcing, procuring off-the-shelf software, and in-house development;
Desired number and level of IT expertise or competencies in the UCB's human resources, the plan to bridge the gap (if any) and requirements relating to training and development;
Strategy for keeping abreast of technology developments and updating systems as and when required.

Disable remote connections from outside machines to the network hosting critical payment infrastructure (e.g. RTGS/NEFT, ATM Switch, SWIFT Interface).

Implement centralised policies through Active Directory or endpoint management systems to whitelist/blacklist/restrict removable media use.

The same shall be reported immediately to the DPSS, RBI, Central Office, Mumbai.

The complaint facility, if made available on website / mobile, shall be clearly and easily accessible.

The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of the governance framework.

Third step is to look at deep packet inspection approaches.

8.1 IT Systems should be progressively scaled up as the size and complexity of the NBFC’s operations increase.

System-enabled identification and classification of Special Mention Accounts and NPAs, as well as generation of MIS reports in this regard.

Ensure the software integrity of the ATM Switch/SWIFT related applications.

d) Payment of commission to the intermediaries.

UCBs having at least one of the criteria given below:

Additional controls include Advanced Real-time Threat Defence and Management, and risk-based transaction monitoring.
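As an added example (not part of the RBI text and not any bank's or vendor's tooling): one way to operationalise the software-integrity requirement for hosts such as an ATM switch or SWIFT interface is a SHA-256 baseline of the application tree, built from a known-good install, stored or signed off the host, and re-verified on a schedule or before each start. The install root, file names and file contents below are constructed for the demonstration; the tampering step is simulated in the same way.

```python
"""File-integrity baseline and verification for a critical application tree.

Added example, not part of the RBI text. Everything under demo() is
constructed sample data (a hypothetical "switch_app" install).
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: Path):
    """Walk root without following symlinks.

    Returns ({relative_posix_path: sha256}, [relative paths of symlinks]).
    Symlinks are never hashed through: a link pointing at a good copy must
    not be able to stand in for a replaced file, so they are reported apart.
    """
    hashes, symlinks = {}, []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        filenames.sort()
        base = Path(dirpath)
        for name in dirnames + filenames:
            p = base / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                symlinks.append(rel)
            elif p.is_file():
                hashes[rel] = sha256_file(p)
    return hashes, symlinks


def build_manifest(root: Path) -> dict:
    """Baseline of a known-good install: every regular file and its SHA-256."""
    hashes, _ = scan(root)
    return hashes


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON form of the manifest. This is the value to
    sign or record off-host: a manifest writable by the same account that can
    replace the binaries protects nothing."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the baseline and classify every difference."""
    current, symlinks = scan(root)
    modified = [f for f in sorted(manifest) if f in current and current[f] != manifest[f]]
    missing = [f for f in sorted(manifest) if f not in current]
    unexpected = sorted([f for f in current if f not in manifest] + symlinks)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo():
    """Build a constructed application tree, baseline it, tamper with it, and
    return (report_before_tampering, report_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "switch_app"  # hypothetical install root
        for sub in ("bin", "conf", "keys"):
            (root / sub).mkdir(parents=True)
        (root / "bin" / "switchd").write_bytes(b"\x7fELF constructed sample binary")
        (root / "conf" / "routing.cfg").write_text("bin=ATM01\nhost=10.0.0.5\n")
        (root / "keys" / "hsm.pem").write_text("constructed placeholder, not a key\n")

        baseline = build_manifest(root)
        clean = verify(root, baseline)

        # Simulated tampering: config edited, library dropped in, key removed,
        # and (where the platform permits) a symlink planted.
        (root / "conf" / "routing.cfg").write_text("bin=ATM01\nhost=203.0.113.9\n")
        (root / "bin" / "helper.so").write_bytes(b"constructed dropped library")
        (root / "keys" / "hsm.pem").unlink()
        try:
            os.symlink(root / "bin" / "switchd", root / "bin" / "switchd.orig")
        except OSError:
            pass  # symlink creation may need privileges on Windows
        tampered = verify(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("baseline ok:", before["ok"])
    print("after tampering:", json.dumps(after, indent=2))
```

Two caveats a reviewer of such a control would look for: the baseline (or at least its digest) must live where the application's service account cannot write, otherwise a compromise replaces binaries and manifest together; and a file-level check says nothing about what was patched in memory after start, so it complements rather than replaces host monitoring and the penetration testing the text calls for.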
(PCB).MC.No.3/12.05.001/2015-16 Master Circular dated July 1, 2015, all UCBs have been advised to set up an Audit Committee of the Board (ACB) at the Board level.

Penetration testing of public-facing systems as well as other critical applications is to be carried out by professionally qualified teams.