🧠 IT Regulatory Compliance in Banking
Rules, laws, guidelines, policies & standards that banks must follow to ensure secure, reliable, transparent, and risk-free use of IT systems.
Objectives
✔ Protect customer data & privacy
✔ Prevent fraud & cyber-attacks
✔ Ensure secure digital banking
✔ Maintain business continuity & resilience
✔ Strengthen RBI supervision & compliance
🧱 CHAPTER 1 — RBI IT Regulations & Guidelines
1️⃣ RBI Cyber Security Framework for Banks (Circular – 2 June 2016)
Applicability
👉 All Scheduled Commercial Banks (incl. Foreign bank branches in India)
Focus
🔑 Cyber Security + Cyber Resilience (not just IT security)
Mandatory Requirements
| Requirement | Explanation |
|---|---|
| Board-approved Cyber Security Policy | must align with bank’s IT & risk strategy |
| Cyber Crisis Management Plan (CCMP) | Detection → Response → Recovery → Containment → Communication |
| Cyber-SOC (Security Operations Centre) | 24×7 monitoring of logs, alerts & threats |
| Incident Reporting | All incidents (successful or attempted) must be reported to RBI within 2–6 hours |
Technical Controls Expected
- Baseline security for network, servers, applications & endpoints
- Strong access control (MFA, strong passwords, unique IDs)
- Periodic VAPT & Red Teaming
- DLP (Data Loss Prevention) + continuous log monitoring
📌 Key Exam Line:
Cyber Security Framework = Policy + CCMP + SOC + Reporting + VAPT
2️⃣ RBI Master Direction – IT Governance, Risk, Controls & Assurance (2023)
Scope
✔ Banks (except RRBs), Small Finance Banks, Payment Banks, Local-Area Banks, NBFCs
📅 Effective from 1 April 2024
Governance
| Body | Responsibility |
|---|---|
| Board / IT Strategy Committee | IT strategy, cybersecurity, projects, outsourcing |
| CIO / Head IT | Manages IT Operations |
| CISO (independent role) | Information security; reports directly to the Board / Board-level committee, not to the CIO |
IT Risk Requirements
- Formal IT Risk Framework (Identify → Assess → Mitigate → Monitor)
- Change Management – no unauthorized production changes
- Data Integrity Controls – no manual modification between systems
Assurance & Audit
- Independent IT / IS Audit
- Regular review: Access controls, logs, configurations, DR tests, vendors
Vendor / Source Code Requirements
| Requirement | Purpose |
|---|---|
| Own source code / Escrow | Control & security |
| Vendor certificate | No malware / vulnerabilities |
3️⃣ RBI Master Direction – Digital Payment Security Controls (DPSC), 2021
Who must comply?
Banks, Small Finance Banks, Payments Banks, Card issuers, UPI/IMPS operators, Wallets, PPIs
Objectives
🔐 Minimum security standards for internet/mobile banking, cards, wallets, UPI
Major Requirements
| Area | Requirement |
|---|---|
| Authentication | Strong Customer Authentication / Multi-factor |
| Application Security | Secure coding, reviews, security testing |
| Card Security | PCI-DSS compliance, Tokenization for stored cards |
| Fraud Management | Real-time monitoring, alerts, block rules |
4️⃣ RBI Guidelines – Outsourcing of IT Services (2023)
Purpose
To manage IT outsourcing risks (operational, cyber, legal, vendor failure risks)
Key Principles
- Bank remains responsible → Accountability cannot be outsourced
- Board-approved Outsourcing Policy
- Maintain central outsourcing register
Before Outsourcing
- Due diligence of vendor (financial, technical, security)
- Risk assessment & classification
Contract / SLA Minimum clauses
✔ Data confidentiality
✔ Right to audit by bank & RBI
✔ Breach notification rules
✔ Data deletion after exit
5️⃣ Storage of Payment System Data – Data Localisation (6 April 2018)
Core Rule
📍 All payment data must be stored only in India (end-to-end)
Examples of mandatory stored data
- Customer details (Name, mobile, Aadhaar, PAN)
- Account & transaction data
- Credentials (OTP, PIN, password)
If processed outside India
⏱ Must be brought back & stored in India within 24 hours
🚫 Must be deleted from foreign systems post-processing
📌 Exam Tip:
Data localisation = India-only storage + 24-hour return + deletion abroad
🔁 Memory Trick: 4 Pillars of IT Regulations — “COPS”
| Letter | Meaning |
|---|---|
| C | Cyber Security Framework (2016) |
| O | Outsourcing Guidelines (2023) |
| P | Payment Security (DPSC 2021) + Data Localisation 2018 |
| S | System-wide IT Governance Direction (2023) |
🧱 CHAPTER 2 — Cyber Security & Risk Controls in Banking
1️⃣ Cyber Security Basics
| Term | Meaning |
|---|---|
| Cyber Security | Protecting banking systems & data from cyber threats |
| Cyber Risk | Risk of financial loss, fraud, disruption |
🎯 CIA Triad = Confidentiality + Integrity + Availability
2️⃣ Key Cyber Threats
| Threat | Meaning | Example |
|---|---|---|
| Phishing | Fake emails | KYC update scam |
| Vishing / Smishing | Call / SMS fraud | Fake OTP call |
| Malware / Ransomware | Encrypt + lock | ATM switch locked |
| DDoS | Flood attack | UPI/IMPS downtime |
| MITM | Communication hijack | Public Wi-Fi |
| SQL Injection | Database attack | Login page hack |
| Data breach | Unauthorized data theft | Card data stolen |
3️⃣ Security Controls in Banks
🔐 Technical Controls
- Firewalls, WAF, IDS/IPS
- Encryption
- Endpoint security
- Tokenization
- Patch management, secure coding
👤 Access Control
- Least privilege, role-based access
- MFA
- Maker-Checker
- Periodic ID reviews
🛰 Monitoring
- 24×7 SOC (Security Operations Centre)
- SIEM log monitoring
- Real-time fraud detection
4️⃣ VAPT
| VA (Vulnerability Assessment) | PT (Penetration Testing) |
|---|---|
| Finds vulnerabilities | Tries to exploit them |
📌 Mandatory for CBS / UPI / ATM Switch / Mobile / Internet banking
5️⃣ BCP & DR
| Term | Meaning |
|---|---|
| BCP | Continue business during disruption |
| DR | Recover systems from backup |
RTO / RPO Standards
| System Type | RTO | RPO |
|---|---|---|
| Critical (CBS, UPI, Cards, IMPS) | 15–30 min | Near-zero (a few minutes) |
| High-priority | 1–4 hrs | Few hours |
| Non-critical (HR, Internal systems) | Up to 24 hrs | 24 hrs+ |
Cyber Crisis Management Plan (CCMP)
Incident response steps: Prepare → Detect → Contain → Recover → Report
Customer Protection
- SMS / Email alerts
- Zero liability if the customer reports promptly and there is no negligence on the customer's part
🔥 Most Important Quick Facts (Exam Favorite)
| Topic | Key Point |
|---|---|
| Incident Reporting to RBI | within 2–6 hours |
| SOC Mandatory | 24×7 |
| Tokenization | Replaces PAN |
| Data Localisation | India-only data storage |
| BCP + DR | Continuity + Recovery |
| ISO 27001 | Security certification |
🎯 Revision Mnemonics
| Topic | Trick |
|---|---|
| Defence Layers | PAM-SLED |
| Phishing types | V-SPEM |
| IT Regulations | COPS |
📌 One-Line Summary
Secure IT + Strong Governance + Rapid Reporting = IT Compliance in Banking
🎯 50 MCQs
🔹 CHAPTER 1: BASICS & LEGAL / REGULATORY FRAMEWORK (10 MCQs)
Q1. IT-specific regulatory compliance in Indian banks mainly aims at:
a) Increasing branch expansion only
b) Reducing staff strength
c) Ensuring secure, reliable and compliant use of technology in banking
d) Promoting cash transactions
Answer: c) Ensuring secure, reliable and compliant use of technology in banking
Explanation: IT compliance focuses on safe and regulated use of IT systems in banks. 👉 (HIGHLY IMPORTANT)
Q2. The primary regulator for IT-related guidelines for banks in India is:
a) SEBI
b) IRDAI
c) Reserve Bank of India (RBI)
d) Ministry of Corporate Affairs
Answer: c) Reserve Bank of India (RBI)
Explanation: RBI issues IT, cyber security, digital payment and outsourcing guidelines for banks. 👉 (HIGHLY IMPORTANT)
Q3. Which Act provides the legal framework for electronic records and cybercrime in India?
a) Companies Act, 2013
b) Banking Regulation Act, 1949
c) Information Technology Act, 2000 (and its amendments)
d) Payment and Settlement Systems Act, 2007
Answer: c) Information Technology Act, 2000 (and its amendments)
Explanation: IT Act, 2000 deals with e-records, digital signatures and cyber offences.
Q4. Which of the following is NOT a key objective of IT regulation in banks?
a) Protecting customer data
b) Ensuring business continuity
c) Preventing cyber fraud
d) Maximising bank’s speculative trading profits
Answer: d) Maximising bank’s speculative trading profits
Explanation: IT compliance is about risk control and protection, not speculation.
Q5. Which of the following best describes “IT Governance” in banks?
a) Only hardware purchasing
b) Framework to ensure IT supports business goals with proper control and accountability
c) Only software licensing
d) Only data backup
Answer: b) Framework to ensure IT supports business goals with proper control and accountability
Explanation: IT governance links IT strategy, risk and controls with business objectives.
Q6. Information Security in banks mainly focuses on:
a) Branch decoration
b) Confidentiality, Integrity and Availability (CIA) of information
c) ATM branding
d) Interest rate policies only
Answer: b) Confidentiality, Integrity and Availability (CIA) of information
Explanation: CIA triad is core to any information security program. 👉 (HIGHLY IMPORTANT)
Q7. The Payment and Settlement Systems Act mainly regulates:
a) Staff salary structure
b) Payment systems like NEFT, RTGS, UPI, cards etc.
c) Only mutual funds
d) Only cash transactions
Answer: b) Payment systems like NEFT, RTGS, UPI, cards etc.
Explanation: PSS Act regulates payment and settlement systems in India.
Q8. Which of these is a statutory obligation of banks regarding customer data?
a) Free Wi-Fi at all branches
b) Protecting customer information from unauthorised access or disclosure
c) Publishing customer details online
d) Sharing data with any third party on demand
Answer: b) Protecting customer information from unauthorised access or disclosure
Explanation: Privacy and data protection are central compliance requirements.
Q9. IT policy in banks is usually approved by:
a) Watchman
b) System Administrator
c) IT vendor
d) Board of Directors or a Board-level committee
Answer: d) Board of Directors or a Board-level committee
Explanation: IT is a strategic area; Board oversight is mandatory.
Q10. Which international standard is widely used as a benchmark for Information Security Management Systems (ISMS) in banks?
a) ISO 9001
b) ISO/IEC 27001
c) ISO 14001
d) ISO 50001
Answer: b) ISO/IEC 27001
Explanation: ISO 27001 focuses on information security management. 👉 (HIGHLY IMPORTANT)
🔹 CHAPTER 2: IT GOVERNANCE, RISK, CYBER SECURITY & BCP/DR (15 MCQs)
Q11. A Security Operations Centre (SOC) in a bank is primarily responsible for:
a) Loan sanctioning
b) Monitoring and responding to security events in IT systems
c) Customer relationship management
d) Branch expansion planning
Answer: b) Monitoring and responding to security events in IT systems
Explanation: SOC continuously monitors logs, alerts and threats.
Q12. Cyber Security Framework for banks issued by RBI requires:
a) Only antivirus installation
b) Only CCTV installation
c) A Board-approved Cyber Security Policy and Cyber Crisis Management Plan
d) Only password change policy
Answer: c) A Board-approved Cyber Security Policy and Cyber Crisis Management Plan
Explanation: Policy & crisis plan are mandatory components of the framework. 👉 (HIGHLY IMPORTANT)
Q13. Business Continuity Plan (BCP) in banks is intended to:
a) Increase interest rates
b) Ensure critical operations continue during and after disruptions
c) Merge branches
d) Replace staff periodically
Answer: b) Ensure critical operations continue during and after disruptions
Explanation: BCP is about resilience and continuity of services.
Q14. Disaster Recovery (DR) site is:
a) Extra parking space
b) Alternative data centre used when primary site fails
c) A type of insurance policy
d) Training centre for staff
Answer: b) Alternative data centre used when primary site fails
Explanation: DR site helps quickly restore IT services after failure.
Q15. Which of the following best describes Vulnerability Assessment and Penetration Testing (VAPT)?
a) HR performance review
b) Identifying and testing security weaknesses in systems and applications
c) Office infrastructure planning
d) Testing new branch layouts
Answer: b) Identifying and testing security weaknesses in systems and applications
Explanation: VAPT helps find and fix security gaps before attackers exploit them. 👉 (HIGHLY IMPORTANT)
Q16. Which principle is essential for access control in banks’ IT systems?
a) Last-in-first-out
b) Least privilege
c) Unlimited access
d) Random selection
Answer: b) Least privilege
Explanation: Users get only the minimum access required to perform their job.
Q17. In IT risk management, “segregation of duties” helps to:
a) Increase overtime
b) Improve interior design
c) Reduce fraud and errors by dividing critical tasks
d) Reduce teamwork
Answer: c) Reduce fraud and errors by dividing critical tasks
Explanation: Maker–checker separation is a classic control.
Q18. Which of the following is a typical Key Risk Indicator (KRI) in IT security?
a) Number of savings accounts opened
b) Volume of term deposits
c) Number of critical vulnerabilities found in VAPT
d) Average queue time at counters
Answer: c) Number of critical vulnerabilities found in VAPT
Explanation: KRIs highlight areas of potential IT risk exposure.
Q19. Multi-Factor Authentication (MFA) is used in digital banking mainly to:
a) Speed up printing
b) Reduce SMS cost
c) Provide additional security by requiring more than one verification factor
d) Avoid passwords
Answer: c) Provide additional security by requiring more than one verification factor
Explanation: Example: password + OTP + biometric. 👉 (HIGHLY IMPORTANT)
Q20. Which of the following is an example of a “logical access control” in banks?
a) Guard at branch gate
b) User ID and password for CBS login
c) CCTV camera
d) Fire extinguisher
Answer: b) User ID and password for CBS login
Explanation: Logical access relates to control of system access.
Q21. In cyber security, “phishing” mainly refers to:
a) Physical theft of hardware
b) Fraudulent attempts to obtain sensitive information via fake emails/links
c) Server patching
d) Offsite backup
Answer: b) Fraudulent attempts to obtain sensitive information via fake emails/links
Explanation: Phishing is a major cyber risk for customers and staff.
Q22. Who is ultimately responsible for cyber security in a bank?
a) SOC analyst
b) IT vendor
c) Board of Directors and Top Management
d) Only CISO
Answer: c) Board of Directors and Top Management
Explanation: Accountability lies at the highest governance level. 👉 (HIGHLY IMPORTANT)
Q23. A Cyber Crisis Management Plan (CCMP) in banks is used for:
a) Printing passbooks
b) Responding to and recovering from major cyber incidents
c) Managing HR disputes
d) Planning new products
Answer: b) Responding to and recovering from major cyber incidents
Explanation: CCMP defines roles, steps and communication during a cyber crisis.
Q24. Encryption in digital banking is mainly used to:
a) Compress files
b) Protect data confidentiality during storage and transmission
c) Clean databases
d) Randomise account numbers
Answer: b) Protect data confidentiality during storage and transmission
Explanation: Encryption scrambles data so that only authorised parties can read it.
Q25. Regular patch management in IT systems is essential to:
a) Increase hardware cost
b) Fix security vulnerabilities and software bugs
c) Reset user passwords
d) Upgrade office furniture
Answer: b) Fix security vulnerabilities and software bugs
Explanation: Unpatched systems are a major source of cyber risk.
🔹 CHAPTER 3: DIGITAL PAYMENTS, CUSTOMER PROTECTION & APPLICATIONS (15 MCQs)
Q26. Which RBI document lays down security controls for internet banking, mobile banking and card-based payments?
a) Basel III Guidelines
b) Master Direction on Digital Payment Security Controls
c) FEMA regulations
d) SARFAESI Act
Answer: b) Master Direction on Digital Payment Security Controls
Explanation: This direction prescribes security requirements for digital payment channels. 👉 (HIGHLY IMPORTANT)
Q27. Tokenisation of card data means:
a) Printing card numbers on receipts
b) Replacing actual card number with a unique alternate code (token)
c) Deleting card number from all systems
d) Linking card with PAN card
Answer: b) Replacing actual card number with a unique alternate code (token)
Explanation: Tokenisation reduces risk of card data theft during transactions.
Q28. For UPI transactions, customer authentication is generally done using:
a) Signature on paper
b) Just mobile number
c) UPI PIN and device binding
d) Only Aadhaar number
Answer: c) UPI PIN and device binding
Explanation: UPI combines registered device + UPI PIN for security.
Q29. Which of the following is an example of strong customer authentication?
a) Username only
b) ATM card alone
c) Card + PIN + OTP
d) Date of birth only
Answer: c) Card + PIN + OTP
Explanation: Combination of more than one factor improves security.
Q30. In case of unauthorised electronic transactions, customer liability guidelines are issued by:
a) IRDAI
b) SEBI
c) RBI
d) Ministry of Home Affairs
Answer: c) RBI
Explanation: RBI guidelines define zero / limited liability conditions for customers. 👉 (HIGHLY IMPORTANT)
Q31. Which is the correct approach for banks to handle customer complaints of digital fraud?
a) Ignore and close
b) Register complaint, block channels, investigate and credit as per RBI liability norms
c) Block only for 1 hour
d) Share OTP publicly
Answer: b) Register complaint, block channels, investigate and credit as per RBI liability norms
Explanation: Banks must follow defined grievance and compensation framework.
Q32. NPCI (National Payments Corporation of India) primarily functions as:
a) Bank regulator
b) Retail payments system operator (UPI, IMPS, RuPay etc.)
c) Insurance company
d) Stock market regulator
Answer: b) Retail payments system operator (UPI, IMPS, RuPay etc.)
Explanation: NPCI builds and operates national retail payment systems.
Q33. AEPS (Aadhaar Enabled Payment System) uses which factor for customer authentication?
a) PIN only
b) Card only
c) Aadhaar number + biometric authentication
d) Cheque leaf
Answer: c) Aadhaar number + biometric authentication
Explanation: AEPS allows basic transactions using Aadhaar + fingerprint/iris.
Q34. Which technology feature helps monitor online transactions for fraud in real time?
a) Word processor
b) Fraud Detection Engine integrated with payment switch
c) Printer
d) Spreadsheet
Answer: b) Fraud Detection Engine integrated with payment switch
Explanation: FDE flags suspicious transactions using rules and analytics.
Q35. RBI expects banks to send SMS/e-mail alerts for:
a) Only deposits
b) All electronic/ATM card transactions and major changes in account
c) Only government accounts
d) No digital alerts
Answer: b) All electronic/ATM card transactions and major changes in account
Explanation: Alerts help customers detect unauthorised activity quickly.
Q36. In net banking, session timeout is a control used to:
a) Slow down system
b) Log out inactive users to prevent misuse
c) Increase advertising time
d) Extend transaction time
Answer: b) Log out inactive users to prevent misuse
Explanation: It reduces risk if customer leaves system unattended.
Q37. Which of the following is a compliance requirement for mobile banking apps of banks?
a) No encryption needed
b) Use of default passwords
c) Secure coding, encryption, app hardening and regular security testing
d) Unlimited root access to users
Answer: c) Secure coding, encryption, app hardening and regular security testing
Explanation: RBI insists on secure development and testing practices.
Q38. Digital Rupee (CBDC) issued by RBI is expected to:
a) Be fully anonymous without any records
b) Provide secure, traceable digital legal tender
c) Replace all banks
d) Only work offline
Answer: b) Provide secure, traceable digital legal tender
Explanation: CBDC combines legal tender status with digital features and compliance. 👉 (HIGHLY IMPORTANT)
Q39. In case of electronic funds transfer disputes (NEFT/RTGS), which mechanism helps speedy resolution?
a) Lok Adalat
b) RBI’s directions on failed/returned transactions and nodal officers
c) Income Tax Act
d) FEMA alone
Answer: b) RBI’s directions on failed/returned transactions and nodal officers
Explanation: RBI defines timelines and responsibilities for such complaints.
Q40. In Internet Banking, HTTPS protocol ensures:
a) Faster download only
b) Encrypted and secure connection between browser and server
c) No need of passwords
d) Unlimited bandwidth
Answer: b) Encrypted and secure connection between browser and server
Explanation: HTTPS uses SSL/TLS to encrypt data in transit.
🔹 CHAPTER 4: OUTSOURCING, DATA PROTECTION & NEW TECHNOLOGIES (10 MCQs)
Q41. As per RBI’s IT outsourcing guidelines, who is ultimately responsible for outsourced activities?
a) Service provider
b) Outsourcing consultant
c) The bank itself
d) Software vendor
Answer: c) The bank itself
Explanation: Responsibility for compliance and customer protection cannot be outsourced. 👉 (HIGHLY IMPORTANT)
Q42. Before outsourcing critical IT functions, banks must:
a) Only negotiate price
b) Conduct due diligence and risk assessment of the service provider
c) Ask for brand promotion
d) Ignore security terms
Answer: b) Conduct due diligence and risk assessment of the service provider
Explanation: Banks must ensure capability, security and reliability of vendors.
Q43. Service Level Agreements (SLAs) in IT outsourcing should clearly define:
a) Only vendor profits
b) Office layout
c) Performance levels, security requirements, incident handling and penalties
d) Festival bonuses
Answer: c) Performance levels, security requirements, incident handling and penalties
Explanation: SLAs formalise expectations and responsibilities.
Q44. Data localisation requirements for payment data in India generally mandate:
a) Storage of data outside India only
b) Storage of full end-to-end payment data within India
c) Storage only in cloud outside India
d) Only partial storage in India
Answer: b) Storage of full end-to-end payment data within India
Explanation: RBI directed that payment system data be stored in India for supervision and security.
Q45. While using cloud services, banks must ensure:
a) Only low price
b) Data security, regulatory compliance and ability to access logs/audit trails
c) No encryption
d) No contracts
Answer: b) Data security, regulatory compliance and ability to access logs/audit trails
Explanation: Cloud usage does not dilute regulatory expectations.
Q46. In fintech partnerships (e.g., for UPI/loan apps), banks must:
a) Let fintech fully control compliance
b) Use fintech logo only
c) Ensure partner complies with RBI norms and protect customers
d) Ignore data sharing issues
Answer: c) Ensure partner complies with RBI norms and protect customers
Explanation: Banks remain responsible for regulated activities done via partners.
Q47. Data retention policies in banks should be:
a) Random and undocumented
b) As per regulatory requirements, business needs and privacy norms
c) Based only on vendor advice
d) Fixed to 1 month always
Answer: b) As per regulatory requirements, business needs and privacy norms
Explanation: Records must be retained for minimum mandated periods securely.
Q48. Which of the following is a major risk in IT outsourcing if not properly managed?
a) More in-house skills
b) Dependence on vendor and possible service disruption or data misuse
c) Lower security costs
d) Better control
Answer: b) Dependence on vendor and possible service disruption or data misuse
Explanation: Concentration and data risks are key outsourcing concerns.
Q49. When using emerging technologies like AI/ML in credit or fraud models, banks must:
a) Ignore model risk
b) Ensure fairness, explainability, data security and regulatory compliance
c) Use only foreign data
d) Avoid documentation
Answer: b) Ensure fairness, explainability, data security and regulatory compliance
Explanation: Model governance is an important part of IT risk management.
Q50. The main purpose of periodic IT audit in banks is to:
a) Improve décor
b) Evaluate effectiveness of IT controls, security and regulatory compliance
c) Reduce staff
d) Decide interest rates
Answer: b) Evaluate effectiveness of IT controls, security and regulatory compliance
Explanation: IT audit provides independent assurance on IT risk and compliance posture. 👉 (HIGHLY IMPORTANT)
