Reserve Bank of India IT Risk Management
The Reserve Bank of India's framework for IT Risk Management — codified across the Master Direction on IT Risk (April 2023), the Master Direction on Outsourcing of IT Services (April 2023), the Cyber Security Framework circulars, and earlier IT Examination Guidelines — defines the IT-asset-disposition expectation for regulated entities (banks, NBFCs, payment system operators). Maxicom engagements with Indian BFSI clients are structured to satisfy these directions in admissible form for RBI inspection, with per-asset certificates that match the RBI IT-Examination evidentiary standard.
What RBI IT Risk Master Direction expects at IT asset retirement
The Master Direction on IT Risk Management (April 2023) requires regulated entities to establish formal asset disposition processes covering: (1) inventory reconciliation at retirement; (2) data sanitisation matched to the asset class and data classification; (3) chain-of-custody from retirement to disposal; (4) auditable certificate of destruction; (5) retention of disposition records for the regulator-mandated period. Operationally, this maps cleanly to the Maxicom engagement model: pickup with signed manifest, NIST SP 800-88 Rev. 1 Purge or IEEE 2883-2022 Sanitize per media, per-asset Certificate of Destruction, 8-year retention in our compliance vault.
RBI Outsourcing Master Direction implications
The Master Direction on Outsourcing of IT Services (April 2023) governs the relationship between regulated entities and IT-service vendors — Maxicom included where we are the disposition vendor under contract. Key requirements: (1) due-diligence on the vendor before engagement; (2) board-approved outsourcing policy covering the engagement; (3) data-protection clauses in the contract; (4) right of audit by the regulated entity and by RBI; (5) exit clauses. Maxicom MSAs include all of these as standard. RBI inspection of a regulated entity's ITAD vendor is not routine but is contractually permitted; we cooperate fully where it occurs.
Cyber Security Framework — incident reporting obligations
The RBI Cyber Security Framework (June 2016, with subsequent updates) requires regulated entities to report certain cyber incidents to RBI. ITAD-relevant incidents (loss of data-bearing media, unauthorised disclosure from retired-asset data, gap in chain-of-custody) fall in scope. Maxicom's incident-response playbook coordinates with the customer's RBI reporting workflow including the Banking Ombudsman channel and the IT Examination cell.
Branch-network refresh under RBI
Indian BFSI runs the most disciplined branch-network refresh cycles in our pipeline — Tier-1 banks refresh laptop fleets across 3,000-5,000 sites on 3-year cycles, with stringent customer-PII destruction requirements. RBI inspection of a refresh engagement typically focuses on: (1) inventory completeness — every branch reconciled; (2) PII handling — customer-data-bearing drives separately tracked; (3) destruction trail — per-asset certificates retained; (4) settlement integrity — no off-book disposal, no unauthorised channel routing. Maxicom's programme-engagement model is purpose-built for this profile.
What RBI inspection actually checks
When RBI inspects a regulated entity's ITAD documentation, the four-criterion check is consistent: per-asset granularity, standard citation, verification evidence, chain-of-custody continuity. Maxicom certificates pass all four. Where the RBI inspection includes a site visit to the destruction facility, we accommodate it (with a standard NDA on the inspector side); facility audits are typically completed in 1-2 business days.
Authoritative references
Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.
Frequently asked questions
Are Maxicom certificates RBI-inspection-acceptable?
Yes. Per-asset granularity, NIST SP 800-88 / IEEE 2883 method citation, chain-of-custody reference, operator and witness signatures. We have served RBI inspections at multiple regulated-entity engagements without certificate findings.
Will RBI audit Maxicom directly?
RBI does not directly regulate ITAD vendors but has audit-of-vendor rights through the regulated entity's contract. We cooperate with RBI audit-of-vendor when invoked.
What is the certificate retention period RBI expects?
8 years for most BFSI engagements; longer where the entity's board-approved data retention policy specifies. Maxicom's default is 7 years, extended to 8+ on request.
Does RBI accept software Purge or do I need physical destruction?
RBI accepts NIST SP 800-88 Rev. 1 Purge for most data classifications. Physical destruction is typically expected for board-material drives, encryption key stores, and customer-PII at very high concentration. The board-approved IT-asset-disposal policy of the regulated entity sets the threshold; Maxicom executes accordingly.
How does RBI IT Risk relate to DPDPA 2023?
They compose. RBI IT Risk addresses the regulated-entity-specific operational discipline; DPDPA addresses the personal-data protection layer. A single Maxicom certificate satisfies both simultaneously.
Send the asset list. We will send the number.
A photograph of the rack works. A spreadsheet works better. INR settlement, against PO.