Circular RBI/2010-11/494

RBI Issues Final Guidelines on IT Security and Cyber Fraud for Banks

Status: in force. No withdrawal recorded as of 20 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
Issued by RBI: 29 Apr 2011  ·  Decoded by BankPulse: 20 Jun 2026, 10:00 IST
Quick answer

RBI has issued final guidelines based on the report of the Working Group chaired by G. Gopalakrishna on information security, electronic banking, technology risk management and cyber frauds. Banks must conduct a gap analysis against the guidelines and implement risk-based measures commensurate with their use of technology, under a time-bound action plan.

What changed

RBI released final guidelines based on the report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. They cover nine areas: IT governance, information security, IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer education and awareness, and legal issues. The guidelines are risk-based rather than one-size-fits-all: each bank must perform a formal gap analysis of its current state against the stipulations and draw up a time-bound action plan to close the gaps. Where a new stipulation directly conflicts with an earlier RBI guideline, the new one prevails; where there is no conflict, the earlier guidelines continue to apply alongside the new ones.

What it means for you

Banks must now systematically assess their current IT security posture against these RBI stipulations and address the gaps within a defined timeline. Under the risk-based approach, a bank with limited technology use may not need every measure (for instance, measures tied to a facility it does not offer), while a technology-intensive bank must implement the full set. The gap analysis itself is not optional for anyone: the risk-based qualification narrows which measures apply, not whether the assessment is done. Expect higher compliance costs and a need for dedicated project management of the resulting IT security upgrades.

What you must do

Conduct a formal gap analysis comparing your current IT governance, information security, IS audit, IT operations, outsourcing, cyber fraud, business continuity, customer awareness and legal arrangements against each of the nine areas in the guidelines. Record which stipulations apply to your bank given the technology and facilities you actually use, and why any stipulation is treated as not applicable. Prepare a time-bound action plan for the gaps identified and track it to completion. Where an earlier RBI guideline directly conflicts with the new one, follow the new one; otherwise keep complying with both. Where you rely on a technology not named in the guidelines, keep the evaluation showing it is equivalent or better.

Who it affects

All scheduled commercial banks (excluding RRBs); IT and information security teams; internal audit and compliance departments; senior management and boards of directors; vendors providing IT services to banks.

Do these guidelines apply to all banks uniformly?

No. The guidelines are risk-based, not one-size-fits-all. A bank with extensive technology use must implement all the stipulations, while a bank with limited technology leverage need implement only the measures relevant to it. For example, a bank that does not offer transactional internet banking need not implement the measures specific to that facility. Every bank must still perform the gap analysis that establishes which measures apply.

What should we do if we have already implemented some of these measures?

You must still conduct a formal gap analysis comparing your current status with the new guidelines; measures already in place are recorded in that analysis rather than assumed to be sufficient. Where a new stipulation directly conflicts with an earlier RBI guideline, the new one takes precedence. Otherwise the earlier guidelines continue to apply alongside the new ones.

Are we allowed to use alternative technologies not mentioned in the guidelines?

Yes. The guidelines are technology neutral except where a specific technology is legally required or is recommended for enhanced security. A bank may adopt an equivalent or better technology after a diligent evaluation, and should be able to show that evaluation when asked.

AI-drafted, fact-checked by a three-model AI consensus, under the editorial review of Vikram Jain; decoded and published by BankPulse, 20 Jun 2026, 10:00 IST.
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=6366&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.