RBI’s Cybersecurity Framework: What Banks Need to Know About Password Security
India’s banking sector handles a vast and growing volume of sensitive financial data, and that makes it a consistent target for attackers. The Reserve Bank of India (RBI) recognized this and issued a series of cybersecurity circulars requiring banks to get their defenses in order. If you’re responsible for IT security at a regulated bank, here’s what the framework demands and what a compliant password policy actually looks like.
Who does it apply to?
The RBI’s cybersecurity framework (circular RBI/2015-16/418, issued June 2, 2016) applies to all scheduled commercial banks operating in India: nationalized banks, private banks, and foreign banks alike. One notable structural requirement is that IT operations and IT security must function as two separate teams, giving cybersecurity its own dedicated oversight rather than being absorbed into general IT management.
Why it matters
The RBI has been direct about why this framework exists: as banks have adopted more technology, the number and impact of cyber incidents have increased significantly, particularly in the financial sector. The framework isn’t just a compliance checkbox; it’s a response to real attacks on banking infrastructure, many of which succeeded because of weak access controls, inadequate authentication, and unmonitored privileged accounts.
The consequences of falling short go beyond fines. In April 2024, the RBI barred Kotak Mahindra Bank from onboarding new customers through its online and mobile banking channels and from issuing new credit cards with immediate effect. The RBI’s own statement cited specific deficiencies in user access management, data security, patch management, and IT risk governance across two consecutive years of inspections. The bank’s share price dropped over 10% the same day. The restrictions weren’t lifted until February 2025, after the bank completed a full external audit to the RBI’s satisfaction.
The framework also requires banks to report any unusual cyber incident to the RBI within two to six hours of discovery: a tight window that demands mature detection and response capabilities.
What the framework mandates
The RBI circular sets out 23 baseline controls covering everything from network security and patch management to anti-phishing and customer education. For IT admins focused on access control, the most relevant section is Baseline Control 8: User Access Control and Management.
Within that, the key password-related requirements are:
- 8.4 — Centralized authentication and strong password policy: Banks must implement centralized authentication and authorization for all systems (applications, operating systems, databases, network devices, and remote connections). This explicitly includes enforcing a strong password policy, multi-factor authentication (MFA) where risk assessment warrants it, the principle of least privilege, and separation of duties.
- 8.6 — Minimize invalid logons and deactivate dormant accounts: Banks must have controls in place to limit invalid login attempts and ensure dormant accounts are identified and deactivated. Unmonitored accounts left active are a well-known attack vector.
- 8.7 — Monitor abnormal logon patterns: Banks must detect and act on unusual changes in login behavior — a clear signal that anomaly detection and logging need to be in place.
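Controls 8.6 and 8.7 are easier to reason about as concrete detection logic. The script below is an added example, not code from the original post or from Specops, and it runs over a constructed set of logon records rather than real Active Directory or SIEM data. The thresholds (five failures in 15 minutes, 45 days of inactivity, 08:00 to 18:00 as business hours) are assumptions chosen for illustration; the framework leaves the exact values to each bank.

```python
"""Added example: toy detection checks for RBI Baseline Control 8.6/8.7.
Not from the original post or Specops; thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (ISO timestamp, account, outcome, source IP).
SAMPLE_EVENTS = [
    ("2026-04-01T09:00:00", "alice", "success", "10.0.0.5"),
    ("2026-04-01T09:01:00", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T09:01:10", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T09:01:20", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T09:01:30", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T09:01:40", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T09:01:50", "bob", "failure", "10.0.0.9"),
    ("2026-04-01T02:30:00", "carol", "success", "203.0.113.7"),  # off-hours, new IP
    ("2026-03-15T10:00:00", "carol", "success", "10.0.0.12"),
    ("2026-01-05T08:00:00", "dave", "success", "10.0.0.20"),
]
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave", "eve"]  # eve never logged on


def _parse(ts):
    return datetime.fromisoformat(ts)


def invalid_logon_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """8.6: accounts with >= threshold failed logons inside any sliding window."""
    failures = defaultdict(list)
    for ts, acct, outcome, _ in events:
        if outcome == "failure":
            failures[acct].append(_parse(ts))
    flagged = set()
    for acct, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # shrink window from the left
            if end - start + 1 >= threshold:
                flagged.add(acct)
                break
    return sorted(flagged)


def dormant_accounts(events, known_accounts, now, max_idle=timedelta(days=45)):
    """8.6: known accounts with no successful logon within max_idle (assumed value)."""
    last_success = {}
    for ts, acct, outcome, _ in events:
        if outcome == "success":
            t = _parse(ts)
            if acct not in last_success or t > last_success[acct]:
                last_success[acct] = t
    return sorted(a for a in known_accounts
                  if a not in last_success or now - last_success[a] > max_idle)


def abnormal_logons(events, business_hours=(8, 18)):
    """8.7: successful logons outside business hours or from a source IP not seen
    before for that account. The baseline is simply the account's earlier successes."""
    seen_ips = defaultdict(set)
    alerts = []
    for ts, acct, outcome, ip in sorted(events, key=lambda e: e[0]):
        if outcome != "success":
            continue
        t = _parse(ts)
        reasons = []
        if not (business_hours[0] <= t.hour < business_hours[1]):
            reasons.append("off-hours")
        if seen_ips[acct] and ip not in seen_ips[acct]:
            reasons.append("new-source-ip")
        seen_ips[acct].add(ip)
        if reasons:
            alerts.append((acct, ts, reasons))
    return alerts


if __name__ == "__main__":
    now = datetime(2026, 4, 7)
    print("burst:", invalid_logon_bursts(SAMPLE_EVENTS))
    print("dormant:", dormant_accounts(SAMPLE_EVENTS, KNOWN_ACCOUNTS, now))
    print("abnormal:", abnormal_logons(SAMPLE_EVENTS))
```

In production these functions would read from the domain controller security log or a SIEM rather than an in-memory list, and the "new source IP" baseline would be built from weeks of history rather than the handful of events shown here; the point is that each RBI control reduces to a small, testable rule.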
What a compliant password policy looks like
The RBI framework requires strong password controls, but doesn’t prescribe exact numbers – that’s left to implementation. Specops Password Auditor has defined two configuration tiers to help banks meet the standard (download our free, read-only tool here).
Which tier is right for your organization depends on your risk profile and the sensitivity of the systems involved. High-privilege accounts and systems with access to customer data are natural candidates for the stricter configuration:
RBI Strict (recommended for higher-risk environments):
| Setting | Value |
|---|---|
| Minimum password length | 15 characters |
| Maximum password age | 30 days |
| Required character groups | Four: uppercase, lowercase, digit, special |
RBI Standard (baseline compliance):
| Setting | Value |
|---|---|
| Minimum password length | 8 characters |
| Maximum password age | 90 days |
| Required character groups | Three: alphabetic, digit, special |
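To make the two tiers concrete, here is an added example (not code from the original post or from Specops Password Auditor) that encodes both tables as data and checks a candidate password at change time, plus a password-age audit over constructed account records. The account names and dates are constructed; `string.punctuation` is used as the definition of "special" characters, which is an assumption since the post does not define the set.

```python
"""Added example: the RBI Strict / RBI Standard tiers from the post as checkable rules.
Not the Specops implementation; special-character set is an assumption."""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordTier:
    name: str
    min_length: int
    max_age_days: int
    required_groups: tuple  # every listed character group must appear


# Values taken directly from the two tables above.
RBI_STRICT = PasswordTier("RBI Strict", 15, 30,
                          ("uppercase", "lowercase", "digit", "special"))
RBI_STANDARD = PasswordTier("RBI Standard", 8, 90,
                            ("alphabetic", "digit", "special"))

GROUP_TESTS = {
    "uppercase": lambda pw: any(c.isupper() for c in pw),
    "lowercase": lambda pw: any(c.islower() for c in pw),
    "alphabetic": lambda pw: any(c.isalpha() for c in pw),
    "digit": lambda pw: any(c.isdigit() for c in pw),
    "special": lambda pw: any(c in string.punctuation for c in pw),  # assumed set
}


def check_password(pw, tier):
    """Return a list of violations for a candidate password; empty means compliant."""
    problems = []
    if len(pw) < tier.min_length:
        problems.append(f"length {len(pw)} < {tier.min_length}")
    for group in tier.required_groups:
        if not GROUP_TESTS[group](pw):
            problems.append(f"missing {group}")
    return problems


def password_expired(last_set, tier, today):
    """True when the password is older than the tier's maximum age."""
    return (today - last_set).days > tier.max_age_days


def expired_accounts(accounts, tier, today):
    """accounts: iterable of (name, pwdLastSet date). Returns names needing a reset."""
    return sorted(name for name, last_set in accounts
                  if password_expired(last_set, tier, today))


# Constructed sample records (name, date the password was last set).
SAMPLE_ACCOUNTS = [
    ("alice", date(2026, 3, 20)),  # 18 days old on 2026-04-07
    ("bob", date(2026, 1, 1)),     # 96 days old
    ("carol", date(2026, 2, 15)),  # 51 days old
]

if __name__ == "__main__":
    today = date(2026, 4, 7)
    for tier in (RBI_STRICT, RBI_STANDARD):
        print(tier.name, "expired:", expired_accounts(SAMPLE_ACCOUNTS, tier, today))
        print(tier.name, "Passw0rd ->", check_password("Passw0rd", tier))
```

Note what the age audit shows: carol's 51-day-old password passes RBI Standard but fails RBI Strict, which is exactly the kind of account (privileged, or with customer-data access) the post suggests moving to the stricter tier.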
MFA and account lockout
Password policy alone isn’t enough. RBI 8.4 specifically calls out MFA where risk assessment indicates it’s needed. For any systems with access to sensitive data or administrative functions, that threshold is going to be met. Specops Secure Access can provide a second authentication factor for Windows logons (including RDP) and RADIUS connections commonly used by VPNs.
On the account lockout side, Specops uReset handles secure self-service password resets with multiple verification methods that map directly to the out-of-band reset requirements in the framework. To address the invalid logon controls in 8.6, Specops uReset also supports CAPTCHAs, geo-blocking, and IP range restrictions to limit exposure to brute-force attempts on the self-service reset surface.
Getting started
The RBI framework is broad, but the access control requirements can be addressed systematically. A good starting point is getting your password policy configuration right with Specops Password Policy. As the Kotak case illustrates, user access management is one of the first places the RBI looks when something goes wrong. To see how Specops Password Policy easily maps to your current Active Directory setup, book a demo with an expert.
Last updated on April 7, 2026