The Reserve Bank of India issued the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 (“Directions”), which have come into effect on and from October 1st, 2023 and are applicable to Schedule Commercial Bank including Foreign Banks located in India, Local Banks, Small Finance Banks, and Payments Banks but excluding Regional Rural Banks, Primary (Urban) Co-operative Banks excluding Tier 1 and Tier 2 Urban Co-operative Banks, Credit Information Companies (CICs), Non- Banking Financial Companies (“NBFCs”) but excluding Base Layer NBFCs and All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI) (“REs”). It is essential to note that foreign banks operating in India through branch mode must interpret references to the ‘Board’ or ‘Board of Directors’ as pertaining to the head office or controlling office overseeing branch operations in India.

1) RETROSPECTIVE AND PROSPECTIVE EFFECT

2) APPLICABILITY

These Directions shall apply to Material Outsourcing of IT Services arrangements entered by the REs. The term “Material Outsourcing of IT Services” shall include any such services which: 

(a) if disrupted or compromised will significantly impact the RE’s business operations; or 

(b) may have material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information. 

The “Outsourced IT Services” will include the following:

3) ROLES AND RESPONSIBILITIES OF THE REs

The guidelines underscore the critical responsibility of REs in overseeing outsourced activities. The Board and Senior Management bear ultimate accountability and must ensure that service providers adhere to the same standards and obligations as the REs themselves. To this end, REs are mandated to maintain a robust grievance redressal mechanism and compile an inventory of services provided by service providers.

1. Governance Framework: A comprehensive governance framework is essential for effective oversight of outsourcing activities. REs intending to outsource IT activities must formulate a board-approved IT outsourcing policy encompassing roles and responsibilities, selection criteria for service providers, risk assessment methodologies, disaster recovery plans, and termination processes. The Board is entrusted with approving policies and establishing administrative frameworks, while Senior Management is responsible for policy formulation and risk evaluation.

2. Evaluation and Engagement of Service Providers: Prior to engaging service providers, REs must conduct meticulous due diligence to assess their capabilities and suitability. Evaluation criteria should span qualitative, quantitative, financial, operational, legal, and reputational factors. The subsequent agreement between REs and service providers should be legally binding and encompass critical aspects such as service level agreements, data confidentiality, and liability clauses.

3. Risk Management: Mitigating risks associated with outsourcing activities requires a robust risk management framework. REs must identify, measure, mitigate, and manage risks comprehensively. Additionally, they are required to establish business continuity plans (BCP) and disaster recovery plans (DRP) to ensure uninterrupted operations during emergencies.

4. Monitoring and Control of Outsourced Activities: Maintaining effective oversight of outsourced IT activities is paramount for REs. Regular audits, performance monitoring, and periodic reviews of service providers are essential components of this oversight. Access to relevant data and business premises must be granted for oversight purposes.

5. Outsourcing within a Group / Conglomerate: While REs are permitted to outsource IT activities within their business group or conglomerate, they must ensure the adoption of appropriate policies and service level agreements. Maintaining an arm’s length relationship with group entities and adhering to identical risk management practices is imperative.

6. Cross-Border Outsourcing: Engaging service providers based in different jurisdictions necessitates a thorough understanding of associated risks. REs must closely monitor country risks, political, social, economic, and legal conditions, and ensure compliance with regulatory requirements. Contingency and exit strategies must be in place to mitigate potential disruptions.

7. Exit Strategy: Incorporating a clear exit strategy in outsourcing policies is essential for ensuring business continuity during and after termination of outsourcing arrangements. Alternative arrangements and procedures for data removal, transition, and cooperation between parties must be clearly defined.

4) EXCLUSIONS

The following services/ activities are excluded from the ambit of “Outsourcing IT Services” (non-exhaustive list):

• Corporate Internet Banking services obtained by regulated entities as corporate customers/ sub members of another regulated entity
• External audit such as Vulnerability Assessment/ Penetration Testing (VA/PT), Information Systems Audit, security review
• SMS gateways (Bulk SMS service providers)
• Procurement of IT hardware/ appliances
• Acquisition of IT software/ product/ application (like CBS, database, security solutions, etc.,) on a licence or subscription basis and any enhancements made to such licensed third-party applications by its vendor (as upgrades) or on specific change requests made by the RE.
• Any maintenance service (including security patches, bug fixes) for IT Infra or licensed products, provided by the Original Equipment Manufacturer (OEM) themselves, in order to ensure continued usage of the same by the RE.
• Applications provided by financial sector regulators or institutions like CCIL, NSE, BSE, etc.
• Platforms provided by entities like Reuters, Bloomberg, SWIFT, etc.
• Any other off the shelf products (like anti-virus software, email solution, etc.,) subscribed to by the regulated entity wherein only a license is procured with no/ minimal customisation
• Services obtained by a RE as a sub-member of a Centralised Payment Systems (CPS) from another RE
• Business Correspondent (BC) services, payroll processing, statement printing

In addition to the above, certain vendors/ entities will not be considered as a third-party service provider for these Directions. A non-exhaustive list is provided below:  

• Vendors providing business services using IT. Example – BCs
• Payment System Operators authorised by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007 for setting up and operating Payment Systems in India
• Partnership based Fintech firms such as those providing co-branded applications, service, products (would be considered under outsourcing of financial services)
• Services of Fintech firms for data retrieval, data validation and verification services such as (list is not exhaustive): (a) bank statement analysis; (b) GST returns analysis; (c) fetching of vehicle information; (d) digital document execution; and (e) data entry and call centre services.
• Telecom Service Providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of the data
• Security/ Audit Consultants appointed for certification/ audit/ VA-PT related to IT infra/ IT services/ Information Security services in their role as independent third-party auditor/ consultant/ lead implementer.
• The RBI’s IT Outsourcing Directions represent a significant regulatory milestone aimed at enhancing the resilience and integrity of IT outsourcing practices within the financial sector. By delineating clear roles, responsibilities, and standards, these guidelines seek to foster transparency, accountability, and risk mitigation in outsourcing arrangements. Compliance with these directives is essential for REs to maintain operational stability and safeguard customer interests in an increasingly digitalized financial landscape.

Related posts:

Budget 2023 – Applicability of Angel Tax for foreign investors from April 1, 2023 What is Blockchain Technology ? What are Cross Border Payments? Wholesale and Retail payments with RBI Guidelines in India Compliance with the Indian Digital Personal Data Protection Act, 2023