The Reserve Bank of India (“RBI”), on 10th April 2023, issued the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 (“Master Directions on IT Outsourcing”). The Master Directions on IT Outsourcing have been issued in furtherance of the relevant proposal made in the Statement on Development and Regulatory Policies dated 10th February 2022 (“2022 Statement”). In the 2022 Statement, the RBI noted that, in order to improve efficiencies, Regulated Entities (“REs”) have been “leveraging and outsourcing critical IT services” to access the latest technologies through fin-tech players, which makes them vulnerable to financial, operational and reputational risks. Accordingly, the RBI proposed regulatory guidelines to address aspects such as a risk management framework for IT outsourcing, managing concentration risk, periodic risk assessment and outsourcing to foreign service providers. Thereafter, in June 2022, the RBI released the draft Master Directions on IT Outsourcing for public comments. Based on the proposal and the public consultation, the Master Directions on IT Outsourcing have now been issued and will come into effect from 1st October 2023, so as to provide adequate time to REs to comply with the requirements.
Some of the key features of the Master Directions on IT Outsourcing are as follows:
- Applicability: The Master Directions on IT Outsourcing apply to entities regulated by the RBI, including, inter alia, all banking companies, corresponding new banks, the State Bank of India, Primary Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies and Material Outsourcing of Information Technology (“IT”) Services arrangement.
- Key Definitions: Some of the key definitions provided in the Master Directions on IT Outsourcing are as follows:
  - Material Outsourcing of IT Services: Services which, if disrupted or compromised, have the potential to significantly impact the REs’ business operations, or which may have a material impact on REs’ customers in the event of any unauthorised access, loss or theft of customer information.
  - Outsourcing: This term has been defined in the ‘Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks’ to mean a “bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future”.
  - Outsourcing of IT Services: Outsourcing of activities such as IT infrastructure management, maintenance and support, services and operations related to Data Centres, Cloud Computing Services, etc.
  - Service Providers: These are providers of IT or IT enabled services, and include entities related to the RE or belonging to the same group/conglomerate to which the RE belongs.
- Role of REs: The REs must comply with certain obligations, some of which are listed below:
  - The Board and Senior Management of REs will be responsible for the outsourced activity. The REs have to ensure that outsourcing does not diminish the REs’ obligations.
  - Irrespective of whether the service provider is based in India, it would be the duty of REs to ensure that the outsourcing neither impedes nor interferes with the ability of the REs to oversee and manage their activities.
  - REs must evaluate the need for Outsourcing of IT Services based on a comprehensive assessment of the benefits, the risks, and the availability of commensurate processes to manage those risks.
  - REs must have a grievance redressal mechanism for addressing grievances related to outsourced services. Outsourcing arrangements will not affect the rights of the customer against the REs.
  - Further, REs are also required to create an inventory of services provided by the service providers, map their dependency on third parties, and periodically evaluate information received from the service providers.
  - REs must also perform appropriate due diligence while considering or renewing Outsourcing of IT Services arrangements. The Master Directions on IT Outsourcing provide a non-exhaustive list of aspects that must be considered while undertaking such due diligence.
  - REs are also required to ensure that their rights and obligations, and those of their service providers, are clearly defined in a legally binding agreement that sets out the nature of the legal relationship between the parties as well as the terms and conditions governing the contract. As with the due diligence requirement, the Master Directions on IT Outsourcing also provide a list of aspects that must be included in the legally binding agreement. The Master Directions on IT Outsourcing mandate storage of data in India as per the extant regulatory requirements. Moreover, REs are also required to ensure that the agreement contains clauses pertaining to removal/destruction of data, hardware and all records (digital and physical). Through this agreement, it must also be ensured that the service providers are prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the RE or the regulator.
- Governance Framework: REs intending to outsource IT services must put in place a comprehensive Board-approved IT outsourcing policy incorporating, inter alia, the roles and responsibilities of the Board, senior management, IT functions and business functions; the criteria for selection of such activities as well as of service providers; delegation of authority depending on risk and materiality; disaster recovery and business continuity plans; etc.
- Risk Management Framework: In addition to the above, REs are also required to put in place a risk management framework for Outsourcing of IT Services that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management and reporting of risks associated with Outsourcing of IT Services arrangements. As per the Master Directions on IT Outsourcing, the confidentiality and integrity of data and information pertaining to customers that is available to the service provider will remain the responsibility of the REs. Among other obligations, REs are also required to ensure that cyber incidents are reported to them by the service provider without undue delay, so that the incident can be reported by the RE to the RBI within 6 hours of detection by the Third Party Service Provider.
- Cross-Border Outsourcing: Where a service provider is based abroad, REs are required to monitor, on a continuous basis, government policies as well as the political, social, economic and legal conditions of the jurisdiction in which the service provider is based. Further, REs must also establish procedures for mitigating country risks by having, inter alia, appropriate contingency and exit strategies. It must also be ensured that the availability of records to the RE and the RBI will not be affected under any circumstances, including in the case of liquidation of the service provider. Such an arrangement shall only be entered into with parties operating in jurisdictions that uphold confidentiality clauses and agreements, and the governing law of the arrangement shall be clearly specified. Moreover, REs must ensure that the right of the RE and the RBI to direct and conduct an audit or inspection of a Service Provider based in a foreign jurisdiction is not affected.
- Exit Strategy: An exit strategy for different scenarios, ensuring business continuity during and after exit, must be included in the Outsourcing of IT Services policy. Such a strategy must also identify alternative arrangements, including the performance of an activity by a different service provider or by the RE itself.
In addition to the Outsourcing of IT Services, the Master Directions on IT Outsourcing also provide guidance on usage of cloud computing services and outsourcing of security operations centers.
The ubiquitous use of technology has allowed various types of entities, including entities that are critical to the banking and finance sector, to leverage IT and IT enabled services for their businesses. Given this development and the associated risks, the RBI has issued these Master Directions on IT Outsourcing to safeguard the interests of the stakeholders involved and to provide a streamlined risk management framework in relation to services that can materially impact the REs and their customers. These Master Directions on IT Outsourcing are a step in the right direction, as they extensively lay down the RBI’s expectations of REs so that outsourcing arrangements do not impede the ability of the REs to operate responsibly, and so as to ensure consumer confidence.
Having said that, the Master Directions on IT Outsourcing could potentially lead to operational challenges. The Master Directions on IT Outsourcing have placed significant obligations on the REs, thereby increasing their compliance burden. Further, REs will probably be expected to re-evaluate existing agreements and, if required, enter into fresh agreements with service providers in order to address the aspects that must be covered in the legally binding agreement as required under the Master Directions on IT Outsourcing.
While the intention behind introducing the Master Directions on IT Outsourcing is vested in the interest of the regulated entities and consumers, the effectiveness of the Master Directions on IT Outsourcing will only become clear in the fullness of time.
Link to the Master Direction on Outsourcing of Information Technology Services: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12486
Link to the Statement on Developmental and Regulatory Policies: https://rbidocs.rbi.org.in/rdocs/PressRelease/PDFs/PR1694B4C39F1315F4456386C99197132C5E4C.PDF