RBI Proposes Common Standards For IT Outsourcing Arrangements Across Regulated Entities

Reserve Bank of India, on Thursday, released draft master directions for outsourcing of information and technology services by all regulated entities. These regulated entities will include scheduled commercial banks, local area banks, small finance banks, payments banks, urban cooperative banks with asset size of Rs 1,000 crore and above, all non-bank finance companies, credit information companies and all India finance institutions.

According to the regulator, the regulated entities outsource substantial portion of their IT activities to third party service providers, which may expose these entities to significant risk.

In its draft master circular, the RBI said that regulated entities seeking to outsource their IT services do not need to obtain prior approval of the regulator.

"However, such arrangements shall be subject to on-site/off-site monitoring and inspection/scrutiny by the supervising authority," the RBI said.

The service providers eligible for such outsourcing arrangements may include third party entities or entities which are part of the regulated entity's group. They may also includes sub-contractors to whom the third-party service providers may further outsourced.

The services being outsourced may include the following:

• IT infrastructure management, maintenance and support.

• Network and security solutions maintenance.

• Application development, maintenance and testing.

• Services and operations related to data centres.

• Cloud computing services.

• Managed security services.

• Application service providers including ATM switch ASPs.

• Management of IT infrastructure and technology services associated with payment system ecosystem.

As part of this draft master circular, the regulated entities are required to adequately assess the necessity and criticality of outsourcing IT services. The board should provide a clear IT outsourcing framework, where specific roles and responsibilities of board members, management and IT function at the regulated entity must be defined.

Such outsourcing will also not absolve the regulated entities from their duty toward customers, the RBI said.

In its guidelines, the regulator has also specified that:

• All customer redressal would be the responsibility of the principal entity and not of the third party service provider.

• Thorough due diligence of these service providers, their dependability and demonstrated capability must be done, before engaging them.

• The service provider's own due diligence process before engaging a sub-contractor must also be checked.

• Access to customer information by staff of the service provider shall be on ”need to know basis”.

• Service providers who may lead to reputational harm should be avoided.

• If the outsourcing agent is working with multiple regulated entities for such arrangements, it must be ensured that there is no combining of documents, information, records and assets.

• The impact of concentration risk posed by multiple outsourcing to the same service provider must be assessed.

• Regulated entities shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity plan and disaster recovery plan.

• Regular audits must be conducted of the service providers and their sub-contractors.

• When employing group companies as outsourcing agents, regulated entities must ensure that the criteria for selection must be objective and adequate demarcation of resources must be maintained.

• Outsourcing arrangements with group companies should not hamper the RBI's ability to conduct supervision.

The RBI has invited comments and suggestions on its draft circular by July 22. The final guidelines will be issued considering the feedback received.