Listen to this post
New RBI IT Outsourcing Directions Industry Implications

Background

The Reserve Bank of India (“RBI”) has issued the RBI Master Direction on Outsourcing of Information Technology Services, dated April 10, 2023 (“Directions”), that will come into effect on October 1, 2023, in line with its earlier Draft Master Direction on Outsourcing of IT Services, dated June 23, 2022 (“Draft Directions”). The RBI’s message to Regulated Entities (“RE”) via these Directions is clear – the liability of Regulated Entities (“RE”) towards their customers does not get diminished due to such outsourcing arrangements or on account of engaging Third Party Service Providers (“TPSP”), nor does it impede effective supervision by the RBI. Outsourcing activities for financial services were already regulated (“Existing Guidelines”), but not for information technology (“IT”) services. In line with the Existing Guidelines, the idea is that core functional areas of RE cannot be outsourced.

Implications

The Directions follow the Draft Directions and the Existing Guidelines while introducing an appendix with two indicative lists of services/ activities not considered under Outsourcing of IT Services and Vendors/ Entities not considered as TPSPs, respectively.

The Directions apply to ‘material outsourcing of information (IT) services’, defined  as services which: (i) if disrupted/ compromised have the potential to significantly impact the business operations of RE; and (ii) may have material impact on RE’ customers if there is any unauthorised access, loss or theft of customer information.

Key highlights

i. Grievance redressal framework: RE must retain the responsibility of customer grievance redressal.

ii. Governance Framework: RE must put in place a board-approved comprehensive IT outsourcing policy, governing the roles and responsibilities of the board, committees of the board, senior management, IT function, business function, oversight and assurance functions in respect of outsourcing of IT services.

iii. Due Diligence: RE must conduct due diligence on TPSPs based on a risk-based approach, taking into consideration various qualitative, quantitative, legal, reputational and operational factors, along with associated risks.

iv. Monitor/ Control: RE must conduct periodic audits to assess key factors such as performance of service providers, risk management activities adopted, etc.  

v. Risk Management Framework: RE must put in place a robust risk management framework, including the identification, measurement, mitigation/ management and reporting of risks.

vi. Confidentiality and Security: RE must also be responsible for ensuring that customer data with TPSPs are secure and confidential, with access on a need-to-know basis.

vii. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): TPSPs must have an established framework for BCP and DRP.

viii. Outsourcing to Business Group/ Conglomerate: On the condition that a board-approved policy is in place, RE can outsource IT activities to its business group/ conglomerate.

ix. Cloud Computing Services: Factors RE must take into consideration while adopting cloud computing services from cloud TPSPs are outlined.  

ix. Security Operations Centre (“SOC”): Outsourcing of operations to an SOC may carry certain risks, particularly since the data is not only stored and processed at an external location, but also managed by a third party.

Conclusion

These Directions are likely to lead to major changes in the market related to outsourcing arrangements between RE and TPSPs. There is specific focus on data privacy and protection, with the inclusion of confidentiality clauses in the outsourcing agreement as well as segregation of customer data into separate pools by TPSPs such that only a lending RE would have access to the borrower’s data. However, a few challenges remain, such as the inclusion of Payment System Operators and simplifying cloud service management and security procedures. It is important now for RE to reimagine their businesses with these safeguards, including the day-to-day operations and the existing contractual framework of such RE.


Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ganesh Kumar Ganesh Kumar

Senior regulatory advisor with Cyril Amarchand Mangaldas. Mr. S. Ganesh Kumar prior to joining Cyril Amarchand Mangaldas has an illustrious career of over 36 years with the Reserve Bank of India (“RBI”) and was an executive director (“ED”) with…

Senior regulatory advisor with Cyril Amarchand Mangaldas. Mr. S. Ganesh Kumar prior to joining Cyril Amarchand Mangaldas has an illustrious career of over 36 years with the Reserve Bank of India (“RBI”) and was an executive director (“ED”) with the RBI, primarily looking after the Department of Information Technology, Department of Payment and Settlement Systems and Department of External Investments and Operations at RBI.

Mr. Kumar joined the RBI in 1984 and as a career central banker, has served in the areas of payment systems, supervision, foreign exchange, information technology and Government and Bank Accounts at the RBI. Prior to being promoted as ED, Mr. Kumar was the Chief General Manager-in-Charge, Department of Information Technology at RBI.

Photo of Anu Tiwari Anu Tiwari

Partner (Head – Fintech and FSRP) at Cyril Amarchand Mangaldas. Anu represents Indian and multinational banking, broker-dealer, exchange, asset management, speciality finance, fintech and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private…

Partner (Head – Fintech and FSRP) at Cyril Amarchand Mangaldas. Anu represents Indian and multinational banking, broker-dealer, exchange, asset management, speciality finance, fintech and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, capital raising, commercial agreements and activism matters. Anu advises financial services clients on matters before the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Ministry of Finance, Enforcement Directorate and appellate tribunals. He can be reached at anu.tiwari@cyrilshroff.com

Photo of Lakshmi Prakash Lakshmi Prakash

Partner, specialising in Projects, Structured Finance and Insolvency at the Bangalore office of Cyril Amarchand Mangaldas. Lakshmi has wide range of expertise in advising private equity plyers, lenders (both public and private international bans) and other investors in the renewable energy, real estate

Partner, specialising in Projects, Structured Finance and Insolvency at the Bangalore office of Cyril Amarchand Mangaldas. Lakshmi has wide range of expertise in advising private equity plyers, lenders (both public and private international bans) and other investors in the renewable energy, real estate and transportation sectors. She has also advised resolution professional, committee of creditors and resolution applicants in the IBC process. She can be reached at lakshmi.prakash@cyrilshroff.com

Photo of Vishrut Jain Vishrut Jain

Senior Consultant in the financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Vishrut has represented various Indian and multinational fintech and information / emerging technology companies on transactional, enforcement and regulatory matters. He can be reached at vishrut.jain@cyrilshroff.com.