The Reserve Bank of India (“RBI”) has issued the RBI Master Direction on Outsourcing of Information Technology Services, dated April 10, 2023 (“Directions”), which will come into effect on October 1, 2023, in line with its earlier Draft Master Direction on Outsourcing of IT Services, dated June 23, 2022 (“Draft Directions”). The RBI’s message to Regulated Entities (“RE”) via these Directions is clear – the liability of RE towards their customers is not diminished by such outsourcing arrangements or by the engagement of Third Party Service Providers (“TPSP”), and such arrangements must not impede effective supervision by the RBI. Outsourcing of financial services was already regulated (“Existing Guidelines”), but outsourcing of information technology (“IT”) services was not. In line with the Existing Guidelines, the underlying principle is that the core functional areas of an RE cannot be outsourced.
The Directions follow the Draft Directions and the Existing Guidelines while introducing an appendix with two indicative lists of services/ activities not considered under Outsourcing of IT Services and Vendors/ Entities not considered as TPSPs, respectively.
The Directions apply to ‘material outsourcing of information technology (IT) services’, defined as services which: (i) if disrupted or compromised, have the potential to significantly impact the business operations of the RE; and (ii) may have a material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.
i. Grievance redressal framework: RE must retain the responsibility of customer grievance redressal.
ii. Governance Framework: RE must put in place a board-approved comprehensive IT outsourcing policy, governing the roles and responsibilities of the board, committees of the board, senior management, IT function, business function, oversight and assurance functions in respect of outsourcing of IT services.
iii. Due Diligence: RE must conduct due diligence on TPSPs based on a risk-based approach, taking into consideration various qualitative, quantitative, legal, reputational and operational factors, along with associated risks.
iv. Monitor/ Control: RE must conduct periodic audits to assess key factors such as performance of service providers, risk management activities adopted, etc.
v. Risk Management Framework: RE must put in place a robust risk management framework, including the identification, measurement, mitigation/ management and reporting of risks.
vi. Confidentiality and Security: RE must also be responsible for ensuring that customer data with TPSPs are secure and confidential, with access on a need-to-know basis.
vii. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): TPSPs must have an established framework for BCP and DRP.
viii. Outsourcing to Business Group/ Conglomerate: On the condition that a board-approved policy is in place, RE can outsource IT activities to its business group/ conglomerate.
ix. Cloud Computing Services: Factors RE must take into consideration while adopting cloud computing services from cloud TPSPs are outlined.
x. Security Operations Centre (“SOC”): Outsourcing of operations to an SOC may carry certain risks, particularly since the data is not only stored and processed at an external location, but also managed by a third party.
These Directions are likely to lead to major changes in the market related to outsourcing arrangements between RE and TPSPs. There is specific focus on data privacy and protection, with the inclusion of confidentiality clauses in the outsourcing agreement as well as segregation of customer data into separate pools by TPSPs such that only a lending RE would have access to the borrower’s data. However, a few challenges remain, such as the inclusion of Payment System Operators and simplifying cloud service management and security procedures. It is important now for RE to reimagine their businesses with these safeguards, including the day-to-day operations and the existing contractual framework of such RE.