IT Services Outsourcing - RBI’s Master Direction

The Reserve Bank of India (RBI) released the master direction to regulate outsourcing of information technology (IT) services by Regulated Entities (REs) on in April 2023. RBI’s released the draft of the Master Directions for public comments, in June 2023. It has been notified that these directions shall come into effect from 1 October 2023.

Applicability of Master Directions

REs that shall fall under the ambit of the provisions of the Master Directions are Scheduled Commercial Banks, Cooperative Banks, Local Area Banks, Non-banking Financial Companies (NBFCs), Credit information Companies (CIC), and All India Financial Institutions.

Goal of the Master Direction

The aim of RBI’s Master Directions is for REs to ensure that outsourcing agreements do not decrease their ability to fulfill their responsibilities towards their customers and does not hinder the supervising authority from supervising effectively. REs do not need to acquire any prior approvals from the RBI if they want to outsource any IT or IT-enabled services. However, such agreements would be subject to on-site/off-site monitoring and inspection/scrutinization by the supervising authority.

Framework

Grievance Redressal

REs must have an effective grievance redressal structure that is not in any way compromised by the outsourcing. This basically means that REs shall be liable to address and resolve customers’ complaints related to the services that have been outsourced.

Implementation of IT Outsourcing Policy

REs must have an IT Board capable of the below mentioned functions:

• Helping the Management identify, measure, mitigate, and manage the extent of IT outsourcing risks in the company.
• Ensure maintenance of a central database of all IT outsourcing arrangements, which can be accessed for reviews by the Board, Senior Management, Auditors, and Supervisors.
• Effective monitoring and supervision of outsourced activities to make sure that providers of such services comply with the established performance standards and deliver seamless services and reporting to seniors. They must also enable and assist with regular due diligence and report any risks they come across.
• Prepare relevant documents mandatory for contractual arrangements; this shall include service level management, keeping track of vendor’s operations, critical risk indicators, and classification of vendors as per the determined risks.

Key Responsibilities of REs

REs must make sure that the Service Providers are not owned/controlled by any director, senior management or authorizer of the REs’ outsourcing arrangements, or even their relatives. It is imperative to ensure compliance with these guidelines as the same has been provided under the Companies Act, 2013. You may only be exempt from adhering to these provisions if an exception for the same has been approved by the Board or a similar level RE committee.

REs are obligated to maintain the privacy and integrity of their customers’ information, which is shared with the Service Providers. Furthermore, they must also develop an inventory for the IT services provided by the different Service Providers.

Due Diligence on Service Providers

REs must conduct due diligence on the Service Providers while taking risk-based approach and consider the numerous qualitative, quantitative, legal, operational, and reputational aspects along with related risks.

Outsourcing Agreement

REs must make sure that all rights and responsibilities of REs and their Service Providers are distinctly stated in a lawfully binding written contract. It is imperative for REs to ensure the following provisions are listed in outsourcing agreements:

• Specifics of outsourced activities.
• REs’ and RBI’s rights related to assessing, monitoring and performing inspections.
• Law(s) that shall govern the contract.
• Crucial provisions for removing or destroying business data, hardware and records.
• Limitations on Service Providers relating to erasing, purging, revoking, altering, or changing any data during the transitioning or exit period.
• The kind of data/information that the Service Provider is allowed to share with RE’s customers and/or any other relevant individual/entity.
• The responsibility of Service Providers to ensure compliance with the RBI’s directions related to outsourced activities.
• All data must only be stored in India, as mandated by the current regulatory guidelines.
• Clause mandating adequate back-to-back arrangements between Original Equipment Manufacturer (OEMs) and Service Providers.

Risk Management Structure

REs must develop a risk management structure for outsourced activities, which effectively handles the processes and undertakes the responsibility to identify, measure, mitigate, manage, and report the risks of outsourcing IT services.

Timely Report Cyber Events

• REs are obligated to make sure that they receive reports for all cyber incidents from the Service Providers without any unnecessary delay. This is necessary to ensure that the REs can report the same to the RBI within six hours of Service Providers detecting the issue.
• REs must also keep an eye on the Service Provider’s management processes and security methods to track potential data breaches and immediately inform the RBI in case security has been breached or some confidential details of customers have been leaked.

Business Continuity and Disaster Recovery Strategies

It is the REs responsibility to make sure that the Service Providers build a strong framework to document, maintain and test various strategies related to business continuity and disaster recovery. When preparing such strategies, REs must look for alternative Service Providers and consider the possibility of having to bring the outsourced IT services back in-house in case of an emergency, along with the costs, resources and time that would be required to deal with such circumstances.

Monitor and Manage Outsourcing Services

REs must establish a management infrastructure for monitoring and managing IT services and conducting regular audits of Service Providers with respect to the outsourced activities and sharing reports on the same with the upper management. In case any issue is spotted in such reports, the Board must be informed of the same.

Further, the RE is expected to, at least once every year, review the financial and operational conditions of the Service Provider to assess whether it can continue to deliver as per the expected standards. Conducting such due diligence reviews shall bring into light any degradation or breach in the performance standards, confidentiality and security and also in business continuity preparations and strategies.

Outsourcing within a Group/Conglomerate

REs can plan for outsourcing IT services within a business conglomerate considering a policy that has been approved by the Board is already in place for the arrangement. REs’ risk management methods with respect to Service Providers within the business conglomerate must be similar to what is defined for a non-related entity.

Cross-Border Outsourcing

• When REs outsource IT services to a Service Provider based out of India, they shall be required to keep a close eye on the Service Provider’s country’s political, economic, legal, and social conditions along with its government policies on a regular basis.
• In addition, they must develop robust processes to mitigate the risks they may come across. Furthermore, REs must ensure that there are no hindrances in the availability of records even if the Service Provider goes through liquidation.