The Reserve Bank of India (RBI) on June 23 issued draft guidelines for outsourcing of information technology (IT) services by lenders.
The underlying principle of these guidelines is that the regulated entities must ensure that their outsourcing arrangements neither diminish their ability to fulfil their obligations to customers nor impede effective surveillance by the supervising authority, the central bank said.
Through this explainer, Moneycontrol answers five key questions on why the regulator had to issue the new guidelines.
What do the draft guidelines say?
As per the draft norms, lenders must consider all relevant laws, regulations, guidelines and conditions of approval while performing their due diligence during outsourcing of IT services. They should identify the list of services provided by the third-party service provider, including key entities involved in their supply chains. Lenders must also map their dependency on other parties and periodically evaluate the information received from service providers.
Lenders are also required to ensure that the service provider shall neither impede nor interfere with the ability of the regulated entity to effectively oversee its activities nor impede the supervising authority in carrying out the supervisory functions and objectives.
“The guidelines make an explicit mention of cloud infrastructure, something which has always been a bit of interpretational conversation at various regulated entities. Laying down a framework helps drive clarity for institutions like ours who are heavily engaged with lenders through SaaS application and for AI consulting work,” said Amit Das, chief executive officer and co-founder of Think360.ai.
“A significant part of the document is a continuation of existing circulars, but the embracing of modern technology stack and its applications is a welcome gesture,” he added.
To whom do these guidelines apply?
The norms are applicable to all scheduled commercial banks, excluding regional rural banks. Small finance banks (SFBs), payments banks, urban cooperative banks with up to Rs 1,000 crore of assets, all non-banking financial companies (NBFCs) except those in the lower layer, and local area banks should also follow these directives, the RBI said.
Regulated entities seeking to outsource IT and IT-enabled services (ITeS) do not require prior approval from the RBI. However, such arrangements shall be subject to on-site and off-site monitoring and inspections by the supervising authority, it added.
What type of third-party service providers can lenders work with?
The third-party service provider, if not a group company, must not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the regulated entity, or their relatives. The entities are also expected to have a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing, the regulator said.
Regulated entities intending to outsource any of their IT activities are expected to put in place a comprehensive board-approved IT outsourcing policy, among others.
Why did the RBI launch specific new guidelines on outsourcing of IT services?
According to Das, each bank currently has signed numerous partnerships with fintechs for different solutions, which calls for better scrutiny of outsourcing of services.
Lenders have been extensively leveraging IT and ITeS in their businesses, products and services with increasing dependence on third parties. Such reliance, however, exposes lenders to various risks, the RBI said.
“The underlying principle of these Directions is that the RE (regulated entity) should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority,” the central bank said.
What action has the RBI taken on lenders violating existing IT outsourcing norms?
The RBI had barred global payments network Mastercard from enrolling new customers in India in 2021 for violating data storage norms.
It had also barred HDFC Bank from offering new digital services in 2021 and asked the bank to fix accountability in frequent data centre outages. After showing improvement in compliance with the new norms, the central bank recently lifted curbs on both Mastercard and HDFC Bank. Paytm Payments Bank, which was barred by the RBI from onboarding new customers on March 11, however, still faces RBI restrictions. An email sent to Paytm by Moneycontrol did not receive a response.