
RBI issues IT outsourcing framework for regulated entities

The central bank aims to ensure effective management of attendant risks in outsourcing IT activities via these directives, the banking regulator said.

June 23, 2022 / 07:00 PM IST

The Reserve Bank of India (RBI) on June 23 issued a broader framework for financial services entities to address technology-related risks.

The framework was issued in the backdrop of rising instances of technical glitches, fraud, and irregularities in the IT systems of banks.

“Regulated Entities (REs) have been extensively leveraging Information Technology (IT) and IT-enabled services (ITeS) in their business, products, and services with increasing dependence on third parties,” the central bank said. “Such reliance on IT/ITeS provided by third parties exposes the REs to various risks.”

In February, the RBI had said that it will release draft guidelines on the risk management framework for outsourcing IT Services, managing related concentration risk, its periodic risk assessment, and aspects of outsourcing of IT Services to foreign service providers.

The provisions of these directions apply to all scheduled commercial banks, excluding regional rural banks, local area banks, and small finance banks.


They are also applicable to payments banks, primary (urban) co-operative banks having asset size of Rs 1,000 crore and above, and non-banking financial companies in the top, upper and middle layers. They are also applicable to credit information companies and All India Financial Institutions like National Housing Bank, NABARD, and SIDBI, among others.

Outsourcing of IT Services mainly covers IT infrastructure management, maintenance and support, network and security solutions maintenance, application development, maintenance and testing, and cloud computing services, among others, the regulator said.

Regulated entities desirous of outsourcing of IT and IT-enabled services shall not require prior approval from the RBI. However, such arrangements shall be subject to on-site or off-site monitoring and inspection/ scrutiny by the supervising authority, the RBI said.

These entities shall evaluate the need for outsourcing of IT Services based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks. In this process, such entities shall consider important aspects, such as determining need for outsourcing based on criticality of activity to be outsourced, determining expectations or outcome from outsourcing, determining success factors and cost-benefit analysis and deciding the model for outsourcing.

Further, the regulated entities shall ensure that in the outsourcing of IT Services engagement, wherein such outsourcing services support their financial services, the applicable directions issued by RBI on managing risks and the code of conduct in outsourcing of financial services are adhered to.

Entities are also required to take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by it if the same activity was not outsourced, the banking regulator said. Accordingly, the entities shall not engage an IT service provider that would result in the reputation of the regulated entity being compromised or weakened.

The RBI said that the regulated entities shall establish an inventory of services provided by the service providers, including key entities involved in their supply chains, map their dependency on third parties and periodically evaluate the information received from the service providers.

They are also required to ensure that the service provider shall neither impede nor interfere with the ability of the regulated entities to effectively oversee and manage its activities nor impede the supervising authority in carrying out the supervisory functions and objectives, the central bank said.

The service provider, if not a group company, is not to be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the regulated entity, or their relatives. The entities are also expected to have a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing, the regulator said.

The entity intending to outsource any of its IT activities is expected to put in place a comprehensive board-approved IT outsourcing policy. The policy shall incorporate the roles and responsibilities of the Board, Board Committee and Senior Management, IT function, business function, and oversight & assurance functions in respect of outsourcing of IT services, said the RBI.

The outsourcing of IT Services policy shall contain a clear exit strategy with regard to outsourced IT activities/ IT enabled services, while ensuring business continuity during and after exit, the RBI said.

“The strategy should include exit strategy for different scenarios of exit or termination of services (e.g., change of service provider ownership, liquidation, merger/ acquisition, undesirable changes due to change in regulatory requirements affecting the service provider, security breach, regulatory action on the service provider, etc.) with stipulation of minimum period to execute such plans, as necessary,” the directive said.

In documenting an exit strategy, the regulated entity should identify alternative arrangements, which may include performing the activity by a different service provider or itself, the central bank said.
Moneycontrol News
first published: Jun 23, 2022 06:48 pm