
RBI directions on outsourcing IT services fills a regulatory lacuna in tech-related issues

The RBI’s recent master direction focuses on the protection of customer data and imposes significant obligations related to compliance and reporting on regulated entities that intend to outsource their information technology to third parties

May 08, 2023 / 13:11 IST

In keeping with the current trend of conducting financial services virtually, many regulated entities (REs) have resorted to outsourcing their information technology services to meet the exponential demand, time constraints and prohibitive costs. However, this trend has the regulator worried about risks to operational resilience and data privacy, since vital tasks of the Indian financial system are being outsourced.

The Reserve Bank of India (RBI), in response to its concerns, published the Master Direction on Outsourcing of Information Technology Services on April 10, 2023, which lays down the specific requirements that REs must comply with when outsourcing information technology services and IT-enabled services to third-party service providers (service providers). The RBI has stated that the underlying principle of the directions is to ensure that outsourcing arrangements neither diminish the ability of the REs to fulfil their obligations to customers nor impede effective supervision by the supervising authority. In this article, we explore how successful the directions are in establishing such a framework.

Risk Mitigation Measures

The directions primarily aim to regulate ‘material’ outsourcing arrangements, i.e., an operation which can specifically impact the RE’s business, if such systems are compromised. At the outset, the RBI sets out the parameters for conducting due diligence to select competent service providers and specifies the minimum requirements for any outsourcing agreement to ensure adequate accountability and effective risk mitigation measures.

The onus is squarely on the RE to retain control and ascertain that the ‘outsourced activity’ has complied with legal and regulatory obligations. The directions also mandate the REs to adopt a business continuity and disaster management plan. We believe this is a welcome step as the directions not only fill the lacuna of regulating technology-related issues, but also prescribe scrutiny and monitoring of service providers to thwart any risk and strengthen cybersecurity. However, the directions notably exclude payment system operators (authorised under Payment and Settlement Act, 2007) and partnership-based fintech firms.

Another notable change is that the directions provide detailed guidance to an RE to establish best practices for monitoring and compliance of, inter alia, cloud infrastructure and ‘securities operation centre’. This has brought clarity and a clear framework to the erstwhile ambiguous and interpretative ‘core function’ of the REs and the extent of their duty and responsibility towards outsourced activities. We believe this is a good attempt at creating a level playing field amongst REs and plugging the loopholes in accountability. Separately, the RBI has placed great emphasis on consumer data protection and, accordingly, has focussed on cross-border outsourcing activities to secure data localisation. In this regard, efforts are on to create separate pools of data so that an entity has access only to relevant data.

Responsibilities of Senior Management

The success of the directions lies in their effective implementation. The RBI has provided a 180-day (until October 1, 2023) window for the REs to adopt the process and establish scientific protocols. Considering the directions largely stay true to the draft regulations issued by the RBI last year, the REs ought to have commenced with the spadework. The establishment of a clear IT outsourcing policy (as prescribed by the directions) by the REs at the earliest can serve as an internal roadmap to their senior management and various departments for setting and implementing the requirements under the directions.

The directions correctly thrust great responsibility on the boards and senior management of the REs for their successful adoption, which we believe adds teeth to the regulations. However, the REs have the ultimate autonomy to outsource to related parties (if the board approves) and formulate internal policies for the selection of service providers. It remains to be seen how well the conflict-of-interest parameters are addressed in practice.

Lastly, the directions require REs to provide a robust grievance redressal mechanism, but the accountability buck stops at the RE: the directions expressly clarify that the rights of the customer vis-à-vis the RE are not compromised or diluted, and the RE cannot take the defence that the functions were outsourced.

We believe that the master direction marks a major step forward in regulating IT services. The idea is to arrest the threat of unauthorised access, prevent the loss or theft of customer information, and establish best principles on governance, risk and safety in digital platforms to maintain the reputation and stability of the REs.

With inputs from Vishrut Jain, senior consultant, Cyril Amarchand Mangaldas.

Anu Tiwari is Partner and Co-head, Fintech and Lakshmi Prakash is Partner, Cyril Amarchand Mangaldas. Views are personal and do not represent the stand of the publication. 
