IGI Logo

The Reserve Bank of India (RBI) has proposed guidelines for the outsourcing of Information Technology (IT) Services to ring-fence banks and other regulated entities from financial, operational and reputational risks. According to RBI's draft Master Direction on Outsourcing of IT Services, regulated entities (REs) will not require prior approval from the central bank for the outsourcing of IT and IT-enabled services.

The draft said the underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. Banks, payment banks, cooperative banks, credit information companies, NBFCs and other regulated entities, would be required to put in place a comprehensive board-approved IT outsourcing policy. Outsourcing of any activity of the RE shall not diminish its obligations as also of its Board and senior management, who shall be ultimately responsible for the outsourced activity. RE shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the RE if the same activity was not outsourced.

The draft specifies the role of the board and senior management, besides norms pertaining to the usage of cloud computing services and outsourcing of the Security Operations Center (SOC). The RBI has also proposed that the REs should set up a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing, meaning responsibility for redressal of customers’ grievances related to outsourced services would rest with them. As per the draft, a risk management framework for the outsourcing of IT services should comprehensively deal with the processes and responsibilities for the identification, measurement, mitigation/ management and reporting of risks associated with outsourcing.