The Reserve Bank of India (“RBI”), vide notification no. RBI/2023-24/102 dated April 10, 2023, released the RBI (Outsourcing of Information Technology Services) Directions, 2023 (“Directions”), which are effective from October 1st, 2023 and apply to entities such as commercial banks, urban co-operative banks, non-banking financial companies, credit information companies, etc. (“Regulated Entities”).
According to the RBI, Regulated Entities have been extensively leveraging Information Technology (“IT”) and IT enabled services to support their business models and the products and services offered to their customers. Hence, to mitigate the risks that arise while outsourcing IT services, these Directions will ensure that outsourcing arrangements neither diminish the ability of the Regulated Entities to fulfil their obligations towards customers nor impede effective supervision by the RBI.
The following are some of the key provisions enumerated under the Directions:
- Role of the Regulated Entity
Under the Directions, one of the primary roles of the regulated entity is to ensure that the service provider engaged in rendering the IT services exercises the highest standard of care without compromising the reputation of the regulated entity, and that the supervisory functions and objectives of the RBI are not hampered whilst the IT services are being outsourced. In addition, the Regulated Entities shall carry out a comprehensive assessment of the benefits and risks associated with outsourcing and accordingly evaluate the need for outsourcing and the attendant risks. Lastly, a robust grievance redressal mechanism will be implemented for redressing the grievances of customers in relation to outsourcing the IT services, and the Regulated Entities shall ensure that such outsourcing in no way affects the rights of a customer against them.
- Governance Framework
Before outsourcing any of the IT services or activities, a board-approved comprehensive IT outsourcing policy shall be put in place, which shall incorporate the roles and responsibilities of the board, senior management, IT function and business function, as well as the oversight and assurance functions. Some of the underlying objectives of the policy are to (i) evaluate the risks and materiality of all the existing and prospective IT sourcing arrangements; (ii) monitor, manage, mitigate, and report any risks associated with IT outsourcing to the board committee in a timely manner; and (iii) ensure business continuity plans, including for the exit of any third-party service provider, etc.
- Outsourcing Agreement
Under the Directions, a legally binding agreement shall be executed which clearly defines the rights and obligations of the Regulated Entities and the service providers respectively. As far as the enforceability and the legal effect of the agreement are concerned, the terms and conditions of the agreement shall be carefully defined and vetted by the regulated entity’s legal counsel. Some of the elements that require attention whilst drafting the agreement are as follows: (i) the types of data/information that the service provider is permitted to share with the customers of the Regulated Entities or any other party; (ii) obtaining prior consent from the Regulated Entities before sub-contractors are engaged by the service providers, so as to make the service providers contractually liable for the performance and practices of their sub-contractors; and (iii) maintaining confidentiality of the data of the Regulated Entities and their customers, and putting in place a non-disclosure agreement in terms of the information retained by the service provider to ensure the service provider’s liability to the Regulated Entities in the event of any security breach and leakage of information, etc.
Apart from the aforesaid provisions, the central bank also delved into provisions pertaining to (including but not limited to) cross-border outsourcing, exit strategy, risk management, evaluation and engagement of the service providers, etc. Furthermore, by way of an appendix to the Directions, the RBI has also shared an indicative list of the services which do not fall under the ambit of outsourcing of IT services, along with a list of the vendors/entities who are not considered third-party service providers.
Keeping in mind the exponential growth of the fintech industry and the constant efforts made by our Hon’ble Prime Minister towards making India the hub for digital innovation, the steps taken by the RBI towards regulating the financial sector entities in terms of outsourcing of IT services are a step in the right direction. It is interesting to note that the Directions encompass a comprehensive list of the provisions that are required to be incorporated under the outsourcing agreement. Nonetheless, the RBI has given adequate time to the Regulated Entities to re-visit their outsourcing arrangements and comply with the requirements enclosed under the Directions.