Regulated Entities (REs) have been extensively leveraging Information Technology (IT) and IT-enabled services (ITeS) in their business, products and services with increasing dependence on third parties. Such reliance on IT/ITeS provided by third parties exposes the REs to various risks.
It was announced in the Statement on Developmental and Regulatory Policies, released with the bi-monthly Monetary Policy Statement dated February 10, 2022, that draft guidelines on risk management framework for Outsourcing of IT Services, managing related concentration risk, its periodic risk assessment and aspects of outsourcing of IT Services to foreign service providers, will be issued by the Reserve Bank of India.
Accordingly, the Reserve Bank has released a draft Master Direction on Outsourcing of IT Services, for comments of stakeholders and members of public.
This advisory covers all Registered Entities as listed below :
- Scheduled Commercial Banks (excluding Regional Rural Banks)
- Local Area Banks
- Small Finance Banks
- Payments Banks
- Primary (Urban) Co-operative Banks having asset size of ₹1000 crore and above
- Non-Banking Financial Companies in Top, Upper and Middle Layers
- Credit Information Companies
- All India Financial Institutions (NHB, NABARD, SIDBI, EXIM Bank and NaBFID)
The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. REs desirous of outsourcing of IT and IT enabled services shall not require prior approval from RBI. However, such arrangements shall be subject to on-site/ off-site monitoring and inspection/ scrutiny by the supervising authority.
These Directions shall apply to material Outsourcing of IT Services arrangements (as defined in para 1.7 below) entered by the REs.
What the Draft document contains ?
- Service Provider
- Information Technology (IT) Outsourcing
- Material Outsourcing of IT Services
- Criticality of Outsourcing of IT Services
- RE’s role in Outsourcing of IT Services- Regulatory and Supervisory requirements
- Governance Framework
- Role of the Board
- Role of the Senior Management
- Role of IT Function
- Evaluation and engagement of Service Providers
- Outsourcing Agreement
- Risk Management
- Business Continuity Plan and Disaster Recovery Plan
- Monitoring and Control of Outsourced Activities
- Outsourcing within a Group/ Conglomerate
- Additional requirements for cross-border outsourcing
- Exit Strategy
Comments / feedback from REs and other stakeholders may be submitted by July 22, 2022 through email with the subject line ‘Feedback on Master Direction on Outsourcing of IT Services’.
The final Master Direction shall be issued by Reserve Bank after considering the feedback received.
Download the Draft Master Direction Document released by RBI from the button below :