RBI is making IT outsourcing tougher for banks, and that’s a good thing

REs outsource substantial portions of their IT activities to third parties.
Listen to this story

Over the years, the Indian financial institutions have been outsourcing critical IT services to accelerate efficiency. However, this exposes them to significant risks.

Recently, in its Draft Master Direction on Outsourcing of IT Services, the Reserve Bank of India (RBI) has issued guidelines for the outsourcing of IT services to protect financial entities in the country from financial, operational and reputational risks. 

Now, Regulated Entities (REs) will need to have IT outsourcing policies in place and also evaluate their need for outsourcing based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks. Further, REs will also be required to have a robust grievance redressal mechanism among other things.


Sign up for your weekly dose of what's up in emerging technology.

RBI has been tightening regulations on the financial sector recently and has been cracking down on fintechs.

Earlier this year, RBI barred Paytm Payments Bank from onboarding new customers, citing ‘material supervisory concerns’. The apex bank even directed Paytm to appoint an IT audit firm to conduct a comprehensive audit of its IT system.

Even though REs do not require approval from the central bank for entering into such outsourcing agreements, such arrangements will be subject to inspection from time to time.

The apex bank has also asked different stakeholders to present their views in this regard. The final master direction will be issued by the RBI after taking into consideration the feedbacks/ suggestions.

The provisions of these directions will be applicable to:

  • Scheduled commercial banks (excluding regional rural banks)
  • Local area banks
  • Small finance banks
  • Payments banks
  • Primary (urban) co-operative banks having asset size of INR 1000 crore and above
  • Non-banking financial companies in top, upper and middle layers
  • Credit information companies
  • All India financial institutions such as NHB, NABARD, SIDBI, EXIM Bank and NaBFID


Digitalisation has changed the banking landscape tremendously. Now,  more and more customers are now relying on digital channels to avail banking services, which makes it imperative for REs to have operational resilience.

In 2021, the RBI banned HDFC Bank from selling new credit cards due to power failures in its primary data centres. Similarly, RBI also banned Mastercard from onboarding new customers as the company was non-compliant with directions on Storage of Payment System Data. These developments show RBI’s intent. 

The guidelines are being drafted by RBI to ensure REs fulfil their obligations and protect customers from any potential risks.

“REs have been extensively leveraging Information Technology (IT) and IT enabled services (ITeS) to support their business models and products and services offered to their customers. REs also outsource substantial portions of their IT activities to third parties. Such reliance on IT/ ITeS provided by third parties expose the REs to significant risks,” RBI said.

Further, the apex bank said REs should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. 

Relevant for IT services such as:

  • IT infrastructure management
  • Network and security solutions maintenance
  • Application development, maintenance and testing
  • Services and operations related to data centres
  • Cloud computing services
  • Managed security services
  • Application Service Providers (ASPs) including ATM Switch ASPs5
  • Management of IT infrastructure and technology services associated with payment system ecosystem

Why is it a good thing?

To stay competitive and increase efficiency, more and more REs tend to outsource IT services. With no proper framework in place, a major disruption at one of these third parties could pose a significant threat towards the financial stability and safety of multiple financial institutions.

The REs need to have business continuity and disaster recovery plans in place in case of a major breach or contract termination.  

The guidelines drafted by the RBI are to mitigate such risk and eliminate any events that could put REs in trouble.

Further, the guidelines also mentions the use of cloud infrastructure. In this context, RBI stated that ​​while leveraging cloud services, REs must ensure that outsourcing of IT Services policy addresses the entire lifecycle of data. That is, from generation of the data, its entry into the cloud, until the data is permanently erased/ deleted. 

Data privacy and data protection are also important factors to consider. Having robust guidelines in place could help reduce the risk of data breach.

Another positive upshot of these new guidelines could be that REs work on building robust IT infrastructure within India rather than outsourcing it to firms based in foreign countries. However, the neobanks, who operate on an outsourced model, might find it hard to adhere to the policies. 

A global trend

The RBI is not the first supervisory body to tighten the rules around IT outsourcing. In November 2020, the Financial Stability Board, a global organisation tasked with devising standards around risk management, published a paper for public consultation on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. 

In 2019, the European Banking Authority drafted the EBA Guidelines on outsourcing arrangements. The guidelines were published following increasing interest from European and UK regulators on how banks and financial money institutions utilise new fintech solutions and the extent to which they can outsource IT functions and technologies.

During the same period, the Monetary Authority of Singapore (MAS), the city-state’s apex bank, also issued guidelines on outsourcing IT services by players in the domestic financial sector. In fact, some of the guidelines drafted by the RBI are similar to those drafted by MAS.

More Great AIM Stories

Pritam Bordoloi
I have a keen interest in creative writing and artificial intelligence. As a journalist, I deep dive into the world of technology and analyse how it’s restructuring business models and reshaping society.

Our Upcoming Events

Conference, in-person (Bangalore)
Machine Learning Developers Summit (MLDS) 2023
19-20th Jan, 2023

Conference, in-person (Bangalore)
Rising 2023 | Women in Tech Conference
16-17th Mar, 2023

Conference, in-person (Bangalore)
Data Engineering Summit (DES) 2023
27-28th Apr, 2023

Conference, in-person (Bangalore)
MachineCon 2023
23rd Jun, 2023

Conference, in-person (Bangalore)
Cypher 2023
20-22nd Sep, 2023

3 Ways to Join our Community

Whatsapp group

Discover special offers, top stories, upcoming events, and more.

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Subscribe to our newsletter

Get the latest updates from AIM