RBI is making IT outsourcing tougher for banks, and that’s a good thing

REs outsource substantial portions of their IT activities to third parties.

Over the years, Indian financial institutions have been outsourcing critical IT services to improve efficiency. However, this exposes them to significant risks.

Recently, in its Draft Master Direction on Outsourcing of IT Services, the Reserve Bank of India (RBI) has issued guidelines for the outsourcing of IT services to protect financial entities in the country from financial, operational and reputational risks. 

Now, Regulated Entities (REs) will need to have IT outsourcing policies in place and evaluate their need for outsourcing based on a comprehensive assessment of the attendant benefits, risks and availability of commensurate processes to manage those risks. Further, REs will also be required to have a robust grievance redressal mechanism, among other things.

RBI has been tightening regulations on the financial sector recently and has been cracking down on fintechs.

Earlier this year, RBI barred Paytm Payments Bank from onboarding new customers, citing ‘material supervisory concerns’. The apex bank even directed Paytm to appoint an IT audit firm to conduct a comprehensive audit of its IT system.

Even though REs do not require approval from the central bank for entering into such outsourcing agreements, such arrangements will be subject to inspection from time to time.

The apex bank has also asked different stakeholders to present their views in this regard. The final master direction will be issued by the RBI after taking the feedback and suggestions into consideration.

The provisions of these directions will be applicable to:

  • Scheduled commercial banks (excluding regional rural banks)
  • Local area banks
  • Small finance banks
  • Payments banks
  • Primary (urban) co-operative banks having asset size of INR 1000 crore and above
  • Non-banking financial companies in top, upper and middle layers
  • Credit information companies
  • All India financial institutions such as NHB, NABARD, SIDBI, EXIM Bank and NaBFID

Purpose

Digitalisation has changed the banking landscape tremendously. More and more customers now rely on digital channels to avail banking services, which makes it imperative for REs to have operational resilience.

In 2021, the RBI banned HDFC Bank from selling new credit cards due to power failures in its primary data centres. Similarly, RBI also banned Mastercard from onboarding new customers as the company was non-compliant with directions on Storage of Payment System Data. These developments show RBI’s intent. 

The guidelines are being drafted by RBI to ensure REs fulfil their obligations and protect customers from any potential risks.

“REs have been extensively leveraging Information Technology (IT) and IT enabled services (ITeS) to support their business models and products and services offered to their customers. REs also outsource substantial portions of their IT activities to third parties. Such reliance on IT/ITeS provided by third parties exposes the REs to significant risks,” RBI said.

Further, the apex bank said REs should ensure that outsourcing arrangements neither diminish their ability to fulfil their obligations to customers nor impede effective supervision by the supervising authority.

Relevant for IT services such as:

  • IT infrastructure management
  • Network and security solutions maintenance
  • Application development, maintenance and testing
  • Services and operations related to data centres
  • Cloud computing services
  • Managed security services
  • Application Service Providers (ASPs) including ATM Switch ASPs
  • Management of IT infrastructure and technology services associated with payment system ecosystem

Why is it a good thing?

To stay competitive and increase efficiency, more and more REs tend to outsource IT services. With no proper framework in place, a major disruption at one of these third parties could pose a significant threat to the financial stability and safety of multiple financial institutions.

The REs need to have business continuity and disaster recovery plans in place in case of a major breach or contract termination.  

The guidelines drafted by the RBI are meant to mitigate such risks and eliminate any events that could put REs in trouble.

Further, the guidelines also mention the use of cloud infrastructure. In this context, RBI stated that while leveraging cloud services, REs must ensure that their outsourcing of IT services policy addresses the entire lifecycle of data, that is, from generation of the data and its entry into the cloud until the data is permanently erased or deleted.

Data privacy and data protection are also important factors to consider. Having robust guidelines in place could help reduce the risk of data breach.

Another positive upshot of these new guidelines could be that REs work on building robust IT infrastructure within India rather than outsourcing it to firms based in foreign countries. However, the neobanks, who operate on an outsourced model, might find it hard to adhere to the policies. 

A global trend

The RBI is not the first supervisory body to tighten the rules around IT outsourcing. In November 2020, the Financial Stability Board, a global organisation tasked with devising standards around risk management, published a paper for public consultation on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. 

In 2019, the European Banking Authority drafted the EBA Guidelines on outsourcing arrangements. The guidelines were published following increasing interest from European and UK regulators on how banks and financial money institutions utilise new fintech solutions and the extent to which they can outsource IT functions and technologies.

During the same period, the Monetary Authority of Singapore (MAS), the city-state’s apex bank, also issued guidelines on outsourcing IT services by players in the domestic financial sector. In fact, some of the guidelines drafted by the RBI are similar to those drafted by MAS.

Pritam Bordoloi

I have a keen interest in creative writing and artificial intelligence. As a journalist, I deep dive into the world of technology and analyse how it’s restructuring business models and reshaping society.