The Reserve Bank of India (RBI) has released a draft “Master Direction on Outsourcing of Information Technology (IT) Services”, wherein it has proposed norms for the outsourcing of IT services to ring-fence banks and other regulated entities from financial, operational and reputational risks. As per the latest norm, the regulated entities (REs) will not require prior approval from the central bank for the outsourcing of IT and IT-enabled services.
As per the draft, the banks, payment banks, cooperative banks, credit information companies, non-banking financial companies (NBFCs) and other regulated entities, would be required to put in place a comprehensive board-approved IT outsourcing policy. The draft specifies the role of the board and senior management, besides norms pertaining to the usage of cloud computing services and outsourcing of the Security Operations Center (SOC). The RBI has also proposed that the REs should set up a robust grievance redressal mechanism. With this norm, the responsibility for redressal of customers’ grievances related to outsourced services would rest with them.
Besides, the draft further notes that a risk management framework for the outsourcing of IT services should comprehensively deal with the processes and responsibilities for the identification, measurement, mitigation/ management and reporting of risks associated with outsourcing. Entities regulated by the RBI should also require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Also, a RE could outsource any IT activity/IT-enabled service within its business group/ conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/ agreements with its group entities are in place, the draft said, while proposing an additional requirements for cross-border outsourcing. The RBI has invited comments from stakeholders by July 22, 2022 on the draft policy.
