With the increasing internet penetration in India, various sectors, including the financial sector, are adopting newer and more efficient technologies. In order to access these technologies easily, financial institutions have been outsourcing their IT services to third-party providers. However, this practice exposes them to significant financial, operational, and reputational risks, as highlighted by the Reserve Bank of India (RBI). To address these concerns, the RBI released Master Direction on Outsourcing of Information Technology Services, effective from April 10, 2023.
This action followed the RBI's Statement on Developmental and Regulatory Policies of February 2022, which flagged the risks associated with the outsourcing of IT services by regulated entities such as banks and non-bank financial companies. The Draft Master Direction on Outsourcing of IT Services was initially released in June 2022, leading to the introduction of the current Outsourcing Directions as a legally binding framework.
Applicability & Effective Date
It is worth noting that the current governing law for IT service outsourcing in the NBFC sector, the Master Direction - Information Technology Framework for the NBFC Sector (IT Directions), determines applicability based on the NBFC's asset size. If the NBFC's asset size exceeds Rs. 500 crores, the IT outsourcing provisions of the IT Directions apply. However, with the introduction of the Master Directions, the applicability is now directly linked to the categorization of the NBFC under the SBR Framework. Therefore, the provisions of the Master Direction will not be applicable to base-layer NBFCs.
The effective date of the Master Directions is October 01, 2023. The Outsourcing Directions apply specifically to arrangements made for the material outsourcing of IT Services by Regulated Entities (REs). The term "Outsourcing of IT Services" encompasses various activities such as the outsourcing of IT infrastructure management, maintenance and support, network and security solutions and maintenance (hardware, software, or firmware), services and operations related to data centers, and the management of IT infrastructure and technology services associated with the payment system ecosystem.
Material outsourcing of IT services refers to services that, if disrupted or compromised, could have a significant impact on the RE's business operations or a material impact on the RE's customers in case of unauthorized access, loss, or theft of customer information.
There are certain services and vendors that fall outside the scope of the Outsourcing Directions. These include services that are not considered "outsourcing of IT Services," such as corporate internet banking services, external audit services like vulnerability assessment/penetration testing, SMS gateways, off-the-shelf software products under license, payroll processing, and IT hardware procurement. Additionally, vendors who are not classified as "Third-Party Service Providers," such as business correspondents, payment system operators, co-branding fintech partners, telecom service providers, and IT security and audit consultants, are also exempt from the Outsourcing Directions.
In cases where REs utilize cloud computing services or outsource security operations centre services, the Outsourcing Directions impose additional requirements. These include the adoption of a cloud adoption policy and security measures, disaster recovery and incident response plans, audits, adequate oversight, physical access controls in certain areas, and other specified measures.
Key Obligations Under The Outsourcing Directions
- Due Diligence: As per the Outsourcing Directions, regulated entities (REs) must assess the necessity of outsourcing based on the criticality of the activity, expected outcomes, success factors, cost-benefit analysis, and the outsourcing model. Thorough due diligence should be conducted, considering factors such as the service provider's experience, financial stability, ability to meet commitments under adverse conditions, business reputation and culture, and the political, economic, social, and legal environment of the service provider's jurisdiction.
- Governance: Outsourcing does not relieve the RE, its board, or senior members of their responsibilities. The RE should ensure that the service provider maintains the same high standard of care in performing the activities as the RE would have if the activity was not outsourced. Additionally, if the service provider is not a group company, it should not be owned or controlled by any directors, key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives. However, this requirement can be waived with board approval and proper oversight and monitoring. REs must have a board-approved outsourcing policy that encompasses roles, responsibilities, criteria for outsourcing, disaster recovery, termination processes, exit strategies, and business continuity within the outsourcing framework. The Outsourcing Directions outline specific responsibilities for the board, senior management, and the IT function of the RE.
- Grievance Redressal: The RE should maintain an uncompromised grievance redressal mechanism, regardless of outsourcing arrangements.
- Outsourcing Agreement: REs must have a legally binding written agreement with each service provider. The agreement should provide flexibility for the RE to retain adequate control over the outsourced activity or the right to intervene when necessary. It should also clearly define the nature of the relationship between the RE and the service provider. The Outsourcing Directions specify key provisions that should be included in the agreement, such as service definitions, monitoring and assessment mechanisms, sub-contracting only with prior consent, and contingency plans. The regulator should have the authority to inspect the service provider and its sub-contractors, as well as to access the RE's infrastructure and the data stored or processed by the service provider and its sub-contractors. The service provider must comply with the RBI's directions and other applicable laws, including the Information Technology Act, 2000. The agreement should address data-related aspects, including data localisation requirements, details of data processing and sharing, the service provider's liability for confidentiality/security breaches, and more.
- Risk Assessment and Exit: REs are responsible for their customers' activities, including incidents related to cybersecurity, information confidentiality, and integrity. REs must conduct risk assessments, maintain a risk management framework, and ensure that incidents, including cyber incidents and service disruptions, are reported to them by the service provider without undue delay. REs should report such incidents to the RBI within six hours of detection, as opposed to the immediate reporting requirement proposed in the Draft Directions.
- Management Framework and Audit: The Outsourcing Directions prescribe a management framework for monitoring and controlling outsourced activities, including service uptime, service levels, and certifications. REs must conduct regular audits of service providers by external or internal auditors. Pooled audits of a service provider are permitted for REs availing services from the same provider, provided the audit requirements are effectively met.
- Existing guidelines: While the Outsourcing Directions specifically address the outsourcing of IT services, the existing outsourcing framework continues to apply to regulated entities (REs) for non-core activities, including financial services. Depending on the scope of outsourcing activities, both the Outsourcing Directions and the existing framework may be applicable. Payment system operators are governed by the RBI Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators, 2021.
- Applicability of the Outsourcing Directions: The determination of materiality in relation to the Outsourcing Directions may pose a challenge for REs. The definition of "Material Outsourcing of IT Services" is broad and open to interpretation, and there are no specific obligations outlined for material outsourcing. The obligations mentioned in the Outsourcing Directions generally apply to outsourcing of IT services, which has a wider definition than material outsourcing. REs may choose to apply the obligations across all outsourcing of IT services, which could have significant implications for service providers in terms of compliance requirements.
- Renewal and New Agreements: REs will need to review their existing outsourcing agreements and reassess their outsourcing arrangements, particularly for REs operating across multiple jurisdictions due to cross-border provisions. The agreements must be renewed to align with the obligations outlined in the Outsourcing Directions within the specified timeline. REs entering new outsourcing arrangements must carefully evaluate the requirements set forth in the Outsourcing Directions and ensure compliance within the applicable timeline.
- Impact on Service Providers: REs' heightened compliance requirements under the Outsourcing Directions may lead them to pass certain compliance obligations on to service providers in order to meet their own legal obligations. The specific requirements imposed on service providers may vary depending on the RE's contractual approach, wording, and extent of compliance. These may include audit rights for the RE and the RBI, data storage and confidentiality norms, immediate reporting of cyber incidents, and the RE's ability to amend certain terms of the agreement for risk management purposes. Service providers should be aware of the RE's legal obligations and negotiate their agreements accordingly, ensuring that the obligations imposed are reasonable and within the scope of the Outsourcing Directions.
What is the difference between the Outsourcing Directions and the existing outsourcing framework for regulated entities (REs) in India?
The Outsourcing Directions specifically focus on the outsourcing of IT services, while the existing framework covers the outsourcing of various non-core activities, including financial services. Both frameworks may apply to REs depending on the scope of their outsourcing activities.
How will the Outsourcing Directions impact service providers in the financial sector?
Service providers may face increased compliance requirements from REs due to the heightened obligations outlined in the Outsourcing Directions. These may include audit rights, data storage and confidentiality norms, immediate reporting of cyber incidents, and potential flexibility for the RE to amend certain agreement terms for risk management purposes.
What should REs consider when renewing or entering into new outsourcing agreements?
REs need to carefully review and align their existing outsourcing agreements with the obligations outlined in the Outsourcing Directions within the prescribed timeline. For new agreements, REs must evaluate the requirements set forth in the Directions and ensure compliance from the start. This includes assessing the impact on cross-border provisions and considering the implications for service providers in terms of meeting the REs' compliance requirements.
King Stubb & Kasiva,
Advocates & Attorneys