In order to ensure effective management of risks in outsourcing of IT activities by banks, non-banking financial companies, and other regulated entities, the Reserve Bank of India issued a draft ‘Master Direction on Outsourcing of IT Services’. Regulated entities have been extensively leveraging IT and IT-enabled services to support their business models and products and services offered to their customers, and they also outsource a substantial portion of their IT activities to third parties, which exposes the entities to significant risks, the central bank said.
The draft has been released for comments of stakeholders and members of the public. The last date for comments and feedback is July 22, 2022 The draft said that the underlying principle is that the regulated entities should ensure that outsourcing arrangements neither diminish their ability to fulfill their obligations to customers nor impede effective supervision by the supervising authority.
Regulated entities desirous of outsourcing IT and IT-enabled services shall not require prior approval from the RBI, said the draft, adding that such arrangements, however, shall be subject to on-site or off-site monitoring and inspection and scrutiny by the supervising authority. Further, the draft said that the regulated entities shall evaluate the need for outsourcing of IT services based on a comprehensive assessment of attendant benefits, risks, and availability of commensurate processes to manage those risks.
In this process, they shall consider important aspects, such as determining the need for outsourcing based on the criticality of the activity to be outsourced, determining expectations or outcomes from outsourcing, determining success factors and cost-benefit analysis, and deciding the model for outsourcing. On grievance redressal mechanism, the draft said responsibility for redressal of customers’ grievances related to outsourced services shall rest with the regulated entities.
The RBI has shown concerns about risks attached to cross-border outsourcing, saying that the engagement of a service provider based in a different jurisdiction exposes to risk. “To manage such risk, the regulated entity shall closely monitor the service provider’s country’s government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. Further, it shall be ensured that availability of records to the regulated entity and the supervising authority will not be affected even in case of liquidation of the service provider,” the draft said.
Lastly, the draft said the Outsourcing of IT Services policy shall contain a clear exit strategy with regard to outsourced IT activities or IT-enabled services while ensuring business continuity during and after exit.