(Vikram Jeet Singh & Arjun Paleri)
Banks and financial institutions rely on cutting-edge information technology solutions to provide services to their clients, and also to keep up with innovations driven by fintechs and FinServ start-ups. Outsourcing IT services is widespread in banks, as it is in most other sectors of the economy. Central banks and regulators have long sought to balance the risks of IT outsourcing against its benefits in efficiency and cost savings.
The Reserve Bank of India (“RBI”) notified a much anticipated overhaul of bank IT outsourcing regulations on April 10, 2023. These are the Master Direction on Outsourcing of Information Technology Services, bearing no. RBI/2023-24/102 (“Directions”).
These Directions follow an extensive consultation process, which saw the RBI issue draft rules and invite public comments during 2022. The stated underlying principle of these Directions is to ensure that outsourcing arrangements neither diminish the ability of banks and other regulated entities (“RE”) to fulfil their obligations to customers, nor impede effective supervision by the RBI. You will also notice an increased focus on data security and protection in these Directions, compared to past versions.
In a welcome move, these new Directions will apply only from October 1, 2023. The new Directions can be accessed here.
Here are some of the major points governed by these Directions. We have also added our quick reactions to some of these changes, below.
Applicability: These Directions apply to ‘Regulated Entities’, which include licensed banks, non-banking financial companies, credit information companies, certain institutional lenders, and also foreign banks operating in India. That said, unregulated third parties providing services to banks and other REs may see some of these compliances ‘trickle down’ into their contracts.
No Prior Approval: These Directions continue the existing regulatory position that no prior approval from the regulator is required in order to outsource. The RE, of course, needs to ensure that such outsourcing is in line with all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, and must also consider reputational impacts.
Outsourcing Policy and Supervision: REs will continue to require an outsourcing policy approved by their own Board of Directors (“Board”). ‘Senior Management’ of the RE is also required to ensure review and oversight; in addition, the RE’s in-house IT function is tasked with monitoring and supervising the relevant outsourced activity.
Due Diligence on IT Service Providers: Due diligence on providers should take into consideration qualitative, quantitative, financial, operational, legal and reputational factors. In addition to conflicts of interest, operational ability, etc., the provider’s ability to segregate the RE’s data, and to ensure data protection, are aspects to be considered.
Binding Agreements: Outsourcing arrangements have to be via binding contracts, which should address (inter alia) the RE’s access to all records, etc.; compliance with applicable data protection regulations; storage of data (as applicable to the concerned REs) only in India as per extant regulatory requirements; reporting requirements in case of a security breach; and the obligation of the service provider to comply with directions issued by the RBI in relation to the activities outsourced to it.
Risk Management and Business Continuity: Improving corporate governance around outsourcing is a major part of these Directions. REs are required to put in place a risk management framework for outsourcing operations, including for the identification, measurement, mitigation, management, and reporting of risks associated with such arrangements. In particular, REs are to ensure that cyber incidents are reported to the RE by the service provider without undue delay.
Cross-Border Outsourcing: While cross-border outsourcing is allowed, it involves certain additional compliance, including formulating policies for addressing any country-specific risk, specifying an exit strategy for extreme situations, and expressly preserving the right of the RE and the RBI to direct and conduct audits or inspections of the service provider, even if it is based in a foreign jurisdiction.
What Happens Next: These new Directions will apply from October 1, 2023, giving businesses a six-month window to implement their requirements. Some of these may require a ‘root-and-branch’ reappraisal of the outsourcing process flow, particularly when it comes to data protection matters. Contracting templates and manuals will also have to be updated, and SOPs created to handle long-lead matters. You should also consider allocating teams and resources to understand the impact of these Directions on your business.
As always, should you have any questions on how this will affect your business, please feel free to write to us at practicemanager@btglegal.com.