RBI regulates outsourcing of IT Services by financial entities

-Anirudh Grover, Executive | finserv@vinodkothari.com

1. Introduction

With the penetration of the internet in India, newer and more efficient technologies are being built and leveraged by various sectors of the economy, the financial sector among them. Financial institutions have extensively outsourced their IT services requirements to third parties in order to get easier access to newer technologies. In availing the services of a third party, however, financial institutions expose themselves to significant financial, operational, and reputational risk, as the Reserve Bank of India has pointed out.

Accordingly, the RBI in the year 2022 had, in its Statement on Developmental and Regulatory Policies, proposed to issue draft directions on outsourcing of IT services, since the existing Directions on Managing Risks and Code in Outsourcing of Financial Services (‘Guidelines on Outsourcing of Financial Services’), as provided for in the Master Direction- Non Banking Financial Company- Systemically Important Non Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016 (Updated as on December 29, 2022) (‘SI Directions’), specifically excluded IT services from their ambit. Following this, on June 23, 2022, the RBI issued the Draft Master Direction on Outsourcing of IT Services (‘Draft IT Outsourcing Directions’) for public comments. We briefly discussed the introduction of the Draft IT Outsourcing Directions in our previous write-up.

Now, on April 10, 2023, the RBI has issued the final Master Directions on Outsourcing of IT Services (‘Master Directions’) on the basis of the public comments, largely adopting what had been proposed in the Draft IT Outsourcing Directions. Through this write-up, the writer captures the key aspects which a Regulated Entity (‘RE’) will have to take into consideration when outsourcing its IT services.

2. Applicability & Effective Date

The Master Directions are applicable, inter alia, to banking companies, primary co-operative banks, and non-banking financial companies in the Middle, Upper and Top Layer as per the Scale Based Regulations (‘SBR Framework’). It will be relevant to note here that under the Master Direction – Information Technology Framework for the NBFC Sector (‘IT Directions’), which is the present governing law for the outsourcing of IT services by NBFCs, applicability is based on the asset size of the NBFC, i.e. if the asset size of the NBFC is above Rs. 500 crores the IT outsourcing provisions apply. With the introduction of the Master Directions, this applicability has now been linked directly to the categorisation of the NBFC under the SBR Framework; hence, the provisions of the Master Directions will not be applicable to base-layer NBFCs.

The effective date of the Master Directions is October 01, 2023. A key question that arises in this regard is whether existing agreements or only new agreements will have to comply with the Master Directions. It will be relevant to note here that the RBI has provided a glide path for existing and new material outsourcing agreements, as follows:

  • Existing Outsourcing Agreements
  1. For agreements renewable before the Effective Date: The provisions of the Master Directions shall preferably be complied with by the renewal date, and not later than 12 months from the issuance of the Master Directions.
  2. For agreements renewable on or after the Effective Date: The provisions of the Master Directions shall preferably be complied with by the renewal date or 36 months from the issuance of the Master Directions, whichever is earlier.
  • New Outsourcing Agreements
  1. For agreements that come into force before the Effective Date: The provisions of the Master Directions shall preferably be complied with as on the agreement date, and not later than 12 months from the issuance of the Master Directions.
  2. For agreements that come into force on or after the Effective Date: The provisions of the Master Directions shall be complied with as on the agreement date itself.

Thus, in the interim, i.e. until the aforesaid timelines for the outsourcing agreements are triggered, an RE, despite being classified in a layer above the base layer, can continue to follow the IT Directions, which provide specific guidelines for the outsourcing of IT services.

3. Definitions

The Master Directions have inserted a few new definitions that were not part of the IT Directions but were part of the Draft IT Outsourcing Directions. These are the definitions of (i) Material Outsourcing of IT Services, (ii) Service Provider, (iii) Group, and (iv) Outsourcing and Outsourcing of IT Services. It will be important to note here that largely all these defined terms are premised on, or are similar to, the definitions provided in the Guidelines on Outsourcing of Financial Services. This can be seen from the comparison below:

Particulars: Material Outsourcing
  Guidelines on Outsourcing of Financial Services: Material Outsourcing are those which, if disrupted, have the potential to significantly impact the business operations, reputations, profitability or customer service.
  Master Directions: “Material Outsourcing of IT Services” are those which:
    a) if disrupted or compromised shall have the potential to significantly impact the RE’s business operations; or
    b) may have material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.

Particulars: Outsourcing
  Guidelines on Outsourcing of Financial Services: ‘Outsourcing’ is defined as the NBFC’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future.
  Master Directions: ‘Outsourcing’ may be defined as a bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future.

Additionally, as mentioned above, apart from these two definitions a few other definitions have also been incorporated in the Master Directions. Of these, the RE must pay particular attention to the definition of Service Provider: vide Appendix III of the Master Directions, the RBI has notified an inclusive list of activities that are not to be considered as Services/Activities under the Master Directions. Appendix III also lists vendors/entities that are not considered Third-Party Service Providers (‘TPSP’).

4. Governance Framework

IT Outsourcing Policy

From the governance point of view, the RE has been mandated to put in place a comprehensive board approved policy covering the following key aspects: 

  • Roles and Responsibilities of the Board, Board Committees and Senior Management;
  • Criteria for selection of the IT activities being outsourced and of the service providers, which can also be group entities or cross-border service providers provided certain pre-conditions are met, such as the arrangement being on an arm’s length basis (in the case of group entities acting as service providers).

It will be relevant to note here that REs have so far been covering the activity of outsourcing of IT services as a part of their Information Technology Policy; however, from the Effective Date, an RE will have to draft and put in place a policy dealing specifically with outsourcing of IT services. It can be contended that this requirement of an IT Outsourcing Policy can be met by incorporating a section in the existing outsourcing policy that REs already have in place, as the regulatory requirements pertaining to outsourcing are similar across services.

Role of Board, Senior Management, and IT Function

In the IT Directions, the responsibility for outsourcing of IT functions was largely entrusted to the IT Strategy Committee; in the Master Directions, however, the governance responsibilities have been demarcated by clearly delineating the responsibilities of the board, senior management and the IT function. The terms board and senior management are evidently quite self-explanatory, but the term IT function may require explanation. Although the RBI has not provided any particular definition in this respect, from a general standpoint, and on reading the roles and responsibilities, it can be safely presumed that the IT function will mainly consist of the IT team that has the required qualifications to understand the intricacies of the IT function and thereby assist senior management and the board in understanding it.

The hierarchy in this regard can be seen from the figure below:

5. Role & Responsibilities of the Regulated Entity

The role of the RE has been sub-classified into the following four categories:

6. Engagement of Service Providers

It shall be incumbent on the RE to undertake due diligence before engaging a Service Provider, following a risk-based approach that takes into consideration qualitative, quantitative, financial, operational, legal and reputational factors. Further, wherever possible, the RE shall also obtain independent reviews and market feedback on the Service Provider to supplement its own assessment. As a reference, the Master Directions list an inclusive set of aspects that the RE shall consider when conducting due diligence, which includes factors such as capability, financial soundness, business reputation, information/cyber security risk assessment, etc. It may be noted that this inclusive list of aspects is also part of the existing Guidelines on Outsourcing of Financial Services; hence, an RE can apply to the outsourcing of IT services the same due diligence approach it already has in place for outsourcing of financial services.

7. Outsourcing Agreement

The Master Directions have further mandated the RE (similar to what has been provided in the Guidelines on Outsourcing of Financial Services) to enter into legally binding agreements that clearly define the rights and obligations of the RE and each of its service providers. Such legally binding agreements shall be carefully vetted by the legal counsel of the RE. The minimum contents that must be included in the outsourcing agreement have also been provided in the Master Directions, drawing reference from para 5.5 of the Code for Outsourcing of Financial Services.

8. Risk Management

Public confidence and customer trust in the RE are a prerequisite for the stability and reputation of the RE, and hence the Master Directions have mandated the RE to put in place a Risk Management Framework that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of the risks associated with IT outsourcing arrangements. The REs covered by these Master Directions are largely entities with large asset sizes and will therefore have multiple service providers dealing in various IT services. Thus it becomes all the more imperative for the RE to have in place systems to assess the risks across these service providers and thereby establish a controlled environment for all service providers that have access to the RE’s data, systems, records, or resources.

9. Reporting of Cyber Attacks

Since IT outsourcing requires data sharing with service providers, which may expose the service provider to cyber attacks resulting in unauthorised access to data by the attackers, the RE shall ensure that cyber incidents are reported to the RE by the service provider without any undue delay, so that they can be reported to the RBI within 6 hours of detection by the Service Provider.

10. Business Continuity and Disaster Plan

Unfettered access to services is another aspect that comes into the picture while considering the risk management framework; therefore, the RE has been mandated to ensure that its service providers have a robust framework for documenting, maintaining and testing a Business Continuity Plan (BCP) and Disaster Recovery Plan. While this covers the outsourced front, the RE has also been required to consider the possibility of bringing the outsourced activity back in-house in an emergency situation. Further, in situations of unexpected termination or insolvency/liquidation of the service provider, the RE shall ensure that measures are in place for removing all its assets from the possession of the Service Provider.

11. Monitoring and Control of Outsourced Activities

Once an activity is outsourced, the monitoring and control of that outsourced activity also plays an extremely important role in the overall outsourcing framework. In this regard, the following actions can be undertaken by the RE:

  • Monitoring the performance, uptime of the systems and resources, service availability, adherence to SLA requirements, and the incident response mechanism;
  • Conducting regular audits, either by the internal auditors of the RE or by external auditors acting on behalf of the RE.

Further, to deal with situations where the same Service Provider is subject to a multiplicity of audits, a solution of shared/pooled audits has been introduced, which will allow REs either to pool their audit resources or to engage an independent third-party auditor to jointly audit a common service provider.

Concluding Remarks

The Master Directions are intended to specifically regulate the increasing outsourcing of IT services by financial entities. Though the provisions are mostly along the same lines as the existing Guidelines on Outsourcing of Financial Services, REs will now have to ensure compliance with them specifically for the outsourcing of IT services.


1 reply

Amy Jackson says:

RBI plays an important role in regulating IT outsourcing services in the financial sector in India, with the aim of ensuring the security, stability, and integrity of the financial system. Thanks for this important tech update!
