IT Outsourcing Under the RBI’s 2025 Directions: What Has Changed?

/0 Comments/in /by

By Archisman Bhattacharjee & Avikal Kothari | Finserv@vinodkothari.com  

Introduction

On November 28, 2025, the Reserve Bank of India (“RBI”) issued the Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 (“Outsourcing Directions”), thereby repealing the erstwhile directions governing IT outsourcing and financial services outsourcing. For the purposes of this article, our discussion is confined to Chapter IV of the Outsourcing Directions, which specifically deals with outsourcing of information technology (“IT”) services. While the Outsourcing Directions largely represent a consolidation of the existing regulatory framework as also clarified by the RBI in its Consolidation of Regulations – Withdrawal of Circulars dated November 28, 2025, they also provide enhanced clarity and structure to the regulatory expectations applicable to IT outsourcing arrangements of NBFCs. This article seeks to examine whether, and to what extent, any additional or expanded obligations have been introduced by the RBI under the consolidated framework.

Applicability

Chapter IV of the Outsourcing Directions, dealing with IT services outsourcing is applicable on NBFC-ML and above, which was also the case for the Erstwhile IT Outsourcing Directions

Transitional Timeline for Compliance of Existing IT Outsourcing Arrangements

The erstwhile IT Outsourcing Directions had become applicable with effect from October 1, 2023. Under the Outsourcing Directions, the RBI has now prescribed a specific transition mechanism for existing IT outsourcing arrangements. In this regard, para 2 of the Outsourcing Directions provides that:

“These Directions shall come into force with immediate effect

Provided that for Non-Banking Financial Companies covered under the scope of these Directions, as mentioned in paragraph 3, their existing Information Technology (IT) outsourcing agreements, regardless of whether they are due for renewal on or after the effective date of these Directions, shall comply with the provisions of these Directions either at the time of renewal or by April 10, 2026, whichever is earlier.”

Given that the Outsourcing Directions are primarily in the nature of a consolidation exercise and do not introduce materially new obligations, the timeline up to April 10, 2026 appears to be intended to provide NBFCs with a reasonable window to align their existing IT outsourcing agreements with the consolidated framework. Accordingly, NBFCs should utilise this transition period to review, amend, and, where necessary, renegotiate their existing IT outsourcing contracts to ensure full compliance with the Outsourcing Directions within the prescribed timeline.

Against this backdrop, it becomes important to examine the substantive requirements laid down under Chapter IV of the Outsourcing Directions in relation to outsourcing of IT services to third-party vendors. The following section discusses the key regulatory expectations and compliance obligations applicable to NBFCs when engaging third-party service providers for IT outsourcing.

  1. Expanded scope of Service Provider Definition

The definition of “service provider” as defined under paragraph 58(3) of the Outsourcing Directions is expansive and extends beyond the primary contracting entity to include sub-contractors, third-party vendors, and entities forming part of the service delivery chain. Further the Outsourcing Directions under paragraph 58(4)have also now defined the term “sub-contractor” to mean:

“… those providing material / significant IT services to the service provider and is specific to the material / significant IT services arrangement that the NBFC has entered into with the service provider”

Accordingly, a sub-contractor that provides material or significant IT services to a service provider, where such services are critical to the delivery of the outsourced arrangement to the NBFC, would also fall within the ambit of the Outsourcing Directions. For instance, where an NBFC avails a SaaS solution from a third-party service provider, any entity that supplies core software or technology to such SaaS provider, without which the service cannot be effectively rendered, may be regarded as a material service provider for the purposes of the Outsourcing Directions. 

While the erstwhile IT Outsourcing Directions did prescribe certain obligations in respect of sub-contractors (and the obligations of NBFCs vis-à-vis their primary service providers largely remain unchanged under the Outsourcing Directions), the current framework introduces greater clarity on who qualifies as a “sub-contractor.”

Actionables for NBFCs:
NBFCs should reassess their existing IT outsourcing landscape to identify all arrangements that fall within the expanded scope, including indirect or layered service delivery models. Vendor inventories should be updated to capture not only primary service providers but also material sub-contractors and supply-chain entities involved in the provision of IT services.  Furthermore, NBFCs are advised suitably amend its existing policies to clearly specify the framework and criteria for identification of sub-contractors. This may, inter alia, include requiring service providers to furnish a list of their appointed sub-contractors along with details of the functions performed by each, and undertaking an assessment, in consultation with the relevant service provider, to determine whether such sub-contractors are material or non-material.

  1. Audit and Due Diligence 

The Outsourcing Directions require NBFCs to conduct risk-based due diligence of IT service providers, this includes tracking system performance, uptime, service availability, Service Level Agreement,  compliance and incident response on an ongoing basis. Regular risk-based audits of service providers, including sub-contractors, have been formalised, with an option to rely on pooled audits or recognised third-party certifications, though this does not dilute the NBFC’s responsibility for data security and system availability. NBFCs must also periodically review the financial and operational strength of service providers to identify any deterioration in performance, security or resilience. Access rights have been strengthened, requiring service providers to provide unrestricted access to relevant data and premises for NBFCs, auditors and regulators. 

Actionables for NBFCs:

NBFCs should strengthen vendor due diligence processes and establish mechanisms for periodic review of service providers. Oversight frameworks should extend to subcontractors and material supply-chain entities, with clear accountability resting on the primary service provider. Overall, the changes make due diligence an ongoing obligation rather than a one-time exercise, requiring NBFCs to strengthen internal monitoring structures, audit planning and vendor risk management practices. 

Further, considering that the RBI has mandated compliance of the agreements with the Outsourcing Directions by April 10, 2026, it is advisable for NBFCs to undertake a comprehensive review of the service level agreements and other contractual arrangements executed with all its material IT vendors to ensure alignment with the requirements set out under paragraphs 33, 34, 73 and 74 of the Outsourcing Directions.

Additionally, prior to April 10, 2026, NBFCs are suggested to conduct audits of its material service providers to verify:

  1. compliance with the contractual obligations agreed between the NBFC and the respective vendor; and
  2. adherence by such vendors to the applicable requirements prescribed under the IT outsourcing framework.

Alternatively, the Company may also rely on globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits.

Where, based on such review or audit, the NBFC forms the view that a vendor is not in compliance with the contractual terms or applicable regulatory requirements, the NBFC should require the vendor to implement corrective action within defined timelines and, where necessary, amend or renegotiate the existing agreements to ensure alignment with the Outsourcing Directions. 

Further, the NBFC should appropriately document such reviews, audits, and remediation measures and place the same before the senior management, in accordance with the requirements of paragraph 78 of the Outsourcing Directions, and/or before such a committee as may be identified under the NBFC’s IT Outsourcing Policy. Any material or adverse developments should also be escalated to the Board in alignment with the requirements of paragraph 78 of the Outsourcing Directions.

In cases where remediation or contractual modification is not feasible, the Company should maintain an exit plan/exit strategy, including identification of alternate service providers and/or arrangements for bringing the outsourced services in-house, so as to ensure continuity of critical operations and minimal disruption to customers.

Conclusion

The Outsourcing Directions mark a significant step by the RBI towards consolidating and strengthening the regulatory framework governing IT outsourcing by NBFCs. While the underlying obligations remain broadly consistent with the erstwhile regime, the transition period up to April 10, 2026 provides NBFCs with a critical opportunity to holistically reassess their IT outsourcing arrangements, rationalise vendor ecosystems, and embed robust contractual, operational, and governance safeguards. NBFCs that proactively undertake structured reviews, strengthen vendor risk management, and institutionalise ongoing monitoring mechanisms will be better positioned not only to achieve regulatory compliance but also to enhance operational resilience and customer trust.

Ultimately, IT outsourcing under the Outsourcing Directions is no longer a purely contractual or procurement function—it is a core governance and risk management responsibility. Treating it as such will be essential for NBFCs navigating an increasingly digital and interconnected financial services ecosystem.

See our other resources:

  1. RBI regulates outsourcing of IT Services by financial entities
  2. IT Governance: Upgrade needed by April 01, 2024
  3. https://vinodkothari.com/2023/11/it-governance-risk-control-and-assurances-practices-directions-2023/
You might also like
Tokenisation of Real World Assets - The Way Ahead for Creating Securities
Recent Updates to HFC Directions: What you need to know
Year 2023 in retrospect: Regulatory changes for NBFCs
Simplifying the KYC process and business identifier
Banks Faces Looming Loan Restructuring
Co-Lending and GST: Does the relationship between co-lenders constitute a supply that may be subject to GST?
RBI amends mode of payment and remittance norms for units of Investment vehicles
Revamped Fraud Risk Management Directions: Governance structure, natural justice, early warning system as key requirements
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *