Skip to main content

Outsourcing of Information Technology Services by RBI regulated entities

Reserve Bank of India (RBI) has issued directions on outsourcing of information technology services by the regulated entities.

What is the objective of the directions?

Regulated Entities (REs) have been extensively leveraging Information Technology (IT) and IT enabled Services (ITeS) to support their business models, products and services offered to their customers. REs also outsource substantial portion of their IT activities to third parties, which expose them to various risks.

The underlying principle of the directions on outsourcing of information technology services is to ensure that outsourcing arrangements neither diminish REs ability to fulfil its obligations to customers nor impede effective supervision by the Reserve Bank of India (RBI).

From when are the directions effective?

The directions on outsourcing of information technology services will come into effect from October 01, 2023.

With respect to existing outsourcing arrangements that are already in force as on the date of issuance of the directions, REs shall ensure that –

  • The agreements that are due for renewal before October 01, 2023, comply with the directions as on the renewal date (preferably), but within 12 months from the date of issuance of the directions.
  • The agreements that are due for renewal on or after October 01, 2023, comply with the directions as on the renewal date or 36 months from the date of issuance of the directions whichever is earlier.

With respect to new outsourcing arrangements, REs shall ensure that –

  • The agreements that come into force before October 01, 2023, comply with the directions as on the agreement date (preferably) but within 12 months from the date of issuance of the directions.
  • The agreements that come into force on or after October 01, 2023, shall comply with the provisions of the directions from the date of agreement itself.

Which entities are covered under the directions?

The directions shall be applicable to the following REs –

  • Commercial Banks including Foreign Banks, Local Area Banks (LABs), Small Finance Banks (SFBs), Payments Banks (PBs)
  • Primary Co-operative Banks in ‘Tier 3’ and ‘Tier 4’ as defined under revised regulatory framework for Urban Co-operative Banks (UCBs)
  • Non-Banking Financial Companies in ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’ as defined under Scale Based Regulation (SBR) framework for NBFCs
  • Credit Information Companies (CICs)
  • All India Financial Institutions (AIFIs) –
    • Export-Import Bank of India (EXIM Bank)
    • National Bank for Agriculture and Rural Development (NABARD)
    • National Bank for Financing Infrastructure and Development (NaBFID)
    • National Housing Bank (NHB) 
    • Small Industries Development Bank of India (SIDBI)

Which arrangements are covered under the directions?

The directions shall apply to Material Outsourcing of Information Technology (IT) Services arrangements entered by the REs.

“Material Outsourcing of IT Services” are those which –

  • If disrupted or compromised shall have the potential to significantly impact the RE’s business operations; or
  • May have material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.

What are the regulatory and supervisory requirements in respect of outsourcing arrangements?

  • Outsourcing of any activity shall not diminish RE’s obligations as also of its Board and Senior Management, who shall be ultimately responsible for the outsourced activity. 
  • RE shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the RE, if the same activity was not outsourced. 
  • REs shall not engage an IT service provider that would result in reputation of RE being compromised or weakened.
  • Notwithstanding whether the service provider is located in India or abroad, the REs shall ensure that the outsourcing should neither impede nor interfere with the ability of the RE to effectively oversee and manage its activities. 
  • RE shall ensure that the outsourcing does not impede the RBI in carrying out its supervisory functions and objectives.
  • REs shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives. However, an exception to this requirement may be made with the approval of Board / Board level Committee, followed by appropriate disclosure, oversight and monitoring of such arrangements. The Board shall inter-alia ensure that there is no conflict of interest arising out of third-party engagements.

What shall be the grievance redressal mechanism under outsourcing arrangements?

  • REs shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RE.
  • Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws.
What are other instruction regarding outsourcing arrangements?
  • REs shall evaluate the need for Outsourcing of IT Services based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks.
  • In considering or renewing an Outsourcing of IT Services arrangement, appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis. 
  • REs shall ensure that their rights and obligations and those of each of their service providers are clearly defined and set out in a legally binding written agreement. 
  • RE intending to outsource any of its IT activities shall put in place a comprehensive Board approved IT outsourcing policy.
  • REs shall put in place a Risk Management framework for Outsourcing of IT Services that shall comprehensively deal with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with Outsourcing of IT Services arrangements. 
  • Public confidence and customer trust in REs is a prerequisite for their stability and reputation. Hence, REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. Access to customer information by staff of the service provider shall be on need-to-know basis. 
  • REs shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and / or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers. 
  • REs shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
  • REs shall have in place a management structure to monitor and control its Outsourced IT activities.
  • RE may outsource any IT activity / IT enabled service within its business group / conglomerate, subject to the conditions similar to those applicable in case of third-party.
  • The engagement of a service provider based in a different jurisdiction exposes the RE to country risk. RE shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, as well as establish sound procedures for mitigating the country risk. 
  • The Outsourcing of IT Services policy shall contain a clear exit strategy with regard to outsourced IT activities / IT enabled services, while ensuring business continuity during and after exit.


References

Reserve Bank of India. (2023, April 10). 'Master Direction on Outsourcing of Information Technology Services'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12486&Mode=0


Follow at - Telegram   Instagram   LinkedIn   Twitter   Facebook

Labels:

Comments

Post a Comment

Popular Posts

Modified Interest Subvention Scheme for Agricultural Loans

Reserve Bank of India (RBI) has published the modified interest subvention scheme (MISS) for short term loans for agriculture and allied activities availed through Kisan Credit Card (KCC) during the financial year 2025-26. Which loans are covered under modified interest subvention scheme (MISS)? The short-term crop loans and short-term loans for allied activities including animal husbandry, dairy, fisheries, bee keeping etc. up to an overall limit of ₹3 lakh to farmers through KCC during the year 2025-26 will be covered for interest subvention. Which lending institutions are covered under MISS? The MISS is applicable to the lending institutions viz. Public Sector Banks (PSBs) and Private Sector Banks (in respect of loans given by their rural and semi-urban branches only), Small Finance Banks (SFBs) and computerized Primary Agriculture Cooperative Societies (PACS) ceded with Scheduled Commercial Banks (SCBs), on use of their own resources.  How much is the interest subvention? The a...
Post a Comment
Read more

Reserve Bank - Integrated Ombudsman Scheme, 2026 (RB-IOS, 2026)

Reserve Bank of India (RBI) has issued Reserve Bank - Integrated Ombudsman Scheme, 2026. Who is RBI Ombudsman and RBI Deputy Ombudsman? RBI may appoint one or more of its officers as RBI Ombudsman and RBI Deputy Ombudsman, to carry out the functions entrusted to them under the Reserve Bank - Integrated Ombudsman Scheme (RB-IOS).  The appointment of RBI Ombudsman or RBI Deputy Ombudsman shall be for up to 3 years at a time. RBI Ombudsman shall have the power to examine and close all complaints.   RBI Deputy Ombudsman shall have the power to close those complaints falling under clause 10 of the RB-IOS (i.e. non-maintainable complaints) and complaints resolved as per the provisions of the clause 14(8)(a) to 14(8)(c) of the RB-IOS (i.e. complaint resolved / withdrawn). Which entities are covered under the RB-IOS? RB-IOS shall be applicable to the following Regulated Entities (REs) – Commercial Banks Regional Rural Banks  State Co-operative Banks Central Co-operative Bank...
Post a Comment
Read more

Internal Ombudsman for Regulated Entities (Banks, NBFCs, PPI Issuers and CICs)

Reserve Bank of India (RBI) has issued directions on Internal Ombudsman for regulated entities. To whom shall the directions on Internal Ombudsman (IO) be applicable? The directions on IO shall be applicable to the following Regulated Entities (REs) – Commercial Banks (other than Small Finance Banks, Payment Banks, and Local Area Banks) having 10 or more banking outlets in India as on March 31, 2025, whether such bank is incorporated in / outside India Small Finance Banks having 10 or more banking outlets in India as on March 31, 2025 Payments Banks having 10 or more banking outlets in India as on March 31, 2025 Non-Banking Financial Companies (NBFCs) fulfilling the following criteria as on March 31, 2025 – Deposit-taking NBFCs (NBFCs-D) with 10 or more branches Non-Deposit taking NBFCs (NBFCs-ND) with asset size of ₹5,000 crore and above and having public customer interface Non-Bank Prepaid Payment Instruments Issuers having more than 1 crore Prepaid Payment Instruments (PPIs) outstan...
Post a Comment
Read more

Financial Literacy Week (FLW) 2026

Reserve Bank of India (RBI) has observed financial literacy week from February 09 to 13, 2026. Financial Literacy and Financial Education Organization for Economic Co-operation & Development (OECD) defines ‘financial literacy’ as a combination of financial awareness, knowledge, skills, attitude and behaviour necessary to make sound financial decisions and ultimately achieve individual financial well-being.  OECD defines ‘financial education’ as the process by which financial consumers / investors improve their understanding of financial products, concepts and risks and through information, instruction and / or objective advice, develop the skills and confidence to become more aware of financial risks and opportunities, to make informed choices, to know where to go for help and to take other effective actions to improve their financial well-being. Financial Literacy Week (FLW) Reserve Bank of India (RBI) has been observing Financial Literacy Week (FLW) every year since 2016 to p...
Post a Comment
Read more

What is Reserve Bank of India – Digital Payments Index (RBI-DPI)? (Updated on February 12, 2026)

There have been continuous efforts by various stakeholders for digitization of payments in the country. But how to we measure the impact of these efforts?  What is Reserve Bank of India – Digital Payments Index (RBI-DPI)? Reserve Bank of India (RBI) has constructed a composite Digital Payments Index (DPI) to capture the extent of digitization of payments across the country. What are the parameters of RBI-DPI? The RBI-DPI comprises of five broad parameters that enable measurement of deepening and penetration of digital payments in the country over different time periods. These parameters along with their weights in the RBI-DPI are as follows –  Payment Enablers (25%) Payment Infrastructure – Demand-side factors (10%) Payment Infrastructure – Supply-side factors (15%) Payment Performance (45%) Consumer Centricity (5%).  Each of these parameters have sub-parameters which, in turn, consist of various measurable indicators.  What is the base year for RBI-DPI? The RBI-DPI ...
Post a Comment
Read more