RBI norms for IT services outsourcing by banks and financial entities

The Reserve Bank of India (RBI) on Thursday said that banks and other financial institutions outsourcing their information technology (IT) services to third parties must take care that such arrangements do not impact their obligations towards customers. The banks will not have to take approval from the central bank for entering into such outsourcing agreements, the RBI clarified with a caveat that such arrangements will be subject to periodic inspection.

The central bank, in its monetary policy in June, highlighted the issue stating that outsourcing of IT services expose financial institutions to certain risks. The RBI has therefore issued the guidelines for financial institutions to deploy risk management systems to cover outsourced IT services.

“Outsourcing of any activity of the RE (regulated entity) shall not diminish its obligations as also of its board and senior management, who shall be ultimately responsible for the outsourced activity,” the RBI said in a master circular.

As per the guidelines, scheduled commercial banks, local area banks, small finance banks, payments banks, certain co-operative banks, non-banking financial companies (NBFC), credit information companies and other state-owned financial entities will have to follow these guidelines.

Financial institutions will have to put in place a risk management framework for outsourcing of IT services dealing with the processes and responsibilities to identify and manage such risks. The banks should give only a selected access to customer information to the service provider. Banks and financial institutions will be responsible for protecting the confidentiality of customer data, the RBI said.

In cases where a single IT service provider is chosen by multiple financial institutions, the service provider cannot combine the customer data. The service provider is obligated to inform financial institutions of breach or loss of data in one hour of detection. Where financial institutions have outsourced IT services to a foreign entity, they will have to monitor and study the financial position and reputation of that entity in its host country. Existing RBI guidelines will continue to apply for such outsourcing, the central bank said.

The RBI has also directed banks and financial institutions to put in place, business continuity and disaster recovery plan in case service provider unexpectedly terminates the contract or there is a major breach. The financial institutions will have to install a management structure to monitor and control the outsourced IT activities, which will include monitoring the performance and incident response mechanism of the service provider. The financial institutions will have to plan for an exit strategy while ensuring business continuity during and after exit.