“Understand RBI’s recent Master Direction on Outsourcing of Information Technology Services effective from October 1, 2023. Explore key requirements, risk management, and compliance measures for a seamless IT outsourcing strategy. Stay informed with a comprehensive summary. Source: RBI Guidelines, 2023.”
RBI issued the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 on 10 April 2023; they come into effect from 1 October 2023. A summary of the Directions is given below.
| S. No. | Requirement Summary | Effective Date |
|---|---|---|
| CHAPTER-I | | |
| Para 1 | Short Title and Commencement | |
| 1 | Existing Outsourcing Arrangements: (i) agreements due for renewal before October 1, 2023 | Renewal date (preferably) or before April 10, 2024 |
| | (ii) agreements due for renewal on or after October 1, 2023 | Renewal date or before April 10, 2026 |
| 2 | New Outsourcing Arrangements: (i) agreements that come into force before October 1, 2023 | Agreement date (preferably) or before April 10, 2024 |
| | (ii) agreements that come into force on or after October 1, 2023 | Effective date of the agreement |
| Para 3 | Definitions | Oct 1, 2023 |
| | "Group": a 'group' may be defined as an arrangement involving two or more entities related to each other through any of the following relationships, and a 'group entity' as any entity involved in this arrangement. | |
| | "Material Outsourcing of IT Services" are those which: (a) if disrupted or compromised, have the potential to significantly impact the RE's business operations; or (b) may have a material impact on the RE's customers in the event of any unauthorised access, loss or theft of customer information. | |
| | "Outsourcing of IT Services" shall include outsourcing of the following activities: (a) IT infrastructure management, maintenance and support (hardware, software or firmware); (b) network and security solutions, maintenance (hardware, software or firmware); (c) application development, maintenance and testing; Application Service Providers (ASPs) including ATM Switch ASPs; (d) services and operations related to data centres; (e) cloud computing services; (f) managed security services; and (g) management of IT infrastructure and technology services associated with the payment system ecosystem. | |
| | "Service Provider" means the provider of IT or IT-enabled services, including entities related to the RE or those which belong to the same group or conglomerate to which the RE belongs. | |
| CHAPTER-II | | |
| Para 4 | Regulatory and Supervisory Requirements | Oct 1, 2023 |
| a) | Outsourcing of any activity shall not diminish the RE's obligations; the service provider shall employ the same high standard of care in performing the services as would have been employed by the RE. REs shall not engage an IT service provider that would result in the reputation of the RE being compromised or weakened. | |
| b) | The RE shall ensure that outsourcing neither impedes nor interferes with the RE's ability to effectively oversee and manage its activities. The RE shall ensure that the outsourcing does not impede the RBI in carrying out its supervisory functions and objectives. | |
| c) | REs shall ensure that the service provider, if not a group company, is not owned or controlled by any director, key managerial personnel or approver of the outsourcing arrangement of the RE, or their relatives. The Board shall, inter alia, ensure that there is no conflict of interest arising out of third-party engagements. | |
| d) | Separate guidelines are given for usage of cloud computing services and outsourcing of Security Operations Centre (SOC) services. | |
| Para 5 | Comprehensive Assessment of Need for Outsourcing and Attendant Risks | Oct 1, 2023 |
| a) | need for outsourcing based on criticality of the activity to be outsourced; | |
| b) | expectations and outcome from outsourcing; | |
| c) | success factors and cost-benefit analysis; and | |
| d) | deciding the model for outsourcing. | |
| Para 6 | Compliance with All Applicable Statutory and Regulatory Requirements | Oct 1, 2023 |
| | The RE shall consider all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration when performing its due diligence in relation to outsourcing of IT services. | |
| Para 7 | Grievance Redressal Mechanism | Oct 1, 2023 |
| a) | The RE shall have a robust system in place and shall be solely responsible for redressal of customer grievances. | |
| b) | Outsourcing shall not affect the rights of the customer. | |
| Para 8 | Inventory of Outsourced Services | Oct 1, 2023 |
| | REs shall create an inventory of services, including key entities involved in their supply chains. REs shall map their dependency on third parties and periodically evaluate the information received from the service providers. | |
| CHAPTER-III | | |
| Para 9 | IT Outsourcing Policy | Oct 1, 2023 |
| | The RE shall put in place a comprehensive Board-approved IT outsourcing policy. The policy shall incorporate the following: (i) roles and responsibilities of the Board, (ii) IT function, (iii) business function, (iv) oversight and assurance functions for IT services; (v) criteria for selection of such activities and (vi) service providers; (vii) parameters for defining material outsourcing; (viii) delegation of authority depending on risk and materiality, disaster recovery and business continuity plans; (ix) systems to monitor and review the operations; and (x) termination processes and exit strategies. | |
| Para 10 | Role of the Board | Oct 1, 2023 |
| | The Board of the RE shall be responsible, inter alia, for: | |
| a) | a framework for approval of IT outsourcing activities depending on risks and materiality; | |
| b) | approving policies to evaluate the risks and materiality of all existing and prospective IT outsourcing arrangements; and | |
| c) | setting up a suitable administrative framework of Senior Management for the purpose of these Directions. | |
| Para 11 | Role of the Senior Management | Oct 1, 2023 |
| a) | formulating IT outsourcing policies and procedures, evaluating the risks and materiality, and implementation; | |
| b) | evaluating performance review, criticality and associated risks; | |
| c) | identifying IT outsourcing risks; | |
| d) | ensuring that suitable business continuity plans, including exit of any third-party service provider, are in place and tested periodically; | |
| e) | ensuring (i) effective oversight for data confidentiality and (ii) redressal of customer grievances in a timely manner; | |
| f) | ensuring an independent review and audit for compliance with legislation, regulations, the Board-approved policy and performance standards, and reporting the same to the Board; | |
| g) | creating essential capacity within the organisation for proper oversight of outsourced activities. | |
| Para 12 | Role of IT Function | Oct 1, 2023 |
| a) | assisting the Senior Management; | |
| b) | ensuring a central database of all IT outsourcing arrangements is maintained and is accessible for review; | |
| c) | effectively monitoring and supervising outsourced activities and reporting to Senior Management; | |
| d) | putting in place the documentation required for contractual agreements. | |
| CHAPTER-IV | | |
| Para 13 | Due Diligence on Service Providers | Oct 1, 2023 |
| a) | Appropriate due diligence (DD) shall be performed to assess the capability of the service provider. | |
| b) | A risk-based approach shall be adopted in conducting DD. | |
| c) | DD shall take into consideration qualitative, quantitative, financial, operational, legal and reputational factors. The RE shall obtain independent reviews and market feedback on the service provider to supplement its own assessment. | |
| d) | DD shall include evaluating the capability of the service provider and the risks arising from concentration. | |
| Para 14 | Aspects to Be Considered | Oct 1, 2023 |
| | Due diligence shall involve evaluation of all available information, as applicable, about the service provider, including but not limited to: | |
| a) | past experience; | |
| b) | financial soundness and ability to service commitments in adverse situations; | |
| c) | business reputation and culture, compliance, complaints and outstanding or potential litigation; | |
| d) | conflict of interest, if any; | |
| e) | factors which impact data security and service performance; | |
| f) | details of the technology, infrastructure stability, security and internal control, audit coverage, reporting and monitoring procedures, data backup arrangements, business continuity management and disaster recovery plan; | |
| g) | capability to identify and segregate the RE's data; | |
| h) | quality of due diligence; | |
| i) | capability to comply with the regulatory and legal requirements; | |
| j) | information/cyber security risk assessment; | |
| k) | ability to ensure data protection and the RE's access to the data; | |
| l) | ability to effectively service all the customers while maintaining confidentiality; | |
| m) | ability to enforce agreements. | |
| CHAPTER-V | | |
| Para 15 | Legally Binding Agreement | Oct 1, 2023 |
| a) | Ensure that the rights and obligations of the parties are clearly defined in the agreement. | |
| b) | The agreement shall include the criticality of the outsourced activity, the associated risks and the strategies to mitigate those risks. | |
| c) | The terms and conditions shall be defined and vetted by legal counsel, and shall allow the RE to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. | |
| d) | The agreement shall also bring out the nature of the legal relationship between the parties. | |
| Para 16 | Aspects to Be Considered in the Agreement | Oct 1, 2023 |
| | The agreement at a minimum should include (as applicable to the scope of Outsourcing of IT Services) the following aspects: | |
| a) | details of the activity being outsourced, including appropriate service and performance standards, including for the sub-contractors, if any; | |
| b) | effective access by the RE to all data, books, records, information, logs, alerts and business premises; | |
| c) | regular monitoring and assessment; | |
| d) | the types of material adverse events and the incidents required to be reported to the RE; | |
| e) | compliance with the provisions of the Information Technology Act, 2000 and other standards to protect the customer data; | |
| f) | the deliverables, including Service-Level Agreements (SLAs); | |
| g) | storage of data (only in India); | |
| h) | provision of details of data (related to the RE and its customers) captured, processed and stored; | |
| i) | controls for maintaining confidentiality of data, and liability to the RE in the event of a security breach and leakage of such information; | |
| j) | types of data/information that the service provider (vendor) is permitted to share with the RE's customers and/or any other party; | |
| k) | specifying the resolution process, events of default, indemnities, remedies, and recourse available to the respective parties; | |
| l) | contingency plan(s) to ensure business continuity, and testing requirements; | |
| m) | the right of the RE to conduct audits of the service provider (including its sub-contractors); | |
| n) | the right to seek information from the service provider about the third parties (in the supply chain) engaged by the former; | |
| o) | recognising the authority of regulators to perform inspection of the service provider; | |
| p) | clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors; | |
| q) | obligation of the service provider to comply with directions issued by the RBI; | |
| r) | clauses requiring prior approval/consent of the RE for use of sub-contractors by the service provider for all or part of an outsourced activity; | |
| s) | termination rights of the RE; | |
| t) | obligation of the service provider to co-operate with the relevant authorities in case of insolvency/resolution of the RE; | |
| u) | provision to consider skilled resources; | |
| v) | a clause requiring suitable back-to-back arrangements between service providers and the OEMs; and | |
| w) | a clause requiring a non-disclosure agreement with respect to information retained by the service provider. | |
| CHAPTER-VI | | |
| Para 17 | Risk Management Framework | Oct 1, 2023 |
| a) | REs shall put in place a Risk Management Framework for Outsourcing of IT Services that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management and reporting of risks associated with Outsourcing of IT Services arrangements. | |
| b) | The risk assessments carried out by REs shall be suitably documented with the necessary approvals, in line with the roles and responsibilities of the Board of Directors, Senior Management and IT Function. Such risk assessments shall be subject to internal and external quality assurance on a periodic basis as determined by the Board-approved policy. | |
| c) | REs shall be responsible for the confidentiality and integrity of data and information pertaining to customers that is available to the service provider. | |
| d) | Access to data at the RE's location/data centre by service providers shall be on a need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse. | |
| e) | REs shall ensure the preservation and protection of the security and confidentiality of customer information. | |
| f) | In the event of multiple service provider relationships, the RE remains responsible. | |
| g) | Where a service provider acts as an outsourcing agent for multiple REs, care shall be taken to build adequate safeguards so that there is no combining of information, documents, records and assets. | |
| h) | The RE shall ensure that cyber incidents are reported to it by the service provider without undue delay, so that the incident can be reported by the RE to the RBI within 6 hours of detection by the third-party service provider (TPSP). | |
| i) | REs shall review and monitor the control processes and security practices of the service provider to disclose security breaches. REs shall immediately notify the RBI in the event of a breach of security and leakage of confidential customer-related information. | |
| j) | Concentration Risk: REs shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and/or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers. | |
| Para 18 | Business Continuity Plan and Disaster Recovery Plan | Oct 1, 2023 |
| a) | REs shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) commensurate with the nature and scope of the outsourced activity, as per extant instructions issued by the RBI from time to time on BCP/DR requirements. | |
| b) | In establishing a viable contingency plan, REs shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved. | |
| c) | In order to mitigate the risk of unexpected termination, REs shall retain an appropriate level of control over their IT outsourcing arrangements, along with the right to intervene with appropriate measures to continue their business operations. | |
| d) | REs shall ensure that service providers are able to isolate the REs' information, documents, records and other assets. | |
| CHAPTER-VII | | |
| Para 19 | Monitoring and Control of Outsourced Activities | Oct 1, 2023 |
| a) | REs shall have in place a management structure to monitor and control their outsourced IT activities. | |
| b) | The RE shall conduct regular audits of service providers. | |
| c) | REs of a common service provider may adopt a pooled (shared) audit. | |
| d) | The audits shall assess: (i) performance of the service provider; (ii) adequacy of the risk management practices; (iii) compliance with laws and regulations, etc. | |
| e) | REs, depending upon the risk assessment, may also rely upon globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits. However, this shall not absolve REs of their responsibility for ensuring assurance on the controls and procedures required to safeguard data security (including availability of systems) at the service provider's end. | |
| f) | The RE shall periodically review the financial and operational condition of the service provider. | |
| g) | In the event of termination of the outsourcing agreement, the same shall be given due publicity by the RE. | |
| h) | REs shall ensure that the service provider grants unrestricted and effective access to (i) data related to the outsourced activities and (ii) the relevant business premises, subject to appropriate security protocol. | |
| CHAPTER-VIII | | |
| Para 20 | Outsourcing within a Group / Conglomerate | Oct 1, 2023 |
| a) | An RE may outsource any IT activity/IT-enabled service within its business group/conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/agreements with its group entities are in place. | |
| b) | The selection of a group entity shall be based on objective reasons similar to those for selection of a third party, and any conflicts of interest that such an outsourcing arrangement may entail shall be appropriately dealt with. | |
| c) | REs shall at all times maintain an arm's-length relationship in dealings with their group entities. Risk management practices adopted by the RE while outsourcing to a group entity shall be identical to those specified for a non-related party. | |
| CHAPTER-IX | | |
| Para 21 | Additional Requirements for Cross-Border Outsourcing | Oct 1, 2023 |
| a) | The engagement of a service provider based in a different jurisdiction exposes the RE to country risk. To manage such risk, the RE shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, as well as establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. Further, it shall be ensured that availability of records to the RE and the RBI will not be affected even in case of liquidation of the service provider. | |
| b) | The governing law of the arrangement shall also be clearly specified. | |
| c) | The right of the RE and the RBI to direct and conduct an audit or inspection of a service provider based in a foreign jurisdiction shall be ensured. | |
| d) | The arrangement shall comply with all statutory requirements as well as regulations issued by the RBI from time to time. | |
| CHAPTER-X | | |
| Para 22 | Exit Strategy | Oct 1, 2023 |
| a) | The Outsourcing of IT Services policy shall contain a clear exit strategy. In documenting an exit strategy, the RE shall, inter alia, identify alternative arrangements, which may include performing the activity through a different service provider or by the RE itself. | |
| b) | REs shall ensure that the agreement has the necessary clauses on safe removal/destruction of data, hardware and all records (digital and physical), as applicable. The service provider shall be legally obliged to cooperate fully with both the RE and the new service provider(s) to ensure a smooth transition. Further, the agreement shall ensure that the service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator/concerned RE. | |
Master Direction on Outsourcing of Information Technology Services