The Reserve Bank of India on Monday came out with detailed norms for the outsourcing of IT services by banks, NBFCs, and other regulated financial sector entities to ensure that such arrangements do not undermine their responsibilities and obligations to customers.
In its 'Master Direction on Outsourcing of Information Technology Services,' the RBI said that regulated entities (REs) have been extensively leveraging IT and IT-enabled services (ITeS) to support their business models and the products and services they offer their customers.
In February last year, the central bank proposed the issuance of suitable regulatory guidelines on the outsourcing of IT services with the aim of ensuring effective management of attendant risks. Later, draft norms were issued.
According to RBI, the underlying principle of the directions is to ensure that outsourcing arrangements neither diminish REs' ability to fulfil their obligations to customers nor impede effective supervision by the central bank.
With a view to providing REs adequate time to comply with the requirements, the norms will come into effect on Oct 1, 2023.
An RE shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the RE if the same activity were not outsourced, the central bank said.
According to the central bank, an RE should not engage an IT service provider if doing so would result in the reputation of the RE being compromised or weakened.
Regardless of whether the service provider is located in India or abroad, REs should ensure that outsourcing neither impedes nor interferes with the ability of the RE to effectively oversee and manage its activities, as per RBI.
Further, REs have been told to evaluate the need for outsourcing IT services based on a comprehensive assessment of attendant benefits, risks, and the availability of commensurate processes to manage those risks.
On the governance framework, RBI said an RE intending to outsource any of its IT activities should have a comprehensive, board-approved IT outsourcing policy.
Financial institutions should also put in place a risk management framework for outsourcing that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with outsourcing IT services arrangements.
Also, REs should ask their service providers to develop and establish a robust framework for documenting, maintaining, and testing their business continuity plans and disaster recovery plans.
An RE can also outsource any IT activity or IT-enabled service within its business group or conglomerate, subject to the conditions specified in the master direction.
