RBI on Monday published detailed specifications for banks, NBFCs to outsource IT services
Posted Date – 11:15 PM, Mon – 4/10/23

Mumbai: The Reserve Bank of India on Monday introduced detailed specifications for banks, NBFCs and regulated financial sector entities to outsource IT services to ensure that such arrangements do not compromise their responsibilities and obligations to their clients.
In its “Key Directions for Information Technology Service Outsourcing”, the RBI said Regulated Entities (REs) have made extensive use of IT and IT-Enabled Services (ITeS) to support their business models, products and services to their clients.
In February last year, the central bank proposed to introduce appropriate regulatory guidelines for IT service outsourcing to ensure effective management of the attendant risks. Subsequently, a draft specification was released.
According to the RBI, the underlying principle of these directives is to ensure that outsourcing arrangements neither impair the ability of REs to fulfill their obligations to clients nor hamper effective central bank supervision.
To give REs sufficient time to meet the requirements, the specification will take effect on October 1, 2023.
The central bank said REs should take steps to ensure that service providers perform services to the same high standards as the REs would have employed had the same activities not been outsourced.
According to the central bank, REs should not engage IT service providers that would cause the RE’s reputation to be damaged or weakened.
According to RBI, regardless of whether the service provider is located in India or abroad, the RE should ensure that outsourcing does not hinder or interfere with the RE’s ability to effectively monitor and manage its activities.
In addition, REs have been advised to assess the need for outsourcing of IT services based on a comprehensive assessment of the attendant benefits, risks and availability of corresponding processes to manage these risks.
In terms of governance framework, the RBI stated that REs that intend to outsource any of their IT activities should have a comprehensive board-approved IT outsourcing policy.
Financial institutions should also establish an outsourcing risk management framework that comprehensively addresses the processes and responsibilities for identifying, measuring, mitigating, managing and reporting risks associated with the outsourcing of IT service arrangements.
Additionally, REs should require their service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity plans and disaster recovery plans.
An RE may also outsource any IT activity/IT-supported service within its business group, subject to the conditions specified in the Master Directive.
