The Reserve Bank of India has recently issued detailed norms ('the directions') on the outsourcing of IT services by banks, NBFCs and other regulated financial sector entities. The directions, which come into effect from October 01, 2023, seek to ensure that regulated entities do not in any way lower the bar on their obligations to customers when specified IT and IT-enabled tasks are outsourced.
Regulated entities include all Banking Companies, Corresponding New Banks, State Bank of India, Primary Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies and specified Financial Institutions.
The directions bring under their purview those IT and IT-enabled tasks that have the potential to significantly impact the business operations of regulated entities in the event of a disruption or compromise, and those that can have a material impact on the customers of regulated entities in the event of any unauthorised access, loss or theft of customer information. The directions currently do not cover corporate internet banking services obtained by regulated entities as corporate customers/sub-members of another regulated entity, external assessments (such as vulnerability assessment and penetration testing), information systems audits and security reviews.
The directions have specified standards relating to the following:
- The governance framework: encompassing the IT outsourcing policy and the roles of the board, management and IT function of the regulated entity in identifying, measuring, monitoring, mitigating and managing IT outsourcing risks.
- Due diligence of outsourced service providers: taking into consideration qualitative, quantitative, financial, operational, legal and reputational factors, while highlighting the importance of independent external reviews with market feedback on the service provider.
- Essential contents of outsourcing agreements: with a focus on performance standards and security measures.
- Risk management guidelines: including aspects related to business continuity and disaster recovery plans.
- Structures for monitoring and control: including audits.
- A clear exit strategy: with regard to outsourced IT and IT-enabled activities, while ensuring business continuity during and after exit.
The directions also cover situations where IT and IT-enabled tasks are outsourced within a group/conglomerate, whether in India or overseas.
Our Managing Partner was interviewed for his views on these developments, which feature in today's edition of The Economic Times and are presented in the ensuing section of this thought leadership for your ease of reference.
Best regards
Markets Team
MGC Global Risk Advisory