The Reserve Bank of India has recently come out with detailed norms ('the directions') relating to outsourcing of IT services by banks, NBFCs and other regulated financial sector entities. The directions, which come into effect from October 01, 2023, seek to ensure that regulated entities do not in any way lower the bar on their obligations to customers for specified IT & IT-enabled tasks that may get outsourced.


Regulated entities include all Banking Companies, Corresponding New Banks, State Bank of India, Primary Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies and specified Financial Institutions.


The directions have brought under their purview those IT & IT-enabled tasks that have the potential to significantly impact the business operations of regulated entities in the event of a disruption or compromise, and those that can have a material impact on the customers of regulated entities in the event of any unauthorised access, loss or theft of customer information. The directions currently do not cover corporate internet banking services obtained by regulated entities as corporate customers/sub members of another regulated entity, external assessments (such as vulnerability assessment and penetration testing), information systems audits and security reviews.

 

The directions have specified standards relating to the following:


  • The governance framework: encompassing the IT outsourcing policy and roles of the board, management and IT function of the regulated entity in identifying, measuring, monitoring, mitigating and managing IT outsourcing risks.
  • Due diligence of outsourced service providers: taking into consideration qualitative, quantitative, financial, operational, legal and reputational factors, while highlighting the importance of independent external reviews with market feedback on the service provider.
  • Essential contents of outsourcing agreements: with a focus on performance standards and security measures.
  • Risk management guidelines: including aspects related to business continuity & disaster recovery plans.
  • Structures for monitoring & control: including audits.
  • A clear exit strategy: with regard to outsourced IT and IT-enabled activities, while ensuring business continuity during and after exit.


The directions also cover situations where IT & IT-enabled tasks are outsourced within a group/conglomerate, in India and overseas.


Our Managing Partner was interviewed for his views on these developments, which have featured in today's edition of The Economic Times; and are presented in the ensuing section of this thought leadership, for the ease of your reference.




Best regards

Markets Team

MGC Global Risk Advisory

According to Monish G Chatrath, Managing Partner, MGC Global -



"Strong corporate governance practices and comprehensive risk management frameworks are aspects that are imperative to enhance the resilience of the BFSI sector in India. This is a significant development that is in the best interests of the consumers of BFSI services and other stakeholders (such as the regulators), which requires regulated entities to, at the minimum, maintain their responsibilities to their customers at the same (and even higher) levels as if the outsourced IT and IT-enabled tasks were undertaken internally.


Regulated entities will need to undertake a detailed evaluation of their requirements for outsourcing IT & IT-enabled tasks, based on a comprehensive assessment of attendant benefits and risks; and will need to institutionalize mitigation measures for such risks. The outsourcing strategy for such tasks needs to be in accordance with a comprehensive board-approved IT outsourcing policy and framework that entails processes with responsibilities for identification, measurement, mitigation, management and reporting of risks associated with such outsourcing arrangements."


About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 & 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the year' in 2021 (in the category of risk advisory services); MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.6 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in 99 countries, who have over 26,000 professional staff and over 4,000 partners operating from 688 offices across the globe.

 

Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.