RBI Comes Out with Regulatory Norms for Outsourcing of IT Activities

To deal with the risks associated with the outsourcing of IT activities by Regulated Entities (REs) and to ensure that such entities don’t neglect their compliance obligations or responsibilities towards their customers regarding outsourced activities, the Reserve Bank of India (RBI) released a Master Direction on Outsourcing of Information Technology Services on April 10, 2023. 

The directions would be effective from October 1, 2023, and have been issued in the exercise of powers conferred on the RBI under provisions of the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934 and the Credit Information Companies (Regulation) Act, 2005, and other statutes.

Given the tendency of REs to outsource their IT activities to third parties, it was deemed necessary to come out with adequate regulatory measures. After receiving the feedback of the public on the draft released last year, the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 have been issued.

These directions apply to arrangements entered into by REs (such as banking companies, non-banking financial companies, credit information companies, etc.) for material outsourcing of IT services. Here, material outsourcing refers to outsourcing that can have a drastic effect either on the entity’s business operations if it is “disrupted or compromised” or on consumers if their information is lost, stolen or accessed without authorization.

Some of the obligations conferred upon REs are as follows:

  • Various factors have to be taken into consideration before IT activities are outsourced; REs need to assess the need for it, examine the outcome that is expected, etc. Further, due diligence has to be conducted as per the directions.
  • It has to be ensured that service providers follow the standard of care which would have been adopted by the RE if the IT activity was not outsourced.
  • The outsourcing should not cause any hindrance to the RBI in carrying out its supervisory responsibilities.
  • The entity’s grievance redressal mechanism has to address the grievances of its customers concerning outsourced IT activities as well.
  • A framework has to be set up to manage the risks connected with the outsourcing of IT activities.