To ensure effective risk management in the outsourcing of IT activities by banks, non-banking finance companies and other regulated entities, the Reserve Bank of India (RBI) issued a draft ‘Master Directive on Outsourcing of IT Services’.
Regulated entities have made extensive use of IT and IT services to support business models and the products and services offered to their customers, and they also outsource most of their IT activities to third parties, exposing entities to significant risk, the central bank said.
The draft has been released for stakeholder and public review. The last date for comments and feedback is July 22, 2022.
The draft said that the basic principle is that regulated entities should ensure that outsourcing arrangements do not reduce their ability to meet their obligations to customers nor hinder effective supervision by supervisory authorities.
Regulated entities seeking to outsource IT and IT-enabled services will not require prior approval from the RBI, the draft said, adding that such arrangements are, however, subject to on-site or off-site monitoring and inspection and scrutiny by supervisory authorities.
Further, the draft said that regulated entities should assess the need for outsourcing of IT services based on a comprehensive assessment of the benefits, risks and availability of corresponding processes to manage those risks.
In this process, they should consider important aspects, such as determining the need for outsourcing based on the criticality of the activity to be outsourced, determining expectations or outcomes from outsourcing, determining success factors and cost-benefit analysis, and deciding models for outsourcing.
On the grievance resolution mechanism, the draft said the responsibility for resolving customer grievances related to outsourcing services rests with the regulated entity.
The RBI has expressed concern about the risks associated with cross-border outsourcing, saying that the involvement of service providers based in different jurisdictions is vulnerable to risk.
“To manage such risks, the regulated entity must closely monitor the service provider’s national government policy and its political, social, economic and legal conditions on an ongoing basis, and establish sound procedures to mitigate national risk. This includes, among others, having appropriate contingencies and exit strategies. Further, it should be ensured that the availability of records to regulated entities and supervisory authorities will not be affected even in the case of liquidation of service providers,” the draft said.
Finally, the draft said the IT Services Outsourcing policy should contain a clear exit strategy with respect to IT outsourcing activities or IT-enabled services while ensuring business continuity during and after the exit.