RBI Deputy Governor M Rajeshwar Rao called upon regulated entities to go in for vendor diversification as dependency on a single third party can create vendor lock-in situations.
Rao cautioned that Regulated Entities/REs(such as Banks and NBFCs) that lack vendor diversification, where they become reliant on a single vendor for critical services, can increase dependency risks and limit their flexibility to adapt to changing market conditions or technological advancements.
Referring to third-party dependencies and digital outsourcing becoming integral to REs operations, the Deputy Governor said with rapidly evolving technology, REs are increasingly relying on third-party agencies and outsourcing of their operations to enhance efficiency, reduce costs, and improve customer experience.
However, while third-party dependencies offer several benefits, they also pose certain risks and challenges.
“One of the primary concerns is selection of the outsourcing partner or in case of digital lending operations, the lending service providers (LSPs).
“Regulated entities need to assess the reliability, security, and regulatory compliance of their third parties to ensure that they meet the required standards” Rao said at a BFSI event organised by CareEdge Ratings.
For example, while digital lending guidelines mandate that REs should ensure that LSPs engaged by them have suitable grievance redressal mechanism on their website or apps, a recent study undertaken by RBI found that not all LSPs or apps have that.
“Poorly managed third-party relationships can expose regulated entities to not only customer dissatisfaction and reputational damage, but may also invite regulatory and supervisory actions,” cautioned the Deputy Governor.
Rao said cybersecurity is another critical area where regulated entities need to assess the preparedness of third-party service providers to protect their digital assets and customer information.
With the increasing frequency and sophistication of cyber-attacks, it is essential for entities to ensure that robust cybersecurity measures are deployed by the service providers to safeguard against threats, he added.