Regulated Entities (REs) have to periodically review the financial and operational condition of their IT and IT-enabled service providers to assess whether those providers can continue to meet their obligations under the RE's outsourcing of IT services arrangements, according to the Reserve Bank of India (RBI).

In its Master Direction to REs (Banks, non-banking finance companies, credit information companies and all-India financial institutions) on outsourcing of IT services, the RBI said such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience preparedness.

The RBI emphasised that the underlying principle of its Master Direction is to ensure that outsourcing arrangements neither diminish an RE's ability to fulfil its obligations to customers nor impede effective supervision by the RBI.

To give REs adequate time to comply with the requirements, the RBI said the Directions shall come into effect from October 1.

The RBI said REs shall be responsible for the confidentiality and integrity of data and information pertaining to the customers that is available to the service provider.

Access to data at REs’ location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse.

In instances where a service provider acts as an outsourcing agent for multiple REs, care needs to be taken to build adequate safeguards so that there is no combining of information, documents, records and assets, per the Directions.

An RE has to ensure that cyber incidents are reported to it by the service provider without undue delay, so that the RE can in turn report the incident to the RBI within 6 hours of its detection by the third-party service provider.

Concentration risk

REs have to effectively assess the concentration risk posed by multiple outsourcings to the same service provider and/or by outsourcing critical or material functions to a limited number of service providers.

In establishing a viable contingency plan, REs have to consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.

REs have to ensure that service providers are able to isolate the REs’ information, documents and records and other assets. This is to ensure that, in adverse conditions or termination of the contract, all documents, record of transactions and information with the service provider and assets of the RE can be removed from the possession of the service provider, or deleted, destroyed or rendered unusable.

An RE can outsource any IT activity/IT-enabled service within its business group/conglomerate, provided that such an arrangement is backed by a Board-approved policy and appropriate service level arrangements/agreements with its group entities are in place.

To manage the risk arising from engagement of a service provider based in a different jurisdiction, RBI asked REs to closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, as well as establish sound procedures for mitigating the country risk.

This includes, among other things, having appropriate contingency and exit strategies. Further, the RE has to ensure that the availability of records to the RE and the RBI will not be affected even if the service provider goes into liquidation.