To mitigate the risks associated with the outsourcing of IT activities by Regulated Entities (REs), while preserving their compliance obligations and responsibilities towards their customers, the Reserve Bank of India (RBI) released the Master Direction on Outsourcing of Information Technology Services on 10 April 2023. The Direction takes effect from 1 October 2023 and is issued under the Reserve Bank of India Act 1934, the Credit Information Companies (Regulation) Act 2005, and other laws that confer powers on the RBI.
Regulatory measures were considered necessary because of the growing tendency of REs to subcontract IT activities to third parties. Following public feedback on the draft released last year, the RBI issued the revised Reserve Bank of India (Outsourcing of Information Technology Services) Directions this year, setting out 'The Regulatory Framework for Outsourcing of Information Technology'.
The provisions of these Directions apply to the following Regulated Entities ("REs"):
- Scheduled Commercial Banks (excluding Regional Rural Banks);
- Local Area Banks;
- Small Finance Banks;
- Payments Banks;
- Primary (Urban) Co-operative Banks having asset size of ₹1000 crore and above;
- Non-Banking Financial Companies in the Top, Upper and Middle Layers;
- Credit Information Companies; and
- All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)
These Directions apply to agreements for the material outsourcing of IT services by REs (banks, non-banking financial companies, credit information companies, etc.). Here, "material outsourcing" means outsourcing that, if disrupted or compromised, could significantly affect the RE's business operations, or that could significantly affect customers if their personal information were compromised, lost, or improperly accessed.
- For each service provider, REs must have a binding written contract in place. The outsourcing agreement needs to be flexible enough to let the RE retain appropriate control over the outsourced activity and to intervene with the necessary measures. The nature of the relationship between the RE and the service provider should also be expressly stated in the agreement.
- The Directions further list a number of essential clauses that ought to be included in outsourcing agreements, such as precise service definitions, monitoring and assessment, the ability to subcontract only with the RE's consent, and contingency plans.
- REs must ensure that the regulator (RBI) has the right to examine the service provider and its subcontractors, as well as the right to access the RE's infrastructure and the data that the service provider and its subcontractors hold or process on the RE's behalf.
- The service provider should be contractually required to comply with any directions issued by the RBI regarding the outsourced activities.
The outsourcing agreement must also cover matters relating to data, including any data localisation requirements that apply, disclosure of information about the data that is processed and shared with the RE's customers and other parties, and the service provider's liability to the RE in the event of a confidentiality or security breach.
Grievance Redressal Mechanism
Responsibility for resolving customer complaints rests with the REs, who are also required to maintain an effective grievance redressal mechanism that must not be jeopardised in any way by outsourcing. In other words, it remains the RE's responsibility to resolve customer complaints regarding outsourced services. Outsourcing agreements must also not impair a customer's rights against the RE, including the customer's ability to seek remedies under applicable law.
REs remain responsible for the integrity and security of customer-related data and information made available to the service provider. Service providers may access data at the RE's site or data centre only on a need-to-know basis, and adequate measures must be in place to guard against security lapses and misuse of data. Where a service provider serves multiple REs, sufficient safeguards must ensure that the information, documents, records, and assets of different REs are not commingled. REs must also ensure that a non-disclosure agreement (NDA) remains in force even after the contract expires or is terminated.
Cross Border outsourcing
In cross-border outsourcing, the RE should continuously monitor the laws of the country in which the service provider is located and put mitigation measures in place proportionate to that risk. Where data is stored or processed outside India, the Directions provide that the jurisdiction of the courts of that foreign country should not extend to the operations of the RE in India merely because the data is stored or processed there, even where the underlying transactions are carried out in India. REs must also retain the right to audit service providers located outside India.
The RBI has been proactive in implementing compliance regimes that hold both REs and their service providers accountable, including the layers of subcontractors that may deliver outsourced services. Beyond ensuring compliance, the RBI appears to be extending its reach through the RE, which will have a significant impact on the fintech and IT services industries. Under these Directions, all vendors, consultants, and sub-contractors of third parties are responsible for meeting their obligations. Although the Directions refer to the type of work and the period for which services are provided to the RE, the language is broad, which may impose onerous compliance obligations on service providers.
In addition, the obligation on a service provider to report cyber incidents under these Directions may prove challenging, because reporting is required within one hour of discovering the incident. This is more stringent than the recently issued CERT-In directions, which provide a timeline of six hours for reporting such incidents. Only time will tell how compliance will be ensured by consultants, agents and similar parties, as the Directions do not prescribe any process for reporting incidents.
Disclaimer: This is an effort by Lexcomply.com to contribute towards improving the compliance management regime. Users are advised not to construe this service as legal opinion and to seek the views of subject-matter experts.