The Reserve Bank of India (RBI) said on Thursday that banks and other financial institutions outsourcing their information technology (IT) services to third parties must ensure that such arrangements do not affect their obligations to customers. Banks will not have to obtain central bank approval to enter into such outsourcing arrangements, the RBI said, noting that such arrangements will be subject to periodic inspection.
The central bank, in its monetary policy in June, highlighted the problem by indicating that the outsourcing of IT services exposes financial institutions to certain risks. The RBI has therefore issued the guidelines for financial institutions to deploy risk management systems to cover outsourced IT services.
“Outsourcing any activity of the RE (regulated entity) will not diminish its obligations, as well as those of its board of directors and senior management, who will be ultimately responsible for the outsourced activity,” said the RBI in a main circular.
In accordance with the guidelines, regular commercial banks, local banks, small financial banks, payment banks, certain cooperative banks, non-banking financial companies (NBFCs), credit information companies and other public financial entities should follow these guidelines.
Financial institutions will need to put in place a risk management framework for outsourcing IT services that sets out the processes and responsibilities for identifying and managing these risks. Banks should grant the selected service provider only limited access to customer information. Banks and financial institutions will remain responsible for protecting the privacy of customer data, the RBI said.
In cases where a single IT service provider is chosen by multiple financial institutions, the service provider may not combine their customer data. The service provider is required to notify the financial institutions of any data breach or loss within one hour of detection. Where financial institutions have outsourced IT services to a foreign entity, they will need to monitor and review that entity’s financial condition and reputation in its host country. Existing RBI guidelines will continue to apply to such outsourcing, the central bank said.
The RBI has also ordered banks and financial institutions to put in place a business continuity and disaster recovery plan in case the service provider terminates the contract unexpectedly or in the event of a major breach. Financial institutions will need to put in place a management structure to monitor and control outsourced IT activities, which will include performance monitoring and the service provider’s incident response mechanism. Financial institutions will need to plan an exit strategy while ensuring business continuity during and after exit.