In order to ensure effective management of the risks associated with outsourcing of IT activities by banks, non-bank financial companies and other regulated entities, the Reserve Bank of India (RBI) has issued a draft “Principal Directorate on outsourcing of IT services”.
Regulated entities have made extensive use of IT and IT-based services to support their business models and the products and services offered to their customers, and they also outsource a substantial part of their IT activities to third parties, which exposes entities to significant risk, the central bank says.
The draft has been released for comment by stakeholders and members of the public. The deadline for comments and feedback is July 22, 2022.
The draft stated that the underlying principle is that regulated entities should ensure that outsourcing arrangements do not diminish their ability to meet their obligations to customers or impede effective oversight by the supervisory authority.
Regulated entities wishing to outsource IT services will not need prior approval from the RBI, the draft says, adding that such arrangements will however be subject to on-site or off-site monitoring, inspection and review by the supervisory authority.
Further, the draft indicates that regulated entities should assess the need to outsource IT services based on a comprehensive assessment of the benefits, risks and the availability of proportionate processes to manage those risks.
In this process, they must take into account important aspects, such as determining the need for outsourcing according to the criticality of the activity to be outsourced, determining the expectations or results of the outsourcing, determining the success factors and cost-benefit analysis, and choosing the outsourcing model.
Regarding the grievance mechanism, the draft indicates that the responsibility for resolving customer grievances related to outsourced services will lie with the regulated entities.
The RBI has expressed concern about the risks of cross-border outsourcing, saying that engaging a service provider based in a different jurisdiction poses risks.
“To manage this risk, the regulated entity should closely monitor the government policies of the service provider’s country and its political, social, economic and legal conditions on an ongoing basis, and establish robust procedures to mitigate country risk. This includes, among other things, having appropriate contingency and exit strategies. In addition, it must be ensured that the availability of records for the regulated entity and the supervisory authority will not be affected even in the event of the liquidation of the service provider,” the draft says.
Finally, the draft indicates that the IT outsourcing policy should contain a clear exit strategy with respect to outsourced IT activities or IT services while ensuring business continuity during and after exit.