RBI's norms on outsourcing IT services will improve corporate governance

Reserve Bank's regulation on outsourcing of IT services by banking sector entities is aimed at improving corporate governance and will protect the interest of consumers, say industry experts.

The Reserve Bank of India (RBI) has recently come out with detailed norms for the outsourcing of IT services by banks, NBFCs and other regulated financial sector entities to ensure that such arrangements do not undermine their responsibilities and obligations to customers.

These norms came in the backdrop of the current practice of regulated entities (REs) of extensively leveraging IT and IT-enabled services (ITeS) to support their business models and also the products and services being offered to customers.

Commenting on the Master Direction issued by the RBI on 'Outsourcing of Information Technology Services', Monish G Chatrath, Managing Partner, MGC Global Risk Advisory LLP, said, "Strong corporate governance practices and comprehensive risk management frameworks are aspects that are imperative to enhance the resilience of the BFSI sector in India. This is a significant development that is in the best interests of the consumers...".

He further said the directions have brought under purview those IT & ITeS tasks that have the potential to significantly impact the business operations of regulated entities in the event of a disruption or compromise and those that can have material impact on the customers of the regulated entities in the event of any unauthorised access, loss or theft of customer information.

The Master Direction on 'Outsourcing of Information Technology Services' will come into effect from October 1, 2023. The RBI said the underlying principle of the Master Direction is to ensure that outsourcing arrangements neither diminish REs' ability to fulfil its obligations to customers nor impede effective supervision by the RBI.

Siddhartha Tipnis, Partner, Deloitte India, said the RBI's directives provide key foundational broad strokes to regulated entities for managing technology outsourcing relationships across the continuum: Evaluation Onboarding Service Experience/Management Performance Management Ongoing Risk/Compliance Management Overall Relationship Management.

This framework, Tipnis said, will bring in a lot more rigour as to how REs manage these business critical relationships and is expected to mature RE operating models, processes, systems and streamline/formalise some intuitively followed practices around technology outsourcing.

"With less than 180 days for the directives to become effective, we certainly see this topic being an important part of Board agenda this season. Key RE committees/ groups such as Risk Management Group, Information Security group, amongst others are likely to oversee implementation," Tipnis added.

As per the RBI, REs have put in place a risk management framework that "shall comprehensively deal" with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with outsourcing of IT services arrangements.

Shreya Suri, Partner, IndusLaw, opined that the master directions were an anticipated development, given the proactive approach of RBI in relation to developments and innovations in the digital and technology space.

While certain degree of dependency of regulated entities on critical IT services has been customary, with the coming of pandemic and the movement of many sectors including financial sector to the online space, this dependency has been at a steep incline, Suri said.

"Prior to the master directions, the prevalent outsourcing guidelines were scattered for different classes of REs, however, the master directions attempt to streamline and unify the regulations for all REs," Suri said.

As per the Master Direction, an RE intending to outsource any of its IT activities will have to put in place a comprehensive board-approved IT outsourcing policy.

The policy should incorporate, inter alia, the roles and responsibilities of the board, committees of the board (if any), and senior management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services.