The Reserve Bank of India (RBI) on Monday released new norms for the outsourcing of information technology and associated services by financial entities. The new norms will come into effect from October 1 this year.
The new norms are applicable to all regulated entities, including banking companies, corresponding new banks, primary cooperative banks, non-banking financial companies (NBFCs), credit information companies, EXIM Bank, National Bank for Agriculture and Rural Development (NABARD), National Bank for Financing Infrastructure and Development (NaBFID), National Housing Bank (NHB) and Small Industries Development Bank of India (SIDBI), amongst others.
The RBI says that in the case of foreign banks operating in India through branch mode, "a reference to the board or board of directors in these norms should be read as a reference to the head office or controlling office which has the oversight over the branch operations in India." "Further, such foreign banks shall be subject to a ‘comply or explain’ approach wherein such foreign banks may deviate from any specific part of these norms subject to examination and acceptance by the RBI of a reasonably justifiable explanation for the same," RBI adds.
With respect to existing outsourcing arrangements that are already in force, the apex bank has given 12 months to comply with the new norms. "The agreements that are due for renewal before October 1, 2023, shall comply with the provisions of these Directions as on the renewal date (preferably), but not later than 12 months from the date of issuance of this Master Direction," RBI says in a circular.
With respect to new outsourcing arrangements for agreements that come into force before October 1, 2023, the RBI says the regulated entities must comply with the new norms preferably from the agreement date but not later than 12 months from the date of issuance of the norms by the apex bank.
According to the RBI, in order to ensure a robust regulatory framework, the regulated entities shall ensure that the service provider is not owned or controlled by any director, key managerial personnel, or approver of the outsourcing arrangement of the entity, or their relatives. "An RE (regulated entity) intending to outsource any of its IT activities shall put in place a comprehensive Board approved IT outsourcing policy. The policy shall incorporate, inter alia, the roles and responsibilities of the Board, Committees of the Board (if any) and Senior Management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services," the circular says.
"It shall further cover the criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria, a delegation of authority depending on risk and materiality, disaster recovery and business continuity plans, systems to monitor and review the operations of these activities and termination processes and exit strategies, including business continuity in the event of a third-party service provider exiting the outsourcing arrangement," it adds.
According to the new norms, for grievance redressal, the entities shall have a robust mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the entities.
"Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws," RBI says.