RBI’s stringent IT outsourcing regulations set to uplift corporate governance, say experts

RBI’s IT outsourcing rules enhance corporate governance and safeguard consumers, lauded for comprehensive approach in the BFSI sector.

The Reserve Bank of India’s (RBI) new regulation on the outsourcing of IT services by banking sector entities is aimed at improving corporate governance and protecting the interests of consumers, say industry experts. The new norms come as a response to the current practice of regulated entities extensively leveraging IT and IT-enabled services to support their business models and the products and services being offered to customers.

The Master Direction on ‘Outsourcing of Information Technology Services’ issued by the RBI will come into effect from October 1, 2023. The underlying principle of the Master Direction is to ensure that outsourcing arrangements neither diminish regulated entities’ ability to fulfill their obligations to customers nor impede effective supervision by the RBI.

Experts have lauded the RBI’s move, saying that strong corporate governance practices and comprehensive risk management frameworks are imperative to enhance the resilience of the BFSI sector in India. Monish G Chatrath, Managing Partner, MGC Global Risk Advisory LLP, said that the directives have brought under purview those IT and ITeS tasks that have the potential to significantly impact the business operations of regulated entities in the event of a disruption or compromise and those that can have a material impact on the customers of the regulated entities in the event of any unauthorized access, loss, or theft of customer information.

Siddhartha Tipnis, Partner, Deloitte India, said that the RBI’s directives provide key foundational broad strokes to regulated entities for managing technology outsourcing relationships across the continuum: Evaluation – Onboarding – Service Experience/Management – Performance Management – Ongoing Risk/Compliance Management – Overall Relationship Management. This framework is expected to bring in a lot more rigour as to how regulated entities manage these business-critical relationships and mature their operating models, processes, systems, and streamline/formalize some intuitively followed practices around technology outsourcing.

According to the RBI, regulated entities have put in place a risk management framework that “shall comprehensively deal” with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with outsourcing of IT services arrangements.

Shreya Suri, Partner, IndusLaw, opined that the master directions were an anticipated development, given the proactive approach of RBI in relation to developments and innovations in the digital and technology space. While a certain degree of dependency of regulated entities on critical IT services has been customary, with the coming of the pandemic and the movement of many sectors, including the financial sector, to the online space, this dependency has been at a steep incline, Suri said.

As per the Master Direction, a regulated entity intending to outsource any of its IT activities will have to put in place a comprehensive board-approved IT outsourcing policy. The policy should incorporate, inter alia, the roles and responsibilities of the board, committees of the board (if any), and senior management, IT function, business function, as well as oversight and assurance functions in respect of outsourcing of IT services. The experts suggest that the directives will be an important part of the board agenda this season and that key committees and groups are likely to oversee implementation.