The Reserve Bank of India (RBI) has put forward a few norms for the outsourcing of IT services to ring-fence banks, NBFCs, Credit Information Companies and other Regulated Entities (RE) from financial, operational and reputational risks. The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. REs desirous of outsourcing of IT and IT enabled services shall not require prior approval from RBI. However, such arrangements shall be subject to on-site/ off-site monitoring and inspection/ scrutiny by the supervising authority. The REs would be required to put in place a comprehensive board-approved IT outsourcing policy.
As per the draft, a risk management framework for the outsourcing of IT services should comprehensively deal with the processes and responsibilities for the identification, measurement, mitigation/ management and reporting of risks associated with outsourcing.
Entities regulated by the RBI should also require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Click here to access the Draft Master Direction
