Regulated Entities (REs) (as defined below) have been extensively leveraging Information Technology (IT) and IT-enabled services (ITeS) to support their business models and the products and services offered to their customers. REs also outsource a substantial portion of their IT activities to third parties. Such reliance on IT/ITeS provided by third parties exposes the REs to significant risks.
To address such risks, RBI has issued Draft Directions, namely the Reserve Bank of India (Outsourcing of IT Services) Directions, 2022 (“Directions”). It is pertinent to mention that these Directions are still at the Draft stage and have not become effective as of date. Given RBI's long-held stance on enacting these Directions and their possible implications for entities, it is imperative to understand the impact that these Directions may bring.
Some of the key features of the Draft Directions include:
The provisions of these Directions are applicable to the following Regulated Entities (“RE”):
a) Scheduled Commercial Banks (excluding Regional Rural Banks);
b) Local Area Banks;
c) Small Finance Banks;
d) Payments Banks;
e) Primary (Urban) Co-operative Banks having asset size of ₹1000 crore and above;
f) Non-Banking Financial Companies in Top, Upper and Middle Layers;
g) Credit Information Companies; and
h) All India Financial Institutions (NHB, NABARD, SIDBI, EXIM Bank and NaBFID).
Material Outsourcing of IT Services
These Directions shall apply to material Outsourcing of IT Services arrangements entered into by the REs. Material outsourcing arrangements are those which, if disrupted or compromised, have the potential to (i) significantly impact either (a) the RE’s business operations, reputation, strategic plans or profitability, or (b) the RE’s ability to manage risk and comply with applicable laws and regulations; or (ii) in the event of any unauthorised access, loss or theft of customer information, have a material impact on the RE’s customers. Further, REs may consider applying these Directions to their non-material Outsourcing of IT Services arrangements as well, if felt necessary, depending upon the risk perceived.
The agreement shall be sufficiently flexible to allow the RE to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent, principal or otherwise.
Some key areas that should be covered by the agreement (as applicable to the scope of Outsourcing of IT Services) are as follows:
a) definition of the IT activity being outsourced, including appropriate service and performance standards including for the sub-contractors, if any;
b) effective access by the RE to all data, books, records, information, logs, alerts and business premises relevant to the outsourced activity, available with the service provider;
c) continuous monitoring and assessment of the service provider by the RE, so that any necessary corrective measure can be taken immediately, including a termination clause and a minimum period to execute such a provision, if deemed necessary;
d) type of material adverse events (e.g., data breaches, denial of service, service unavailability etc.) and incident reporting requirements to the RE to take prompt risk mitigation measures and ensure compliance with statutory and regulatory guidelines;
e) compliance with the provisions of IT Act, other applicable legal requirements and standards to protect the customer data;
f) the deliverables, including Service-Level Agreements (SLAs) formalising performance criteria to measure the quality and quantity of service levels;
g) storage of data (as applicable to the concerned REs) only in India as per extant regulatory requirements;
h) clauses requiring the service provider to provide details of data (related to RE and its customers) captured, processed and stored;
i) controls for maintaining confidentiality of data of the RE and its customers, and incorporating the service provider’s liability to the RE in the event of a security breach and leakage of such information;
j) types of data/ information that the service provider (vendor) is permitted to share with RE’s customer and / or any other party;
k) specifying the resolution process, events of default, indemnities, remedies, and recourse available to the respective parties;
l) contingency plan(s) to ensure business continuity and testing requirements;
m) right to conduct audit of the service provider by the RE, whether by its internal or external auditors, or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made about the service provider in conjunction with the services performed for the RE;
n) right to seek information from the service provider about the third parties (in the supply chain) engaged by the former;
o) recognising the authority of regulators to perform inspection of the service provider and any of its sub-contractors. Adding clauses to allow RBI or person(s) authorised by it to access the RE's IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the service provider and/ or its sub-contractors in relation to the outsourcing arrangement;
p) including clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors;
q) obligation of the service provider to comply with directions issued by the RBI in relation to the activities of the RE outsourced to the service provider;
r) clauses requiring prior approval /consent of the RE for use of sub-contractors by the service provider for all or part of an outsourced activity;
s) termination rights of the RE, including the ability to orderly transfer the proposed IT-outsourcing arrangement to another service provider, if necessary or desirable;
t) obligation of the service provider to co-operate with the relevant authorities in case of insolvency/ resolution of the RE;
u) provision to consider resources of the service provider who provide core services as “essential personnel”, so that a limited number of staff necessary to operate critical functions can work on-site during exigencies (including pandemic situations); and
v) clause requiring suitable back-to-back arrangements between service providers and the OEMs.
The REs are obligated to be responsible for the redressal of customer grievances and shall have a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing; i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RE. Further, outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws.
It appears that the service provider will now be responsible for any grievance that may emanate from a service provided by a third party, their agents, sub-contractors etc. There is no limit on the number of layers to which this obligation flows down, and the RE may be responsible for any and all grievances that originate far down the chain.
REs shall be responsible for the confidentiality and integrity of data / information pertaining to the customers that is available to the service provider. Also, access to data at RE’s location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse. In instances where service provider acts as an outsourcing agent for multiple REs, care shall be taken to build adequate safeguards so that there is no combining of information, documents, records and assets. REs shall ensure that a Non-Disclosure Agreement (NDA) is in place even after the contract expires/is terminated.
Reporting of Cyber Incidents
REs shall ensure that incidents, including cyber incidents and those resulting in disruption of service and data loss/ leakage are reported to them by the service provider immediately but not later than one hour of detection.
Business Continuity Plan
REs shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) commensurate with the nature and scope of the outsourced activity as per extant BCP/ DR requirements.
REs shall ensure that service providers are able to isolate the REs’ information, documents and records and other assets. This is to ensure that in adverse conditions and/or termination of the contract, all documents, record of transactions and information with the service provider and assets of the RE can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.
Storage of Data
The Draft Directions mention that the agreement for Outsourcing of IT Services shall mandate that the storage of data shall only be in India. REs shall ensure that the service provider grants unrestricted and effective access to a) data related to the outsourced activities and b) the relevant business premises of the service provider, subject to appropriate security protocols, for the purpose of effective oversight by the REs, their auditors, regulators and other relevant Competent Authorities, as authorised under law.
Monitoring and Control of Outsourced Activities
RE shall conduct regular audits (as applicable to the scope of Outsourcing of IT Services) of service providers (including sub-contractors) with regard to the activity outsourced by it. Such periodic audits shall assess the performance of the service provider, adequacy of the risk management practices adopted by the service provider, compliance with laws/regulations etc. The frequency of the audit shall be determined based on the nature and extent of risk and impact to the RE from the outsourcing arrangements.
The RE shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
RBI has been very proactive in formulating an effective regime to ensure compliance and to hold responsible not only the RE but also the service providers, including the layers of sub-contractors who might be providing outsourced services to the REs. It appears that RBI, while ensuring compliance, is also extending its reach via the RE, and the Directions are expected to have a wide impact on the fintech and other IT service industries. The obligations under these Directions are applicable to vendors, consultants etc. of third parties as well as to sub-contractors of third parties. While there are references to the kind of work and the period for which services are provided to the RE, the language is quite wide, and service providers may have to expect onerous compliance obligations as part of their services agreement with the RE.
Further, the obligation on a service provider to report cyber incidents under these Directions may prove challenging, since such reporting will have to be done within 1 hour of noticing the incident. This is more stringent than the recently issued CERT-In directions, which provide a timeline of 6 hours to report such an incident. Only time will tell how compliance will be ensured by consultants, agents and other third parties, and by sub-contractors of third parties. The Directions do not provide any process for reporting the incidents.
While these Directions may seem overarching, they are not unprecedented, as they draw similarity to the Guidelines on Outsourcing Arrangements issued by the European Banking Authority (EBA). While GDPR governs the data protection regime in Europe, in India RBI has been more proactive in ensuring data compliance. It is worth highlighting that India's data protection legislation is still under debate, has gone through many revisions and has at times lost the essence of its original intent.
In addition, the Directions also require service providers to develop and establish a robust framework for documenting, maintaining and testing a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). It is observed that the Directions refer to the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices 2022. As that Master Direction has not yet been issued by RBI, the full impact of the current Directions will only be ascertained after its issuance.