RBI: Master Direction on Outsourcing of Information Technology Services


DoS.CO.CSITEG/SEC.1/31.01.015/2023-24                                                                                    10th April 2023

Summary of the Circular:


Regulated Entities (REs) outsource a substantial portion of their IT activities to third parties, which exposes them to various risks. In order to ensure effective management of such risks, RBI issued a draft Master Direction on Outsourcing IT Services in June 2022. Based on the feedback received, RBI released a finalized version of Master Direction on Outsourcing of Information Technology Services on April 10, 2023.

Applicability of the Circular:

These Directions shall be applicable to the following entities, collectively referred to as ‘regulated entities’ or ’REs’:

  1. Scheduled Commercial Banks (excluding Regional Rural Banks).
  2. Local Area Banks.
  3. Small Finance Banks.
  4. Payments Banks.
  5. Primary (Urban) Co-operative Banks
  6. Non-Banking Financial Companies
  7. Credit Information Companies
  8. All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)

Implementation Schedule for the Circular:

The master directions shall be effective from 1st October 2023.

Key Pointers from the Master Direction:

  • The Master Direction defines 22 controls which are segregated into 10 chapters:
    • Preliminary
    • Role of the Regulated Entity
    • Governance Framework
    • Evaluation and Engagement of Service Providers
    • Outsourcing Agreement
    • Risk Management
    • Monitoring and Control of Outsourced Activities
    • Outsourcing within a Group / Conglomerate
    • Cross-Border Outsourcing
    • Exit Strategy
  • Chapter I:
  • With respect to existing outsourcing arrangements that are already in force, REs must ensure that the agreements due for renewal before October 1, 2023, must comply with the provisions of these Directions as on the renewal date or 12 months from the date of issuance of this Master Direction. The agreements that are due for renewal on or after October 1, 2023, must comply with the provisions of these Directions as on the renewal date or 36 months from the date of issuance of this Master Direction, whichever is earlier.
  • With respect to new outsourcing arrangements, REs must ensure that the agreements that come into force before October 1, 2023, must comply with the provisions of this Direction as on the renewal date or 12 months from the date of issuance of this Master Direction and the agreements that come into force on or after October 1, 2023, must comply with the provisions of these Directions from the date of the agreement itself.
  • Outsourcing of IT Services includes outsourcing the following activities:
    • IT infrastructure management, maintenance, and support (hardware, software, or firmware)
    • Network and security solutions, maintenance (hardware, software, or firmware).
    • Application Development, Maintenance, and Testing; Application Service Providers (ASPs) including ATM Switch ASPs
    • Services and operations related to Data Centres
    • Cloud Computing Services
    • Managed Security Services
    • Management of IT infrastructure and technology services associated with the payment system ecosystem.
  • Chapter II:
    • Board and Senior Management shall be ultimately responsible for the outsourced activity.
    • REs shall evaluate the need for Outsourcing of IT Services based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks.
    • REs shall ensure that the service provider shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives
    • All relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, shall be considered when performing due diligence in relation to outsourcing of IT services
    • Responsibility for the redressal of customers’ grievances related to outsourced services shall rest with the RE.
    • Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws
    • REs shall create an inventory of services provided by the service providers (including key entities involved in their supply chains) and map their dependency on third parties and periodically evaluate the information received from the service providers.
  • Chapter III:
    • REs shall put in place a comprehensive Board approved IT outsourcing policy that includes the roles and responsibilities of the Board, the Senior Management, and the IT function as well as the criteria for the selection of such activities and the service providers.
  • Chapter IV:
    • Appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis and a risk-based approach shall be adopted in conducting such due diligence activities.
    • Due diligence shall involve evaluation of all available information, as applicable, about the service provider, including but not limited to past experience and demonstrated competence, financial soundness, business reputation, conflict of interest, external factors, details of the technology, infrastructure stability, capability to comply with the regulatory and legal requirements, information/ cyber security risk assessment.
  • Chapter V:
    • The terms and conditions governing the contract shall be carefully defined and vetted by the RE’s legal counsel for their legal effect and enforceability.
    • The agreement at a minimum should include:
      • details of the activity being outsourced
      • effective access by the RE to all data, books, records, information, logs, alerts and business premises relevant to the outsourced activity
      • regular monitoring and assessment of the service provider
      • type of adverse events and incidents required to be reported
      • compliance with the provisions of Information Technology Act, 2000
      • the deliverables and Service-Level Agreements (SLAs)
      • storage of data only in India
      • service provider to provide details of data captured, processed and stored
      • controls for maintaining confidentiality of data
      • types of data that the service provider is permitted to share with RE’s customer or any other party
      • specifying the resolution process, events of default, indemnities, remedies and recourse available
      • contingency plans
      • right to conduct audit of the service provider
      • right to seek information from the service provider about the third parties in their supply chain
      • allow RBI or person(s) authorised by it to access the RE's IT infrastructure, applications, data, documents, and other necessary information
      • the service provider is contractually liable for the performance and risk management practices of its sub-contractors
      • obligation of the service provider to comply with directions issued by the RBI
      • requirement of prior approval/ consent of the RE for use of subcontractors by the service provider
      • termination rights of the RE
      • obligation of the service provider to co-operate with the relevant authorities in case of insolvency/ resolution of the RE
      • provision to consider skilled resources of service provider
      • suitable back-to-back arrangements between service providers and the OEMs
      • non-disclosure agreement (NDA).
  • Chapter VI:
    • REs shall put in place a Risk Management framework for Outsourcing of IT Services that shall comprehensively deal with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with Outsourcing of IT Services arrangements
    • The risk assessments carried out by the REs shall be documented with necessary approvals in line with the roles and responsibilities as determined by the Board-approved policy.
    • REs shall be responsible for the confidentiality and integrity of data.
    • Access to data at RE’s location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse
    • Access to data at RE’s location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse.
    • REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. Access to customer information by staff of the service provider shall be on need-to-know basis.
    • In the event of multiple service provider relationships where two or more service providers collaborate to deliver an end-to-end solution, the RE remains responsible for understanding and monitoring the control environment of all service providers that have access to the RE’s data, systems, records or resources
    • Cyber incidents must be reported to the RE by the service provider without undue delay, so that the incident is reported by the RE to the RBI within 6 hours of detection by the TPSP
    • The REs shall review and monitor the control processes and security practices of the service provider to disclose security breaches.
    • REs shall adhere to the extant instructions issued by RBI from time to time on Incident Response and Recovery Management.
    • REs shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider
    • REs shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
    • REs shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in an emergency.
  • Chapter VII:
    • REs shall have in place a management structure to monitor and control its Outsourced IT activities.
    • RE shall conduct regular audits of service providers as applicable to the scope of Outsourced IT Services.
    • In scenarios where more than one RE may be availing services from the same third-party service provider, they may adopt pooled (shared) audit.
    • The frequency of the audit shall be determined based on the nature and extent of risk and impact to the RE from the outsourcing arrangements.
    • REs, depending upon the risk assessment, may also rely upon globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits
    • The RE shall periodically review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations
    • In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers of the RE, the same shall be given due publicity by the RE so as to ensure that the customers stop dealing with the concerned service provider.
  • Chapter VIII:
    • A RE may outsource any IT activity/ IT enabled service within its business group/ conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/ agreements with its group entities are in place.
  • Chapter IX:
    • The engagement of a service provider based in a different jurisdiction exposes the RE to country risk. To manage such risk, the RE shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis.
    • The right of the RE and the RBI to direct and conduct audit or inspection of the service provider based in a foreign jurisdiction shall be ensured.
  • Chapter X:
    • The Outsourcing of IT Services policy shall contain a clear exit strategy regarding outsourced IT activities/ IT enabled services, while ensuring business continuity during and after exit.
    • REs shall ensure that the agreement has necessary clauses on safe removal/ destruction of data, hardware and all records (digital and physical), as applicable.
    • The service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator/ concerned RE.
  • The Master Direction also includes three appendices regarding:
  • Usage of Cloud Computing Services
  • Outsourcing of Security Operations Centre (SOC)
  • Services not considered under Outsourcing of IT Services
  • Appendix – I (Usage of Cloud Computing Services):
    • The business strategy and goals adopted to the current IT applications footprint and associated costs must be analysed
    • The Outsourcing of IT Services policy must address the entire lifecycle of data from generation of the data, its entry into the cloud, till the data is permanently erased/ deleted
    • REs shall consider the factors of multi-tenancy, multi-location storing / processing of data, etc., and attendant risks, while establishing appropriate risk management framework
    • REs shall adopt and demonstrate a well-established and documented cloud adoption policy that provide for appropriate due diligence to manage and continually monitor the risks associated with CSPs
    • REs shall prefer a technology architecture that provides for secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the RE.
    • IAM shall be agreed upon with the CSP and ensured for providing role-based access to the cloud hosted applications
    • Implementation of security controls in the cloud-based application must achieve similar or higher degree of control objectives than those achieved by on-premise application
    • REs shall accurately define minimum monitoring requirements in the cloud environment.
    • Integration of logs, events from the CSP into the RE’s SOC, wherever applicable and retention of relevant logs in cloud shall be ensured for incident reporting
    • REs shall ensure that CSPs have a well-governed and structured approach to manage threats and vulnerabilities
    • Robust incident response and recovery practices including conduct of Disaster Recovery (DR) drills at various levels of cloud services including necessary stakeholders.
  • Appendix – II (Outsourcing of Security Operations Centre (SOC)):
    • Unambiguously identify the owner of assets used in providing the services
    • Ensure that the RE has adequate oversight and ownership over the rule definition, customisation and related data/ logs, meta-data and analytics
    • Assess periodically all physical facilities involved in service delivery, such as the SOC and areas where client data is stored / processed
    • Integrate the outsourced SOC reporting and escalation process with the RE’s incident response process
  • Appendix – III (Services not considered under Outsourcing of IT Services):
    • Services / Activities not considered under “Outsourcing of IT Services” for the purpose of this Master Direction:
      • Corporate Internet Banking services
      • External audit such as Vulnerability Assessment/ Penetration Testing (VA/PT), Information Systems Audit, security review
      • SMS gateways
      • Procurement of IT hardware/ appliances
      • Acquisition of IT software/ product/ application on a licence or subscription basis
      • Any maintenance service for IT Infra or licensed products, provided by the OEM
      • Applications provided by financial sector regulators or institutions like CCIL, NSE, BSE, etc.
      • Services obtained by a RE as a sub-member of a Centralised Payment Systems (CPS) from another RE
      • Business Correspondent (BC) services, payroll processing, statement printing
  • Vendors / Entities who are not considered as Third-Party Service Provider for the purpose of this Master Direction:
    • Vendors providing business services using IT
    • Payment System Operators authorised by the RBI
    • Partnership based Fintech firms providing co-branded applications, service, products
    • Services of Fintech firms for data retrieval, data validation and verification services such as Bank statement analysis, GST returns analysis, Fetching of vehicle information, Digital document execution, Data entry and Call centre service
    • Telecom Service Providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of the data
    • Security/ Audit Consultants appointed for certification/ audit/ VA-PT related to IT infra/ IT services/ Information Security services.
Article Written by CyRAACS Team
Transform your business and manage risk with your trusted cyber security partner
CYRAAC Services Private Limited
3rd floor, 22, Gopalan Innovation Mall, Bannerghatta Main Road, JP Nagar Phase 3, Bengaluru, Bengaluru Urban, Karnataka-560076
Company CIN: U74999KA2017PTC104449
In Case Of Any Grievances Or Queries Please Contact -
Murari Shanker (MS) Co-Founder and CTO
Email ID: [email protected]
Contact number: +918553004777
crossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram