RBI: Master Direction on Outsourcing of Information Technology Services
DoS.CO.CSITEG/SEC.1/31.01.015/2023-24 10th April 2023
Summary of the Circular:
Regulated Entities (REs) outsource a substantial portion of their IT activities to third parties, which exposes them to various risks. In order to ensure effective management of such risks, RBI issued a draft Master Direction on Outsourcing IT Services in June 2022. Based on the feedback received, RBI released a finalized version of Master Direction on Outsourcing of Information Technology Services on April 10, 2023.
Applicability of the Circular:
These Directions shall be applicable to the following entities, collectively referred to as ‘regulated entities’ or ’REs’:
All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)
Implementation Schedule for the Circular:
The master directions shall be effective from 1st October 2023.
Key Pointers from the Master Direction:
The Master Direction defines 22 controls which are segregated into 10 chapters:
Role of the Regulated Entity
Evaluation and Engagement of Service Providers
Monitoring and Control of Outsourced Activities
Outsourcing within a Group / Conglomerate
With respect to existing outsourcing arrangements already in force, REs must ensure that agreements due for renewal before October 1, 2023 comply with the provisions of these Directions as on the renewal date or 12 months from the date of issuance of this Master Direction. Agreements due for renewal on or after October 1, 2023 must comply with the provisions of these Directions as on the renewal date or 36 months from the date of issuance of this Master Direction, whichever is earlier.
With respect to new outsourcing arrangements, REs must ensure that agreements coming into force before October 1, 2023 comply with the provisions of these Directions as on the renewal date or 12 months from the date of issuance of this Master Direction, and that agreements coming into force on or after October 1, 2023 comply with the provisions of these Directions from the date of the agreement itself.
Outsourcing of IT Services includes outsourcing the following activities:
IT infrastructure management, maintenance, and support (hardware, software, or firmware)
Network and security solutions and their maintenance (hardware, software, or firmware)
Application Development, Maintenance, and Testing; Application Service Providers (ASPs) including ATM Switch ASPs
Services and operations related to Data Centres
Cloud Computing Services
Managed Security Services
Management of IT infrastructure and technology services associated with the payment system ecosystem.
Board and Senior Management shall be ultimately responsible for the outsourced activity.
REs shall evaluate the need for Outsourcing of IT Services based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks.
REs shall ensure that the service provider shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives
All relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, shall be considered when performing due diligence in relation to outsourcing of IT services
Responsibility for the redressal of customers’ grievances related to outsourced services shall rest with the RE.
Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws
REs shall create an inventory of services provided by the service providers (including key entities involved in their supply chains) and map their dependency on third parties and periodically evaluate the information received from the service providers.
REs shall put in place a comprehensive Board approved IT outsourcing policy that includes the roles and responsibilities of the Board, the Senior Management, and the IT function as well as the criteria for the selection of such activities and the service providers.
Appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis and a risk-based approach shall be adopted in conducting such due diligence activities.
Due diligence shall involve evaluation of all available information, as applicable, about the service provider, including but not limited to past experience and demonstrated competence, financial soundness, business reputation, conflict of interest, external factors, details of the technology, infrastructure stability, capability to comply with the regulatory and legal requirements, information/ cyber security risk assessment.
The terms and conditions governing the contract shall be carefully defined and vetted by the RE’s legal counsel for their legal effect and enforceability.
The agreement at a minimum should include:
details of the activity being outsourced
effective access by the RE to all data, books, records, information, logs, alerts and business premises relevant to the outsourced activity
regular monitoring and assessment of the service provider
type of adverse events and incidents required to be reported
compliance with the provisions of Information Technology Act, 2000
the deliverables and Service-Level Agreements (SLAs)
storage of data only in India
service provider to provide details of data captured, processed and stored
controls for maintaining confidentiality of data
types of data that the service provider is permitted to share with RE’s customer or any other party
specifying the resolution process, events of default, indemnities, remedies and recourse available
right to conduct audit of the service provider
right to seek information from the service provider about the third parties in their supply chain
allow RBI or person(s) authorised by it to access the RE's IT infrastructure, applications, data, documents, and other necessary information
the service provider is contractually liable for the performance and risk management practices of its sub-contractors
obligation of the service provider to comply with directions issued by the RBI
requirement of prior approval/ consent of the RE for use of subcontractors by the service provider
termination rights of the RE
obligation of the service provider to co-operate with the relevant authorities in case of insolvency/ resolution of the RE
provision to consider skilled resources of service provider
suitable back-to-back arrangements between service providers and the OEMs
non-disclosure agreement (NDA).
REs shall put in place a Risk Management framework for Outsourcing of IT Services that shall comprehensively deal with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with Outsourcing of IT Services arrangements
The risk assessments carried out by the REs shall be documented with necessary approvals in line with the roles and responsibilities as determined by the Board-approved policy.
REs shall be responsible for the confidentiality and integrity of data.
Access to data at RE’s location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse
REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. Access to customer information by staff of the service provider shall be on need-to-know basis.
In the event of multiple service provider relationships where two or more service providers collaborate to deliver an end-to-end solution, the RE remains responsible for understanding and monitoring the control environment of all service providers that have access to the RE’s data, systems, records or resources
Cyber incidents must be reported to the RE by the service provider without undue delay, so that the RE can report the incident to the RBI within 6 hours of its detection by the third-party service provider (TPSP).
REs shall review and monitor the control processes and security practices of the service provider so that security breaches are disclosed.
REs shall adhere to the extant instructions issued by RBI from time to time on Incident Response and Recovery Management.
REs shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider
REs shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
REs shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in an emergency.
REs shall have in place a management structure to monitor and control its Outsourced IT activities.
RE shall conduct regular audits of service providers as applicable to the scope of Outsourced IT Services.
In scenarios where more than one RE may be availing services from the same third-party service provider, they may adopt pooled (shared) audit.
The frequency of the audit shall be determined based on the nature and extent of risk and impact to the RE from the outsourcing arrangements.
REs, depending upon the risk assessment, may also rely upon globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits
The RE shall periodically review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations
In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers of the RE, the same shall be given due publicity by the RE so as to ensure that the customers stop dealing with the concerned service provider.
A RE may outsource any IT activity/ IT enabled service within its business group/ conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/ agreements with its group entities are in place.
The engagement of a service provider based in a different jurisdiction exposes the RE to country risk. To manage such risk, the RE shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis.
The right of the RE and the RBI to direct and conduct audit or inspection of the service provider based in a foreign jurisdiction shall be ensured.
The Outsourcing of IT Services policy shall contain a clear exit strategy regarding outsourced IT activities/ IT enabled services, while ensuring business continuity during and after exit.
REs shall ensure that the agreement has necessary clauses on safe removal/ destruction of data, hardware and all records (digital and physical), as applicable.
The service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator/ concerned RE.
The Master Direction also includes three appendices regarding:
Usage of Cloud Computing Services
Outsourcing of Security Operations Centre (SOC)
Services not considered under Outsourcing of IT Services
Appendix – I (Usage of Cloud Computing Services):
The business strategy and goals, together with the current IT application footprint and its associated costs, must be analysed.
The Outsourcing of IT Services policy must address the entire lifecycle of data from generation of the data, its entry into the cloud, till the data is permanently erased/ deleted
REs shall consider the factors of multi-tenancy, multi-location storing / processing of data, etc., and attendant risks, while establishing appropriate risk management framework
REs shall adopt and demonstrate a well-established and documented cloud adoption policy that provides for appropriate due diligence to manage and continually monitor the risks associated with Cloud Service Providers (CSPs).
REs shall prefer a technology architecture that provides for secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the RE.
Identity and Access Management (IAM) arrangements shall be agreed upon with the CSP and enforced so as to provide role-based access to the cloud-hosted applications.
Implementation of security controls in a cloud-based application must achieve the same or a higher degree of control objectives than those achieved by the equivalent on-premises application.
REs shall accurately define minimum monitoring requirements in the cloud environment.
Integration of logs, events from the CSP into the RE’s SOC, wherever applicable and retention of relevant logs in cloud shall be ensured for incident reporting
REs shall ensure that CSPs have a well-governed and structured approach to manage threats and vulnerabilities
REs shall ensure robust incident response and recovery practices, including the conduct of Disaster Recovery (DR) drills at the various levels of the cloud services and involving the necessary stakeholders.
Appendix – II (Outsourcing of Security Operations Centre (SOC)):
Unambiguously identify the owner of assets used in providing the services
Ensure that the RE has adequate oversight and ownership over the rule definition, customisation and related data/ logs, meta-data and analytics
Assess periodically all physical facilities involved in service delivery, such as the SOC and areas where client data is stored / processed
Integrate the outsourced SOC reporting and escalation process with the RE’s incident response process
Appendix – III (Services not considered under Outsourcing of IT Services):
Services / Activities not considered under “Outsourcing of IT Services” for the purpose of this Master Direction:
Corporate Internet Banking services
External audit such as Vulnerability Assessment/ Penetration Testing (VA/PT), Information Systems Audit, security review
Procurement of IT hardware/ appliances
Acquisition of IT software/ product/ application on a licence or subscription basis
Any maintenance service for IT Infra or licensed products, provided by the OEM
Applications provided by financial sector regulators or institutions like CCIL, NSE, BSE, etc.
Services obtained by a RE as a sub-member of a Centralised Payment Systems (CPS) from another RE
Business Correspondent (BC) services, payroll processing, statement printing
Vendors / Entities who are not considered as Third-Party Service Provider for the purpose of this Master Direction:
Vendors providing business services using IT
Payment System Operators authorised by the RBI
Partnership based Fintech firms providing co-branded applications, service, products
Services of Fintech firms for data retrieval, data validation and verification services such as Bank statement analysis, GST returns analysis, Fetching of vehicle information, Digital document execution, Data entry and Call centre service
Telecom Service Providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of the data
Security/ Audit Consultants appointed for certification/ audit/ VA-PT related to IT infra/ IT services/ Information Security services.