Topics In Demand
Notification
New

No notification found.

Reserve Bank of India (RBI) : Feedback on Draft Master Directions on ‘Outsourcing of IT Services’
Reserve Bank of India (RBI) : Feedback on Draft Master Directions on ‘Outsourcing of IT Services’

July 26, 2022

364

0

 

In June 2022, the Reserve Bank of India (RBI) released its draft master directions on ‘Outsourcing of IT Services(draft Master Directions). The draft Master Directions propose a risk management framework for outsourcing services including concentration risks, periodic risk requirements, breach reporting timelines, aspects of outsourcing to foreign service providers amongst others.

We submitted our feedback on the draft Master Directions in form of general and specific feedback. Our key recommendations include:

  1. Transition period

In para 1.2(b), the RBI had sought from the stakeholders to suggest a time frame for the adoption of the implementation of the Master Directions for existing agreements. In this regard, as per industry inputs, we suggested that a timeframe of 18-24 months be provided to REs to ensure that existing arrangements are revised/finalised in compliance with the Master Directions.

Recommendation: A timeframe of 18-24 months be provided to REs to align existing agreements with the Directions.

  1.  Materiality of workloads

Para 1.4: Purpose: The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. REs desirous of outsourcing of IT and IT enabled services shall not require prior approval from RBI. However, such arrangements shall be subject to on-site/ off-site monitoring and inspection/ scrutiny by the supervising authority.

These Directions shall apply to material Outsourcing of IT Services arrangements (as defined in para 1.7 below) entered by the REs.

The draft Master Direction proposes a principle-based approach towards regulating the relationship between the REs and their service providers, where the REs are required to assess the materiality of the workloads being outsourced, and accordingly set risk controls in their contracts/agreement with the service providers. Clause 1.4 limits the application of the draft Master Directions to material workloads.

However, as per industry inputs, we had been informed that vast majority of smaller REs are unable to accurately assess materiality of work-loads and overestimate the controls and measures required to protect some non-material loads, leading to significant obligations on the service providers and at considerable expense to the REs.

Recommendation: We recommended that the RBI may consider introducing a framework by which REs are able to identify material workloads. This would help REs align with the RBI’s intent on materiality and avoid unnecessary investments and expenses.

  1. Obligations on service providers post termination of services

Para 11.3 - REs shall require the service provider to preserve documents as required by law and take suitable steps to ensure that REs’ interests are protected, even post termination of the services. REs may execute a non-disclosure agreement with respect to information retained by the service provider.

We noted that the service providers have a contractual relationship with the regulated entities – which ceases after the contract expires or is terminated. The requirement to ensure that the regulated entities’ interests are protected, even after the termination of the services is unclear. The REs may contractually agree upon additional transition time with their service providers to retain data to meet their statutory obligations.

Recommendation: We suggest that the meaning of “take suitable steps to ensure that REs’ interests are protected even post termination of the services” be clarified. We note that the REs may ensure contractually that the service providers retain data for a contractually stipulated time period even after the termination of contract.

 

You can read our detailed feedback in the attachment below. For more information, kindly write to apurva@nasscom.in.

 

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Download Attachment

NASSCOM-RBI-ITOutsourcingGuidelines..pdf

images
Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming

© Copyright nasscom. All Rights Reserved.