Topics In Demand
Notification
New

No notification found.

Reserve Bank of India’s Master Directions on Outsourcing of IT Services
Reserve Bank of India’s Master Directions on Outsourcing of IT Services

April 11, 2023

604

0

 

On April 10, 2023, the Reserve Bank of India (RBI) notified Master Directions on Outsourcing of Information Technology Services (Master Directions).

Background

In June 2022, RBI had released draft Master Directions for public consultation. Based on the concerns raised by the industry, nasscom had submitted feedback to the draft Master Directions in July 2022.

Overall, the Master Directions detail out norms for outsourcing of IT services by banks, Non-Banking Financial Companies (NBFCs) and some other regulated financial sector entities such as primary cooperative banks, EXIM bank, National Housing Bank, Credit Information Companies etc. with the objective of ensuring that outsourcing arrangements neither diminish the ability of regulated entities (RE) to fulfil its obligations to customers nor impede effective supervision by RBI.

Here is a snapshot of the concerns addressed by the notified Master Directions:

S. No.

Nasscom’s recommendation

Notified Master Directions

1.      

 

Transition time – we had recommended that a timeframe of 18-24 months be provided to REs to align existing IT outsourcing agreements with the Master Directions.

While the Master Directions will come into effect from October 1, 2023, there is an additional time given as follows:

·       For existing agreements due for renewal before October – additional 12 months.

·       For existing agreements due for renewal after October – as on the renewal date or 36 months from the date of issuance of the Master Directions, whichever is earlier.

A longer period will enable a smoother transition for both, the REs and IT service providers.

2.      

 

Report cybersecurity incidents – we had recommended that instead of immediately or within 1 hour of detection, reporting cybersecurity incidents to the RE, service providers should report such incidents promptly.

Master Directions provide the opportunity to report cybersecurity incidents to RE without undue delay and further report it to RBI within 6 hours of detection.

 

A longer time for reporting cybersecurity incidents will increase the quality of the reported information and minimise sharing unfiltered data dumps with RBI.

3.      

 

Pooled audits – we had recommended that REs must be allowed to consider pooled audits that are performed by independent and qualified auditors, jointly engaged by multiple REs using the same service provider.

Master Directions allow that where many REs avail services from the same third-party service provider, REs may adopt pooled (shared) audit. This allows the relevant REs to either pool their audit resources or engage an independent third-party auditor to jointly audit a common service provider.

 

This will enable efficient use of resources without compromising on the end-result of the audit.

 

Some of the recommendations and concerns raised by us have not been addressed by RBI. We are seeking industry’s feedback on these as well as any other operational or compliance related concerns that may arise.

The notified Master Directions are attached for reference.

If you have any feedback on the notified Master Directions, kindly write to garima@nasscom.in with a copy to policy@nasscom.in.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Download Attachment

RBI-IT Outsourcing Guidelines.PDF

images
Garima Prakash
Manager, Public Policy and Government Affairs

Reach out to me for all things policy about e-commerce, international trade, export controls, start-ups and fintech

© Copyright nasscom. All Rights Reserved.