RBI's norms on outsourcing IT services aimed at improving corporate governance, say experts 

These norms came in the backdrop of the current practice of regulated entities (REs) of extensively leveraging IT and IT-enabled services (ITeS) to support their business models.

Published: 16th April 2023 05:44 PM  |   Last Updated: 16th April 2023 05:44 PM   |  A+A-

Reserve Bank of India headquarters in Mumbai, RBI

Image used for representational purpose only. (File Photo | PTI)

By PTI

NEW DELHI: Reserve Bank's regulation on outsourcing of IT services by banking sector entities is aimed at improving corporate governance and will protect the interest of consumers, say, industry experts.

The Reserve Bank of India (RBI) has recently come out with detailed norms for the outsourcing of IT services by banks, NBFCs and other regulated financial sector entities to ensure that such arrangements do not undermine their responsibilities and obligations to customers.

These norms came in the backdrop of the current practice of regulated entities (REs) of extensively leveraging IT and IT-enabled services (ITeS) to support their business models and also the products and services being offered to customers.

Commenting on the Master Direction issued by the RBI on 'Outsourcing of Information Technology Services', Monish G Chatrath, Managing Partner, MGC Global Risk Advisory LLP, said, "Strong corporate governance practices and comprehensive risk management frameworks are aspects that are imperative to enhance the resilience of the BFSI sector in India. This is a significant development that is in the best interests of the consumers."

He further said the directions have brought under purview those IT & ITeS tasks that have the potential to significantly impact the business operations of regulated entities in the event of a disruption or compromise and those that can have a material impact on the customers of the regulated entities in the event of any unauthorised access, loss or theft of customer information.

The Master Direction on 'Outsourcing of Information Technology Services' will come into effect from October 1, 2023.

The RBI said the underlying principle of the Master Direction is to ensure that outsourcing arrangements neither diminish REs' ability to fulfil its obligations to customers nor impede effective supervision by the RBI.

Siddhartha Tipnis, Partner, Deloitte India, said the RBI's directives provide key foundational broad strokes to regulated entities for managing technology outsourcing relationships across the continuum: Evaluation, Onboarding, Service Experience/Management, Performance Management, Ongoing Risk/Compliance Management, Overall Relationship Management.

This framework, Tipnis said, will bring in a lot more rigour as to how REs manage these business critical relationships and is expected to mature RE operating models, processes, and systems and streamline/formalise some intuitively followed practices around technology outsourcing.

"With less than 180 days for the directives to become effective, we certainly see this topic being an important part of the Board agenda this season. Key RE committees/ groups such as Risk Management Group, and Information Security Group, amongst others, are likely to oversee implementation," Tipnis added.

As per the RBI, REs have put in place a risk management framework that "shall comprehensively deal" with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with outsourcing of IT services arrangements.

Shreya Suri, Partner, IndusLaw, opined that the master directions were an anticipated development, given the proactive approach of RBI in relation to developments and innovations in the digital and technology space.

While a certain degree of dependency of regulated entities on critical IT services has been customary, with the coming of the pandemic and the movement of many sectors including the financial sector to the online space, this dependency has been at a steep incline, Suri said.

"Prior to the master directions, the prevalent outsourcing guidelines were scattered for different classes of REs, however, the master directions attempt to streamline and unify the regulations for all REs," Suri said.

As per the Master Direction, an RE intending to outsource any of its IT activities will have to put in place a comprehensive board-approved IT outsourcing policy.

The policy should incorporate, inter alia, the roles and responsibilities of the board, committees of the board (if any), and senior management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services.



Comments

Disclaimer : We respect your thoughts and views! But we need to be judicious while moderating your comments. All the comments will be moderated by the newindianexpress.com editorial. Abstain from posting comments that are obscene, defamatory or inflammatory, and do not indulge in personal attacks. Try to avoid outside hyperlinks inside the comment. Help us delete comments that do not follow these guidelines.

The views expressed in comments published on newindianexpress.com are those of the comment writers alone. They do not represent the views or opinions of newindianexpress.com or its staff, nor do they represent the views or opinions of The New Indian Express Group, or any entity of, or affiliated with, The New Indian Express Group. newindianexpress.com reserves the right to take any or all comments down at any time.

flipboard facebook twitter whatsapp