nbfc: RBI proposes norms for outsourcing of IT services by banks, NBFCs

The Reserve Bank proposed norms for the outsourcing of IT services to ring-fence banks and other regulated entities from financial, operational and reputational risks. Regulated entities (REs) will not require prior approval from the central bank for the outsourcing of IT and IT-enabled services, according to RBI’s draft Master Direction on Outsourcing of Information Technology (IT) Services.

“The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority,” said the draft, on which the RBI has invited comments from stakeholders by July 22.

Banks, payment banks, cooperative banks, credit information companies, NBFCs and other regulated entities, would be required to put in place a comprehensive board-approved IT outsourcing policy.

“Outsourcing of any activity of the RE shall not diminish its obligations as also of its Board and senior management, who shall be ultimately responsible for the outsourced activity.

“RE shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the RE if the same activity was not outsourced,” the draft said.

The draft specifies the role of the board and senior management, besides norms pertaining to the usage of cloud computing services and outsourcing of the Security Operations Center (SOC).

Discover the stories of your interest

The RBI has also proposed that the REs should set up a robust grievance redressal mechanism, “which in no way shall be compromised on account of outsourcing”, meaning responsibility for redressal of customers’ grievances related to outsourced services would rest with them.

As per the draft, a risk management framework for the outsourcing of IT services should comprehensively deal with the processes and responsibilities for the identification, measurement, mitigation/ management and reporting of risks associated with outsourcing.

Entities regulated by the RBI should also require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

Also, a RE could outsource any IT activity/IT-enabled service within its business group/ conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/ agreements with its group entities are in place, the draft said.

It has also proposed additional requirements for cross-border outsourcing.

In February this year, the RBI had proposed to issue a guideline on outsourcing.

The financial system is seeing extensive leveraging and outsourcing of critical IT services by regulated entities to get easier access to newer technologies through financial technology players to improve efficiencies, it had said.

These arrangements expose them to significant financial, operational and reputational risks.

Similarly, the increasing dependence of customers on digital channels to avail banking services makes it imperative for regulated entities to focus on operational resilience, the central bank had said.

Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.

Source link

Denial of responsibility! insideheadline is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Leave A Reply

Your email address will not be published.