Most banks and regulated entities have been extensively leveraging Information Technology (IT) and IT enabled Services (ITeS) to support their business models, products and services offered to their customers. These regulated entities also outsource a substantial portion of their IT activities to third parties, which exposes them to various risks. Regulated entities include banks, primary co-operative banks, Non-Banking Financial Companies, Credit Information Companies and also institutions such as EXIM Bank, NABARD, NaBFID, National Housing Bank (‘NHB’) and Small Industries Development Bank of India (‘SIDBI’).
To ensure effective management of risks, the RBI issued regulatory guidelines on Outsourcing of IT Services, which can be accessed here: Reserve Bank of India – Notifications (rbi.org.in)
RBI said that the underlying principle of these directions is to ensure that outsourcing arrangements neither diminish the ability of regulated entities to fulfil their obligations to customers nor impede effective supervision by the RBI. The directions shall come into effect from October 1, 2023.
“Outsourcing of IT Services” includes outsourcing of the following activities:
a) IT infrastructure management, maintenance and support (hardware, software or firmware);
b) Network and security solutions, maintenance (hardware, software or firmware);
c) Application Development, Maintenance and Testing; Application Service Providers (ASPs) including ATM Switch ASPs;
d) Services and operations related to Data Centres;
e) Cloud Computing Services;
f) Managed Security Services; and
g) Management of IT infrastructure and technology services associated with the payment system ecosystem.
Some of the notable highlights:
Responsibility of regulated entities in outsourcing
Outsourcing of any activity shall not diminish the regulated entity’s obligations, nor those of its Board and Senior Management, who shall remain ultimately responsible for the outsourced activity. The regulated entity shall take steps to ensure that the service provider employs the same high standard of care in performing the services as the entity itself would have employed had the activity not been outsourced. Regulated entities should not engage an IT service provider whose engagement would result in the entity’s reputation being compromised or weakened.
IT outsourcing policy of regulated entities
A regulated entity intending to outsource any of its IT activities shall put in place a comprehensive Board approved IT outsourcing policy. The policy shall incorporate, inter alia, the roles and responsibilities of the Board, Committees of the Board (if any) and Senior Management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services. It shall further cover the criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria, delegation of authority depending on risk and materiality, disaster recovery and business continuity plans, systems to monitor and review the operations of these activities and termination processes and exit strategies, including business continuity in the event of a third-party service provider exiting the outsourcing arrangement.
Role of the Board in IT outsourcing activities
The Board shall be responsible, inter alia, for:
a) putting in place a framework for approval of IT outsourcing activities depending on risks and materiality;
b) approving policies to evaluate the risks and materiality of all existing and prospective IT outsourcing arrangements.
Formulation of IT outsourcing policies and procedures by senior management
Senior management must formulate IT outsourcing policies and procedures and evaluate the risks and materiality of all existing and prospective IT outsourcing arrangements. This evaluation is to be based on the Board-approved framework, which should be commensurate with the complexity, nature and scope of the arrangements and in line with the organisation’s enterprise-wide risk management; senior management is also responsible for implementing that framework.
Assessment of concentration risk by regulated entities
The regulated entity shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and/or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers.
Business Continuity Plan and Disaster Recovery Plan requirements for service providers
The regulated entities shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) commensurate with the nature and scope of the outsourced activity as per extant instructions issued by RBI from time to time on BCP/ DR requirements.
Monitoring and control structure for Outsourced IT activities
The regulated entities shall have in place a management structure to monitor and control their Outsourced IT activities. This shall include (as applicable to the scope of Outsourcing of IT Services), but is not limited to, monitoring the performance, uptime of the systems and resources, service availability, adherence to SLA requirements, incident response mechanism, etc.
Clear exit strategy for Outsourced IT activities
The Outsourcing of IT Services policy shall contain a clear exit strategy with regard to outsourced IT activities/ IT enabled services, while ensuring business continuity during and after exit. The strategy should include exit plans for the different scenarios of exit or termination of services, with a stipulated minimum period to execute such plans, as necessary. In documenting an exit strategy, the regulated entity shall, inter alia, identify alternative arrangements, which may include performing the activity through a different service provider or by the entity itself.
Safe removal/destruction of data and records
The regulated entities shall ensure that the agreement has necessary clauses on safe removal/ destruction of data, hardware and all records (digital and physical), as applicable.
Factors to be considered while engaging cloud services
In engaging cloud services, the regulated entities shall ensure, inter alia, that the Outsourcing of IT Services policy addresses the entire lifecycle of data, i.e., covering the entire span of time from generation of the data, its entry into the cloud, till the data is permanently erased/ deleted. The regulated entities shall ensure that the procedures specified are consistent with business needs and legal and regulatory requirements.
In adoption of cloud services, the regulated entities shall take into account the cloud service specific factors, viz., multi-tenancy, multi-location storing/ processing of data, etc., and attendant risks, while establishing an appropriate risk management framework.
Adoption and documentation of cloud adoption policy by regulated entities
The regulated entities shall adopt and demonstrate a well-established and documented cloud adoption policy. Such a policy should, inter alia, identify the activities that can be moved to the cloud, enable and support protection of various stakeholder interests, ensure compliance with regulatory requirements, including those on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification. The policy should provide for appropriate due diligence to manage and continually monitor the risks associated with Cloud Service Providers (CSPs).
Technology architecture for secure container-based data management
The regulated entities shall prefer a technology architecture that provides for secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the entity. The architecture should provide for a standard set of tools and processes to manage containers, images and releases. Multitenancy environments should be protected against data integrity and confidentiality risks, and against co-mingling of data.
Identity and Access Management principles for cloud hosted applications
Identity and Access Management principles shall be agreed upon with the CSP and ensured for providing role-based access to the cloud hosted applications, in respect of user-access and privileged-access. Stringent access controls, as applicable for an on-premise application, may be established for identity and access management to cloud-based applications. Segregation of duties and role conflict matrix should be implemented for all kinds of user access and privileged-access roles in the cloud-hosted application irrespective of the cloud service model. Access provisioning should be governed by principles of ‘need to know’ and ‘least privileges’. In addition, multi-factor authentication should be implemented for access to cloud applications.
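The paragraph above requires a role conflict matrix, need-to-know/least-privilege provisioning and MFA for cloud-hosted applications. The following is an added illustration, not text or code from the RBI direction or any regulated entity, of how an access-provisioning review can enforce those three controls; the role names, the conflict matrix and the job-function entitlement catalogue are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample role conflict matrix: role pairs a single identity must
# never hold together (segregation of duties). frozenset makes pairs unordered.
CONFLICTING_ROLES = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"app_developer", "prod_deployer"}),
    frozenset({"iam_admin", "audit_log_reader"}),
}

# Constructed entitlement catalogue: the most each job function may ever hold
# ('need to know'); any role beyond it violates least privilege.
JOB_FUNCTION_ROLES = {
    "treasury_ops": {"payment_initiator", "payment_approver"},
    "platform_eng": {"app_developer", "prod_deployer", "audit_log_reader"},
    "security": {"iam_admin", "audit_log_reader"},
}

@dataclass
class AccessRequest:
    user: str
    job_function: str
    roles: set[str]
    mfa_enrolled: bool

def review_access(req: AccessRequest) -> list[str]:
    """Return control violations for one request; an empty list means approvable."""
    findings = []
    # Need to know / least privilege: roles must stay within the job function's catalogue.
    excess = req.roles - JOB_FUNCTION_ROLES.get(req.job_function, set())
    if excess:
        findings.append(f"least-privilege: {sorted(excess)} not needed by {req.job_function}")
    # Segregation of duties: even entitled roles cannot be combined across a conflict pair
    # (treasury_ops is entitled to both payment roles, but one identity may not hold both).
    for pair in CONFLICTING_ROLES:
        if pair <= req.roles:
            findings.append(f"segregation-of-duties: {sorted(pair)} held together")
    # MFA applies to all access to the cloud application, not only to privileged roles.
    if not req.mfa_enrolled:
        findings.append("mfa: identity not enrolled for multi-factor authentication")
    return findings

def review_batch(requests: list[AccessRequest]) -> dict[str, list[str]]:
    """Map each user to their findings; users with no findings may be provisioned."""
    return {r.user: review_access(r) for r in requests}
```

The same check run before every grant, and periodically over the live role assignments exported from the CSP, also produces the evidence an auditor would ask for under the monitoring requirement above.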
Implementation of security controls in cloud-based applications
The regulated entities shall ensure that the implementation of security controls in the cloud-based application achieves similar or higher degree of control objectives than those achieved in/ by an on-premise application.
Business continuity framework for cloud services
a) The business continuity framework shall ensure that, in the event of a disaster affecting its cloud services or failure of the CSP, the regulated entity can continue its critical operations with minimal disruption of services while ensuring integrity and security.
b) Regulated entities shall ensure that the CSP puts in place demonstrative capabilities for preparedness and readiness for cyber resilience as regards cloud services in use by them. This should be systematically ensured, inter alia, through robust incident response and recovery practices, including the conduct of Disaster Recovery (DR) drills at various levels of cloud services involving the necessary stakeholders.