
2.14 Outsourcing of IT and financial services

RBI’s Master Direction on Outsourcing of Information Technology Services (DoS.CO.CSITEG/SEC.16/31.01.015/2022-23, dated 10 April 2023) consolidates the rules on IT outsourcing by regulated entities (REs). A parallel framework governs outsourcing of financial services; for NBFCs this is the older 2017 guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services.

For a modern NBFC running on cloud, with vendors for KYC, BSA, bureau, AA, eSign, mandates, communications, analytics — virtually every external relationship is governed by these two frameworks.

  • RBI Master Direction – Outsourcing of Information Technology Services, DoS.CO.CSITEG/SEC.16/31.01.015/2022-23, 10 April 2023.
  • RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs, DNBR (PD) CC.No.090/03.10.001/2017-18, 9 November 2017 (and subsequent amendments).
Between them, the two frameworks cover:

  • Cloud computing (IaaS, PaaS, SaaS).
  • Application service providers (LOS / LMS as a service).
  • Hosted infrastructure.
  • Managed services.
  • External business process outsourcing (call centres, recovery agents, document scanning).
  • IT-enabled services.

REs cannot outsource core management functions, defined as:

  • Strategic decisions about products, pricing, risk appetite.
  • Compliance management (the function as a whole; tasks may be supported).
  • Internal audit (the function as a whole).
  • Decision-making on customer-facing matters that involve discretion.
  • Risk management at the policy level.

Outsourcing is allowed for support and execution, not for the regulated entity’s core fiduciary responsibilities.

1. Board-approved outsourcing policy

The policy:

  • Defines what may be outsourced, the criteria for selecting vendors, the risk assessment framework, monitoring, and exit plans.
  • Is reviewed at least annually.

2. Due diligence on vendors

Before onboarding any vendor, assess:

  • Financial soundness.
  • Technical capability.
  • Track record.
  • Geographic risk.
  • Information security posture.
  • Compliance posture.
  • Sub-contracting practices.
  • Business continuity / disaster recovery.
  • Insurance.

The assessment is documented in a vendor risk assessment report, reviewed by the responsible business head and approved under delegated authority.

3. Comprehensive written outsourcing agreement / MSA


Must include:

  • Scope of work with measurable SLAs.
  • Data ownership — RE always owns its data.
  • Data location — where the RE’s data, including backups, is stored and processed; normally within India, with any offshore location called out explicitly.
  • Confidentiality and security clauses.
  • Sub-contracting rules and approvals.
  • Audit rights — RE’s right to audit, RBI’s right to inspect.
  • Termination — notice period, transition obligations.
  • Exit / portability — vendor must hand back data in readable format, support migration.
  • Incident reporting — vendor must report security incidents within prescribed time.
  • Insurance held by vendor.
  • Compliance with applicable laws.
4. Sub-contracting

  • Vendor cannot sub-contract without the RE’s prior written approval.
  • All sub-contracts inherit the same obligations.
  • Full chain of sub-contractors visible to RE.
5. Concentration risk

  • RE must avoid material concentration with any one vendor.
  • Periodic concentration review.
6. Monitoring and performance

  • SLAs defined in the agreement are measured and reported.
  • Periodic vendor performance reviews.
  • Quarterly reporting to senior management for material vendors.
  • For material arrangements (defined by policy), additional governance — board / committee approval before entering, periodic review.
7. Audit and inspection rights

  • RE has an unconditional right to audit the vendor’s controls relevant to the RE’s services.
  • RBI has unconditional right to inspect.
  • Vendor must cooperate with RE’s auditors and with RBI inspectors.
8. Exit strategy

  • Every material vendor relationship has a documented exit plan from the outset.
  • Includes data migration approach, alternative vendor identified, transition timeline, post-exit obligations.
  • Tested periodically through tabletop exercises.
9. Incident reporting

  • Vendor must notify the RE of any incident materially affecting services or data.
  • RE must in turn notify RBI within the applicable timeframes (cyber incidents within six hours of detection).
What this means for the platform:

  • Vendor catalogue — every vendor with status, MSA reference, services, SLAs, last review.
  • Vendor onboarding checklist — diligence questionnaire, financial review, security review, contract review.
  • Vendor performance review cadence — quarterly minimum for material.
  • Concentration analysis — by spend, by criticality, by data exposure.
  • Vendor master in admin module — vendor name, category, services, criticality, MSA, audit-right clause, exit plan, last review, last incident, SLA performance.
  • Service tagging — every external API call tagged with vendor; usage metrics per vendor.
  • Cost allocation per vendor / tenant.
  • Incident management — vendor incidents tracked with severity, reporting, remediation, recurrence.
Evidence:

  • Outsourcing policy (board-approved).
  • Vendor due diligence reports.
  • MSAs / contracts with all required clauses.
  • Vendor performance reviews.
  • Exit plans.
  • Incident reports.
  • Annual board update on material outsourcing.
Processes:

  • Vendor onboarding workflow with diligence, security review, legal review, business approval.
  • Quarterly vendor reviews for material.
  • Annual outsourcing policy review.
  • Incident response with vendor escalation.
Reports:

  • Vendor concentration report.
  • Vendor performance dashboard.
  • Outsourcing risk report to board (annual).
Records kept for audit:

  • Outsourcing policy and review history.
  • Vendor due diligence files.
  • MSAs.
  • Performance reviews.
  • Incident logs.
  • Exit-plan tabletops.
Practical notes:

  1. Standard MSA template with all RBI-required clauses; never sign a vendor’s standard template without amendment.
  2. Single vendor master as the source of truth; integrate with procurement, security, legal, finance.
  3. Audit-right clauses are negotiated upfront. Vendors push back on broad clauses; hold the line on what RBI requires (RE audit rights, RBI inspection rights, cooperation with auditors and inspectors) and negotiate only the mechanics.
  4. Cloud strategy — pick one or two primary cloud providers, document the strategy, run periodic portability exercises (even if simulated).
  5. Concentration triggers — any single vendor exceeding 10% of IT spend or supporting >= 2 critical services should flag for board review.
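As an added worked example (not part of the original page and not code from any RBI text), the following Python sketch turns the vendor-master fields listed above and the concentration triggers from the practical notes into checks that run over a register: missing MSA clauses, material vendors without an exit plan, unapproved sub-contractors, overdue reviews, and the 10%-of-spend / two-critical-services concentration flags. The vendor records, clause names, and review windows are constructed assumptions for illustration.

```python
"""Vendor-register checks for an NBFC outsourcing programme (illustrative).

Constructed example: the vendor records, thresholds and clause names below are
assumptions for demonstration, not data or rules taken from any RBI text.
"""
from dataclasses import dataclass, field
from datetime import date

# Clauses every outsourcing agreement must carry (the MSA checklist above).
REQUIRED_MSA_CLAUSES = frozenset({
    "scope_sla", "data_ownership", "data_location", "confidentiality_security",
    "subcontracting", "audit_rights_re", "audit_rights_rbi", "termination",
    "exit_portability", "incident_reporting", "insurance", "applicable_law",
})

# Policy thresholds. The concentration triggers follow the practical note above
# (10% of IT spend, two or more critical services); the review windows are
# assumed internal policy values (quarterly for material vendors, else annual).
SPEND_SHARE_TRIGGER = 0.10
CRITICAL_SERVICES_TRIGGER = 2
REVIEW_WINDOW_DAYS = {True: 92, False: 366}


@dataclass
class Vendor:
    """One row of the vendor master (hypothetical schema)."""
    name: str
    category: str
    material: bool
    annual_spend: float
    critical_services: list[str]
    msa_clauses: set[str]
    exit_plan: bool
    last_review: date
    subcontractors: list[str] = field(default_factory=list)
    approved_subcontractors: list[str] = field(default_factory=list)


def msa_gaps(v: Vendor) -> set[str]:
    """Required clauses missing from the signed agreement."""
    return REQUIRED_MSA_CLAUSES - v.msa_clauses


def review_vendor(v: Vendor, today: date, total_spend: float) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for one vendor."""
    findings = []
    gaps = msa_gaps(v)
    if gaps:
        findings.append(("MSA_GAP", "missing clauses: " + ", ".join(sorted(gaps))))
    if v.material and not v.exit_plan:
        findings.append(("NO_EXIT_PLAN", "material vendor without documented exit plan"))
    for sub in v.subcontractors:
        if sub not in v.approved_subcontractors:
            findings.append(("UNAPPROVED_SUBCONTRACTOR", sub))
    age = (today - v.last_review).days
    if age > REVIEW_WINDOW_DAYS[v.material]:
        findings.append(("REVIEW_OVERDUE", f"last review {age} days ago"))
    # Concentration: share of total register spend, and count of critical services.
    share = v.annual_spend / total_spend if total_spend else 0.0
    reasons = []
    if share > SPEND_SHARE_TRIGGER:
        reasons.append(f"spend share {share:.0%}")
    if len(v.critical_services) >= CRITICAL_SERVICES_TRIGGER:
        reasons.append(f"{len(v.critical_services)} critical services")
    if reasons:
        findings.append(("CONCENTRATION", "; ".join(reasons)))
    return findings


def review_register(vendors: list[Vendor], today: date) -> dict[str, list[tuple[str, str]]]:
    """Run the checks over the whole register; spend share is relative to the total."""
    total = sum(v.annual_spend for v in vendors)
    return {v.name: review_vendor(v, today, total) for v in vendors}


def finding_codes(findings: list[tuple[str, str]]) -> set[str]:
    """Just the codes, for dashboards and tests."""
    return {code for code, _ in findings}


# Constructed sample register: fictitious vendors and figures.
ALL_CLAUSES = set(REQUIRED_MSA_CLAUSES)
SAMPLE_VENDORS = [
    Vendor("CloudCo", "IaaS", True, 40.0, ["LOS", "LMS", "core-db"],
           ALL_CLAUSES, True, date(2024, 3, 1)),
    Vendor("KYCVendor", "eKYC", True, 15.0, ["eKYC"],
           ALL_CLAUSES - {"audit_rights_rbi", "exit_portability"}, False,
           date(2024, 5, 15), subcontractors=["FaceMatchLabs"]),
    Vendor("SMSGateway", "communications", False, 5.0, [],
           ALL_CLAUSES, False, date(2023, 1, 1)),
    Vendor("BureauCo", "credit bureau", True, 40.0, ["credit-decisioning"],
           ALL_CLAUSES, True, date(2024, 6, 1)),
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_VENDORS, AS_OF).items():
        print(name)
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Thresholds live in module constants so a policy change is a one-line edit with a visible diff; spend share is computed against the whole register, so adding or dropping a vendor can move another vendor across the trigger, which is exactly the effect a concentration review should surface. The non-material SMS vendor is not penalised for lacking an exit plan but is still flagged for an overdue review, matching the materiality split in the text.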
References:

  • RBI Master Direction – Outsourcing of Information Technology Services, DoS.CO.CSITEG/SEC.16/31.01.015/2022-23, 10 April 2023.
  • RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs, DNBR (PD) CC.No.090/03.10.001/2017-18, 9 November 2017.
  • RBI Master Direction on IT Governance, 7 November 2023.