Introduction
The outsourcing of information technology (IT) services has become increasingly prevalent in the banking and financial sector. Several challenges have emerged as a result, and regulators have stepped in with a framework to enable prudent risk management.
RBI Master Direction
The Reserve Bank of India (RBI) has released the Master Direction on Outsourcing of Information Technology Services to address the need for risk management in technology-related outsourcing contracts. This blog does a deep dive into outsourcing IT services in the banking industry. The Master Direction covers ten different domains and emphasizes policies, risk frameworks, and controls, with a specific focus on cloud adoption. The directions will come into effect from 1st October 2023.
Need for Outsourcing
Various factors have contributed to the increased outsourcing of IT services, including the growing difficulty of adopting technology in-house, challenges with migrating data and platforms, new entrants, increased cloud adoption, the relevance of outsourcing opportunities, and the presence of digital channels.
Potential Impact Areas
Outsourcing IT services has relevance for different stakeholders. The potential impact falls on banks, small finance banks, payments banks, non-banking financial companies (NBFCs), credit information companies (CICs), urban cooperative banks (UCBs), and service providers. This section explores the need for strengthened structures, governance, and compliance obligations for each of them.
Impact on Banks
- Deeper scrutiny of outsourcing engagements: legal, regulatory and coverage
- Need to strengthen frameworks on monitoring
- Reevaluate cloud strategy
- Handholding for new digital set-ups
Impact on Small Finance Banks & Payments Banks
- Historically they have relied on partners for technology management
- Need to build a full governance framework to manage and monitor outsourcing in real time
NBFCs, CICs, UCBs
- Technology investments would focus on choosing the right partner and on cloud adoption
- Required to build a full governance framework to manage and monitor outsourcing
Service Providers
- Alignment of service delivery to meet compliance obligations
- Focus on building data security, privacy, BCP and DR capabilities as well as audit management
Ten Chapters of the Master Direction
The Master Direction comprises ten chapters that cover various aspects of outsourcing IT services. These chapters include:
- Preliminary
- Role of the Regulated Entity
- Governance Framework
- Evaluation & Engagement of Service Providers
- Outsourcing Agreement
- Risk Management
- Monitoring & Control of Outsourced Activities
- Outsourcing within a Group Conglomerate
- Cross Border Outsourcing
- Exit Strategy
Applicable Service Elements
This section identifies the specific IT service elements and outlines the applicable activities. It also mentions non-applicable activities that are excluded from the scope.
Applicable Activities
- IT Infrastructure Management
- Network & Security Management
- Application Development & Maintenance
- Application Testing Services
- ATM Switch ASPs
- Data Centre Operations & Hosting
- Cloud Computing Services
- Managed Security Services
- Payment System Services Infrastructure Management
Non-Applicable Activities
- Corporate Internet Banking Services
- Audit Services (including VA/PT)
- SMS Service Provider
- Procurement & Acquisition of Hardware/Software
- OEM-led Maintenance
- Regulatory bodies
- BCs, Fintech Partnership, Data Enablers
Governance Framework
To ensure compliance with the Master Direction, regulated entities need to establish a board-approved IT outsourcing policy. This section outlines the requirements for building the policy, including the key outcomes to look for.
Requirements
- Build a comprehensive board-approved IT outsourcing policy
- Define roles & responsibilities (Terms of Reference) for:
  - Board
  - Senior Management
  - CIO/CTO/IT Team
- Oversight & assurance structure with respect to the policy
- Maintain an inventory of services & partners
Action Plan
- Realign the IT outsourcing policy and obtain board approval
- Identify key stakeholders and outline Terms of Reference
- Prepare a policy roll-out plan
- Conduct training & workshops for stakeholders
- Prepare a review & monitoring mechanism to update the policy in a timely manner
- Develop an inventory of outsourcing arrangements
Key Outcomes
- Focused IT outsourcing policy: criteria, materiality, delegation of authority, DR/BCP, risk assessment, termination, exit strategies
- Documented Terms
Checkpoints for Compliance
- Board agenda item & Minutes
- Board / IT Strategy Committee Minutes
- Schedules for meetings with stakeholders
- Training & workshops
- Review of the policy update process
- Service & partner inventory with key dates
Evaluation and Engagement
Effective evaluation and engagement of service providers is critical in outsourcing. This section outlines the requirements for establishing risk-based due diligence, an action plan, the key outcomes to target, and checkpoints for compliance.
Requirements
- Risk-based due diligence framework to assess the capability of service providers
- Establish an evaluation framework
- Independent review
- Coverage of multiple evaluation parameters
Action Plan
- Develop a materiality assessment framework based on risk potential
- Develop a due diligence checklist aligned to materiality as well as service category
- Create vendor evaluation parameters
- Update the partner inventory aligned to materiality
Key Outcomes
- Enhanced framework for the selection and onboarding of partners
- Better visibility into the capabilities of a planned outsourcing partner
Checkpoints for Compliance
- Approved due diligence checklist
- Vendor list vis-à-vis due diligence reports
- Risk derivation linked to due diligence
- Alignment with the risk management framework
Outsourcing Agreements
Regulated entities need to establish a legally binding agreement framework and document the terms and conditions in conjunction with their legal teams. This section highlights the importance of regular monitoring, assessment frameworks, and performance monitoring aligned with service level agreements (SLAs). Regulated entities need an action plan to create the necessary legal agreement templates and ensure compliance.
Requirements
- Build a legally binding agreement framework
- Document terms & conditions
- Establish a regular monitoring & assessment framework
- Develop a performance monitoring framework in line with the SLA structure
Action Plan for RE
- Create the legal agreement template by outlining all key requirements, mapped to materiality and type of service
- Review all existing contracts and perform a gap assessment
- Plan for the amendment of agreements
- Map risks related to missing elements in the risk register (exception plan)
Key Outcomes
- Formal Outsourcing contracts for all existing partners aligned with regulatory requirements
Checkpoints for Compliance
- Create a checklist of agreement clauses and map compliance across the set of existing contracts
- Develop a tracker for the amendment of contracts
- Notify management as per the governance structure
Monitoring and Control of Outsourced Activities
A robust management structure with defined roles and responsibilities is crucial for monitoring outsourced activities. This section outlines the development of monitoring and control checklists and the establishment of audit mechanisms, and identifies the key outcomes and checkpoints for compliance.
Requirements
- Establish a management structure with defined roles & responsibilities for monitoring
- Build audit arrangements, including a pooled audit mechanism
Action Plan for RE
- Update/create a monitoring & control checklist
- Control assessment checklist
- Termination checklists
- Document assessment checklists
- Align with the respective managing team
Key Outcomes
- Defined monitoring & control structure with respect to the Master Direction
- Controlled assessments of service providers on a real-time basis
Checkpoints for Compliance
- Internal audit program
- Audit reports for outsourcing partners
- Performance review reports
- Assessment reports for CSPs and SOC partners
Exit Strategy
Regulated entities are required to have a well-defined exit strategy for terminating or exiting outsourced IT activities or services. This section outlines the requirements for documenting exit strategy terms, termination clauses, and alternative arrangements. An action plan is provided for creating exit strategies and termination processes and for protecting data during the transition period. Checkpoints for compliance are also highlighted.
Requirements
Document exit strategy terms in the policy with regard to:
- BC plan & post-exit terms
- Termination clauses
- Alternative arrangements
Action Plan for RE
- Create an exit strategy and the time period for executing it
- Create termination processes
- Create clauses to protect data during the transition period
Key Outcomes
- Well-defined plan for exiting or terminating outsourced IT activities or IT-enabled services
Checkpoints for Compliance
- Exit reports for any terminated contracts
- BCP / exit approach for critical partners
Cloud Computing Services
Cloud Service Provider (CSP)
Selecting a suitable Cloud Service Provider (CSP) is critical in this process. To ensure a secure and reliable partnership, regulated entities (REs) should contract exclusively with service providers operating under jurisdictions that ensure the enforceability of agreements and safeguard the REs' rights.
Cloud Service Management & Security Consideration
In the context of cloud service management and security considerations, there are certain key factors that regulated entities (REs) have to take into account. These factors help ensure the integrity, confidentiality, and availability of data in the cloud environment.
- REs must ensure the technology architecture adheres to global technology architecture principles & standards
- Encryption keys & hardware security modules (HSMs) shall be under the control of the REs
- Security controls implemented in the cloud shall be equivalent to or stronger than those of the on-premises architecture, with adequate monitoring & vulnerability management requirements
Conclusion
Outsourcing IT services in the financial domain requires due consideration of multiple aspects to ensure compliance, risk management, and operational resilience. Through adherence to these guidelines, banks can enhance their outsourcing practices while giving due consideration to security and efficiency.