The Reserve Bank of India (RBI) on Monday released the final norms for outsourcing of information technology- (IT-) related services by financial sector entities, which will come into effect from October 1.
The regulator has given 12 months to comply with the norms for existing contracts, which will come up for renewal before October 1. For agreements that are due for renewal on or after October 1, the RBI-regulated financial institutions have been asked to comply with the norms within 36 months of the renewal dates.
With respect to new outsourcing arrangements (agreements that come into force before October 1), the entities must comply with the new norms ‘preferably’ from the agreement date but not later than 12 months from the date of issuances of the norms.
“The agreements that come into force on or after October 1 shall comply with the provisions of these directions from the date of agreement itself,” RBI said.
The new norms are applicable for Indian banks, NBFCs, primary cooperative banks, credit information companies, and all other entities that are regulated by the RBI. “In the case of foreign banks operating in India through branch mode, reference to the board or board of directors in these directions should be read as reference to the head office or controlling office which has the oversight over the branch operations in India.”
“Further, such foreign banks shall be subject to a ‘comply or explain’ approach wherein such foreign banks, may deviate from any specific part of these Directions subject to examination and acceptance by the RBI of a reasonably justifiable explanation for the same,” the norms said.
The regulated entities must have a comprehensive board approved plan on the IT outsourcing policy.
The board will be responsible for putting in place a framework for approval of IT outsourcing activities depending on risks and materiality. The RBI said that outsourcing of any activity shall not diminish the regulated entities’ obligations as also of its board and senior management, who shall be ultimately responsible for the outsourced activity.
According to the norms, the regulated entities should ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives. An exception can be made with the approval of the board.
Further, the norms said the REs should have a robust grievance redressal mechanism and that responsibility for redressal of customers’ grievances related to outsourced services would rest with the RE.
“Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws,” RBI said.
The new norms have also put additional requirements for cross border outsourcing.
“The engagement of a service provider based in a different jurisdiction exposes the RE to country risk. To manage such risk, the RE shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, as well as establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies,” RBI said.
The regulated entities also have an exit strategy while ensuring business continuity during and after exit. “The strategy should include exit strategy for different scenarios of exit or termination of services with stipulation of minimum period to execute such plans, as necessary,” the norms said.
