The Reserve Bank on Thursday proposed norms for the outsourcing of IT services to ring-fence banks and other regulated entities from financial, operational and reputational risks.
Regulated entities (REs) won’t require prior approval from the central bank for the outsourcing of IT and IT-enabled services, according to RBI’s draft Master Direction on Outsourcing of Information Technology (IT) Services.
“The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority,” said the draft, on which the RBI has invited feedback from stakeholders by July 22.
Banks, payments banks, cooperative banks, credit information companies, NBFCs and other regulated entities will be required to put in place a comprehensive board-approved IT outsourcing policy.
“Outsourcing of any activity of the RE shall not diminish its obligations as also of its Board and senior management, who shall be ultimately responsible for the outsourced activity.
“RE shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the RE if the same activity was not outsourced,” the draft said.
The draft specifies the role of the board and senior management, as well as norms pertaining to the usage of cloud computing services and outsourcing of the Security Operations Center (SOC).
The RBI has also proposed that the REs should set up a robust grievance redressal mechanism, “which in no way shall be compromised on account of outsourcing”, meaning responsibility for redressal of customers’ grievances related to outsourced services would rest with them.
As per the draft, a risk management framework for the outsourcing of IT services should comprehensively deal with the processes and responsibilities for the identification, measurement, mitigation/management and reporting of risks associated with outsourcing.
Entities regulated by the RBI should also require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Also, an RE may outsource any IT activity/IT-enabled service within its business group/conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/agreements with its group entities are in place, the draft said.
It has also proposed additional requirements for cross-border outsourcing.
In February this year, the RBI had proposed to issue a guideline on outsourcing.
The financial system is seeing extensive leveraging and outsourcing of critical IT services by regulated entities to get easier access to newer technologies through financial technology players to improve efficiencies, it had said.
These arrangements expose them to significant financial, operational and reputational risks.
Similarly, the increasing dependence of customers on digital channels to avail banking services makes it imperative for regulated entities to focus on operational resilience, the central bank had said.
Source: www.financialexpress.com