RBI warns of risks from cross-border outsourcing of IT services

The Reserve Bank of India (RBI) has warned of risks from cross-border outsourcing of information technology (IT) services and recommended that regulated entities closely monitor such operations.

“To manage such risks, the regulated entity shall closely monitor the government policies of the service provider’s country and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk,” the central bank said in its draft master direction on outsourcing of IT services.

The RBI’s observations come at a time when it is considering a mandate for domestic processing of payment transactions in order to ring-fence India’s local payment systems.

The RBI has recommended that regulated entities build appropriate contingency and exit strategies. Additionally, firms should ensure that availability of records and the supervising authority would not be affected in the event of liquidation of the service provider.

The provisions of the RBI’s draft master directions are applicable to scheduled commercial banks, local area banks, small finance banks, and payments banks.

Primary urban cooperative banks with asset size of more than Rs 1,000 crore, non-banking financial companies in top, upper and middle layers and credit information companies are also included. All-India financial institutions, such as the National Housing Bank and the National Bank for Agricultural and Rural Development, too, fall under the ambit of the draft directions.

The RBI said that in principle, agreements should only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements.

“However, the jurisdiction of the courts outside India, where data is stored and/ or processed, shall not extend to the operations of the regulated entity in India, on the strength of the fact that the entity’s data is being stored and/ or processed there, even though the actual transactions are undertaken in India,” the draft directions read.

The right of audit and inspection of service providers in different jurisdictions shall be ensured, it said.

The RBI has said that the underlying principle of these directions is that the regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority.

“The regulated entity shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the regulated entity if the same activity was not outsourced… the regulated entities shall not engage an IT service provider that would result in its reputation being compromised or weakened,” the draft circular said.

In its Payments Vision Document released last week, the regulator said that in light of emerging geo-political risks, options would be explored to ring-fence domestic payment systems.

The RBI, in particular, flagged the fact that global card networks stopped processing transactions in Russia following sanctions on the country by the US.

The broad aim of the RBI’s draft directions is to ensure that outsourcing arrangements of regulated entities neither diminish the ability to deliver on obligations nor impede effective supervision.