RBI likely to introduce a comprehensive IT outsourcing framework

Move could be in sync with new privacy Bill

A comprehensive information technology (IT) outsourcing framework for all Reserve Bank of India (RBI)-regulated entities may be on the cards and aligned with the new privacy Bill.

In a related move, the first baby steps are also said to be underway to set up community Cloud architecture — Indian Banking Community Cloud (IBCC) — for state-run banks. This could either be through an alliance of state-run banks or under the aegis of the National Payments Corporation of India or the Institute for Development and Research in Banking Technology. The possibility of a new umbrella entity with state-run banks as equity holders cannot be ruled out.

Senior bankers in the know mentioned that the RBI’s Cyber Security and IT Examination (CSITE) Cell in the Department of Supervision (DoS) could play a significant role in hammering out the new framework. This cell reports to Rohit Jain, RBI executive director (ED) in DoS (Risk, Analytics and Vulnerability Assessment).

S C Murmu is the other ED-DoS (Supervisory Assessment).

On the new IT outsourcing framework, it was pointed out that its bedrock may be the observations made on IT and outsourcing protocols of RBI-regulated entities at the time of their annual inspection. The CSITE looks into this.

“These could be consolidated under the new outsourcing framework,” said a source.

While most senior bankers said these moves may eventually sync with the privacy Bill, they refused to second-guess the status of the Personal Data Protection Bill, 2019.

As for setting up of an IBCC for state-run banks (expected to be a subset of the IT outsourcing framework), this was set in motion after the Indian Banks’ Association’s Standing Committee on Payment Systems and Banking Technology constituted a sub-committee for Cloud-adoption road map. This flowed from EASE 4.0 — Enhanced Access and Service Excellence — reforms which had been flagged off by Union Finance Minister Nirmala Sitharaman in August 2021, under which a brief Cloud survey had been conducted.

New-age digital lenders will be put through the wringer when the new framework comes into being. One of the suggestions put forward to the ‘Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps’ was that when drafting regulations and putting in place a regulatory framework to supervise the use of technology/Cloud adoption by digital lending companies, regulators should take a ‘principles-based approach’.

Principles-based regulation means moving away from reliance on prescriptive rules and relying more on high-level, broadly stated rules, objectives or principles to set the standards by which entities must conduct business.

A New Order

• RBI’s Cyber Security and IT Examination Cell in the Department of Banking Supervision to play a significant role in outlining the new framework

• Observations made on IT and outsourcing protocols of RBI-regulated entities at the time of their annual inspections could be consolidated under the new outsourcing framework

• Baby steps ongoing to set up community Cloud architecture — Indian Banking Community Cloud (IBCC) — for state-run banks

• IBCC could be an alliance of state-run banks under the aegis of National Payments Corporation of India or the Institute for Development and Research in Banking Technology

• Possibility of an umbrella entity with state-run banks as equity holders cannot be ruled out