IT service outsourcing regulations to be effective from Oct 1

The Reserve Bank of India (RBI) announced final guidelines for financial sector businesses to outsource information technology (IT)-related services on Monday, effective 1 October.

The agency has given existing contracts that are due for renewal before 1 October a 12-month grace period to comply with the standards. The RBI-regulated financial institutions have been asked to comply with the requirements within 36 months of the renewal dates for agreements that are due for renewal on or after 1 October.

In the case of new outsourcing arrangements (agreements entered into before 1 October), the entities must comply with the new rules “preferably” from the agreement date but no later than 12 months from the date the norms were issued.

“Agreements entered into on or after 1 October must comply with the provisions of these directions from the date of the agreement,” the RBI said.

The new regulations apply to all Indian banks, NBFCs, main cooperative banks, credit information businesses and other institutions regulated by the RBI.

In the case of foreign banks operating in India through branches, references to the board or board of directors in these guidelines should be interpreted as referring to the head office or controlling office that has oversight over the branch operations in India.

Furthermore, such foreign banks shall be subject to a ‘comply or explain’ approach under which such foreign banks may deviate from any specific part of these Directions subject to examination and acceptance by the RBI of a reasonably justifiable explanation for the same.

Regulated Entities (RE) must have a detailed board-approved IT outsourcing policy strategy.

The board will develop a framework for approving IT outsourcing activities based on risk and materiality. The RBI said that outsourcing any function does not relieve regulated businesses of their obligations, as well as their board and senior management, who would be ultimately responsible for the outsourced activity.

The regulated entities must guarantee that the service provider, if not a group firm, is not owned or managed by any director, key managerial personnel, or approver of the RE’s outsourcing arrangement, or their family. With the board’s consent, an exception can be made.

Furthermore, the guidelines stated that REs should have a robust grievance redressal procedure in place and that the obligation for resolving customer issues connected to outsourced services will be borne by the RE.

“Outsourcing arrangements shall not affect a customer’s rights against the RE, including the customer’s ability to obtain redress as applicable under relevant laws,” the RBI stated.

The new standards have also added new requirements for cross-border outsourcing.

The regulated entities also have an exit strategy in place to ensure business continuity before, during and after the leave. The strategy should include exit strategies for various scenarios of exit or termination of services, with a minimum period to execute such plans, as necessary, the standards said. Businessworld