New RBI IT Outsourcing Directions & Key Takeaways for Fintech Agreements

On April 10th, 2023 Reserve Bank of India (“RBI”) issued fresh directions to financial institutions (also referred to as “Regulated Entities”/ “REs”), concerning outsourcing of information technology (“IT”) services and IT-enabled services (“ITeS”) to third-party service providers (whether or not belonging to the same group of companies as that of the financial institution), titled the ‘Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023’ (“IT Outsourcing Directions”/ “Directions”).

RBI first proposed this in its Statement on Developmental and Regulatory Policies dated February 10^th, 2022; subsequently, a draft was also put for public comments in June 2022. This comes in light of the increasing boom in the use of digital mediums in customer onboarding, KYC and loan disbursement.

IT services or any other outsourced services contracts entered into by banks and non-banking finance companies (“NBFCs”) were previously governed by the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services (“General Outsourcing Guidelines”). With these guidelines in place, all IT services, fintech agreements and digital lending agreements shall have to be compliant with not just the General Outsourcing Guidelines but also the new IT Outsourcing Directions.

Key Takeaways

1. Applicability

The IT Outsourcing Directions apply to ‘Material Outsourcing of IT Services’ (discussed below) arrangements that are entered by the following REs:

• Schedule Commercial Bank including Foreign Banks located in India, Local Banks, Small Finance Banks, and Payments Banks but excluding Regional Rural Banks;
• Primary (Urban) Co-operative Banks excluding Tier 1 and Tier 2 Urban Co-operative Banks;
• Credit Information Companies (CICs);
• Non- Banking Financial Companies (“NBFCs”); and
• All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI).

Not Applicable on Base Layer NBFCs

The IT Outsourcing Directions only apply to NBFCs included in the ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’. They do not apply to NBFCs in the base layer which includes (a) non-deposit-taking NBFCs below the asset size of ₹1000 crore and (b) NBFCs undertaking the following activities- (i) NBFC-Peer to Peer Lending Platform (NBFC-P2P), (ii) NBFC-Account Aggregator (NBFC-AA), (iii) Non-Operative Financial Holding Company (NOFHC) and (iv) NBFCs not availing public funds and not having any customer interface.^[1]

2. Effective Date

The IT Outsourcing Directions shall be effective from October 1, 2023 (“Effective Date”). RBI has taken a glide path approach for implementing the IT Outsourcing Directions in the existing and new outsourcing arrangements.

Under the glide path approach, the existing outsourcing agreements that are renewed before the Effective Date, the provisions of the IT Outsourcing Directions shall be compiled by the renewal date which shall not be later than 12 (twelve) months from the issuance of IT Outsourcing Directions.

For agreements that shall be renewed on or after the Effective Date, the IT Outsourcing Directions shall be compiled by the renewal date or 36 (thirty- six) months from the date of issue of the IT Outsourcing Directions.

For the new outsourcing agreements that come into force before the Effective Date, the IT Outsourcing Directions shall be compiled preferably as on the date of such agreement but not later than 12 (twelve) months from the date of issuance of these IT Outsourcing Directions.

For agreements that come into force on or after the Effective Date, they shall comply with the IT Outsourcing Directions as of the date of the agreement itself.

AKP Comments: The glide path approach for implementation of IT Outsourcing Directions on existing and new outsourcing agreements indicates that till the effective date of such outsourcing agreements with respect to these  Directions is not triggered, the REs can continue following the IT Directions wherein specific guidelines have been provided for IT services outsourcing.

4. Applicable only to Material Outsourcing of IT Services

The IT Outsourcing Directions mention that they shall apply only to material outsourcing of IT services. The term ‘material outsourcing of IT services’ means any service which if disrupted or compromised shall have the potential to impact the RE’s business operations significantly; or may have a material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.

AKP Comments: This definition means that the IT Outsourcing Directions are meant for such REs especially NBFCs that undertake lending and other financial services only through digital means. The definition uses the term ‘or’ between the two conditions.

The second condition is linked to access to customer data and its protection. This means that the directions shall apply to any IT service agreement where there is access to customer data including the entire life cycle of a loan.

5. A Regulated Entity can also be considered a Service Provider to another Regulated Entity

The IT Outsourcing Directions define a Service Provider as any entity that provides IT or IT-enabled services to a Regulated Entity or any of its related entities. Further, it has been clarified that depending on the IT outsourcing services provided by a Regulated Entity to another Regulated entity, even a Regulated Entity could be considered a Service Provider within these IT Outsourcing Directions.

6. Outsourcing of Financial Services & Outsourcing of IT Services- Key Differences

The Directions provide an inclusive list of activities that shall be considered as Outsourcing of IT Services for the purpose of these Directions. Such activities include:

• IT infrastructure management, maintenance and support (hardware, software, or firmware);
• Network and security solutions, maintenance (hardware, software, or firmware);
• Application Development, Maintenance and Testing; Application Service Providers (ASPs) including ATM Switch ASPs;
• Services and operations related to Data Centres;
• Cloud Computing Services; and
• Management of IT infrastructure and technology services associated with the payment system ecosystem.

The remaining other services which are not considered as Outsourcing of IT Services or are included in Appendix III (discussed below) shall be considered as outsourcing of financial services and shall not be covered under these IT Outsourcing Directions.

7. Services that do not fall under the scope of Outsourcing IT Services & Entities that do not fall under the scope of Third-Party Service Providers

Appendix III provides an indicative (but not exhaustive) list of services that are not considered outsourcing IT services. Appendix III further contains the list of entities that are not considered Third-Party Service Providers for the purpose of implementation of these Directions.

• Corporate Internet banking services are obtained by the REs as corporate customers/sub-members of another regulated RE.
• External audits such as vulnerability assessment/ penetration testing, information systems audit, security review
• SMS gateways.
• Acquisition of IT software on a licenced or subscription basis and enhancements made to such third-party applications by its vendors (as upgrades) or on specific change requests made by RE.
• Any maintenance service provided for IT infra by the Original Equipment Manufacturer.
• Applications are provided by financial sector regulators or institutions like National Stock Exchange, and the Bombay Stock Exchange.
• Platforms provided by entities like SWIFT, Reuters, etc.
• Business Correspondent Services.
• Any other services subscribed by the RE like anti-virus software, email solutions etc.
• A list of vendors/entities which are not considered third-party service providers (“TPSP”), includes:

1. 1. 1. Payment System Operators authorised by the RBI under the Payment and Settlement System Act, 2007 for setting up and operating Payment Systems in India.
      2. Partnership bases Fintech firms such as those providing co-branded applications, services, and products. These will be considered as outsourcing of financial services.
      3. A non-exhaustive list of services provided by the fintech firms for data retrieval, data validation, and verification is provided, which includes bank statement analysis, GST returns analysis, fetching of vehicle information, digital document execution, data entry and call centre services.
      4. Vendors providing business services.
      5. Telecom service providers.
      6. Security/ Audit Consultants.

8. Inventory of Outsourced Services

REs shall create an inventory of services provided by the service providers (including key entities involved in their supply chains). Further, REs shall map their dependency on third parties and periodically evaluate the information received from the service providers.

9. Data Storage in India

Regardless of the location of the IT service provider, the RE shall have to ensure that all the data related to the IT service is stored on servers in India.

10. Audit Rights & Sub-Contractors

The audit rights of regulated entities have always been a topic of many negotiations in fintech agreements. Now, the REs shall have to ensure the right of audit to not just the fintech but also its sub-contractors.

Subcontractor for the IT Outsourcing Directions shall mean only those entities that provide material/ significant IT services to TPSP specific to the material IT services arrangement that the RE has entered into with the TPSP. As discussed above, a material IT service is one that can significantly impact the business of RE or can have a material impact on customers of REs. Hence, if a TPSP sub-contracts any IT service which is not material in nature, then such sub-contractors shall not be covered under these IT Outsourcing Directions.

Another issue in the industry is the increasing use of software-as-a-service. Most IT services are now integrated with various Application Programming Interfaces (“API”). Legally, every integrated API can be considered a subcontractor under these directions. It is next to impossible for fintech to have that measure of control over every API integration.

AKP Comments: The subcontractor requirements if applied to the API integrations of the fintech strictly shall severely impact SaaS platform usage which is inevitable in this neo-banking age. In this sense, the guidelines are not in sync with the industry.

For example, they expect a team of fintech employees to operate out of the RE’s premises when fintech employees are themselves working in hybrid and remote mode and there is no more a need to have them on-site to rectify systems that are completely cloud-based.

There is a need for advocacy for RBI to get a better understanding of the fintech ecosystem. The sandbox is probably not enough.

11. Risk Management Framework

The IT Outsourcing Directions puts the utmost importance on REs building confidence and trust among its customers to have a stable and safe financial system. Accordingly, IT Outsourcing Directions mandates REs to have a risk management framework which sufficiently deals with the functions and process of identification, measurement, mitigation, management and reporting of risks associated with their outsourcing arrangements. Considering the high dependence on multiple service providers for IT outsourcing services, REs have been asked to have appropriate systems to assess the risks among such service providers, ensuring that all its service providers have access to REs data without compromising customer confidentiality.

For better risk management, REs have been asked to ensure further that all such service providers that cater to multiple REs as an outsourcing agent, build adequate safeguards to avoid combining information, documents, records and assets. It has been clarified that to avoid combing of data, it shall suffice to have a clear separation and isolation of data i.e. RE and their customer-specific data, to ensure that only authorised personnel of RE are able to access data that belongs to them in such service provider’s multi-tenant environment/ architecture.

12. Business Recovery Plan (BRP) and Disaster Recovery Plan (DRP)

The REs shall require the service providers to develop and maintain a framework for BRP and DRP. REs shall develop a contingency plan under which the REs shall consider other alternative service providers or bring the activity outsourced in-house, during an emergency. The REs shall have some control over the outsourcing arrangement to mitigate the risk of sudden termination of an outsourcing agreement. The REs shall ensure that the information, documents and assets of the RE, with the service provider, shall be isolated so that in case of termination, such information and assets can be removed from the service provider’s possession.

AKP Comments 1: The guidelines have an underlying tone hoping that they push REs to start developing their own tech capabilities. For example, having a backup system available in-house in the event of failure of the service provider or expecting a team of employees of the fintech to operate out of the RE’s premises when fintech employees are themselves working in hybrid mode and remote modes and there is no more a need to have them on-site to rectify systems that are completely cloud-based.

AKP Comments 2: It is important for fintech agreements to have clear operating procedures on post-termination transition, transfer of customer data at the end of the contract and a business continuity plan that is practically enforceable. It is important for the tech and legal teams to collaborate to create meaningful contractual provisions.

13. Cross-Border Outsourcing

To mitigate country risk, REs shall closely monitor government policies and the social, economic, political and legal conditions of the jurisdiction in which the service provider is based. Governing law in such agreements should be clearly specified and such arrangements shall be made with companies which are upholding clauses and agreements. REs and RBI shall have the right to conduct an audit of the service provider based in foreign jurisdictions.

The service provider, if not a group company, shall not be owned or controlled by any director, key managerial person or the approver of the outsourcing arrangement of the RE. The only exception is if such an arrangement is approved by the board and proper disclosures, oversight and monitoring of such arrangements are done.

Authored by-

Kritika Krishnamurthy (Founding Partner) & Kavya Awasthi (Associate)

AK & Partners

New Delhi- India

^[1] RBI circular