Outsourcing of Information Technology Services

Introduction

The outsourcing of information technology (IT) services has become increasingly prevalent in the banking and financial sector. There are several challenges that have come up and regulators have stepped in with a framework to enable prudent risk management.

RBI Master Direction

The Reserve Bank of India (RBI) has released the Master Direction on Outsourcing of Information Technology Services to address the need for risk management in outsourcing contracts related to technology. This blog does a deep dive into outsourcing IT services in the banking industry. This master circle covers ten different domains and emphasizes on policies, risk frameworks, and controls, with a specific focus on cloud adoption. The directions will come into effect from 1st October 2023.

Need for Outsourcing

Various factors have contributed to the increased outsourcing of IT services, including the growing issues with adoption of technology, challenges with migration of data and platforms, new entrant, increased cloud adoption, relevance of outsourcing opportunities and presence of digital channels.

Potential Impact Areas

Outsourcing IT services has relevance for different stakeholders. This potential impact is on banks, small finance banks, payments banks, non-banking financial companies (NBFCs), credit information companies (CICs), urban cooperative banks (UCBs), and service providers. It explores the need for strengthened structures, governance, and compliance obligations.

Impact on Banks

• Deeper scrutiny of Outsourcing engagements-Legal, regulatory and coverage
• Need to strengthen frameworks on monitoring
• Reevaluate cloud strategy
• Handholding for new digital set ups

Impact on Small Finance Banks & Payments Banks

• Historically they have relied on Partners for technology management
• Need to build full governance framework to manage, and monitor in a real time manner

NBFCs, CICs, UCBs

• Technology investments would focus on the right partner and cloud adoption
• Require to build full governance framework to manage, and monitor

Service Providers

• Alignment of service delivery to meet compliance obligations
• Focus on building Data Security, Privacy, BCP, DR as well as audit management

10 Chapters of Master Circular

The Master Direction comprises ten chapters that cover various aspects of outsourcing IT services. These chapters include:

1. Preliminary
2. Role of the Regulated Entity
3. Governance Framework
4. Evaluation & Engagement of  Service Providers
5. Outsourcing Agreement
6. Risk Management
7. Monitoring & Control of Outsourced  Activities
8. Outsourcing within a Group Conglomerate
9. Cross Border Outsourcing
10. Exit Strategy

Applicable Service Elements

This section identifies the specific IT service elements and outlines the applicable activities. It also mentions non-applicable activities that are excluded from the scope.

Applicable Activities

1. IT Infrastructure Management
2. Network & Security Management
3. Application Development & Maintenance
4. Application testing Services
5. ATM Switch ASPs
6. Data Centre Operations & Hosting
7. Cloud Computing Services
8. Managed Security Services
9. Payment System Services Infrastructure  management

Non-Applicable Activities

1. Corporate Internet Banking Services
2. Audit Services (including VA/PT)
3. SMS Service Provider
4. Procurement & Acquisition of  Hardware/Software
5. OEM Led maintenance
6. Regulatory bodies
7. BCs, Fintech Partnership, Data Enablers

Governance Framework

To ensure compliance with the Master Direction, regulated entities need to establish a board-approved IT outsourcing policy. This section outlines the requirements for building the policy including key outcomes to look for.

Requirements

• Build a comprehensive board approved IT Outsourcing policy
• Define Roles & Responsibility (Terms of Reference) for:
  • Board
  • Senior Management
  • CIO/CTO/IT Team
• Oversight & Assurance structure with respect to  policy
• Maintain inventory of Service & Partner

Action Plan

• Prepare on realigning IT outsourcing policy and take board approval
• Identify Key stakeholders and outline Terms of Reference
• Policy roll out plan
• Conduct Training & Workshops for stakeholders
• Prepare review & monitoring mechanism to timely update the  policy
• Develop Inventory for outsourcing

Key Outcomes

• Focused IT Outsourcing policy – Criteria, Materiality, delegation of authority, DR/BCP, Risk Assessment, Termination, Exit Strategies
• Documented Terms

Checkpoints for Compliance

• Board agenda item & Minutes
• Board / IT Strategy Committee Minutes
• Schedules for meeting with Stakeholders on
  • Training & Workshops
  • Review on the Policy Update Process
• Service & Partner inventory with key dates

Evaluation and Engagement

Effective evaluation and engagement of service providers is critical in outsourcing. This section outlines the requirements for establishing a risk-based due diligence, an action plan, key outcomes to target, and checkpoints for compliance.

Requirements

• Risk based Due Diligence Framework to assess the capability To Establish Evaluation framework
• Independent Review
• Aspects coverage on multiple parameters

Action Plan

• Develop Materiality Assessment Framework basis risk potential
• Develop Due Diligence Checklist aligned to materiality as well as  service category
• To create vendor evaluation parameters
• Update Partner inventory aligned to materiality

Key Outcomes

• Enhanced framework for selection and onboarding of partners
• Better visibility on capabilities of planned outsourced partner

Checkpoints for Compliance

• Approved Due Diligence Checklist
• Vendor list vis-à-vis Due diligence reports
• Risks derivation linked to Due Diligence
•  Alignment with Risk  management framework

Outsourcing Agreements

Regulated entities need to establish a legal binding agreement framework and document the terms and conditions in conjunction with their legal teams. This section highlights the importance of regular monitoring, assessment frameworks, and performance monitoring aligned with service level agreements (SLAs). An action plan is needed for regulated entities to create the necessary legal agreement templates and ensure compliance.

Requirements

• To Build a Legal Binding Agreement Framework
• Documentation of Terms & Conditions
• To establish regular Monitoring & Assessment Framework
• Develop Performance Monitoring Framework which is in line with SLA  structure

Action Plan for RE

• To create the Legal Agreement template by outlining all key  requirements– mapped to materiality and type of  services
• Review all existing contracts and Do gap assessment
• Plan for amendment of Agreements
• Map risks related to missing elements as part of Risk register- Exception plan

Key Outcomes

• Formal Outsourcing contracts for all existing partners aligned with regulatory requirements

Checkpoints for Compliance

• Create Checklist of Agreement clauses and map compliance for the set of existing contracts
• Develop Tracker for amendment of contracts
• Notification to Management as per Governance structure

Monitoring and Control of Outsourced Activities

A robust management structure with defined roles and responsibilities is crucial for monitoring activities. This section not only outlines the development of monitoring and control checklists, establishment of audit mechanisms but also identifies the key outcomes and checkpoints for compliance.

Requirements

• Establish Management Structure with defined roles & responsibilities for monitoring
• To build Audit dynamics & Pooled Audit mechanism

Action Plan for RE

• Update/Create Monitoring & Control Checklist
  • Control Assessment Checklist
  • Termination Checklists
• Document assessment checklists
• Align with respect managing team

Key Outcomes

• Defined Monitoring & Control Structure with respect to Master Direction
• Controlled assessments of Service providers on real-time basis

Checkpoints for Compliance

• Internal Audit Program
• Audit Reports for Outsourcing partners
• Performance Review Reports
• Assessment Reports for CSPs, SOCs partners

Exit Strategy

Requirement to have a well-defined exit strategy for terminating or exiting outsourced IT activities or services. This section outlines the requirements for documenting exit strategy terms, termination clauses, and alternative arrangements. An action plan is provided for creating exit strategies, termination processes, and protecting data during the transition period. Checkpoints for compliance are also highlighted.

Requirements

To Document Exit Strategy terms into policy with regards to:

• BC plan & After Exit terms
• Termination Clauses
• Alternative Arrangements

Action Plan for RE

• Create Exit strategy & time period for executing
• Create Termination processes
• Create clauses to protect the data in transition period

Key Outcomes

• Well-defined plan for exiting or terminating outsourced IT  activities or IT-enabled services

Checkpoints for Compliance

• Exit reports for any terminated contracts
• BCP / Exit approach for critical partners

Cloud Computing Services

Cloud Service Provider (CSP)

Selecting a suitable Cloud Service Provider (CSP) is critical in this process. To ensure a secure and reliable partnership, regulated entities (REs) should contract exclusively with service providers operating under jurisdictions that ensure the enforceability of agreements and safeguard their own rights.

Cloud Service Management & Security Consideration

In the context of cloud service management and security considerations, there are certain key factors that regulated entities (REs) have to take account of. These factors help ensure the integrity, confidentiality, and availability of data in the environment.

• RE to ensure the tech architecture is in adherence to Global tech architecture principals & Standards  Encryption key & Hardware security modules which shall be under the control of REs
• Implementation of security controls shall be similar or higher than those of in premise architecture  with adequate monitoring & vulnerability requirements

Conclusion

Outsourcing IT services in the financial domain needs and due consideration of multiple aspects to ensure compliance, risk management, and operational resilience. Though adherence to these guidelines, banks can enhance their outsourcing practices while giving due consideration to security and efficiency.