Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025

In exercise of the powers conferred by Section 45L of the Reserve Bank of India Act, 1934 and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest to do so, hereby issues the Directions hereinafter specified.

Chapter I – Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Non-Banking Financial Companies - Managing Risks in Outsourcing) Directions, 2025.

2. These Directions shall come into force with immediate effect.

Provided that, for Non-Banking Financial Companies covered under the scope of these Directions, as mentioned in paragraph 3, their existing IT outsourcing agreements regardless of whether they are due for renewal on or after the effective date of these Directions shall comply with the provisions of these Directions either at the time of renewal or by April 10, 2026, whichever is earlier. However, their new IT outsourcing agreements that come into force on or after the effective date of these Directions, shall comply with the provisions of these Directions from the date of agreement itself.

Provided further that, nothing in the above proviso shall be construed as permitting non-compliance with any other extant regulatory instructions or statutory requirements applicable to such arrangements.

B. Applicability

3. These Directions shall be applicable to all Non-Banking Financial Companies, (hereinafter collectively referred to as ‘NBFCs’ and individually as an NBFC), excluding Housing Finance Companies (HFCs).

Provided that, Chapter IV and IT-specific provisions contained in Chapter II of these Directions shall apply only to NBFCs included in ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’ as defined in the Reserve Bank of India (Non-Banking Financial Companies – Registration, Exemptions and Framework for Scale Based Regulation) Directions, 2025.

Explanation: While Chapter IV as a whole is applicable exclusively to NBFCs included in ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’, certain IT-related provisions in Chapter II (e.g., Board-level IT outsourcing policy and responsibilities of and reviews by the Board with respect to IT outsourcing) are also intended for these categories only. The remaining provisions of Chapter II are applicable to all NBFCs, including those in ‘Base Layer’.

C. Definitions

4. In these Directions, unless the context otherwise requires, ‘Outsourcing’ means use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) by an NBFC to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future. 'Continuing basis' shall include agreements for a limited period.

5. Some other terms pertaining to outsourcing of financial services and IT services have been defined in their respective Chapters as per their applicability.

6. All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Reserve Bank of India Act, 1934 or the Information Technology Act, 2000 or the Companies Act, 2013 and Rules made thereunder, or any statutory modification or re-enactment thereto, or Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

D. Scope

7. As these Directions cover both outsourcing of financial services and IT services, the scope of application of these Directions is specified in the respective Chapters.

Chapter II – Role of the Board

8. The outsourcing of any activity by an NBFC does not diminish its obligations, and those of its Board and Senior Management, who have the ultimate responsibility for the outsourced activity.

A. Board Approved Policy

9. An NBFC intending to outsource any of its financial or IT activities shall put in place corresponding comprehensive Board approved outsourcing policies, the coverage of which are indicated in paragraph 21 and paragraph 65, respectively.

B. Key responsibilities

10. The Board or a Committee of the Board to which powers have been delegated, as applicable for financial or IT outsourcing, shall be responsible for putting in place a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements, laying down appropriate approval authorities depending on risks and materiality, and undertaking regular review.

11. In respect of outsourcing of financial services,

(1) the Board, or a Committee of the Board to which powers have been delegated, shall be responsible, inter alia, for:

(i) approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
(ii) laying down appropriate approval authorities for outsourcing depending on risks and materiality;
(iii) setting up suitable administrative framework of Senior Management;
(iv) undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness;
(v) deciding on business activities of a material nature to be outsourced, and approving such arrangements;
(vi) approving a policy for outsourcing financial services to a group entity; and
(vii) reviewing records of all material outsourcing on half yearly basis, in which case the delegation should be to Risk Management Committee only.

(2) the Audit Committee of the Board (ACB) of an NBFC shall:

(i) monitor the system of internal audit of all outsourced activities; and
(ii) review the ageing analysis of entries pending reconciliation with outsourced vendors and make efforts to reduce the old outstanding items therein at the earliest.

12. In respect of outsourcing of IT services, the Board shall be responsible, inter alia, for:

(i) putting in place a framework for approval of outsourcing activities depending on risks and materiality;

(ii) approving policies to evaluate the risks and materiality of all existing and prospective outsourcing arrangements;

(iii) setting up suitable administrative framework of Senior Management;

(iv) ensuring either by itself or through its Committee that there is no conflict of interest arising out of third-party engagements, especially when permitting an exception to the requirement that the service provider of outsourced services, if not a group company, shall not be owned or controlled by any director, key managerial personnel, approver of the outsourcing arrangement, or their relatives under the proviso to paragraph 62 of these Directions; and

(v) reviewing any adverse development mentioned in reports put up to Senior Management on the monitoring and control activities.

Chapter III – Outsourcing of Financial Services

A. Definitions

13. In this Chapter, unless the context otherwise requires, ‘Material Outsourcing’ means arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability or customer service.

Materiality of outsourcing shall be based on the:

(i) level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by the same;
(ii) potential impact of the outsourcing on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
(iii) likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service;
(iv) cost of the outsourcing as a proportion of total operating costs of the NBFC;
(v) aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider; and
(vi) significance of activities outsourced in the context of customer service and protection.

B. Scope

14. The directions contained in this Chapter shall apply to outsourcing arrangements entered into by an NBFC with a service provider which may be either a member of the group / conglomerate to which the NBFC belongs, or an unrelated party which is located in India or elsewhere for outsourcing of financial services like applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.

Provided that, for outsourced services relating to credit cards, the provisions set out in the Reserve Bank of India (Non-Banking Financial Companies – Credit Cards: Issuance and Conduct) Directions, 2025, as amended from time to time, shall also apply to the applicable entities.

15. The directions contained in this Chapter shall not apply to outsourcing of:

(i) IT services as defined in paragraph 59(2) of these Directions, unless specified otherwise in respective paragraphs of Chapter IV; and
(ii) activities unrelated to financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc.

C. Activities that shall not be outsourced

16. An NBFC which chooses to outsource financial services shall however not outsource core management functions including Internal Audit, Strategic and Compliance functions and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, giving sanction for loans (including retail loans) and management of investment portfolio.

Provided that, for an NBFC in a group / conglomerate, these functions may be outsourced within the group subject to compliance with instructions in paragraph 46 to paragraph 52.

Explanation: While internal audit function itself is a management process, the internal auditors can be on contract.

D. Authorisation, Accountability, and Oversight

17. An NBFC, which desires to outsource financial services, shall not require prior approval from RBI. However, such arrangements would be subject to on-site / off-site monitoring and inspection / scrutiny by RBI.

18. As stated in paragraph 8, the outsourcing of any activity by an NBFC shall not diminish its obligations including to its customers and RBI, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. The NBFC shall, therefore, be responsible for the actions of its service provider including Direct Sales Agents (DSAs) / Direct Marketing Agents (DMAs) and recovery agents and the confidentiality of information pertaining to the customers that is available with the service provider. The NBFC shall retain ultimate control of the outsourced activity.

19. An NBFC shall ensure that:

(i) all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration have been considered when performing due diligence in relation to outsourcing;
(ii) outsourcing, whether the service provider is located in India or outside India, does not impede RBI in carrying out its supervisory functions and objectives, or diminish the ability of an NBFC to fulfil its obligations to its regulator / supervisor;
(iii) outsourcing, whether the service provider is located in India or outside India, does not impede or interfere with the ability of an NBFC to effectively oversee and manage its activities, and fulfil its obligations;
(iv) outsourcing would not result in the compromise or weakening of an NBFC’s internal control, business conduct, or reputation;
(v) the service provider employs the same high standard of care in performing the services as would be employed by the NBFC, if the activities were conducted within the NBFC and not outsourced; and
(vi) the service provider, if it is not a group company of the NBFC, shall not be owned or controlled by any director of the NBFC or their relatives having the same meaning as assigned under Companies Act, 2013 and the Rules framed thereunder, as amended from time to time.

20. An NBFC shall be responsible for making Currency Transactions Reports (CTRs) and Suspicious Transactions Reports (STRs) to FIU or any other competent authority in respect of its customer related activities carried out by the service providers.

E. Governance Framework

E.1 Outsourcing Policy

21. An NBFC intending to outsource any of its financial services shall put in place a comprehensive outsourcing policy, approved by its Board, which shall incorporate, inter alia, the following:

(i) criteria for selection of such activities as well as service providers;

(ii) delegation of authority depending on risks and materiality; and

(iii) systems to monitor and review the operations of these activities.

E.2 Role of Senior Management

22. The Senior Management of an NBFC shall, inter alia, be responsible for:

(i) evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board or a Committee of the Board;

(ii) developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing;

(iii) reviewing periodically the effectiveness of policies and procedures;

(iv) communicating information pertaining to material outsourcing risks to the Board in a timely manner;

(v) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;

(vi) ensuring that there is independent review and audit for compliance with set policies; and

(vii) undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise.

F. Risk Management

F.1 Evaluation of the Risks

23. An NBFC shall evaluate and guard against the following key risks when outsourcing:

(i) Strategic Risk – such as where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the NBFC.

(ii) Reputation Risk – such as where the service provider delivers poor service or its customer interactions are inconsistent with the overall standards of the NBFC.

(iii) Compliance Risk – such as where, owing to outsourcing, the privacy, consumer, and prudential laws are not adequately complied with.

(iv) Operational Risk – which may arise due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations and / or to provide remedies.

(v) Legal Risk – where an NBFC is subjected to, inter alia, fines, penalties, or punitive damages resulting from supervisory actions, or private settlements due to omissions and commissions by the service provider.

(vi) Exit Strategy Risk – may arise when an NBFC becomes over reliant on one service provider, loses relevant internal skills preventing it from bringing the activity back in-house, or enters into contracts that make speedy exits prohibitively expensive.

(vii) Counterparty Risk – such as where the service provider engages in inappropriate underwriting or credit assessments.

(viii) Country Risk – where the political, social or legal climate creates added risk in the outsourcing arrangement.

(ix) Contractual Risk – where the NBFC may not have the ability to enforce the contract with the service provider.

(x) Concentration and Systemic Risk – where there is a lack of control of an NBFC over a service provider, more so when overall industry has considerable exposure to one service provider.

F.2 Confidentiality and Security of Information

24. An NBFC shall seek to ensure the confidentiality, security, preservation, and protection of the customer information in the custody or possession of the service provider.

25. Access to customer information by a service provider or its staff shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

26. An NBFC shall review and monitor the security practices and control processes of its service providers on a regular basis and require the service provider to disclose security breaches.

27. In instances, where a service provider acts as an outsourcing agent for multiple entities, care shall be taken to build strong safeguards so that there is no comingling or combining of information, documents, records, and assets.

28. An NBFC shall ensure that a service provider is able to isolate and clearly identify the NBFC’s customer information, documents, records and assets to protect the confidentiality of the information.

29. An NBFC shall immediately notify RBI in the event of breach of security and leakage of confidential customer related information. In these eventualities, the NBFC shall be liable to its customers for any damage.

G. Outsourcing Process

G.1 Service Provider Evaluation

30. An NBFC shall perform appropriate due diligence while considering or renewing an outsourcing arrangement, to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis.

31. The due diligence mentioned above shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:

(i) qualitative, quantitative, financial, operational, legal, and reputational factors;
(ii) risks arising from undue concentration, if outsourcing to a single service provider or a limited number of service providers;
(iii) past experience and demonstrated competence to implement and support the proposed activity over the contracted period;
(iv) financial soundness and ability to service commitments even under adverse conditions;
(v) business reputation and culture, compliance, complaints and outstanding or potential litigation;
(vi) quality of due diligence exercised by service provider of its employees and sub-contractors;
(viii) security and internal control, audit coverage, reporting and monitoring procedures, business continuity management; and
(ix) external factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance.

32. Where possible, an NBFC shall obtain independent reviews and market feedback on the service provider to supplement the findings of its own due diligence.

33. An NBFC shall also evaluate whether the systems of its service providers are compatible with those of the NBFC, and the acceptability of their standards of performance including in the area of customer service.

G.2 Outsourcing Agreement

34. An NBFC shall ensure that the terms and conditions governing the outsourcing arrangement are carefully defined in written agreements and vetted by the NBFC’s legal counsel on their legal effect and enforceability. The agreement shall appropriately reckon the associated risks and the strategies for mitigating or managing them. The NBFC shall ensure that such an agreement is sufficiently flexible to allow the NBFC to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent-principal or otherwise.

35. Some of the key provisions of the agreement shall include:

(i) details of the activity being outsourced, including appropriate service and performance standards;

(ii) NBFC’s access to all books, records, and information relevant to the outsourced activity available with the service provider;

(iii) regular and continuous monitoring and assessment by the NBFC of the service provider for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately;

(iv) prior approval or consent by the NBFC for the use of subcontractors by the service provider for all or part of an outsourced activity;

(v) controls for maintaining confidentiality of data including of its customers, and incorporating service provider’s liability in the event of security breach and leakage of such confidential information;

(vi) contingency plans to ensure business continuity;

(vii) NBFC’s right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the NBFC;

(viii) right of RBI or persons authorised by it to access the NBFC’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time;

(ix) right of RBI to cause an inspection to be made of the service provider of the NBFC and its books and account by one or more of its officers, employees or other authorised persons;

(x) a termination clause and minimum period for executing termination, if deemed necessary;

(xi) provision that confidentiality of customers’ information shall be maintained even after the contract expires or gets terminated; and

(xii) provisions to ensure that the service provider preserves documents and data in accordance with legal / regulatory obligations of the NBFC and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

G.3 Monitoring and Control of Outsourced Activities

36. An NBFC shall have in place a management structure to monitor and control its outsourced activities and shall ensure that outsourcing agreements with service providers contain provisions to address the same.

37. An NBFC shall maintain a central record of all material outsourcing of financial services for review by its Board and Senior Management. The records shall be updated promptly, and half yearly reviews shall be placed before the Board or Risk Management Committee.

38. Regular audits by either the internal auditors or external auditors of an NBFC shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the NBFC’s compliance with its risk management framework and the requirements of these Directions.

39. An NBFC shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience or business continuity preparedness.

40. Certain services, viz., outsourcing of cash management, might involve reconciliation of transaction between an NBFC, its service providers and their subcontractors. In such cases, the NBFC shall ensure that reconciliation of transactions between itself and a service provider (and / or its subcontractors) are carried out in a timely manner.

G.4 Business Continuity and Management of Disaster Recovery Plan

41. An NBFC shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. The NBFC shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider.

42. In establishing a viable contingency plan, an NBFC shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

43. An NBFC shall ensure that its service providers are able to isolate the NBFC’s information, documents and records, and other assets so that in adverse conditions or termination of the agreement, all documents, records of transactions and information given to the service provider, and assets of the NBFC, can be removed from the possession of the service provider (in order to continue its business operations); or deleted, destroyed or rendered unusable.

44. In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency / liquidation of its service provider, an NBFC shall retain an appropriate level of control over its outsourcing arrangement along with the right to intervene with appropriate measures to continue its business operations without incurring prohibitive expenses and disruption in the operations of the NBFC and its services to the customers.

G.5 Termination

45. In the event of termination of an outsourcing agreement for any reason, this shall be publicised by the NBFC by displaying at a prominent place in the branch, posting it on the website, and informing the customers so as to ensure that the customers do not continue to deal with the service provider.

H. Specific Outsourcing Arrangements

H.1 Outsourcing within a Group / Conglomerate

46. In a group structure, an NBFC may have back-office and service arrangements or agreements with group entities such as sharing of premises, legal and other professional services, hardware and software applications and centralized back-office functions; outsourcing certain financial services to other group entities. Before entering into such arrangements with group entities, an NBFC shall have a policy approved by the Board or a Committee of the Board and also service level agreements / arrangements with its group entities, which shall also cover demarcation of sharing resources, i.e., premises, personnel, etc.

47. In such arrangements, an NBFC shall inform the customers specifically about the company which is actually offering the product / service, wherever there are multiple group entities involved, or any cross selling observed.

48. While entering into such arrangements, an NBFC shall ensure that these:

(i) are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer's data;
(ii) do not lead to any confusion to the customers on whose products / services they are availing by clear physical demarcation of the space where the activities of the NBFC and those of its other group entities are undertaken;
(iii) do not compromise the ability to identify and manage risk of the NBFC on a stand-alone basis;
(iv) do not prevent RBI from being able to obtain information required for the supervision of the NBFC or pertaining to the group as a whole; and
(v) incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by RBI in relation to the activities of the NBFC.

49. An NBFC shall ensure that its ability to carry out its operations in a sound fashion would not be affected, if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable.

50. If the premises of an NBFC are shared with the group entities for the purpose of cross-selling, the NBFC shall take measures to ensure that the entity's identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in the NBFC’s premises shall mention nature of arrangement of the entity with the NBFC so that the customers are clear on the seller of the product.

51. An NBFC shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that it is in any way responsible for the obligations of its group entities.

52. The risk management practices to be adopted by an NBFC while outsourcing to a related party (i.e., party within the group / conglomerate) shall be identical to those for a non-related party as specified in this Chapter.

H.2 Offshore outsourcing

53. In principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

54. While engaging with service provider(s) in a foreign country, an NBFC shall:

(i) closely monitor government policies of the jurisdiction in which the service provider is based and political, social, economic and legal conditions, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies;
(ii) clearly specify the governing law of the outsourcing arrangement;
(iii) ensure availability of records to the NBFC and RBI will not be affected even in the case of liquidation of the service provider or offshore custodian or the NBFC in India;
(iv) ensure activities outsourced outside India are conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of the NBFC in a timely manner;
(v) ensure that, where the offshore service provider is a regulated entity, the relevant offshore regulator will neither obstruct the arrangement nor object to the RBI’s inspection visits or visits of NBFC’s internal and external auditors;
(vi) ensure that the regulatory authority of the offshore location does not have access to the data relating to Indian operations of the NBFC simply on the ground that the processing is being undertaken there (not applicable, if offshore processing is done in the home country of the NBFC);
(vii) ensure that the jurisdiction of the courts in the offshore location where data is maintained does not extend to the operations of the NBFC in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and
(viii) ensure that all original records continue to be maintained in India.

I. Redressal of Grievances related to Outsourced Services

55. Outsourcing arrangements entered into by an NBFC shall not affect the rights of its customers against the NBFC, including the ability of the customers to obtain redressal as applicable under relevant laws.

56. In cases where customers are required to deal with service providers in the process of dealing with an NBFC, the NBFC shall incorporate a clause in the corresponding product literature, brochures, etc., stating that the services of service providers in sales, marketing, etc., of the products may be used. The role of the service providers may be indicated in broad terms.

57. An NBFC shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the NBFC. In case of microfinance loans, a declaration that the NBFC shall be accountable for inappropriate behaviour of the employees of the service provider and shall provide timely grievance redressal, shall be made in the loan agreement, and Fair Practices Code (FPC) displayed in its office / branch premises / website.

58. In addition to the above,

(i) an NBFC shall constitute Grievance Redressal Machinery in accordance with the provisions of Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025;

(ii) at the operational level, an NBFC shall display the name and contact details (Telephone / Mobile nos. as also email address) of the Grievance Redressal Officer prominently at its branches / places where business is transacted. The designated officer shall ensure that genuine grievances of customers are redressed promptly without involving delay. It shall be clearly indicated that NBFC’s Grievance Redressal Machinery will also deal with the issue relating to services provided by the outsourced agency;

(iii) an NBFC shall give a time limit of 30 days to the customers for preferring their complaints or grievances. The grievance redressal procedure of the NBFC and the time frame fixed for responding to the complaints shall be placed on the NBFC's website; and

(iv) if a complaint was rejected wholly or partly by an NBFC and the complainant is not satisfied with the reply or does not get any reply within 30 days, after the NBFC received the complaint, the complainant shall have the following options for redressal of their grievance(s):

(a) the RBI’s Ombudsman in case of NBFCs to which RBI’s Integrated Ombudsman Scheme, 2021 applies, or
(b) Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI in case of NBFCs to which RBI’s Integrated Ombudsman Scheme, 2021 does not apply.

Chapter IV – Outsourcing of Information Technology (IT) Services

A. Definitions

59. In this Chapter, unless the context otherwise requires, the terms herein shall bear the meanings assigned to them below:

(1) ‘Group’ shall be as defined in the Reserve Bank of India (Commercial Banks- Concentration Risk Management) Directions, 2025, as amended from time to time, for the purpose of intragroup transactions and exposures;

(2) ‘IT services’ means IT services and / or IT enabled services and / or IT activities.

(3) ‘Material Outsourcing of IT Services’ are those which:

(i) if disrupted or compromised shall have the potential to significantly impact the NBFC’s business operations; or
(ii) may have material impact on the NBFC’s customers in the event of any unauthorised access, loss or theft of customer information;

(4) ‘Service Provider’ means provider of IT or IT enabled services including entities related to the NBFC or those which belong to the same group or conglomerate to which the NBFC belongs.

Provided that, for the purpose of this Chapter, the following indicative (but not exhaustive) list of vendors and entities shall not be considered as ‘Service Providers’ defined above:

(i) vendors providing business services using IT. For e.g., Business Correspondents (BCs);
(ii) Payment System Operators (PSOs) authorised by RBI under the Payment and Settlement Systems Act, 2007 for setting up and operating Payment Systems in India;
(iii) partnership based FinTech firms such as those providing co-branded applications, services, products (would be considered under outsourcing of financial services in Chapter III);
(iv) FinTech firms providing services for data retrieval, data validation and verification such as, financial statement analysis, GST returns analysis, fetching of vehicle information, digital document execution, data entry and call centre services, etc.;
(v) telecom service providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of data; and
(vi) security or audit consultants appointed for certification, audit or Vulnerability Assessment / Penetration Testing (VA / PT) related to IT infra, IT services or information security services in their role as independent third-party auditor or consultant or lead implementer.

Explanation: Depending upon the IT Outsourcing services provided (if any) by a Regulated Entity (RE) to other RE(s), even an RE could be considered as a service provider to other RE, under the provisions contained in this Chapter.

(5) ‘Sub-contractor’ refers to those providing material / significant IT services to the service provider and is specific to the material IT services arrangement that the NBFC has entered into with the service provider.

B. Scope

60. These Directions shall apply to an NBFC’s material outsourcing of IT services, as defined in paragraph 59(3) above. In this context, ‘Outsourcing of IT Services’ shall include outsourcing of the following activities:

(i) IT infrastructure management, maintenance and support (hardware, software or firmware);

(ii) network and security solutions, maintenance (hardware, software or firmware);

(iii) application development, maintenance and testing; Application Service Providers (ASPs) including ATM Switch ASPs;

(iv) services and operations related to Data Centres;

(v) cloud computing services;

(vi) managed security services; and

(vii) management of IT infrastructure and technology services associated with payment system ecosystem.

61. These Directions shall not apply to the following services / activities,

(i) corporate internet banking services obtained by an NBFC as a corporate customer or sub-member of another RE;

(ii) external audit services such as VA / PT, Information Systems Audit, and security review;

(iii) SMS gateways (Bulk SMS service providers);

(iv) procurement of IT hardware or appliances;

(v) acquisition of IT software, product or application (e.g., CBS, database, security solutions, etc.) on a licence or subscription basis, and any enhancements made to such licensed third-party applications by the vendor (as upgrades) or on specific change request made by an NBFC;

(vi) any maintenance service (including security patches, bug fixes) for IT infrastructure or licensed products, provided by the Original Equipment Manufacturer (OEM) themselves, in order to ensure continued usage of the same by the NBFC;

(vii) applications provided by financial sector regulators or institutions such as CCIL, NSE, BSE, etc.;

(viii) platforms provided by entities such as Reuters, Bloomberg, SWIFT, etc.;

(ix) any other off-the-shelf products (e.g., anti-virus software, email solutions, etc.) subscribed to by an NBFC, wherein only a license is procured with no or minimal customisation;

(x) services obtained by an NBFC as a sub-member of a Centralised Payment System (CPS) from another RE; and

(xi) Business Correspondent (BC) services, payroll processing, and statement printing.

C. Authorisation, Accountability, and Oversight

62. In addition to adhering to the requirements stipulated in subparagraphs (i) to (v) of paragraph 19 of these Directions, an NBFC shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the NBFC, or their relatives. The terms ‘control’, ‘director’, ‘key managerial personnel’, and ‘relative’ have the same meaning as assigned under the Companies Act, 2013 and the Rules framed thereunder from time to time.

Provided that, an exception to the above requirement may be made with the approval of Board / a Committee of the Board, followed by appropriate disclosure, oversight and monitoring of such arrangements.

63. An NBFC shall evaluate the need for outsourcing of IT services based on a comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks. For this purpose, the NBFC shall, inter alia, consider the following:

(i) the need for outsourcing based on criticality of activity to be outsourced;
(ii) expectations and outcomes from outsourcing;
(iii) success factors and cost-benefit analysis; and
(iv) the model for outsourcing.

64. An NBFC shall ensure that cyber incidents are reported to it by the service provider without undue delay, so that an incident is reported by the NBFC to the RBI within six hours of detection by the third-party service provider.

D. Governance Framework

D.1 Outsourcing Policy

65. An NBFC intending to outsource any of its IT activities shall put in place a comprehensive Board approved IT outsourcing policy incorporating, inter alia,

(i) the roles and responsibilities of the Board, Committees of the Board (if any) and Senior Management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services;

(ii) criteria for selection of such activities as well as service providers;

(iii) parameters for defining material outsourcing based on the broad criteria defined in paragraph 59(3) of these Directions;

(iv) delegation of authority depending on risk and materiality;

(v) disaster recovery and business continuity plans;

(vi) systems to monitor and review the operations of these activities; and

(vii) termination processes and exit strategies, including business continuity in the event of a third-party service provider exiting the outsourcing arrangement.

D.2 Role of Senior Management

66. The Senior Management of an NBFC shall, inter alia, be responsible for:

(i) formulating IT outsourcing policies and procedures, evaluating the risks and materiality of all existing and prospective IT outsourcing arrangements based on the framework commensurate with the complexity, nature and scope, in line with the enterprise-wide risk management of the organisation approved by the Board and its implementation;

(ii) prior evaluation of prospective IT outsourcing arrangements and periodic evaluation of the existing outsourcing arrangements covering the performance review, criticality and associated risks of all such arrangements based on the policy approved by the Board;

(iii) identifying IT outsourcing risks as they arise, monitoring, mitigating, managing and reporting of such risks to the Board / a Committee of the Board in a timely manner;

(iv) ensuring that suitable business continuity plans based on realistic and probable disruptive scenarios, including exit of any third-party service provider, are in place and tested periodically;

(v) ensuring (a) effective oversight over third party for data confidentiality and (b) appropriate redressal of customer grievances in a timely manner;

(vi) ensuring an independent review and audit on a periodic basis for compliance with the legislations, regulations, Board-approved policy and performance standards and reporting the same to Board / a Committee of the Board; and

(vii) creating essential capacity with required skillsets within the organisation for proper oversight of outsourced activities.

D.3 Role of IT Function

67. The responsibilities of the IT Function of an NBFC shall, inter alia, include:

(i) assisting the Senior Management in identifying, measuring, monitoring, mitigating and managing the level of IT outsourcing risk in the organisation;

(ii) ensuring that a central database of all IT outsourcing arrangements is maintained and is accessible for review by Board, Senior Management, Auditors and Supervisors;

(iii) effectively monitor and supervise the outsourced IT activity to ensure that the service providers meet the laid down performance standards and provide uninterrupted services, report to the Senior Management; co-ordinate periodic due diligence and highlight concerns, if any; and

(iv) putting in place necessary documentation required for contractual agreements including service level management, monitoring of vendor operations, key risk indicators and classifying the vendors as per the determined risk.

E. Risk Management

E.1 Risk Management Framework

68. An NBFC shall put in place a risk management framework that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with such IT outsourcing arrangements.

69. An NBFC shall suitably document risk assessments with necessary approvals in line with the roles and responsibilities of the Board of Directors, Senior Management and IT Function and subject the same to internal and external quality assurance on a periodic basis as determined by the Board-approved policy.

70. An NBFC shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and / or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers.

E.2 Confidentiality and Security of Information

71. An NBFC shall be responsible for the confidentiality and integrity of data and information pertaining to its customers that is available to the service provider.

72. In this regard, an NBFC shall adhere to directions stated in paragraph 24 to paragraph 27 of these Directions and additionally ensure that:

(i) access by service providers to data at the NBFC or its data centre shall be on ‘need to know’ basis, with appropriate controls to prevent security breaches and / or data misuse;
(ii) in the event of multiple service provider relationships where two or more service providers collaborate to deliver an end-to-end solution, the NBFC remains responsible for understanding and monitoring the control environment of all service providers that have access to its data, systems, records or resources;
(iii) it immediately notifies RBI in the event of breach of security and leakage of confidential customer related information. In these eventualities, the NBFC shall adhere to the extant instructions issued by RBI from time to time on Incident Response and Recovery Management.

73. With regard to requirement regarding combining of data stipulated in paragraph 27, it would suffice if there is clear separation and isolation of data (NBFC and its customer specific data and information) to ensure that only the personnel as authorised by the NBFC is able to access data that belongs to them in a multi-tenant environment / architecture.

F. Outsourcing Process

F.1 Service Provider Evaluation

74. The directions regarding service provider evaluation as applicable to outsourcing of financial services contained in paragraph 30 to paragraph 32 shall apply, mutatis mutandis, to outsourcing of IT services, with the following additional considerations for due-diligence:

(i) technology, infrastructural stability, data backup arrangements, and disaster recovery plan;
(ii) conflict of interest, if any;
(iii) capability to identify and segregate NBFC’s data;
(iv) capability to comply with the regulatory and legal requirements of the outsourcing arrangement;
(v) information / cyber security risk assessment;
(vi) ensuring that appropriate controls, assurance requirements and possible contractual arrangements are in place to ensure data protection and NBFC’s access to the data which is processed, managed or stored by the service provider;
(vii) ability to effectively service all the customers while maintaining confidentiality, especially where a service provider has exposure to multiple entities; and
(viii) ability to enforce agreements and the rights available thereunder including those relating to aspects such as data storage, data protection and confidentiality.

75. A risk-based approach shall be adopted in conducting such due diligence activities.

F.2 Outsourcing Agreement

76. An NBFC shall ensure that its rights and obligations and those of each service provider are clearly defined and set out in a legally binding written agreement, in line with the provisions specified in paragraph 34 of these Directions. In principle, the provisions of the agreement shall appropriately reckon the criticality of the outsourced task to the business of the NBFC, the associated risks and the strategies for mitigating or managing them.

77. In addition to the requirements specified in subparagraphs (i) to (vii) of paragraph 35, an NBFC shall also include at minimum (as applicable to the scope of outsourcing of IT services) the following aspects in any agreement for outsourcing of IT services:

(i) provisions covering service provider’s subcontractors with respect to service and performance standards [subparagraph (i) of paragraph 35] and NBFC’s right to conduct audits [subparagraph (vii) of paragraph 35];

(ii) access by the NBFC to all data, books, records, information logs, alerts and business premises relevant to the outsourced activity, available with the service provider;

(iii) type of material adverse events (e.g., data breaches, denial of service, service unavailability, etc., relevant to the outsourced activity) and the incidents required to be reported to the NBFC to enable the NBFC to take prompt risk mitigation measures and ensure compliance with statutory and regulatory guidelines;

(iv) compliance with the provisions of Information Technology Act, 2000, other applicable legal requirements and standards to protect the customer data;

(v) the deliverables including Service Level Agreements (SLAs) formalising performance criteria to measure the quality and quantity of service levels;

(vi) storage of data only in India (as applicable) as per extant regulatory requirements;

(vii) clauses requiring the service provider to provide details of data (related to the NBFC and its customers) captured, processed, and stored;

(viii) types of data / information that the service provider (vendor) is permitted to share with NBFC’s customer and / or any other party;

(ix) the resolution process, events of default, indemnities, remedies, and recourse available to the respective parties;

(x) contingency plan(s) to ensure testing requirements;

(xi) right to seek information from the service provider about the third parties (in the supply chain) engaged by the former;

(xii) right of RBI or person(s) authorised by it to perform inspection of the service provider and any of its sub-contractors and access the NBFC’s IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the service provider and / or its sub-contractors in relation and as applicable to the scope of the outsourcing arrangement;

(xiii) clauses making the service provider contractually liable for the performance and risk management practices of its subcontractors;

(xiv) obligation of the service provider to comply with directions issued by the RBI in relation to the activities outsourced to the service provider, through specific contractual terms and conditions specified by the NBFC;

(xv) termination rights of the NBFC, including the ability to orderly transfer the proposed IT-outsourcing arrangement to another service provider, if necessary or desirable;

(xvi) obligation of the service provider to co-operate with the relevant authorities in case of insolvency / resolution of the NBFC;

(xvii) provision to consider skilled resources of service provider who provide core services as ‘essential personnel’ so that a limited number of staff with back-up arrangements necessary to operate critical functions can work on-site during exigencies (including pandemic situations);

(xviii) clause requiring suitable back-to-back arrangements between service providers and the OEMs; and

(xix) clause requiring non-disclosure agreement with respect to information retained by the service provider.

F.3 Monitoring and Control of Outsourced Activities

78. An NBFC shall have in place a management structure to monitor and control its outsourced activities. This shall include (as applicable to the scope of outsourcing of IT services), but not be limited to, monitoring the performance, uptime of the systems and resources, service availability, adherence to SLA requirements, incident response mechanism, etc.

79. An NBFC shall conduct regular audits of service providers (including sub-contractors) with regard to the activity outsourced by it. Such audits may be conducted either by NBFC’s internal auditors or external auditors appointed to act on NBFC’s behalf.

80. While outsourcing various IT services, more than one RE may be availing services from the same third-party service provider. In such scenarios, in lieu of conducting separate audits by individual REs of the common service provider, they may adopt pooled (shared) audit. This allows the relevant REs to either pool their audit resources or engage an independent third-party auditor to jointly audit a common service provider. However, in doing so, it shall be the responsibility of REs in ensuring that the audit requirements related to their respective contract with the service provider are met effectively.

81. The audits shall assess the performance of the service provider, adequacy of the risk management practices adopted by the service provider, compliance with laws and regulations, etc. The frequency of the audit shall be determined based on the nature and extent of risk and impact on the NBFC from the outsourcing arrangements. Reports on the monitoring and control activities shall be reviewed periodically by the Senior Management and in case of any adverse development, the same shall be put up to the Board for information.

82. An NBFC, depending upon the risk assessment, may also rely upon globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits. However, this shall not absolve the NBFC of its responsibility in ensuring assurance on the controls and procedures required to safeguard data security (including availability of systems) at the service provider’s end.

83. An NBFC shall periodically review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations. An NBFC shall adopt risk-based approach in defining the periodicity. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience preparedness.

84. An NBFC shall ensure that the service provider grants unrestricted and effective access to (a) data related to the outsourced activities; (b) the relevant business premises of the service provider; subject to appropriate security protocols, for the purpose of effective oversight by the NBFC, its auditors, regulators and other relevant Competent Authorities, as authorised under law.

F.4 Inventory of Outsourced Services

85. An NBFC shall create an inventory of IT services outsourced to service providers (including key entities involved in their supply chains). Further, the NBFC shall map its dependency on third parties and periodically evaluate the information received from the service providers.

F.5 Business Continuity and Management of Disaster Recovery Plan

86. The Directions regarding ‘Business Continuity and Management of Disaster Recovery Plan’ as applicable to outsourcing of financial services contained in paragraph 41 to paragraph 44 shall apply, mutatis mutandis, to outsourcing of IT services. The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) for outsourced IT services shall be commensurate with the nature and scope of the outsourced activity as per extant instructions issued by RBI from time to time on BCP / DR requirements.

F.6 Exit Strategy

87. The IT outsourcing policy shall contain a clear exit strategy, for ensuring business continuity during and after exit.

88. The strategy shall include plans for different scenarios of exit or termination of services with stipulation of minimum period to execute such plans, as necessary.

89. In documenting its exit strategy, an NBFC shall, inter alia, identify alternative arrangements, which may include performing the activity by a different service provider or by the NBFC itself.

90. An NBFC shall ensure that outsourcing agreements have necessary clauses on safe removal / destruction of data, hardware and all records (digital and physical), as applicable. Further, the outsourcing agreement shall ensure that the service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator or the concerned NBFC.

91. A service provider shall be legally obliged to cooperate fully with both the NBFC and its new service provider(s) to ensure there is a smooth transition.

F.7 Termination

92. In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers of the NBFC, the same shall be given due publicity by the NBFC so as to ensure that the customers stop dealing with the concerned service provider.

G. Specific Outsourcing Arrangements

G.1 Outsourcing within a Group / Conglomerate

93. An NBFC may outsource any IT activity / IT enabled service within its business group / conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements / agreements with its group entities are in place.

94. The selection of a group entity shall be based on objective reasons that are similar to selection of a third-party, and any conflicts of interest that such an outsourcing arrangement may entail shall be appropriately dealt with.

95. An NBFC, at all times, shall maintain an arm's length relationship in dealings with its group entities. Risk management practices being adopted by the NBFC while outsourcing to a group entity shall be identical to those specified for a non-related party.

G.2 Offshore or Cross-Border outsourcing

96. n principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

97. While engaging with service provider(s) in a foreign country, an NBFC shall:

(i) closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies;

(ii) clearly specify the governing law of the outsourcing arrangement;

(iii) ensure that availability of records to the NBFC and the RBI will not be affected even in case of liquidation of the service provider;

(iv) ensure the right of the NBFC and RBI to direct and conduct audit or inspection of the service provider based in a foreign jurisdiction; and

(v) ensure that the arrangement complies with all statutory requirements as well as regulations issued by the RBI from time to time.

G.3 Outsourcing of Security Operations Centre (SOC)

98. Considering the risks associated with outsourcing of Security Operations Centre (SOC) operations by an NBFC, such as data being stored and processed at an external location and managed by a third party to which the NBFC has lesser visibility, the NBFC, to mitigate the risks, shall adopt the following requirements in the case of outsourcing of SOC operations in addition to the controls prescribed in this Chapter:

(i) unambiguously identify the owner of assets used in providing the services (systems, software, source code, processes, concepts, etc.);

(ii) ensure that the NBFC has adequate oversight and ownership over the rule definition, customisation and related data / logs, meta-data and analytics (specific to the NBFC);

(iii) assess SOC functioning, including all physical facilities involved in service delivery, such as the SOC and areas where client data is stored / processed periodically;

(iv) integrate the outsourced SOC reporting and escalation process with the NBFC’s incident response process; and

(v) review the process of handling of the alerts / events.

G.4 Usage of Cloud Computing Services

99. Several cloud deployment and service models have emerged over time. These are generally based on the extent of technology stack that is proposed to be adopted by the consuming entity.

(1) Example - 1: Some cloud services are:

(i) Infrastructure as a Service (IaaS): The service provides computing, storage, network, and other basic resources so that the client can develop and deploy their applications.
(ii) Platform as a Service (PaaS): The service provides software for building application, middleware, database, development environment, and other tools along with the infrastructure to the client.
(iii) Software as a Service (SaaS): Client uses the application(s) provided by the service provider on a cloud infrastructure.
(iv) Besides the three common application services, Cloud Service Providers (CSPs) also provide a range of services, viz., Database as a Service, Security as a Service, Storage as a Service, and others with varying risk levels.

(2) Example - 2: Some of the popular deployment models for delivery of cloud services are Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud.

100. Considering the varied services, benefits, and risk profiles associated with the cloud deployment and service models, an NBFC that uses cloud services for storage, computing and movement of data in cloud environments shall, in addition to other applicable provisions in these Directions:

(i) undertake a comprehensive assessment of its business strategy and goals adopted to the existing IT applications’ footprint and associated costs. Such assessment shall include, but not be limited to, an analysis of various heads of cloud-related expenditure, such as application refactoring, integration, consulting, migration, and projected recurring expenditure depending on the nature of workloads. The extent of cloud adoption may vary, ranging from migration of non-business critical workloads to the cloud, to deployment of critical business applications such as Software-as-a-Service (SaaS), or other combinations in between, and shall be determined based on a duly conducted business technology risk assessment;

(ii) ensure, inter alia, that the ‘IT outsourcing policy’, referred to in paragraph 65 of these Directions, addresses the entire lifecycle of data, i.e., covering the entire span of time from generation of the data, its entry into the cloud, till the data is permanently erased / deleted. It shall also ensure that specified procedures are consistent with business needs and legal and regulatory requirements;

(iii) take into account cloud service specific factors, viz., multi-tenancy, multi-location storing / processing of data, etc., and attendant risks while establishing appropriate risk management framework;

(iv) implement necessary controls by referring to the cloud security best practices, as per applicability of the shared responsibility model between the NBFC and the Cloud Service Provider (CSP);

For cloud security best practices, an NBFC may refer to, inter alia, NIST SP 800-210 General Access Control Guidance for Cloud Systems https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-210.pdf

(v) put in place strong cloud governance by adopting and demonstrating a well-established and documented cloud adoption policy. Such a policy shall, inter alia,

(a) identify the activities that can be moved to the cloud;
(b) enable and support protection of various stakeholder interests;
(c) ensure compliance with regulatory requirements, including those on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification; and
(d) provide for appropriate due diligence to manage and continually monitor the risks associated with CSPs.

(vi) ensure that the selection of a CSP is based on a comprehensive risk assessment of the CSP. An NBFC shall enter into a contract only with CSPs that are subject to jurisdictions that uphold enforceability of agreements and the rights available thereunder to the NBFC, including those relating to aspects such as data storage, data protection and confidentiality.

(vii) ensure that the service and technology architecture supporting cloud-based applications is built in adherence to globally recognised architecture principles and standards. The technology architecture shall:

(a) provide for a standard set of tools and processes to manage containers, images and releases;
(b) provide for a secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the NBFC;
(c) be protected against data integrity and confidentiality risks, and against co-mingling of data, in case of multi-tenancy environments; and
(d) be resilient and enable smooth recovery in case of failure of any one or combination of components across the cloud architecture with minimal impact on data / information security.

(viii) agree upon the Identity and Access Management (IAM) with the CSP and ensure that role-based access to the cloud hosted applications, both in respect of user-access and privileged-access, is provided. The NBFC shall:

(a) establish stringent access controls, as applicable for an on-premises application, for identity and access management to cloud-based applications;
(b) implement segregation of duties and role conflict matrix for all kinds of user-access and privileged-access roles in the cloud-hosted application irrespective of the cloud service model;
(c) ensure that access provisioning is governed by principles of ‘need to know’ and ‘least privileges’; and
(d) implement multi-factor authentication for access to cloud applications.

(ix) ensure that the implementation of security controls in the cloud-based application achieves similar or higher degree of control objectives than those achieved in or by an on-premises application. This includes ensuring secure connection through appropriate deployment of network security resources and their configurations; appropriate and secure configurations, monitoring of the cloud assets utilised by the NBFC; necessary procedures to authorise changes to cloud applications and related resources.

(x) define minimum monitoring requirements in the cloud environment and assess the information / cyber security capability of the CSP, to ensure that it:

(a) maintains an information security policy framework commensurate with its exposures to vulnerabilities and threats;
(b) is able to maintain its information / cyber security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment;
(c) has set the nature and frequency of testing of controls in respect of the outsourced services commensurate with the materiality of the services being outsourced by the NBFC and the threat environment; and
(d) has mechanisms in place to assess the subcontractors with regards to confidentiality, integrity and availability of the data being shared with them, where applicable.

(xi) ensure appropriate integration of logs and events from the CSP into the NBFC’s SOC, wherever applicable and / or retention of relevant logs in cloud for incident reporting and handling of incidents relating to services deployed on the cloud;

(xii) ensure that the cyber resilience controls of the CSP complement the NBFC’s own application security measures, and that both the NBFC and the CSP maintain continuous and regular updates of security-related software, including upgrades, fixes, patches, and service packs, to safeguard applications against advanced threats and malware;

(xiii) ensure that the CSP has a well-governed and structured approach to manage threats and vulnerabilities supported by requisite industry-specific threat intelligence capabilities;

(xiv) ensure that the business continuity framework provides for continued operation of critical functions in the event of a disaster affecting the NBFC’s cloud services or failure of the CSP, with minimal disruption to services and without compromising data integrity and security;

(xv) ensure that the CSP has put in place demonstrative capabilities for preparedness and readiness for cyber resilience as regards cloud services in use by them through, inter alia, robust incident response and recovery practices including conduct of Disaster Recovery (DR) drills at various levels of cloud services including necessary stakeholders.

(xvi) develop an exit strategy that shall

(a) factor, inter alia, agreed processes and turnaround times for returning the NBFC’s service collaterals and data held by the CSP; data completeness and portability; secure purge of NBFC’s information from the CSP’s environment; smooth transition of services; and unambiguous definition of liabilities, damages, penalties and indemnities, which should also be a part of the service level stipulations in SLA;
(b) include exit plans which align with the ongoing design of applications and service delivery technology stack;
(c) include contractually agreed exit / termination plans, which specify how the cloud-hosted service(s) and data will be moved out from the cloud with minimal impact on continuity of the NBFC’s business, while maintaining integrity and security; and
(d) include clauses for prompt take-over of all records of transactions, customer and operational information, configuration data in a systematic manner from the CSP and purging at the CSP-end and ensuring independent assurance before signing off from the CSP.

(xvii) ensure that the audit / periodic review / third-party certifications cover, as per applicability and cloud usage, inter alia, aspects such as roles and responsibilities of both NBFC and CSP in cloud governance, access and network controls, configurations, monitoring mechanism, data encryption, log review, change management, incident response, and resilience preparedness and testing, etc.

H. Redressal of Grievances related to Outsourced Services

101. An NBFC shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the NBFC.

102. Outsourcing arrangements entered into by an NBFC shall not affect the rights of its customers against the NBFC, including the ability of the customers to obtain redressal as applicable under relevant laws.

Chapter V – Repeal and Other Provisions

A. Repeal and saving

103. With the issue of these Directions, the existing Directions, instructions, and guidelines relating to outsourcing of financial services and IT services as appliable to Non-Banking Financial Companies stand repealed, as communicated vide notification dated XX, 2025. The Directions, instructions, and guidelines repealed prior to the issuance of these Directions shall continue to remain repealed.

104. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed Directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions.

B. Application of other laws not barred

105. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

106. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, the RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by the RBI shall be final and binding.