Chapter 4 : IT Services Outsourcing - RBI - Reserve Bank of India
Chapter 4 : IT Services Outsourcing
Introduction In India, as banks augment growth and expand business, there is an increasing reliance on external service providers as partners in achieving the growth targets and as effective cost alternatives. 'Outsourcing' may be defined as a bank's use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future. ‘Continuing basis' includes agreements for a limited period. The benefits of outsourcing include efficiencies in operations, increased ability to acquire and support current technology and tide over the risk of obsolescence, increased time availability for management to focus on key management functions, shorter lead time in delivering services to customers, better quality of services, and stronger controls among others. Common areas for Outsourcing Outsourcing has been a constant theme in banking technology over at least the past ten years, as banking has become more technology intensive and the required scale of investment has grown exponentially. Many operations have been outsourced to Third party vendors comprising external vendors and specialized subsidiaries. Service providers today may be a technology company or specialist outsourcing manager. This decision to outsource should fit into the institution’s overall strategic plan and corporate objectives. Common areas where Banks have outsourced functions include:
Role of the Board and Senior Management The Board and senior management are ultimately responsible for ‘outsourcing operations’ and for managing risks inherent in such outsourcing relationships. Whereas an institution may delegate its day-to-day operational duties to a service provider, responsibilities for effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions continue to rest with the Bank, Board and senior management. Board and senior management have the responsibility to institute an effective governance mechanism and risk management process for all outsourced operations. The Board is responsible for:
Senior management is responsible for:
Various components/aspects relating to outsourcing: 1. ‘Material’ Outsourcing Banks need to assess the degree of ‘materiality’ inherent in the outsourced functions. Whether an outsourcing arrangement is ‘material’ to the business context or not is a qualitative judgment and may be determined on the basis criticality of service, process, or technology to the overall business objectives. Outsourcing of non-financial processes, such as technology operations, is ‘material’ and if disrupted has the potential to significantly impact business operations, reputation and stability of the Bank. Where a Bank relies on third party employees to perform key banking functions such as applications processing, verifications, approvals, etc.,on a continuous basis, such outsourcing may also be construed as ‘material’, whether or not the personnel are located within the premises of the Bank. However, extant RBI guidelines on outsourcing indicate activities which cannot be outsourced and need to be carried out by the bank. These include Internal Audit, Compliance function, and decision making functions like KYC compliance, loans sanctioning, and managing investment portfolio. These need to be kept in view.Criteria that may be considered in determining the materiality of proposed outsourcing include the following:
Banks should undertake a periodic review of their outsourced processes to identify new outsourcing risks as they arise. For e.g. when the service provider has further sub-contracted work to other service providers or has undergone a significant change in processes, infrastructure, or management. Materiality should be considered both at an institution level and on a consolidated basis i.e. together with the institution’s branches and corporations/entities under its control. 2. Risk Management in outsourcing arrangements Risk management is the process of identifying, measuring, monitoring and managing risk. Risks inherent to process outsourcing, include Strategic risk, Reputation risk, Operational risk, Compliance risk, Legal risk, Counter party risk, Country risk, Contractual risk, Access risk, Concentration and systemic risk, and Exit strategy risk. Failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements, among others may lead to reputation / financial losses for the bank and may also result in systemic risks within the banking system in the country. Pervasive use of technology in banking operations further amplifies the risk impact. (i) Risk Evaluation and Measurement Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in the light of known and expected changes, as part of the strategic planning or review processes. The framework for risk evaluation should include the following steps:
Banks should evaluate vendor managed processes or specific vendor relationships as they relate to information systems and technology. All outsourced information systems and operations may be subject to risk management and security and privacy policies that meet the Bank’s own standards. (ii) Service provider selection Management should identify functions to be outsourced along with necessary controls and solicit responses from prospective bidders via an RFP process. Proposals submitted by service providers should be evaluated in the light of the organisation’s needs, and any differences in the service provider proposals as compared to the solicitation should be analyzed carefully. Selection of affiliated parties as service providers should be done at arm’s length in accordance with this guideline. Due Diligence In negotiating / renewing an Outsourcing arrangement, due diligence should be performed to assess the capability of the technology service provider to comply with obligations in the outsourcing agreement. Due diligence should involve an evaluation of all information about the service provider including qualitative, quantitative, financial, operational and reputational factors, as follows:
Extent of due diligence reviews may vary based on risk inherent in the outsourcing arrangements. Due diligence undertaken during the selection process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing. Maintaining Caution lists and scoring for service providers (bureau services) Where possible the Bank may obtain independent reviews and market feedback to supplement internal findings. IBA may facilitate requisite data sharing between banks to maintain scoring information for existing / new service providers. Banks should ensure that information used for due diligence is current and not more than 12 months old. Reporting to the regulator Banks must be required to report to the regulator, where the scale and nature of functions outsourced are significant, or extensive data sharing is involved across geographic locations as part of technology / process outsourcing and when data pertaining to Indian operations are stored/processed abroad. Multiple Service provider relationships A multiple service provider relationship is one where two or more service providers collaborate to deliver an end to end solution to the financial institution. Multiple contracting scenarios are possible:
An institution selects from the above or any other contractual relationship, however, remains responsible for understanding and monitoring the control environment of all service providers that have access to the banks systems, records or resources. (iii) Contracting The terms and conditions governing the contract between the bank and the service provider should be carefully defined in written agreements and vetted by bank's legal counsel on their legal effect and enforceability. Banks should ensure that the contract brings out nature of legal relationship between the parties (agent, principal or otherwise), and addresses risks and mitigation strategies identified at the risk evaluation and due diligence stages. Contracts should clearly define the roles and responsibilities of the parties to the contract and include suitable indemnification clauses. Any ‘limitation of liability’ consideration incorporated by the service provider should be assessed in consultation with the legal department. Contracts should provide for periodic renewal and re-negotiation to enable the institution to retain an appropriate level of control over the outsourcing and should include the right to intervene with appropriate measure to meet the Banks’ legal and regulatory obligations. Contractual agreements should, in the very least, have provisions for the following:
(iv) Monitoring and Control of outsourced activities Banks should establish a structure for management and control of outsourcing, based on the nature, scope, complexity and inherent risk of the outsourced activity. A structure for monitoring and control of outsourced activities should comprise of the following:
Service Level Agreements and performance metrics Management should include SLAs in the outsourcing contracts to agree and establish accountability for performance expectations. SLAs must clearly formalize the performance criteria to measure the quality and quantity of service levels. Banks should develop the following towards establishing an effective oversight program:
Performance expectations, under both normal and contingency circumstances, need to be defined. Provisions need to be in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider. Control environment offered by the Service Provider Banks should evaluate the adequacy of internal controls environment offered by the service provider. Due consideration should be given to the implementation of following by the service provider:
Periodic Risk Assessment, Audit and Reviews Outsourcing should not impede or interfere with the ability of the Bank or the Regulator in performing its supervisory functions and objectives. As a practice, institutions should conduct pre- and post- outsourcing implementation reviews. An institution should also review its outsourcing arrangements periodically to ensure that its outsourcing risk management policies and procedures, and these Guidelines, are effectively complied with. An institution should, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider including reports by the service provider’s external auditors, should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness. Banks should also periodically commission independent audit and expert assessments on the security and control environment of the service provider. Such assessments and reports on the service provider may be performed and prepared by the institution’s internal or external auditors, or by agents appointed by the institution. Such reviews should take adequate cognizance of historical violations or issue remediation during previous audits and assessments. Copies of previous audits and assessments should be shared during RBI inspections. Business Continuity Planning Banks should ensure that their business continuity preparedness is not adversely compromised on account of outsourcing. Banks are expected to adopt sound business continuity management practices as issued by RBI and seek proactive assurance that the outsourced service provider maintains readiness and preparedness for business continuity on an ongoing basis. Banks, while framing the viable contingency plan, need to consider the availability of alternative service providers or the possibility of bringing the outsourced activity back-in-house in an emergency(for example, where number of vendors for a particular service is extremely limited) and the costs, time and resources that would be involved and take suitable preparatory action. (v) Confidentiality and Security Public confidence is a cornerstone in the stability and reputability of a bank. Banks should be proactive to identify and specify the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data. This is particularly applicable where third party service providers have access to personally identifiable information and critical customer data. An institution may take the following steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated:
(vi) Outsourcing to Foreign Service providers The engagement of service providers across multiple geographies exposes the organization to country risk – economic, social and political reasons in the country that may adversely affect the Banks business and operations. Banks should proactively evaluate such risk as part of the due diligence process and develop appropriate mitigating controls and as required, an effective exit strategy. Outsourcing outside India should be agreed, in a manner that does not obstruct or hinder the ability of the bank or regulatory authorities to perform periodic audits/inspections and assessments, supervise or reconstruct activities of the bank based on books, records and necessary documentation, in a timely manner. Banks should ensure the following:
(vii) Outsourcing within a Group These guidelines are generally applicable to outsourcing within a group conglomerate, including parent or Head Office, branch or a group company, whether located within or outside India. These requirements may be addressed as part of group wide risk assessment and management procedures. Due diligence on an intra-group service provider may take the form of evaluating qualitative aspects on the ability of the service provider to address risks specific to the institution, particularly those relating to business continuity management, monitoring and control, and audit and inspection, including confirmation on the right of access to be provided to RBI to retain effective supervision over the institution, and compliance with local regulatory standards. The respective roles and responsibilities of each office in the outsourcing arrangement should be documented in writing in a formal Service Level Agreement. (viii) Handling customer grievances and complaints The Board and senior management are responsible for ensuring that quality and availability of banking services to customers are not adversely affected due to the outsourcing arrangements entered into by the Bank. Banks need to institute a robust grievance redressal mechanism, which should not be compromised in any way due to outsourcing. The name and contact number of designated grievance redressal officer of the bank should be made known and widely publicized. The designated officer should ensure that genuine grievances of customers are redressed promptly without involving delay. It should be clearly indicated that banks' Grievance Redressal Machinery will also deal with the issue relating to services provided by the outsourced agency. Generally, a time limit of 30 days may be given to the customers for forwarding their complaints / grievances. The grievance redressal procedure of the bank and the time frame fixed for responding to the complaints should be placed on the bank's website. If a complainant does not get satisfactory response from the bank within 60 days from the date of his lodging the complaint, he will have the option to approach the Office of the concerned Banking Ombudsman for redressal of his grievance/s. INDUSTRY-WIDE RECOMMENDATIONS: 1. IBA may facilitate requisite data sharing between banks to maintain scoring information for existing / new service providers and including any fraud or major operational lapses committed by the service providers. 2. Detailed service provider assessment and monitoring frameworks and best practices from a banking context can be explored by IBA in collaboration with institutions like DSCI and IDRBT. KEY RECOMMENDATIONS: 1. The Board and senior management are responsible for outsourced operations and for managing risks inherent in such outsourcing relationships. Whereas an institution may delegate its permitted day-to-day operational duties to a service provider, responsibilities for effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions continue to rest with the Bank, Board and senior management. Board and senior management have the responsibility to institute an effective governance mechanism and risk management process for all outsourced operations. 2. Banks need to assess the degree of ‘materiality’ inherent in the outsourced functions. Whether an outsourcing arrangement is ‘material’ to the business context or not is a qualitative judgment and may be determined on the basis of criticality of service, process, or technology to the overall business objectives. Outsourcing of non-financial processes, such as technology operations, is ‘material’ and if disrupted has the potential to significantly impact business operations, reputation and stability of the bank. Where a Bank relies on third party employees to perform key banking functions such as applications processing, etc., on a continuous basis, such outsourcing may also be construed as ‘material’, whether or not the personnel are located within the premises of the Bank. 3. Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in the light of known and expected changes, as part of the strategic planning or review processes. Banks should evaluate vendor managed processes or specific vendor relationships as they relate to information systems and technology. All outsourced information systems and operations may be subject to risk management and security and privacy policies that meet the Bank’s own standards. 4. When considering negotiating / renewing an Outsourcing arrangement, due diligence should be performed to assess the capability of the technology service provider to comply with obligations in the outsourcing agreement. Due diligence should involve an evaluation of all information about the service provider including qualitative, quantitative, financial, operational and reputational factors.Where possible the Bank may obtain independent reviews and market feedback to supplement internal findings. 5. Banks must be required to report to the regulator, where the scale and nature of functions outsourced are significant, or extensive data sharing is involved across geographic locations as part of technology / process outsourcing. 6. In the event of multiple service provider relationships where two or more service providers collaborate to deliver an end to end solution for the financial institution, a bank, however, remains responsible for understanding and monitoring the control environment of all service providers that have access to the Banks systems, records or resources. 7. The terms and conditions governing the contract between the bank and the service provider should be carefully defined in written agreements and vetted by bank's legal counsel on their legal effect and enforceability. 8. Banks should ensure that the contract brings out the nature of the legal relationship between the parties (agent, principal or otherwise), and addresses risks and mitigation strategies identified at the risk evaluation and due diligence stages. Contracts should clearly define the roles and responsibilities of the parties to the contract and include suitable indemnification clauses. Any ‘limitation of liability’ consideration incorporated by the service provider should be assessed in consultation with the legal department. Various critical aspects that need to be considered have been indicated in the chapter. 9. Banks should establish a structure for management and control of outsourcing, based on the nature, scope, complexity and inherent risk of the outsourced activity. 10. Management should include SLAs in the outsourcing contracts to agree and establish accountability for performance expectations. SLAs must clearly formalize the performance criteria to measure the quality and quantity of service levels.For outsourced technology operations, specific metrics may be defined around the service availability, business continuity and transaction security, in order to measure services rendered by the external vendor organization. 11. Banks should evaluate the adequacy of the internal controls environment offered by the service provider. Due consideration should be given to implementation by the service provider of various aspects like information security policies and employee awareness of the same, logical access controls, physical and environmental security and controls, controls for handling data, etc. 12. Outsourcing should not impede or interfere with the ability of the bank or the regulator in performing its supervisory functions and objectives.As a practice, institutions should conduct pre- and post- outsourcing implementation reviews. An institution should also review its outsourcing arrangements periodically to ensure that its outsourcing risk management policies and procedures, and these Guidelines, are effectively complied with. An institution should, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet outsourcing obligations. 13. Banks should also periodically commission independent audit and expert assessments on the security and control environment of the service provider. Such assessments and reports on the service provider may be performed and prepared by the institution’s internal or external auditors, or by agents appointed by the institution. 14. Banks should ensure that their business continuity preparedness is not compromised on account of outsourcing. Banks are expected to adopt sound business continuity management practices as issued by RBI and seek proactive assurance that the outsourced service provider maintains readiness and preparedness for business continuity on an ongoing basis. 15. A bank needs to take effective steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated. 16. Banks, while framing the viable contingency plan, need to consider the availability of alternative service providers or the possibility of bringing the outsourced activity back-in-house in an emergency(for example, where number of vendors for a particular service is extremely limited) and the costs, time and resources that would be involved and take suitable action, if warranted. 17. In the event of outsourcing of technology operations, the banks should subject the same to enhanced and rigorous change management and monitoring controls since ultimate responsibility and accountability rests with the bank. It may be desirable that banks control the management of user ids created for use of external vendor personnel. As a contingency measure, banks may also endeavor to develop, over a period of time, reasonable level of skills/knowledge in various technology related areas like system administration, database administration, network architecture and administration, etc., to effectively engage with the vendors or to take over these functions in the event of any contingency. 18. The engagement of service providers across multiple geographies exposes the organisation to country risk – economic, social and political reasons in the country that may adversely affect the Banks business and operations. Banks should proactively evaluate such risk as part of the due diligence process and develop appropriate mitigating controls and as required, an effective exit strategy. 19. Emerging technologies such as data center hosting, applications as a service and cloud computing have given rise to unique legal jurisdictions for data and cross border regulations. Banks should clarify the jurisdiction for their data and applicable regulations at the outset of an outsourcing arrangement. This information should be reviewed periodically and in case of significant changes performed by the service provider. 20. These guidelines are generally applicable to outsourcing within a group conglomerate, including parent or Head Office, branch or a group company, whether located within or outside India. The requirements may be addressed as part of group wide risk assessment and management procedures. 21. Banks should ensure that quality and availability of banking services to customers are not adversely affected due to the outsourcing arrangements entered into by the Bank. Banks need to institute a robust grievance redressal mechanism, which should not be compromised in any way due to outsourcing. 22. IBA may facilitate requisite data sharing between banks to maintain scoring information for existing / new service providers and including any fraud or major operational lapses committed by the service providers. 23. Detailed service provider assessment and monitoring frameworks and best practices from a banking context can be explored by IBA in collaboration with institutions like DSCI and IDRBT. |