DRAFT FOR COMMENTS

RBI/2025-26/--
DoR.ORG.REC.No./ 00-00-000/2025-26

XX, 2025

Table of Contents

In exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, as amended vide Banking Regulation (Amendment) Act 2020 (39 of 2020), and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest to do so, hereby issues the Directions hereinafter specified.

Chapter I – Preliminary

A. Short Title and Commencement

These Directions shall be called the Reserve Bank of India (Rural Co-operative Banks - Managing Risks in Outsourcing) Directions, 2025.

These Directions shall come into force with immediate effect.

B. Applicability

These Directions shall be applicable to all Rural Co-operative Banks, hereinafter collectively referred to as 'RCBs' and individually as an 'RCB'.

In this context, Rural Co-operative Banks shall mean State Co-operative Banks and Central Co-operative Banks, as defined in the National Bank for Agriculture and Rural Development Act, 1981.

C. Definitions

4. In these Directions, unless the context otherwise requires, 'Outsourcing' means use of a third party by the RCB to perform activities on a continuing basis that would normally be undertaken by the RCB itself, now or in the future. 'Continuing basis' shall include agreements for a limited period.

5. All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or the Companies Act, 2013 and Rules made thereunder, or any statutory modification or re-enactment thereto, or Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

Chapter II – Role of the Board

6. The outsourcing of any activity by an RCB does not diminish its obligations, and those of its Board and MD / CEO along with the Senior Management, who have the ultimate responsibility for the outsourced activity.

A. Board Approved Policy

7. An RCB intending to outsource any of its financial services shall put in place a comprehensive Board approved outsourcing policy, the coverage of which is indicated in paragraph 17.

B. Key responsibilities

8. The Board shall be responsible for putting in place a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements, laying down appropriate approval authorities depending on risks and materiality, and undertaking regular review. It shall be responsible, inter alia, for:

(i) approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;

(ii) laying down appropriate approval authorities for outsourcing depending on risks and materiality;

(iii) undertaking regular review of the framework for its efficacy and updating the same to ensure that the outsourcing strategies and arrangements have continued relevance, effectiveness, safety and soundness;

(iv) deciding on business activities of a material nature to be outsourced and approving such arrangements;

(v) assessing management competencies to develop sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements; and

(vi) setting up suitable administrative framework of management;

(vii) reviewing records of all material outsourcing on half yearly basis;

(viii) ensuring that a robust system of internal audit of all outsourced financial activities is put in place and monitoring the same; and,

(ix) ensuring submission of an Annual Compliance Certificate giving the particulars of contracts for outsourcing of financial services, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken, to the NABARD;

Chapter III – Outsourcing of Financial Services

A. Definitions

9. In this Chapter, unless the context otherwise requires, ‘Material Outsourcing’ means arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability of an RCB.

Materiality of outsourcing shall be based on the:

(i) level of importance to the RCB of the activity being outsourced as well as the significance of the risk posed by the same;

(ii) potential impact of the outsourcing on the RCB on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;

(iii) likely impact on the RCB’s reputation and brand value, and ability to achieve its business objectives, strategies and plans, should the service provider fail to perform the service;

(iv) cost of the outsourcing as a proportion of total operating costs of the RCB;

(v) aggregate exposure to that particular service provider, in cases where the RCB outsources various functions to the same service provider; and

(vi) significance of activities outsourced by RCB in context of customer service and protection.

B. Scope

10. These Directions apply to outsourcing arrangements entered in to by an RCB with a service provider, located in India or elsewhere, for outsourcing of financial services like applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.

11. These Directions shall not apply to outsourcing of activities unrelated to banking services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, besides others.

C. Activities that shall not be outsourced

12. An RCB which chooses to outsource financial services shall however not outsource core management functions including policy formulation, Internal Audit and compliance, compliance with KYC norms, credit sanction and management of investment portfolio.

Provided that, where required, experts, including former employees, could be hired on a contractual basis subject to:

(i) the Audit Committee of Board (ACB) / Board being assured that such expertise does not exist within the audit function of the RCB;

(ii) any conflict of interest in such matters being recognised and effectively addressed; and

(iii) ownership of audit reports in all cases resting with regular functionaries of the internal audit function.

D. Authorisation, Accountability, and Oversight

13. An RCB, which desires to outsource financial services, shall not require prior approval from RBI / NABARD. However, such arrangements shall be subject to on-site / off-site monitoring and inspection / scrutiny by RBI / NABARD.

14. As stated in paragraph 6 of these Directions, the outsourcing of any activity by an RCB shall not diminish its obligations including to its customers and RBI / NABARD, and those of its Board and MD / CEO along with the Senior Management, who have the ultimate responsibility for the outsourced activity. An RCB shall, therefore, be responsible for the actions of its service provider including Business Correspondents and their retail outlets / sub-agents and the confidentiality of information pertaining to the customers that is available with the service provider. An RCB shall retain ultimate control of the outsourced activity.

15. An RCB shall ensure that:

(i) all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration have been considered when performing due diligence in relation to outsourcing;

(ii) outsourcing, whether the service provider is located in India or outside India, does not impede RBI / NABARD in carrying out its regulatory / supervisory functions and objectives and diminish the ability of an RCB to fulfil its obligations to its regulator / supervisor;

(iii) outsourcing, whether the service provider is located in India or outside India, does not impede or interfere with the ability of an RCB to effectively oversee and manage its activities, and fulfil its obligations;

(iv) outsourcing would not result in the compromise or weakening of an RCB’s internal control, business conduct or reputation;

(v) the service provider employs the same high standard of care in performing the services as would be employed by the RCB, if the activities were conducted within the RCB and not outsourced; and

(vi) the service provider shall not be owned or controlled by any director or officer / employee of the RCB or their relatives having the same meaning as assigned under Companies Act, 2013 and the Rules framed thereunder, as amended from time to time.

16. An RCB shall be responsible for making Currency Transactions Reports (CTRs) and Suspicious Transactions Reports (STRs) to FIU or any other competent authority in respect of its customer related activities carried out by the service providers.

E. Governance Framework

E.1 Outsourcing Policy

17. An RCB intending to outsource any of its financial services shall put in place a comprehensive outsourcing policy, approved by its Board, which shall incorporate, inter alia, the following:

(i) criteria for selection of such activities as well as service providers;

(ii) parameters for defining ‘material outsourcing’ based on the broad criteria indicated in paragraph 9 of these Directions;

(iii) delegation of authority depending on risks and materiality; and

(iv) systems to monitor and review the operations of these activities.

E.2 Role of Senior Management

18. The Managing Director (MD) / Chief Executive Officer (CEO) and Senior Management of an RCB shall, inter alia, be responsible for:

(i) evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;

(ii) developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing;

(iii) reviewing periodically the effectiveness of policies and procedures;

(iv) communicating information pertaining to material outsourcing risks to the Board in a timely manner;

(v) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;

(vi) ensuring that there is independent review and audit for compliance with set policies; and

(vii) undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks.

F. Risk Management

F.1 Evaluation of the Risks

19. An RCB shall evaluate and guard against the following key risks when outsourcing:

(i) Strategic Risk – such as where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the RCB.

(ii) Reputation Risk – such as where the service provider delivers poor service or its customer interactions are inconsistent with the overall standards of the RCB, or it fails to preserve and protect confidential customer information.

(iii) Compliance Risk – such as where, owing to outsourcing, the privacy, consumer and prudential laws are not adequately complied with.

(iii) OperationalRisk – which may arise due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations and / or to provide remedies.

(iv) LegalRisk – where an RCB is subjected to, inter alia, fines, penalties, or punitive damages resulting from supervisory actions, or private settlements due to omissions and commissions by the service provider.

(v) ExitStrategyRisk – may arise when an RCB becomes overly reliant on one service provider, loses relevant internal skills preventing it from bringing the activity back in-house, or enters into contracts that make speedy exits prohibitively expensive.

(vi) Counterparty Risk – such as where the service provider engages in inappropriate underwriting or credit assessments.

(vii) Country Risk – where the political, social or legal climate creates added risk in the outsourcing arrangement.

(viii) Contractual Risk – where the RCB may not have the ability to enforce the contract with the service provider.

(ix) Concentration and Systemic Risk – where there is a lack of control of an RCB over a service provider, more so when overall banking industry has considerable exposure to one service provider.

F.2 Confidentiality and Security of Information

20. An RCB shall seek to ensure the security, preservation and protection of the customer information in the custody of the service provider.

21. Access to customer information by a service provider or its staff shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

22. An RCB shall review and monitor the security practices and control processes of its service providers on a regular basis and require the service provider to disclose security breaches.

23. In instances, where a service provider acts as an outsourcing agent for multiple entities, care shall be taken to build strong safeguards so that there is no comingling or combining of information, documents, records and assets.

24. An RCB shall ensure that a service provider is able to isolate and clearly identify the RCB’s customer information, documents, records, and assets to protect the confidentiality of the information.

25. An RCB shall immediately notify RBI / NABARD in the event of breach of security and leakage of confidential customer related information. In these eventualities, the RCB shall be liable to its customers for any damage.

G. Outsourcing Process

G.1 Service Provider Evaluation

26. An RCB shall perform appropriate due diligence while considering or renewing an outsourcing arrangement, to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis.

27. The due diligence mentioned above shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:

(i) qualitative, quantitative, financial, operational, legal, and reputational factors;

(ii) risks arising from undue concentration, if outsourcing to a single service provider or a or a limited number of service providers;

(iii) past experience and demonstrated competence to implement and support the proposed activity over the contracted period;

(iv) financial soundness and ability to service commitments even under adverse conditions;

(v) business reputation and culture, compliance, complaints and outstanding or potential litigation;

(vi) quality of due diligence exercised by service provider of its employees and sub-contractors;

(vii) security and internal control, audit coverage, reporting and monitoring procedures, business continuity management;

(viii) external factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance; and

(ix) ability to effectively service all the customers with confidentiality, especially where a service provider has exposure to multiple entities.

28. Where possible, an RCB shall obtain independent reviews and market feedback on the service provider to supplement the findings of its own due diligence.

29. An RCB shall also evaluate whether the systems of its service providers are compatible with those of the RCB and also whether their standards of performance including in the area of customer service are acceptable to it.

G.2 Outsourcing Agreement

30. An RCB shall ensure that the terms and conditions governing the outsourcing arrangement are carefully defined in written agreements and vetted by the RCB’s legal counsel on their legal effect and enforceability. The agreement shall appropriately reckon the associated risks and the strategies for mitigating or managing them. The RCB shall ensure that such an agreement is sufficiently flexible to allow the RCB to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent-principal or otherwise.

31. Some of the key provisions of the agreement shall include:

(i) details of the activities being outsourced including Service Level Agreements (SLAs) to agree and establish accountability for performance expectations. SLAs shall clearly formalise the performance criteria to measure the quality and quantity of service levels;

(ii) access by the RCB to all books, records, and information relevant to the outsourced activity available with the service provider ;

(iii) regular and continuous monitoring and assessment by the RCB of the service provider for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately;

(iv) prior approval / consent of the RCB for use of subcontractors by the service provider for all or part of an outsourced activity. Before according the consent, an RCB shall review the subcontracting arrangement and ensure that these arrangements are compliant with these Directions;

(v) controls for maintaining confidentiality of data of the RCB and its customers, and incorporating service provider’s liability to the RCB in the event of security breach and leakage of such information;

(vi) contingency plan(s) to ensure business continuity;

(vii) right of the RCB to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the RCB;

(viii) right of RBI / NABARD or persons authorised by it to access the RCB’s documents, records of transactions, logs and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats;

(ix) right of the NABARD to cause an inspection of a service provider of an RCB and its books and accounts by one or more of its officers or employees or other authorised persons;

(x) a termination clause and minimum period for executing termination;

(xi) provision that confidentiality of customers’ information shall be maintained even after the contract expires or gets terminated; and

(xii) provision to ensure that the service provider preserves documents and data in accordance with legal / regulatory obligations of the RCB and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

G.3 Monitoring and Control of Outsourced Activities

32. An RCB shall have in place a management structure to monitor and control its outsourced activities and shall ensure that outsourcing agreements with service providers contain provisions to address the same.

33. An RCB shall maintain a central record of all material outsourcing of financial services for review by its Board and MD / CEO along with the Senior Management. The records shall be updated promptly, and half yearly reviews shall be placed before the Board.

34. Regular audits, at least annually, by either the internal auditors or external auditors of an RCB shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the RCB’s compliance with its risk management framework and the requirements of these Directions.

35. An RCB shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience or business continuity preparedness.

36. Certain services might involve reconciliation of transaction between an RCB, its service providers and their subcontractors. In such cases, the RCB shall ensure that reconciliation of transactions between itself and a service provider (and / or its subcontractors) are carried out as advised in RBI guidelines on Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019, as applicable, amended from time to time.

G.4 Business Continuity and Management of Disaster Recovery Plan

37. An RCB shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. It shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider joint testing and recovery exercises with its service provider at mutually agreed frequency but at least annually.

38. In establishing a viable contingency plan, an RCB shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

39. An RCB shall ensure that its service providers are able to isolate the RCB’s information, documents and records, and other assets so that in adverse conditions or termination of the agreement, all documents, records of transactions and information given to the service provider and assets of the RCB can be removed from the possession of the service provider (in order to enable the RCB to continue its business operations); or deleted, destroyed or rendered unusable.

40. In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency / liquidation of its service provider, an RCB shall retain an appropriate level of control over its outsourcing arrangement along with the right to intervene with appropriate measures to continue its business operations without incurring prohibitive expenses and disruption in the operations of the RCB and its services to the customers.

G.5 Termination

41. If the services of a service provider are terminated by an RCB, then it shall:

(i) publicise the same by displaying at a prominent place in the branches and posting it on the website so as to ensure that its customers do not continue to entertain the service provider; and

(ii) inform IBA of the reasons for termination to enable IBA to maintain a caution list of such service providers for sharing among banks.

H. Specific Outsourcing Arrangements

H.1 Offshore outsourcing

42. In principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

43. While engaging with service provider(s) in a foreign country, an RCB shall:

(i) closely monitor government policies of the jurisdiction in which the service provider is based and political, social, economic and legal conditions, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies;

(ii) clearly specify the governing law of the outsourcing arrangement;

(iii) ensure availability of records to the RCB and the RBI / NABARD will not be affected even in case of liquidation of the service provider or offshore custodian or the RCB in India;

(iv) ensure activities outsourced outside India are conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of the RCB in a timely manner;

(v) ensure that, where the offshore service provider is a regulated entity, the relevant offshore regulator will neither obstruct the arrangement nor object to the NABARD’s inspection or RBI / NABARD’s visits or visits of RCB’s internal and external auditors;

(vi) ensure that the regulatory authority of the offshore location does not have access to the data relating to Indian operations of the RCB simply on the ground that the processing is being undertaken there;

(vii) ensure that the jurisdiction of the courts in the offshore location where data is maintained does not extend to the operations of the RCB in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and

(viii) ensure that all original records continue to be maintained in India.

44. The overseas outsourcing operations of an RCB shall be governed by both, these Directions and the host country guidelines, and in case there are differences, the more stringent of the two would prevail. However, where there is any conflict, the host country guidelines shall prevail.

I. Redressal of Grievances related to Outsourced Services

45. Outsourcing arrangements entered into by an RCB shall not affect the rights of its customers against the RCB, including the ability of the customers to obtain redressal as applicable under relevant laws.

46. In cases where customers are required to deal with service providers in the process of dealing with an RCB, it shall incorporate a clause in the corresponding product literature, brochures, etc., stating that services of service providers in sales, marketing, etc., of the products may be used. The role of the service providers may be indicated in broad terms.

47. An RCB shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RCB. In case of microfinance loans, a declaration that the RCB shall be accountable for inappropriate behaviour by its employees or employees of the outsourced agency and shall provide timely grievance redressal, shall be made in the loan agreement, and also in the Fair Practices Code (FPC) displayed in its office / branch premises / website.

48. In addition to the above:

(i) an RCB shall constitute Grievance Redressal Machinery within the RCB and give wide publicity about it through electronic and print media and also by placing the information on its website;

(ii) the name and contact number of designated grievance redressal officer of the RCB shall be made known and widely publicised. The designated officer shall ensure that genuine grievances of customers are redressed promptly without involving delay. It shall be clearly indicated that RCB’s Grievance Redressal Machinery will also deal with the issues relating to services provided by the service provider;

(iii) the grievance redressal procedure of the RCB and the time frame for responding to the complaints (maximum 30 days) shall be placed on the RCB’s website; and

(iv) if a complaint was rejected wholly or partly by an RCB and the complainant is not satisfied with the reply or does not get any reply within 30 days, after the RCB received the complaint, the complainant shall have the option of approaching the Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI for redressal of her grievance(s).

Chapter IV – Repeal and Other Provisions

A. Repeal and saving

50. With the issue of these Directions, the existing Directions, instructions, and guidelines relating to outsourcing of financial services as appliable to Rural Co-operative Banks stand repealed, as communicated vide notification dated XX, 2025. The Directions, instructions, and guidelines repealed prior to the issuance of these Directions shall continue to remain repealed.

51. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed Directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions.

B. Application of other laws not barred

52. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

53. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, the RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by the RBI shall be final and binding.