Reserve Bank of India (Payments Banks – Managing Risks in Outsourcing) Directions, 2025

In exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest to do so, hereby issues the Directions hereinafter specified.

Chapter I – Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Small Finance Banks - Managing Risks in Outsourcing) Directions, 2025.

2. These Directions shall come into force with immediate effect.

Provided that, a bank’s existing IT outsourcing agreements regardless of whether they are due for renewal on or after the effective date of these Directions shall comply with the provisions of these Directions either at the time of renewal or by April 10, 2026, whichever is earlier. However, the bank’s new IT outsourcing agreements that come into force on or after the effective date of these Directions, shall comply with the provisions of these Directions from the date of agreement itself.

Provided further that, nothing in the above proviso shall be construed as permitting non-compliance with any other extant regulatory instructions or statutory requirements applicable to such arrangements.

B. Applicability

3. These Directions shall be applicable to Small Finance Banks (hereinafter collectively referred to as 'banks' and individually as a 'bank').

C. Definitions

4. In these Directions, unless the context otherwise requires, ‘Outsourcing’ means use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) by a bank to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future. 'Continuing basis’ shall include agreements for a limited period.

5. Some other terms pertaining to outsourcing of financial services and IT services have been defined in their respective Chapters as per their applicability.

6. All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or the Information Technology Act, 2000 or the Companies Act, 2013 and Rules made thereunder, or any statutory modification or re-enactment thereto, or Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

D. Scope

7. As these Directions cover both outsourcing of financial services and IT services, the scope of application of these Directions is specified in the respective Chapters.

Chapter II – Role of the Board

8. The outsourcing of any activity by a bank does not diminish its obligations, and those of its Board and Senior Management, who have the ultimate responsibility for the outsourced activity.

A. Board Approved Policy

9. A bank intending to outsource any of its financial or IT activities shall put in place corresponding comprehensive Board approved outsourcing policies, the coverage of which are indicated in paragraph 22 and paragraph 61, respectively.

B. Key responsibilities

10. The Board or a Committee of the Board to which powers have been delegated, as applicable for financial or IT outsourcing, shall be responsible for putting in place a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements, laying down appropriate approval authorities depending on risks and materiality, and undertaking regular review.

11. In respect of outsourcing of financial services,

(1) the Board, or a Committee of the Board to which powers have been delegated, shall be responsible, inter alia, for:

approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
laying down appropriate approval authorities for outsourcing depending on risks and materiality;
undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness;
deciding on business activities of a material nature to be outsourced, and approving such arrangements;
reviewing records of all material outsourcing on half yearly basis; and
ensuring submission of an Annual Compliance Certificate giving the particulars of contracts for outsourcing of financial services, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken to the Department of Supervision, RBI.

(2) the Audit Committee of the Board (ACB) of a bank shall:

monitor the system of internal audit of all outsourced activities; and
review the ageing analysis of entries pending reconciliation with outsourced vendors and make efforts to reduce the old outstanding items therein at the earliest.

12. In respect of outsourcing of IT services, the Board shall be responsible, inter alia, for:

putting in place a framework for approval of outsourcing activities depending on risks and materiality;
approving policies to evaluate the risks and materiality of all existing and prospective outsourcing arrangements;
setting up suitable administrative framework of Senior Management;
ensuring either by itself or through its Committee that there is no conflict of interest arising out of third-party engagements, especially when permitting an exception to the requirement that the service provider of outsourced services, if not a group company, shall not be owned or controlled by any director, key managerial personnel, approver of the outsourcing arrangement, or their relatives under the proviso to paragraph 58 of these Directions; and
reviewing any adverse development mentioned in reports put up to Senior Management on the monitoring and control activities.

Chapter III – Outsourcing of Financial Services

A. Definitions

13. In this Chapter, unless the context otherwise requires, ‘Material Outsourcing’ means arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability of a bank.

Materiality of outsourcing shall be based on the:

level of importance to the bank of the activity being outsourced;
potential impact of the outsourcing on the bank on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
likely impact on the bank’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service;
cost of the outsourcing as a proportion of total operating costs of the bank; and
aggregate exposure to that particular service provider, in cases where the bank outsources various functions to the same service provider.

B. Scope

14. The Directions contained in this Chapter shall apply to outsourcing arrangements entered into by a bank with a service provider which may be either a member of the group / conglomerate to which the bank belongs, or an unrelated party which is located in India or elsewhere for outsourcing of financial services likeapplications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.

Provided that, for outsourced services relating to credit cards, the provisions set out in the Reserve Bank of India (Small Finance Banks – Credit Cards and Debit Cards: Issuance and Conduct) Directions, 2025, as amended from time to time, shall also apply.

15. The provisions of these Directions shall also apply, mutatis mutandis, to subcontracted activities. For this purpose, the outsourcing contract shall provide for prior approval or consent of the bank before a service provider engages any subcontractor for all or part of the outsourced activity. Before granting such consent, the bank shall review the subcontracting arrangement and ensure that the same complies with the Directions set out in this Chapter.

16. The directions contained in this Chapter shall not apply to outsourcing of:

IT services as defined in paragraph 55(2) of these Directions, unless specified otherwise in respective paragraphs of Chapter IV;
activities unrelated to banking services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc; and
audit-related assignments to Chartered Accountant firms which shall continue to be governed by the instructions and guidelines issued by the Department of Supervision, RBI.

C. Activities that shall not be outsourced

17. A bank which chooses to outsource financial services shall however not outsource core management functions including Internal Audit, Compliance function and decision-making functions like determining compliance with KYC norms for opening deposit accounts, giving sanction for loans (including retail loans) and management of investment portfolio.

D. Authorisation, Accountability, and Oversight

18. A bank, which desires to outsource financial services, shall not require prior approval from RBI whether the service provider is located in India or outside India.

19. As stated in paragraph 8, the outsourcing of any activity by a bank shall not diminish its obligations including to its customers and RBI, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. The bank shall, therefore, be responsible for the actions of its service provider including Direct Sales Agents (DSAs) / Direct Marketing Agents (DMAs) and recovery agents and the confidentiality of information pertaining to the customers that is available with the service provider. The bank shall retain ultimate control of the outsourced activity.

20. A bank shall ensure that:

all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration have been considered when performing due diligence in relation to outsourcing;
outsourcing, whether the service provider is located in India or outside India, does not impede RBI in carrying out its supervisory functions and objectives, or diminish the ability of a bank to fulfil its obligations to its regulator / supervisor;
outsourcing, whether the service provider is located in India or outside India, does not impede or interfere with the ability of a bank to effectively oversee and manage its activities, and fulfil its obligations;
outsourcing would not result in the compromise or weakening of a bank’s internal control, business conduct, or reputation;
the service provider employs the same high standard of care in performing the services as would be employed by the bank, if the activities were conducted within the bank and not outsourced; and
the service provider, if it is not a subsidiary of the bank, shall not be owned or controlled by any director or officer / employee of the bank or their relatives having the same meaning as assigned under Companies Act, 2013 and the Rules framed thereunder, as amended from time to time.

21. A bank shall be responsible for making Currency Transactions Reports (CTRs) and Suspicious Transactions Reports (STRs) to FIU or any other competent authority in respect of its customer related activities carried out by the service providers.

E. Governance Framework

E.1 Outsourcing Policy

22. A bank intending to outsource any of its financial services shall put in place a comprehensive outsourcing policy, approved by its Board, which shall incorporate, inter alia, the following:

criteria for selection of such activities as well as service providers;
parameters for defining ‘material outsourcing’ based on the broad criteria indicated in paragraph 13 of these Directions;
delegation of authority depending on risks and materiality; and
systems to monitor and review the operations of these activities.

E.2 Role of Senior Management

23. The Senior Management of a bank shall, inter alia, be responsible for:

evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board or a Committee of the Board;
developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing;
reviewing periodically the effectiveness of policies and procedures;
communicating information pertaining to material outsourcing risks to the Board in a timely manner;
ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
ensuring that there is independent review and audit for compliance with set policies; and
undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise.

F. Risk Management

F.1 Evaluation of the Risks

24. A bank shall evaluate and guard against the following key risks when outsourcing:

Strategic Risk – such as where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the bank.
Reputation Risk – such as where the service provider delivers poor service or its customer interactions are inconsistent with the overall standards of the bank.
Compliance Risk – such as where, owing to outsourcing, the privacy, consumer, and prudential laws are not adequately complied with.
Operational Risk – which may arise due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations and / or to provide remedies.
Legal Risk – where a bank is subjected to, inter alia, fines, penalties, or punitive damages resulting from supervisory actions, or private settlements due to omissions and commissions by the service provider.
Exit Strategy Risk – may arise when a bank becomes over reliant on one service provider, loses relevant internal skills preventing it from bringing the activity back in-house, or enters into contracts that make speedy exits prohibitively expensive.
Counterparty Risk – such as where the service provider engages in inappropriate underwriting or credit assessments.
Country Risk – where the political, social or legal climate creates added risk in the outsourcing arrangement.
Contractual Risk – where the bank may not have the ability to enforce the contract with the service provider.
Concentration and Systemic Risk – where there is a lack of control of a bank over a service provider, more so when overall banking industry has considerable exposure to one service provider.

F.2 Confidentiality and Security of Information

25. A bank shall seek to ensure the security, preservation, and protection of the customer information in the custody or possession of the service provider.

26. Access to customer information by a service provider or its staff shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

27. A bank shall review and monitor the security practices and control processes of its service providers on a regular basis and require the service provider to disclose security breaches.

28. In instances, where a service provider acts as an outsourcing agent for multiple entities, care shall be taken to build strong safeguards so that there is no comingling or combining of information, documents, records, and assets.

29. A bank shall ensure that a service provider is able to isolate and clearly identify the bank’s customer information, documents, records and assets to protect the confidentiality of the information.

30. A bank shall immediately notify RBI in the event of breach of security and leakage of confidential customer related information. In these eventualities, the bank shall be liable to its customers for any damage.

G. Outsourcing Process

G.1 Service Provider Evaluation

31. A bank shall perform appropriate due diligence while considering or renewing an outsourcing arrangement, to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis.

32. The due diligence mentioned above shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:

qualitative, quantitative, financial, operational, legal, and reputational factors;
risks arising from undue concentration, if outsourcing to a single service provider or a limited number of service providers;
past experience and demonstrated competence to implement and support the proposed activity over the contracted period;
financial soundness and ability to service commitments even under adverse conditions;
business reputation and culture, compliance, complaints and outstanding or potential litigation;
quality of due diligence exercised by service provider of its employees and sub-contractors;
security and internal control, audit coverage, reporting and monitoring procedures, business continuity management; and
external factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance.

33. Where possible, a bank shall obtain independent reviews and market feedback on the service provider to supplement the findings of its own due diligence.

34. A bank shall also evaluate whether the systems of its service providers are compatible with those of the bank, and the acceptability of their standards of performance including in the area of customer service.

G.2 Outsourcing Agreement

35. A bank shall ensure that the terms and conditions governing the outsourcing arrangement are carefully defined in written agreements and vetted by the bank’s legal counsel on their legal effect and enforceability. The agreement shall appropriately reckon the associated risks and the strategies for mitigating or managing them. The bank shall ensure that such an agreement is sufficiently flexible to allow the bank to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent-principal or otherwise.

36. Some of the key provisions of the agreement shall include:

details of the activity being outsourced, including appropriate service and performance standards;
bank’s access to all books, records, and information relevant to the outsourced activity available with the service provider;
regular and continuous monitoring and assessment by the bank of the service provider for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately;
prior approval or consent by the bank for the use of subcontractors by the service provider for all or part of an outsourced activity as set out in paragraph 15 of these Directions;
controls for maintaining confidentiality of data including of its customers, and incorporating service provider’s liability in the event of security breach and leakage of such confidential information;
contingency plans to ensure business continuity;
bank’s right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the bank;
right of RBI or persons authorised by it to access the bank’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time;
right of RBI to cause an inspection to be made of the service provider by one or more of its officers, employees or other authorised persons;
a termination clause and minimum period for executing termination, if deemed necessary;
provision that confidentiality of customers’ information shall be maintained even after the contract expires or gets terminated; and
provisions to ensure that the service provider preserves documents and data in accordance with legal / regulatory obligation of the bank.

G.3 Monitoring and Control of Outsourced Activities

37. A bank shall have in place a management structure to monitor and control its outsourced activities and shall ensure that outsourcing agreements with service providers contain provisions to address the same.

38. A bank shall maintain a central record of all material outsourcing of financial services for review by its Board and Senior Management. The records shall be updated promptly, and half yearly reviews shall be placed before the Board.

39. Regular audits by either the internal auditors or external auditors of a bank shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s compliance with its risk management framework and the requirements of these Directions.

40. A bank shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience or business continuity preparedness.

41. Certain services, viz., outsourcing of cash management, might involve reconciliation of transaction between a bank, its service providers and their subcontractors. In such cases, the bank shall ensure that reconciliation of transactions between itself and a service provider (and / or its subcontractors) are carried out in a timely manner. A bank shall ensure that the reconciliation is carried out as advised in RBI guidelines on ‘Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019, as amended from time to time.

G.4 Business Continuity and Management of Disaster Recovery Plan

42. A bank shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. The bank shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider.

43. In establishing a viable contingency plan, a bank shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

44. A bank shall ensure that its service providers are able to isolate the bank’s information, documents and records, and other assets so that in adverse conditions or termination of the agreement, all documents, records of transactions and information with the service provider, and assets of the bank, can be removed from the possession of the service provider (in order to continue its business operations); or deleted, destroyed or rendered unusable.

45. In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency / liquidation of its service provider, a bank shall retain an appropriate level of control over its outsourcing arrangement along with the right to intervene with appropriate measures to continue its business operations without incurring prohibitive expenses and disruption in the operations of the bank and its services to the customers.

G.5 Termination

46. If the services of a service provider are terminated by a bank, then it shall:

publicise the same so as to ensure that its customers do not continue to entertain the service provider; and
inform IBA of the reasons for termination to enable IBA to maintain a caution list of such service providers for sharing among banks.

H. Specific Outsourcing Arrangements

H.1 Outsourcing within a Group / Conglomerate

47. The risk management practices to be adopted by a bank while outsourcing to a related party (i.e., party within the group / conglomerate) shall be identical to those for a non-related party as specified in this Chapter.

H.2 Offshore outsourcing

48. In principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

49. While engaging with service provider(s) in a foreign country, a bank shall:

closely monitor government policies of the jurisdiction in which the service provider is based and political, social, economic and legal conditions, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies;
clearly specify the governing law of the outsourcing arrangement;
ensure availability of records to the bank and RBI will not be affected even in the case of liquidation of the service provider or offshore custodian or the bank in India;
ensure activities outsourced outside India are conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of the bank in a timely manner;
ensure that, where the offshore service provider is a regulated entity, the relevant offshore regulator will neither obstruct the arrangement nor object to the RBI’s inspection visits or visits of bank’s internal and external auditors;
ensure that the regulatory authority of the offshore location does not have access to the data relating to Indian operations of the bank simply on the ground that the processing is being undertaken there (not applicable, if offshore processing is done in the home country of the bank);
ensure that the jurisdiction of the courts in the offshore location where data is maintained does not extend to the operations of the bank in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and
ensure that all original records continue to be maintained in India.

50. The overseas operations of a bank shall be governed by both, these Directions and the host country guidelines, and in case there are differences, the more stringent of the two shall prevail. However, where there is any conflict, the host country guidelines shall prevail.

I. Redressal of Grievances related to Outsourced Services

51. Outsourcing arrangements entered into by a bank shall not affect the rights of its customers against the bank, including the ability of the customers to obtain redressal as applicable under relevant laws.

52. In cases where customers are required to deal with service providers in the process of dealing with a bank, the bank shall incorporate a clause in the corresponding product literature, brochures, etc., stating that the services of service providers in sales, marketing, etc., of the products may be used. The role of the service providers may be indicated in broad terms.

53. A bank shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the bank. In case of microfinance loans, a declaration that the bank shall be accountable for inappropriate behaviour of the employees of the service provider and shall provide timely grievance redressal, shall be made in the loan agreement, and Fair Practices Code (FPC) displayed in its office / branch premises / website.

54. In addition to the above,

a bank shall constitute Grievance Redressal Machinery within the bank and give wide publicity about it through electronic and print media;
the name and contact number of designated grievance redressal officer of the bank shall be made known and widely publicised. The designated officer shall ensure that genuine grievances of customers are redressed promptly without involving delay. It shall be clearly indicated that bank’s Grievance Redressal Machinery will also deal with the issue relating to services provided by the service provider; and
the time frame fixed for responding to the complaints (maximum 30 days) shall be placed on the bank's website. If a complaint was rejected wholly or partly by a bank, and the complainant is not satisfied with the reply, or does not get any reply within 30 days after the bank received the complaint, the complainant shall have the option to seek grievance redressal under the RBI’s Integrated Ombudsman Scheme, 2021.

Chapter IV – Outsourcing of Information Technology (IT) Services

A. Definitions

55. In this Chapter, unless the context otherwise requires, the terms herein shall bear the meanings assigned to them below:

(1) ‘Group’ shall be as defined in the Reserve Bank of India (Commercial Banks- Concentration Risk Management) Directions, 2025, as amended from time to time, for the purpose of intragroup transactions and exposures;

(2) ‘IT services’ means IT services and / or IT enabled services and / or IT activities.

(3) ‘Material Outsourcing of IT Services’ are those which:

if disrupted or compromised shall have the potential to significantly impact the bank’s business operations; or
may have material impact on the bank’s customers in the event of any unauthorised access, loss or theft of customer information;

(45) ‘Service Provider’ means provider of IT or IT enabled services including entities related to the bank or those which belong to the same group or conglomerate to which the bank belongs.

Provided that, for the purpose of this Chapter, the following indicative (but not exhaustive) list of vendors and entities shall not be considered as ‘Service Providers’ defined above:

vendors providing business services using IT. For e.g., Business Correspondents (BCs);
Payment System Operators (PSOs) authorised by RBI under the Payment and Settlement Systems Act, 2007 for setting up and operating Payment Systems in India;
partnership based FinTech firms such as those providing co-branded applications, services, products (would be considered under outsourcing of financial services in Chapter III);
FinTech firms providing services for data retrieval, data validation and verification such as, bank statement analysis, GST returns analysis, fetching of vehicle information, digital document execution, data entry and call centre services, etc.;
telecom service providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of data; and
security or audit consultants appointed for certification, audit or Vulnerability Assessment / Penetration Testing (VA / PT) related to IT infra, IT services or information security services in their role as independent third-party auditor or consultant or lead implementer.

Explanation: Depending upon the IT Outsourcing services provided (if any) by a Regulated Entity (RE) to other RE(s), even an RE could be considered as a service provider to other RE, under the provisions contained in this Chapter.

(5) ‘Sub-contractor’ refers to those providing material / significant IT services to the service provider and is specific to the material IT services arrangement that the bank has entered into with the service provider.

B. Scope

56. These Directions shall apply to a bank’s material outsourcing of IT services, as defined in paragraph 55 (3) above. In this context, ‘Outsourcing of IT Services’ shall include outsourcing of the following activities:

IT infrastructure management, maintenance and support (hardware, software or firmware);
network and security solutions, maintenance (hardware, software or firmware);
application development, maintenance and testing; Application Service Providers (ASPs) including ATM Switch ASPs;
services and operations related to Data Centres;
cloud computing services;
managed security services; and
management of IT infrastructure and technology services associated with payment system ecosystem.

57. These Directions shall not apply to the following services / activities,

corporate internet banking services obtained by a bank as a corporate customer or sub-member of another RE;
external audit services such as VA / PT, Information Systems Audit, and security review;
SMS gateways (Bulk SMS service providers);
procurement of IT hardware or appliances;
acquisition of IT software, product or application (e.g., CBS, database, security solutions, etc.) on a licence or subscription basis, and any enhancements made to such licensed third-party applications by the vendor (as upgrades) or on specific change request made by a bank;
any maintenance service (including security patches, bug fixes) for IT infrastructure or licensed products, provided by the Original Equipment Manufacturer (OEM) themselves, in order to ensure continued usage of the same by the bank;
applications provided by financial sector regulators or institutions such as CCIL, NSE, BSE, etc.;
platforms provided by entities such as Reuters, Bloomberg, SWIFT, etc.;
any other off-the-shelf products (e.g., anti-virus software, email solutions, etc.) subscribed to by a bank, wherein only a license is procured with no or minimal customisation;
services obtained by a bank as a sub-member of a Centralised Payment System (CPS) from another RE; and
Business Correspondent (BC) services, payroll processing, and statement printing.

C. Authorisation, Accountability, and Oversight

58. In addition to adhering to the requirements stipulated in subparagraphs (i) to (v) of paragraph 20 of these Directions, a bank shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the bank, or their relatives. The terms ‘control’, ‘director’, ‘key managerial personnel’, and ‘relative’ have the same meaning as assigned under the Companies Act, 2013 and the Rules framed thereunder from time to time.

Provided that, an exception to the above requirement may be made with the approval of Board / a Committee of the Board, followed by appropriate disclosure, oversight and monitoring of such arrangements.

59. A bank shall evaluate the need for outsourcing of IT services based on a comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks. For this purpose, the bank shall, inter alia, consider the following:

the need for outsourcing based on criticality of activity to be outsourced;
expectations and outcomes from outsourcing;
success factors and cost-benefit analysis; and
the model for outsourcing.

60. A bank shall ensure that cyber incidents are reported to it by the service provider without undue delay, so that an incident is reported by the bank to the RBI within six hours of detection by the third-party service provider.

D. Governance Framework

D.1 Outsourcing Policy

61. A bank intending to outsource any of its IT activities shall put in place a comprehensive Board approved IT outsourcing policy incorporating, inter alia,

the roles and responsibilities of the Board, Committees of the Board (if any) and Senior Management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services;
criteria for selection of such activities as well as service providers;
parameters for defining material outsourcing based on the broad criteria defined in paragraph 55 (3) of these Directions;
delegation of authority depending on risk and materiality;
disaster recovery and business continuity plans;
systems to monitor and review the operations of these activities; and
termination processes and exit strategies, including business continuity in the event of a third-party service provider exiting the outsourcing arrangement.

D.2 Role of Senior Management

62. The Senior Management of a bank shall, inter alia, be responsible for:

formulating IT outsourcing policies and procedures, evaluating the risks and materiality of all existing and prospective IT outsourcing arrangements based on the framework commensurate with the complexity, nature and scope, in line with the enterprise-wide risk management of the organisation approved by the Board and its implementation;
prior evaluation of prospective IT outsourcing arrangements and periodic evaluation of the existing outsourcing arrangements covering the performance review, criticality and associated risks of all such arrangements based on the policy approved by the Board;
identifying IT outsourcing risks as they arise, monitoring, mitigating, managing and reporting of such risks to the Board / a Committee of the Board in a timely manner;
ensuring that suitable business continuity plans based on realistic and probable disruptive scenarios, including exit of any third-party service provider, are in place and tested periodically;
ensuring (a) effective oversight over third party for data confidentiality and (b) appropriate redressal of customer grievances in a timely manner;
ensuring an independent review and audit on a periodic basis for compliance with the legislations, regulations, Board-approved policy and performance standards and reporting the same to Board / a Committee of the Board; and
creating essential capacity with required skillsets within the organisation for proper oversight of outsourced activities.

D.3 Role of IT Function

63. The responsibilities of the IT Function of a bank shall, inter alia, include:

assisting the Senior Management in identifying, measuring, monitoring, mitigating and managing the level of IT outsourcing risk in the organisation;
ensuring that a central database of all IT outsourcing arrangements is maintained and is accessible for review by Board, Senior Management, Auditors and Supervisors;
effectively monitor and supervise the outsourced IT activity to ensure that the service providers meet the laid down performance standards and provide uninterrupted services, report to the Senior Management; co-ordinate periodic due diligence and highlight concerns, if any; and
putting in place necessary documentation required for contractual agreements including service level management, monitoring of vendor operations, key risk indicators and classifying the vendors as per the determined risk.

E. Risk Management

E.1 Risk Management Framework

64. A bank shall put in place a risk management framework that comprehensively deals with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with such IT outsourcing arrangements.

65. A bank shall suitably document risk assessments with necessary approvals in line with the roles and responsibilities of the Board of Directors, Senior Management and IT Function and subject the same to internal and external quality assurance on a periodic basis as determined by the Board-approved policy.

66. A bank shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and / or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers.

E.2 Confidentiality and Security of Information

67. A bank shall be responsible for the confidentiality and integrity of data and information pertaining to its customers that is available to the service provider.

68. In this regard, a bank shall adhere to directions stated in paragraph 25 to paragraph 28 of these Directions and additionally ensure that:

access by service providers to data at the bank or its data centre shall be on ‘need to know’ basis, with appropriate controls to prevent security breaches and / or data misuse;
in the event of multiple service provider relationships where two or more service providers collaborate to deliver an end-to-end solution, the bank remains responsible for understanding and monitoring the control environment of all service providers that have access to its data, systems, records or resources;
it immediately notifies RBI in the event of breach of security and leakage of confidential customer related information. In these eventualities, the bank shall adhere to the extant instructions issued by RBI from time to time on Incident Response and Recovery Management.

69. With regard to requirement regarding combining of data stipulated in paragraph 28, it would suffice if there is clear separation and isolation of data (bank and its customer specific data and information) to ensure that only the personnel as authorised by the bank is able to access data that belongs to them in a multi-tenant environment / architecture.

F. Outsourcing Process

F.1 Service Provider Evaluation

70. The directions regarding service provider evaluation as applicable to outsourcing of financial services contained in paragraph 31 to paragraph 33 shall apply, mutatis mutandis, to outsourcing of IT services, with the following additional considerations for due-diligence:

technology, infrastructural stability, data backup arrangements, and disaster recovery plan;
conflict of interest, if any;
capability to identify and segregate bank’s data;
capability to comply with the regulatory and legal requirements of the outsourcing arrangement;
information / cyber security risk assessment;
ensuring that appropriate controls, assurance requirements and possible contractual arrangements are in place to ensure data protection and bank’s access to the data which is processed, managed or stored by the service provider;
ability to effectively service all the customers while maintaining confidentiality, especially where a service provider has exposure to multiple entities; and
ability to enforce agreements and the rights available thereunder including those relating to aspects such as data storage, data protection and confidentiality.

71. A risk-based approach shall be adopted in conducting such due diligence activities.

F.2 Outsourcing Agreement

72. A bank shall ensure that its rights and obligations and those of each service provider are clearly defined and set out in a legally binding written agreement, in line with the provisions specified in paragraph 35 of these Directions. In principle, the provisions of the agreement shall appropriately reckon the criticality of the outsourced task to the business of the bank, the associated risks and the strategies for mitigating or managing them.

73. In addition to the requirements specified in subparagraphs (i) to (vii) of paragraph 36, a bank shall also include at minimum (as applicable to the scope of outsourcing of IT services) the following aspects in any agreement for outsourcing of IT services:

provisions covering service provider’s subcontractors with respect to service and performance standards [subparagraph (i) of paragraph 36] and bank’s right to conduct audits [subparagraph (vii) of paragraph 36];
access by the bank to all data, books, records, information logs, alerts and business premises relevant to the outsourced activity, available with the service provider;
type of material adverse events (e.g., data breaches, denial of service, service unavailability, etc., relevant to the outsourced activity) and the incidents required to be reported to the bank to enable the bank to take prompt risk mitigation measures and ensure compliance with statutory and regulatory guidelines;
compliance with the provisions of Information Technology Act, 2000, other applicable legal requirements and standards to protect the customer data;
the deliverables including Service Level Agreements (SLAs) formalising performance criteria to measure the quality and quantity of service levels;
storage of data only in India (as applicable) as per extant regulatory requirements;
clauses requiring the service provider to provide details of data (related to the bank and its customers) captured, processed, and stored;
types of data / information that the service provider (vendor) is permitted to share with bank’s customer and / or any other party;
the resolution process, events of default, indemnities, remedies, and recourse available to the respective parties;
contingency plan(s) to ensure testing requirements;
right to seek information from the service provider about the third parties (in the supply chain) engaged by the former;
right of RBI or person(s) authorised by it to perform inspection of the service provider and any of its sub-contractors and access the bank’s IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the service provider and / or its sub-contractors in relation and as applicable to the scope of the outsourcing arrangement;
clauses making the service provider contractually liable for the performance and risk management practices of its subcontractors;
obligation of the service provider to comply with directions issued by the RBI in relation to the activities outsourced to the service provider, through specific contractual terms and conditions specified by the bank;
termination rights of the bank, including the ability to orderly transfer the proposed IT-outsourcing arrangement to another service provider, if necessary or desirable;
obligation of the service provider to co-operate with the relevant authorities in case of insolvency / resolution of the bank;
provision to consider skilled resources of service provider who provide core services as ‘essential personnel’ so that a limited number of staff with back-up arrangements necessary to operate critical functions can work on-site during exigencies (including pandemic situations);
clause requiring suitable back-to-back arrangements between service providers and the OEMs; and
clause requiring non-disclosure agreement with respect to information retained by the service provider.

F.3 Monitoring and Control of Outsourced Activities

74. A bank shall have in place a management structure to monitor and control its outsourced activities. This shall include (as applicable to the scope of outsourcing of IT services), but not be limited to, monitoring the performance, uptime of the systems and resources, service availability, adherence to SLA requirements, incident response mechanism, etc.

75. A bank shall conduct regular audits of service providers (including sub-contractors) with regard to the activity outsourced by it. Such audits may be conducted either by bank’s internal auditors or external auditors appointed to act on bank’s behalf.

76. While outsourcing various IT services, more than one RE may be availing services from the same third-party service provider. In such scenarios, in lieu of conducting separate audits by individual REs of the common service provider, they may adopt pooled (shared) audit. This allows the relevant REs to either pool their audit resources or engage an independent third-party auditor to jointly audit a common service provider. However, in doing so, it shall be the responsibility of REs in ensuring that the audit requirements related to their respective contract with the service provider are met effectively.

77. The audits shall assess the performance of the service provider, adequacy of the risk management practices adopted by the service provider, compliance with laws and regulations, etc. The frequency of the audit shall be determined based on the nature and extent of risk and impact on the bank from the outsourcing arrangements. Reports on the monitoring and control activities shall be reviewed periodically by the Senior Management and in case of any adverse development, the same shall be put up to the Board for information.

78. A bank, depending upon the risk assessment, may also rely upon globally recognised third-party certifications made available by the service provider in lieu of conducting independent audits. However, this shall not absolve the bank of its responsibility in ensuring assurance on the controls and procedures required to safeguard data security (including availability of systems) at the service provider’s end.

79. A bank shall periodically review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations. A bank shall adopt risk-based approach in defining the periodicity. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience preparedness.

80. A bank shall ensure that the service provider grants unrestricted and effective access to (a) data related to the outsourced activities; (b) the relevant business premises of the service provider; subject to appropriate security protocols, for the purpose of effective oversight by the bank, its auditors, regulators and other relevant Competent Authorities, as authorised under law.

F.4 Inventory of Outsourced Services

81. A bank shall create an inventory of IT services outsourced to service providers (including key entities involved in their supply chains). Further, the bank shall map its dependency on third parties and periodically evaluate the information received from the service providers.

F.5 Business Continuity and Management of Disaster Recovery Plan

82. The Directions regarding ‘Business Continuity and Management of Disaster Recovery Plan’ as applicable to outsourcing of financial services contained in paragraph 42 to paragraph 45 shall apply, mutatis mutandis, to outsourcing of IT services. The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) for outsourced IT services shall be commensurate with the nature and scope of the outsourced activity as per extant instructions issued by RBI from time to time on BCP / DR requirements.

F.6 Exit Strategy

83. The IT outsourcing policy shall contain a clear exit strategy, for ensuring business continuity during and after exit.

84. The strategy shall include plans for different scenarios of exit or termination of services with stipulation of minimum period to execute such plans, as necessary.

85. In documenting its exit strategy, a bank shall, inter alia, identify alternative arrangements, which may include performing the activity by a different service provider or by the bank itself.

86. A bank shall ensure that outsourcing agreements have necessary clauses on safe removal / destruction of data, hardware and all records (digital and physical), as applicable. Further, the outsourcing agreement shall ensure that the service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator or the concerned bank.

87. A service provider shall be legally obliged to cooperate fully with both the bank and its new service provider(s) to ensure there is a smooth transition.

F.7 Termination

88. In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers of the bank, the same shall be given due publicity by the bank so as to ensure that the customers stop dealing with the concerned service provider.

G. Specific Outsourcing Arrangements

G.1 Outsourcing within a Group / Conglomerate

89. A bank may outsource any IT activity / IT enabled service within its business group / conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements / agreements with its group entities are in place.

90. The selection of a group entity shall be based on objective reasons that are similar to selection of a third-party, and any conflicts of interest that such an outsourcing arrangement may entail shall be appropriately dealt with.

91. A bank, at all times, shall maintain an arm's length relationship in dealings with its group entities. Risk management practices being adopted by the bank while outsourcing to a group entity shall be identical to those specified for a non-related party.

G.2 Offshore or Cross-Border outsourcing

92. In principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.

93. While engaging with service provider(s) in a foreign country, a bank shall:

closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies;
clearly specify the governing law of the outsourcing arrangement;
ensure that availability of records to the bank and the RBI will not be affected even in case of liquidation of the service provider;
ensure the right of the bank and RBI to direct and conduct audit or inspection of the service provider based in a foreign jurisdiction; and
ensure that the arrangement complies with all statutory requirements as well as regulations issued by the RBI from time to time.

G.3 Outsourcing of Security Operations Centre (SOC)

94. Considering the risks associated with outsourcing of Security Operations Centre (SOC) operations by a bank, such as data being stored and processed at an external location and managed by a third party to which the bank has lesser visibility, the bank, to mitigate the risks, shall adopt the following requirements in the case of outsourcing of SOC operations in addition to the controls prescribed in this Chapter:

unambiguously identify the owner of assets used in providing the services (systems, software, source code, processes, concepts, etc.);
ensure that the bank has adequate oversight and ownership over the rule definition, customisation and related data / logs, meta-data and analytics (specific to the bank);
assess SOC functioning, including all physical facilities involved in service delivery, such as the SOC and areas where client data is stored / processed periodically;
integrate the outsourced SOC reporting and escalation process with the bank’s incident response process; and
review the process of handling of the alerts / events.

G.4 Usage of Cloud Computing Services

95. Several cloud deployment and service models have emerged over time. These are generally based on the extent of technology stack that is proposed to be adopted by the consuming entity.

(1) Example - 1: Some cloud services are:

Infrastructure as a Service (IaaS): The service provides computing, storage, network, and other basic resources so that the client can develop and deploy their applications.
Platform as a Service (PaaS): The service provides software for building application, middleware, database, development environment, and other tools along with the infrastructure to the client.
Software as a Service (SaaS): Client uses the application(s) provided by the service provider on a cloud infrastructure.
Besides the three common application services, Cloud Service Providers (CSPs) also provide a range of services, viz., Database as a Service, Security as a Service, Storage as a Service, and others with varying risk levels.

(2) Example - 2: Some of the popular deployment models for delivery of cloud services are Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud.

96. Considering the varied services, benefits, and risk profiles associated with the cloud deployment and service models, a bank that uses cloud services for storage, computing and movement of data in cloud environments shall, in addition to other applicable provisions in these Directions:

(i) undertake a comprehensive assessment of its business strategy and goals adopted to the existing IT applications’ footprint and associated costs. Such assessment shall include, but not be limited to, an analysis of various heads of cloud-related expenditure, such as application refactoring, integration, consulting, migration, and projected recurring expenditure depending on the nature of workloads. The extent of cloud adoption may vary, ranging from migration of non-business critical workloads to the cloud, to deployment of critical business applications such as Software-as-a-Service (SaaS), or other combinations in between, and shall be determined based on a duly conducted business technology risk assessment;

(ii) ensure, inter alia, that the ‘IT outsourcing policy’, referred to in paragraph 61 of these Directions, addresses the entire lifecycle of data, i.e., covering the entire span of time from generation of the data, its entry into the cloud, till the data is permanently erased / deleted. It shall also ensure that specified procedures are consistent with business needs and legal and regulatory requirements;

(iii) take into account cloud service specific factors, viz., multi-tenancy, multi-location storing / processing of data, etc., and attendant risks while establishing appropriate risk management framework;

(iv) implement necessary controls by referring to the cloud security best practices, as per applicability of the shared responsibility model between the bank and the Cloud Service Provider (CSP);

For cloud security best practices, a bank may refer to, inter alia, NIST SP 800-210 General Access Control Guidance for Cloud Systems https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-210.pdf

(v) put in place strong cloud governance by adopting and demonstrating a well-established and documented cloud adoption policy. Such a policy shall, inter alia,

identify the activities that can be moved to the cloud;
enable and support protection of various stakeholder interests;
ensure compliance with regulatory requirements, including those on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification; and
provide for appropriate due diligence to manage and continually monitor the risks associated with CSPs.

(vi) ensure that the selection of a CSP is based on a comprehensive risk assessment of the CSP. A bank shall enter into a contract only with CSPs that are subject to jurisdictions that uphold enforceability of agreements and the rights available thereunder to the bank, including those relating to aspects such as data storage, data protection and confidentiality.

(vii) ensure that the service and technology architecture supporting cloud-based applications is built in adherence to globally recognised architecture principles and standards. The technology architecture shall:

provide for a standard set of tools and processes to manage containers, images and releases;
provide for a secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the bank;
be protected against data integrity and confidentiality risks, and against co-mingling of data, in case of multi-tenancy environments; and
be resilient and enable smooth recovery in case of failure of any one or combination of components across the cloud architecture with minimal impact on data / information security.

(viii) agree upon the Identity and Access Management (IAM) with the CSP and ensure that role-based access to the cloud hosted applications, both in respect of user-access and privileged-access, is provided. The bank shall:

establish stringent access controls, as applicable for an on-premises application, for identity and access management to cloud-based applications;
implement segregation of duties and role conflict matrix for all kinds of user-access and privileged-access roles in the cloud-hosted application irrespective of the cloud service model;
ensure that access provisioning is governed by principles of ‘need to know’ and ‘least privileges’; and
implement multi-factor authentication for access to cloud applications.

(ix) ensure that the implementation of security controls in the cloud-based application achieves similar or higher degree of control objectives than those achieved in or by an on-premises application. This includes ensuring secure connection through appropriate deployment of network security resources and their configurations; appropriate and secure configurations, monitoring of the cloud assets utilised by the bank; necessary procedures to authorise changes to cloud applications and related resources.

(x) define minimum monitoring requirements in the cloud environment and assess the information / cyber security capability of the CSP, to ensure that it:

maintains an information security policy framework commensurate with its exposures to vulnerabilities and threats;
is able to maintain its information / cyber security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment;
has set the nature and frequency of testing of controls in respect of the outsourced services commensurate with the materiality of the services being outsourced by the bank and the threat environment; and
has mechanisms in place to assess the subcontractors with regards to confidentiality, integrity and availability of the data being shared with them, where applicable.

(xi) ensure appropriate integration of logs and events from the CSP into the bank’s SOC, wherever applicable and / or retention of relevant logs in cloud for incident reporting and handling of incidents relating to services deployed on the cloud;

(xii) ensure that the cyber resilience controls of the CSP complement the bank’s own application security measures, and that both the bank and the CSP maintain continuous and regular updates of security-related software, including upgrades, fixes, patches, and service packs, to safeguard applications against advanced threats and malware;

(xiii) ensure that the CSP has a well-governed and structured approach to manage threats and vulnerabilities supported by requisite industry-specific threat intelligence capabilities;

(xiv) ensure that the business continuity framework provides for continued operation of critical functions in the event of a disaster affecting the bank’s cloud services or failure of the CSP, with minimal disruption to services and without compromising data integrity and security;

(xv) ensure that the CSP has put in place demonstrative capabilities for preparedness and readiness for cyber resilience as regards cloud services in use by them through, inter alia, robust incident response and recovery practices including conduct of Disaster Recovery (DR) drills at various levels of cloud services including necessary stakeholders.

(xvi) develop an exit strategy that shall

factor, inter alia, agreed processes and turnaround times for returning the bank’s service collaterals and data held by the CSP; data completeness and portability; secure purge of bank’s information from the CSP’s environment; smooth transition of services; and unambiguous definition of liabilities, damages, penalties and indemnities, which should also be a part of the service level stipulations in SLA;
include exit plans which align with the ongoing design of applications and service delivery technology stack;
include contractually agreed exit / termination plans, which specify how the cloud-hosted service(s) and data will be moved out from the cloud with minimal impact on continuity of the bank’s business, while maintaining integrity and security; and
include clauses for prompt take-over of all records of transactions, customer and operational information, configuration data in a systematic manner from the CSP and purging at the CSP-end and ensuring independent assurance before signing off from the CSP.

(xvii) ensure that the audit / periodic review / third-party certifications cover, as per applicability and cloud usage, inter alia, aspects such as roles and responsibilities of both bank and CSP in cloud governance, access and network controls, configurations, monitoring mechanism, data encryption, log review, change management, incident response, and resilience preparedness and testing, etc.

H. Redressal of Grievances related to Outsourced Services

97. A bank shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the bank.

98. Outsourcing arrangements entered into by a bank shall not affect the rights of its customers against the bank, including the ability of the customers to obtain redressal as applicable under relevant laws.

Chapter V – Repeal and Other Provisions

A. Repeal and saving

99. With the issue of these Directions, the existing Directions, instructions, and guidelines relating to outsourcing of financial services and IT services as appliable to Small Finance Banks stand repealed, as communicated vide notification dated XX, 2025. The Directions, instructions, and guidelines repealed prior to the issuance of these Directions shall continue to remain repealed.

100. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed Directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions.

B. Application of other laws not barred

101. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

102. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, the RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by the RBI shall be final and binding.