News and developments
New RBI IT Outsourcing Directions and Key Takeaways for Fintech Agreements
On April 10th, 2023 the Reserve Bank of India (“RBI”) issued fresh directions to financial institutions (also referred to as “Regulated Entities” or “REs”) concerning the outsourcing of information technology (“IT”) services and IT-enabled services (“ITeS”) to third-party service providers (whether or not belonging to the same group of companies as the financial institution), titled the ‘Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023’ (“IT Outsourcing Directions”). RBI had first proposed this in its Statement on Developmental and Regulatory Policies dated February 10th, 2022, and a draft was also put out for public comments in June 2022. The directions come in light of the increasing use of digital mediums in customer onboarding, KYC and loan disbursement.
IT services or any other outsourced services contracts entered into by banks and non-banking finance companies (“NBFCs”) were previously governed by the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services (“General Outsourcing Guidelines”). With the new directions in place, all IT services, fintech agreements and digital lending agreements shall have to comply not just with the General Outsourcing Guidelines but also with the IT Outsourcing Directions.
Key Takeaways
Not Applicable on Base Layer NBFCs
The IT Outsourcing Directions only apply to NBFCs included in the ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’. They do not apply to NBFCs in the Base Layer, which includes (a) non-deposit-taking NBFCs below the asset size of ₹1000 crore and (b) NBFCs undertaking the following activities: (i) NBFC-Peer to Peer Lending Platform (NBFC-P2P), (ii) NBFC-Account Aggregator (NBFC-AA), (iii) Non-Operative Financial Holding Company (NOFHC) and (iv) NBFCs not availing public funds and not having any customer interface.[1] The directions also apply to credit information companies and branches of foreign banks in India, in addition to other REs.
The guidelines state that they apply only to material outsourcing of IT services. Material outsourcing of IT services is defined as any service which, if disrupted or compromised, has the potential to significantly impact the RE’s business operations; or which may have a material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.
AKP Comments: This definition means that the directions are meant for those REs, especially NBFCs, that undertake lending and other financial services only through digital means. However, the definition uses the term ‘or’ between the two conditions, and the second condition is linked to access to customer data and its protection. In practice, this means that the directions shall apply to any IT service agreement where there is access to customer data, covering the entire life cycle of a loan.
REs shall create an inventory of services provided by the service providers (including key entities involved in their supply chains). Further, REs shall map their dependency on third parties and periodically evaluate the information received from the service providers.
Regardless of the location of the IT service provider, the RE shall have to ensure that all the data related to the IT service is stored on servers in India.
The audit rights of regulated entities have always been a topic of much negotiation in fintech agreements. Now, the REs shall have to ensure the right of audit over not just the fintech but also its subcontractors. Another issue in the industry is the increasing use of software-as-a-service. Most IT services are now integrated with various Application Programming Interfaces (“APIs”). Legally, every integrated API provider is a sub-contractor. It is next to impossible for a fintech to have that measure of control over every API integration.
AKP Comments: The subcontractor requirements, if applied strictly to the API integrations of the fintech, shall severely impact Software as a Service (“SaaS”) platform usage, which is inevitable in this neo-banking age. In this sense, the guidelines are not in sync with the industry. For example, they expect a team of employees of the fintech to operate out of the RE’s premises, when fintech employees are themselves working in hybrid and remote modes and there is no longer a need to have them on-site to rectify systems that are completely cloud-based. There is a need for advocacy so that RBI gets a better understanding of the fintech ecosystem. The sandbox is probably not enough.
The REs shall require the service providers to develop and maintain a framework for BRP and DRP. REs shall develop a contingency plan under which the REs consider alternative service providers or bring the outsourced activity in-house during an emergency. The REs shall retain sufficient control over the outsourcing arrangement to mitigate the risk of sudden termination of an outsourcing agreement. The REs shall ensure that the information, documents and assets of the RE held by the service provider are isolated, so that in case of termination such information and assets can be removed from the service provider’s possession.
AKP Comments 1: The guidelines have an underlying tone suggesting that they hope to push REs to start developing their own tech capabilities. Examples include having a backup system available in-house in the event of failure of the service provider, or expecting a team of employees of the fintech to operate out of the RE’s premises when fintech employees are themselves working in hybrid and remote modes and there is no longer a need to have them on-site to rectify systems that are completely cloud-based.
AKP Comments 2: It is important for fintech agreements to have clear operating procedures on post-termination transition, transfer of customer data at the end of the contract and a business continuity plan that is practically enforceable. It is important for the tech teams and legal teams to collaborate to come up with meaningful contractual provisions.
To mitigate country risk, REs shall closely monitor government policies and the social, economic, political and legal conditions of the jurisdiction in which the service provider is based. The governing law of such agreements should be clearly specified, and such arrangements shall be made with companies that uphold their contractual clauses and agreements. REs and RBI shall have the right to conduct an audit of service providers based in foreign jurisdictions.
The service provider, if not a group company, shall not be owned or controlled by any director, Key Managerial Person or the approver of the outsourcing arrangement of the RE. The only exception is where such an arrangement is approved by the board and proper disclosure, oversight and monitoring of the arrangement are carried out.
Authored by:
Anuroop Omkar & Kritika Krishnamurthy
Founding Partners
AK & Partners
New Delhi, India
[1] RBI circular