RBI’s master directions on outsourcing to IT companies: Important clauses for the IT Outsourcing Agreement

I. Introduction

The Reserve Bank of India (RBI) on April 10, 2023, published a new set of regulatory guidelines titled Master Direction on Outsourcing of Information Technology Services (the “Master Direction”). The Master Direction sets out the framework under which regulated entities (REs) may outsource IT and IT-enabled services (ITeS).

With India’s IT sector developing rapidly, REs are increasingly relying on IT and ITeS to grow their business models and improve products and services for customers. This practice, however, poses risks, especially given the sensitive personal information about customers that is involved. Recognizing the potential risks to customer data in outsourced arrangements, the RBI has mandated compliance with the Master Direction with effect from October 1, 2023, to strengthen data protection and risk management in outsourcing by REs.

II. Applicability

The Master Direction applies to all Banking Companies, Corresponding New Banks, the State Bank of India, Primary Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies, EXIM Bank, the National Bank for Agriculture and Rural Development (NABARD), the National Bank for Financing Infrastructure and Development (NaBFID), the National Housing Bank (NHB), the Small Industries Development Bank of India (SIDBI), and All India Financial Institutions (AIFIs), with respect to material outsourcing of IT services.

It also extends to foreign banks operating in India in branch mode, on a “comply or explain” basis. This means a foreign bank may deviate from specific parts of the Master Direction, subject to review and acceptance by the RBI, provided it offers a reasonably justified explanation for each such deviation.

III. Compliance

To safeguard customers and ensure that the operations of REs are not impacted by any disruption in their IT services, the Master Direction sets out new roles and responsibilities for REs. First, it makes clear that by outsourcing IT services an RE does not absolve itself of responsibility for those services; the RE’s Board and Senior Management remain ultimately responsible for the outsourced activity.

IV. Grievance Redressal Mechanism and Outsourcing Policy

REs must also establish a reliable grievance redressal mechanism, allowing customers to seek resolution directly from the RE even where the service in question is outsourced. The Master Direction further requires REs to create and follow a comprehensive outsourcing policy approved by their Board of Directors. This policy must clearly set out the roles and responsibilities of the Board, Senior Management and the IT function in formulating and enforcing the policy’s standards. The Master Direction itself provides guidance on the essential roles and responsibilities to be incorporated.

V. Due Diligence on Service Providers

Once the outsourcing policy is approved, REs must undertake due diligence on potential service providers. This assessment goes beyond surface-level checks and includes evaluating the provider’s capability to fulfil obligations under the Master Direction. Due diligence should also examine legal and reputational aspects, among other critical factors. The resulting agreement should be flexible enough to allow the RE to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet its legal and regulatory obligations.

VI. Legally Binding Agreement

The Master Direction obligates REs to ensure that their own rights and obligations, and those of each IT service provider, are clearly defined and set out in a legally binding written agreement.

VII. Important Clauses to be Considered in the Outsourcing Agreement

Somewhat unusually, the Master Direction goes so far as to codify aspects of the outsourcing agreement itself. For example, Paragraph 16 lists essential aspects that an outsourcing agreement must include, such as details of the activity outsourced, the RE’s right of access to all data relevant to that activity, provisions for risk management, identification of material adverse events, and protocols for the reporting of cyber incidents. From this, one can identify the core clauses that must be present in any IT outsourcing agreement entered into under the Master Direction.

VIII. Important Clauses

(i) Definitions: Although the Master Direction defines some critical terms, any service agreement entered into under it must nonetheless define its own terms in a separate clause. This gives the parties, and any court or adjudicator in the event of a dispute, clarity on the meaning of the terms used in the agreement. In an IT outsourcing agreement, terms such as “Applicable Laws”, “Services”, “Service Level(s)”, “Confidential Information”, “Customer Data” and “Effective Date”, among others, must be defined. Examples of such definitions:

(a) “Applicable Laws” means all laws, ordinances, statutes, rules, orders, decrees, judgments, injunctions, licenses, permits, approvals, authorizations, consents, waivers, privileges, agreements and regulations of any Indian governmental authority having jurisdiction over the relevant matter, including the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 issued by the Reserve Bank of India on April 10, 2023, the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks dated November 03, 2006, and the Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016 issued on September 01, 2016, each as may be amended, modified, enacted or revoked from time to time hereafter. [KG Comment: It is recommended to specify the exact guidelines/master directions in the definition of applicable laws for clarity.]

(b) “Confidential Information” means any and all information and materials of whatever nature that is conveyed, disclosed, or provided in relation to this Agreement by either Party to the other, or otherwise acquired or observed by a Party, whether oral (reproduced in writing within 7 days of oral disclosure), written, or in any other medium, including but not limited to business, technical and financial information, Customer Data, procurement requirements, customer lists, marketing plans, experimental work, designs, specifications, engineering details, patents, copyrights, trade secrets, proprietary methodologies, construction plans, building designs, architectural sketches, models, inventions, know-how and techniques, the concept, scope, technologies and features of the Project/Services, materials procurement strategies, safety measures, any commercially valuable information, any information of a third party provided by a Party, and/or any other information provided to a Party by the other in connection with this Agreement. [KG Comment: This definition should always be inclusive and can be amended based on the nature of the information disclosed.]

(c) “Customer Data” means: (a) any and all data and/or databases owned or controlled by the Company; (b) any and all information, data and details of the Company’s officers, directors, employees, agents, consultants, vendors, service providers, customers and clients; and (c) any and all data (including any personal data, as defined in the applicable data protection legislation) and information relating to the Company and any of its operations, facilities, personnel, assets and programs, in each case which may be delivered or provided to, generated by, or otherwise used or processed by the Service Provider, or which may otherwise come into the possession or control of the Service Provider and/or its personnel, in whatever form that data and information may exist and of whatever nature, including text, drawings, diagrams, images and sounds.

(d) “Services” shall mean the IT services and support services performed by the Service Provider under the Agreement, as more fully specified in Exhibit A. [KG Comment: It is important to identify the services clearly, and it is recommended that they be specified in a separate service-related annexure.]

(e) “Service Levels” shall mean the specific, measurable standards of performance for the Services provided by the Service Provider under the Agreement, as more fully specified in Exhibit B. [KG Comment: The service levels cover aspects such as uptime, downtime, severity levels and their classification, response time, resolution time, escalation matrix, point of contact, service credits and more.]

(ii) Scope of Work: As per the Master Direction, an IT outsourcing agreement should also clearly stipulate the service provider’s scope of work. This delineates the responsibilities of the service provider and makes it easier to describe the RE’s oversight and supervisory obligations. Within the same clause, the agreement can also stipulate a high standard of service that does not damage the RE’s reputation, which the RBI considers extremely important given that consumer trust underpins the stability of financial institutions. The clause may also state the deliverables and specifications that standardise the performance criteria. [KG Comment: The SOW is a document typically negotiated and worked upon by business, finance and technical team members. However, the SOW may also contain legal clauses pertaining to payment details, deliverable timelines etc., which should be clearly outlined.]

(iii) Incidents to be reported: The Master Direction also makes clear that, in order to mitigate the risk posed by outsourcing IT services, the RE must have knowledge of any ‘material adverse events’ so that it can take risk mitigation measures and comply with regulatory requirements; in particular, an RE is required to report a cyber incident to the RBI within 6 hours. In addition, the RE remains responsible for its IT services as they impact customers, regardless of the outsourcing. A clause obliging the service provider to report any adverse event also allows the RE’s internal IT team to put in place a stopgap solution that limits the impact of the event on customers. A sample clause is provided below:

(a) “In case of a material adverse event, the Service Provider shall notify the Company of the same promptly and without undue delay. Material adverse events include, but are not limited to, breaches of the Service Provider’s servers, service unavailability or inconsistency, denial of service, breach of Customer Data including data breaches, theft, leakage, loss or unauthorized use of data, DDoS attacks, or other technical issues which impede the provision of the Services.

(b) Once the Service Provider becomes aware of a material adverse event, the Service Provider shall immediately take steps to rectify the damage caused by the event and to enable the Company to resume usual business operations. In doing so, the Service Provider shall regularly update the Company’s IT team and work in conjunction with it.”

(iv) Confidentiality and Data Security: One of the main risks the RBI sought to mitigate by issuing the Master Direction was the risk that unregulated outsourcing poses to customers’ data. Service providers, by virtue of maintaining the IT infrastructure of an RE, have broad access to customer and employee data. A breach of the provider’s systems or servers could therefore put large volumes of sensitive data in the hands of bad actors. As a result, an IT outsourcing agreement must contain a clause that reflects the criticality of protecting the RE’s data while it is in the service provider’s hands. Such a clause should address the storage of data and compliance with Indian legislation dealing with personal data, such as the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDPA). Similarly, the agreement should oblige the service provider to give the RE details of the data it stores and processes, and the RE must retain a means of controlling the confidentiality of its own and its customers’ data. Within this group, a clause requiring non-disclosure of the RE’s information held by the service provider may also be included. Confidentiality clauses may be drafted as follows:

(a) “The Service Provider shall ensure that it implements an appropriately robust security protocol for the Company’s Confidential Information. Without prejudice to the rest of the terms of the Agreement, the Service Provider shall ensure that the Company’s Confidential Information is handled, processed and stored at all times in a manner consistent with the IT security standards required under the Applicable Laws or as may be required by the Company. The Service Provider shall protect Confidential Information from unauthorised use, access and interference while such data is in the Service Provider’s possession and when it is in transit across a network (whether public or private). The Service Provider shall not retain Customer Data for longer than necessary for the provision of the Services.

(b) The Service Provider shall implement strict and adequate security, technical and organisational measures in respect of the integrity and confidentiality of the Company Data whilst in its possession, to ensure that the Company Data will not be recorded, disclosed, processed, deleted, altered, used or otherwise tampered with in an unauthorised or accidental manner, and to protect the Company Data in accordance with the relevant data protection legislation. The Service Provider shall segregate and keep separately all information, documents and records pertaining to the Services, the Company and the customers of the Company.

(c) The Company shall at all times be able to inspect the data collected and to manage such data, including modifying or deleting it, as it sees fit. The Service Provider shall ensure that the Company has this ability and shall not interfere with the Company’s exercise of it.”

(v) Supervision and Monitoring: Arguably the biggest impact of the RBI’s new Master Direction is that it requires an RE to monitor its service provider and to take ultimate responsibility for the service provider’s actions. With that in mind, the part of the agreement that formalises supervision and monitoring of the service provider is a critical one. The Master Direction places a positive obligation on the RE in this respect, and the agreement must reflect that. Beyond creating and following an outsourcing policy, for example, the Board and Senior Management of the RE must create a framework to assess the performance of the service provider. Key supervision clauses should include the RE’s right to audit the service provider, or to engage an external auditor for this purpose, to ensure that the service provider is fulfilling the agreement and not adversely impacting the RE’s business. The RBI must also have access to the RE’s IT infrastructure and to any information held by the service provider for its own assessments. The agreement may further include provisions describing the RE’s internal structure for monitoring outsourced services and conducting risk assessments. An example of a general supervision clause is provided below:

(a) “The Service Provider acknowledges and agrees that the Company, the RBI and/or any other regulatory authority shall have the unequivocal right to monitor, supervise, review and conduct audits or inspections of the Service Provider’s facilities and operations in any jurisdiction where the Service Provider operates. The Service Provider shall allow the Company, the RBI or their appointed agents/representatives full access to all relevant data, information, premises and personnel to conduct an audit of the outsourced Services. Such audits shall be conducted regularly and with prior notice to the Service Provider, as the Company or the RBI may deem fit. The audit or inspection may include access to the Company’s IT infrastructure, employee data, customer data, documents or other Company information stored and processed by the Service Provider, or any other information that the Company or the RBI deems relevant to the Services. The Service Provider shall also comply with all directions issued by the RBI in relation to the outsourced Services.

(b) The Service Provider shall keep complete and accurate books, records and information of all operations and expenses in connection with the Services provided to the Company. The Service Provider agrees to keep all such records for a minimum period of 10 (ten) years, or such longer period as may be stipulated under the Applicable Laws or notified by the Company or the RBI from time to time.”

(vi) Business Continuity: As per the Master Direction, REs must include a robust contingency planning clause in their outsourcing agreements. This requirement is aimed at ensuring business continuity in case of disruption or failure on the part of the service provider. The clause should detail the measures the service provider will undertake to restore services and minimise the impact on the RE’s operations. The agreement must also specify periodic testing to verify the effectiveness of the contingency plans, so that both the RE and the service provider are prepared for unforeseen scenarios. This proactive approach mitigates the operational risks of outsourcing and keeps critical services resilient and responsive to disruption. An example of a general business continuity clause is provided below:

“The Service Provider shall develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures in relation to the Services. The Service Provider shall periodically test such business continuity and recovery plan. The Company shall be entitled to conduct joint testing and recovery exercises with the Service Provider. The Company shall be entitled to intervene and take such appropriate measures as it deems fit in the event the performance of the Services by the Service Provider is interrupted for any reason whatsoever.”

IX. Conclusion

All in all, the new RBI Master Direction on outsourcing of IT services is a welcome development that addresses the risks arising from extensive outsourcing. It applies specifically to REs, most of which are financial institutions. It introduces several positive obligations for REs, such as the requirement to draft an outsourcing policy and to assess the necessity of outsourcing in the first place, and it requires the inclusion of specific clauses in outsourcing agreements between REs and IT service providers. Some of these clauses, like definitions and scope of work, are standard in most agreements but remain crucial. Others, like the supervision/monitoring and confidentiality clauses, are shaped directly by the Master Direction and reflect the changing regulatory landscape of both outsourcing by financial institutions and the IT industry. These clauses are critical to an IT outsourcing agreement and must be present in every such agreement.

Disclaimer: The information provided in this article is for general informational purposes only and should not be construed as legal advice. The content is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act upon this information without seeking professional counsel.
