Introduction:
Technology has fundamentally transformed the financial services industry, with many contemporary financial institutions (“FI”) adopting a digital-first or exclusively online business model. With third-party technology service providers handling critical functions for FIs as outsourced partners, regulators such as the Reserve Bank of India (“RBI”), the Securities and Exchange Board of India (“SEBI”) and the Insurance Regulatory and Development Authority of India (“IRDAI”) have issued their respective guidelines on outsourcing/ adoption of cloud services.[i] FIs are additionally required to comply with general data protection laws.[ii]
These guidelines mandate FIs to enter into outsourcing agreements that include certain clauses specified by the regulators. This brings the outsourced parties indirectly under the regulator’s purview through contractual obligations via the FI. Understanding the key considerations for financial institutions when outsourcing or relying on third parties is thus essential.
Key Contracting Considerations:
- Activities that should not be outsourced: FIs must not outsource core/ decision-making functions such as risk assessment and compliance with know your client (KYC) norms. Outsourcing does not absolve FIs of supervisory responsibilities.[iii]
- Vendor due diligence and oversight: FIs are required to undertake thorough vendor evaluation/ due-diligence, continuously monitor, and periodically audit their service providers.[iv] FIs may enforce this contractually via ‘right to audit’ clauses and regulatory pass-through obligations.
- Board oversight: The FI’s Board must put in place IT outsourcing policies and procedures, evaluating risks and materiality of such arrangements.[v] The RBI also requires the senior management of FIs to continuously monitor, mitigate, manage and report outsourcing risks and to ensure effective data confidentiality and timely redressal of customer grievances.[vi]
- Regulator’s access to the outsourced partner: Outsourcing agreements must enable regulators to have effective access to the service provider’s premises, infrastructure (physical and digital) and the FI’s data housed with the service provider.[vii]
- Data localisation: RBI, SEBI and IRDAI mandate FIs to contractually ensure that their service providers process and store the FI’s data locally in India.[viii] However, the RBI has recently allowed FIs, under its Digital Lending Directions, to process data outside India, provided that it is deleted from servers outside India and brought back to the country within 24 hours of processing.[ix]
- Collection of data: To align with the Digital Personal Data Protection Act, 2023, the RBI has introduced restrictions on blanket data collection, prescribing a need-based and consent-based regime and prohibiting access to mobile-phone resources such as files, media, call logs, etc.[x]
- Data confidentiality: FIs must contractually ensure that their service providers maintain strict confidentiality of data, including data of the FI’s customers,[xi] and segregate the FI’s data from any other data the service providers may hold.[xii]
- Cyber security: FIs must undertake cyber security risk assessment of service providers prior to any engagement and thereafter monitor them on an ongoing basis.[xiii] Additionally:
- SEBI has introduced the Cybersecurity and Cyber Resilience Framework (CSCRF), outlining mandatory controls and baseline security measures, which must be complied with by June 30, 2025;[xiv] and
- The RBI mandates that the security controls of a cloud-based application be equal to or exceed those of an on-premises application.[xv]
- Breach notification: FIs must contractually ensure that service providers notify them of material adverse events (e.g., data breaches, denial of service, service unavailability, etc.), which the FIs are then required to disclose to regulators and/ or CERT-In within stipulated timelines.[xvi]
- Termination and data portability: The agreement must contain obligations pertaining to seamless contract termination, return of FI’s data and data deletion post termination.[xvii] The agreement must also enable seamless portability of the FI’s data to alternative service providers.[xviii]
Conclusion:
Tech outsourcing by FIs requires meticulous contractual structuring to comply with the norms prescribed by sectoral regulators and general data protection laws. Increased regulatory oversight makes it imperative for FIs to have a unique approach toward technology contracting that is distinct from standard commercial contracts. Appropriate risk allocation and the higher standards of oversight and care required to conclude such contracts mean that FIs must navigate the process expertly while preserving commercial intent. Hence, given the complexity involved, the RBI and SEBI have prescribed that the terms and conditions governing the contract be carefully defined and vetted by the FI’s legal counsel for their legal effect and enforceability.[xix]
[i] RBI (Outsourcing of Information Technology Services) Directions, 2023 (“IT Outsourcing MD”); SEBI Circular dated March 06, 2023 on “Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)” (“SEBI Cloud Framework”); SEBI Circular dated August 20, 2024 on “Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)” (“CSCRF”); Master Circular on Operations and Allied Matters of Insurers dated June 19, 2024 and IRDAI (Protection of Policyholders’ Interests, Operations and Allied Matters of Insurers) Regulations, 2024 (“PPHI Regulations”); IRDAI Information and Cybersecurity Guidelines, 2023.
[ii] Such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act, 2023 (once in force)
[iii] Paragraph 2 of RBI’s Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs dated November 09, 2017; Paragraph 5 of SEBI Circular dated December 15, 2011 on Guidelines on Outsourcing of Activities by Intermediaries; Paragraph 21 of IRDAI’s Master Circular on Operations and Allied Matters of Insurers dated June 19, 2024 and Regulation 46 of the PPHI Regulations.
[iv] Paragraph 13 of the IT Outsourcing MD; Paragraph 5 of Annexure-1 of the SEBI Cloud Framework.
[v] Paragraph 10 of the IT Outsourcing MD; Paragraph 1(i) of Annexure-1 of the SEBI Cloud Framework.
[vi] Paragraph 11 of the IT Outsourcing MD.
[vii] Paragraph 16(b) of the IT Outsourcing MD; Paragraph 10 (viii) and (ix) of Annexure-1 of the SEBI Cloud Framework.
[viii] Paragraph 3(iii) of Annexure-1 of the SEBI Cloud Framework; Paragraph 16(g) of the IT Outsourcing MD; Annexure III of IRDAI’s Information and Cyber Security Guidelines dated April 24, 2023.
[ix] Paragraph 13(iv) of the Reserve Bank of India (Digital Lending) Directions, 2025 (“DL Directions”).
[x] Paragraph 12(i) of the DL Directions.
[xi] Paragraphs 5.2(f) and 7 of the SEBI Cloud Framework; Paragraph 16 of the IT Outsourcing MD.
[xii] Paragraph 5(iv)(2) of the SEBI Cloud Framework; Paragraph 14(g) of the IT Outsourcing MD.
[xiii] Paragraph 14(j) of the IT Outsourcing MD; Paragraph 8 of Annexure-1 of the SEBI Cloud Framework.
[xiv] Paragraph 2 of SEBI Circular dated March 28, 2025 on “Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)”.
[xv] Paragraph 6(c) to Appendix-I of the IT Outsourcing MD.
[xvi] Paragraph 16(d) of the IT Outsourcing MD; Paragraph 6.2.14 of Annexure-1 of the SEBI Cloud Framework.
[xvii] Paragraph 18(d) of the IT Outsourcing MD; Paragraph 6.1(vii) of Annexure-1 of the SEBI Cloud Framework.
[xviii] Paragraph 8(a)(ii) of Appendix–I of the IT Outsourcing MD; Paragraph 9(iii) of Annexure-1 of the SEBI Cloud Framework.
[xix] Paragraph 15(c) of the IT Outsourcing MD; Paragraph 7(ii) of Annexure-1 of the SEBI Cloud Framework.