Master Directions

RBI/DOR/2025-26/318
DOR.ORG.REC.No.237/21-04-158/2025-26

November 28, 2025

Reserve Bank of India (Rural Co-operative Banks – Managing Risks in Outsourcing) Directions, 2025

In exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, as amended vide Banking Regulation (Amendment) Act 2020 (39 of 2020), and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest so to do, hereby, issues the Directions hereinafter specified.

Chapter I – Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Rural Co-operative Banks - Managing Risks in Outsourcing) Directions, 2025.

2. These Directions shall come into force with immediate effect.

B. Applicability and Scope

3. These Directions shall be applicable to all Rural Co-operative Banks, hereinafter collectively referred to as 'RCBs' and individually as an 'RCB'.

For the purpose of these Directions, ‘Rural Co-operative Banks’ mean State Co-operative Banks and Central Co-operative Banks, as defined in the National Bank for Agriculture and Rural Development Act, 1981.

4. These Directions apply to outsourcing arrangements entered in by an RCB with a service provider, located in India or elsewhere, for outsourcing of financial services like applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing, and back office related activities.

5. These Directions shall not apply to outsourcing of activities unrelated to banking services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records.

C. Definitions

6. In these Directions, unless the context otherwise requires,

(1) 'Outsourcing' means use of a third party by the RCB to perform activities on a continuing basis that would normally be undertaken by the RCB itself, now or in the future. 'Continuing basis' shall include agreements for a limited period.

(2) ‘Material Outsourcing’ means arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation, or profitability of an RCB. ‘Materiality’ of outsourcing shall be based on the:

(i) level of importance to the RCB of the activity being outsourced as well as the significance of the risk posed by the same;

(ii) potential impact of the outsourcing on the RCB on various parameters such as earnings, solvency, liquidity, funding capital, and risk profile;

(iii) likely impact on the RCB’s reputation and brand value, and ability to achieve its business objectives, strategies and plans, should the service provider fail to perform the service;

(iv) cost of the outsourcing as a proportion of total operating costs of the RCB;

(v) aggregate exposure to that particular service provider, in cases where the RCB outsources various functions to the same service provider; and

(vi) significance of activities outsourced by RCB in the context of customer service and protection.

7. All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or the Companies Act, 2013 and Rules made thereunder, or any statutory modification or re-enactment thereto, or Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

Chapter II – Role of the Board

8. The outsourcing of any activity by an RCB does not diminish its obligations, and those of its Board and Managing Director (MD) / Chief Executive Officer (CEO) along with the Senior Management, who have the ultimate responsibility for the outsourced activity.

A. Board-Approved Policy

9. An RCB intending to outsource any of its financial services shall put in place a comprehensive Board-approved outsourcing policy, the coverage of which is indicated in paragraph 16.

B. Key responsibilities

10. The Board shall be responsible for putting in place a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements, laying down appropriate approval authorities depending on risks and materiality, and undertaking regular review. It shall be responsible, inter alia, for:

(i) approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements, and the policies that apply to such arrangements;

(ii) laying down appropriate approval authorities for outsourcing depending on risks and materiality;

(iii) undertaking regular review of the framework for its efficacy and updating the same to ensure that the outsourcing strategies and arrangements have continued relevance, effectiveness, safety, and soundness;

(iv) deciding on business activities of a material nature to be outsourced and approving such arrangements;

(v) assessing management competencies to develop sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements;

(vi) setting up suitable administrative framework of management;

(vii) reviewing records of all material outsourcing on half-yearly basis;

(viii) ensuring that a robust system of internal audit of all outsourced financial activities is put in place and monitoring the same; and

(ix) ensuring submission of an Annual Compliance Certificate giving the particulars of contracts for outsourcing of financial services, the prescribed periodicity of audit by internal / external auditor, major findings of the audit, and action taken, to NABARD.

Chapter III – Outsourcing of Financial Services

A. Activities that shall not be outsourced

11. An RCB which chooses to outsource financial services shall however not outsource core management functions including policy formulation, Internal Audit and compliance, compliance with KYC norms, credit sanction, and management of investment portfolio.

Provided that with respect to Internal Audit, where required, experts, including former employees, could be hired on a contractual basis subject to:

(i) the Audit Committee of Board (ACB) / Board being assured that such expertise does not exist within the audit function of the RCB;

(ii) any conflict of interest in such matters being recognised and effectively addressed; and

(iii) ownership of audit reports in all cases resting with regular functionaries of the internal audit function.

B. Authorisation, Accountability, and Oversight

12. An RCB, which desires to outsource financial services, shall not require prior approval from RBI / NABARD. However, such arrangements shall be subject to on-site / off-site monitoring and inspection / scrutiny, by RBI / NABARD.

13. As stated in paragraph 8 of these Directions, the outsourcing of any activity by an RCB shall not diminish its obligations including to its customers and RBI / NABARD, and those of its Board and MD / CEO along with the Senior Management, who have the ultimate responsibility for the outsourced activity. An RCB shall, therefore, be responsible for the actions of its service provider including Business Correspondent (BC) and its retail outlets / sub-agents and the confidentiality of information pertaining to the customers that is available with the service provider. An RCB shall retain ultimate control of the outsourced activity.

14. An RCB shall ensure that:

(i) all relevant laws, regulations, rules, guidelines, and conditions of approval, licensing or registration have been considered when performing due diligence in relation to outsourcing;

(ii) outsourcing, whether the service provider is located in India or outside, does not impede RBI / NABARD in carrying out its regulatory / supervisory functions and objectives and diminish the ability of an RCB to fulfil its obligations to the regulator / supervisor;

(iii) outsourcing, whether the service provider is located in India or outside, does not impede or interfere with the ability of an RCB to effectively oversee and manage its activities, and fulfil its obligations;

(iv) outsourcing would not result in the compromise or weakening of an RCB’s internal control, business conduct, or reputation;

(v) the service provider employs the same high standard of care in performing the services as would be employed by the RCB, if the activities were conducted within the RCB and not outsourced; and

(vi) the service provider shall not be owned or controlled by any director or officer / employee of the RCB or their relatives having the same meaning as assigned under Companies Act, 2013 and the Rules framed thereunder, as amended from time to time.

15. An RCB shall be responsible for filing Currency Transactions Reports (CTRs) and Suspicious Transactions Reports (STRs) to FIU or any other competent authority in respect of its customer related activities carried out by the service provider.

C. Governance Framework

C.1 Outsourcing Policy

16. An RCB intending to outsource any of its financial services shall put in place a comprehensive outsourcing policy, approved by its Board, which shall incorporate, inter alia, the following:

(i) criteria for selection of such activities and the service providers;

(ii) parameters for defining ‘material outsourcing’ based on the broad criteria indicated in paragraph 6(2) of these Directions;

(iii) delegation of authority depending on risks and materiality; and

(iv) systems to monitor and review these activities.

C.2 Role of Senior Management

17. The MD / CEO and Senior Management of an RCB shall, inter alia, be responsible for:

(i) evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;

(ii) developing and implementing sound and prudent outsourcing policy and procedures commensurate with the nature, scope and complexity of the outsourcing;

(iii) reviewing periodically the effectiveness of policies and procedures;

(iv) communicating information pertaining to material outsourcing risks to the Board in a timely manner;

(v) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;

(vi) ensuring that there is independent review and audit for compliance with set policies; and

(vii) undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks.

D. Risk Management

D.1 Evaluation of the Risks

18. An RCB shall evaluate and guard against the following key risks when entering into outsourcing arrangements:

(i) Strategic Risk – such as where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the RCB.

(ii) Reputation Risk – such as where the service provider delivers poor service or its customer interactions are inconsistent with the overall standards of the RCB, or it fails to preserve and protect confidential customer information.

(iii) Compliance Risk – such as where, owing to outsourcing, the privacy, consumer, and prudential laws are not adequately complied with.

(iv) Operational Risk – which may arise due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations or to provide remedies.

(v) Legal Risk – where an RCB is subjected to, inter alia, fines, penalties, or punitive damages resulting from supervisory actions, or private settlements due to omissions and commissions by the service provider.

(vi) Exit Strategy Risk – may arise when an RCB becomes overly reliant on one service provider, loses relevant internal skills preventing it from bringing the activity back in-house, or enters into contracts that make speedy exits prohibitively expensive.

(vii) Counterparty Risk – such as where the service provider engages in inappropriate underwriting or credit assessments.

(viii) Country Risk – where the political, social, or legal climate creates added risk in the outsourcing arrangement.

(ix) Contractual Risk – where the RCB may not have the ability to enforce the contract with the service provider.

(x) Concentration and Systemic Risk – where there is a lack of control of an RCB over a service provider, more so when overall banking industry has considerable exposure to one service provider.

D.2 Confidentiality and Security of Information

19. An RCB shall seek to ensure the security, preservation, and protection of the customer information in the custody of the service provider.

20. Access to customer information by a service provider or its staff shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

21. An RCB shall review and monitor the security practices and control processes of its service providers on a regular basis and require the service provider to disclose security breaches.

22. In instances, where a service provider acts as an outsourcing agent for multiple entities, care shall be taken to build strong safeguards so that there is no comingling or combining of information, documents, records, and assets.

23. An RCB shall ensure that its service providers are able to isolate and clearly identify the RCB’s customer information, documents, records, and assets to protect the confidentiality of the information.

24. An RCB shall immediately notify RBI / NABARD in the event of breach of security and leakage of confidential customer related information. In these eventualities, the RCB shall be liable to its customers for any damage.

E. Outsourcing Process

E.1 Service Provider Evaluation

25. An RCB shall perform appropriate due diligence while considering or renewing an outsourcing arrangement, to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis.

26. The due diligence mentioned above shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:

(i) qualitative, quantitative, financial, operational, legal, and reputational factors;

(ii) risks arising from undue concentration, if outsourcing to a single service provider or a limited number of service providers;

(iii) past experience, and demonstrated competence to implement and support the proposed activity over the contracted period;

(iv) financial soundness and ability to service commitments even under adverse conditions;

(v) business reputation and culture, compliance, complaints, and outstanding or potential litigation;

(vi) quality of due diligence exercised by service provider of its employees and sub-contractors;

(vii) security and internal control, audit coverage, reporting and monitoring procedures, and business continuity management;

(viii) external factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance; and

(ix) ability to effectively service all the customers with confidentiality, especially where a service provider has exposure to multiple entities.

27. Where possible, an RCB shall obtain independent reviews and market feedback on the service provider to supplement the findings of its own due diligence.

28. An RCB shall also evaluate whether the systems of its service provider are compatible with those of the RCB and acceptability of standards of performance including in the area of customer service.

E.2 Outsourcing Agreement

29. An RCB shall ensure that the terms and conditions governing the outsourcing arrangement are carefully defined in written agreements and vetted by the RCB’s legal counsel on their legal effect and enforceability. The agreement shall appropriately reckon the associated risks and the strategies for mitigating or managing them. The RCB shall ensure that such an agreement is sufficiently flexible to allow the RCB to retain an appropriate level of control over the outsourcing, and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent-principal or otherwise.

30. Some of the key provisions of the agreement shall include:

(i) details of the activities being outsourced including Service Level Agreements (SLAs) to agree and establish accountability for performance expectations. SLAs shall clearly formalise the performance criteria to measure the quality and quantity of service levels;

(ii) access by the RCB to all books, records, and information relevant to the outsourced activity available with the service provider;

(iii) regular and continuous monitoring and assessment by the RCB of the service provider for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately;

(iv) prior approval / consent of the RCB for use of subcontractors by the service provider for all or part of an outsourced activity. Before according the consent, an RCB shall review the subcontracting arrangement and ensure that these arrangements are compliant with these Directions;

(v) controls for maintaining confidentiality of data of the RCB and its customers, and incorporating service provider’s liability to the RCB in the event of security breach and leakage of such information;

(vi) contingency plan(s) to ensure business continuity;

(vii) right of the RCB to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the RCB;

(viii) right of RBI / NABARD or persons authorised by it to access the RCB’s documents, records of transactions, logs, and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats;

(ix) right of the NABARD to cause an inspection of a service provider of an RCB and its books and accounts by one or more of its officers or employees or other authorised persons;

(x) a termination clause and minimum period for executing termination;

(xi) provision that confidentiality of customers’ information shall be maintained even after the contract expires, or gets terminated; and

(xii) provision to ensure that the service provider preserves documents and data in accordance with legal and regulatory obligations of the RCB and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

E.3 Monitoring and Control of Outsourced Activities

31. An RCB shall have in place a management structure to monitor and control its outsourced activities and shall ensure that outsourcing agreements with service providers contain provisions to address the same.

32. An RCB shall maintain a central record of all material outsourcing of financial services for review by its Board and MD / CEO along with the Senior Management. The records shall be updated promptly, and half yearly reviews shall be placed before the Board.

33. Regular audits, at least annually, by either the internal auditors or external auditors of an RCB shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the RCB’s compliance with its risk management framework, and the requirements of these Directions.

34. An RCB shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience or business continuity preparedness.

35. Certain services might involve reconciliation of transaction between an RCB, its service provider, its subcontractors. In such cases, the RCB shall ensure that reconciliation of transactions between itself and the service provider (and its subcontractors) are carried out as advised in RBI guidelines on Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019, as applicable and as amended from time to time.

E.4 Business Continuity and Management of Disaster Recovery Plan

36. An RCB shall require its service providers to develop and establish a robust framework for documenting, maintaining, and testing business continuity and recovery procedures. It shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider joint testing and recovery exercises with its service provider at mutually agreed frequency, but at least annually.

37. In establishing a viable contingency plan, an RCB shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.

38. An RCB shall ensure that its service providers are able to isolate the RCB’s information, documents, and records, and other assets so that in adverse conditions or termination of the agreement, all documents, records of transactions and information given to the service provider and assets of the RCB can be removed from the possession of the service provider (in order to enable the RCB to continue its business operations), deleted, destroyed, or rendered unusable.

39. In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency or liquidation of its service provider, an RCB shall retain an appropriate level of control over its outsourcing arrangement along with the right to intervene with appropriate measures to continue its business operations without incurring prohibitive expenses and disruption in the operations of the RCB and its services to the customers.

E.5 Termination

40. If the services of a service provider are terminated by an RCB, then it shall:

(i) publicise the same by displaying at a prominent place in its branches and by posting it on the website so as to ensure that its customers do not continue to deal with the service provider; and

(ii) inform Indian Banks’ Association (IBA) of the reasons for termination to enable IBA to maintain a caution list of such service providers for sharing among banks.

F. Specific Outsourcing Arrangements

F.1 Offshore outsourcing

41. In principle, outsourcing arrangements shall only be entered into with parties operating in jurisdictions that uphold confidentiality agreements and clauses

42. While engaging with service provider(s) in a foreign country, an RCB shall:

(i) closely monitor government policies of the jurisdiction in which the service provider is based and political, social, economic, and legal conditions, both during the risk assessment and on a continuous basis, and establish sound procedures for dealing with country risk. This includes having appropriate contingency and exit strategies;

(ii) clearly specify the governing law of the outsourcing arrangement;

(iii) ensure that the availability of records to the RCB and the RBI / NABARD will not be affected even in case of liquidation of the service provider or offshore custodian;

(iv) ensure activities outsourced outside India are conducted in a manner so as not to hinder efforts to supervise or reconstruct the activities of the RCB in a timely manner;

(v) ensure that, where the offshore service provider is a regulated entity, the relevant offshore regulator will neither obstruct the arrangement nor object to the NABARD’s inspection or RBI / NABARD’s visits or visits of RCB’s internal or external auditors;

(vi) ensure that the regulatory authority of the offshore location does not have access to the data relating to Indian operations of the RCB simply on the ground that the processing is being undertaken there;

(vii) ensure that the jurisdiction of the courts in the offshore location where data is maintained does not extend to the operations of the RCB in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and

(viii) ensure that all original records continue to be maintained in India.

43. The overseas outsourcing operations of an RCB shall be governed by both, these Directions and the host country guidelines, and in case there are differences, the more stringent of the two shall prevail. However, where there is any conflict, the host country guidelines shall prevail.

G. Redressal of Grievances related to Outsourced Services

44. Outsourcing arrangements entered into by an RCB shall not affect the rights of its customers against the RCB, including the ability of the customers to obtain redressal as applicable under relevant laws.

45. In cases where customers are required to deal with a service provider in the process of dealing with an RCB, it shall incorporate a clause in the corresponding product literature, and brochures, stating that services of the service provider, including in sales, and marketing, of the products may be used. The role of the service provider may be indicated in broad terms.

46. An RCB shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RCB. In case of microfinance loans, a declaration that the RCB shall be accountable for inappropriate behaviour by its employees or employees of the outsourced agency and shall provide timely grievance redressal, shall be made in the loan agreement, and in the Fair Practices Code (FPC) displayed in its office / branch premises / website.

47. In addition to the above:

(i) an RCB shall constitute Grievance Redressal Machinery in accordance with the provisions of Reserve Bank of India (Rural Co-operative Banks - Responsible Business Conduct) Directions, 2025 and give wide publicity about it within the bank through electronic and print media and also by placing the information on its website;

(ii) the name and contact number of designated grievance redressal officer of the RCB shall be made known and widely publicised. The designated officer shall ensure that genuine grievances of customers are redressed promptly without involving delay. It shall be clearly indicated that RCB’s Grievance Redressal Machinery will also deal with the issues relating to services provided by the service provider;

(iii) the grievance redressal procedure of the RCB and the time frame for responding to the complaints (maximum 30 days) shall be placed on the RCB’s website; and

(iv) if a complaint is rejected wholly or partly by an RCB, and the complainant is not satisfied with the reply or does not get any reply within 30 days, after the RCB received the complaint, the complainant shall have the option of approaching the Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI for redressal of their grievance(s).

Chapter IV – Repeal and Other Provisions

A. Repeal and saving

48. With the issue of these Directions, the existing Directions, instructions, and guidelines relating to outsourcing of financial services, as applicable to RCBs, stand repealed, as communicated vide circular DOR.RRC.REC.302/33-01-010/2025-26 dated November 28, 2025. The Directions, instructions, and guidelines repealed prior to the issuance of these Directions shall continue to remain repealed.

48. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed Directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions. Further, the repeal of these Directions, instructions, or guidelines shall not in any way prejudicially affect:

(1) any right, obligation or liability acquired, accrued, or incurred thereunder;

(2) any, penalty, forfeiture, or punishment incurred in respect of any contravention committed thereunder;

(3) any investigation, legal proceeding, or remedy in respect of any such right, privilege, obligation, liability, penalty, forfeiture, or punishment as aforesaid; and any such investigation, legal proceedings or remedy may be instituted, continued, or enforced and any such penalty, forfeiture or punishment may be imposed as if those directions, instructions, or guidelines had not been repealed.

B. Application of other laws not barred

49. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

50. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, the RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by the RBI shall be final and binding.

(Sunil T S Nair)
Chief General Manager