Draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services

Draft Master Direction for Comments

All Commercial Banks (including Local Area Banks, Regional Rural Banks, Payments Banks, and Small Finance Banks)
All-India Financial Institutions (viz. Exim Bank, NABARD, NHB, SIDBI, and NaBFID)
All Non-Banking Financial Companies including Housing Finance Companies (HFCs)
All Urban Co-operative Banks, State Co-operative Banks, and Central Co-operative Banks
All Credit Information Companies

Master Direction - Reserve Bank of India
(Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023

Regulated Entities (REs) are increasingly using outsourcing as a means for reducing costs as well as for availing specialist expertise not available internally. Outsourcing of a permissible activity is an operational decision of REs, but it exposes them to various risks which need to be managed. The directions on managing these risks have been incorporated in the enclosed Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023.

2. These Directions have been prepared by incorporating, updating and where required, harmonizing the extant directions/guidelines/instructions to enable REs to have all current instructions on outsourcing of financial services at one place for reference.

3. These Directions are being issued in exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, Section 45L of the Reserve Bank of India Act, 1934, Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions/laws enabling the Reserve Bank of India in this regard.

Yours faithfully,

(Sunil T S Nair)
Chief General Manager

Draft Master Direction - Reserve Bank of India
(Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023

In exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, Section 45L of the Reserve Bank of India Act, 1934, Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions/laws enabling the Reserve Bank of India in this regard, the Reserve Bank of India being satisfied that it is necessary and expedient in the public interest to do so, hereby, issues the Directions hereinafter specified.

Chapter – I
Short Title and Commencement

1. Preliminary

These Directions shall be called the Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023.

2. Applicability

2.1 These Directions shall be applicable to the following entities, unless specifically mentioned otherwise:

  1. All Commercial Banks [including Local Area Banks (LABs), Regional Rural Banks (RRBs), Payments Banks (PBs), and Small Finance Banks (SFBs)];

  2. All-India Financial Institutions (AIFIs) (viz. Exim Bank, NABARD, NHB, SIDBI, and NaBFID);

  3. All Non-Banking Financial Companies (NBFCs) including Housing Finance Companies (HFCs);

  4. All Urban Co-operative Banks (UCBs), State Co-operative Banks (StCBs), and Central Co-operative Banks (CCBs); and

  5. All Credit Information Companies (CICs).

2.2 These Directions are concerned with managing risks and code of conduct in outsourcing of financial services. These Directions are not applicable to technology-related aspects and activities not related to banking/financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, etc. An illustrative list of financial outsourcing arrangements to which these Directions are applicable is provided in Annex I.

2.3 These Directions shall apply mutatis mutandis to subcontracted activities, as well.

3. Purpose

The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervisory authority. REs desirous of outsourcing of financial services shall not require prior approval from the Reserve Bank of India (RBI). However, such arrangements shall be subject to on-site/off-site monitoring and inspection/scrutiny by the supervisory authority.

4. Definitions

For the purpose of these Directions, the following definitions shall apply:

4.1 “Material outsourcing arrangement” means an outsourcing arrangement which–

(i) in the event of failure of service or breach of security, has the potential to either materially impact an RE’s–

(a) business operations, reputation, strategies, or profitability; or

(b) ability to manage risk and comply with applicable laws and regulations, or

(ii) in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on the RE’s customers.

4.2 “Outsourcing” refers to an RE’s use of a third party (either an affiliated entity within a group or an external entity) to perform activities that would normally be undertaken by the RE itself on a continuing basis, now or in the future.

‘Continuing basis’ would include agreements for a limited period. This means REs shall not enter into perpetual agreements[1].

4.3 “Regulated Entities” (REs) refers to the entities mentioned in paragraph 2.1.

4.4 "Service provider" means the provider of financial services who may either be a member of the group to which the RE belongs, or an unrelated party. It also includes sub-contractors to whom the service providers may further outsource some activity.

4.5 “Supervisory Authority” means,

(i) RBI in case of Commercial Banks (including LABs, PBs, SFBs, and UCBs), NBFCs, CICs, and AIFIs.

(ii) NABARD in case of StCBs, CCBs, and RRBs.

(iii) NHB in case of HFCs.

All other words or expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or The Credit Information Companies (Regulation) Act, 2005 or Companies Act 2013 and rules/regulations made thereunder.

Activities that shall not be outsourced

5. REs shall not outsource core management functions including policy formulation, decision-making functions like determining compliance with KYC norms, according sanction for loans [i.e. an RE shall take a final call on extending credit to any particular customer irrespective of whether a service provider is involved or not in the process. Further, if the RE follows a template structure for sanctioning loans through a service provider as per a pre-decided criterion (that is approved by the Board of the RE), the RE should demonstrate to the supervisor that the lending call/ decision to lend was solely taken by the RE and the role of the service provider is only that of a facilitator], management of investment portfolio, compliance function, and internal audit function[2].

Material Outsourcing

6. Materiality of outsourcing would be based on the following criteria, which should be considered on a gross basis, i.e., prior to application of any risk mitigants or controls:

  1. the level of importance to the RE of the activity being outsourced as well as the significance of the risk posed by the same;

  2. the potential impact of the outsourcing by the RE on various parameters such as earnings, solvency, liquidity, capital and risk profile;

  3. the potential impact on the RE’s brand value and reputation, and its ability to achieve business objectives, plans, and strategies should the service provider fail to perform the service;

  4. the cost of the outsourcing as a proportion of total operating costs of the RE;

  5. the aggregate level of dependency to that particular service provider, in cases where the RE outsources various functions to the same service provider;

  6. the significance of activities outsourced in context of customer service and protection;

  7. the degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house; and

  8. impact on the RE’s counterparties and the financial market, should the service provider fail to perform the service.

7. The criteria as mentioned in paragraph 6, however, shall not preclude other outsourcing activities as determined by the RE from being classified as material outsourcing.

Regulatory and Supervisory Requirements and Role of REs

8. The supervisory authority, during the course of Inspection, shall review the implementation of these Directions, including an assessment of the quality of related risk management systems, particularly in respect of material outsourcing.

9. The regulatory and supervisory requirements and role of REs inter alia include the following:

(i) The REs shall consider all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, when performing its due diligence in relation to outsourcing.

(ii) The outsourcing of any activity by an RE does not diminish its obligations, as also that of its Board / Senior Management, who have the ultimate responsibility for the outsourced activity. REs shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would be employed by the REs, if the activities were conducted by the REs and not outsourced. Accordingly, REs shall not engage in outsourcing of any activity that would result in their internal control, business conduct or reputation being compromised or weakened.

(iii) REs shall establish an inventory of services provided by the service providers (including key entities involved in their supply chains) to map their dependency on third parties and periodically evaluate the information they receive from the service providers.

(iv) REs shall be responsible not only for the actions of their service provider but also of their sub-agents engaged in the context of outsourced activity. They shall also be responsible for the confidentiality of customer information available with the service provider and retain ultimate control of the outsourced activity.

(v) REs shall ensure that the service provider shall neither impede/interfere with the ability of the RE to effectively oversee and manage its activities nor impede the supervisory authority in carrying out the supervisory functions and objectives.

(vi) REs shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives. The terms control, director, key managerial personnel, and relative have the same meaning as assigned under respective Directions issued for the REs. However, an exception to this requirement may be made with the approval of Board or a Committee of the Board, followed by appropriate disclosure.

(vii) REs shall have a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing i.e. responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RE.

(viii) Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws. As, in the process of dealing with the REs, the customers are required to deal with the service providers, REs shall incorporate a clause in the product literature /brochures etc., stating that they may use the services of agents in sales/marketing, etc. of the products. The role of agents may also be indicated in broad terms.

Risk Management Practices for Outsourcing

10. Outsourcing Policy

The RE intending to outsource any of its financial activities shall put in place a comprehensive Board approved outsourcing policy. The policy shall incorporate, inter alia, criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria as indicated in Chapter-III, delegation of authority depending on risk and materiality, and systems to monitor and review the operations of these activities.

11. Role of the Board of Directors (Board) and Senior Management

11.1 The Board and Senior Management shall be ultimately responsible for managing risks inherent in outsourcing arrangements. They shall have the responsibility to put in place an effective governance mechanism and risk management process for all outsourced activities.

11.2 The Board or a Committee of the Board of the RE to which powers have been delegated shall be responsible, inter alia, for:

  1. approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements as also policies that apply to such arrangements;

  2. putting in place a framework for approval of outsourcing activities depending on risks and materiality; and

  3. setting up suitable administrative framework of Senior Management for the purpose of these Directions.

11.3 Senior Management of the RE shall be responsible for:

  1. evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;

  2. developing and implementing sound and prudent outsourcing policies and procedures commensurate with the complexity, nature, and scope of the outsourcing activity;

  3. undertaking a regular review of the outsourcing policies and procedures, strategies, and arrangements for their continued relevance, safety, and effectiveness as also to identify new material outsourcing risks as they arise;

  4. deciding on business activities of a material nature to be outsourced and approving such arrangements;

  5. communicating information pertaining to material outsourcing risks to the Board in a timely manner;

  6. ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and are tested periodically; and

  7. ensuring that there is independent review and audit for compliance with set outsourcing policies.

12. Evaluation of the Risks

Some of the key risks in outsourcing that need to be evaluated by the REs are: -

(i) Compliance Risk- Privacy, confidentiality and statutory laws/prudential regulations not adequately complied with by the service provider.

(ii) Concentration and Systemic Risk- Due to lack of control of individual REs over a service provider, more so when overall banking/financial services industry has considerable exposure to one service provider.

(iii) Contractual Risk – Arising from whether or not the RE has the ability to enforce the contract.

(iv) Counterparty Risk- Arising due to non-adherence by the service providers to the performance requirements (e.g.: submission of incorrect data on borrowers’ income level may lead to inappropriate underwriting or credit assessments by the RE).

(v) Country Risk- Due to economic, political, social or legal climate thereby creating added risks when the service provider is a foreign based entity, or the outsourcing happens in a foreign country.

(vi) Exit Strategy Risk- Could arise from over-reliance on one firm, the loss of relevant skills in the RE itself preventing it from bringing the activity back in-house and where the RE has entered into contracts wherein speedy exits would be prohibitively expensive or disruptive.

(vii) Legal Risk- Includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to commissions and omissions of the service provider.

(viii) Operational Risk – Arising due to technology failure, error, fraud, inadequate processes, and lack of financial capacity to fulfil obligations and/or provide remedies.

(ix) Reputation Risk- Poor service from the service provider, and its customer interaction not being consistent with the overall standards of the RE, or failure in preservation and protection of confidential customer information.

(x) Strategic Risk – Conduct of business by the service provider in a manner inconsistent with the overall strategic goals of the RE.

13. Evaluating the Capability of the Service Provider

13.1 In considering or renewing an outsourcing arrangement, REs shall undertake appropriate due diligence to assess the capability of the service provider to comply with obligations in the outsourcing agreement. REs shall consider whether the systems of service providers are compatible with their own and also whether their standards of performance including in the area of customer service are acceptable. REs shall also consider, while evaluating the capability of the service provider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Where possible, REs shall obtain independent reviews and market feedback on the service provider to supplement their own findings.

13.2 While carrying out due diligence, REs shall take into consideration financial, operational, qualitative, quantitative, and reputational factors. Due diligence shall involve an evaluation of all available information about the service provider, including but not limited to the following: -

  1. conflict of interest if any;

  2. past experience and competence to implement and support the proposed activity over the contracted period;

  3. financial soundness and ability to service commitments even under adverse conditions;

  4. business reputation and culture, compliance, complaints and outstanding or potential litigation;

  5. business continuity management, audit coverage, internal controls, security, and reporting and monitoring environment;

  6. external factors like economic, legal, political, and social environment of the jurisdiction in which the service provider operates and other events that may impact service performance;

  7. ensuring due diligence by service provider of its employees;

  8. ability to effectively service all the customers with confidentiality where a service provider has exposure to multiple REs;

  9. disaster recovery arrangements and track record;

  10. degree of reliance on sub-contractors; and

  11. adequacy of the service provider's insurance coverage.

14. The Outsourcing Agreement

14.1 The terms and conditions governing the contract between the RE and service provider shall be carefully defined in written agreements and vetted by the RE’s legal counsel for their legal effect and enforceability. The agreement should address the risks and also cover the risk mitigation strategies. It shall be sufficiently flexible to allow the RE to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. It shall also bring out clearly the nature of legal relationship between the parties, i.e., whether principal, agent, or otherwise.

14.2 Some of the key provisions to be covered in the agreement are given below. It should:

  1. clearly define the activities that are going to be outsourced including Service Level Agreements (SLAs) to agree and establish accountability for performance expectations. SLAs shall clearly formalize the performance criteria to measure the quality and quantity of service levels;

  2. provide for continuous assessment and monitoring of the service provider by the RE so that necessary corrective measure can be initiated immediately;

  3. include contingency plans to ensure business continuity;

  4. incorporate controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information;

  5. provide for prior approval/consent of the RE for use of subcontractor/s by the service provider for all or part of an outsourced activity. Before according the approval/consent, the RE shall review the subcontracting arrangement and ensure that the arrangement is compliant with these Directions;

  6. include a clause that will enable the RE to have access to all books, records and information relevant to the outsourced activity available with the service provider;

  7. provide the RE with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the RE;

  8. include a clause to allow the supervisory authority or persons authorised by it to access the documents, records of transactions, logs and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats. Further, the agreement should also include a clause to recognise the right of the supervisory authority to cause an inspection of a service provider of the RE and its books and accounts by one or more of its officers or employees or other authorised persons;

  9. include a clause relating to a clear obligation on a service provider to comply with directions given by the supervisory authority insofar as they involve activities of the RE;

  10. include a termination clause and minimum period to execute the termination;

  11. provide for the preservation of documents and data by the service provider in accordance with the legal/regulatory obligation of the RE. The RE shall take suitable steps to ensure that its interests as well as customers’ confidential information are protected even post termination of the services or expiry of the contract;

  12. specify the type of material adverse events (e.g., data breaches, service unavailability, etc.) and incident reporting requirements under which the service provider should report to the RE so as to enable the RE to take prompt risk mitigation measures;

  13. specify the events of default, and the indemnities, resolution process, remedies and recourse of the respective parties in the agreement; and

  14. specify (in case of material outsourcing arrangements) the location(s) (i.e. regions or countries) where the function will be provided and/or where relevant data will be processed, and the conditions to be met, including a requirement to notify the RE, if the service provider proposes to change the location(s).

Provided that the above shall be subject to RBI instructions on storage of data including:

  1. ‘Master Directions - Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017’ issued vide circular DNBR (PD) 090/03.10.124/2017-18 dated October 04, 2017, as amended from time to time,

  2. ‘Storage of Payment System Data’ issued vide circular DPSS.CO.OD No.2785/06.08.005/2017-2018 dated April 6, 2018 and ‘FAQ on Storage of Payment System Data’, as amended from time to time, and

  3. ‘Guidelines on Digital Lending’ issued vide circular DOR.CRE.REC.66/21.07.001/2022-23 dated September 02, 2022, as amended from time to time.

15. Confidentiality and Security

15.1 Public confidence and customer trust in REs is a prerequisite for their stability and reputation. Hence, the REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider.

15.2 Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

15.3 Sharing of data by the RE with the service provider shall be through secure channels. Both sharing and storage[3] of data with the service provider shall be in an encrypted manner. The RE shall also ensure that there is a structured process in place for secured removal/ disposal/ destruction of data by the service provider.

15.4 In instances where service provider acts as an outsourcing agent for multiple REs, care shall be taken to build adequate safeguards so that there is no comingling of assets, documents, information and records.

15.5 The REs shall review and monitor the control processes and security practices of the service provider on a regular basis and require the service provider to report security breaches to them.

15.6 The REs shall immediately notify the supervisory authority in the event of any breach of security and leakage of confidential customer related information. In these eventualities, the RE shall be liable to its customers for any damage.

16. Responsibilities of Direct Sales Agents (DSA)/ Direct Marketing Agents (DMA)/ Recovery Agents (applicable to commercial banks, cooperative banks[4] and NBFCs)

16.1 REs shall put in place a Board approved code of conduct for DSA/ DMA/ Recovery Agents and obtain their undertaking to abide by the code. They shall ensure that the DSA/ DMA/ Recovery Agents are properly trained to handle their responsibilities with care and sensitivity, particularly aspects such as soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer, etc. The RE and their Recovery Agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude upon the privacy of the debtors'/their guarantors’ family members, referees and friends, sending inappropriate messages either on mobile or through social media, making threatening and anonymous calls, persistently[5] calling the borrower/guarantor, making false and misleading representations, etc. Further, the REs and their Recovery Agents are barred from calling the borrower/guarantor before 8:00 a.m. and after 7:00 p.m.[6] for recovery of overdue loans.

17. Business Continuity and Management of Disaster Recovery Plan

17.1 The RE shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity and Recovery procedures. The RE shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan. Further, in case of material outsourcing, the RE shall also conduct occasional joint testing and recovery exercises with its service provider, at least annually.

17.2 In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the RE shall retain an appropriate level of control over its outsourcing and the right to intervene with appropriate measures to continue its business operations without any break in the operations and its services to the customers.

17.3 In establishing a viable contingency plan, REs shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

17.4 Outsourcing often leads to the sharing of facilities operated by the service provider. The RE shall ensure that service providers are able to isolate the RE's information, documents and records, and other assets. This is to ensure that in adverse conditions and/ or termination of the contract, all documents, record of transactions and information with the service provider, and assets of the RE, can be removed from the possession of the service provider or deleted, destroyed, or rendered unusable in order to continue its business operations.

18. Monitoring and Control of Outsourced Activities

18.1 The RE shall have in place a management structure to monitor and control its outsourcing activities.

18.2 A central record of all material outsourcing shall be maintained. The records shall be updated promptly and half yearly reviews placed before the Board or its Committee.

18.3 Reports on the monitoring and control activities shall be reviewed periodically by the Senior Management and, in case of any adverse development, the same shall be put up to the Board or its Committee for information.

18.4 The RE shall perform comprehensive pre- and post- implementation review of new outsourcing arrangements or when amendments are made to the outsourcing arrangements.

18.5 Regular audits at least annually by either the internal or external auditors of the RE shall assess the adequacy of the risk management practices adopted in managing and overseeing the outsourcing arrangement, the RE's compliance with its risk management framework and the requirements of these Directions. A report of these audits shall be placed before the Board or ACB of the RE.

18.6 REs shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality and security, and business continuity preparedness.

18.7 REs shall also submit an Annual Compliance Certificate giving the particulars of outsourcing contracts, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken through the Board, to their respective supervisory authorities.

18.8 The event of termination of any outsourcing agreement, on account of the below-mentioned reasons (indicative in nature), where the service provider deals with customers, shall be publicised by publishing in the leading local newspaper with sufficient circulation in the locality, displaying at a prominent place in the branches, and posting it on the RE’s website so as to ensure that the customers do not continue to deal with the service provider,

  1. Fraud committed by the service provider;

  2. Leakage of information / data;

  3. Breach of confidentiality or code of conduct by the service provider; and

  4. Blacklisting of the service provider by GoI, RBI, SEBI, or any other regulator/supervisory authority.

18.9 REs shall immediately notify the supervisory authority in the event of any significant problems that have the potential to materially affect the outsourcing arrangement and, as a consequence, materially affect the business operations, profitability, reputation or strategies of the RE.

18.10 Certain cases, like outsourcing of cash management, might involve reconciliation of transactions between the RE, the service provider and its sub-contractors. In such cases, REs shall ensure that reconciliation of transactions between the RE and the service provider (and/ or its sub-contractor), are carried out as advised in RBI guidelines on ‘Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019 as amended from time to time and other such instructions issued by the regulator/ supervisory authority.

18.11 Incentive compensation review: REs shall also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including a review of whether existing governance and controls are adequate in light of risks arising from incentive compensation arrangements. As the service provider may, in certain instances of outsourcing, represent the RE by selling products or services on its behalf, the RE should consider whether the incentives provided might encourage the service provider to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the RE. An example of an inappropriate incentive would be one where variable fees or commissions encourage the service provider to direct customers to products of the RE with higher profit margins without due consideration to suitability of such products for the customer.

19. Redressal of Grievances related to Outsourced Services

19.1 REs shall constitute Grievance Redressal Machinery as contained in

  1. Paragraph 16.5 of ‘Master Circular on Customer Service in Banks’ issued vide circular ref. DBR.No.Leg.BC. 21/09.07.006/2015-16 dated July 1, 2015, as amended from time to time,

  2. Paragraph 32 and other relevant paragraphs of ‘Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016’ issued vide circular ref. DNBR.PD.007/03.10.119/2016-17 dated September 1, 2016, as amended from time to time,

  3. Paragraph 32 and other relevant paragraphs of ‘Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016’ issued vide circular ref. DNBR.PD.008/03.10.119/2016-17 dated September 1, 2016, as amended from time to time,

  4. Paragraph 12 and other relevant paras of ‘Customer Service in Regional Rural Banks’ issued vide circular ref. RPCD.CO.RRB.BC.No. 100/03.05.33/2013-14 dated May 12, 2014, as amended from time to time,

  5. Paragraph 12 and other relevant paras of ‘Customer Service in State/ Central Co-operative Banks (StCBs/CCBs)’ issued vide circular ref. RPCD.CO.RCB.BC.No. 36/07.51.010/2014-15 dated October 22, 2014, as amended from time to time,

  6. Paragraph 30 and other relevant paras of ‘Master Circular on Customer Service – UCBs’ issued vide circular ref. DCBR.CO.BPD.(PCB).MC.No.15/12.05.001/2015-16 dated July 1, 2015, as amended from time to time,

  7. Paragraph 78 and other relevant paragraphs of ‘Master Direction – Non-Banking Financial Company – Housing Finance Company (Reserve Bank) Directions, 2021’ issued vide circular ref. DOR.FIN.HFC.CC.No.120 /03.10.136/2020-21 dated February 17, 2021, as amended from time to time,

  8. Section 21 and other relevant Sections of ‘The Credit Information Companies (Regulation) Act, 2005’,

  9. ‘Integrated Ombudsman Scheme, 2021’ and ‘FAQs on The Reserve Bank - Integrated Ombudsman Scheme, 2021’, as amended from time to time, and

  10. Other such instructions issued by the regulator/supervisory authority.

19.2 The REs shall give wide publicity to their Grievance Redressal mechanism by displaying it at a prominent place in their branches and also by placing the information on their website. It shall be clearly indicated that REs' Grievance Redressal mechanism will also deal with the issues relating to services provided by the outsourced agencies. The name and contact details (Telephone/ Mobile nos. as also email address) of designated grievance redressal officer, escalation matrix and principal nodal officer (wherever applicable) of the RE shall be made known and widely publicised. The said designated officer shall ensure that grievances of customers are redressed promptly.

19.3 The grievance redressal procedure of the RE and the time frame fixed for responding to the complaints shall be placed on the RE's website. If a complainant does not get any reply from the RE within 30 days after the RE received the complaint or is not satisfied with the reply of the RE, she will have the following options for redressal of her grievance/s:

  1. the RBI’s Ombudsman in case of REs to which RBI’s Integrated Ombudsman Scheme, 2021 applies, or

  2. Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI in case of RBI supervised REs to which RBI’s Integrated Ombudsman Scheme, 2021 does not apply, or

  3. Grievance Redressal mechanism of the respective supervisory authority in case of REs supervised by an authority other than RBI.

20. Reporting of transactions to FIU or other competent authorities

REs shall be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the REs' customer related activities carried out by the service providers.

21. Reporting to the supervisory authority

REs shall report all material financial outsourcing arrangements (including arrangements involving extensive data sharing across geographic locations as part of process outsourcing and when data pertaining to Indian operations are processed abroad) to the supervisory authority on a quarterly basis. Reporting format shall be prescribed separately.

22. Centralised List of Outsourced Agents

If a service provider’s contract is terminated prematurely prior to the completion of the contracted period of service, on account of the reasons mentioned below (indicative in nature), Indian Banks' Association (IBA)/respective RBI-recognised Self-Regulatory Organizations (SROs) would have to be informed of the reasons for termination:

  1. Fraud committed by the service provider;

  2. Leakage of information / data;

  3. Breach of confidentiality or code of conduct by the service provider; and

  4. Blacklisting of the service provider by GoI, RBI, SEBI, or any other regulator/supervisory authority.

IBA/respective RBI-recognised SROs would be maintaining a caution list of such service providers for sharing among themselves and the respective member REs.

Outsourcing within a Group/ Conglomerate

23. In a group structure, REs may have back-office and service arrangements/ agreements with group entities e.g. sharing of premises, legal and other professional services, hardware and software applications, centralized back-office functions, outsourcing certain financial services to other group entities, etc. However, REs at all times shall maintain an arm's length relationship in such dealings (including sharing of data and servers[7]). Before entering into such arrangements with group entities, REs shall have a Board approved policy in this regard as well as service level agreements/ arrangements with their group entities, which shall also cover demarcation of shared resources such as premises, IT hardware including servers, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or where there is any kind of cross selling of product/services.

24. While entering into such arrangements, REs shall ensure the following:

  1. they are appropriately documented in written agreements with details like scope of services, charges for the services and confidentiality of the customer's data;

  2. they do not lead to any confusion to the customers regarding whose products/ services they are availing;

  3. they do not compromise the ability to identify and manage risk of the RE on a stand-alone basis;

  4. they do not prevent the supervisory authority from being able to obtain information required for the supervision of the RE or pertaining to the group as a whole;

  5. they incorporate a clause in the written agreements that there is a clear obligation for any service provider to comply with Directions given by the RBI in relation to the activities of the RE; and

  6. the selection of a group entity is based on objective reasons and that the conditions of the outsourcing arrangement are set at arm’s length and explicitly deal with conflicts of interest that such an outsourcing arrangement may entail.

25. REs shall ensure that their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable.

26. If the premises of the RE are shared with the group entities for the purpose of cross-selling, the REs shall take measures to ensure that the entity's identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in the RE’s premises shall mention nature of arrangement of the entity with the RE so that the customers are clear on the seller of the product.

27. REs shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of their group entities.

28. The risk management practices to be adopted by the RE while outsourcing to a related party (i.e. party within the Group) shall be identical to those specified in Chapter V of these Directions.

Off-Shore Outsourcing of Financial Services

29. The engagement of service providers in a foreign country exposes the RE to country risk, may adversely affect the RE and could prevent the service provider from carrying out the terms of its agreement with the RE. To manage the country risk involved in such outsourcing activities, the RE shall establish sound procedures for dealing with country risk problems, take into account and closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.

30. The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise the RE in a timely manner.

31. The outsourcing related to overseas operations of REs shall be governed by both these guidelines and the host country guidelines. Where there are differences, the more stringent of the two would prevail. However, where there is any conflict, the host country guidelines would prevail.

32. As regards the off-shore outsourcing of financial services relating to Indian Operations, REs shall additionally ensure that

  1. Where the off-shore service provider is an RE, the relevant host country regulator will neither obstruct the arrangement nor object to inspection visits of the supervisory authority or visits of the home RE’s internal and external auditors.

  2. The availability of records to management of the RE and the supervisory authority will withstand the liquidation of either the offshore custodian or the RE in India.

  3. The host country regulator does not have access to the data relating to Indian operations of the RE simply on the ground that the processing is being undertaken there (not applicable if off-shore processing is done in the home country of the RE).

  4. The jurisdiction of the courts in the host country where data is processed does not extend to the operations of the RE in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India.

  5. All original records shall continue to be maintained in India.


33. With the issue of final Directions, the directions/guidelines/instructions contained in the following circulars issued by RBI stand repealed.

| Sr No | Title | Circular number and date |
|---|---|---|
| 1 | Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks | DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006 |
| 2 | Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks | DBOD.NO.BP.64/21.04.158/2007-08 dated March 03, 2008 |
| 3 | Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks | DBOD.No.BP.97/21.04.158/2008-09 dated December 11, 2008 |
| 4 | Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks-Compliance Certificate | DBS.CO.PPD.BC.5/11.01.005/2008-09 dated April 22, 2009 |
| 5 | Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks | DBR.No.BP.BC.76/21.04.158/2014-15 dated March 11, 2015 |
| 6 | Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs | DNBR.PD.CC.No.090/03.10.001/2017-18 dated November 9, 2017 |
| 7 | Guidelines for Managing Risk in Outsourcing of Financial Services by Co-operative Banks | DOR.ORG.REC.27/21.04.158/2021-22 dated June 28, 2021 |

Annex I

Examples of financial outsourcing arrangements

1. The following is an indicative list of some services that, when performed by a third party, would be regarded as financial outsourcing arrangements for the purposes of these Directions:

  1. application processing (e.g., loan origination, credit cards);

  2. middle and back office operations (e.g., electronic funds transfer, payroll processing, custody operations, quality control, order processing);

  3. claims administration (e.g., loan negotiation, loan processing, collateral management, collection of bad loans);

  4. document processing (e.g., cheques, credit card and bill payments, bank statements, other corporate payments, customer statement printing);

  5. cash management;

  6. manpower management (e.g., training and development); and

  7. marketing and research (e.g., product development, data warehousing and mining, media relation, call centre, telemarketing).

2. The following arrangements would generally not be considered financial outsourcing arrangements for the purpose of these Directions:

  1. a function that is legally required to be performed by a service provider, e.g. statutory audit;

  2. telecommunication services, postal and courier services and public utilities;

  3. market information services (e.g., provision of data by Bloomberg, Moody’s, Standard & Poor’s);

  4. common network infrastructure (e.g., RuPay, Visa, MasterCard);

  5. clearing and settlement arrangements between clearing houses and settlement institutions and their members, and similar arrangements between members and non-members;

  6. global financial messaging infrastructure which are subject to oversight by relevant regulators (e.g., SWIFT);

  7. correspondent banking services; and

  8. the acquisition of services that would otherwise not be undertaken by the RE (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, maintenance and security of the RE’s premises, medical services, servicing of company cars, catering, usage of courier, housekeeping and janitorial services, movement and archiving of records, travel services) and goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture).

1 REs shall be given sufficient time (say 3 – 6 months) to bring their existing outsourcing agreements in compliance with the final Master Direction on the matter subsequently.

2 However, where required, experts including former employees can be hired on a contractual basis subject to the Audit Committee of the Board (ACB)/Board being assured that such expertise does not exist within the audit function of the RE. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.

3 For outsourcing arrangements entered by REs with a Lending Service Provider (LSP)/ Digital Lending App (DLA), refer to para 11 on ‘Storage of data’ of ‘Guidelines on Digital Lending’ issued vide circular DOR.CRE.REC.66/21.07.001/2022-23 dated September 02, 2022.

4 Co-operative banks are not permitted to appoint DSA/DMA for raising deposits in terms of para 27 of Master Direction - Reserve Bank of India (Co-operative Banks - Interest Rate on Deposits) Directions, 2016, dated May 12, 2016, as amended from time to time.

5 For example, calling repeatedly.

6 Not applicable to microfinance loans covered under ‘Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022’, dated March 14, 2022.

7 Please refer to ‘Master Direction on Outsourcing of Information Technology Services’ issued vide circular ref. DoS.CO.CSITEG/SEC.1/31.01.015/2023-24 dated April 10, 2023.