Shieldrisk AI

RBI Outsourcing Guidelines: A Step-by-Step Vendor Due Diligence Checklist

Introduction

The Reserve Bank of India’s Master Direction on Outsourcing of Information Technology Services (effective October 1, 2023) reshaped how Indian banks, NBFCs, payment system operators, and credit information companies must govern their third-party technology providers. For regulated entities, vendor due diligence is no longer a best practice — it’s a documented, examinable obligation.

This checklist translates the regulation’s expectations into concrete steps your team can execute before every material outsourcing engagement.

What the RBI Direction expects

The Direction requires regulated entities (REs) to:

1. Maintain a board-approved outsourcing policy and a governance framework with clear board and senior-management accountability.
2. Classify every engagement by materiality before it is signed.
3. Perform pre-engagement due diligence on the service provider.
4. Put contractual controls in place, including audit and inspection rights and restrictions on sub-contracting.
5. Monitor performance and risk on an ongoing basis.
6. Maintain a viable exit strategy for material engagements.

Outsourcing does not transfer accountability: the RE remains fully responsible to RBI and to its customers for the outsourced activity, whatever the contract says.

Step 1 — Determine materiality

Classify the engagement as Material or Non-material before anything else; every later step scales with this decision. The Direction's test is whether a disruption of the service could significantly impact the RE's business operations, or whether unauthorised access to, loss of, or theft of customer information held by the provider could materially affect customers. Core banking, card processing, KYC, cloud hosting of customer data, and payment gateways are nearly always material. Record the reasoning, not just the label, because examiners will ask why a borderline engagement was classed non-material.

Step 2 — Pre-engagement due diligence

1. Corporate standing — incorporation, ownership, beneficial owners, sanctions screening.
2. Financial viability — last 3 years' audited financials, credit rating, and going-concern opinion.
3. Technical capability — staffing, delivery model, prior BFSI experience.
4. Security posture — ISO 27001 certificate and Statement of Applicability, SOC 2 Type II report, recent independent penetration test, and evidence of a working vulnerability-management process. Check that the certification and report scope actually covers the service and locations you are buying, not a different business unit.
5. Data protection — GDPR/DPDP alignment, data residency, cross-border transfer controls.
6. Business continuity — RTO/RPO, DR site, and evidence that the BCP has been tested, not just written.
7. Sub-contracting chain — complete sub-processor list with geography and function, including fourth parties the sub-processors themselves rely on.
8. Regulatory history — adverse findings, sanctions, litigation, breach history.
9. References — 2–3 existing BFSI clients willing to speak on record.

Step 3 — Concentration & geographic risk

Document concentration risk in both directions: Is this vendor the sole provider of a material function, so that its failure is your failure? Is your RE too large a share of the vendor's revenue, so that the vendor cannot afford to lose you and you cannot afford to leave? For cross-border outsourcing, document the governing legal regime, the data-access powers of foreign governments and courts, and a contingency for the case where access to the service or the data is blocked. The arrangement must not impede RBI's ability to obtain information from, or inspect, the service provider.

Step 4 — Contracting — non-negotiable clauses

1. Explicit right to audit and inspect (onsite and remote) for the RE, its auditors, and RBI or persons authorised by it.
2. Confidentiality and data-protection obligations with named data classes.
3. Sub-contracting restrictions; prior written consent for material sub-contracting.
4. Service levels with penalties and periodic review.
5. Business continuity obligations and BCP test participation.
6. Breach notification within 24 hours at the latest. Treat 24 hours as a ceiling to negotiate down from: the RE's own incident-reporting obligations to RBI and CERT-In (six hours from detection under the CERT-In directions) are measured in hours, so require immediate initial notice of a suspected incident, with full details to follow.
7. Data residency and cross-border transfer controls.
8. Termination rights: for cause, for convenience, and for regulatory reasons.
9. Exit assistance: transition support, data return in an agreed format, certified destruction.
10. Liability and indemnity caps aligned to risk.

Step 5 — Ongoing monitoring

Establish a monitoring plan: monthly service-level review, quarterly risk review for material engagements, annual refresh of due diligence artifacts (expired certificates and year-old SOC 2 reports are a common examination finding), continuous cyber-posture monitoring, and integration of vendor incidents into the RE's own incident-response process. Document every review; RBI examiners will ask for the records, not just the plan.

Step 6 — Exit strategy (the most-overlooked item)

For every material engagement, maintain a documented exit strategy: an identified alternative provider, a data portability plan, a transition timeline, transition-assistance clauses, and a tabletop exercise executed at least once during the engagement.

Step 7 — Reporting to the board

The board must receive periodic reports on outsourced activities, risks, and the effectiveness of controls. Keep minutes and artifacts auditable for at least the period required by the Direction and your internal retention policy.

Frequently Asked Questions

Does the RBI Direction apply to NBFCs and PSOs?

Yes — the Direction covers banks, NBFCs, payment system operators, credit information companies, and other RBI-regulated entities. Exact materiality thresholds and submissions vary by entity type.

Does material outsourcing require prior RBI approval?

Material outsourcing does not require prior RBI approval, but it must meet the Direction's pre-engagement and governance requirements. Certain cross-border arrangements and core banking outsourcing have specific notification obligations.

Can we use cloud or cross-border service providers?

Yes, with strict conditions on data residency, access controls, audit rights, and regulator access. The RE must ensure supervisory access is preserved.

How long must outsourcing records be retained?

Retain contracts, due diligence artifacts, monitoring records, incident logs, and exit plans for the statutory retention period (typically 8–10 years) plus any regulator-specific mandate.

What are the most common examination findings?

Missing exit plans, expired evidence on file, sub-processor chains that weren't disclosed, weak breach-notification clauses, and inconsistent monitoring documentation.

Ready to modernize your vendor risk program?

ShieldRisk AI is CERT-In Empanelled and purpose-built for the Indian BFSI sector. We ship RBI-aligned questionnaires, audit-ready evidence vaults, and dashboards trusted by banks and NBFCs. Book a demo to see our RBI-aligned workflow.