RBI’s 2025 Directions on IT Outsourcing by Local Area Banks: Governance, Risk and Compliance Blueprint
The Reserve Bank of India has notified the Reserve Bank of India (Local Area Banks – Managing Risks in Outsourcing) Directions, 2025 under Section 35A of the Banking Regulation Act, 1949. These Directions lay down an exhaustive regulatory framework governing material outsourcing of IT services by Local Area Banks (LABs), with a sharp focus on governance, risk management, data security, business continuity and regulatory oversight.
The Directions come into force with immediate effect. All new IT outsourcing contracts entered into on or after the effective date must comply from day one, while existing IT outsourcing arrangements must be brought into conformity at the time of renewal or by April 10, 2026, whichever is earlier. Non-compliance with other existing RBI or statutory mandates is not excused by these transition provisions.
1. Coverage, Applicability and Definitions
1.1 Who is covered?
The Directions apply exclusively to Local Area Banks, collectively referred to as “banks” and individually as “bank” throughout the Directions. The framework imposes obligations on these banks whenever they enter into material outsourcing of IT services.
1.2 What is treated as “Outsourcing of IT Services”?
For the purpose of these Directions, “Outsourcing of IT Services” covers, among others:
- IT infrastructure management, support and maintenance (for hardware, software or firmware);
- Network and security solution management and maintenance;
- Application development, maintenance and testing, including arrangements with Application Service Providers (ASPs) such as ATM Switch ASPs;
- Data centre–related operations and services;
- Cloud computing services;
- Managed security services; and
- Management of IT infrastructure and technology services linked to the payment system ecosystem.
The Directions only govern material outsourcing of these IT services, as explained below.
1.3 What is outside the scope?
Certain arrangements are expressly excluded from the ambit of these Directions. These include, inter alia:
- Corporate internet banking services that a bank uses as a corporate customer or sub-member of another Regulated Entity (RE);
- External audit‑type engagements such as Vulnerability Assessment / Penetration Testing, Information Systems Audit and security reviews;
- SMS gateway and bulk SMS services;
- Procurement of IT hardware / appliances;
- Licensing or subscription of off-the-shelf IT software (e.g. Core Banking Solution, database, security products) and standard upgrades or change requests;
- OEM‑provided maintenance (including security patches and bug fixes) for IT infrastructure or licensed products;
- Usage of regulatory / infrastructure platforms like those from Clearing Corporation of India Limited (CCIL), National Stock Exchange (NSE), Bombay Stock Exchange (BSE);
- Interfaces and platforms like Reuters, Bloomberg, SWIFT;
- Other standard products like anti-virus software and email solutions with minimal or no customisation;
- Services obtained as a sub-member in a Centralised Payment System (CPS) from another RE;
- Business Correspondent services, payroll processing, and statement printing.
Note: The Directions include an indicative list of entities that qualify as Regulated Entities (REs) such as Commercial Banks, other LABs, Small Finance Banks, Payments Banks, Regional Rural Banks, NBFC – BL, NBFC – ML, NBFC – UL, All India Financial Institutions, Credit Information Companies, Urban and Rural Co-operative Banks, and Payment System Operators. For “Commercial Banks”, the definition in section 5 of the Banking Regulation Act, 1949 is followed.
1.4 Key definitions
The Directions provide specific definitions for critical terms:
‘Material Outsourcing of IT Services’ (paragraph 6(3)):
Outsourcing that:
- If disrupted or compromised, could significantly affect the bank’s operations; or
- May have a material impact on customers in case of unauthorised access, loss or theft of customer information.
‘Outsourcing’:
Use of a third party, whether within the group or external, to undertake on a continuing basis activities that the bank would otherwise perform itself. “Continuing basis” also includes agreements for a finite period.
‘Service Provider’:
Any entity providing IT services to the bank, including a related or group company, unless specifically carved out. The Directions list vendors that are not treated as “Service Providers” for this framework, such as:
- Business Correspondents using IT;
- Payment System Operators authorised under the Payment and Settlement Systems Act, 2007;
- Certain FinTech partnership providers (e.g. co-branded apps and products, data retrieval/validation services, digital document execution, data entry, call centres);
- Telecom companies providing leased lines and similar infrastructure;
- Independent security or audit consultants appointed as auditors or lead implementers.
‘Sub-contractor’:
A party providing material/significant IT services to the service provider in relation to the bank’s outsourcing arrangement.
All other undefined terms carry the same meaning as in the Banking Regulation Act, 1949, Reserve Bank of India Act, 1934, Information Technology Act, 2000, Companies Act, 2013, allied Rules and RBI Glossary of Terms, or as understood in commercial parlance.
2. Board-Level Governance and Oversight
2.1 Continuing responsibility of Board and Senior Management
The Directions underline that outsourcing does not dilute or transfer the bank’s obligations. The Board and Senior Management remain ultimately responsible for all outsourced services and must ensure effective oversight, irrespective of whether functions are performed internally or by third parties, in India or overseas.
2.2 Mandatory Board-approved IT outsourcing policy
Each bank is required to adopt a comprehensive Board-approved IT outsourcing policy, which must, at a minimum, cover:
- Allocation of roles and responsibilities among the Board, Board Committees (where applicable), Senior Management, IT function, business units and oversight functions;
- Criteria for selecting IT services and choosing service providers;
- Parameters for classifying arrangements as material, aligned with paragraph 6(3);
- Delegation of approval authority based on risk and materiality;
- Business continuity and disaster recovery strategies;
- Monitoring and review mechanisms for outsourced operations; and
- Termination procedures and exit strategies, including arrangements to maintain continuity if a service provider exits.
2.3 Board’s specific responsibilities
The Board must, inter alia:
- Put in place a framework for approval of outsourcing based on risk and materiality;
- Approve policies for evaluating risk and materiality of all current and proposed outsourcing;
- Establish an adequate Senior Management oversight structure;
- Ensure that conflicts of interest linked to third-party engagements are properly identified and managed, particularly where exceptions are taken to the restriction that a service provider (if not a group company) must not be owned or controlled by a director, key managerial personnel or approver of the arrangement, or their relatives;
- Periodically review reports from Senior Management, especially any adverse developments concerning outsourced services.