RBI Master Direction on Outsourcing of IT Services 2023
RBI Master Direction (RBI/2023-24/102 dated 10 April 2023) governing outsourcing of IT services by Scheduled Commercial Banks, Local Area Banks, Small Finance Banks, Payments Banks, select Urban Co-operative Banks, NBFCs (excluding Base Layer), Credit Information Companies, and All India Financial Institutions. Covers 10 chapters: governance framework, due diligence, outsourcing agreements, risk management, monitoring, cross-border outsourcing, and exit strategy — with Appendix I on cloud computing services and Appendix II on SOC outsourcing. Transition deadlines: new agreements must be compliant from inception; existing agreements due for renewal after 1 Oct 2023 must be compliant by 10 April 2026.
Composition
13 controls currently indexed; participates in 9 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
- Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
- Board-level IT/IT Strategy Committee with documented charter
- Business continuity and ICT recovery readiness
- Cloud Security Posture Management — continuous configuration assessment
- Comprehensive asset inventory with classification and ownership
- Multi-regulator incident notification with coordinated submission timelines
- Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
- Security reporting governance — CISO, DPO, incident reporting, compliance reporting