RBI Master Direction on Outsourcing of IT Services (ITO 2023) — a practitioner reference

ControlForge free guide · 2026-05-24 · Reflects Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, effective 1 October 2023


Quick reference

  • Applies to: Scheduled Commercial Banks including Foreign Banks operating in India, excluding Regional Rural Banks; Local Area Banks; Small Finance Banks; Payments Banks; Primary (Urban) Co-operative Banks (excluding Tier 1 and Tier 2 UCBs); NBFCs in the Middle, Upper, and Top Layers of the Scale Based Regulation framework (Base Layer NBFCs excluded); Credit Information Companies (CICs); All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI).
  • Mandatory or voluntary: mandatory regulation; binding on all Regulated Entities (REs) listed above.
  • Year published: notified 10 April 2023; came into effect 1 October 2023 for new outsourcing arrangements; glide-path provisions applied to existing arrangements depending on renewal date.
  • Issuing body: Reserve Bank of India, Department of Regulation.
  • Penalties: monetary penalties under Section 47A of the Banking Regulation Act, Section 58G of the RBI Act, or Section 30 of the Payment and Settlement Systems Act depending on entity type; supervisory action including operational restrictions and public disclosure.
  • ControlForge density: 13 curated controls covering the Master Direction's nine control areas plus the cloud-services and security-operations-centre annexures; cross-walked with RBI ITGRCA, CSF, ISO/IEC 27001:2022, ISO/IEC 27017:2015, and CSA CCM.

What it is

The Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 — referred to as ITO 2023 — is the IT outsourcing-specific Master Direction for India's banking and non-banking financial sector. It came into force on 1 October 2023 and complements the broader ITGRCA Master Direction (effective 1 April 2024). Where ITGRCA establishes the IT governance superstructure, ITO 2023 addresses the specific risks of outsourcing IT services to third-party service providers (TPSPs) — a regulatory area that had grown materially in importance as banks and NBFCs increasingly relied on external providers for core IT capabilities.

The underlying principle is direct: outsourcing does not diminish the RE's obligations to customers or impede RBI's effective supervision. ITO 2023 operationalises this principle through structured requirements on:

  • Governance and policy for IT outsourcing.
  • Risk assessment of outsourcing arrangements.
  • Due diligence on TPSPs.
  • Contractual obligations.
  • Material outsourcing assessment and Board oversight.
  • Risk management of outsourcing.
  • Business continuity for outsourced services.
  • Termination and exit strategy.
  • Reporting and supervision.

The Master Direction includes two important annexures:

  • Annexure 1 — Usage of Cloud Computing Services: cloud-specific outsourcing requirements that complement the general framework. Bridges to the SEBI Cloud Framework (for SEBI REs) and to broader cloud-security practice.
  • Annexure 2 — Outsourcing of Security Operations Centre (SOC) Services: specific provisions for SOC outsourcing arrangements, which had become common as smaller REs adopted MSSP-based SOCs.

A third annexure clarifies services not considered under "Outsourcing of IT Services" — primarily certain standard market services and specific carve-outs.

The 2023 Master Direction replaced earlier IT outsourcing circulars that had been issued piecemeal since 2006, including the Bank's earlier Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services. ITO 2023 is the IT-specific Master Direction within that broader outsourcing framework.


Structure at a glance

The Master Direction is organised into eight chapters plus annexures:

  • Chapter I — Preliminary: definitions, applicability, scope, what constitutes IT outsourcing.
  • Chapter II — Governance and Management: Board-approved IT Outsourcing Policy, Senior Management responsibilities, IT Outsourcing oversight.
  • Chapter III — Outsourcing Process: risk assessment, due diligence on TPSPs, contractual arrangements.
  • Chapter IV — Material Outsourcing: identification, additional governance, Board approval for material arrangements.
  • Chapter V — Risk Management Framework: TPSP risk monitoring, incident management for outsourced services, business continuity arrangements.
  • Chapter VI — Termination and Exit Strategy: exit planning, data return and destruction.
  • Chapter VII — Reporting and Supervision: reporting to RBI, RBI inspection authority over TPSPs.
  • Chapter VIII — Other Provisions: repeal, interpretation.

  • Annexure 1 — Usage of Cloud Computing Services: cloud-specific overlay.
  • Annexure 2 — Outsourcing of Security Operations Centre (SOC) Services: SOC outsourcing specifics.
  • Annexure 3 — Services Not Considered Outsourcing: carve-outs.

The Master Direction defines "material outsourcing arrangement" with specific criteria — arrangements where failure or disruption would materially impact the RE's customers, financial position, or regulatory compliance. Material arrangements face additional governance, contractual, and monitoring requirements.

The "glide path" approach for existing arrangements:

  • Existing agreements due for renewal before 1 October 2023: comply within 12 months from the date of issuance (i.e., by 10 April 2024).
  • Existing agreements due for renewal on or after 1 October 2023: comply at renewal or within 36 months from the date of issuance (i.e., by 10 April 2026), whichever is earlier.

By mid-2026, the glide path has closed for virtually all in-scope arrangements; supervisory exposure for non-compliant existing arrangements is now active.


Who must comply

ITO 2023 applies to:

  • Scheduled Commercial Banks including Foreign Banks operating in India (excluding Regional Rural Banks).
  • Local Area Banks.
  • Small Finance Banks and Payments Banks.
  • Primary (Urban) Co-operative Banks in Tier 3 and Tier 4 categories (Tier 1 and Tier 2 UCBs are excluded).
  • NBFCs in the Middle, Upper, and Top Layers of the Scale Based Regulation framework (Base Layer NBFCs excluded).
  • Credit Information Companies (CICs).
  • All India Financial Institutions: EXIM Bank, NABARD, NaBFID, NHB, SIDBI.

The scope largely mirrors ITGRCA, with the addition of Local Area Banks (which are excluded from ITGRCA). For Tier 1 and Tier 2 UCBs and Base Layer NBFCs, RBI's general outsourcing principles apply through other instruments rather than the more demanding ITO 2023 regime.

What constitutes "IT outsourcing": arrangements where the RE engages a third-party service provider to perform IT activities or IT-enabled services that are part of the RE's IT systems or service delivery. Includes: cloud services (IaaS, PaaS, SaaS), data centre hosting, managed service providers, managed security services (SOC), software development services, IT support services, infrastructure management, application management. Excludes: services that are not IT in nature, certain standard market services (e.g., internet bandwidth), and other arrangements specifically carved out in Annexure 3.

A practical scoping question that surfaces frequently: SaaS arrangements that are essentially "buying a software product" — does that constitute outsourcing? The Master Direction's framing is broad: if the SaaS provider hosts the application, processes data on the RE's behalf, or has access to RE systems or data, it is in scope. The SaaS-as-product framing does not exempt the arrangement from ITO 2023.


Core obligations

The major obligations, walked through across the nine control areas:

IT Outsourcing Policy. Board-approved policy covering: types of activities that may be outsourced; types specifically prohibited from outsourcing (e.g. core decision-making, statutory compliance); risk appetite; governance structure; approval authority levels; reporting requirements; review cadence. The policy is reviewed at least annually and on material changes. Maps into ControlForge clusters cl-policy, cl-supplier-policy, and cl-roles-responsibilities.

Senior Management responsibilities. Senior Management is responsible for implementing the policy, conducting risk assessments, approving outsourcing arrangements within delegated authority, monitoring TPSP performance, and reporting to the Board. The Head of IT Function and the CISO have specific roles in evaluating and overseeing IT outsourcing arrangements. Maps into cl-roles-responsibilities.

Risk assessment. Documented risk assessment for each proposed outsourcing arrangement covering: strategic risk, compliance risk, operational risk, reputational risk, country risk (for cross-border arrangements), concentration risk, and security and data protection risks. Risk assessment is refreshed periodically and on material changes. Maps into cl-risk-assessment and cl-supply-chain-risk.

Due diligence on TPSPs. Pre-engagement due diligence covering: financial soundness; technical and operational capability; security and resilience posture; business continuity capability; regulatory compliance posture; references; track record; reputational standing; sub-contracting arrangements. For cross-border TPSPs: country-specific risks including data-protection law compatibility, regulatory accessibility. Documented diligence file maintained and refreshed periodically. Maps into cl-third-party-due-diligence and cl-supplier-policy.

Contractual arrangements. Comprehensive contracts covering: scope and SLA; data ownership and confidentiality; security obligations; sub-contracting controls (the TPSP cannot sub-contract without notifying / obtaining approval); right to audit by the RE and by RBI; incident notification with defined timelines; cooperation with regulatory inspection; termination conditions; exit assistance; data return and destruction on termination; data residency. Maps into cl-supplier-policy and cl-data-processing-agreement.

Material outsourcing arrangements. Additional requirements:

  • Board approval for entering, materially varying, or terminating the arrangement.
  • Enhanced due diligence.
  • More demanding contractual coverage.
  • Direct Board / Board Sub-Committee oversight.
  • More frequent risk monitoring.
  • Specific business continuity arrangements (alternate provider identified or exit-ready architecture).

Determining materiality requires structured criteria: impact on customer service; impact on financial position; impact on regulatory compliance; concentration; complexity; duration. The materiality assessment is documented.

Risk management and monitoring. Ongoing monitoring of TPSP performance, compliance, and risk position; periodic reviews including annual review for critical arrangements; incident management procedures specifically covering TPSP-side incidents flowing to RE incident response; periodic right-to-audit exercise. Maps into cl-continuous-monitoring and cl-incident-response-execution.

Business continuity for outsourced services. BCP and DR arrangements for outsourced services with clearly defined RTO and RPO; alternate provider identification or in-house fallback capability for critical arrangements; periodic testing. The principle: a TPSP failure should not cause RE failure. Maps into cl-bcp-ict-readiness and cl-supplier-policy.

Termination and exit strategy. Documented exit strategy at the start of every material arrangement; clear data return and destruction procedures; transition assistance from outgoing TPSP; smooth handover to alternate provider or in-house. The exit strategy is reviewed periodically. Maps into cl-supplier-policy.

Cloud-specific (Annexure 1). Where the outsourcing involves cloud computing services: data localisation considerations; CSP selection with focus on MeitY empanelment and major security certifications; shared responsibility model documented; cloud-specific security controls; portability and exit assistance; concentration risk at the CSP level. Maps into cl-cloud-shared-responsibility, cl-cspm-cloud-posture, and cl-cross-border-transfer.

SOC outsourcing (Annexure 2). Where the outsourcing is for security operations: SOC service scope and SLA; threat intelligence integration; alerting and escalation; coordination with RE incident response; periodic effectiveness review; right to audit the SOC operator; data handling and confidentiality. Maps into cl-monitoring-activities and cl-soc-msm.

Reporting to RBI. Reporting requirements for material outsourcing arrangements at inception and on material change; incident reporting where TPSP-side incidents materially affect the RE; RBI right to direct termination of arrangements that violate the framework or create supervisory concern. Maps into cl-incident-reporting-external and cl-mandatory-audit.


How auditors test it

Three audit pathways:

RBI supervisory inspection. RBI's Department of Supervision conducts inspections under the Banking Regulation Act / RBI Act; outsourcing is a standard inspection scope. Inspectors review the IT Outsourcing Policy, the inventory of arrangements with materiality classification, due diligence files for sample critical arrangements, sample contracts, ongoing monitoring evidence, incident records, BCP test reports, and exit strategy documents. RBI has historically been active in this area; non-compliant arrangements have driven supervisory action.

Internal IS audit as required by ITGRCA Chapter VI. Annual cycle covering risk-based scope; IT outsourcing is a standard internal audit scope item.

External assurance through CERT-In empanelled firms for VAPT covering outsourced infrastructure, and through specialist firms for ITO 2023 gap analyses.

Evidence patterns at an ITO-relevant inspection:

  • Board-approved IT Outsourcing Policy with date trail.
  • Inventory of outsourcing arrangements with materiality classification.
  • Due diligence files for sample critical arrangements (3-5 sampled).
  • Sample contracts for material arrangements (3-5 sampled) reviewed against ITO 2023 contractual requirements.
  • Ongoing TPSP monitoring evidence: performance reviews, security assessments, audit-right exercise records.
  • Incident records showing TPSP-side incidents and RE response.
  • BCP / DR test reports covering outsourced services.
  • Exit strategies for material arrangements.
  • For cloud outsourcing: CSP selection rationale, MeitY empanelment verification, shared responsibility matrix, data residency posture.
  • For SOC outsourcing: MSSP contract, scope and SLA, alerting integration, periodic effectiveness review.

Common findings in recent inspections:

  • Materiality classification not applied to a significant arrangement; consequently a Board oversight gap.
  • Contract for an existing arrangement not updated during the glide-path window; legacy contract clauses inadequate for ITO 2023.
  • Cloud arrangement where the CSP region used is not MeitY-empanelled.
  • TPSP right-to-audit clause exists but never exercised; the RE has no recent independent assessment of TPSP-side controls.
  • Exit strategy theoretical; not tested.
  • Sub-contracting by the TPSP without the RE's knowledge; flow-down approval clause not enforced.


How it relates to other frameworks

ITO 2023 sits adjacent to ITGRCA and integrates with the broader RBI cyber-and-IT stack:

  • RBI ITGRCA 2023: governance umbrella. ITGRCA Chapter II requires Board-level oversight of outsourcing; ITO 2023 provides the operational specifics.
  • RBI CSF 2016: operational cyber controls for banks; integrates with ITO 2023 where outsourced services touch the cyber-control surface.
  • RBI (Outsourcing of Financial Services) 2006 and updates: the broader outsourcing framework covering non-IT outsourcing. ITO 2023 is the IT-specific Master Direction within that broader framework.
  • RBI Cyber Resilience and Digital Payment Security Controls 2024: for non-bank PSOs; concept-equivalent provisions for payment-sector outsourcing.
  • SEBI Cloud Framework 2023: for entities that are both SEBI REs and RBI REs (rare but possible), both apply.
  • CERT-In Direction 70B: 6-hour incident reporting applies to TPSP-side incidents affecting the RE.
  • DPDPA 2023 + Rules 2025: from May 2027, TPSPs processing personal data on behalf of REs are Data Processors under DPDPA; the RBI ITO 2023 contractual provisions overlap with DPDPA processor obligations.
  • ISO/IEC 27001:2022: many TPSPs hold ISO 27001 certification; useful in due diligence but does not substitute for the RE's own assessment.
  • ISO/IEC 27017:2015: cloud security extension; relevant for cloud TPSPs.
  • AICPA SOC 2 Trust Services Criteria: TPSP attestation framework commonly referenced in due diligence.
  • CSA STAR Certification: cloud-specific assurance referenced in due diligence for cloud TPSPs.

ControlForge cross-walks ITO 2023 against the general supplier-policy and cloud-shared-responsibility clusters and against the parallel SEBI Cloud Framework for entities with overlapping regulatory scope.


Common pitfalls

Five recurring failure patterns:

  1. Materiality classification under-applied. Some arrangements clearly material (core banking SaaS, cloud-hosted critical applications, AML/KYC TPSPs) are classified as non-material to avoid the additional governance overhead. RBI inspections push back. Fix: structured materiality methodology with documented thresholds; Board-reviewed materiality decisions; periodic reassessment.

  2. Existing arrangements not updated within the glide-path window. The 12-month and 36-month windows have closed; existing arrangements that were renewed under old contracts are now non-compliant. Fix: prioritised contract renegotiation programme; documented compliance posture per arrangement.

  3. CSP / TPSP audit reports accepted in lieu of entity-specific assessment. A TPSP's SOC 2 or ISO 27001 covers the TPSP's general controls but does not address the RE-specific configuration, the data flows, or the RE-specific contractual obligations. Fix: TPSP audit reports as inputs to, not substitutes for, RE-conducted due diligence including configuration review.

  4. Sub-contracting by the TPSP not visible. TPSPs sub-contract aspects of service delivery; the RE's contract requires notification / approval but the operational process is weak. Fix: structured sub-contracting flow-down with documented notification and approval; periodic sub-processor inventory review.

  5. Exit strategy theoretical. The exit document exists but key elements (data return mechanism, transition assistance from outgoing TPSP, capability to migrate to alternative or in-house) have not been tested. Fix: scoped exit drill for one material arrangement annually; documented findings and remediation.

Two further patterns:

  6. Right-to-audit clause exists but never exercised. The contract includes the right but the RE does not actually conduct independent audits of the TPSP. Fix: scheduled right-to-audit exercise for critical TPSPs at least biennially; documented audit findings and TPSP responses.

  7. Cloud arrangement region not MeitY-empanelled. Default cloud region selection without verification; data residency requirements (under DPDPA, sectoral rules) may layer on top of ITO 2023. Fix: explicit MeitY empanelment verification per CSP region; documented regional architecture.

Inspection observations through 2025-2026. RBI supervisory examinations focused on ITO 2023 have surfaced a consistent set of recurring observations:

  • The glide-path window has closed, and entities that did not refresh existing arrangements during the window face disproportionate inspection scrutiny on those legacy contracts.
  • Materiality classification is examined closely, with examiners challenging classifications that appear to under-call material arrangements.
  • Exit strategy testing is a particular focus: examiners ask not just whether an exit document exists but whether it has been exercised or stress-tested, and most entities find this is the weakest area of their ITO 2023 posture.
  • CSP outsourcing arrangements receive disproportionate examination time given the materiality of cloud to most REs' IT delivery.


When to use this framework

ITO 2023 compliance is mandatory for in-scope REs. Operational considerations:

  • Greenfield outsourcing: framework-compliant from day one is easier than retrofitting.
  • Brownfield (existing arrangements): the glide-path windows have closed; existing arrangements that haven't been refreshed against ITO 2023 are supervisory exposures.
  • Cloud migration planning: ITO 2023 + Annexure 1 + (where applicable) SEBI Cloud Framework form the regulatory backbone; coordinated implementation reduces effort.
  • Material arrangement Board approval workflow: many REs need to formalise this workflow if it wasn't structured before ITO 2023.
  • CCO involvement: under ITGRCA's broader CCO independence requirements, the CCO's certification of compliance includes outsourcing arrangements; budget and authority for the CCO function accordingly.

For RBI REs outside ITO 2023's scope (Tier 1/2 UCBs, Base Layer NBFCs), the general RBI outsourcing principles still apply through other circulars. Such REs may treat ITO 2023 as a reference but the binding obligations are lighter.


Further reading

  • RBI (Outsourcing of Information Technology Services) Directions, 2023 — https://www.rbi.org.in/Scripts/NotificationUser.aspx
  • RBI Master Direction on IT Governance (ITGRCA) — https://www.rbi.org.in/
  • RBI Cyber Security Framework for Banks 2016 — https://www.rbi.org.in/
  • RBI Master Direction on Outsourcing of Financial Services (2006 / updates) — https://www.rbi.org.in/
  • RBI Cyber Resilience and Digital Payment Security Controls 2024 — https://www.rbi.org.in/
  • SEBI Cloud Framework (parallel cloud regulatory regime for SEBI REs) — https://www.sebi.gov.in/
  • ControlForge clusters: cl-supplier-policy, cl-cloud-shared-responsibility, cl-third-party-due-diligence, cl-supply-chain-risk, cl-bcp-ict-readiness, cl-incident-reporting-external, cl-data-processing-agreement — ITO 2023 cross-walked against RBI ITGRCA / CSF, SEBI Cloud Framework, ISO 27001 / 27017, AICPA SOC 2, and CSA CCM.

The cross-walk is particularly relevant for entities operating large outsourcing portfolios where TPSP certifications (ISO 27001, SOC 2, STAR) feed into the RE's due diligence; the cluster mapping surfaces the controls where TPSP-side evidence reduces the RE's own assessment burden without substituting for RE-specific verification.


This guide is a practitioner reference, not legal advice. It reflects the RBI (Outsourcing of Information Technology Services) Directions, 2023 effective 1 October 2023 and publicly available RBI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current Master Direction text and counsel review.