What changed
RBI inserted a new sub-paragraph (7.4) into its 2006 outsourcing guidelines. It now mandates five specific safeguards for offshore outsourcing of financial services related to Indian operations.
What it means for you
Banks must renegotiate offshore contracts to guarantee RBI and auditor access, data sovereignty, and record retention in India. Non-compliance could expose banks to regulatory action or data leakage risks. This raises compliance costs but protects customer data and operational control.
What you must do
- Review all offshore outsourcing contracts for Indian operations to ensure they include clauses allowing RBI inspection and auditor visits.
- Confirm that records can be retrieved even if the offshore provider or the bank is liquidated.
- Ensure offshore regulators have no automatic access to Indian customer data.
- Verify that offshore courts cannot claim jurisdiction over Indian operations based on data processing location.
- Maintain all original records within India as required.
Who it affects
- All scheduled commercial banks (excluding RRBs) with offshore outsourcing arrangements for Indian operations
- Compliance and legal teams handling vendor contracts
- IT and data management departments managing offshore data processing
Does this apply to outsourcing to a bank's own group entity abroad?
Yes, the circular applies to all offshore outsourcing of financial services for Indian operations, regardless of whether the provider is a related party or a third party.
What happens if the offshore regulator refuses RBI inspection?
The bank must ensure the contract prevents such refusal; otherwise, the arrangement may be non-compliant and subject to regulatory action.