What changed
RBI issued guidelines in 2013 for banks that share IT resources, giving a structured framework for evaluating which assets can be shared, mapping data flows, and entering into service contracts that cover security, governance, and compliance. Banks must ensure that regulators retain access to all shared IT resources, even those hosted off the bank's premises.
What it means for you
Banks can collaborate to reduce IT costs by sharing infrastructure and applications, but must maintain the same governance and security standards they apply to their own resources. This gives smaller banks access to more advanced IT capabilities, while every participating bank must strengthen vendor risk management and audit readiness. Failure to meet the data-flow, privacy, or regulator-access requirements could attract regulatory action.
What you must do
- Identify and classify IT assets (data, applications, processes) that are candidates for sharing; sharing of critical infrastructure or applications needs management approval, at board level where the criticality of the asset warrants it.
- Conduct thorough due diligence on service providers, including other banks, ensuring they meet all legal and regulatory requirements.
- Map data flows between your bank, service provider, and customers to assess risks and ensure data movement complies with RBI norms.
- Draft comprehensive service contracts covering architecture, governance, security, business continuity, and audit rights for regulators.
- Establish ongoing governance processes to monitor provider security maturity and maintain accountability for shared resources.
Who it affects
- All Scheduled Commercial Banks (excluding Regional Rural Banks, RRBs)
- IT and IS governance teams
- Risk and compliance departments
- Vendor management and procurement teams
- Board of Directors (for approval of sharing critical assets)
What types of applications can be shared under these guidelines?
Collaboration, housekeeping, office automation, and business applications are eligible for sharing. Sharing critical infrastructure or critical applications requires management approval, at board level where the criticality of the asset warrants it.
Do we need to allow RBI to audit shared IT resources?
Yes. The service contract must ensure that the country's regulators have access to all information resources consumed by the bank, even when those resources are not physically located on the bank's premises. The service provider must agree to audit and inspection by the regulators as a contractual term.