What changed
RBI issued the Reserve Bank of India (Payments Banks – Managing Risks in Outsourcing) Directions, 2025, replacing any prior instructions. The directions cover both financial services outsourcing (Chapter III) and IT services outsourcing (Chapter IV), with specific provisions for cloud computing, security operations centres, and offshore arrangements. Existing IT outsourcing agreements must comply by April 10, 2026, or at renewal, whichever is earlier; new agreements must comply immediately.
What it means for you
Payments Banks must now formalize their outsourcing governance with board-approved policies, detailed risk assessments, and robust monitoring frameworks. The directions impose stricter accountability on senior management and require explicit contractual clauses for confidentiality, business continuity, and grievance redressal. Non-compliance could attract regulatory action under Section 35A of the Banking Regulation Act, 1949.
What you must do
- Review all existing outsourcing agreements (financial and IT) against the new directions and plan compliance by April 10, 2026, for IT contracts.
- Ensure board approval of a comprehensive outsourcing policy covering risk evaluation, service provider due diligence, and termination clauses.
- Update outsourcing contracts to include provisions for subcontracted activities, prior approval, and data security requirements.
- Establish a monitoring framework for outsourced services, including business continuity and disaster recovery plans.
- Prepare a grievance redressal mechanism for customers affected by outsourced services.
Who it affects
Payments Banks in India, Senior management and boards of Payments Banks, Service providers (including group entities and offshore vendors) to Payments Banks, IT and risk management teams within Payments Banks
When do existing IT outsourcing agreements need to comply with these directions?
Existing IT outsourcing agreements must comply either at the time of renewal or by April 10, 2026, whichever is earlier. New agreements signed after the effective date must comply immediately.
What activities cannot be outsourced under these directions?
The directions specify certain activities that shall not be outsourced, though the exact list is detailed in Chapter III of the document. Banks must refer to the full text for the prohibited list.
Do these directions apply to subcontracted activities?
Yes, the provisions apply mutatis mutandis to subcontracted activities, and the outsourcing contract must require the bank's prior approval before any subcontracting.