Reserve Bank of India (RBI) and Insurance Regulatory and Development Authority of India (IRDAI)
About RBI and IRDAI
The Reserve Bank of India (RBI), India's central banking institution, the Insurance Regulatory and Development Authority of India (IRDAI), and the Ministry of Electronics and Information Technology (MeitY) comprise three of the key financial industry regulators overseeing banks, insurance organizations, and market infrastructure institutions. Their directives include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data.
Outsourcing and risk management guidance includes:
- Guidelines on Managing Risk and Code of Conduct in Outsourcing of Financial Services by Banks (RBI) address the risks that regulated banks would be exposed to while outsourcing financial services and help ensure that outsourcing does not impede the supervisory role of the RBI. The RBI does not require prior approval for banks seeking to outsource financial services; however, core banking functions, such as internal audit and compliance functions, should not be outsourced.
- Guidelines on Information Security, Electronic Banking, Technology Risk Management, and Cyber Frauds (RBI). Financial institutions must report outsourcing arrangements where the scale and nature of the activities are significant or require extensive data sharing with service providers outside of India. This guidance applies particularly if operational data is stored or processed outside India.
- Outsourcing of Activities by Indian Insurers Regulation (IRDAI). Every year, insurance organizations are required to report outsourcing to IRDAI of certain support functions of core activities within 45 days of the close of the financial year. (Page 7 in the Microsoft checklist describes what constitutes “support functions of core activities.”
Financial firms using cloud services must also comply with privacy rules, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (MeitY). Developed to strengthen India’s data protection laws, these rules govern the protection and handling of sensitive personal data.
Microsoft, RBI, and IRDAI
To help guide financial institutions in India considering outsourcing business functions to the cloud, Microsoft has published a compliance checklist for financial institutions in India. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.
When Indian financial institutions outsource business activities to the cloud, they must follow the guidelines of the Reserve Bank of India for managing risk and addressing the issues that arise from the use of information technology. They must also comply with the data security and privacy requirements established by the Ministry of Electronics and Information Technology (MeitY). In addition, insurance organizations must follow outsourcing guidelines published by the Insurance Regulatory and Development Authority of India (IRDAI).
The Microsoft checklist helps financial firms in India that are conducting due-diligence assessments of Microsoft business cloud services and includes:
- An overview of the regulatory landscape for context.
- A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.
Microsoft in-scope cloud services
How to implement
- Compliance checklist for India: Financial firms can get help conducting risk assessments of Microsoft business cloud services.
- Risk Assessment & Compliance Guide: Create a governance model for risk assessment of Microsoft cloud services, and regulator notification.
- Financial use cases for Azure: Use case overviews, tutorials, and other resources to build Azure solutions for financial services.
Frequently asked questions
Are there any mandatory terms that must be included in the contract with the cloud services provider?
Yes. The guidelines referenced above stipulate some specific points that financial institutions must incorporate into their cloud services contracts. Part 2 of the checklist (page 70) maps these against the sections in the Microsoft contractual documents where they are addressed.