Reserve Bank of India (RBI) and Insurance Regulatory and Development Authority of India (IRDAI)

About RBI and IRDAI

The Reserve Bank of India (RBI), India's central banking institution, the Insurance Regulatory and Development Authority of India (IRDAI), and the Ministry of Electronics and Information Technology (MeitY) comprise three of the key financial industry regulators overseeing banks, insurance organizations, and market infrastructure institutions. Their directives include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data.

Outsourcing and risk management guidance includes:

Financial firms using cloud services must also comply with privacy rules, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (MeitY). Developed to strengthen India's data protection laws, these rules govern the protection and handling of sensitive personal data.

Microsoft, RBI, and IRDAI

To help guide financial institutions in India considering outsourcing business functions to the cloud, Microsoft has published a compliance checklist for financial institutions in India. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they are complying with applicable regulatory requirements.

When Indian financial institutions outsource business activities to the cloud, they must follow the guidelines of the Reserve Bank of India for managing risk and addressing the issues that arise from the use of information technology. They must also comply with the data security and privacy requirements established by the Ministry of Electronics and Information Technology (MeitY). In addition, insurance organizations must follow outsourcing guidelines published by the Insurance Regulatory and Development Authority of India (IRDAI).

The Microsoft checklist helps financial firms in India that are conducting due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework and provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.

Microsoft in-scope cloud services

How to implement

Frequently asked questions

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes. The guidelines referenced above stipulate some specific points that financial institutions must incorporate into their cloud services contracts. Part 2 of the checklist (page 70) maps these against the sections in the Microsoft contractual documents where they are addressed.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources