RBI instructs regulated entities to improve operational resilience



The Reserve Bank of India (RBI) has issued a directive to all regulated entities (REs) to bolster their operational resilience, as outlined in a guidance note released on Tuesday.

This move follows recent actions taken against Kotak Mahindra Bank and underscores the increasing reliance of India's financial sector on third-party providers, necessitating improved risk management practices.

In the guidance note, the RBI emphasizes the imperative for all REs to establish robust information and communication technology (ICT) risk management programs that align with their operational risk management frameworks. Notably, while previous RBI guidance on operational risk management primarily targeted commercial banks, this broader directive now extends to all REs, including non-bank entities and all-India financial institutions.

The directive underscores the importance of managing dependencies on external relationships, such as third parties and intragroup entities, for critical operations. REs are mandated to conduct thorough risk assessments and due diligence before engaging with external parties.

Moreover, the regulations governing the outsourcing of IT activities to third parties, effective since October 2023, aim to ensure that such arrangements do not compromise REs' ability to fulfill customer obligations or impede effective oversight by the RBI.

The guidance note further stipulates that REs must ensure that third-party providers, including intragroup entities, maintain operational resilience levels comparable to their own, both in routine operations and during disruptions. REs are also required to develop and implement response and recovery plans to manage incidents that could disrupt critical operations, aligning with their risk appetite and tolerance for disruption.

Additionally, the guidance advises against further outsourcing functions without appropriate risk management strategies in place. It also emphasizes the inclusion of clauses in agreements with service providers, holding them contractually liable for the performance and risk management practices of their subcontractors.

Furthermore, the RBI urges REs to prioritize cybersecurity measures and develop contingency plans to safeguard the integrity of critical information in the event of security breaches.

In summary, the RBI's recommendations aim to fortify the operational resilience of all regulated entities in the financial sector, ensuring robust risk management practices and safeguarding against potential disruptions.

