In 2024, a major Indian cooperative bank suffered a long outage after a critical IT service provider experienced an internal systems failure. The bank’s customers were locked out of services for days. The RBI’s response was unambiguous: the bank, not the vendor, was responsible for the continuity, security and regulatory compliance of all outsourced IT functions.
This is the principle at the heart of every RBI direction on IT outsourcing: outsourcing transfers a function, not the accountability. Outsourcing does not lessen regulatory responsibility. Boards and senior management of regulated entities remain fully accountable for outsourced activities, irrespective of the nature, location or complexity of the service provider.
The regulatory framework: Two directions, one principle
IT outsourcing & third-party & vendor risk management under RBI Master Direction is governed by two primary instruments that work in parallel:
Master Direction on Outsourcing of IT Services (April 2023, effective October 2023)
This direction applies to scheduled commercial banks, some urban cooperative banks, NBFCs (excluding Base Layer), and All India Financial Institutions. It established the foundational framework for governing IT outsourcing risk, including due diligence requirements, contractual obligations, concentration risk management, subcontractor oversight and cyber incident reporting timelines. Existing contracts were required to comply by April 2024.
RBI (Non-Banking Financial Companies Managing Risks in Outsourcing) Directions, 2025 (issued November 2025)
This is the most significant recent update. The 2025 Directions redefine how NBFCs must govern, monitor and manage risks arising from outsourcing of financial services and IT functions, including cloud, SOC, group entities and offshore arrangements. For new outsourcing arrangements, these Directions apply immediately.
Together, these directions signal that the RBI has moved IT outsourcing to the centre of its supervisory focus. Regulated entities that treat vendor management as merely a formal exercise, rather than a risk governance obligation, are the ones most exposed during supervisory inspections.
The 6 core vendor risk obligations every regulated entity must meet
The requirements across both directions converge around six core obligations. These apply regardless of whether the vendor is a large cloud provider, a niche fintech or a group entity.
Due diligence before engagement
Before onboarding any vendor for material IT services, regulated entities must assess the service provider’s financial soundness, past performance, business reputation, technology infrastructure stability and data protection controls.
Contractual controls that are enforceable
The contract is the compliance instrument. Contracts must give RBI or persons authorised by it the right to perform inspection of the service provider and any of its sub-contractors, and to access the regulated entity’s IT infrastructure, applications and data stored or processed by the service provider. Any clause that conditions RBI’s inspection rights on vendor consent is non-compliant.
Concentration risk management
The guidelines require Board-level oversight of material outsourcing arrangements, thorough service provider due diligence, continuous monitoring and concentration risk management. Where a regulated entity depends on a single vendor for a critical function – or where multiple regulated entities depend on the same provider – exit strategies and fallback plans must be documented and tested.
Subcontractor oversight
Service providers may not subcontract outsourced activities without prior approval of the regulated entity. All regulatory obligations must flow down contractually, and the principal service provider remains fully liable for acts and omissions of subcontractors.
Cyber incident reporting through the vendor chain
For IT outsourcing, cyber incidents must be reported to RBI within six hours of detection. This effectively requires outsourcing contracts to prescribe tight and operationally realistic notification timelines for vendors. If the vendor detects a breach at 2 AM, the regulated entity’s 6-hour clock with the RBI starts at the same moment.
Continuous performance monitoring
RBI requires continuous monitoring of service provider performance, audit rights in outsourcing contracts, and periodic audits validating control effectiveness. Monitoring is not a one-time review – it is an ongoing governance obligation with documented evidence of SLA tracking, incident reviews and risk reassessments.
What the 2025 NBFC Directions change specifically
The November 2025 NBFC Outsourcing Directions tighten the framework in several areas that the earlier direction left ambiguous:
- Supply chain transparency: NBFCs must now contractually require vendors to disclose all third parties (sub-contractors) in their supply chain relevant to the outsourcing arrangement and must have the right to seek information about them.
- Immediate effect for new arrangements: Unlike the April 2023 IT Outsourcing Direction, which allowed a transition period, the 2025 Directions apply to new outsourcing arrangements immediately from the date of issue.
- Data segregation: Vendors must maintain clear separation and isolation of the NBFC’s data from other clients’ data, particularly relevant for shared cloud infrastructure and multi-tenant SaaS platforms.
- Legacy contract remediation: Existing contracts must transition to the new directions by April 10, 2026. Regulated entities should remediate legacy contracts through RBI-compliant addenda rather than waiting for renewal cycles.
Conclusion
Regulated entities that have not yet audited their vendor portfolios against the updated framework are already behind, particularly those with existing contracts approaching the April 2026 transition deadline.
At CyberNX, our RBI Master Direction Compliance Services help banks and NBFCs build vendor risk governance frameworks that satisfy regulatory scrutiny – from due diligence processes and contract reviews to third-party security assessments and concentration risk analysis. If your organisation is working through IT outsourcing & third-party & vendor risk management under RBI Master Direction and needs expert guidance, our team is ready to help. Connect with us today.
IT Outsourcing & Third-Party & Vendor Risk Management Under RBI Master Direction FAQs
What is the difference between the RBI IT Outsourcing Direction (2023) and the NBFC Outsourcing Directions (2025)?
The Master Direction on Outsourcing of IT Services (April 2023) established the foundational framework for IT outsourcing risk management applicable to banks, select cooperative banks, NBFCs and financial institutions. The NBFC Managing Risks in Outsourcing Directions (November 2025) is a broader update specific to NBFCs, covering both financial and IT outsourcing, with immediate applicability for new arrangements and a transition deadline of April 10, 2026 for existing contracts.
What due diligence must regulated entities conduct before engaging an IT vendor?
Regulated entities must assess a vendor’s financial soundness, past performance, business reputation, technology infrastructure stability, data protection controls and independent market reviews before engagement. This assessment must be documented, and the assessment process itself must be governed by a Board-approved policy.
What are the vendor cyber incident reporting requirements under the RBI framework?
Vendors are required to report cyber incidents to the regulated entity immediately upon detection. The regulated entity must then report the incident to RBI within 6 hours of detection – meaning the clock begins from the moment the vendor becomes aware, not from when the regulated entity is informed.
How should regulated entities manage concentration risk in IT outsourcing?
Concentration risk arises when a regulated entity depends heavily on a single vendor or when multiple entities depend on the same provider for critical services. Regulated entities must identify concentration risk at the vendor level and at the geographic or infrastructure level, document exit strategies and fallback arrangements and demonstrate through periodic reviews that operational continuity is not dependent on any single point of failure.