Mandatory Contract Clauses

RBI Master Directions on IT Outsourcing prescribe specific clauses that must be present in every IT outsourcing agreement. RBI inspectors verify these clause-by-clause during on-site examination.

Scope of services — Clear, detailed description of services outsourced, including service levels, deliverables, and performance metrics
Roles and responsibilities — Explicit delineation of responsibilities between the bank and the service provider
Confidentiality and data protection — Binding obligations for protection of customer data and bank proprietary information
Sub-contracting restrictions — Prior written approval required for any sub-contracting; bank retains right to reject sub-contractors
Regulatory and audit access — RBI and its authorised representatives have unrestricted access to the service provider's premises, systems, and records
Business continuity and disaster recovery — Vendor must maintain tested BCP/DR with documented RPO/RTO aligned to bank's requirements
Service level agreements (SLAs) — Measurable SLAs with penalties for non-performance and reporting frequency
Termination and exit management — Clear termination triggers, notice periods, transition support obligations, and data handover
Indemnification — Service provider indemnifies the bank for losses due to provider's negligence, breach, or non-compliance
Intellectual property — Ownership of data, customisations, and work products clearly defined
Governing law and dispute resolution — Indian law governs; dispute resolution through Indian arbitration or courts
Material outsourcing declaration — Clause acknowledging the arrangement as material outsourcing (if applicable) with reporting to RBI
Inspection Finding: Missing or incomplete mandatory clauses is one of the most common RBI IT examination findings. Inspectors compare contracts against the Master Directions clause-by-clause. Ensure every outsourcing agreement is reviewed against this checklist before execution.

Audit Rights Verification

RBI places significant emphasis on audit rights as a non-negotiable element of IT outsourcing. These rights must be contractually enforceable and practically exercisable.

RBI direct access — Contract explicitly grants RBI (or its authorised representatives) the right to access, inspect, and audit the service provider
Bank's internal audit — Bank's internal audit team has contractual right to audit the outsourced activity at any time with reasonable notice
External auditor access — Bank's statutory auditors and IS auditors can audit the service provider's operations and controls
Sub-contractor audit trail — Audit rights extend to all sub-contractors engaged by the service provider
On-site inspection — Right to conduct on-site inspection of the service provider's facilities, including data centres
Documentation access — Access to all relevant records, logs, reports, and documentation related to the outsourced services
Audit frequency — Minimum annual audit of material outsourcing arrangements; more frequent for critical services
Remediation tracking — Audit findings must be tracked to closure with defined timelines and escalation for overdue items

Service Continuity Obligations

Service continuity for outsourced IT activities is treated by RBI as a systemic risk concern, not just a contractual matter.

BCP/DR plan — Service provider maintains a documented and tested Business Continuity Plan aligned with bank's continuity requirements
Annual DR testing — Disaster recovery failover tested at least annually with documented results shared with the bank
RPO/RTO alignment — Service provider's recovery objectives match or exceed the bank's requirements for the outsourced activity
Incident communication — Service provider must notify the bank within 2 hours of any service disruption affecting the outsourced activity
Redundancy architecture — Critical outsourced services must have redundant infrastructure (no single point of failure)
Pandemic/force majeure provisions — Continuity obligations during extended disruptions including remote working arrangements
Dependency mapping — Bank maintains a map of all dependencies on the service provider, including upstream and downstream systems
Concentration risk assessment — Assessment of vendor concentration risk across the bank's outsourcing portfolio

Exit Management Provisions

Exit management is one of the most scrutinised areas during RBI IT examination. An outsourcing arrangement without a viable exit plan is a material risk finding.

Exit plan documented — Detailed exit/transition plan created at the start of the outsourcing arrangement (not when exit is triggered)
Notice period — Minimum 6-month notice period for either party; longer for complex or critical services
Transition support — Service provider obligated to provide transition support (knowledge transfer, documentation, parallel run) for minimum 6 months
Data migration — Complete data extraction and migration in bank-specified format within agreed timelines
Data deletion post-exit — Service provider must delete all bank data after successful migration and provide a deletion certificate
Source code / configuration escrow — For custom-developed systems, source code escrow arrangement in place
Alternative provider readiness — Bank has identified and pre-qualified at least one alternative provider for material outsourcing
Exit testing — Exit plan tested (at least as a tabletop exercise) at least once during the contract period
Costs — Exit and transition costs clearly defined in the contract; no exit-penalty clauses that could impede the bank's ability to exit
Common Pitfall: Many banks discover during RBI inspection that their exit plans are either non-existent or untested. RBI expects exit plans to be created at contract inception and tested periodically. A contract without a viable exit plan is a material risk finding.

Data Localisation Declarations

RBI's data localisation requirements mandate that all payment system data and customer data must be stored in India. This applies to all outsourced IT activities handling such data.

Data residency declaration — Service provider provides a signed declaration that all bank/customer data is stored and processed in India
Data centre location disclosure — Full disclosure of all data centre locations (primary, DR, backup) where bank data resides
No offshore access — Contractual prohibition on accessing bank data from outside India without explicit approval and safeguards
Cloud provider compliance — If cloud-hosted, confirmation that the cloud region is in India and data does not leave Indian borders
Backup and DR in India — All backup copies and DR replicas stored within India
Log data in India — All security and operational logs related to bank data processed and stored in India (aligned with CERT-In 180-day requirement)
Annual compliance certificate — Service provider issues annual data localisation compliance certificate to the bank
Audit verification — Data localisation verified through annual IS audit with evidence of data centre locations and access controls
RiskSage Capability: RiskSage by CreativeCyber automates RBI IT outsourcing compliance, covering mandatory clause gap analysis across all vendor contracts, audit rights tracking, service continuity monitoring, exit plan readiness scoring, and data localisation declaration management for banks and NBFCs.