Indian financial sector's growing reliance on third-party providers mandates the need for better operational risk management and resilience, the Reserve Bank of India (RBI) said in a guidance note to all regulated entities (REs) on Tuesday.

All REs in India should implement a robust information and communication technology (ICT) risk management programme in alignment with their operational risk management framework, the RBI said.

The RBI's previous guidance note on operational risk management was meant only for commercial banks, but the fresh guidance shall apply to all REs, including non-banks and all-India financial institutions.

"REs should manage their dependencies on relationships, including those of, but not limited to, third parties (which include intragroup entities), for the delivery of critical operations," the RBI said.

All REs must perform a risk assessment and due diligence before entering into any arrangements with third parties or external entities.

The RBI's rules on outsourcing of IT activities to third parties came into effect in October 2023.

The rules ensure that outsourcing arrangements do not diminish regulated entities' ability to fulfil their obligations to customers, while also not impeding effective supervision by the RBI.

The REs should also verify whether the third party, including the intragroup entity to these arrangements, has at least an equivalent level of operational resilience to safeguard critical operations under normal circumstances and in the event of a disruption.

"REs should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the RE's risk appetite and tolerance for disruption," the note added.

The RBI also cautioned the regulated entities about further outsourcing of functions managed by third-party service providers and asked that these risks be managed appropriately.

"REs, in their agreement with the service providers, should include clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors," it said.

The central bank also asked the REs to focus on cyber security-related risks and recommended plans to be in place to maintain the integrity of critical information in the event of such a security breach.

(Reporting by Swati Bhat; additional reporting by Ira Dugal; Editing by Savio D'Souza and Sohini Goswami)