RBI/DOR/2025-26/363 | DOR.ORG.REC.No.282/21-04-158/2025-26
Date: November 28, 2025
The Reserve Bank of India (RBI) has issued the Non-Banking Financial Companies (Managing Risks in Outsourcing) Directions, 2025, marking a significant regulatory milestone for NBFCs operating in India. These Directions comprehensively redefine how NBFCs must govern, monitor, and manage risks arising from outsourcing of financial services and IT functions, including cloud, SOC, group entities, and offshore arrangements.
This post provides a section-wise analysis of the RBI Directions, 2025, covering applicability, timelines, governance requirements, data security obligations, vendor management, customer protection, and the key compliance takeaways for NBFCs.
1. Background & Regulatory Intent
Outsourcing has become an integral part of NBFC operations, particularly for technology platforms, customer servicing, data processing, analytics, and security monitoring. While outsourcing enables scalability and efficiency, it also introduces operational, cyber, legal, reputational, and concentration risks.
Recognising these risks, RBI has issued the NBFC Managing Risks in Outsourcing Directions, 2025 to:
- Strengthen governance and accountability
- Enhance data protection and cyber resilience
- Ensure uninterrupted customer services
- Maintain supervisory visibility and control
- Prevent dilution of customer rights
These Directions align NBFC outsourcing practices with RBI’s broader focus on operational resilience and third-party risk management (TPRM).
2. Applicability of RBI Outsourcing Directions, 2025
The Directions apply to all categories of NBFCs, as per their regulatory layer, including:
- NBFC-D (Deposit taking NBFCs)
- NBFC-ICC
- NBFC-MFI
- NBFC-IFC
- Housing Finance Companies (HFCs)
- Core Investment Companies (CICs)
- Standalone Primary Dealers (SPDs)
- NBFC-P2P
- NBFC-Account Aggregators (NBFC-AA)
- Mortgage Guarantee Companies (MGCs)
Both financial outsourcing and IT outsourcing arrangements fall within the scope of these Directions.
3. Effective Date & Transition Timelines
- Immediate effect from November 28, 2025
- New IT outsourcing contracts: Must comply immediately
- Existing IT outsourcing contracts:
  - Transition allowed until April 10, 2026, or contract renewal, whichever is earlier
NBFCs are expected to realign contracts, policies, and governance frameworks within the prescribed timelines.
4. Governance Framework & Accountability
4.1 Role of the Board of Directors
The Board bears ultimate responsibility for all outsourcing arrangements. Key responsibilities include:
- Approving outsourcing and IT outsourcing policies
- Defining approval frameworks based on materiality and risk
- Ensuring identification and resolution of conflicts of interest
- Reviewing adverse developments, incidents, and outsourcing risks
- Ensuring outsourcing does not compromise customer protection or regulatory compliance
4.2 Role of Senior Management
Senior Management is responsible for execution and ongoing oversight, including:
- Assessing materiality and risks before outsourcing
- Implementing Board-approved policies
- Ensuring business continuity plans (BCP) and disaster recovery plans (DRP) are in place for outsourced activities
- Enabling independent audit and review mechanisms
- Building adequate in-house expertise to oversee outsourced activities
4.3 Role of the IT Function
For IT outsourcing, the IT function must:
- Maintain a centralised register of all IT outsourcing arrangements
- Monitor vendors against performance and security SLAs
- Track vendor risks, incidents, and compliance posture
- Support audits, inspections, and reporting requirements
5. Risk Management & Materiality Assessment
NBFCs must establish a comprehensive risk management framework covering:
- Strategic risk
- Operational risk
- Legal and compliance risk
- Concentration and dependency risk
- Reputational risk
- Cyber and data security risk
Materiality assessment must consider:
- Criticality of outsourced activity
- Impact on customers and financial stability
- Data sensitivity
- Substitutability of service provider
Risk assessments must be documented, periodically reviewed, and reported to the Board.
6. Data Protection, Confidentiality & Cyber Security
RBI has placed strong emphasis on data ownership and accountability.
Key obligations include:
- NBFCs remain fully responsible for confidentiality, integrity, and availability (CIA) of customer data
- Strict need-to-know access controls
- Clear segregation of NBFC data from other customers' data (no co-mingling), especially in multi-tenant environments
- Secure identity and access management (IAM)
- Encryption and secure configurations
7. Incident Management & RBI Reporting
- Service providers must promptly notify the NBFC upon detection of security incidents affecting its services or data
- NBFCs must report material IT or cyber incidents to RBI within 6 hours of becoming aware
- Clear incident escalation, investigation, and resolution frameworks are mandatory
This requirement significantly tightens RBI’s expectations around real-time supervisory visibility.
8. Vendor Due Diligence & Contractual Safeguards
NBFCs must conduct risk-based due diligence on vendors and subcontractors, covering:
- Cyber security posture
- Data handling and segregation controls
- Regulatory compliance capability
- Financial stability and operational resilience
Mandatory Contractual Clauses
Outsourcing agreements must include:
- Scope of services and performance SLAs
- Information security and data protection obligations
- Incident and adverse event reporting timelines
- RBI and NBFC audit and inspection rights
- Subcontracting controls with back-to-back obligations
- Business continuity and disaster recovery
- Termination, exit strategy, and data return/purge provisions
- Cooperation during insolvency or regulatory directions
9. Business Continuity, DRP & Exit Strategy
NBFCs must ensure:
- An up-to-date inventory of outsourced IT and other services
- BCP and DRP tested periodically based on criticality
- Well-defined exit strategies covering:
  - Data migration and secure deletion
  - Continuity of services
  - Minimum transition period
  - Cooperation obligations of vendors
Exit planning is required from the contract onboarding stage, not only at termination.
10. Customer Protection & Grievance Redressal
Outsourcing must not dilute customer rights.
Key requirements:
- NBFC retains full responsibility for customer grievances
- Grievance Redressal Officer (GRO) details must remain visible
- Clear escalation timelines and access to the RBI Ombudsman/Consumer Education and Protection Cell (CEPC)
- Outsourcing cannot be cited as a defence for service failures
11. Special Focus Areas Under the Directions
11.1 Cloud Outsourcing
- Governance across the entire data lifecycle
- Management of multi-tenant and geographical risks
- NBFC-controlled encryption keys and HSMs
- Secure IAM and configuration management
- Audit and inspection rights for RBI and NBFC
11.2 SOC (Security Operations Centre) Outsourcing
- NBFC retains ownership of logs, alerts, and custom rules
- Quality and accuracy of alerts to be periodically reviewed
- Escalation and response integrated with NBFC systems
11.3 Group Entities & Offshore Outsourcing
- Arm’s-length arrangements even within group entities
- Physical and logical demarcation where infrastructure is shared
- Confidentiality and enforceability for offshore locations
- Originals of critical data to remain accessible in India
- RBI and NBFC audit rights extend to offshore locations
- Country risk assessment and contingency planning
12. Key Compliance Takeaways for NBFCs
- Immediate compliance for new outsourcing contracts
- Existing IT contracts must align by April 10, 2026
- Board-driven governance and oversight are non-negotiable
- Data protection and incident reporting are critical focus areas
- NBFCs remain accountable to RBI and customers at all times
Conclusion
The RBI NBFC Managing Risks in Outsourcing Directions, 2025 significantly raise the compliance bar for NBFCs. Outsourcing is no longer a back-office decision; it is a Board-level risk governance issue.
NBFCs should proactively:
- Update outsourcing and IT policies
- Review and renegotiate vendor contracts
- Strengthen incident reporting and BCP frameworks
- Build internal TPRM and cyber oversight capabilities
Early alignment will not only ensure regulatory compliance but also enhance operational resilience and customer trust.
How We Can Assist
IPPC GROUP (I.P. Pasricha & Co.) supports NBFCs in aligning their outsourcing and IT frameworks with the RBI NBFC Managing Risks in Outsourcing Directions, 2025, including policy review, vendor compliance, and risk governance.