RBI warns of outsourcing risks after global IT outage

MUMBAI, INDIA — Reserve Bank of India (RBI) Deputy Governor M. Rajeshwar Rao raised alarms regarding increasing cybersecurity risks and the growing dependency of financial services on outsourcing.
His comments came just days after a global IT outage — caused by a faulty CrowdStrike software update for Microsoft — disrupted operations across various industries, including airlines, banks, and hospitals.
“The first issue I would like to discuss is the issue of third-party dependence and outsourcing arrangements in regulated entities (REs), because last Friday essentially reflects the kind of risks I am talking about,” Rao stated at the BFSI summit organized by CareEdge Ratings.
Outsourcing risks and vendor lock-in
Rao acknowledged that while outsourcing and third-party dependencies can enhance efficiency, reduce costs, and improve customer experience, they also pose significant risks.
One primary concern is the selection of outsourcing partners or lending service providers (LSPs) and ensuring their reliability, security, and regulatory compliance.
Rao noted that dependency on third parties can create vendor lock-in, where reliance on a single vendor for critical services, or a lack of vendor diversification, can increase dependency risks and limit an entity’s flexibility to adapt to changing market conditions or technological advancements.
Cybersecurity preparedness
Cybersecurity remains a critical area for financial institutions. Rao emphasized the need for financial entities to assess and ensure the preparedness of third-party service providers to protect digital assets and customer information.
The recent IT outage, which affected 8.5 million computers worldwide, highlighted the vulnerabilities in relying heavily on external vendors.
Customer conduct and transparency
Rao also highlighted issues related to customer conduct and transparency within financial entities. He noted that some entities fall short in providing timely responses to customer queries and complaints, leading to customer dissatisfaction.
Additionally, there are concerns over the lack of transparency regarding fees, charges, and penal provisions, often resulting in disputes and complaints.
“We continue to observe instances of slow response times to customer queries and complaints, lengthy wait times on customer service hotlines and delayed email responses, contributing to customer dissatisfaction,” he stated.
Regulatory actions and grievance redressal
Rao pointed out that poorly managed third-party relationships could lead to customer dissatisfaction, reputational damage, and even regulatory and supervisory actions.
He urged financial entities to ensure that LSPs have suitable grievance redressal mechanisms in place, as mandated by digital lending guidelines.
“Lengthy and cumbersome account closure procedures, coupled with unclear requirements and documentation, frustrate customers and prolong their association with the entity against their wishes,” Rao added.
Call for active board involvement
Rao concluded by urging the boards of financial entities to take an active role in identifying and approving the heads of control and assurance functions.
He emphasized the importance of clear communication between the board and heads of control and assurance functions to ensure comprehensive risk assessment across different business units.
The RBI continues to push for greater transparency and accountability in the financial sector, aiming to protect customer interests and maintain trust in the system.
Lessons from the global IT outage
Derek Gallimore, Founder and CEO of Outsource Accelerator, emphasized the critical lessons businesses should learn from the Microsoft-CrowdStrike incident.
“The ripple effects from a single software update failure highlight just how fragile our interconnected systems are,” Gallimore noted. “For many organizations, the incident uncovered an uncomfortable truth: their operations rely heavily on systems and services beyond their control.”
While outsourcing IT functions can be beneficial for expertise and cost efficiency, it also introduces vulnerabilities that need careful management.
Gallimore suggests that businesses need to take a proactive approach to their IT infrastructure and outsourcing relationships. This doesn’t mean abandoning outsourcing altogether but rather implementing a more nuanced, risk-aware approach.
Strategies include diversifying the organization’s technology stack, maintaining in-house expertise, implementing rigorous testing protocols, and developing robust contingency plans.
The Microsoft-CrowdStrike outage also served as a wake-up call for businesses across all sectors, signaling that it is time to shift from a mindset of IT cost optimization to one of operational resilience.