Outsourcing and risk management guidance includes:
Guidelines on Managing Risk and Code of Conduct in Outsourcing of Financial Services by Banks (RBI) address the risks that regulated banks would be exposed to while outsourcing financial services and help ensure that outsourcing doesn't impede the supervisory role of the RBI. The RBI doesn't require prior approval for banks seeking to outsource financial services; however, core banking functions, such as internal audit and compliance functions, shouldn't be outsourced.
Outsourcing of Activities by Indian Insurers Regulation (IRDAI). Every year, insurance organizations are required to report to IRDAI the outsourcing of certain support functions of core activities within 45 days of the close of the financial year. Page 7 in the Microsoft checklist describes what constitutes 'support functions of core activities.'
To help guide financial institutions in India considering outsourcing business functions to the cloud, Microsoft has published a compliance checklist for financial institutions in India. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they're complying with applicable regulatory requirements.
When Indian financial institutions outsource business activities to the cloud, they must follow the guidelines of the Reserve Bank of India for managing risk and addressing the issues that arise from the use of information technology. They must also comply with the data security and privacy requirements established by the Ministry of Electronics and Information Technology (MeitY). In addition, insurance organizations must follow outsourcing guidelines published by the Insurance Regulatory and Development Authority of India (IRDAI).
The Microsoft checklist helps financial firms in India that are conducting due-diligence assessments of Microsoft business cloud services and includes:
An overview of the regulatory landscape for context.
A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework, provide an internal structure for documenting compliance, and help customers conduct their own risk assessments of Microsoft business cloud services.
Compliance checklist for India: Financial firms can get help conducting risk assessments of Microsoft business cloud services.
Financial use cases for Azure: Use case overviews, tutorials, and other resources to build Azure solutions for financial services.
Frequently asked questions
Are there any mandatory terms that must be included in the contract with the cloud services provider?
Yes. The guidelines referenced above stipulate some specific points that financial institutions must incorporate into their cloud services contracts. Part 2 of the checklist (page 70) maps these against the sections in the Microsoft contractual documents where they're addressed.
Use Microsoft Purview Compliance Manager to assess your risk