The Rules Banks Must Follow When They Outsource — And Why the RBI Still Holds Them Responsible


In June 2022, the Reserve Bank of India discovered that several banks had effectively become backend utilities for fintech apps. The fintechs acquired the customers, designed the user experience, ran the credit algorithms, and set the loan terms. The banks supplied their licence and their balance sheet — and in some cases had no idea who their borrowers actually were. When defaults spiked and complaints flooded in, the RBI had to answer a question it had been circling for years: if a bank outsources everything except its name, who is responsible when things go wrong?

The answer, codified across two decades of circulars and now consolidated into the Commercial Banks – Managing Risks in Outsourcing Directions, 2025, is unambiguous. The bank is responsible. Always.

Why did the RBI regulate outsourcing in the first place?

The original circular landed on November 3, 2006. DBOD.NO.BP.40/21.04.158/2006-07 (since withdrawn) laid down the first comprehensive framework for managing risks in outsourcing of financial services by scheduled commercial banks. The timing was not accidental. Indian banks were rapidly contracting out customer-facing operations — call centres, loan recovery, data processing, cash management — and the regulator needed guardrails before the practice outran the rules.

"It is entirely for the banks to take a view on the desirability of outsourcing a permissible activity related to financial services having regard to all relevant factors, including the commercial aspects of the decision. However, should a bank, in its own judgment, decide to outsource a financial services activity, necessary safeguards for addressing the risks inherent in such outsourcing should be put in place."
— RBI Circular, November 3, 2006

Why this mattered: because outsourcing creates an information asymmetry. The customer deals with the vendor. The vendor controls the process. But the bank holds the licence and the deposits. If the vendor mishandles data, engages in coercive recovery, or simply goes offline, the customer's recourse is against the bank — and the regulator's recourse must be too.

A December 2008 amendment (DBOD.No.BP.97/21.04.158/2008-09 (since withdrawn)) added provisions specifically for offshore outsourcing, requiring that foreign regulators would not obstruct RBI inspection visits, and that data availability would survive the liquidation of either the offshore custodian or the Indian bank. That 2008 circular was withdrawn when the 2025 Directions absorbed its provisions — but its core principle remains intact.

What can a bank NOT outsource?

The 2025 Directions draw a bright line. Paragraph 15 states that a bank "shall not outsource core management functions including Internal Audit, compliance function, and decision-making functions like determining compliance with KYC norms for opening deposit accounts, giving sanction for loans (including retail loans), and management of investment portfolio."

Why these specific functions? Because they define the bank's risk profile. Internal audit is the mechanism by which a bank discovers its own problems. Compliance is how it stays within regulatory boundaries. KYC decision-making determines who the bank's customers are — and by extension, its exposure to money laundering and terrorism financing risk. Loan sanctioning is the single act that creates credit risk on the bank's balance sheet. If any of these were handed to a third party, the bank would not be managing itself in any meaningful sense. It would be a shell holding a licence.

"The outsourcing of any activity by a bank shall not diminish its obligations including to its customers and RBI, and those of its Board and Senior Management, who have the ultimate responsibility for the outsourced activity."
— RBI (Commercial Banks – Managing Risks in Outsourcing) Directions, 2025, Paragraph 17

This principle — accountability cannot be outsourced — runs through every subsequent regulatory action on the subject.

How did the recovery agent problem force the RBI's hand?

The most visible outsourcing failure in Indian banking was not a data breach or a system outage. It was recovery agents. Banks outsourced loan collection to third-party agencies, and those agencies used intimidation, harassment, and in some cases physical violence against borrowers. The August 2022 circular on recovery agent responsibilities (since withdrawn) — announced via a press release the same day — tightened the rules on permissible calling hours, mandatory identification, and the bank's direct liability for agent misconduct.

Why did this matter beyond borrower protection? Because it demonstrated a pattern the RBI would see again with fintechs: when banks outsource customer-facing functions, they lose control over the customer relationship. The vendor becomes the face of the bank, and the bank has no real-time visibility into what that face is doing.

What happened when fintechs became the front end?

The fintech lending model inverted the traditional outsourcing relationship. Instead of a bank hiring a vendor to perform a back-office task, fintechs built consumer-facing platforms and then partnered with banks for the regulated activity — lending. The fintech acquired the customer, ran the credit assessment through its own algorithms, and disbursed the loan from the bank's books. The customer often did not know which bank was their actual lender.

The RBI's first intervention was the June 2020 circular on loans sourced over digital lending platforms, which required adherence to fair practices codes and outsourcing guidelines. The comprehensive response came with the Guidelines on Digital Lending (since withdrawn), which mandated that loan disbursement and repayment must flow directly between the bank and the borrower's account — eliminating the fintech as a pass-through for funds. For the full regulatory chain on digital lending, see the digital payments and UPI timeline.

Why this architecture? Because the RBI needed to ensure that the borrower knew who their lender was, that the bank retained meaningful control over credit decisions, and that fintech intermediaries could not pool or redirect funds. The outsourcing framework's core principle — the bank cannot outsource accountability — applied with particular force here.

Why did IT outsourcing get its own separate direction?

By 2022, the scale of IT outsourcing in Indian banking had grown far beyond what the 2006 financial services outsourcing guidelines could address. Banks were running core banking on vendor-managed platforms, hosting data on third-party cloud infrastructure, and relying on external security operations centres to monitor cyber threats. The Master Direction on Outsourcing of Information Technology Services (since withdrawn) issued in April 2023 — after a draft released in June 2022 — created a dedicated regulatory framework for IT outsourcing.

The IT direction addressed cloud computing specifically. Banks using cloud services must assess the entire data lifecycle — from generation through cloud entry to permanent deletion. Multi-tenancy risks (where multiple organisations share cloud infrastructure) and data localisation requirements (certain data must remain accessible within Indian jurisdiction) received explicit treatment. Why data localisation? Because the RBI must be able to inspect bank data. When that data sits in a foreign jurisdiction, regulatory access depends on the cooperation of foreign courts and regulators — a dependency the RBI was unwilling to accept.

The 2025 consolidation absorbed the IT outsourcing direction into the unified outsourcing framework. Chapter IV of the 2025 Directions now covers IT outsourcing — including cloud computing provisions, Security Operations Centre outsourcing, and offshore data processing — alongside the financial services outsourcing rules in Chapter III. For the broader IT governance and cybersecurity framework that connects to these rules, see the cyber security and IT framework timeline.

What is the regulatory sandbox, and why does the RBI run one?

The Enabling Framework for Regulatory Sandbox, finalised in August 2019 after receiving 381 comments from 69 stakeholders, created a controlled environment for testing fintech innovations. The first cohort focused on retail payments, with entities entering a test phase in November 2020 and exiting in December 2020. Subsequent cohorts covered cross-border payments, MSME lending, and prevention of financial fraud, with the fifth cohort on a neutral theme exiting in July 2024.

Why does a regulator run a sandbox rather than simply writing rules? Because fintech products often do not fit existing regulatory categories. A payment innovation might touch outsourcing rules, KYC requirements, data protection norms, and payment system regulations simultaneously. The sandbox lets the RBI observe how a product works in practice — with real users but limited scale — before deciding which regulatory framework applies and whether new rules are needed.

In May 2024, the RBI went further, releasing a framework for recognising Self-Regulatory Organisations for the fintech sector. The SRO-FT framework acknowledged that direct regulation of every fintech entity was neither practical nor desirable — but that the sector needed governance standards. The RBI's approach to NBFC regulation followed a similar arc of increasing formalisation; see the NBFC regulation timeline for that parallel story.

How does the 2025 consolidation change the landscape?

The November 28, 2025 Directions represent the most significant restructuring of outsourcing regulation since 2006. The RBI issued entity-specific outsourcing directions for commercial banks, NBFCs, small finance banks, payments banks, urban co-operative banks, all-India financial institutions, local area banks, and credit information companies, repealing and replacing the earlier circulars and master directions.

The amendment chain tells the story of regulatory learning:

Financial services outsourcing:
1. November 3, 2006 — original guidelines (Managing Risks in Outsourcing of Financial Services (Guidelines on Managing Risks and Code of Conduct i)) — now withdrawn
2. December 11, 2008 — offshore outsourcing amendment (Offshore Outsourcing Amendment, RBI/2008-09/322) — now withdrawn
3. April 22, 2009 — compliance certificate requirement (Outsourcing Compliance Certificate, RBI/2008-09/449)
4. August 12, 2022 — recovery agent responsibilities (Recovery Agent Responsibilities, RBI/2022-23/108) — now withdrawn
5. November 28, 2025 — consolidated Directions (Managing Risks in Outsourcing Directions (Reserve Bank of India (Commercial Banks – Managing))) — active

IT services outsourcing:
1. April 10, 2023 — Master Direction on IT outsourcing (Outsourcing of IT Services Direction, RBI/2023-24/102) — now withdrawn
2. November 7, 2023 — IT Governance, Risk, Controls and Assurance (IT Governance and Risk Framework, RBI/2023-24/107) — active
3. November 28, 2025 — IT outsourcing absorbed into entity-specific Directions (Managing Risks in Outsourcing Directions (Reserve Bank of India (Commercial Banks – Managing)), Chapter IV) — active

Why consolidate? Because the proliferation of separate circulars, amendments, and entity-specific extensions had created a compliance maze. Banks had to cross-reference the 2006 guidelines, the 2008 offshore amendment, the 2023 IT outsourcing direction, and multiple interim circulars just to understand their obligations. The 2025 Directions put everything in one document per entity type — a pattern the RBI has applied across all regulatory domains in its November 2025 overhaul.

The underlying message has not changed in twenty years. A bank can outsource an activity. It cannot outsource the responsibility for that activity. The board remains accountable. The regulator will look through the vendor to the bank. And the customer's rights do not diminish because a third party is performing the service.

Last updated: April 2026

Written by Sushant Shukla