NCC : India’s financial institutions to be required to acquire source code of critical services or implement Escrow

On 7 November 2023, the Reserve Bank of India (RBI) issued a draft Master Direction which sets out its expectations on the management of the risks associated with the use of technology by all India financial institutions, with a set of controls to be employed and complied with by April 2024.

As well as setting out a list of key things that institutions should establish within their organisation by the deadline, the Direction specifically requires that the source code of critical applications is acquired. Where that is not possible, the Bank expects institutions to implement Escrow, or similar arrangements, as a key solution to ensuring the resilience of the region's financial system.

Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group Software Resilience, shares his thoughts on why the inclusion of Escrow is an important one:

Expected to work in combination with the "Master Direction on Outsourcing of IT Services" issued earlier this year, the new Direction is a great step forward for the region with guidance to take institutions through end to end technology risk management, in an effort to improve the overall reliability and continuity of the financial system.

The new Direction lists out key things that must be established within institutions by the deadline, including:

1. An IT Governance Framework
2. An IT service management framework
3. Clarity on the role of the Board of Directors in the ownership of IT risks
4. An IT Strategy Committee within the Board
5. A Senior Management and IT Steering Committee
6. A clear Head of IT function
7. An IT and Information Security Risk Management Framework
8. An Information Security Policy and Cyber Security Policy

Much like the other global operational resilience regulation, when combined with the "Master Direction on Outsourcing of IT Services", the new master direction requires regulated entities to:

1. Assign an owner of the risks
2. Map the estate to understand the risks
3. Set an appetite on how to deal with the risk
4. Build plans to cope with the risks
5. Test those plans to ensure the plans work
6. Learn the lessons from the work above

When talking about how to build plans to cope with the risks and being proactive when addressing the safeguarding of access to business critical applications that are provided by a third party vendor, the Bank specifically calls out Escrow as a way to 'adequately mitigate the risk of default by the vendor'.

Escrow is a legal framework, combined with a knowledge transfer and a scenario test designed to mitigate the risk of relying on third party supplied software. It is an effective tool that can help organisations protect their investment in technology and, as evidenced by its inclusion in the Direction, a way to help ensure compliance with regulation.

As digital transformation continues to accelerate, operational resilience has become increasingly crucial for businesses. With increased reliance on third-party providers and outsourced IT solutions, coupled with the ever-present risk of digital threats and other sources of business interruption, regulatory bodies are implementing new standards and guidelines that demand access to critical software source code and data.

The inclusion of Escrow is a great step forward and another example of the global move towards regulatory adoption of escrow and an alignment of regulation to mitigate supplier failure, service deterioration and concentration risk in financial services.

ENDS