RBI's IT outsourcing framework — and how Vihaya fits.
The Reserve Bank of India's Master Direction on Outsourcing of IT Services, paired with the Cloud Outsourcing direction, defines how Indian banks and NBFCs may engage external technology providers. The framework is strict on data localisation, audit rights, and exit management, and Vihaya's deployment model satisfies the structural requirements by construction.
How Vihaya maps to the framework
| RBI requirement | Vihaya posture |
|---|---|
| Data localisation | Deployment runs in the bank's VPC (AWS Mumbai / GCP Mumbai / Azure South India). Vihaya does not store customer data. |
| Right to audit | Clause in standard pilot SOW; audit trail accessible via the customer's existing Postgres tooling |
| Exit management | Plan delivered at pilot kickoff; data and IP transition documented |
| BCP / DR | Runbook with RPO/RTO targets delivered at handoff |
| Sub-contracting | Sub-contractors limited to foundation-model providers: Azure OpenAI India / Vertex Mumbai / Anthropic / OpenAI Enterprise, all under enterprise terms |
| Material risk events | Incident-event hooks surface material-risk events to the bank's reporting workflow |
RBI IT outsourcing FAQ
Which RBI direction applies to AI outsourcing?
The 'Master Direction on Outsourcing of Information Technology Services' issued in April 2023 (updated periodically) is the primary instrument. It applies to all scheduled commercial banks, NBFCs, urban cooperative banks, and large credit information companies.
Does this require data localisation?
Effectively yes for personal and customer data. The direction requires sensitive data to remain within India and the customer to retain the ability to retrieve and migrate data on exit. Vihaya satisfies this by deploying inside the bank's own VPC (AWS Mumbai, GCP Mumbai, Azure South India); no data leaves the bank.
What about cloud outsourcing specifically?
RBI's separate Cloud Outsourcing direction (effective 2024) requires due diligence on the CSP, data localisation, exit management, and continued bank ownership of data. Vihaya is deployment-model-agnostic: we run on whichever CSP the bank has cleared, with the bank as the cloud-account owner.
What's in the exit-management plan?
Standard contents: data extraction format, timeline for migration, IP-handover provisions, transition support. Vihaya's pilot SOW ships with an exit-management plan template. Practically: customer data is in their own Postgres in their own VPC — exit is one snapshot away.