RBI’s Rao flags outsourcing, cybersecurity risks days after Microsoft outage

Mumbai: Reserve Bank of India deputy governor M. Rajeshwar Rao on Monday flagged the risks around cybersecurity and growing dependency of financial services companies on outsourcing arrangements, days after a global Microsoft Windows outage disrupted the operations of industries worldwide, including airlines, banks, and hospitals.

“The first issue I would like to discuss is the issue of third-party dependence and outsourcing arrangements in regulated entities (REs), because last Friday essentially reflects the kind of risks I am talking about,” Rao said at the BFSI summit organised by CareEdge Ratings, referring to the Microsoft outage on 19 July.

Rao acknowledged that third-party dependencies and digital outsourcing have become integral to the operations of financial services entities to enhance efficiency, reduce costs, and improve customer experience, but warned that the arrangements pose several concerns such as selection of the outsourcing partner or lending service providers (LSPs) and their reliability, security, and regulatory compliance.

“For example, while digital lending guidelines mandate that REs should ensure that LSPs engaged by them have suitable grievance redressal mechanism on their website or apps, a recent study undertaken by us found that not all LSPs or apps have the kind of mechanisms we thought they would,” he said, adding that poorly managed third-party relationships can lead to not only customer dissatisfaction and reputational damage, but may also invite regulatory and supervisory actions.

Also Read | Mint explainer: Why cyber insurance plans may need to include buggy software updates

Rao flagged cybersecurity as another critical area for financial institutions, including the ability to assess and ensure the preparedness of third-party service providers to protect their digital assets and customer information.

Dependency on third parties can also create vendor lock-in situations, where reliance on a single vendor for critical services or lack of vendor diversification can increase dependency risks and limit the entities’ flexibility to adapt to changing market conditions or technological advancements.

Microsoft estimated that 8.5 million computers worldwide were affected due to the outage on 19 July, triggered after cybersecurity software company CrowdStrike rolled out a routine update. The outage caused severe disruptions, including crashing IT systems and derailing air services, news channels and stock exchanges, among others.

Also Read: After Microsoft outage, YouTube users report widespread issues with app, uploads, and website

Grievance redressal, transparency

The deputy governor also highlighted shortfalls in customer conduct and transparency by financial entities, saying that it is one area where on-ground actions have “fallen short of expectations”, which can have significant repercussions on customers’ trust and satisfaction.

“However, we continue to observe instances of slow response times to customer queries and complaints, lengthy wait times on customer service hotlines and delayed email responses, contributing to customer dissatisfaction,” he said.

Also Reaad: Deepfakes, fraudsters and hackers are coming for cybersecurity jobs

Some entities continue to face criticism for their lack of transparency regarding fees, charges, and penal provisions associated with their products and services, wherein customers are often surprised by hidden fees or unclear terms, leading to disputes and complaints.

As a result, RBI continues to receive increased volume of complaints regarding misleading sales practices to attract customers, including misrepresentation of product features, false promises of benefits, or aggressive sales tactics that pressure customers into purchasing products they do not need or understand, he said, adding that another “unique” set of complaints also relates to difficulties in closing accounts or terminating services.

“Lengthy and cumbersome account closure procedures, coupled with unclear requirements and documentation, frustrate customers, and prolong their association with the entity against their wishes,” Rao said.

He added that the regulator’s recent instructions on fixation of EMIs or providing a Key Fact Statement (KFS) along with Annual Percentage Rate (APR) are examples where probably transparency at the level of industry “would have taken care of the issue itself without the regulator having to step in”.

While automation is helping with faster response to complaints, there is an underlying need for an “experienced man in the middle” to ensure the human touch and understanding in dealing with customer grievances, Rao said.

Also Read | Cybersecurity: Microsoft’s Azure woes and Google’s acquisition moves

He urged boards of financial entities to take an active role in identifying/ approving the head of control and assurance functions, facilitate clear lines of communication between the board and heads of control and assurance functions, and ensure that different business units don’t assess the risks independently or in silos.