RBI’s IT outsourcing framework — and how Vihaya fits
The Reserve Bank of India’s Master Direction on Outsourcing of IT Services, paired with the Cloud Outsourcing direction, defines how Indian banks and NBFCs may engage external technology providers. The framework is strict on data localisation, audit rights, and exit-management — and Vihaya’s deployment model satisfies the structural requirements by construction.
Pre-revenue caveat
Vihaya is pre-revenue. No bank has deployed Vihaya yet. Every line below describes the design intent and the template artefacts in the pilot SOW — not delivered customer outcomes. Final compliance posture is the bank’s determination, not Vihaya’s certification.
How Vihaya is designed to map to the framework
| RBI requirement | Vihaya design posture |
|---|---|
| Data localisation | Designed to deploy in the bank’s VPC (AWS Mumbai / GCP Mumbai / Azure South India). Vihaya does not store customer data in its own environment. |
| Right to audit | Clause in the pilot SOW template; audit trail designed to be accessible via the customer’s existing tooling |
| Exit management | Plan included at pilot kickoff; data and IP transition documented in the template |
| BCP / DR | Runbook with RPO/RTO targets designed for handoff delivery |
| Sub-contracting | Sub-contracting would be limited to the foundation-model provider the bank has cleared (Azure OpenAI India, Vertex Mumbai, Anthropic, or OpenAI Enterprise). No enterprise contracts are in place yet. |
| Material risk events | Incident-event hooks designed to surface material-risk events to the bank’s reporting workflow |
RBI IT outsourcing FAQ
Which RBI direction applies to AI outsourcing?
The ‘Master Direction on Outsourcing of Information Technology Services’ issued in April 2023 (updated periodically) is the primary instrument. It applies to all scheduled commercial banks, NBFCs, urban cooperative banks, and large credit information companies.
Does this require data localisation?
Effectively yes for personal and customer data. The direction requires sensitive data to remain within India and the customer to retain the ability to retrieve and migrate data on exit. Vihaya is designed to deploy inside the bank’s own VPC (AWS Mumbai, GCP Mumbai, Azure South India) so that no data leaves the bank — no bank has deployed Vihaya yet.
What about cloud outsourcing specifically?
RBI’s 2023 Master Direction on Outsourcing of IT Services covers cloud arrangements alongside other IT outsourcing. Vihaya is designed to be deployment-model-agnostic — it would run on whichever CSP the bank has cleared, with the bank as the cloud-account owner.
What’s in the exit-management plan?
Standard contents: data extraction format, timeline for migration, IP-handover provisions, transition support. Vihaya’s pilot SOW template includes an exit-management plan. Practically: customer data would sit in their own database in their own VPC — exit is one snapshot away.
Want to see this in your environment?
30-minute discovery call. We follow up with a draft SOW shortly after.
Talk to us about a pilot