Your vendor contracts may be compliant. But what about the people who actually do the work?
The Rules Have Changed
In November 2025, the Reserve Bank of India released new Outsourcing Directions that apply to banks, NBFCs, and financial institutions across India. These are not small updates. They represent a complete shift in how regulators view outsourcing.
The message is simple: if you outsource it, you still own it.
Banks and NBFCs cannot wash their hands of responsibility by pointing to a vendor contract. The Board and senior management remain fully accountable for everything that happens in outsourced operations. This includes the people doing the work.
Most organisations are now busy updating their vendor contracts and IT agreements. Legal teams are working overtime. Compliance officers are reviewing policies.
But there is a gap. A rather large one.
Who is tracking the actual workforce?
The Human Element: Where Compliance Often Falls Short
When we speak of outsourcing, we often think of systems, software, and service agreements. But outsourcing is ultimately about people. Contract staff, vendor employees, and third-party personnel are the ones who access your systems, handle your data, and interact with your customers.
The RBI Directions recognise this. Several provisions speak directly to the human side of outsourcing:
- Due Diligence of Vendor Employees. Regulated entities must evaluate the quality of background checks and verification that service providers conduct on their staff. This is not optional. The Directions specifically require documented evidence of employee screening.
- Essential Personnel Tracking. Banks must identify skilled resources as “essential personnel” with backup arrangements for critical functions. This means knowing who does what, who can replace them, and having records to prove it.
- Inventory of Outsourced Services. A complete inventory must include not just vendors, but “key entities involved in their supply chains.” This extends to the people in the chain.
- Access Controls. Staff access to data must be on a “need to know” basis with appropriate controls. This requires knowing who has access, why they have it, and when they use it.
- Six-Hour Incident Reporting. Cyber incidents must be reported to RBI within six hours of detection. Without visibility into your contract workforce activities, how will you know when something goes wrong?
The Numbers That YOU Should Pay Attention To…
Recent industry data paints a concerning picture:
| Finding | Statistic |
|---|---|
| Hiring discrepancy rate in BFSI sector | 11.69% |
| Candidates who misrepresent employment history | 29% |
| Data breaches involving internal actors | 35% |
| Breaches linked to human factors | 60% |
Sources: AuthBridge Workforce Fraud Files 2025, IBM Cost of Data Breach Report 2024
Nearly 13% of candidates in the BFSI sector provide inaccurate employment information. More than a third of data breaches involve someone inside the organisation. These are not abstract risks. They are everyday realities.
Now consider this: most of these statistics come from permanent employees who go through structured hiring processes. What happens when we look at contract staff, who often join faster and with less scrutiny?
The Compliance Deadline Is Real
The RBI has set a clear deadline: April 10, 2026.
All existing outsourcing agreements must comply with the new Directions by this date, or at the time of renewal, whichever comes first. New agreements must comply from day one.
This is not a target date or a best-effort guideline. It is a regulatory requirement.
Organisations that fail to demonstrate compliance may face penalties, regulatory action, and reputational damage. But perhaps more importantly, they expose themselves to operational risks that the regulations are designed to prevent.
What Auditors Will Ask
When regulators or auditors review your outsourcing arrangements, they will not stop at contracts. They will want to see:
- Documentation of background verification for contract staff with data access
- Records of essential personnel and their designated backups
- Evidence of access controls showing who can access what, and why
- Audit trails of workforce changes, role assignments, and access modifications
- Incident logs that can support the six-hour reporting requirement
Can your current systems provide this information? Can you produce it quickly and accurately?
For most organisations, the honest answer is: not quite.
Bridging the Gap with Technology
This is where modern HR Information Systems become essential.
A purpose-built HRIS can help regulated entities manage their contract workforce in a manner that meets RBI requirements:
- Centralised Workforce Records: Maintain a single source of truth for all contract staff, including verification status, role assignments, and reporting relationships.
- Background Verification Tracking: Record and monitor the status of background checks for every individual with system access. Flag gaps before they become compliance issues.
- Essential Personnel Management: Categorise staff by criticality, map backup personnel, and maintain skill matrices that support business continuity requirements.
- Access Control Documentation: Track role-based permissions, document the rationale for access decisions, and maintain logs that support audit requirements.
- Compliance Dashboards: Generate reports that demonstrate regulatory alignment, highlight exceptions, and support Board-level oversight.
- Audit-Ready Records: Maintain trails of all changes, approvals, and reviews in a format that auditors and regulators can readily verify.
The Question for BFSI Leaders
The RBI Outsourcing Directions have changed the game. Vendor contracts are being updated. IT systems are being reviewed. Legal frameworks are being strengthened.
But in the rush to achieve compliance, are we overlooking the people?
Contract staff represent both a critical resource and a potential vulnerability. They enable operations but also create exposure. Managing them effectively is no longer just good practice. It is a regulatory requirement.
The deadline is April 2026. The gap is real. The question is: what are you doing about it?
Take the First Step
Understanding your current position is the starting point. A compliance readiness assessment can help identify gaps in your contract workforce management and prioritise actions before the deadline.
See how organisations like yours are preparing for the RBI Outsourcing Directions.
This article is for informational purposes and does not constitute legal or regulatory advice. Organisations should consult qualified professionals for guidance specific to their circumstances.