A Quick Guide On Third Party Risk Management
Why Third Party Risk Management in BFSI Demands Structural Attention
Every regulated entity in India’s financial services ecosystem relies on third parties. Payment processors, cloud infrastructure providers, KYC verification vendors, loan management system operators, data analytics firms. The list grows each year. And with it, the risk surface expands in ways that most compliance functions have not fully accounted for. Third party risk management BFSI is no longer a procurement checkbox. It is a regulatory obligation with real enforcement consequences.
The challenge is structural. When a bank outsources its core banking operations to a technology vendor, the operational risk does not transfer. When an NBFC uses a fintech partner for digital lending journeys, the data protection liability remains with the NBFC. When an insurance company relies on a third party claims processor, the policyholder’s grievance lands at the insurer’s doorstep, not the vendor’s.
Regulators in India have made this explicit. RBI’s outsourcing guidelines, SEBI’s cybersecurity framework, IRDAI’s IT governance norms, and the DPDP Act’s processor obligations all converge on one principle: the regulated entity cannot outsource accountability. This creates a risk management challenge that requires more than annual vendor reviews.
Regulatory Expectations Across Indian Financial Regulators
RBI’s Outsourcing Guidelines and Master Directions
RBI’s Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services (2006), supplemented by subsequent master directions, lay the foundation for third party risk governance in banking and NBFC operations. The guidelines mandate that a regulated entity’s board must approve outsourcing policies, maintain oversight of all material outsourcing arrangements, and ensure that outsourcing does not diminish the entity’s ability to meet regulatory obligations.
Key requirements include mandatory due diligence before entering outsourcing arrangements, contractual provisions ensuring RBI’s right to access and audit the service provider, business continuity planning that covers vendor failure scenarios, and concentration risk assessment where multiple functions depend on a single vendor. RBI has been particularly pointed about digital lending ecosystems, issuing separate guidelines in 2022 that require lending service providers and digital lending apps to comply with specific conduct standards, with the regulated entity bearing full responsibility for any deviation.
SEBI’s Vendor and Cybersecurity Requirements
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities in the securities market places explicit obligations around technology vendors. Market intermediaries, asset management companies, stock exchanges, and depositories must maintain inventories of third party technology providers, assess their cybersecurity posture, and ensure contractual obligations around incident reporting and data handling.
SEBI also expects that third party access to systems and data is governed through formal agreements, that periodic vulnerability assessments cover vendor-managed components, and that incident response plans account for vendor-originated breaches. The framework does not allow regulated entities to rely on vendor self-certification alone.
DPDP Act Processor Obligations
The Digital Personal Data Protection Act 2023 introduces a clear distinction between data fiduciaries and data processors. A regulated entity acting as a data fiduciary retains full accountability for personal data processed by its vendors (data processors). This means the BFSI entity must ensure that its processors implement appropriate technical and organizational measures, process data only for specified purposes, and delete data upon termination of the arrangement.
The Act does not require separate registration for processors, which means the fiduciary must self-govern its processor ecosystem. Without structured oversight, this creates a significant compliance gap, especially for entities with dozens or hundreds of data processors across operations.
IRDAI and CERT-In Requirements
IRDAI’s Information and Cyber Security Guidelines require insurers to assess third party risks as part of their overall information security governance. CERT-In’s 2022 directives on incident reporting mandate that any cybersecurity incident, including those originating from vendor systems, must be reported within six hours. This makes it essential for regulated entities to have real-time visibility into vendor-side incidents and pre-established escalation pathways.
| Regulator | Key Third Party Requirement | Entity Responsible |
|---|---|---|
| RBI | Board-approved outsourcing policy, audit access, BCP for vendor failure | Bank / NBFC |
| SEBI | Vendor cybersecurity assessment, incident response coverage, periodic review | Market intermediary / AMC |
| IRDAI | Information security governance over third parties | Insurer |
| CERT-In | Six-hour incident reporting, including vendor-originated incidents | All entities |
| DPDP Act | Processor oversight, purpose limitation, deletion obligations | Data fiduciary |
Common Third Party Risk Gaps in Indian Regulated Enterprises
Consider a mid-sized NBFC that uses fourteen external vendors across loan origination, credit scoring, collections, e-KYC, cloud hosting, and customer communication. Each vendor was onboarded through procurement with basic due diligence, a standard contract template, and perhaps a one-time security questionnaire. Two years later, the compliance team cannot confirm which vendors have access to customer personal data, which contracts include RBI audit clauses, or whether any vendor has sub-contracted processing to a fourth party.
This scenario is common across BFSI entities in India, and it creates three structural challenges that most risk functions are not equipped to handle.
First, there is a visibility gap. Without a centralized third party register linked to data flows, regulatory obligations, and risk classifications, the compliance function operates with incomplete information. Vendors are often managed by different business units with no single view across the enterprise.
Second, there is an assessment gap. Initial due diligence at onboarding captures a point-in-time snapshot. Vendor risk profiles change as they take on new clients, shift infrastructure, experience personnel turnover, or face their own regulatory actions. A vendor deemed low-risk at onboarding may have become a concentration risk or a data security concern eighteen months later.
Third, there is an evidence gap. When an RBI inspection team or an internal audit function asks for proof that third party risk is being managed, the compliance team must produce documentation: risk assessments, contractual clauses, monitoring records, incident reports, remediation evidence. If these exist across emails, spreadsheets, shared drives, and procurement portals, the time required to compile an auditable trail is significant, and the risk of gaps is high.
Building a Third Party Risk Assessment Process for BFSI
Classification and Tiering
The starting point for any defensible third party risk management BFSI program is a classification framework. Not all vendors carry the same risk. A canteen services provider does not need the same level of scrutiny as a cloud hosting provider that stores customer financial records. Tiering vendors by risk allows the compliance function to allocate assessment depth proportionally.
A practical tiering model considers four dimensions: data sensitivity (does the vendor access, process, or store personal or financial data), operational criticality (would vendor failure disrupt customer-facing operations or regulatory reporting), regulatory exposure (does the vendor relationship trigger specific regulatory obligations such as RBI outsourcing guidelines), and concentration risk (does the entity depend on this vendor for multiple functions or is it a sole-source arrangement).
Due Diligence at Onboarding
For Tier 1 vendors (high data sensitivity, high operational criticality), due diligence should include a comprehensive security questionnaire covering encryption standards, access controls, incident management, business continuity, and sub-contracting practices. It should also include review of the vendor’s own certifications (ISO 27001, SOC 2 where available), financial stability assessment, regulatory compliance history, and verification of contractual clauses mandated by the relevant regulator.
For Tier 2 and Tier 3 vendors, a lighter assessment can be applied, scaled to their actual risk contribution. The key is that the tiering logic and assessment methodology are documented, consistently applied, and reviewable during audits.
Contractual Safeguards
Contracts must encode the obligations that regulators expect. For RBI-regulated entities, this means including clauses for regulatory audit access, data localization compliance (where applicable), sub-contracting restrictions or notification requirements, incident reporting timelines aligned with CERT-In and sector-specific mandates, and termination and data return or destruction provisions.
The DPDP Act further requires that processor agreements specify the purpose and duration of processing, restrict onward transfers without fiduciary consent, and ensure deletion obligations are enforceable. Many existing vendor contracts in Indian BFSI predate these requirements and need systematic review and amendment.
Ongoing Monitoring vs One-Time Due Diligence
One of the most consequential gaps in third party risk management BFSI programs is treating assessment as a one-time onboarding exercise. Regulatory expectations across RBI, SEBI, and IRDAI consistently reference “ongoing” or “continuous” monitoring. The practical question is what this looks like operationally.
Ongoing monitoring should include periodic reassessment cycles (annual for Tier 1, biennial for Tier 2), triggered reassessments based on events (vendor breach, regulatory action against vendor, significant change in vendor ownership or infrastructure), continuous tracking of vendor compliance with contractual SLAs and security standards, and monitoring of external signals such as regulatory penalties, press coverage, or industry advisories.
Consider a private sector bank that relies on a single fintech partner for its UPI-based payment infrastructure. If that partner experiences a data breach, the bank must report the incident to CERT-In within six hours and to RBI as part of its cyber incident reporting obligations. Without pre-established monitoring mechanisms and escalation protocols, the bank may learn about the breach from media reports rather than from the vendor directly. This is not a hypothetical; it has occurred in India’s BFSI ecosystem.
The shift from periodic to continuous monitoring requires systematic infrastructure. Manual tracking through spreadsheets breaks down at scale, particularly for entities managing fifty or more third party relationships with varying risk tiers and regulatory touchpoints. Platforms like eQomply enable regulated enterprises to maintain a living register of third party relationships linked to risk classifications, regulatory obligations, assessment schedules, and evidence trails, ensuring that monitoring is not dependent on individual effort but embedded in operational workflows.
Evidence and Audit Trail Requirements
What Regulators and Auditors Expect to See
During RBI inspections, SEBI audits, or internal audit cycles, the expectation is not merely that third party risk is being managed, but that management can be demonstrated with evidence. The distinction matters enormously. A compliance team may be doing the right things, but if the documentation trail is incomplete, inconsistent, or scattered, the regulatory finding will reflect that.
Auditors typically look for an approved third party risk management policy with board endorsement, a complete register of third party relationships with risk classifications, documented due diligence records for each vendor aligned to their tier, evidence of periodic reviews and reassessments, records of identified issues and remediation actions with timelines, contractual compliance verification (presence of mandatory clauses), and incident records where vendor-related events occurred, including response timelines.
The Documentation Challenge at Scale
For an entity with thirty Tier 1 vendors across multiple business functions, maintaining this documentation manually is operationally expensive and error-prone. Evidence often exists in disconnected systems: procurement manages contracts, IT manages security assessments, legal manages regulatory clauses, and business units manage day-to-day performance. When an auditor requests a consolidated view of third party risk governance, the assembly exercise itself becomes a project.
This is where purpose-built GRC infrastructure creates measurable value. eQomply’s evidence management and audit readiness capabilities allow regulated enterprises to capture and link assessment records, contractual documents, monitoring outputs, and remediation trails to specific vendor relationships and regulatory requirements. When an inspection occurs, the evidence is not assembled retrospectively; it already exists in structured, exportable form.
Building an Audit-Ready Third Party Risk Program
An audit-ready program has three characteristics. First, it is traceable: every decision, assessment, and action can be linked back to the policy framework and the specific regulatory obligation it addresses. Second, it is current: documentation reflects the present state of vendor relationships, not a snapshot from eighteen months ago. Third, it is accessible: any authorized stakeholder, whether an internal auditor, a regulatory inspector, or a board committee member, can access the relevant information without a multi-week assembly exercise.
Achieving these characteristics requires consolidating third party risk management BFSI activities into a single operational layer, rather than distributing them across procurement, legal, IT, and compliance as separate workflows. The regulatory expectation is a unified view of third party risk governance. The operational infrastructure should match.
Moving from Reactive to Structured Third Party Risk Governance
The regulatory trajectory in India is clear. RBI’s increasing scrutiny of digital lending partnerships, SEBI’s formalization of cybersecurity obligations for vendor ecosystems, and the DPDP Act’s fiduciary accountability model all point in one direction: regulated entities must demonstrate structured, ongoing governance over their third party relationships, with auditable evidence.
For compliance leaders and risk officers in BFSI, the question is no longer whether to invest in third party risk management, but how to operationalize it at the scale and depth that regulators expect. This means moving beyond procurement-led onboarding checks toward a risk-based, lifecycle-oriented program that covers classification, assessment, monitoring, evidence capture, and board reporting.
If your organization is working to build or mature its third party risk management program in line with Indian regulatory expectations, eQomply provides the infrastructure to consolidate vendor risk governance, maintain continuous audit readiness, and demonstrate compliance to regulators without the overhead of manual assembly. You can explore how this works for your specific regulatory context at eqomply.com/demo.
