Module: | MODULE B: RISK MANAGEMENT
Q415: Scenario: A commercial bank outsources its core banking server hosting to a third-party cloud service provider. Due to a critical failure at the vendor's data center, the bank faces a 12-hour complete system outage, resulting in major financial and customer service losses. Based on RBI guidelines regarding Information Technology outsourcing, consider the following statements:
1. Since the core banking server was entirely outsourced, the primary operational risk and regulatory accountability are legally transferred to the third-party vendor.
2. The RBI mandates that despite the outsourcing arrangement, the bank retains ultimate accountability for the operational failure and related losses.
3. The bank must record this third-party failure event in its own internal Loss Data Collection (LDC) database under "Business Disruption and System Failures".
Which of the statements given above is/are correct?
2. The RBI mandates that despite the outsourcing arrangement, the bank retains ultimate accountability for the operational failure and related losses.
3. The bank must record this third-party failure event in its own internal Loss Data Collection (LDC) database under "Business Disruption and System Failures".
Which of the statements given above is/are correct?
✅ Correct Answer: B
The correct answer is B. Statement 1 is incorrect: A fundamental principle of banking regulation and RBI guidelines on IT outsourcing is that management can outsource operational execution, but they can NEVER outsource regulatory compliance, risk ownership, or ultimate accountability.
The bank remains fully responsible for the third-party's failures.
Statement 2 is correct: As per RBI Master Directions, the regulated entity (the bank) retains ultimate control and accountability for outsourced activities.
The bank must ensure the vendor adheres to the same security and operational standards expected of the bank itself.
Statement 3 is correct: Because the risk and the ultimate financial loss impact the bank directly, this downtime and associated losses must be formally recorded in the bank's own Loss Data Collection (LDC) system.
The correct Basel event type for a vendor data center crash is "Business Disruption and System Failures".
Therefore:
Option A is incorrect because Statement 1 is false.
Option B is correct as both Statement 2 and 3 are true.
Option C is incorrect because Statement 1 is false.
Option D is incorrect because Statement 1 is false.
The bank remains fully responsible for the third-party's failures.
Statement 2 is correct: As per RBI Master Directions, the regulated entity (the bank) retains ultimate control and accountability for outsourced activities.
The bank must ensure the vendor adheres to the same security and operational standards expected of the bank itself.
Statement 3 is correct: Because the risk and the ultimate financial loss impact the bank directly, this downtime and associated losses must be formally recorded in the bank's own Loss Data Collection (LDC) system.
The correct Basel event type for a vendor data center crash is "Business Disruption and System Failures".
Therefore:
Option A is incorrect because Statement 1 is false.
Option B is correct as both Statement 2 and 3 are true.
Option C is incorrect because Statement 1 is false.
Option D is incorrect because Statement 1 is false.