The first time foreign ownership really came up, it wasn’t on a risk slide.
It was on page 36 of a Board pack, under “Regulatory & Legal Updates”.
The Company Secretary read it out in that neutral tone people use when they don’t want to start a debate:
· “RBI has reiterated expectations around governance, data locality, and oversight for entities with significant foreign shareholding, particularly in critical infrastructure segments such as credit information companies.”
One director asked, almost as a courtesy:
“This doesn’t affect us directly, right? Our bureaus and key partners are all under RBI’s licensing anyway.”
The CRO replied:
“From a regulatory-compliance standpoint, no immediate action.
We’re aligned with RBI’s framework. Ownership patterns are already approved.”
The Chair nodded, someone suggested moving on, and the topic closed in two minutes.
Nobody asked the harder version of that question:
“If some of the most critical lenses on our borrowers sit in entities with complex foreign ownership, do we actually treat that as a risk dimension – or just as a legal fact that someone else is handling?”
Six months later, in a smaller internal meeting, the same bank’s risk and legal teams were looking at a different document:
· A data-processing and analytics agreement with a vendor that had:
– Indian operations,
– global group ownership,
– and a clause that allowed certain processing in offshore locations “for redundancy and performance”.
The legal head underlined one section and said quietly:
“On paper this is allowed. In practice, we’re trusting that the group as a whole will treat Indian borrower data in line with RBI’s intent, not just the minimum contract.”
The room was silent for a beat longer this time.
The old assumption was still there, just a little less comfortable:
“As long as RBI licenses the entity or approves the structure, foreign ownership is a regulatory matter, not a credit or franchise risk. We don’t need to think about it beyond compliance.”
That assumption feels reasonable.
It’s also how most institutions avoid looking at an awkward truth:
Foreign ownership in credit infrastructure is neither automatically dangerous nor automatically harmless.
What matters is how much of your risk and reputation flows through entities whose ultimate decisions you don’t really influence – and what you tell yourself about that.
If you strip away the careful language, the working belief inside many lenders sounds like this:
“RBI licenses CICs. RBI clears ownership structures.
As long as we’re dealing with regulated entities and following the rules,
foreign shareholding is a policy topic, not an operational risk we need to worry about.”
You hear versions of it in different rooms:
· In a Board Risk Committee, when someone raises a question on data concentration:
“CICs are licensed entities. RBI will ensure they’re controlled appropriately. We just need to use them properly.”
· In a vendor-selection meeting for analytics tools hosted by global firms:
“They’ve set up an India entity, we have standard DPAs in place, and data stays in-country as per policy. Ownership is handled at the regulator level.”
· In a policy rewrite discussion:
“We can’t redesign our whole infrastructure because some vendor or bureau has foreign parents. If RBI has allowed it, we treat it as given.”
Underneath all of this is a quiet shortcut:
· Regulatory approval = risk fully assessed.
· Ownership structure = background detail, not a design variable.
It feels efficient.
It lets risk teams focus on:
· Asset quality,
· Model performance,
· Operational losses,
· Capital and liquidity.
Ownership sits in the “corporate secretarial / regulatory liaison” bucket, not in risk’s day-to-day map.
What actually happens over time is slower and less dramatic:
· More and more of your day-to-day view of borrowers flows through entities whose ultimate decision-making is elsewhere.
· More and more technical changes in those entities are decided by global roadmaps, not Indian portfolio realities.
· More and more contract and governance language is written to be legally safe, but not emotionally honest about dependency.
Nothing explodes.
But the distance between “RBI has checked the box” and “we understand our own reliance” quietly widens.
If you stop looking at headlines and just sit in the rooms where work happens, foreign ownership doesn’t appear as a “topic”.
It appears as three recurring patterns.
In one bank, there was a Technology–Risk–Legal triage meeting about moving more bureau and analytics traffic to a new “optimised integration platform” offered by a global group with Indian operations.
On the screen: a 24–slide deck from the vendor.
· Slide 3: Global footprint and client logos.
· Slide 7: Data centres and DR setup, with India circles.
· Slide 12: Compliance and certifications.
· Slide 16: Contractual safeguards, including data localisation.
The questions from the bank’s side followed a familiar pattern:
· From IT:
– “What’s the uptime SLA?”
– “What’s the latency we can expect?”
– “How quickly can you scale if our volume doubles?”
· From Legal:
– “Confirm that no data leaves India except as per RBI norms.”
– “We need the right to audit and clarity on sub-processors.”
· From Risk:
– “Validation requirements, access to logs, reversibility if we terminate.”
Not once did anyone ask:
“If the global parent changes its strategy, gets acquired, or faces legal issues elsewhere, how much of our day-to-day risk capability would be exposed? And do we have any say in that?”
After the vendor left, the internal debrief lasted five minutes.
The shared conclusion was:
“From our side, this is compliant and technically sound.
Foreign ownership is within RBI limits.
Let’s proceed, subject to final legal sign-off.”
The Board-level summary later read:
· “Vendor X selected for integrated bureau and analytics platform.
All data usage aligned with regulatory expectations.”
No one lied.
They just didn’t write the part that really mattered:
· “We are now choosing to route a larger portion of our core credit view and decisioning through an entity whose ultimate governance sits in another jurisdiction. We have legal recourse, but limited practical influence if their priorities shift.”
That sentence never appears in any document.
But it’s the one that describes the real risk posture.
In another institution, a Vendor Risk Assessment form had a neat table on page two:
· Ownership: “Subsidiary of global Group Y, headquartered in [foreign country], Indian entity registered and RBI-compliant.”
· Criticality: “High – supports credit decisioning and risk analytics.”
· Data sensitivity: “High – includes borrower-level credit information.”
The same document then spent twelve pages on:
· Information security controls.
· RTO/RPO expectations.
· Incident-response SLAs.
· Contract expiries and renewal triggers.
Ownership surfaced only once more, in a generic sentence:
· “Any change in shareholding structure or control to be notified and subject to bank’s approval.”
In monthly Vendor Risk Committee meetings, the dashboard showed:
· Open issues: patching cycles, occasional latency breaches, one minor outage.
· Status: “All within agreed tolerance, no red flags.”
At no point did anyone ask:
“If Group Y alters its India strategy, or if global pressures push them into a different risk posture, what is our fallback for this critical function – and how long would it take to execute?”
On paper, safeguards existed:
· Contractual notice periods.
· Data-return clauses.
· Theoretical right to shift to another provider.
In the actual operation of the book, the risk was simpler:
· “We are assuming that nothing big will change at the group level in ways that hurt us faster than our contracts can protect us.”
That assumption lives in the space between the lines.
It rarely gets named.
In a quarterly Operational Risk dashboard, one bank tracked “Vendor Concentration – Critical Services”:
· Number of critical third parties.
· Spend per vendor.
· % of critical processes supported by external providers.
The line item for “Bureau and Credit-Decisioning Infrastructure” showed:
· “3 external vendors; no single vendor > 40% cost share.”
On paper, that looked diversified.
What the metric didn’t show:
· All three vendors were part of the same global group, with different Indian entities and product logos.
· The bank’s day-to-day credit view (scores, analytics, pre-screening) effectively ran through the same foreign parent’s technology and governance stack.
From a local-vendor perspective, concentration looked acceptable.
From a regulatory-entity perspective, names were varied.
From a group and control perspective, exposure was far more clustered than any dashboard showed.
When someone in a separate risk brainstorming session casually said:
“If Group Z had a serious issue tomorrow, how many of our credit and collection decisions would be directly impacted?”
it took a surprisingly long time to get a concrete answer.
If foreign ownership meaningfully shapes your dependence on external entities, why doesn’t it get more airtime?
Partly because nobody inside the institution is tasked with holding the whole picture.
· Legal & Secretarial focus on:
– Compliance with RBI and MCA guidelines.
– Approvals for shareholding changes.
– Filings and formal governance.
· Risk focuses on:
– Asset quality.
– Market and liquidity risks.
– Operational risk incidents.
· IT / Vendor Management focus on:
– SLAs, uptime, security controls.
– Contract terms, renewals, performance issues.
Foreign ownership of a key provider technically touches all three.
But unless someone explicitly says:
“Our dependence on foreign-owned credit infrastructure is itself a risk dimension; somebody needs to map and monitor it,”
it stays as:
· A one-line entry in a vendor database.
· A footnote in a legal opinion.
· A sentence in a regulatory correspondence file.
Nobody is lying.
Nobody is fully seeing it either.
When RBI approves a licence, a structure, or a transaction, the implicit internal translation often is:
“The regulator has assessed this; we can safely treat it as low risk.”
The more accurate translation is narrower:
“The regulator has decided this structure is permitted, subject to ongoing conditions and oversight.”
Those are not the same thing.
Permitted ≠ risk-free.
Permitted ≠ “you don’t need to think about your own dependence and choices”.
But in day-to-day discussions, especially under time pressure, “RBI has allowed it” becomes a convenient full stop.
As soon as someone brings up foreign ownership in a credit meeting, the conversation risks drifting into:
· Geopolitics.
· National policy.
· Data colonisation debates.
Most delivery-focused leaders don’t want to go there in a forum that has to decide things about NPAs and product funnels.
So they quietly narrow the scope:
“Let’s keep this to what affects our books and our compliance. National-level questions are for policymakers and the regulator.”
Reasonable.
But in narrowing it, they also push aside a grounded, institutional question:
· “Given the world we live in, how much of our core capability depends on decisions made in rooms we don’t sit in – and what is our tolerance for that?”
That question isn’t geopolitical.
It’s operational.
It just sounds larger than people want in a weekly meeting.
The institutions that handle this topic without drama don’t:
· Ban foreign-owned providers,
· Pretend they can rebuild everything in-house, or
· Turn every conversation into a sovereignty lecture.
They do a few quieter things.
When they look at critical services – bureaus, decision engines, analytics platforms, cloud environments that support risk – they don’t just ask:
· “Is this compliant?”
· “Is the vendor performant?”
They also ask, in plain terms:
· “Who ultimately controls this entity?”
· “If something changes at the group level, how fast could that flow through to us?”
· “Do we have a plan, or are we relying on contracts to save us from physics?”
This shows up not as a new framework, but as:
· A column in an internal criticality register that’s actually read, not just filled.
· A brief section in Board notes when approving major vendor or partnership shifts:
– “Group-level concentration increased / reduced as a result.”
It doesn’t block deals.
It forces an adult sentence to be written down.
When discussing a foreign-owned provider or bureau-related dependency, they explicitly distinguish:
1. Regulatory comfort:
– “Yes, RBI permits this structure. Yes, ownership is within prescribed limits. Yes, data localisation rules are met.”
2. Institutional comfort:
– “Independent of that, are we satisfied with:
• Our level of dependency?
• Our ability to exit or dual-source if needed?
• Our own understanding of how this entity fits into our risk spine?”
Sometimes the answer to the second is “not yet”.
In those cases, the response isn’t theatrical.
It might be as simple as:
· “Over the next 12–18 months, we’ll create one credible alternative path for this specific capability, even if we don’t use it day to day.”
· “We will avoid increasing exposure to this group beyond X% of our bureau / analytics traffic until we’ve tested that alternative.”
No speeches.
Just a small, explicit constraint.
In one institution, there is a quietly recurring agenda item in an annual Risk & Technology offsite:
· “External Dependence in Credit Infrastructure: Map & Scenarios.”
The artefacts for that discussion are not complicated:
· A simple chart of which providers, bureaus, platforms sit in the core of credit decisioning and monitoring.
· A footnote for each: “Ultimate ownership / control jurisdiction.”
· Three hypothetical questions:
– “If this group suspended services for 30 days, what would break first?”
– “If we had to move away from them over 12 months, what would the path look like?”
– “Where are we assuming that ‘regulation’ will solve a problem we have not yet tested ourselves?”
The output is rarely a grand plan.
It is usually a short list of:
· Two or three areas where dual capability is worth building, even partially.
· One or two contracts that need tighter practical safeguards, not just clauses buried on page 14.
· A couple of points that should be written down in the next Board note approving a big dependency.
That’s all.
But it means that when foreign ownership comes up later – in a regulator’s question, a vendor negotiation, or a risk stress test – the institution is not thinking about it for the first time.
It’s tempting to keep the original assumption:
“RBI licenses CICs, approves ownership structures, and guards systemic risk.
Our job is to comply and run our books.
Foreign ownership is a background fact, not a delivery concern.”
If you stick with that, foreign ownership will continue to appear in your world as:
· A line item in secretarial notes.
· A generic statement in vendor risk forms.
· An occasional reference in inspection observations that feels slightly external – something about “the system”, not specifically about you.
If you accept a slightly more uncomfortable view:
· That foreign ownership in your credit infrastructure is neither a scandal nor a non-issue,
· That it changes who you depend on, not just who signs which filings,
· And that you owe yourself a clear sentence on how far you’re willing to lean on decisions made outside your own governance,
then the question changes shape.
It stops being:
“Is this structure permitted, and does RBI seem comfortable?”
and becomes something more inward-facing:
“Looking only at our own book and our own spine:
how much of our day-to-day credit judgement depends on entities we do not really influence,
and are we acting as if that is purely a legal detail – or as if it is a risk choice we’re responsible for?”
For many institutions, the honest answer sits somewhere in between.
The work is not to eliminate that gap.
It’s to stop pretending it doesn’t exist.
