Due Diligence and Ongoing Monitoring

Hi everyone - I represent the TPRM team from a US based GCC in India. We are engaging with a large Indian Private Bank. The Challenge we face now is that this Indian Bank is refusing to share any due diligence documents that pertains to Information/Cyber Security. When we looked out for other private and public sector Banks as alternative options, we do face the same challenge where they do not want to share their documentation via email or via virtual sessions even after signing NDA. It seems that has been the case in few other countries as well where Banks are refusing to share their P&P documents, and they refer to their affiliate and regular diligence to their Regulatory Body/Institutions. For Example, this bank refused to share documents and states that they follow all the guidelines and also go through regular vetting by RBI (Reserve Bank of India) which is the regulatory body in India. Now we are at an impasse as we could not vet their controls, P&Ps from a cybersecurity perspective.

I would greatly appreciate if anyone can explain how other GCCs conduct due diligence on Banks in India? 

This is certainly a challenge and I would be interested to hear what others in the community have done in similar situations.  From my standpoint, I am always trying to encourage best practice which says you shouldn't engage with an organization that you cannot properly vet as the risk is to great.  That being said, i also understand that the hardnosed approach isn't always possible.  I would suggest finding out if the RBI provides any validation report that this entity actually DOES follow all the regulations. Taking someone's verbal answer is just not an acceptable form of validation. You can ask for a third audit report (do they have ANYTHING that shoes they have been evaluated against regulation/best practice??) You can also ask them to complete a questionnaire and explain that your regulations require some level of control validation. Ultimately, you need to ensure you are doing your side of due diligence so if you decide to proceed with nothing, I would suggest a thorough evaluation of the risks they present and a documented acceptance of those risk from leadership.