Reserve Bank of India vide its communication dated August 7, 2021 & 3, 2021 enlightened us with its instructions to” Non-Bank Payment System Operators” who by virtue of services they provide and the construct of models on which they operate, largely outsource their payment and settlement-related activities to various other entities

In order to enable effective management of attendant risks in outsourcing of such activities, it was announced in the Statement on Developmental and Regulatory Policies released with the bi-monthly Monetary Policy Statement 2020-21 on February 05, 2021, that a framework for outsourcing of payment and settlement-related activities by PSOs, would be issued by the Reserve Bank of India. Accordingly, a framework for the same has been provided in the Annex with the communication dated August 7, 2021.

RBI expects the PSOs to ensure that all their outsourcing arrangements, including the existing ones, would be in compliance with this framework by March 31, 2022.

A connection to RBI communication is produced below:

It is interesting to learn the instructions of RBI on opening up of new avenues for PSOs. Wherever needed, I shall quote from the text for reference and add my explanations for easy understanding.

Framework for Outsourcing of Payment and Settlement-related activities by PSOs

Let us learn various words used in above instructions such as outsourcing, continuous basis, service provider etc. as defined by RBI.

To whom the instructions are applicable?

This framework is applicable to non-bank PSOs insofar as it relates to their payment and / or settlement-related activities. It seeks to put in place minimum standards to manage risks in outsourcing of payment and / or settlement-related activities (including other incidental activities like on-boarding customers, IT based services, etc.).

The framework is not applicable to activities other than those related to payment and / or settlement services, such as internal administration, housekeeping or similar functions.

  • Outsourcing’ is defined as use of a third party (i.e., service provider) to perform activities on a continuing basis that would normally be undertaken by the PSO itself, now or in the future. ‘Continuing Basis’ would include agreements for a limited period.
  • Service provider: The term ‘service provider’ includes, but is not limited to, vendors, payment gateways, agents, consultants and / or their representatives that are engaged in the activity of payment and / or settlement systems. It also includes sub-contractors (i.e., secondary service providers) to whom the primary service providers may further outsource whole or part of some activity related to payment and settlement system activities outsourced by the PSO.
  • It is very important to understand the word outsourcing which leads us to vast quantum of instructions from RBI.
  • These instructions are applicable to PSOs situated in India or abroad. One may be advised to refer to the Companies Act, 2013 for proper understanding of various words used.

Now let us detail ourselves with outsourcing risks. What are they?

Outsourcing process is associated with several risks; following is an illustrative list of such risks:

a. Compliance Risk – Where privacy, customer / consumer and prudential laws are not adequately complied with by the service provider;

b. Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence, individual PSO may lack control over the service provider;

c. Contractual Risk – Where the PSO may not have the ability to enforce the contract;

d. Country Risk – When political, social or legal climate creates added risk;

e. Cyber Security risk – Where breach in IT systems may lead to potential loss of data, information, reputation, money, etc.;

f. Exit Strategy Risk – When over-reliant on one firm, the PSO loses related skills internally, and it becomes difficult to bring the activity back in-house; and where the PSO has entered into contracts that makes speedy exit prohibitively expensive;

g. Legal Risk – Where the PSO is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as to private settlements due to acts of omission and commission by the service provider;

h. Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and / or to provide remedies;

i. Reputation Risk – Where the service provided is poor and customer interaction is inconsistent with the overall standard expected from the PSO; and

j. Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the PSO.

Outsourcing of activities by the PSOs shall not require prior approval from RBI.

However, we understand clearly that every PSO exercises due diligence, puts in place sound and responsive risk management practices for effective oversight, and manages the risks arising from such outsourcing of activities effectively. No ifs and buts will be tolerated by RBI who would supervise without any hindrances from any PSO.

Yes, I agree that some core activities are not eligible for outsourcing like management functions including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms. However, no PSO is prohibited to use the talents of outside experts already provided by Company’s act 2013 or later added amendments.

If a customer is aggrieved, can he/she contact the PSO directly, if needed?

Adequate details of such access should be enabled through many phone numbers, e-mail ids, postal address, etc., details of which shall be displayed prominently on its website, mobile applications, advertisements, etc., and adequate awareness shall also be created about the availability of this recourse.

(Yesterday, I was searching such details of many leading public sector banks who have ignored RBI instructions to provide them in their web sites invariably. Sad but true.)

Let us keep in mind the role of Board of Directors, responsibilities of senior management, and details of outsourcing agreement etc., as outlined by RBI in its instructions.

What does one expect the Board of Directors to contribute?

Starting with approval of an outsourcing policy, approving a framework to evaluate the risks and criticality of all existing and prospective outsourcing, mapping appropriate approval authorities for outsourcing, setting up suitable administrative mechanism of senior management etc. are some of the tasks of Board of Directors.

Periodical review of outsourcing and the risks involved, review of business activities to be outsourced on a timely basis, complying with regulatory instructions and periodical communication with RBI and other regulatory authorities too form the role of senior management.

Any one will be too interested to know about the outsourcing agreement that will form the base of outsourcing activities.

RBI has noted 13 instructions under the above agreement out of which identification of activities to be outsourced, maintaining consumers’ confidential details, having access to the records, books, or identifying the responsibility of service provider in outsourcing or termination clause and the minimum time to execute those clauses are of interest.

By clearly stating the role of RBI to verify the function of PSO both online and offline by periodical inspection by its officers, and to obtain the inspection reports conducted on them PSO’s senior management takes a primary role. It is clearly understood that service providers are bound by the advisory role of RBI.

It is clearly laid down by RBI that PSO must have a disaster management policies and part of its risk analysis, take periodical tests to be done to assess the effectiveness of its policies.

Let us also analyze who will monitor and control of the outsourcing activities.

Items 12.1- 12.6 clearly outline the directions.

It has been seen recently that outsourced activities do not get the required monitoring by the original organization that undertakes this action.

Monitoring and control of outsourced activities

  • The top management structure to undertake monitor and control outsourcing activities should be identified.
  • Internal and external audits form part of PSO’s compliance with its risk management framework.
  • Annual review of the performance of service provider will clearly indicate the due diligence reviews of the service providers’ performance review, meeting the expectations of the customer, and highlight any deterioration of breach of performance standards, confidentiality, security and business continuity preparedness.
  • ASO is expected to share all its reports with RBI as part of its regulatory requirements.
  • In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, the same shall be given due publicity by the PSO informing the customers so as to ensure that they stop dealing with the concerned service provider.
  • Certain cases like outsourcing of cash management, may involve reconciliation of transactions between the PSO, the service provider and its sub-contractors, if any. In such cases, PSO shall ensure that this reconciliation process is carried out in a timely manner.
  • In case of utilizing group companies within a conglomerate, arms- length transactions with clear cut policies without compromising on quality in customer service, proper maintenance of books/records, periodical inspections (both internal and external) and enabling RBI to undertake systematic overview of the total operations are expected. I do hope RBI do undertake its responsibilities by periodical inspections, attending of Board meetings if necessary and lead these organizations which are yet to mature.

What about off source outsourcing?

Recent events around the world about off-source outsourcing raise deep concern and risk elements in the functioning of PSOs.

How does one expect in such situations?

  • Let me quote RBI’S own instructions. “The engagement of a service provider in a foreign country exposes the PSO to country risk. To manage such country risk, the PSO shall closely monitor government policies and, political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.”
  • How will the foreign regulator deal with the off-source outsourcing of Indian work by PSO?
  • The off-shore regulator regulating the off-shore service provider shall neither obstruct the arrangement nor object to RBI’s visit(s) for audit / scrutiny / examination / inspection / assessment or visit(s) by PSO’s internal and external auditors;
  • The regulatory authority of the off-shore location does not have access to the data relating to Indian operations of the PSO simply on the ground that the processing is being undertaken there (not applicable if off-shore processing is done in the home country of the PSO); and
  • The jurisdiction of the courts in the off-shore location where data is processed, does not extend to the operations of the PSO in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India.

Our observations

Though simple looking in language and arrangement of instructions by RBI communication, recent upheavals in Africa, Afghanistan, or other parts of the world affected by natural calamities, the cooperation of foreign country’s government, the helping attitude of the majority community or the good will and love gained during over a long period of time alone would save the survival of activities of Indian companies. Recent issue of instructions by the central government on maintenance of data or activities undertaken under off source outsourcing are very important and would also form the basis of implementing RBI instructions in case of PSO.

One expects RBI with strict monitoring of implementation by PSO by systematic inspections and receipt of up-to-date financial data and taking strict actions in case of adverse functions. These instructions are vital in the growth of PSO who may lack resources to undertake these activities by themselves. Outsourcing has become very successful provided suitable oversight and periodical inspections are undertaken. Those who offer outsourcing can’t forget their responsibilities.

It will be interesting if results of these inspections are revealed to all stake holders of PSOs through financial reports.

Yes, I do join others who congratulate RBI for its timely services and leadership roles in offering practical instructions.


Disclaimer: The contents of this article are for information purposes only and do not constitute an advice or a legal opinion and are personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before acting on the basis of the above write up.  The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that Author/TaxGuru is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information for any action taken thereof. This is not any kind of advertisement or solicitation of work by a professional.

Author Bio

Qualification: Post Graduate
Company: subramanian natarajan cpa firm
Location: NEW DELHI, Delhi, India
Member Since: 09 May 2017 | Total Posts: 181
A banker with 27 years of experience, a CPA from USA with specialization in US taxation, individual, partnership, S corporation or LLC taxation etc View Full Profile

My Published Posts

More Under Fema / RBI

Leave a Comment

Your email address will not be published. Required fields are marked *

Search Posts by Date

September 2021