Reserve Bank of India, vide its communication dated August 7, 2021 & 3, 2021, enlightened us with its instructions to “Non-Bank Payment System Operators” (PSOs) who, by virtue of the services they provide and the construct of the models on which they operate, largely outsource their payment and settlement-related activities to various other entities.
In order to enable effective management of attendant risks in outsourcing of such activities, it was announced in the Statement on Developmental and Regulatory Policies released with the bi-monthly Monetary Policy Statement 2020-21 on February 05, 2021, that a framework for outsourcing of payment and settlement-related activities by PSOs would be issued by the Reserve Bank of India. Accordingly, a framework for the same has been provided in the Annex with the communication dated August 7, 2021.
RBI expects the PSOs to ensure that all their outsourcing arrangements, including the existing ones, would be in compliance with this framework by March 31, 2022.
A link to the RBI communication is produced below:
It is interesting to learn the instructions of RBI on opening up of new avenues for PSOs. Wherever needed, I shall quote from the text for reference and add my explanations for easy understanding.
Framework for Outsourcing of Payment and Settlement-related activities by PSOs
Let us learn the various terms used in the above instructions, such as outsourcing, continuous basis, service provider etc., as defined by RBI.
To whom are the instructions applicable?
This framework is applicable to non-bank PSOs insofar as it relates to their payment and / or settlement-related activities. It seeks to put in place minimum standards to manage risks in outsourcing of payment and / or settlement-related activities (including other incidental activities like on-boarding customers, IT based services, etc.).
The framework is not applicable to activities other than those related to payment and / or settlement services, such as internal administration, housekeeping or similar functions.
Now let us acquaint ourselves with outsourcing risks. What are they?
Outsourcing process is associated with several risks; following is an illustrative list of such risks:
a. Compliance Risk – Where privacy, customer / consumer and prudential laws are not adequately complied with by the service provider;
b. Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence, individual PSO may lack control over the service provider;
c. Contractual Risk – Where the PSO may not have the ability to enforce the contract;
d. Country Risk – When political, social or legal climate creates added risk;
e. Cyber Security risk – Where breach in IT systems may lead to potential loss of data, information, reputation, money, etc.;
f. Exit Strategy Risk – When over-reliant on one firm, the PSO loses related skills internally, and it becomes difficult to bring the activity back in-house; and where the PSO has entered into contracts that make speedy exit prohibitively expensive;
g. Legal Risk – Where the PSO is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as to private settlements due to acts of omission and commission by the service provider;
h. Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and / or to provide remedies;
i. Reputation Risk – Where the service provided is poor and customer interaction is inconsistent with the overall standard expected from the PSO; and
j. Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the PSO.
Outsourcing of activities by the PSOs shall not require prior approval from RBI.
However, we understand clearly that every PSO exercises due diligence, puts in place sound and responsive risk management practices for effective oversight, and manages the risks arising from such outsourcing of activities effectively. No ifs and buts will be tolerated by RBI who would supervise without any hindrances from any PSO.
Yes, I agree that some core activities are not eligible for outsourcing, like management functions including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms. However, no PSO is prohibited from using the talents of outside experts already provided by the Companies Act, 2013 or later added amendments.
If a customer is aggrieved, can he/she contact the PSO directly, if needed?
Adequate details of such access should be enabled through many phone numbers, e-mail ids, postal address, etc., details of which shall be displayed prominently on its website, mobile applications, advertisements, etc., and adequate awareness shall also be created about the availability of this recourse.
(Yesterday, I was searching such details of many leading public sector banks who have ignored RBI instructions to provide them in their web sites invariably. Sad but true.)
Let us keep in mind the role of Board of Directors, responsibilities of senior management, and details of outsourcing agreement etc., as outlined by RBI in its instructions.
What does one expect the Board of Directors to contribute?
Starting with approval of an outsourcing policy, approving a framework to evaluate the risks and criticality of all existing and prospective outsourcing, mapping appropriate approval authorities for outsourcing, setting up suitable administrative mechanism of senior management etc. are some of the tasks of Board of Directors.
Periodical review of outsourcing and the risks involved, review of business activities to be outsourced on a timely basis, complying with regulatory instructions and periodical communication with RBI and other regulatory authorities too form the role of senior management.
Anyone will be interested to know about the outsourcing agreement that will form the base of outsourcing activities.
RBI has noted 13 instructions under the above agreement out of which identification of activities to be outsourced, maintaining consumers’ confidential details, having access to the records, books, or identifying the responsibility of service provider in outsourcing or termination clause and the minimum time to execute those clauses are of interest.
By clearly stating the role of RBI to verify the function of the PSO both online and offline by periodical inspection by its officers, and to obtain the inspection reports conducted on them, the PSO’s senior management takes a primary role. It is clearly understood that service providers are bound by the advisory role of RBI.
It is clearly laid down by RBI that a PSO must have disaster management policies and, as part of its risk analysis, conduct periodical tests to assess the effectiveness of its policies.
Let us also analyze who will monitor and control the outsourcing activities.
Items 12.1-12.6 clearly outline the directions.
It has been seen recently that outsourced activities do not get the required monitoring by the original organization that undertakes this action.
Monitoring and control of outsourced activities
What about off source outsourcing?
Recent events around the world about off-source outsourcing raise deep concern and risk elements in the functioning of PSOs.
What does one expect in such situations?
Though the RBI communication looks simple in its language and arrangement of instructions, in the light of recent upheavals in Africa, Afghanistan, or other parts of the world affected by natural calamities, the cooperation of the foreign country’s government, the helping attitude of the majority community, or the goodwill and love gained over a long period of time alone would ensure the survival of the activities of Indian companies. The recent instructions issued by the central government on maintenance of data or activities undertaken under off-source outsourcing are very important and would also form the basis of implementing RBI instructions in the case of PSOs.
One expects RBI to strictly monitor implementation by PSOs through systematic inspections and receipt of up-to-date financial data, and to take strict action in case of adverse functions. These instructions are vital to the growth of PSOs who may lack resources to undertake these activities by themselves. Outsourcing has become very successful provided suitable oversight and periodical inspections are undertaken. Those who offer outsourcing can’t forget their responsibilities.
It will be interesting if results of these inspections are revealed to all stakeholders of PSOs through financial reports.
Yes, I do join others who congratulate RBI for its timely services and leadership roles in offering practical instructions.