The Statement on Developmental and Regulatory Policies dated February 05, 2021 (“Statement”) recognized that operators and participants in various authorized payment systems outsourced certain activities to optimise efficiency and lower costs, and therefore, proposed that the Reserve Bank of India (“RBI”) would issue guidelines to operators and participants of authorised payment systems. In furtherance of this proposal, a notification dated August 03, 2021 (“Notification”) was issued by the RBI, to enable effective management of attendant risks in outsourcing of payment and settlement related activities by non-bank Payment System Operators (“PSOs”). PSOs are required to ensure compliance with the Notification by March 31, 2022.
The RBI, in the Notification, seems to have followed a similar approach in laying down the framework, as it did in safeguarding the outsourcing of activities by banks and Non-Banking Financial Companies (NBFCs).
- WHAT IS OUTSOURCING?
The framework under the Notification defines ‘outsourcing’ as the use of a third party/service provider to perform, on a continuing basis, activities that would ordinarily be undertaken by the PSO itself, either now or in the future. A ‘service provider’ performing services for a PSO includes vendors, payment gateways, agents, consultants and/or their representatives that are engaged in the activity of payment and/or settlement systems. Secondary service providers or sub-contractors of a service provider are also included in the definition. A service provider must not be owned or controlled by any director or officer of the PSO, unless it is a group company of the PSO.
The framework under the Notification lays down minimum standards for managing and mitigating the risks in outsourcing payment and/or settlement related activities, and these standards also extend to the service providers engaged. The Notification identifies the numerous risks that the outsourcing process poses. While outsourcing of activities by PSOs does not require prior approval from the RBI, PSOs are required to exercise extensive due diligence having regard to all applicable laws, to follow responsive risk management practices, and to enter only into such outsourcing arrangements as do not hinder effective supervision by the RBI.
Outsourcing does not reduce the existing obligations of the PSO. Ultimate responsibility for any activity outsourced to a service provider remains with the board and senior management of the PSO.
- RESPONSIBILITY OF THE PSO
The framework prohibits PSOs from outsourcing core management functions, including risk management and internal audit. Outsourcing of decision-making functions, such as determining compliance with Know Your Customer (KYC) norms, is also prohibited. The extent of an outsourcing arrangement is a crucial factor vis-a-vis the rights of the customer, and PSOs must consider all applicable laws when conducting due diligence. Ultimate responsibility for all outsourced activity, and for addressing customer grievances in respect of services provided by the PSO or by the service provider, remains with the PSO. This includes providing escalation mechanisms, through various media, that give the customer direct contact with the PSO. In any event, outsourcing must not impede the RBI’s ability to carry out its supervisory functions and objectives.
PSOs that outsource payment and settlement related activities should have a comprehensive outsourcing policy approved by their board, covering the selection criteria for service providers, the parameters for grading the criticality of an outsourcing arrangement, the delegation of authority depending on the risk involved, and the monitoring of the outsourced activity. It is relevant to highlight that the Notification prescribes several responsibilities exclusively for the board and senior management of PSOs.
- OUTSOURCING AGREEMENT
The Notification specifies that the terms and conditions governing the contract between a PSO and a service provider should be recorded in a written agreement that is “vetted by the PSO’s legal counsel” for its legal effect and enforceability. The agreement must address the risks involved and the strategies for mitigating them, while being sufficiently flexible to allow the PSO to retain adequate control over the outsourced activity, with a right to intervene as necessary to ensure compliance with legal and regulatory obligations. Key provisions should include: (i) a definition of the activities being outsourced; (ii) access by the PSO to all relevant records; (iii) a termination clause with a sufficient notice period; (iv) controls for the confidentiality of customer data; (v) audit and monitoring rights, including access by the RBI; and (vi) post-termination obligations such as maintaining confidentiality and preserving records.
To retain customer trust, PSOs must ensure the security and confidentiality of information at all times. Restricting access to information on a ‘need to know’ basis, requiring the service provider to keep the PSO’s customer data separately identifiable, and reviewing and monitoring the security practices of the service provider are some of the preventive measures contemplated. PSOs should also have: (i) business continuity and disaster recovery plans; (ii) control over the outsourced activity in the event of liquidation of the service provider or termination of the outsourcing agreement; (iii) an alternate service provider available, or the ability to perform the outsourced activity in-house; and (iv) regular audits of the service provider by the PSO’s auditors to assess its risk management practices and its preparedness for business continuity.
- Domestic outsourcing to a group company: PSOs may enter into service arrangements with group companies, such as sharing of premises, legal and professional services, outsourcing of certain payment and settlement services, etc. Such arrangements must be properly documented, with a clear demarcation between the services offered by the PSO and those offered by the group company acting as service provider. The risk management practices adopted by a PSO when outsourcing to a related party within its group must be the same as those it would adopt for an unrelated party.
- Off-shore outsourcing: The Notification states that outsourcing to an off-shore service provider exposes the PSO to country risk. Closely monitoring the government policies and the political, social, economic and legal conditions of the service provider’s country, and establishing sound procedures for dealing with country risk problems, are among the measures PSOs are required to implement. PSOs should ensure the following in relation to off-shore outsourcing: (i) the off-shore regulator of the service provider neither obstructs the arrangement with the PSO nor objects to the audit and inspection rights of the RBI; (ii) the regulatory authority of the service provider’s country does not have access to data relating to the PSO’s operations; and (iii) the jurisdiction of off-shore courts does not extend to the data processed by the off-shore service provider, given that the underlying transactions are undertaken by the PSO in India.
The Notification appears to be aimed at robustly regulating outsourcing and at protecting PSOs from the considerable risks to which such arrangements expose them, such as strategic, reputational, compliance, operational and legal risks. The RBI seems to be responding to a growing trend across the industry in which a significant number of activities are outsourced by PSOs to one or more service providers, with arrangements that fall short on significant principles such as compliance with regulatory requirements and the safeguarding of customer data. At the same time, while many existing arrangements already provided the RBI with access, the message being sent is that the RBI’s right of access to service providers in an outsourcing arrangement is sacrosanct. The Notification in many ways resembles the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks dated November 03, 2006, issued for Scheduled Commercial Banks, and the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs dated November 09, 2017. A trend is emerging in which the RBI is steadily leading PSOs down the same regulatory path it has taken with NBFCs.
Authored by Abhinav Bhalaik, Partner, Namitha Mathews, Partner, Mayank Jhunjhunwala, Senior Associate, and Shashank Sharma, Associate
This material and the information contained herein prepared by Algo Legal is intended to provide general information on a subject or subjects and is not an exhaustive treatment of such subject(s). Algo Legal is not, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision. Algo Legal shall not be responsible for any loss whatsoever sustained by any person who relies on this material.
- https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=51078
- https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12136&Mode=0
- https://rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=11160
- The Notification clarifies that ‘continuing basis’ includes agreements for a limited period.
- Core management functions include, but are not confined to, management of payment system operations (netting, settlement, etc.); transaction management (reconciliation, reporting and item processing); according sanction to merchants for acquiring; managing customer data; risk management; information technology and information security management, etc.
- RBI/2006/167 DBOD.NO.BP.40/21.04.158/2006-07.
- https://rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=11160