The Reserve Bank of India issued rules in 2020 with the goal of regulating payment aggregators and payment gateways. Banks and Non-Banking Financial Companies are obliged to follow distinct criteria for outsourcing financial services under the current system, which includes completing due diligence on service providers, analysing the risk and capabilities of service providers, and monitoring outsourced operations.
Following that, in 2021, the Reserve Bank of India proposed an outsourcing framework to govern the outsourcing of payments and settlement-related operations by non-bank PSOs, including card networks and prepaid payment instrument businesses in India. Non-bank Payment System Operators are required to comply with the stated framework by March 31 of the following year. This article looks at the new outsourcing framework’s compliance standards and the consequences for payment firms.
Outsourcing Agreement: Brief Outlook
The terms and conditions regulating the contract between the PSO and the service provider must be properly established in written agreements and reviewed for legal effect and enforceability by the PSO’s legal counsel. Every such agreement must include a discussion of the risks and solutions for minimising them. The agreement must be flexible enough to allow the PSO to keep enough control over the outsourced activity as well as the authority to intervene with necessary actions to fulfil legal and regulatory responsibilities. The agreement must also specify the nature of the legal connection between the parties, such as whether they are agents, principals, or otherwise.
The following should be included as essential provisions of the agreement:
- defining the activity to be outsourced, including appropriate service and performance standards;
- giving the PSO access to all books, records, and information relevant to the outsourced activity that are available with the service provider;
- providing for continuous monitoring and evaluation of the provider by the PSO, so that any appropriate measures can be taken immediately;
- ensuring that precautions are taken to preserve the confidentiality of customer data and including the service provider’s obligation in the event of a breach of security and the disclosure of such customer-related information;
- integrating a contingency plan(s) to guarantee business continuity;
- requiring prior approval/consent of the PSO for the service provider to engage subcontractors for all or a portion of an outsourced activity;
- maintaining the PSO’s right to conduct audits of the service provider, whether by internal or external auditors, or agents appointed to act on its behalf, and obtaining copies of any audit or review reports and conclusions made concerning the service provider in connection with the PSO’s services;
- adding provisions allowing the RBI or a person(s) authorised by it to have reasonable access to the PSO’s documents, transaction records, and other essential information supplied to, held, or processed by the service provider;
- including provisions recognising the RBI’s authority to have a service provider of a PSO and its books of accounts inspected by one or more of its officials, employees, or other people;
- including terms that place a clear duty on any service provider to comply with RBI directives insofar as they concern PSO activities;
- protecting customer confidentiality even after the agreement ends or is cancelled; and
- safeguarding documents and data by the service provider in line with the PSO’s legal/regulatory responsibilities, with the PSO’s interests in this respect safeguarded even after the services are terminated.
The PSOs shall ensure that such arrangements:
- are appropriately documented in written agreements with details such as the scope of services, charges for services, and maintaining the confidentiality of customers’ data;
- do not cause any confusion among customers as to whose products/services they are availing, by the clear physical demarcation of the site of activities of different group entities;
- do not compromise the confidentiality of customers’ data; and
- do not prohibit RBI from obtaining information needed for PSO oversight or information related to the group as a whole.
Several risks are associated with the outsourcing process; below is a list of some of these concerns:
- Compliance Risk – When a service provider fails to comply with privacy, customer/consumer, and prudential rules.
- Concentration and Systemic Risk – When the whole sector relies substantially on a single service provider, individual PSOs may lack influence over the service provider.
- Contractual Risk – The potential that the PSO may be unable to enforce the contract.
- Country Risk – When the political, social, or legal context adds to the risk.
- Cybersecurity risk – A breach in IT systems that may result in the loss of data, information, reputation, or money.
- Exit Strategy Risk – When a PSO is excessively reliant on a single firm, the PSO loses essential knowledge internally, making bringing the activity back in-house difficult; and when the PSO has committed to contracts that make a rapid exit prohibitively expensive.
- Legal Risk – When the PSO is subject to fines, penalties, or punitive damages as a result of regulatory procedures, as well as private settlements as a result of the service provider’s acts of omission and commission.
- Operational Risk – A risk that develops as a result of technical failure, fraud, error, or lack of financial capacity to satisfy promises and/or provide remedies.
- Reputation Risk – When the service provided is insufficient and customer interaction is inconsistent with the general standard expected from the PSO.
- Strategic Risk – When the service provider wants to operate on its own behalf, which is inconsistent with the PSO’s overall strategic goals.
What exactly do Payment System and Payment System Operator mean?
A payment system is a system that is used to conduct financial transactions by transferring monetary value and consists of several mechanisms that aid in the transfer of cash. The Board for Regulation and Supervision of Payment and Settlement Systems in India is the top policy-making body in charge of payment systems.
A Payment System Operator (PSO) is an entity that has been granted permission to operate a payment system. Depending on the services they provide and the models on which they operate, PSOs outsource payment and settlement-related tasks to various organisations.
The New Outsourcing Framework’s Applicability
The new framework will apply to all non-bank Payment System Operators who outsource payments and settlement activities to service providers and third-party operators. Furthermore, this approach will apply to non-bank PSO service providers operating outside of India.
The New Framework’s Essential Provisions
The following are some of the important provisions:
- Control and monitoring
- Outsourcing limits within group entities and offshore outsourcing
- Prohibited activities
- Board and management responsibilities
- Policy and agreement on outsourcing
Non-bank PSOs will be expected to exercise total control over outsourced operations, and they will be held responsible for any non-compliance relating to outsourced services performed by service providers.
Furthermore, they will be expected to carry out continuing due diligence on service providers and ensure that service providers are in compliance with applicable laws.
It is forbidden for non-bank PSOs to outsource essential management services, such as risk management, internal audit, or decision-making functions such as KYC standards compliance, to third-party service providers. Furthermore, non-bank Payment System Operators that have outsourced their customer grievance redressal role must offer their clients direct access to their nodal officers, allowing consumers to raise complaints to nodal officers if necessary.
This clear delineation between allowed and forbidden outsourcing operations would offer non-bank PSOs greater clarity on how to operate in India.
The non-bank PSO’s board of directors and senior management will be obliged to assess and analyse risks in relation to outsourcing policy on a regular basis. They will also have to ensure that service providers take adequate precautions to comply with the new framework.
Non-bank PSOs will need to have a board-approved outsourcing policy in place, as well as a well-defined outsourcing agreement. The new framework also specifies which provisions must be included in the outsourcing agreement, among other things.
- Customer privacy and security are paramount. Non-bank Payment System Operators must ensure that client data is kept secure and must monitor the security procedures of service providers. Non-bank PSOs should ensure that service providers adhere to data localisation regulations.
- Plans for business continuity and risk mitigation
Non-bank PSOs must ensure that service providers have a framework and contingency plans in place for business continuity and data recovery.
Non-bank Payment System Operators must ensure that all group companies follow the new framework. Furthermore, they are obligated to notify clients of any activity carried out by the group company. Non-bank Payment System Operators that outsource payment and settlement activities to an offshore business must carefully analyse the risk and maintain client data protection.
Implications of the new outsourcing framework
The new requirements on outsourcing within the group and to offshore companies are expected to ensure that group entities, as well as offshore businesses, provide customer data security and meet all relevant compliance obligations. However, this development may have an impact on the operations of existing payment firms as well as the industry’s technical developments.
The new approach may aid in the regulation of non-bank payment system operators in India, as well as in minimising the risk associated with non-bank PSOs outsourcing key functions. On the other hand, it might considerably raise the compliance burden for these businesses, which can be a hardship.
This is a policy that can help safeguard customers’ interests, but if we want to see more new participants, the regulatory approach to fintech businesses should be more balanced. It will aid in the expansion of current non-bank payment system providers in India.
Non-bank Payment System Operators must adhere to the new outsourcing framework by March 31 of the following year. It applies to all non-bank Payment System Operators that outsource payment and settlement-related operations to service providers and third-party operators.