The Reserve Bank of India (RBI) has released a framework for the outsourcing of payment and settlement-related activities by payment system operators (PSO). Recognizing that non-bank payment system operators largely outsource their payment and settlement-related activities to various third-party entities, the RBI aims to manage risks associated with outsourcing of such activities.
The framework will be applicable to service providers located in India as well as abroad. Payment system operators are expected to ensure compliance with the framework by March 31, 2022.
Aim of the Framework
Rather than prohibiting outsourcing of payment and settlement activities, the Central Bank has chosen to release the framework to manage the risks associated with it. The framework will put in place minimum standards to manage risks, while restricting the outsourcing of core management functions.
Payment System Operators shall, as a result, have a board-approved comprehensive outsourcing policy.
There are multiple risks associated with outsourcing of payment & settlement-related activities. They include concentration of outsourcing by multiple payment system operators with one service provider, cybersecurity risks, exit strategy risks, legal risks, operational risks (technological failure, fraud, error), etc.
Let’s go through some key highlights of the framework.
Can’t Outsource Core Management
First and foremost, payment system operators cannot outsource core management functions. These functions include management of payment system operations, transaction management (reconciliation, reporting, and item processing), managing customer data, information security management, compliance with KYC norms, etc.
As for critical processes, i.e. those whose disruption could potentially impact business operations, customer service, profitability, or reputation, a PSO shall evaluate the need for outsourcing them. Further, it shall select service providers on the basis of a comprehensive risk assessment.
Further, the PSO shall be liable for the actions of its service providers. Therefore, it shall retain ultimate control over the activity it outsources and comply with all relevant laws and regulations.
Outsourcing arrangements shall not affect the rights of a customer of a PSO against the PSO. The PSO shall be responsible for addressing the grievances of its customers. In case the PSO has outsourced the grievance redressal function, the PSO shall provide its customers the option to escalate complaints to its nodal officials. As such, the PSO shall make customers aware of this recourse on websites, mobile applications, advertisements, etc.
The PSO shall enter into a written outsourcing agreement with the service provider. The agreement shall clearly chart out terms and conditions, address risks and strategies for their mitigation, and overall shall allow the PSO to retain adequate control over the activity it is outsourcing. It shall also allow the PSO to intervene in order to meet legal and regulatory obligations.
The framework further charts out some key outsourcing provisions that the agreement shall contain.
The framework also focuses on confidentiality and security of customer data. It mandates service providers to limit access to customer information. Further, if the service provider is acting as an outsourcing agent for multiple PSOs, it should be able to isolate, prevent co-mingling of, and clearly identify a PSO’s customer information, records, documents, and assets.
The PSO shall immediately notify the RBI about any breach of security and leakage of confidential information related to customers. The PSO would be liable to its customers for any damage.
Apart from the above, the service provider shall develop a business continuity and disaster recovery plan, put in place a management structure to monitor and control its outsourcing activities, and follow some additional due diligence requirements for off-shore outsourcing.
You can read the full guidelines here.