This article examines the Draft Master Direction issued by the Reserve Bank of India in 2023 on “Managing Risks and Code of Conduct in Outsourcing of Financial Services”. We will explore the key aspects and guidelines outlined in this directive, shedding light on the critical areas that financial institutions should consider when venturing into outsourcing.
Understanding the Landscape
Outsourcing in the financial sector is gaining momentum as a cost-effective means of tapping into specialized expertise not readily available in-house. However, this operational decision exposes Regulated Entities (REs) to various risks that necessitate careful management. The Reserve Bank of India’s “Managing Risks and Code of Conduct in Outsourcing of Financial Services” Directions, 2023, addresses these risks comprehensively.
Consolidation of Guidelines
These directions consolidate, update, and harmonize existing guidelines, making it easier for REs to access the latest instructions related to outsourcing of financial services. They draw their authority from various legal provisions, including the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, and the Credit Information Companies (Regulation) Act, 2005.
The Who and What of it
Applicability
The directive applies to a broad spectrum of financial entities, including:
- Commercial Banks (Local Area Banks, Regional Rural Banks, Payments Banks, and Small Finance Banks)
- All-India Financial Institutions (Exim Bank, NABARD, NHB, SIDBI, and NaBFID)
- Non-Banking Financial Companies, including Housing Finance Companies
- Urban Co-operative Banks, State Co-operative Banks, and Central Co-operative Banks
- Credit Information Companies
These guidelines are primarily concerned with the management of risks and the code of conduct associated with outsourcing financial services. They do not cover technology-related aspects or activities unrelated to financial services, such as courier services, catering, housekeeping, and security.
Purpose
At the heart of these directions lies the principle that REs must ensure that outsourcing arrangements do not compromise their ability to meet customer obligations or hinder effective supervision by regulatory authorities. While prior approval from the Reserve Bank of India is not required for outsourcing financial services, these arrangements are subject to on-site and off-site monitoring and inspection by supervisory authorities.
Defining Key Terms
Before delving into the core principles, let’s clarify some key terms:
- Material Outsourcing Arrangement: This refers to an outsourcing agreement that, in the event of service failure or security breaches, has the potential to significantly impact an RE’s business operations, reputation, profitability, or risk management capabilities.
- Outsourcing: This involves an RE utilizing a third party, either within the same corporate group or externally, to perform activities typically conducted by the RE itself. It includes agreements for a limited period, with no perpetual arrangements allowed.
- Service Provider: The entity providing financial services, which can be a member of the RE’s group or an independent party. Sub-contractors used by service providers are also included.
- Supervisory Authority: The regulatory entity responsible for overseeing various types of REs.
What Stays In-House
These guidelines explicitly state that core management functions, policy formulation, decision-making functions, management of investment portfolios, compliance functions, and internal audit functions must not be outsourced. The final say on extending credit to customers, even if a service provider is involved in the process, remains with the RE. However, some degree of outsourcing can occur if the RE follows predefined criteria approved by the RE’s Board.
Identifying Material Outsourcing
Determining the materiality of an outsourcing arrangement is crucial. Factors to consider include:
- The significance of the activity being outsourced and the risks it poses
- Potential impacts on the RE’s financial parameters, brand, reputation, and business objectives
- The cost of outsourcing relative to the RE’s total operating costs
- Dependency levels on a single service provider for various functions
- The activities’ importance in terms of customer service and protection
- The difficulty and time involved in finding alternative service providers
- Impacts on counterparties and the financial market if the service provider fails
These criteria do not rule out other outsourcing activities, as the RE can classify them as material based on their own assessments.
Regulatory and Supervisory Requirements
The supervisory authority is tasked with reviewing the implementation of these guidelines during inspections, with a specific focus on risk management systems related to material outsourcing.
REs, in turn, must:
- Consider all relevant laws, regulations, and guidelines when conducting due diligence on outsourcing.
- Ensure that the service provider upholds the same high standards of care as the RE.
- Create an inventory of services provided by service providers to evaluate their dependence on third parties.
- Be responsible for the actions of service providers and their sub-agents.
- Maintain customer information confidentiality and retain control over outsourced activities.
- Ensure that service providers do not hinder effective oversight or supervisory functions.
- Guarantee that the service provider is not owned or controlled by individuals connected to the RE.
- Establish a robust grievance redressal mechanism that is not compromised by outsourcing.
Risk Management Practices for Outsourcing
Outsourcing Policy
REs planning to outsource financial activities must have a comprehensive board-approved outsourcing policy. This policy should cover criteria for activity and service provider selection, delegation of authority based on risk and materiality, and systems for monitoring and reviewing outsourced operations.
Role of the Board and Senior Management
The board and senior management are ultimately responsible for managing risks associated with outsourcing. They must establish governance and risk management processes for all outsourced activities. The board or a delegated committee is responsible for approving frameworks to assess risks and materiality, approval of outsourcing activities, and creating administrative structures for implementing these directions. Senior management is responsible for evaluating risks, developing and implementing prudent outsourcing policies, and ensuring ongoing reviews of these policies and procedures.
Evaluating Risks
Key risks to evaluate include compliance risk, concentration and systemic risk, contractual risk, counterparty risk, country risk, exit strategy risk, legal risk, operational risk, reputation risk, and strategic risk.
Evaluating Service Provider Capability
REs should conduct appropriate due diligence to assess a service provider’s capability to fulfill obligations. This should cover financial, operational, qualitative, quantitative, and reputational factors.
The Outsourcing Agreement
The agreement between the RE and the service provider should be well-defined and vetted for legal effect and enforceability. It should include provisions for activities outsourced, service level agreements, continuous assessment, contingency plans, data confidentiality, the use of subcontractors, access to documents, audits, the right of supervisory authority to access information, termination clauses, and more.
These guidelines provide a robust framework for managing risks and ensuring the smooth operation of outsourced financial services. By adhering to these principles, financial institutions can tap into the potential of outsourcing while safeguarding their operations and reputation.
Alongside these directions, REs should also take into account the RBI’s guidelines on data storage, specifically:
- ‘Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017,’ as communicated in circular DNBR (PD) 090/03.10.124/2017-18 dated October 04, 2017, subject to periodic amendments.
- ‘Storage of Payment System Data,’ as stipulated in circular DPSS.CO.OD No.2785/06.08.005/2017-2018 dated April 6, 2018, alongside the ‘FAQ on Storage of Payment System Data,’ with due consideration for amendments over time.
- ‘Guidelines on Digital Lending,’ detailed in circular DOR.CRE.REC.66/21.07.001/2022-23 dated September 02, 2022, taking into account periodic revisions.
Section 15: Ensuring Confidentiality and Security
15.1 The bedrock of public trust and customer confidence in REs hinges on their unwavering commitment to safeguarding and preserving the security and confidentiality of customer data within the purview of the service provider.
15.2 Access to customer data by the service provider’s personnel should be confined to a ‘need-to-know’ basis, and granted only in those areas where the data is required for the outsourced functions.
15.3 The sharing and storage of data with the service provider must transpire through secure channels, and data should be encrypted. Furthermore, the RE should institute a systematic procedure for secure removal, disposal, or destruction of data by the service provider.
15.4 In cases where the service provider acts as an outsourcer for multiple REs, measures should be instituted to prevent the intermingling of assets, documents, information, and records.
15.5 Regular scrutiny of the service provider’s control processes and security practices is incumbent upon REs. Additionally, the service provider must promptly report any security breaches.
15.6 The REs have a responsibility to immediately notify the supervisory authority in the event of any security breach or unauthorized leakage of customer-related confidential information. In such circumstances, the RE will be held accountable to its customers for any resultant damages.
Section 16: Responsibilities of Direct Sales Agents (DSA)/Direct Marketing Agents (DMA)/Recovery Agents
16.1 REs must establish a code of conduct for DSA/DMA/Recovery Agents, which should be sanctioned by the Board. These agents must pledge to adhere to this code, ensuring responsible and sensitive handling of their duties. This includes aspects such as customer solicitation, the timing of communication, safeguarding customer information, and providing accurate product terms and conditions.
16.2 It is imperative that REs and their Recovery Agents refrain from resorting to intimidation, harassment, or any form of verbal or physical coercion in their debt collection efforts. This also means not publicly humiliating debtors, their guarantors, family members, referees, or friends, not infringing upon their privacy, not sending them inappropriate messages, and not making false representations.
16.3 In addition, REs and their Recovery Agents are prohibited from contacting borrowers/guarantors before 8:00 a.m. and after 7:00 p.m. for debt recovery purposes.
Section 17: Business Continuity and Disaster Recovery Management
17.1 The REs are mandated to compel their service providers to establish a robust framework for documenting, maintaining, and testing Business Continuity and Recovery procedures. Regular testing of these plans is essential, and joint testing with the RE, particularly in cases of significant outsourcing, should occur at least annually.
17.2 To mitigate the risk of unexpected termination or liquidation of the service provider, REs must retain a degree of control over their outsourcing agreements, ensuring they can continue business operations seamlessly.
17.3 In the pursuit of a viable contingency plan, REs must contemplate the availability of alternative service providers and the possibility of in-house insourcing. Costs, time, and resources associated with such contingencies should be taken into account.
17.4 When outsourcing involves shared facilities, the RE should guarantee that the service provider can segregate the RE’s information, documents, records, and assets. This separation is vital to safeguarding data accessibility and business continuity.
Section 18: Oversight of Outsourced Activities
18.1 REs are required to establish a management structure for monitoring and controlling their outsourcing activities.
18.2 A comprehensive record of all significant outsourcing agreements should be maintained and periodically reviewed by senior management and the Board or its Committee.
18.3 Monitoring and control reports must be periodically assessed, with any adverse developments reported to the Board or its Committee.
18.4 The REs should conduct thorough pre- and post-implementation reviews for new outsourcing arrangements or modifications to existing ones.
18.5 Regular audits, at least on an annual basis, should evaluate risk management practices in outsourcing, ensuring REs adhere to their risk management framework and regulatory requirements.
18.6 REs are obligated to annually review the financial and operational condition of the service provider to gauge its ability to meet outsourcing obligations and report their findings to the supervisory authorities.
18.7 An annual Compliance Certificate, detailing outsourcing contracts and audit findings, should be submitted to the respective supervisory authorities.
18.8 In the event of outsourcing agreement termination due to specific reasons such as fraud, data leakage, breach of confidentiality, or blacklisting by regulatory bodies, REs must publicly disclose these events through various channels.
Section 19: Redressal of Grievances Related to Outsourced Services
19.1 REs should establish a Grievance Redressal Machinery, as outlined in various circulars issued by the RBI and relevant supervisory authorities. This machinery should also address issues related to outsourced services.
19.2 The REs should prominently publicize their Grievance Redressal mechanism in branches and on their websites, indicating the handling of outsourced services-related grievances. The contact information of designated grievance redressal officers should be readily available, and customer grievances should be addressed promptly.
Section 20: Reporting of Transactions to Competent Authorities
REs bear the responsibility for reporting Currency Transactions Reports and Suspicious Transactions Reports to competent authorities in relation to customer activities carried out by service providers.
Section 21: Reporting to the Supervisory Authority
REs must report all significant financial outsourcing arrangements to the supervisory authority on a quarterly basis, utilizing the prescribed reporting format.
Section 22: Centralized List of Outsourced Agents
In cases of premature termination of service provider contracts for reasons such as fraud, data leakage, confidentiality breaches, or blacklisting, REs must inform relevant organizations like the Indian Banks’ Association (IBA) or RBI-recognized Self-Regulatory Organizations (SROs). These entities maintain caution lists of such service providers for sharing among member REs.
Chapter-VI: Outsourcing within a Group/ Conglomerate
- In group structures, REs may enter into back-office and service arrangements with group entities, sharing various resources and outsourcing financial services. However, these arrangements must maintain an arm’s length relationship and adhere to specified policies and service level agreements. Customers should be informed about the