RBI Notification

New Outsourcing Framework for Non-Bank PSOS: Implications

The Reserve Bank of India in 2020 had released certain guidelines with an intention to regulate payment aggregators and payment gateways. As per the present framework, banks and Non-Banking Financial Companies are required to follow different rules for outsourcing financial services, which includes performing due diligence of service providers, evaluating the risk and ability of service providers and monitoring outsourced activities. 

After that Reserve Bank of India in 2021 brought forth an outsourcing framework to regulate outsourcing of payments and settlement related activities by Non-bank Payment System Operators^[1], including card networks as well as prepaid payment instrument companies in India. The Non-bank Payment System Operators must comply with the new framework by March 31 next year. This write-up examines the compliance requirements under the new outsourcing framework and the implications on payment companies.

What do you mean by Payment System and Payment System Operators?

Payment system refers to a system which is used to do financial transactions through monetary value transfer and comprises of different mechanism that helps in transfer of funds. In India, the board for Regulation and Supervision of payment and Settlement Systems is the highest policy making body on payment system.

Payment System Operators, through the services they extend and the type of models on which they function, outsource their payment and settlement related activities to different entities. It has been granted an authorization for the operation of payment system.

Applicability of the New Outsourcing Framework

The new framework shall apply to all non-bank Payment System Operators outsourcing payments and settlement related activities to service providers and third party operators. Moreover, this framework will also apply to service providers to non-bank PSOs operating outside India.

Essential Provisions of the New Framework

Some of the essential provisions are as follows:

• Monitoring and Control

The non-bank PSOs shall be required to use complete control over the outsourced activities, and they will be liable for any non-compliance in respect of the outsourced activities undertaken by the service providers. Moreover, they will be required to use ongoing diligence on service provider and make sure that service providers are complying with laws applicable.

• Activities Prohibited

Non-bank PSOs shall be prohibited to outsource core management functions, including risk management, internal audit or decision making functions like KYC norms compliance to third party service providers. Moreover, those Non-bank Payment System Operators who outsourced their customer grievance redressal function shall provide their customers direct access to their respective nodal officers, which will allow customers, if needed, to raise complaints to nodal officers. This clear demarcation between permissible and prohibited outsourcing activities will provide improved clarity to non-bank PSOs on how to function in India.

• Board and Management Responsibilities

The board of the non-bank PSO and its senior management will be required to review the outsourcing policies periodically and also evaluate risks. It shall also ensure that enough measures are taken by the service providers while complying with the new framework.

• Outsourcing policy and agreement

Non-bank PSOs will require a board approved outsourcing policy, and there must be a well defined outsourcing agreement in place. The new framework also provides for certain clauses that must be included in the outsourcing agreement, inter alia.

1. Customer confidentiality and security Non-bank Payment System Operators should make sure that they keep the customer data confidential, and they must monitor the security practices of the service providers. The non-bank PSOs should ensure that localization of data requirements are followed by the service providers.
2. Business continuity and risk mitigation plans

Non-bank PSOs must ensure that service providers have framework as well as contingency plans for continuity of business and data recovery.

• Outsourcing within group entities and offshore outsourcing restrictions

Non-bank Payment System Operators should ensure that group entities comply with the new framework. Further, they are required to inform customers regarding any activities performed by the group entity. Those Non-bank Payment System Operators who outsource payment and settlement activities to the offshore entity have to carefully assess the risk and ensure that the confidentiality of customer data.

Implications of the new outsourcing framework

The additional requirements, which is to be followed as per the new framework on outsourcing within the group and to offshore entities, is projected to ensure that group, as well as offshore entities, will provide data protection of customers and all related compliances. However, this development can affect the extant payment companies operations and could also hamper the technological advancements in the industry.

The new framework can help in the regulation of non-bank payment system operators in India and also reducing the risk arising from outsourcing of core activities by non-bank PSOs. However, on the flip side, it can significantly increase compliances for these companies, which can serve as burden.

This is a measure that can help in protecting the interest of consumers, but if we desire to see more new players, then the regulatory approach towards fintech companies should be more balanced. It will help in sustaining the growth of existing non-bank payment system operators in India.

Conclusion

The Non-bank Payment System Operators must comply with the new outsourcing framework by March 31 next year. It shall apply to all non-bank Payment System Operators outsourcing payments and settlement related activities to service providers and third party operators.

Read our article:RBI extends access to Centralized Payment System to non-banks in phases