Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

The Reserve Bank of India, acting under the authority granted to it by Section 45 L of the Reserve Bank of India Act, 1934, issues the Directions to establish the necessary safeguards that will apply to the outsourcing of activities by NBFCs. Within two months of the date of this circular, NBFCs are advised to perform a self-assessment of their current outsourcing arrangements and bring them in line with the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs.

What is Outsourcing?

The term “outsourcing” refers to the NBFC using a third party, either an associated entity within a corporate group or an entity that is external to the corporate group, to carry out ongoing tasks that the NBFC would typically carry out, either now or in the future, on its own.

Because they outsource a variety of tasks, NBFCs are exposed to a number of risks. Additionally, the outsourced activities must fall under regulatory oversight to:

  a) safeguard the interests of NBFC clients and
  b) guarantee that the NBFC in question and the Reserve Bank of India have access to all pertinent books, documents, and information the service provider holds.

Some of the typical outsourced financial services are application processing (loan origination, credit card), document processing, marketing and research, loan supervision, data processing, and back office-related operations.

Activities that can be outsourced: 

Under these regulations, NBFCs may outsource only material financial services, such as application processing (loan/credit card), document processing, marketing, loan supervision, data processing, debt recovery, back office-related operations, etc.

Some of the major risks associated with outsourcing are Reputation Risk, Compliance Risk, Legal Risk, Strategic Risk, Contractual Risk, Access Risk, Exit Strategy Risk, Counterparty Risk, Concentration and Systemic Risk. The failure of a service provider to deliver a certain service, a security or confidentiality breach, or the service provider’s noncompliance with legal and regulatory standards can result in financial losses or reputational damage for the NBFC and may also pose systemic issues.

Activities that shall not be outsourced:

NBFCs that opt to outsource financial services must refrain from outsourcing core management tasks like internal audit, strategic and compliance functions, and decision-making tasks like confirming that deposit account opening procedures adhere to KYC requirements, approving loans (including retail loans), and managing investment portfolios. However, subject to following the guidelines, NBFCs may outsource these tasks within a group or conglomerate. Furthermore, even though the duty of internal auditing is one of management, internal auditors may work under contract.

Material Outsourcing

For the purposes of these guidelines, material outsourcing arrangements are those that, in the event of a disruption, could significantly affect the firm’s operations, reputation, profitability, or customer service. The degree of materiality of outsourcing would depend on the following factors:

  • The significance of the risk posed by the activity being outsourced to the NBFC.
  • The potential impact of outsourcing on the NBFC’s earnings, solvency, liquidity, funding capital, and risk profile.
  • The likely impact on the NBFC’s reputation and brand value. 
  • The ability to achieve its business objectives, strategy, and plans should the service provider fail to perform the service.
  • The outsourcing cost as a percentage of the NBFC’s overall operating costs.
  • The total exposure to that service provider in cases where the NBFC outsources multiple functions to the same service provider.
  • The importance of the activities outsourced in terms of customer service and protection.

Risk Management Practices for Outsourced Financial Services

An NBFC must implement a thorough outsourcing policy that has been approved by its board and includes, among other things, criteria for selecting such activities and service providers, delegation of authority based on risks and materiality, and systems to monitor and review the operations of any subcontractors.

Risk Assessment

When outsourcing, the NBFCs must assess and protect against the following risks:

Strategy Risk: When a service provider acts independently of the NBFC and conflicts with its overarching strategy objectives.

Reputation Risk: Occurs when the level of service is poor, and client interactions fall short of the general expectations of the NBFC.

Compliance Risk: Occurs when a service provider does not fully abide by privacy, consumer, and prudential rules.

Operational Risk: Emerging from a lack of financial resources to meet obligations and/or provide remedies, fraud, error, or technological failure.

Legal Risk: Where the NBFC is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.

Exit Strategy Risk: Arises from over-reliance on one firm, from the loss of relevant skills in the NBFC itself that prevents it from bringing the activity back in-house, and from contracts that make speedy exits prohibitively expensive.

Counterparty Risk: Where there are inappropriate credit or underwriting assessments.

Contractual Risk: The NBFC may not have the ability to enforce the contract.

Concentration and Systemic Risk: The overall industry has considerable exposure to one service provider; hence, the NBFC may lack control over the service provider.

Country Risk: Due to the political, social or legal climate creating added risk.

Outsourcing Agreement

The terms and conditions regulating the relationship between the NBFC and the service provider shall be carefully outlined in written agreements and reviewed by the NBFC’s legal counsel for their legal effect and enforceability. Each such agreement must cover the risks and methods for reducing them. The agreement must be sufficiently flexible to give the NBFC the right to maintain a suitable level of control over the outsourcing as well as the ability to take appropriate action to comply with legal and regulatory requirements. The agreement must specify the type of legal relationship between the parties, including whether they are acting as agents, principals, or in another capacity. The following are some important clauses of the contract:

  • The NBFC must ensure it has access to all books, records, and information relevant to the outsourced activity available with the service provider.
  • The contract must provide for continuous monitoring and assessment by the NBFC of the service provider so that any necessary corrective action can be taken right away.
  • The contract must clearly define what activities are going to be outsourced, including appropriate service and performance standards.
  • Controls to ensure customer data confidentiality and service providers’ liability in case of security breaches and leakage of confidential customer-related information shall be incorporated.
  • There must be backup procedures in place to maintain business continuity.
  • The contract must stipulate that the NBFC must first approve or consent before the service provider uses subcontractors for all or a portion of an outsourced operation.
  • It shall grant the NBFC the right to conduct audits on the service provider by its internal or external auditors or by representatives designated to act on its behalf and the right to obtain copies of any audit or review reports and findings made on the service provider in connection with the services rendered for the NBFC.
  • Outsourcing contracts must have provisions allowing the Reserve Bank of India or anyone with their permission to quickly access documents, transaction records, and other information provided to, stored, or processed by the service provider.
  • The outsourcing agreement must also state that the Reserve Bank has the right to request that one or more of its officers, employees, or other individuals inspect an NBFC’s service provider and its books and accounts.
  • The confidentiality of the customer’s information must be maintained even after the contract expires or is terminated, and the NBFC must have the necessary safeguards to ensure the confidentiality of the customer’s information.

Security and Confidentiality

The security and confidentiality requirements prescribed by the RBI’s Directions are:

  • The NBFC’s stability and reputation depend on the public’s and customers’ faith in the organisation. As a result, the NBFC will work to preserve and safeguard the security and privacy of client information within the service provider’s control or custody.
  • Employees of the service provider will only be granted ‘need to know’ access to customer information in areas where it is necessary to carry out the outsourced task.
  • To maintain the confidentiality of the information, the NBFC must make sure that the service provider can clearly distinguish and separate the NBFC’s client information, records, documents, and assets. Where the service provider serves as an outsourcing agent for different NBFCs, care must be taken to prevent the mixing of data, documents, records, and assets.
  • The service provider must report security breaches, and the NBFC must regularly examine and monitor the service provider’s security practices and control procedures.
  • In the event of a security breach and the disclosure of private customer data, the NBFC must notify RBI right away. In these circumstances, the NBFC would be liable to its clients for damages.

Monitoring and Control of Outsourced Activities 

The NBFC must have a management structure in place to oversee and manage its outsourcing operations. It must ensure that the service provider’s monitoring and control of outsourced operations are addressed in outsourcing agreements with them.

  • NBFCs shall maintain a central record of all material outsourcing that is easily accessible for assessment by the Board and senior management. The records must be immediately updated, and the board or risk management committee must be given half-yearly reviews.
  • The NBFC’s compliance with its risk management framework, the requirements of these directions, and the appropriateness of the risk management practices adopted in overseeing and managing the outsourcing arrangement are all subject to routine audits by either internal or external auditors of the NBFC.
  • NBFCs must examine the service provider’s financial and operational status at least once a year to determine if it can continue to fulfil its outsourcing commitments. 
  • If an outsourcing agreement is terminated for any reason and the service provider interacts with customers, the termination must be announced by posting a notice on the website, posting it prominently in the branch, and notifying the customers. This will ensure that the customers do not continue to do business with the service provider.
  • In some circumstances, such as outsourcing cash management, the NBFC, the service provider, and its subcontractors may need to reconcile transactions.
  • All outsourced activities must also have a strong internal auditing mechanism in place, which the NBFC will oversee.

Reporting transactions to the FIU or other appropriate agencies

Regarding the service providers’ customer-related operations, NBFCs would be accountable for reporting currency transactions and suspicious transactions to the FIU or any other competent body.

Conglomerate or group outsourcing

In a group structure, NBFCs may have back-office and service agreements with group entities, such as sharing of facilities, access to legal and other professional services, use of hardware and software, centralization of back-office tasks, outsourcing of specific financial services to other group entities, etc. 

Before entering into such agreements with group entities, NBFCs must have a board-approved policy and service level agreements with those entities that define how resources, such as premises, employees, and other resources, would be shared. Where many group entities are involved, or cross-selling is detected, the clients must also be specifically told which company is actually providing the product or service.

Off-shore outsourcing of Financial Services

By hiring service providers abroad, an NBFC exposes itself to country risk: economic, social, and political circumstances and events that could have a negative impact on the NBFC. Such circumstances and occurrences could make it difficult for the service provider to adhere to the terms of its contract with the NBFC.

NBFCs shall consider and closely monitor government policies and the political, social, economic, and legal conditions in the countries where the service provider is based, both during the risk assessment process and on an ongoing basis, to manage the country risk associated with such outsourcing activities, and shall establish sound procedures for dealing with country risk issues. 

In general, agreements may be entered into only with parties operating in nations that typically enforce confidentiality terms and agreements. A precise statement of the agreement’s governing law is also required.

The activities that are outsourced outside of India must be carried out in a way that doesn’t interfere with attempts to promptly supervise or reconstruct the NBFC’s activities in India.

When it comes to the off-shore outsourcing of financial services related to Indian operations, the NBFCs shall additionally make sure that:

  • The relevant off-shore regulator will not block the agreement or object to RBI inspection visits or visits by the NBFCs’ internal and external auditors.
  • The liquidation of either the offshore custodian or the Indian NBFC won’t affect management’s or the RBI’s access to records.
  • The regulatory authority of the off-shore location does not have access to the data relevant to the Indian operations of the NBFCs simply because the processing is being done there.
  • The courts in the off-shore location where the data is kept do not have jurisdiction over the NBFC’s operations in India merely because the data is processed there, even though the actual transactions are still carried out in India.
  • All original records are still kept in India.


The NBFC’s Board and senior management are in charge of setting up an effective structure for monitoring and managing outsourced activities as well as carrying out their specific tasks and obligations. The NBFC is required to conduct adequate due diligence on the service provider, taking into account their background, financial stability, internal control, standing, security, and business continuity management. Strong grievance redressal procedures must be in place for services rendered by the outsourced agency.

FAQs

  1. What is outsourcing in financial services?

    Outsourcing of financial services generally refers to the outsourcing of several financial and accounting tasks. Although they are an extension of your team, the external team offers scale, pricing, and experience that are challenging for most firms to employ internally.

  2. What are the risks of outsourcing financial services?

    1- Slower turnaround time
    2- Lack of business or topic knowledge
    3- Challenges related to language and culture
    4- Different time zones
    5- Lack of control

  3. What is the outsourcing policy of the NBFC?

    The term “outsourcing” refers to the NBFC using a third party (hereinafter known as the “Service Provider”) to carry out, on a continuing basis, tasks that it would typically carry out itself, either now or in the future. A limited-term contract is included in the term “continuing basis.”

  4. What is the policy on outsourcing?

    Outsourcing is a common company decision taken to cut expenses or concentrate on strengths. Because outsourcing entails giving up a sizable percentage of management control and decision-making to outside parties, it necessitates the creation of a strong policy framework to oversee the actions associated with the outsourced functions or work.

  5. What tasks does the NBFC contract out?

    Outsourcing of financial work, applications processing (loan origination, credit card), document processing, marketing and research, loan supervision, data processing, and back office-related operations are a few examples of financial services that can be outsourced.

  6. What are the RBI norms for outsourcing?

    For the purpose of regulating the market, the RBI has developed the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs.

  7. What is included in the risk assessment for outsourcing arrangements?

    The business model, ownership structure, financial status, scale, capacity, expertise, reputation, financial, human, and technological resources, IT controls, and security are just a few of the many elements that need to be considered when outsourcing material work.
