Draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services - ஆர்பிஐ - Reserve Bank of India
Draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services
Draft Master Direction for Comments All Commercial Banks (including Local Area Banks, Regional Rural Banks, Payments Banks, and Small Finance Banks) Master Direction - Reserve Bank of India Regulated Entities (REs) are increasingly using outsourcing as a means for reducing costs as well as for availing specialist expertise not available internally. Outsourcing of a permissible activity is an operational decision of REs, but it exposes them to various risks which need to be managed. The directions on managing these risks have been incorporated in the enclosed Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023. 2. These Directions have been prepared by incorporating, updating and where required, harmonizing the extant directions/guidelines/instructions to enable REs to have all current instructions on outsourcing of financial services at one place for reference. 3. These Directions are being issued in exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, Section 45L of the Reserve Bank of India Act, 1934, Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions/laws enabling the Reserve Bank of India in this regard. Yours faithfully, (Sunil T S Nair) Draft Master Direction - Reserve Bank of India In exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, Section 45L of the Reserve Bank of India Act, 1934, Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions/laws enabling the Reserve Bank of India in this regard, the Reserve Bank of India being satisfied that it is necessary and expedient in the public interest to do so, hereby, issues the Directions hereinafter specified. Chapter – I 1. Preliminary These Directions shall be called the Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023. 2. Applicability 2.1 These Directions shall be applicable to the following entities, unless specifically mentioned otherwise:
2.2 These Directions are concerned with managing risks and code of conduct in outsourcing of financial services. These Directions are not applicable to technology-related aspects and activities not related to banking/financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, etc. An Illustrative list of financial outsourcing arrangements to which these Directions are applicable is provided in Annex I. 2.3 These Directions shall apply mutatis mutandis to subcontracted activities, as well. 3. Purpose The underlying principle of these Directions is that the RE should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers nor impede effective supervision by the supervisory authority. REs desirous of outsourcing of financial services shall not require prior approval from the Reserve Bank of India (RBI). However, such arrangements shall be subject to on-site/ off- site monitoring and inspection/ scrutiny by the supervisory authority. 4. Definitions For the purpose of these Directions, the following definitions shall apply: 4.1 “Material outsourcing arrangement” means an outsourcing arrangement which– (i) in the event of failure of service or breach of security, has the potential to either materially impact an RE’s– (a) business operations, reputation, strategies, or profitability; or (b) ability to manage risk and comply with applicable laws and regulations, or (ii) in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on the RE’s customers. 4.2 “Outsourcing” refers to an RE’s use of a third party (either an affiliated entity within a group or an external entity) to perform activities that would normally be undertaken by the RE itself on a continuing basis, now or in the future. ‘Continuing basis’ would include agreements for a limited period. This means REs shall not enter into perpetual agreements1. 4.3 “Regulated Entities” (REs) refers to the entities mentioned in paragraph 2.1. 4.4 "Service provider" means the provider of financial services who may either be a member of the group to which the RE belongs, or an unrelated party. It also includes sub-contractors to whom the service providers may further outsource some activity. 4.5 “Supervisory Authority” means, (i) RBI in case of Commercial Banks (including LABs, PBs, SFBs, and UCBs), NBFCs, CICs, and AIFIs. (ii) NABARD in case of StCBs, CCBs, and RRBs. (iii) NHB in case of HFCs. All other words or expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or The Credit Information Companies (Regulation) Act, 2005 or Companies Act 2013 and rules/regulations made thereunder. Chapter-II 5. REs shall not outsource core management functions including policy formulation, decision-making functions like determining compliance with KYC norms, according sanction for loans [i.e. an RE shall take a final call on extending credit to any particular customer irrespective of whether a service provider is involved or not in the process. Further, if the RE follows a template structure for sanctioning loans through a service provider as per a pre-decided criterion (that is approved by the Board of the RE), the RE should demonstrate to the supervisor that the lending call/ decision to lend was solely taken by the RE and the role of the service provider is only that of a facilitator], management of investment portfolio, compliance function, and internal audit function2. Chapter-III 6. Materiality of outsourcing would be based on the following criteria, which should be considered on a gross basis, i.e., prior to application of any risk mitigants or controls:
7. The criteria as mentioned in paragraph 6, however, shall not preclude other outsourcing activities as determined by the RE from being classified as material outsourcing. Chapter-IV 8. The supervisory authority, during the course of Inspection, shall review the implementation of these Directions, including an assessment of the quality of related risk management systems, particularly in respect of material outsourcing. 9. The regulatory and supervisory requirements and role of REs inter alia include the following: (i) The REs shall consider all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, when performing its due diligence in relation to outsourcing. (ii) The outsourcing of any activity by an RE does not diminish its obligations, as also that of its Board / Senior Management, who have the ultimate responsibility for the outsourced activity. REs shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would be employed by the REs, if the activities were conducted by the REs and not outsourced. Accordingly, REs shall not engage in outsourcing of any activity that would result in their internal control, business conduct or reputation being compromised or weakened. (iii) REs shall establish an inventory of services provided by the service providers (including key entities involved in their supply chains) to map their dependency on third parties and periodically evaluate the information they receive from the service providers. (iv) REs shall be responsible not only for the actions of their service provider but also of their sub-agents engaged in the context of outsourced activity. They shall also be responsible for the confidentiality of customer information available with the service provider and retain ultimate control of the outsourced activity. (v) REs shall ensure that the service provider shall neither impede/interfere with the ability of the RE to effectively oversee and manage its activities nor impede the supervisory authority in carrying out the supervisory functions and objectives. (vi) REs shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the RE, or their relatives. The terms control, director, key managerial personnel, and relative have the same meaning as assigned under respective Directions issued for the REs. However, an exception to this requirement may be made with the approval of Board or a Committee of the Board, followed by appropriate disclosure. (vii) REs shall have a robust grievance redressal mechanism, which in no way shall be compromised on account of outsourcing i.e. responsibility for redressal of customers’ grievances related to outsourced services shall rest with the RE. (viii) Outsourcing arrangements shall not affect the rights of a customer against the RE, including the ability of the customer to obtain redressal as applicable under relevant laws. As, in the process of dealing with the REs, the customers are required to deal with the service providers, REs shall incorporate a clause in the product literature /brochures etc., stating that they may use the services of agents in sales/marketing, etc. of the products. The role of agents may also be indicated in broad terms. Chapter-V 10. Outsourcing Policy The RE intending to outsource any of its financial activities shall put in place a comprehensive Board approved outsourcing policy. The policy shall incorporate, inter alia, criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria as indicated in Chapter-III, delegation of authority depending on risk and materiality, and systems to monitor and review the operations of these activities. 11. Role of the Board of Directors (Board) and Senior Management 11.1 The Board and Senior Management shall be ultimately responsible for managing risks inherent in outsourcing arrangements. They shall have the responsibility to put in place an effective governance mechanism and risk management process for all outsourced activities. 11.2 The Board or a Committee of the Board of the RE to which powers have been delegated shall be responsible, inter alia, for:
11.3 Senior Management of the RE shall be responsible for:
12. Evaluation of the Risks Some of the key risks in outsourcing that need to be evaluated by the REs are: - (i) Compliance Risk- Privacy, confidentiality and statutory laws/prudential regulations not adequately complied with by the service provider. (ii) Concentration and Systemic Risk- Due to lack of control of individual REs over a service provider, more so when overall banking/financial services industry has considerable exposure to one service provider. (iii) Contractual Risk – Arising from whether or not the RE has the ability to enforce the contract. (iv) Counterparty Risk- Arising due to non-adherence by the service providers to the performance requirements (e.g.: submission of incorrect data on borrowers’ income level may lead to inappropriate underwriting or credit assessments by the RE). (v) Country Risk- Due to economic, political, social or legal climate thereby creating added risks when the service provider is a foreign based entity, or the outsourcing happens in a foreign country. (vi) Exit Strategy Risk- Could arise from over-reliance on one firm, the loss of relevant skills in the RE itself preventing it from bringing the activity back in-house and where the RE has entered into contracts wherein speedy exits would be prohibitively expensive or disruptive. (vii) Legal Risk- Includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to commissions and omissions of the service provider. (viii) Operational Risk – Arising due to technology failure, error, fraud, inadequate processes, and lack of financial capacity to fulfil obligations and/or provide remedies. (ix) Reputation Risk- Poor service from the service provider, and its customer interaction not being consistent with the overall standards of the RE, or failure in preservation and protection of confidential customer information. (x) Strategic Risk – Conduct of business by the service provider in a manner inconsistent with the overall strategic goals of the RE. 13. Evaluating the Capability of the Service Provider 13.1 In considering or renewing an outsourcing arrangement, REs shall undertake appropriate due diligence to assess the capability of the service provider to comply with obligations in the outsourcing agreement. REs shall consider whether the systems of service providers are compatible with their own and also whether their standards of performance including in the area of customer service are acceptable. REs shall also consider, while evaluating the capability of the service provider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Where possible, REs shall obtain independent reviews and market feedback on the service provider to supplement their own findings. 13.2 While carrying out due diligence, REs shall take into consideration financial, operational, qualitative, quantitative, and reputational factors. Due diligence shall involve an evaluation of all available information about the service provider, including but not limited to the following: -
14. The Outsourcing Agreement 14.1 The terms and conditions governing the contract between the RE and service provider shall be carefully defined in written agreements and vetted by the RE’s legal counsel for their legal effect and enforceability. The agreement should address the risks and also cover the risk mitigation strategies. It shall be sufficiently flexible to allow the RE to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. It shall also bring out clearly the nature of legal relationship between the parties, i.e., whether principal, agent, or otherwise. 14.2 Some of the key provisions to be covered in the agreement are given below. It should:
Provided that the above shall be subject to RBI instructions on storage of data including:
15. Confidentiality and Security 15.1 Public confidence and customer trust in REs is a prerequisite for their stability and reputation. Hence, the REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. 15.2 Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function. 15.3 Sharing of data by the RE with the service provider shall be through secure channels. Both sharing and storage3 of data with the service provider shall be in an encrypted manner. The RE shall also ensure that there is a structured process in place for secured removal/ disposal/ destruction of data by the service provider. 15.4 In instances where service provider acts as an outsourcing agent for multiple REs, care shall be taken to build adequate safeguards so that there is no comingling of assets, documents, information and records. 15.5 The REs shall review and monitor the control processes and security practices of the service provider on a regular basis and require the service provider to report security breaches to them. 15.6 The REs shall immediately notify the supervisory authority in the event of any breach of security and leakage of confidential customer related information. In these eventualities, the RE shall be liable to its customers for any damage. 16. Responsibilities of Direct Sales Agents (DSA)/ Direct Marketing Agents (DMA)/ Recovery Agents (applicable to commercial banks, cooperative banks4 and NBFCs) 16.1 REs shall put in place a Board approved code of conduct for DSA/ DMA/ Recovery Agents and obtain their undertaking to abide by the code. They shall ensure that the DSA/ DMA/ Recovery Agents are properly trained to handle their responsibilities with care and sensitivity, particularly aspects such as soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer, etc. The RE and their Recovery Agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude upon the privacy of the debtors'/their guarantors’ family members, referees and friends, sending inappropriate messages either on mobile or through social media, making threatening and anonymous calls, persistently5 calling the borrower/guarantor, making false and misleading representations, etc. Further, the REs and their Recovery Agents are barred from calling the borrower/guarantor before 8:00 a.m. and after 7:00 p.m.6 for recovery of overdue loans. 17. Business Continuity and Management of Disaster Recovery Plan 17.1 The RE shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity and Recovery procedures. The RE shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan. Further, in case of material outsourcing, the RE shall also conduct occasional joint testing and recovery exercises with its service provider, at least annually. 17.2 In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the RE shall retain an appropriate level of control over its outsourcing and the right to intervene with appropriate measures to continue its business operations without any break in the operations and its services to the customers. 17.3 In establishing a viable contingency plan, REs shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved. 17.4 Outsourcing often leads to the sharing of facilities operated by the service provider. The RE shall ensure that service providers are able to isolate the RE's information, documents and records, and other assets. This is to ensure that in adverse conditions and/ or termination of the contract, all documents, record of transactions and information with the service provider, and assets of the RE, can be removed from the possession of the service provider or deleted, destroyed, or rendered unusable in order to continue its business operations. 18. Monitoring and Control of Outsourced Activities 18.1 The RE shall have in place a management structure to monitor and control its outsourcing activities. 18.2 A central record of all material outsourcing shall be maintained. The records shall be updated promptly and half yearly reviews placed before the Board or its Committee. 18.3 Reports on the monitoring and control activities shall be reviewed periodically by the Senior Management and, in case of any adverse development, the same shall be put up to the Board or its Committee for information. 18.4 The RE shall perform comprehensive pre- and post- implementation review of new outsourcing arrangements or when amendments are made to the outsourcing arrangements. 18.5 Regular audits at least annually by either the internal or external auditors of the RE shall assess the adequacy of the risk management practices adopted in managing and overseeing the outsourcing arrangement, the RE's compliance with its risk management framework and the requirements of these Directions. A report of these audits shall be placed before the Board or ACB of the RE. 18.6 REs shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality and security, and business continuity preparedness. 18.7 REs shall also submit an Annual Compliance Certificate giving the particulars of outsourcing contracts, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken through the Board, to their respective supervisory authorities. 18.8 The event of termination of any outsourcing agreement, on account of the below-mentioned reasons (indicative in nature), where the service provider deals with customers, shall be publicised by publishing in the leading local newspaper with sufficient circulation in the locality, displaying at a prominent place in the branches, and posting it on the RE’s website so as to ensure that the customers do not continue to deal with the service provider,
18.9 REs shall immediately notify the supervisory authority in the event of any significant problems that have the potential to materially affect the outsourcing arrangement and, as a consequence, materially affect the business operations, profitability, reputation or strategies of the RE. 18.10 Certain cases, like outsourcing of cash management, might involve reconciliation of transactions between the RE, the service provider and its sub-contractors. In such cases, REs shall ensure that reconciliation of transactions between the RE and the service provider (and/ or its sub-contractor), are carried out as advised in RBI guidelines on ‘Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019 as amended from time to time and other such instructions issued by the regulator/ supervisory authority. 18.11 Incentive compensation review: REs shall also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including a review of whether existing governance and controls are adequate in light of risks arising from incentive compensation arrangements. As the service provider may, in certain instances of outsourcing, represent the RE by selling products or services on its behalf, the RE should consider whether the incentives provided might encourage the service provider to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the RE. An example of an inappropriate incentive would be one where variable fees or commissions encourage the service provider to direct customers to products of the RE with higher profit margins without due consideration to suitability of such products for the customer. 19. Redressal of Grievances related to Outsourced Services 19.1 REs shall constitute Grievance Redressal Machinery as contained in
19.2 The REs shall give wide publicity to their Grievance Redressal mechanism by displaying it at a prominent place in their branches and also by placing the information on their website. It shall be clearly indicated that REs' Grievance Redressal mechanism will also deal with the issues relating to services provided by the outsourced agencies. The name and contact details (Telephone/ Mobile nos. as also email address) of designated grievance redressal officer, escalation matrix and principal nodal officer (wherever applicable) of the RE shall be made known and widely publicised. The said designated officer shall ensure that grievances of customers are redressed promptly. 19.3 The grievance redressal procedure of the RE and the time frame fixed for responding to the complaints shall be placed on the RE's website. If a complainant does not get any reply from the RE within 30 days after the RE received the complaint or is not satisfied with the reply of the RE, she will have the following options for redressal of her grievance/s:
20. Reporting of transactions to FIU or other competent authorities REs shall be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the REs' customer related activities carried out by the service providers. 21. Reporting to the supervisory authority REs shall report all material financial outsourcing arrangements (including arrangements involving extensive data sharing across geographic locations as part of process outsourcing and when data pertaining to Indian operations are processed abroad) to the supervisory authority on a quarterly basis. Reporting format shall be prescribed separately. 22. Centralised List of Outsourced Agents If a service provider’s contract is terminated prematurely prior to the completion of the contracted period of service, on account of the reasons mentioned below (indicative in nature), Indian Banks' Association (IBA)/respective RBI-recognised Self-Regulatory Organizations (SROs) would have to be informed of the reasons for termination,
IBA/respective RBI-recognised SROs would be maintaining a caution list of such service providers for sharing among themselves and the respective member REs. Chapter-VI 23. In a group structure, REs may have back-office and service arrangements/ agreements with group entities e.g. sharing of premises, legal and other professional services, hardware and software applications, centralized back-office functions, outsourcing certain financial services to other group entities, etc. However, REs at all times shall maintain an arm's length relationship in such dealings (including sharing of data and servers7). Before entering into such arrangements with group entities, REs shall have a Board approved policy in this regard as well as service level agreements/ arrangements with their group entities, which shall also cover demarcation of shared resources such as premises, IT hardware including servers, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or where there is any kind of cross selling of product/services. 24. While entering into such arrangements, REs shall ensure the following:
25. REs shall ensure that their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable. 26. If the premises of the RE are shared with the group entities for the purpose of cross-selling, the REs shall take measures to ensure that the entity's identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in the RE’s premises shall mention nature of arrangement of the entity with the RE so that the customers are clear on the seller of the product. 27. REs shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities. 28. The risk management practices to be adopted by the RE while outsourcing to a related party (i.e. party within the Group) shall be identical to those specified in Chapter V of these Directions. Chapter-VII 29. The engagement of service providers in a foreign country exposes the RE to country risk, may adversely affect the RE and could prevent the service provider from carrying out the terms of its agreement with the RE. To manage the country risk involved in such outsourcing activities, the RE shall establish sound procedures for dealing with country risk problems, take into account and closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified. 30. The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise the RE in a timely manner. 31. The outsourcing related to overseas operations of REs shall be governed by both, these guidelines and the host country guidelines. Where there are differences, the more stringent of the two would prevail. However, where there is any conflict, the host country guidelines would prevail. 32. As regards the off-shore outsourcing of financial services relating to Indian Operations, REs shall additionally ensure that
Chapter-VIII 33. With the issue of final Directions, the directions/guidelines/instructions contained in the following circulars, issued by RBI stand repealed.
Examples of financial outsourcing arrangements 1. The following is an indicative list of some services that, when performed by a third party, would be regarded as financial outsourcing arrangements for the purposes of these Directions:
2. The following arrangements would generally not be considered financial outsourcing arrangements for the purpose of these Directions:
1 REs shall be given sufficient time (say 3 – 6 months) to bring their existing outsourcing agreements in compliance with the final Master Direction on the matter subsequently. 2 However, where required, experts including former employees can be hired on a contractual basis subject to the Audit Committee of the Board (ACB)/Board being assured that such expertise does not exist within the audit function of the RE. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function. 3 For outsourcing arrangements entered by REs with a Lending Service Provider (LSP)/ Digital Lending App (DLA), refer to para 11 on ‘Storage of data’ of ‘Guidelines on Digital Lending’ issued vide circular DOR.CRE.REC.66/21.07.001/2022-23 dated September 02, 2022. 4 Co-operative banks are not permitted to appoint DSA/DMA for raising deposits in terms of para 27 of Master Direction - Reserve Bank of India (Co-operative Banks - Interest Rate on Deposits) Directions, 2016, dated May 12, 2016, as amended from time to time. 5 For example- calling repeatedly 6 Not applicable to microfinance loans covered under ‘Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans) Directions, 2022’, dated March 14, 2022. 7 Please refer to ‘Master Direction on Outsourcing of Information Technology Services’ issued vide circular ref. DoS.CO.CSITEG/SEC.1/31.01.015/2023-24 dated April 10, 2023. |