The Reserve Bank of India (RBI) has come out with a framework to put in place minimum standards to manage risks in outsourcing of payment and settlement-related activities by non-bank payment system providers (PSOs), which they have to comply with by March 31, 2022.
The central bank has said the PSOs must have board-approved policies for outsourcing such activities. The board of the PSOs also has to undertake periodic reviews of outsourcing policy, strategies, and arrangements for their continued relevance, safety, and soundness.
In a circular issued on Tuesday, the RBI said, “The PSOs shall not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms”.
Further, while considering or renewing an outsourcing arrangement, the PSO should forge an agreement that allows it the flexibility to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations.
The agreement should also give the PSOs access to all books, records, and information relevant to the outsourced activity that are available with the service provider, as well as the right to conduct an audit of the service provider. It should further contain clauses that allow the RBI to call for an inspection of the service provider’s accounts.
The RBI has said that by outsourcing any activity to a third-party service provider, a PSO cannot wash its hands of the obligations of the outsourced activity. “The PSO shall, therefore, be liable for the actions of its service providers and shall retain ultimate control over the outsourced activity”, the RBI said.
“Outsourcing arrangements shall not affect the rights of a customer of a payment system against the PSO, as well as those of a payment system participant against the PSO, including her/his ability to avail grievance redressal as applicable under the relevant laws”, the RBI said.
The central bank, emphasizing the importance of security and confidentiality of customer information, said the PSO has to immediately notify the RBI about any breach of security and leakage of confidential information related to customers. “In such eventualities, the PSO would be liable to its customers for any damage”, the RBI has said.
Also, the third-party service provider to which the PSOs have outsourced payment and settlement activities has to be able to isolate and clearly identify the PSO's customer information, documents, records, and assets to protect their confidentiality. “Where the service provider acts as an outsourcing agent for multiple PSOs, there should be strong safeguards (including encryption of customer data) to avoid co-mingling of information, documents, records, and assets of different PSOs,” the RBI said.