
outsourcing of payment & settlement related activities

The RBI circular dated 3rd August, 2021 lays down conditions for outsourcing of payment and settlement related activities by payment system operators (PSOs). Here’s the gist.

1. Introduction

1.1. This framework is applicable to non-bank PSOs insofar as it relates to their payment and / or settlement-related activities.

1.2. It seeks to put in place minimum standards to manage risks in outsourcing of payment and / or settlement-related activities (including other incidental activities like on-boarding customers, IT based services, etc.).

1.3. The framework is not applicable to activities other than those related to payment and / or settlement services, such as internal administration, housekeeping or similar functions.

1.4. For the purpose of this framework, ‘outsourcing’ is defined as use of a third party (i.e. service provider) to perform activities on a continuing basis that would normally be undertaken by the PSO itself, now or in the future. ‘Continuing basis’ would include agreements for a limited period.

1.5. The term ‘service provider’ includes, but is not limited to, vendors, payment gateways, agents, consultants and / or their representatives that are engaged in the activity of payment and / or settlement systems. It also includes sub-contractors (i.e., secondary service providers) to whom the primary service providers may further outsource whole or part of some activity related to payment and settlement system activities outsourced by the PSO.

1.6. This framework is applicable to a service provider, whether located in India or elsewhere.

1.7. The service provider, unless it is a group company of the PSO, shall not be owned or controlled by any director or officer of the PSO or their relatives; the terms – control, director, officer and relative – have the same meaning as assigned to them under the Companies Act, 2013.

1.8. Outsourcing process is associated with several risks; following is an illustrative list of such risks:

  1. Compliance Risk – Where privacy, customer / consumer and prudential laws are not adequately complied with by the service provider;
  2. Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence, individual PSO may lack control over the service provider;
  3. Contractual Risk – Where the PSO may not have the ability to enforce the contract;
  4. Country Risk – When political, social or legal climate creates added risk;
  5. Cyber Security risk – Where breach in IT systems may lead to potential loss of data, information, reputation, money, etc.;
  6. Exit Strategy Risk – When over-reliant on one firm, the PSO loses related skills internally, and it becomes difficult to bring the activity back in-house; and where the PSO has entered into contracts that make speedy exit prohibitively expensive;
  7. Legal Risk – Where the PSO is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as to private settlements due to acts of omission and commission by the service provider;
  8. Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and / or to provide remedies;
  9. Reputation Risk – Where the service provided is poor and customer interaction is inconsistent with the overall standard expected from the PSO; and
  10. Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the PSO.

1.9. It is essential that the PSO, which is outsourcing its activities, ensures the following:

  1. Exercises due diligence, puts in place sound and responsive risk management practices for effective oversight, and manages the risks arising from such outsourcing of activities.
  2. Outsourcing arrangements do not impede its effective supervision by RBI.

1.10. Outsourcing of activities by the PSOs shall not require prior approval from RBI.

2. Activities that shall not be outsourced

2.1. The PSOs shall not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms. However, while the internal audit function itself is a management process, the auditors for this purpose can be appointed by the PSO from its own employees or from outside on contract.

3. Criticality of outsourcing

3.1. The PSO shall carefully evaluate the need for outsourcing its critical processes and activities, as also the selection of service provider(s), based on a comprehensive risk assessment. Critical processes are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability and / or customer service.

4. PSO’s role and regulatory and supervisory requirements

4.1. Outsourcing of any activity by the PSO shall not reduce its obligations, and those of its board and senior management, who are ultimately responsible for the outsourced activity. The PSO shall, therefore, be liable for the actions of its service providers and shall retain ultimate control over the outsourced activity.

4.2. The PSO, while exercising due diligence in respect of outsourcing, shall consider all relevant laws, regulations, guidelines and conditions of authorisation / approval, licensing or registration.

4.3. Outsourcing arrangements shall not affect the rights of a customer of a payment system against the PSO, as well as those of a payment system participant against the PSO, including her / his ability to avail grievance redressal as applicable under the relevant laws. Responsibility of addressing the grievances of its customers shall rest with the PSO, including in respect of the services provided by the outsourced agency (i.e., service provider).

4.4. A PSO, which has outsourced its customer grievance redressal function, must also provide its customers the option of direct access to its nodal officials for raising and / or escalating complaints. Such access should be enabled through adequate phone numbers, e-mail ids, postal address, etc., details of which shall be displayed prominently on its website, mobile applications, advertisements, etc., and adequate awareness shall also be created about the availability of this recourse.

4.5. If the customer is required to have an interface with the service provider to avail products of the PSO, then the PSO shall state the same through the product literature / brochure, etc., and also indicate therein the role of such service provider.

4.6. A PSO must ensure that outsourcing does not impede or interfere with the ability of the PSO to effectively oversee and manage its activities; nor does it prevent RBI from carrying out its supervisory functions and objectives.

5. Outsourcing policy

5.1. To outsource any of its payment and settlement-related activities, the PSO shall have a board-approved comprehensive outsourcing policy, which incorporates, inter-alia, criteria for selection of such activities and service providers; parameters for grading the criticality of outsourcing; delegation of authority depending on risks and criticality; and, systems to monitor and review the operation of these activities.

6. Role of the board and responsibilities of the senior management

6.1. Role of the board

The board of the PSO, or a committee of the board to which powers have been delegated, shall be responsible, inter-alia, for the following:

  1. approving a framework to evaluate the risks and criticality of all existing and prospective outsourcing;
  2. approving policies that apply to outsourcing arrangements;
  3. mapping appropriate approval authorities for outsourcing depending on risks and criticality;
  4. setting up suitable administrative mechanism of senior management for the purpose of this framework;
  5. undertaking periodic review of outsourcing policy, strategies and arrangements for their continued relevance, safety and soundness;
  6. deciding on business activities to be outsourced and approving such arrangements; and
  7. complying with regulatory instructions.

6.2. Responsibilities of the senior management

The senior management shall be responsible for:

  1. evaluating the risks and criticality of all existing and prospective outsourcing, based on the framework approved by the board;
  2. developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
  3. reviewing periodically the effectiveness of policies and procedures, and for identifying new outsourcing risks as they arise;
  4. communicating, in a timely manner, to the board any information related to outsourcing risks;
  5. ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested periodically; and
  6. ensuring an independent review and audit for compliance with the set policies.

6.3. A central record of all outsourcing arrangements shall be maintained and it shall be readily accessible for review by the board and senior management of the PSO. The record shall be updated promptly, and half-yearly reviews shall be placed before the board or its senior management.

7. Evaluating capability of the service provider

7.1. While considering / renewing an outsourcing arrangement, the PSO shall include issues related to undue concentration of such arrangements with a service provider.

8. Outsourcing agreement

8.1. The terms and conditions governing the contract between the PSO and the service provider shall be carefully defined in written agreements and vetted by PSO’s legal counsel for their legal effect and enforceability. Every such agreement shall address the risks and the strategies for mitigating them. The agreement shall be sufficiently flexible to allow the PSO to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e. whether agent, principal or otherwise. Some of the key provisions of the agreement should incorporate the following:

  1. defining activity to be outsourced, including appropriate service and performance standards;
  2. having access by the PSO to all books, records and information relevant to the outsourced activity, available with the service provider;
  3. providing for continuous monitoring and assessment by the PSO of the service provider, so that any necessary corrective measure can be taken immediately;
  4. including termination clause and minimum period to execute such provision, if deemed necessary;
  5. ensuring controls are in place for maintaining confidentiality of customer data and incorporating service provider’s liability in case of breach of security and leakage of such information related to customers;
  6. incorporating contingency plan(s) to ensure business continuity;
  7. requiring prior approval / consent of the PSO for use of sub-contractors by the service provider for all or part of an outsourced activity;
  8. retaining PSO’s right to conduct audit of the service provider, whether by its internal or external auditors, or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made about the service provider in conjunction with the services performed for the PSO;
  9. adding clauses to allow RBI or person(s) authorised by it to access the PSO’s documents, record of transactions and other necessary information given to, stored or processed by the service provider, within a reasonable time;
  10. keeping clauses to recognise the right of RBI to cause an inspection to be made of a service provider of a PSO and the books of accounts, by one or more of its officers or employees or other persons;
  11. requiring clauses relating to a clear obligation on any service provider to comply with directions given by RBI insofar as they involve activities of the PSO;
  12. maintaining confidentiality of customer’s information even after the agreement expires or gets terminated; and
  13. preserving documents and data by the service provider in accordance with legal / regulatory obligations of the PSO, and the PSO’s interests in this regard shall be protected even after termination of the services.

9. Confidentiality and security

9.1. Public confidence and customer trust in the PSO is a prerequisite for its stability and reputation. PSO shall ensure the security and confidentiality of customer information in the custody or possession of the service provider.

9.2. Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to areas where the information is required to perform the outsourced function.

9.3. The service provider shall be able to isolate and clearly identify the PSO’s customer information, documents, records and assets to protect their confidentiality. Where the service provider acts as an outsourcing agent for multiple PSOs, there should be strong safeguards (including encryption of customer data) to avoid co-mingling of information, documents, records and assets of different PSOs.

9.4. The PSO shall regularly review and monitor the security practices and control processes of the service provider and require the service provider to disclose security breaches.

9.5. The PSO shall immediately notify RBI about any breach of security and leakage of confidential information related to customers. In such eventualities, the PSO would be liable to its customers for any damage.

9.6. The PSO shall ensure that the extant instructions related to storage of payment system data shall be strictly adhered to by service provider, domestic or off-shore.

10. Responsibilities of Direct Sales Agents (DSAs) / Direct Marketing Agents (DMAs)

10.1. The PSOs shall ensure that the DSAs / DMAs are properly trained to handle their responsibilities with care and sensitivity, particularly for aspects such as soliciting customers, hours of calling, privacy of customer information, conveying the correct terms and conditions of the products on offer, etc.

10.2. The PSOs shall put in place a board-approved code of conduct for DSAs / DMAs and obtain their undertaking to abide by the same.

11. Business continuity and management of disaster recovery plan

11.1. Service provider shall develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures arising out of any outsourced activity. The PSO shall ensure that the service provider periodically tests the business continuity and recovery plans, and shall also consider conducting occasional joint exercises for testing of business continuity and recovery procedures with its service provider.

11.2. To mitigate risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the PSO shall retain adequate control over its outsourcing and shall have the right to intervene with appropriate measures to continue its business operations and its services to the customers in such cases without incurring prohibitive expenses or any break in its operations and services to the customers.

11.3. As part of contingency plan, the PSO shall consider the availability of alternative service provider(s), as well as the possibility of bringing the outsourced activity back in-house in an emergency and assess the cost, time and resources that would be involved.

11.4. The PSO’s information, documents and records, and other assets shall be isolable by the service provider. This is to ensure that in appropriate situations, all documents, record of transactions and information given to the service provider, and assets of the PSO, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

12. Monitoring and control of outsourced activities

12.1. The PSO shall put in place a management structure to monitor and control its outsourcing activities. It shall ensure that outsourcing agreement with the service provider contains provisions to address monitoring and control by it of the outsourced activities.

12.2. Regular audit by either the internal or external auditors of the PSO shall be conducted to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangements and the PSO’s compliance with its risk management framework.

12.3. The PSO shall, at least on an annual basis, review the financial and operational conditions of the service provider to assess its ability to fulfil its outsourcing obligations. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.

12.4. In the event of termination of the outsourcing agreement for any reason, in cases where the service provider deals with the customers, the PSO shall give due publicity to the termination and inform its customers, so as to ensure that they stop dealing with the concerned service provider.

12.5. Certain cases, like outsourcing of cash management, may involve reconciliation of transactions between the PSO, the service provider and its sub-contractors, if any. In such cases, the PSO shall ensure that this reconciliation process is carried out in a timely manner.

12.6. A robust system of internal audit of all outsourced activities shall be put in place and monitored by the board of the PSO.

13. Outsourcing within a group / conglomerate

13.1. The PSO could have back office and service arrangements / agreements with group entities; for instance, sharing of premises, legal and other professional services, hardware and software applications, centralised back office functions, outsourcing certain payment and settlement services to other group entities, etc. Such arrangements with group entities shall be based on the PSO’s board-approved policy and service level arrangements / agreements with its group entities. The agreements shall cover demarcation of shared resources like premises, personnel, etc. Wherever there are multiple group entities involved or any cross-selling is observed, the customers shall be informed about the actual company / entity offering the product / service.

13.2. The PSO shall ensure that such arrangements:

  1. are appropriately documented in written agreements with details like scope of services, charges for services and maintaining confidentiality of customer’s data;
  2. do not cause any confusion among customers as to whose products / services they are availing, by clear physical demarcation of the site of activities of different group entities;
  3. do not compromise ability of the PSO to identify and manage risks on a standalone basis; and
  4. do not prevent RBI from being able to obtain information required for supervision of the PSO or pertaining to the group as a whole.

13.3. The PSO shall ensure that its ability to carry out operations in a sound fashion is not affected if premises or other services (such as IT systems and support staff) provided by the group entities become unavailable.

13.4. If sharing of premises is done with the group entities for cross-selling, the PSO shall take measures to ensure that the entity’s identification is distinctly visible and clear to the customers. Any communication by group entities (marketing brochure, verbal communication by staff / agent, etc.) in the PSO’s premises shall mention nature of arrangement of the entities with the PSO, so that customers are clear about the seller of the product.

13.5. The PSO’s advertisement or any agreement shall not give any overt or tacit impression that it is in any way responsible for the obligations of its group entities.

13.6. The risk management practices to be adopted by the PSO while outsourcing to a related party (i.e. party within the group / conglomerate) shall be identical to those specified above in this framework for a non-related party.

14. Additional requirements for off-shore outsourcing

14.1. The engagement of a service provider in a foreign country exposes the PSO to country risk. To manage such country risk, the PSO shall closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.

14.2. The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of the PSO in a timely manner.

14.3. As regards off-shore outsourcing of its services relating to Indian operations, the PSO shall ensure the following:

  1. The off-shore regulator regulating the off-shore service provider shall neither obstruct the arrangement nor object to RBI’s visit(s) for audit / scrutiny / examination / inspection / assessment or visit(s) by PSO’s internal and external auditors;
  2. The regulatory authority of the off-shore location does not have access to the data relating to Indian operations of the PSO simply on the ground that the processing is being undertaken there (not applicable if off-shore processing is done in the home country of the PSO); and
  3. The jurisdiction of the courts in the off-shore location where data is processed, does not extend to the operations of the PSO in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India.

15. Members / Participants of payment systems operated by the PSOs

15.1. In some payment systems operated by the PSOs, there could be other members / participants also. Some of these entities such as token requestors in tokenisation services rendered by card networks, third party application providers in Unified Payments Interface (UPI), etc., may not be directly regulated or supervised by RBI. Many of these entities may provide payment services directly to customers as well. It is prudent for such entities to put in place a system to manage risks arising out of activities outsourced by them.

15.2. As a best practice, the PSOs may engage with all participants in a payment transaction chain to encourage them to implement this framework in letter and spirit.


outsourcing of financial services

RBI has laid down guidelines for outsourcing of financial services / activities by co-operative banks vide its circular dated 28th June, 2021. Co-operative banks have been asked to conduct an assessment of their present outsourcing activities and bring them in line with these guidelines. The salient features of the guidelines are:

Guidelines on Managing Risks in Outsourcing of Financial services by Co-operative Banks

Introduction

1.1 ‘Outsourcing’ is defined as use of a third party to perform activities on a continuing basis that would normally be undertaken by a co-operative bank itself, now or in the future. ‘Continuing basis’ would include agreements for a limited period.

1.2 These guidelines are intended to provide direction and guidance to co-operative banks to adopt sound and responsive risk management practices for effective oversight, due diligence and management of risks arising from outsourcing activities.

1.3 The underlying principles behind these guidelines are that the co-operative bank should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI, nor impede effective supervision by Reserve Bank of India (RBI) / National Bank for Agriculture and Rural Development (NABARD). Co-operative banks, therefore, have to take steps to ensure that the service provider employs the same high standard of care in performing the services as would be employed by them, if the activities were conducted by the banks and not outsourced. Accordingly, co-operative banks should not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened.

1.4 These guidelines are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues as also activities not related to financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc. Co-operative banks which desire to outsource would not require prior approval from RBI / NABARD. However, such arrangements would be subject to on-site / off-site monitoring and inspection/scrutiny by RBI / NABARD.

2. Activities that shall not be outsourced

Co-operative banks which choose to outsource financial services, however, shall not outsource core management functions including policy formulation, internal audit and compliance, compliance with KYC norms, credit sanction and management of investment portfolio. However, where required, experts, including former employees, could be hired on a contractual basis subject to the Audit Committee of Board/Board being assured that such expertise does not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.

3. Material Outsourcing

During inspections / scrutinies, RBI / NABARD will review the implementation of these guidelines to assess the quality of related risk management systems, particularly in respect of material outsourcing. Material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation or profitability of co-operative banks. Materiality of outsourcing would be based on:

  1. The level of importance to the co-operative bank of the activity being outsourced as well as the significance of the risk posed by the same;
  2. The potential impact of the outsourcing by the co-operative bank on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
  3. The likely impact on the co-operative bank’s reputation and brand value, and ability to achieve its business objectives, strategies and plans, should the service provider fail to perform the service;
  4. The cost of the outsourcing as a proportion of total operating costs of the co-operative bank;
  5. The aggregate exposure to that particular service provider, in cases where the co-operative bank outsources various functions to the same service provider;
  6. The significance of activities outsourced in context of customer service and protection.

4. Co-operative bank’s role

4.1 The outsourcing of any activity by a co-operative bank does not diminish its obligations, and those of its Board and CEO along with the Management, who have the ultimate responsibility for the outsourced activity. Co-operative banks shall, therefore, be responsible for the actions of their service provider including actions of the Business Correspondents and their retail outlets / sub-agents and the confidentiality of information pertaining to the customers that is available with the service provider. The bank shall retain ultimate control of the outsourced activity.

4.2 The co-operative banks shall consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration when performing its due diligence in relation to outsourcing.

4.3 The grievance redressal mechanism of co-operative banks should not be compromised on account of outsourcing. Outsourcing arrangements shall not affect the rights of a customer against the co-operative bank, including the ability of the customers to redress their grievances as applicable under relevant laws.

4.4 Outsourcing shall not impede or interfere with the ability of a co-operative bank to effectively oversee and manage its activities nor should it impede RBI / NABARD in carrying out its supervisory functions and objectives.

4.5 The service provider should not be owned or controlled by any director or officer/employee of the co-operative bank or their relatives having the same meaning as assigned under the Companies Act, 2013 and the Rules framed thereunder from time to time.

5. Risk Management practices for outsourcing

5.1 Outsourcing Policy

A co-operative bank intending to outsource any of its financial activities shall put in place a comprehensive outsourcing policy, approved by its Board, which incorporates, inter alia, criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria indicated in para 3, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities.

5.2 Role of the Board of Directors (Board) and CEO along with the Senior Management

5.2.1 The Board and the CEO, along with the Senior Management, shall be ultimately responsible for outsourcing operations and for managing risks inherent in such outsourcing relationships. The Board and the CEO, along with the Management, shall have the responsibility to institute an effective governance mechanism and risk management process for all outsourced operations.

The Board shall be responsible, inter alia, for:

  1. Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
  2. Laying down appropriate approval authorities for outsourcing depending on risks and materiality;
  3. Undertaking regular review of the framework for its efficacy and updating the same to ensure that the outsourcing strategies and arrangements have continued relevance, effectiveness, safety and soundness;
  4. Deciding on business activities of a material nature to be outsourced and approving such arrangements;
  5. Assessing management competencies to develop sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements; and
  6. Setting up suitable administrative framework of management for the purpose of these guidelines.

5.2.2 Chief Executive Officer (CEO) and Senior Management of the bank shall be responsible for:

  1. Evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;
  2. Developing and implementing sound and prudent procedures commensurate with the nature, scope and complexity of the outsourcing;
  3. Reviewing periodically the effectiveness of policies and procedures;
  4. Communicating information pertaining to material outsourcing risks to the Board in a timely manner;
  5. Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
  6. Ensuring that there is independent review and audit for compliance with set policies; and
  7. Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks.

5.3 Evaluation of the Risks

The indicative key risks in outsourcing that need to be evaluated by the co-operative banks are:

  1. Strategic Risk – The service provider may conduct business on its own behalf, which is inconsistent with the overall strategic goals of the bank.
  2. Reputation Risk – Poor service from the service provider, its customer interaction not being consistent with the overall standards of the bank, or failure in preservation and protection of confidential customer information.
  3. Compliance Risk – Privacy, consumer and prudential laws not adequately complied with.
  4. Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/or provide remedies.
  5. Legal Risk – Includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
  6. Exit Strategy Risk – This could arise from over-reliance on one firm, the loss of relevant skills in the bank itself preventing it from bringing the activity back in-house and where the bank has entered into contracts wherein speedy exits would be prohibitively expensive.
  7. Counterparty Risk – Due to inappropriate underwriting or credit assessments.
  8. Contractual Risk – Arising from whether or not the bank has the ability to enforce the contract.
  9. Country Risk – Due to political, social or legal climate creating added risk.
  10. Concentration and Systemic Risk – Due to lack of control of individual banks over a service provider, more so when overall banking industry has considerable exposure to one service provider.

5.4 Evaluating the Capability of the Service Provider

5.4.1 In considering or renewing an outsourcing arrangement, co-operative banks shall undertake appropriate due diligence to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence should take into consideration qualitative, quantitative, financial, operational and reputational factors. Co-operative banks shall consider whether the service providers’ systems are compatible with their own and also whether their standards of performance including in the area of customer service are acceptable to it. Co-operative banks shall also consider, while evaluating the capability of the service provider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Where possible, co-operative banks may obtain independent reviews and market feedback on the service provider to supplement their own findings.

5.4.2 Due diligence should involve an evaluation of all available information about the service provider, including but not limited to the following:

  1. Past experience, competence to implement and support the proposed activity over the contracted period;
  2. Financial soundness and ability to service commitments even under adverse conditions;
  3. Business reputation, culture, compliance, complaints and outstanding or potential litigation;
  4. Security, internal controls, audit coverage, reporting, monitoring and business continuity management;
  5. External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance;
  6. Ensuring due diligence by the service provider of its employees; and
  7. Ability to effectively service all the customers with confidentiality where a service provider has exposure to multiple banks.

5.5 The Outsourcing Agreement

The terms and conditions governing the contract between a co-operative bank and a service provider should be carefully defined in written agreements and vetted by the bank’s legal counsel on their legal effect and enforceability. Every such agreement should address the risks and risk mitigation strategies. The agreement should be sufficiently flexible to allow the bank to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement should also bring out the nature of the legal relationship between the parties, i.e., whether agent, principal or otherwise.

Some of the key provisions of the contract would be:

  1. The contract should clearly define the activities being outsourced including Service Level Agreements (SLAs) to agree and establish accountability for performance expectations. SLAs must clearly formalize the performance criteria to measure the quality and quantity of service levels.
  2. The co-operative bank shall ensure its ability to access all books, records and information relevant to the outsourced activity available with the service provider.
  3. The contract should provide for continuous monitoring and assessment of the service provider by the co-operative bank so that any necessary corrective measure can be initiated immediately.
  4. Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information shall be incorporated.
  5. A termination clause and notice period should be included.
  6. Contingency plans to ensure business continuity should be included.
  7. The contract should provide for the prior approval/consent of co-operative bank for use of subcontractors by the service provider for all or part of an outsourced activity. Before according the consent, co-operative banks should review the subcontracting arrangement and ensure that these arrangements are compliant with the extant guidelines on outsourcing.
  8. The contract should provide the co-operative banks with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the co-operative bank.
  9. Outsourcing agreement should include a clause to allow RBI/NABARD or persons authorised by it to access the co-operative bank’s documents, records of transactions, logs and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats.
  10. Outsourcing agreement should also include a clause to recognise the right of the RBI / NABARD to cause an inspection of a service provider of a co-operative bank and its books and accounts by one or more of its officers or employees or other authorised persons.
  11. The outsourcing agreement should also provide that confidentiality of customers’ information should be maintained even after the contract expires or gets terminated. Further, co-operative bank shall have necessary provisions to ensure that the service provider preserves documents as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

5.6 Confidentiality and Security

5.6.1 Public confidence and customer trust in co-operative bank is a prerequisite for the stability and reputation of the bank. Hence, the co-operative banks shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody of the service provider.

5.6.2 Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

5.6.3 The co-operative banks shall ensure that the service provider is able to isolate and clearly identify the co-operative bank’s customer information, documents, records and assets to protect the confidentiality of the information. In instances where the service provider acts as an outsourcing agent for multiple banks, care should be taken to build adequate safeguards so that there is no commingling of information, documents, records and assets.

5.6.4 The co-operative banks shall review and monitor the security practices and control processes of the service provider on a regular basis and require the service provider to disclose security breaches.

5.6.5 The co-operative banks shall immediately notify RBI / NABARD in the event of any breach of security and leakage of confidential customer related information. In these eventualities, the co-operative bank shall be liable to its customers for any damage.

5.7 Business Continuity and Management of Disaster Recovery Plan

5.7.1 Co-operative banks shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. Banks need to ensure that the service provider periodically tests the Business Continuity and Recovery Plan. Banks may also conduct joint testing and recovery exercises with their service provider at a mutually agreed frequency, but at least annually.

5.7.2 In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, co-operative banks shall retain an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the bank and its services to the customers.

5.7.3 In establishing a viable contingency plan, co-operative banks should consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

5.7.4 Co-operative banks shall ensure that, in adverse conditions and/or on termination of the contract, all documents, records of transactions and information given to the service provider, and assets of the bank, can be removed from the possession of the service provider in order to enable the bank to continue its business operations, or can be deleted, destroyed or rendered unusable.

5.8 Monitoring and Control of Outsourced Activities

5.8.1 The co-operative banks shall have in place a management structure to monitor and control their outsourcing activities. It shall also be ensured that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities.

5.8.2 A central record of all material outsourcing that is readily accessible for review by the Board and CEO along with the management of the co-operative bank shall be maintained. The records should be updated promptly and half yearly reviews should be placed before the Board.

5.8.3 Regular audits at least annually by either the internal auditors or external auditors of the bank should assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s compliance with its risk management framework and these guidelines.

5.8.4 Co-operative banks shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider, should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness. Co-operative banks shall also submit an Annual Compliance Certificate giving the particulars of outsourcing contracts, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken through the Board, to the Regional Offices of RBI / NABARD.

5.8.5 The termination of any outsourcing agreement, for any reason, where the service provider deals with customers, shall be publicised by displaying it at a prominent place in the branches and posting it on the bank’s website, so as to ensure that the customers do not continue to deal with the service provider.

5.8.6 Certain cases, like outsourcing of cash management, might involve reconciliation of transactions between the co-operative banks, the service provider and its sub-contractors. In such cases, banks should ensure that reconciliation of transactions between the bank and the service provider (and/or its subcontractor) is carried out as advised in the RBI guidelines on ‘Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019, as amended from time to time.

5.8.7 A robust system of internal audit of all outsourced activities shall be put in place and monitored at the Board level.

5.9 Redressal of Grievances related to Outsourced services

5.9.1 The co-operative banks shall give wide publicity to the Grievance Redressal Machinery within the bank and also by placing the information on their website. It should be clearly indicated that the co-operative banks’ Grievance Redressal Machinery will also deal with issues relating to services provided by the outsourced agencies. The name and contact number of the designated grievance redressal officer of the co-operative bank should be made known and widely publicised. The designated officer should ensure that genuine grievances of customers are redressed promptly.

5.9.2 The grievance redressal procedure of the co-operative bank and the time frame fixed for responding to the complaints shall be placed on the bank’s website.

5.10 Reporting of transactions to FIU or other competent authorities

Co-operative banks shall be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the banks’ customer related activities carried out by the service providers.

6 Centralised List of Outsourced Agents

If a service provider’s contract is terminated prematurely, prior to the completion of the contracted period of service, the Indian Banks’ Association (IBA) would have to be informed, with reasons for termination. IBA would maintain a caution list of such service providers for the entire banking industry, for sharing among banks.
