The Reserve Bank of India ("RBI") recently (on August 03, 2021) issued Circular CO.DPSS.POLC.No.S-384/02.32.001/2021-2022 ("Outsourcing Circular") with the aim of creating a framework to govern the outsourcing of payment and settlement related activities by Payment System Operators ("PSOs"). The Outsourcing Circular applies to all PSOs, including Prepaid Payment Instrument (PPI) issuers, and prescribes certain essential standards and requirements for any payment and settlement related outsourcing arrangement of a PSO.
Summary and Analysis
Background and Intent
The RBI first announced the issuance of such a framework in its Statement on Developmental and Regulatory Policies dated February 05, 2021, and has since clarified that the intent of the framework is to manage the cybersecurity and other risks arising out of outsourcing arrangements. This framework is broadly aligned with similar instructions previously issued by the RBI to banks and NBFCs.
Timelines for Compliance
The Outsourcing Circular requires PSOs to ensure that their respective outsourcing arrangements (new and existing arrangements) comply with the RBI's framework by March 31, 2022. This essentially requires PSOs to revisit their existing outsourcing contracts, including intra-group arrangements, and bring them in line with the Outsourcing Circular by the end of the current financial year.
The Outsourcing Circular covers all outsourcing arrangements of PSOs that deal with payment or settlement related functions. The RBI has explicitly included any arrangements pertaining to customer on-boarding and IT based services within the scope of this circular but has excluded matters such as internal administration and housekeeping. This inclusion of "IT based services" is notable, since the RBI's outsourcing instructions to banks and NBFCs specifically carve out and exclude "technology related issues" from their scope.
The Outsourcing Circular also clarifies that this framework applies to Indian and foreign "service providers", and that such entities may include vendors, payment gateways, agents, consultants, and/or their representatives.
The Outsourcing Circular prohibits PSOs from outsourcing certain "Core Management Functions". As per the Outsourcing Circular, this includes:
- management of payment system operations (netting, settlement, etc.);
- transaction management (reconciliation, reporting and item processing);
- according sanction to merchants for acquiring;
- managing customer data;
- risk management; and
- information technology & information security management.
PSOs are also prohibited from outsourcing compliance and decision making functions, including determining compliance with KYC norms. These restrictions are largely in line with regulations presently applicable to Banks and NBFCs. This requirement also implies that a licensed PSO would need some "substance" in the form of employees, management, and other capabilities in order to operate. As a result, it may not be permissible for a PSO to operate as a "shell entity" by purely relying on intra-group outsourcing and secondment arrangements to run its operations.
Outsourcing of Customer Grievance Redressal
The Outsourcing Circular permits a PSO to outsource customer grievance redressal functions. However, in such a scenario, the PSO must provide customers the option of directly accessing the PSO's nodal officials to raise/escalate complaints. Such access should be enabled through multiple modes.
The Outsourcing Circular repeatedly emphasizes that an outsourcing arrangement would not reduce the obligations or accountability of the PSO towards the RBI, payment system participants or customers. While not unexpected, this clarification may require PSOs to evaluate their existing outsourcing arrangements more closely, particularly where the PSO has outsourced customer-facing functions or responsibilities. More direct and specific indemnity provisions may need to be incorporated into existing outsourcing contracts as a result.
Outsourcing Policy and Records
Each PSO is required to implement a board-approved and comprehensive outsourcing policy. This policy must be framed in accordance with the principles set forth in the Outsourcing Circular. A PSO is also required to maintain a central record of all outsourcing arrangements entered into by it. These records must be updated promptly and placed before the board of directors or senior management bi-annually for review.
The Outsourcing Circular contains a non-exhaustive list of essential requirements and provisions for in-scope outsourcing agreements. PSOs would need to examine their existing agreements and execute addendums/amendments to ensure that these agreements incorporate the 13 items/issues identified by the RBI:
1. Scope and nature of activities being outsourced;
Monitoring and Supervision by PSO
2. PSO's access to the service provider's books, records and activities relevant to the outsourced activities;
3. PSO's monitoring and step-in rights over the activities of the service provider;
4. A sub-contracting clause, which requires the service provider to obtain the consent of the PSO to use sub-contractors;
5. PSO's ability to conduct an audit on the service provider using internal or external auditors or agents;
Monitoring and Supervision by RBI
6. Clauses recognizing the RBI's jurisdiction over the PSO, and ability of the RBI to access the PSO's documents, record of transactions and other necessary information given to, stored or processed by the service provider;
7. Clauses recognizing the right of RBI to inspect the service provider and its books of accounts;
8. Clauses obligating the service provider to comply with directions given by RBI relating to the outsourced activities;
Confidentiality and Data Security
9. Obligations of the service provider to maintain confidentiality vis-à-vis the PSO's data after termination of the outsourcing contract;
10. Controls to ensure confidentiality of customer data and indemnity provisions to pass on liability to a service provider upon instances of breach;
Termination and Post-Termination
11. A termination clause that describes the rights of each party to terminate the arrangement;
12. Contingency plans for business continuity;
13. Obligations of the service provider to preserve or maintain documents and data pertaining to the outsourced activities in accordance with the PSO's legal obligations.
Confidentiality and Data Storage
PSOs are required to ensure that their service providers adhere to the RBI's instructions on storage of payment system data. Essentially, this would mean that all data pertaining to domestic payment transactions would need to be stored exclusively in India.
The Outsourcing Circular requires PSOs to "regularly review and monitor the security practices and control processes of the service provider". However, no further guidance is provided on how a PSO is expected to undertake this obligation.
Monitoring and Control
The Outsourcing Circular requires PSOs to implement several measures to monitor and control their in-scope outsourcing activities. While most of these measures are fairly standard, PSOs are required to conduct an annual review of the financial and operational conditions of the service provider to assess capabilities. Therefore, PSOs may need to ensure that their agreements with service providers require these entities to submit financial reports and related documents to enable such review.
The Outsourcing Circular introduces certain additional compliances for intra-group outsourcing arrangements. While the principles applicable are largely the same as those applicable to third-party arrangements, the RBI has stressed that such arrangements should not result in confusion for the consumer. For instance, the RBI has clarified that when multiple group entities are involved in a consumer-facing arrangement, customers must be made aware of the actual company/entity offering the product/service. This requirement is particularly relevant to PSOs that are a part of groups or conglomerates that offer and cross-sell various regulated and unregulated products/offerings.
Notably, the Outsourcing Circular requires PSOs to ensure that their ability to carry out operations is not adversely affected if premises or other services (such as IT systems and support staff) provided by their group entities become unavailable. This requirement is noteworthy and may require PSOs to have a contingency plan to operate without support from their group companies.
PSOs that engage service providers outside India are now subject to certain enhanced obligations. Most notably, such a PSO would need to carry out due diligence on the country to which its operations are proposed to be outsourced. While not explicitly required as per the Outsourcing Circular, it may be advisable for such a PSO to obtain a formal legal opinion (or similar legal advice) from reputed advisors in every such jurisdiction before the commencement of a large outsourcing arrangement. We know that monetary and regulatory authorities of other jurisdictions (including Singapore and Hong Kong) require similar legal opinions from locally licensed banks and financial institutions who engage service providers in India. Such legal opinions would assist PSOs in demonstrating compliance with Para 14 of the Annex of the Outsourcing Circular.
Among other things, a PSO engaging a service provider outside India would need to ensure that:
- An offshore regulator that has jurisdiction over the service provider would not obstruct the RBI from carrying out inspections/audits;
- An offshore regulator would not have access to data relating to the PSO's Indian operations simply on the ground that the processing is being undertaken there; and
- The jurisdiction of offshore courts would not extend to the PSO in India merely because the outsourcing activities are carried on there.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.