INTRODUCTION
Payment System Operators (PSOs) provide the platform and mechanism for outsourcing their payment and settlement-related activities.
The Reserve Bank of India (RBI), vide circular CO.DPSS.POLC.No.S-384/02.32.001/2021-2022 dated 03.08.2021 under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007), has issued a framework to regulate the outsourcing of payment and settlement-related activities by PSOs, in order to provide an effective mechanism to address the risks involved in outsourcing such activities.
As per the framework issued by RBI, every PSO is required to comply with the new framework designed by the RBI in light of the existing regulations by 31.03.2022.
APPLICABILITY OF FRAMEWORK
The said framework is applicable to non-banking PSOs who are involved in outsourcing payment and settlement-related activities.
The main objective of the framework is to create optimum and necessary regulations and mechanisms for regulating the outsourcing of payment and settlement-related activities by PSOs and service providers, including other incidental activities (like onboarding customers, IT-based services, etc.).
The framework shall be applicable to the PSOs irrespective of their location in India or offshore. According to the framework, the service provider shall not be owned by any director or officer of the PSO, or any of their relatives (except a Group Company), within the meaning provided under the Companies Act, 2013.
However, the framework is not applicable to the activities such as internal administration, housekeeping, or similar functions.
ASSOCIATED RISKS IN OUTSOURCING OF PAYMENT AND SETTLEMENT RELATED ACTIVITIES
1. Risk of Compliance – Lack of appropriate regulations to provide secured information and data of end-users can result in the risk of data privacy and consumer laws among the end-user and PSOs.
2. Concentration and Systemic Risk – Lack of control and exposure by the PSOs over the service provider.
3. Contractual Risk – PSOs may experience the absence of legal understanding and enforcement of contracts.
4. Country Risk – Political, social, and legal environment of a country is also a risk for PSOs.
5. Legal Risk – The PSOs may encounter fines and penalties due to omissions and failure of service providers to comply with the regulated norms and regulations.
6. Cyber Security Risk – The absence of a proper IT system may lead to the risk of hacking and loss of data, information, reputation, and money.
7. Exit Strategy Risk – Continuous reliance on a single entity for outsourcing activities may result in the loss of in-house skills among the PSOs. PSOs may also find a speedy exit prohibitively expensive.
8. Reputation Risk – There is a reputation risk for the PSOs due to poor and inconsistent customer interaction.
9. Operational Risk – Failure in technology, fraud, errors, and inadequate financial stability may result in the risk of operations in PSOs.
10. Strategic Risk – There is always a risk of differing strategic goals, as service providers approaching the businesses may have different strategies towards the outsourcing of activities than the PSOs.
ACTIVITIES RESTRICTED FOR PSOs FOR OUTSOURCING
The framework does not allow the PSOs to outsource the following activities:
- Management of payment system;
- Operations (netting, settlement, etc.);
- Transaction Management (reconciliation, reporting and item processing);
- Risk Management;
- Information Technology & Information security management, etc.;
- Internal Audit;
- Compliance;
- Decision Making.
PARAMETERS FOR OUTSOURCING
The PSOs shall ensure that outsourced activities are subject to appropriate due diligence, calculated risk, and careful selection of the activities that are required to be outsourced, in order to curtail the risk of loss of business operations, reputation, profitability, and/or customer service.
ROLE AND RESPONSIBILITIES OF THE PSOs
1. The PSOs shall be responsible for the actions of its service providers and merely outsourcing the activities by the PSO does not reduce the obligation of being responsible, accountable, and liable for the activities that are outsourced.
2. The PSOs shall execute their due diligence in light of respective and applicable laws, regulations, circulars, and notifications.
3. The outsourcing arrangements shall not affect the rights of the end-users for the grievances relating to the payment and other concerns against the PSOs.
4. Along with the grievance mechanism, the PSOs shall also provide the end-users direct access to nodal officers for grievances through various modes of communication such as telephone, emails, postal addresses, etc.
5. The PSOs shall make available all the required information such as product literature/ brochures to enable the interface between end-users and service providers.
RESPONSIBILITIES OF DIRECT SALES AGENTS (DSAS) / DIRECT MARKETING AGENTS (DMAS)
1. The PSOs shall ensure the appropriate training of Direct Sales Agents (DSAs)/ Direct Marketing Agents (DMAs) in order to adopt the responsibilities such as soliciting customers, hours of calling, the privacy of customer information, conveying the correct terms and conditions of the products on offer, etc.
2. PSOs shall also maintain a board-approved code for DSAs and DMAs and have them abide by it vide undertakings.
OUTSOURCING POLICIES
The framework mandates the formulation of a comprehensive outsourcing policy along with its approval from the board which shall be comprised of criteria for selection of activities to be outsourced, service providers, parameters for grading the criticality of outsourcing; delegation of authority subject to risks; criticality involved and a mechanism to monitor the activities.
RESPONSIBILITIES OF SENIOR MANAGEMENT
The board and senior management are accountable and responsible for the following:
1. Reviewing and approval of the framework, policies to evaluate the risk involved and its application to various outsourcing activities.
2. To set up a mechanism of suitable administration of senior management
3. Mechanism to review and of the policies outsourced and formulation of strategies for its smooth functioning
4. Quick and effective decision-making process of activities to be outsourced and complying with relevant and applicable laws and regulations.
5. Continuous evaluation of the risk and criticality involved in the activities outsourced, at present and in future as well.
6. Evaluation of policies and their correct execution and implementation in light of nature, scope, and complexity of the outsourcing activity;
7. Continuous communication about the risks involved in the policies and activities outsourced.
8. Proper formulation of contingency plans, based on a practical and realistic approach to meeting contingencies.
9. A central record of all the arrangements of outsourcing activities shall be maintained and it shall be easily made available and accessible for the board and senior management.
OUTSOURCING AGREEMENTS
- The PSOs are required to execute the outsourcing agreements with the service providers which should be reviewed and vetted by the PSOs.
- Each agreement with service providers shall mention the details of the activities along with the risk involved and the strategies to curtail the same.
- The Agreement shall consist of a suitable window of flexibility in order to retain control over the activities outsourced and to meet the legal and regulatory obligations.
- The framework also provides for the factors and parameters to design and execute the Agreement.
PRIVACY AND SECURITY
- The PSOs shall ensure the privacy and security of the data and information of the end-users.
- The data and information of the end-user shall not be provided to common people, including the staff of the PSOs. Staff access to the data and information of end-users shall be on a “Need to Know” basis.
- The service provider shall be equally responsible for maintaining a secured database for the data and information collected from the end-users.
- The service provider shall also have an appropriate system to avoid the mingling of information and documents of end-users where the service provider is associated with several PSOs.
- The PSO shall regularly or periodically monitor the security practices among its staff and also on the premises of the service provider, and shall ensure it receives regular information from the service provider in case of a lapse in security practices or a breach in the security of the service provider.
- The PSO shall immediately inform the RBI about any breach of security and leakage of the data and information of the end-users, at the PSO or at its service providers.
MANAGEMENT OF DISASTER RECOVERY MECHANISM
- The PSOs shall, along with their service providers, develop an appropriate and robust mechanism to test and scrutinize the continuation of the business by identifying the risk and evaluating the recovery plans and their strategies.
- The PSO shall have an appropriate mechanism to identify the possible risk arising from the outsourcing activities and the risk of unexpected termination of the outsourcing agreement without hampering the continuity of the business.
- The PSO shall also consider the alternative of service providers in order to avoid the disruption in outsourcing of activities and shall also consider working of outsourcing activities in-house, in order to curtail the cost and time.
- PSOs shall ensure that the documents, data, and information provided to the service provider shall be deleted and destroyed as and when required, in order to continue business operations.
MONITORING AND CONTROL OF OUTSOURCED ACTIVITIES
- The PSO shall ensure an effective mechanism to monitor and control outsourcing activities in PSOs and among service providers.
- PSOs shall conduct regular auditing processes by the internal and external auditors in order to identify the adequacy in the risk management and control practices and procedures for outsourcing activities.
- PSOs shall ensure an annual review of the financial and operational conditions of the service providers.
- In case of termination of the outsourcing agreement between PSO and Service providers, the PSOs shall intimate the end-users about the same in order to curtail the future deals of the end-users and service providers.
- The PSOs shall ensure the accurate reconciliation process of the cash flows between the PSOs and Service providers if any.
AMLEGALS REMARKS
The framework intends to provide a comprehensive approach for PSOs and service providers towards the formulation, regulation, and execution of the outsourcing activities.
The framework governs the overall understanding and provides the road map for the PSOs for their outsourcing activities in light of the benefit of end-users in terms of the data privacy and confidentiality of their data and information.
Thus, the framework provided by the RBI can act as a “Bible” for the PSOs and service providers to understand the lacunae in outsourcing activities and the strategies to fill those lacunae through mandatory audit, data privacy, and continuous monitoring of the PSOs and service providers.
However, the framework lacks a strategy and mechanism to build a structure for PSOs to carry out all the activities in-house themselves. The less the outsourcing of activities, the less would be the cost, procedural delay, and continuous monitoring of the service providers.
For any queries or feedback, feel free to get in touch with arushi.vyas@amlegals.com or siddharth.kakka@amlegals.com.