Master Direction by RBI on Managing Risks and Code of Conduct in Outsourcing of Financial Services 2023
The Reserve Bank of India (RBI) has released a comprehensive draft master direction on managing risks and code of conduct in outsourcing of financial services for regulated entities (REs). This consolidates all existing guidelines into a single master direction applicable to commercial banks, urban cooperative banks, non-banking financial companies (NBFCs), housing finance companies (HFCs), all-India financial institutions and credit information companies regulated by RBI.
The master direction aims to ensure that outsourcing arrangements neither diminish the RE’s obligations towards customers nor impede effective regulatory supervision by RBI. It emphasizes adoption of sound governance practices and risk management frameworks by REs for all outsourced activities.
Scope and Applicability:
The directions cover outsourcing of financial services like loan processing, document management, cash management, IT services, marketing, etc. Non-financial activities like security, housekeeping, courier services, legal advice, etc. are excluded. The guidelines will also apply to sub-contracted activities. Core management functions like internal audit, compliance, decision-making and policy formulation cannot be outsourced. RBI approval is not required for outsourcing financial services, but RBI retains the right to access all details about outsourced activities during inspections.
Identification of Material Outsourcing:
Identification of material outsourcing arrangements will depend on factors like impact on revenue, operations, reputation, customer service and compliance in case of failure of the service provider. Materiality will also depend on concentration risk, difficulty in finding alternative service providers, and the business criticality of the outsourced activity.
Risk Management Framework:
REs need to implement a comprehensive risk management framework commensurate with the nature, scope and complexity of outsourcing activities. This includes evaluation of country risk, concentration risk, operational risk, reputation risk, exit strategy risk, counterparty risk, compliance risk, and strategic risk. Due diligence shall be undertaken to assess track record, financial soundness, governance and internal controls, audit coverage, security practices, insurance coverage, reliance on sub-contractors, and continuity arrangements of the service provider.
The outsourcing contract shall clearly define duties, performance standards, contingency plans, monitoring mechanisms, confidentiality obligations, dispute resolution process, right to audit, termination provisions, liability for defaults, etc. Sub-contracting shall require prior approval of the RE.
RBI Access to Records:
The agreement shall allow RBI or its authorized representatives access to all documents, records, logs and other information related to outsourced activities with the service provider.
Outsourcing to group entities shall be at arm’s length, based on objective assessment, and with adequate safeguards to protect customer information confidentiality. It should not hamper supervision by RBI, or cause confusion regarding service providers. Shared premises and resources must be clearly demarcated contractually.
REs shall manage country risk and ensure cooperation of offshore supervisors. Confidentiality clauses and governing laws shall be examined. Records relating to Indian operations shall not be accessible to offshore jurisdiction solely because they are processed there.
Customer Redressal Mechanism:
REs shall constitute a grievance redressal machinery for complaints related to outsourced services and publicize details regarding escalation matrix. Responsibility for redressal shall rest with the RE.
REs shall report all material outsourcing arrangements to RBI/supervisory authority and submit annual compliance certificate of audits. Immediate notification required for any breach of security and confidentiality, or service provider defaults.
REs shall be provided sufficient time to bring existing outsourcing agreements into compliance with the master direction.
In summary, the proposed master direction aims to streamline all existing guidelines on outsourcing based on feedback from regulated entities. It endeavors to strengthen governance, risk management and controls around outsourcing activities. Adoption of these guidelines is important for REs to ensure customer service and protection is not compromised while leveraging outsourcing arrangements.