Cautious Approach to be taken by NBFCs while outsourcing activities ancillary to financial services

By Mayank Agarwal & Anita Baid, ( finserv@vinodkothari.com)

The Reserve Bank of India (RBI), on the 9^th of November, 2017 released a notification bringing out the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Non-Banking Financial Companies (NBFCs).[1] (“Directions”) These Directions are a much awaited outcome of the draft guidelines[2] which had been issued long back, in the year 2015. The Directions come in the wake of ever-increasing need to outsource ancillary activities such as applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities in order to provide the customers best possible services associated with the core business of the company. The Directions have been issued to ensure that there exists no possibility of discrepancy or fallibility that could affect the customer as well as the NBFC in an adverse manner.

Applicability

The Directions shall be applicable for all NBFCs including CICs, P2Ps, Account Aggregators and Standalone Primary Dealers. The directions shall apply to all ‘Material Outsourcing Agreements’ undertaken by these NBFCs. Before we delve into the criteria for determining the materiality, let us understand how ‘Outsourcing’ has been defined in the Directions. ‘Outsourcing’ has been defined as, “the NBFC’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future”. Further, Continuing Basis includes agreements that are valid for a limited period of time.

Material Outsourcing Agreements means those agreements upon which the business of the NBFC is highly dependent on. Para 3 of the Directions state the criteria for materiality of the outsourced activity, which are as follows:

• the level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by the same;
• the potential impact of the outsourcing on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
• the likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service;
• the cost of the outsourcing as a proportion of total operating costs of the NBFC;
• the aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider and
• the significance of activities outsourced in context of customer service and protection.

Based upon the aforementioned criteria the NBFC shall determine those outsourcing agreements that are material and accordingly comply with these Directions in respect of such agreements.

What is the immediate course of action for NBFCs?

The NBFCs are required to carry out a self-assessment of the existing outsourcing agreements and consequently ensure that these agreements are in line with the Directions within a period of 2 months from its date of issuance. A Board approved Outsourcing policy needs to be put in place specifying the various conditions that must be kept in mind while outsourcing.

More importantly, the outsourcing of activities by the NBFC would NOT require prior approval from RBI, however the Bank may conduct an inspection of such arrangements. The Board of Directors and the Senior Management shall bear the ultimate responsibility for the activities carried out by the service provider. Additionally, the NBFC retains ultimate control over the outsourced activity and is not freed of its obligations by outsourcing of the respective activity.

Activities prohibited from Outsourcing

NBFCs have been prohibited from outsourcing the following activities:

• Core management functions including:
• Internal Audit
• Strategic and Compliance functions
• Decision-making functions such as:
• determining compliance with KYC norms for opening deposit accounts
• according sanction for loans
• management of investment portfolio.

Further, outsourcing of services relating to credit cards shall be subject to the existing directions of RBI dealing with credit card operations.[3]

These restrictions ensure that the principal activity of the company is not shared with any third party and in no manner compromised. However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to certain compliances, which include a Board approved policy. The service level agreements with the group entities must distinctly mention the demarcation of sharing resources i.e. premises, personnel, etc. The risk associated with an NBFC must be adjudged on a stand-alone basis and must not be compromised in any case.

Why is there a need for these Directions?

These directions have come in the wake of the several types of risks associated with the outsourcing arrangements, which have been defined under para 5.3 as follows:

• Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the NBFC.
• Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the NBFC.
• Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.
• Operational Risk– Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.
• Legal Risk – Where the NBFC is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
• Exit Strategy Risk – Where the NBFC is over-reliant on one firm, the loss of relevant skills in the NBFC itself preventing it from bringing the activity back in-house and where NBFC has entered into contracts that make speedy exits prohibitively expensive.
• Counter party Risk – Where there is inappropriate underwriting or credit assessments.
• Contractual Risk – Where the NBFC may not have the ability to enforce the contract.
• Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the NBFC may lack control over the service provider.
• Country Risk – Due to the political, social or legal climate creating added risk.

Thus, outsourcing to a third party exposes both the NBFC as well as the customers to numerous risks which can lead to micro-level as well as macro-level breakdown. Hence, there is a need to carry out the outsourcing activities in a regulated manner to diminish the impact of these risks.

The Directions have been framed in a manner to assure safety to the operations of the NBFC and isolating it from any of the aforesaid risks.

Outsourcing Policy and Code of Conduct

An NBFC intending to outsource any of its financial activities shall put in place a comprehensive Board approved outsourcing policy which incorporates, inter alia:

• criteria for selection of such activities as well as service providers
• delegation of authority depending on risks and materiality
• systems to monitor and review the operations of these activities.

Additionally, NBFCs shall put in place a board approved Code of conduct for DSA/ DMA/ Recovery Agents and obtain their undertaking to abide by the code. NBFCs shall also constitute Grievance Redressal Machinery as contained in RBI’s circular on Grievance Redressal Mechanism.

The instant step for NBFCs is to ensure the drafting and implementation of the aforesaid policy within the prescribed timeline.

Role of Board and Senior Management

Some of the integral activities that the Board and the Senior Management have to execute involve maintaining secrecy of data and conducting regular diagnosis of such arrangements. A few important activities as specified in the directions are:

• Board approved Outsourcing Policy(including outsourcing within a group/ conglomerate, if applicable)
• Board approved Code of Conduct for DSA/DMAs/ Recovery Agents
• Board approved framework for evaluation of risks and materiality of all prospective and existing outsourcing arrangements
• Half-yearly review of the central record of material outsourcing by the Board (it can be delegated to the Risk Management Committee)
• Setting up a suitable administrative framework of senior management for the purpose of these directions
• Regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness by the Board
• Periodical review of effectiveness of policies and procedures
• Ensuring that there is independent review and audit for compliance with set policies.

The list of boxes to be ticked is very long and might actually distract the Board and Senior Management from carrying out the core management activities of to the company.

Regulatory supervision of outsourced activities

The tasks outsourced by the NBFC must be continually monitored and overseen. The NBFC must be at all times be aware of the quality of service that its customers are being provided by the service provider as they are nothing but a mere representation of the company itself. Keeping this in mind, a management structure must be set up in order to supervise and control the activities outsourced by the NBFC. In order to keep the data relating to outsourced activities up-to-date and ensure that the risks associated with the same has overtime not increased, regular audits, either by the internal audit or the external auditors, must be conducted. Yearly review of the financial and operational condition of the service provider must be carried out in order to assess its ability to continue to meet its outsourcing obligations. Finally, the audit committee must also conduct an ageing analysis of the transactions with outsourced vendors and must also monitor the robust system of internal auditors of all outsourced activities.

However, such keen supervision can be regarded as an additional compliance burden for the NBFC as well as the service provider.

Appointment and Role of Service Provider

The service provider may either be a member of the group/ conglomerate to which the NBFC belongs, or an unrelated party. The appointment of a service provider must be done after considering various facets which not only affect the reputation of the NBFC, but also has a systemic impact. Extensive due diligence must be carried out and the service provider must comply with the criteria mentioned in the outsourcing agreement as well. The process of due diligence must be comprehensive in nature and must consider the financial, qualitative, quantitative, operational and reputational status of the service provider. Para 5.4.2 of the directions lay out a brief list of conditions that must be considered at the time of appointment of a service provider, which are as follows:

1. past experience and competence to implement and support the proposed activity over the contracted period;
2. financial soundness and ability to service commitments even under adverse conditions;
3. business reputation and culture, compliance, complaints and outstanding or potential litigation;
4. security and internal control, audit coverage, reporting and monitoring environment, business continuity management and
5. ensuring due diligence by service provider of its employees.

The Service provider must ensure that it provides the same high standard of care in performing the services as is expected to be employed by the NBFCs itself. They must maintain a robust framework for documenting, maintaining and testing business continuity and recovery procedures and also isolate the NBFC’s information, documents and records, and other assets. Utmost care is to be taken with issues related to handling of public data, hence ensuring that the privacy of such data remains intact at all times and there is no scope of mishandling of the same. Most importantly, the service provider, more specifically the recovery agents, must make sure that they do not carry out any coercive activities in order to seek repayment.

The Directions levy numerous conditions on the operations of the service provider and the main focus of the Directions remain on the fact that the service provided by them satisfies the customer and is not sub-standard in nature.

Preservation of Data

With the increasing number of the masses flocking to NBFCs in order to carry out financial transactions, confidentiality of data and its security has taken the centre stage in the Directions, with the paramount activity of the NBFC being to ensure preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. It must ensure that the access to customer information by staff of the service provider should be on ‘need to know’ basis. Further, the company must ensure that no co-mingling of data or document takes place in cases where a single service provider serves various NBFCs. The NBFC are required to review and monitor the security practices and control processes of the service provider on a regular basis and report to RBI, immediately, in case of a breach of security or leakage of data.

Off-shore Outsourcing

A major leeway that has been granted under the Directions and which was prohibited in the draft guidelines is the removal of restriction on appointment of an offshore service provider. This significantly expands the alternatives available to the NBFC, thus also reducing Concentration Risk.  However, the Directions stress on the fact that the regulatory body of the offshore entity must not act as a hindrance in case the NBFC or the RBI wants to carry out an inspection of the service provider. The Directions further mandate that all original records must continue to be maintained in India itself and that the offshore regulatory body does not possess any data relating to Indian operations of the NBFC.

Conclusion- Compliance burden or freedom granted?

The Directions are a welcome change in the growing NBFC sector. Although the directions are very focused in nature and do impose several compliance requirements on both NBFCs as well as the service providers, they will also allow the NBFC to perform its core activities with more efficiency, thus aiding its growth. Eventually, the implementation of the Directions will determine whether they act as a resistance in the regular operations of the NBFC as well as the service provider and deter their productivity or on the contrary increase the productivity of the NBFCs. Nonetheless, the Directions come at a time when playing it safe is actually the safer option rather than granting freedom when it comes to NBFCs because of their burgeoning popularity in the Indian context.

[1]https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11160&Mode=0

[2]https://rbi.org.in/scripts/bs_viewcontent.aspx?Id=2993

[3]https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=2627&Mode=0