Draft framework for Financial Services Outsourcing

Elevating Risk Management and Regulatory Compliance

– Team Finserv | finserv@vinodkothari.com

Introduction

Financial institutions are increasingly turning to outsourcing for cost efficiency and achievement of strategic objectives. The need and economics of outsourcing are quite clear as there is increasing specialisation in several functions in the lending journey, particularly cloud-sourcing, use of shared technology, software and applications, etc. However, this reliance on third-party providers introduces challenges and risks like data protection, security, operational resilience, service continuity, and shifting of risks and compliance responsibilities to unregulated entities, raising concerns about maintaining control, risk management, and regulatory compliance. This necessitates regulatory guidelines for regulated institutions, especially when service providers have concentrated functions or engage in regulated activities.

The concerns about outsourcing by financial entities have been a part of regulatory attention for years. In 2005, the Basel Committee framed General Principles on Outsourcing, and it was indicated in 2023 that these principles will be superseded by new outsourcing principles. The European Banking Authority also has comprehensive guidelines on outsourcing. IOSCO has also set principles on outsourcing by entities coming within its regulatory domain.

Currently, RBI has different guidelines for outsourcing by different financial institutions. In this article, the author examines the RBI’s recently released Draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services (“Proposed Master Direction”/“Draft Master Directions”), intended to repeal the existing guidelines and cover all financial institutions under its gamut, focusing particularly on the major changes that these Proposed Directions bring with them.

What is the meaning of outsourcing? 

First of all, outsourcing refers to the functions which, in normal course, are expected to be undertaken by the financial services entity itself, and which form a part of its ordinary business. This is the major line of distinction between procurement or professional services and outsourcing. For example, property management services, security services, legal services, audit services, etc. are commonly provided by third party agencies. Managing its properties cannot be said to be the business of a financial services firm – hence, engaging a property manager is not a case of outsourcing. Same goes for legal, audit, consulting, valuation and other professional services.

Outsourcing is defined by the Basel 2005 document as “a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future”. [Emphasis added]. The IOSCO Consultation Paper defines outsourcing as “a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, services or activities (collectively, “tasks”) that would, or could in principle, otherwise be undertaken by the regulated entity itself. This may also be referred to as onshoring, offshoring, near-shoring or right-shoring, depending on the organisational context and the relationship with affiliates and service providers.”

Applicability on entities

The Proposed Master Directions is a comprehensive guideline applicable to:

  • All commercial banks, including RRBs (which were earlier excluded),
    • Local Area Banks (“LABs”), 
    • Payment Banks (“PBs”), 
    • Small Finance Banks (“SFBs”), 
  • All India Financial Institutions (“AIFIs”), 
  • NBFCs and HFCs, 
  • Credit Information Companies and 
  • Cooperative Banks. 

The scope has been expanded to include all financial outsourcing arrangements entered into by the aforesaid entities, whether material or non-material, as well as subcontracted outsourcing arrangements. However, they do not extend to technology-related outsourcing or activities unrelated to banking/financial services.

It is important to note that the existing outsourcing guidelines for banks and NBFCs, respectively, are applicable only in case of material outsourcing transactions. Henceforth, a single comprehensive set of guidelines shall be applicable to the aforesaid regulated entities for all outsourcing transactions.

What constitutes financial services outsourcing arrangement?

The existing outsourcing guidelines provided certain examples of financial services outsourcing, while the Proposed Master Directions prescribes a clear list in Annex 1, listing down what constitutes financial services arrangement and non-financial service arrangements. Upon analysis of the activities as listed in Annex 1 it can be inferred that any function facilitating the RE’s financial or banking activities, delegated to a third-party service provider (internal or external), shall be considered an outsourcing of financial services. 

Based on the list provided under Annex 1, an illustrative list of permitted and non-permitted arrangements can be derived:

Functions which cannot be outsourced

The Proposed Master Directions reaffirm existing rules and highlight that core management functions like decision-making and ensuring compliance with KYC norms cannot be outsourced. They also clarify that policy formulation and internal audit must be handled internally, but external experts can assist with internal audits. Additionally, when it comes to decision-making for credit sanctioning, the regulated entity is ultimately responsible for sanctioning loans, and for template-based decisions, criteria must be approved by the board. Notably, the Proposed Master Directions remove the option of outsourcing these activities within a group, suggesting that these functions cannot be outsourced even within the same group.

Understanding the Terminology:

  • Outsourcing: 

The proposed definition of outsourcing aligns with that provided in the extant banking guidelines and the Basel guidelines on outsourcing of financial services. The meaning intends to include continuing agreements but not perpetual agreements. Regulated entities shall be provided 3-6 months to bring such existing perpetual agreements, if any, in alignment with the provisions of the Proposed Master Directions, once notified.

In this regard, perpetual agreements would refer to such arrangements that do not have any specific expiry period or termination clause.

  • Service Provider: 

The definition has been a new insertion and includes subcontractors, both within the group and unrelated third parties.

  • Supervisory Authorities:

The Proposed Master Directions, being a single comprehensive set of guidelines for different regulated financial institutions, specify supervisory authorities for each of them, which are as follows:

  • Reserve Bank of India: Commercial Banks (including LABs, PBs, SFBs, and UCBs), NBFCs, CICs, and AIFIs.
  • NABARD: StCBs, CCBs, and RRBs.
  • NHB: HFCs.

Classification as Material Outsourcing Arrangement 

The existing guidelines categorise financial outsourcing arrangements into two groups: material and non-material arrangements. The extant guidelines only apply to material financial outsourcing arrangements. Material arrangements are defined as those that, if disrupted, could significantly affect a company’s business operations, reputation, profitability, or customer service. In this regard, each regulated entity was required to implement a methodology for classification of any outsourcing transaction as material. The various parameters to be considered were specified in the regulations, however, the qualitative/quantitative thresholds were entity specific.

However, the Proposed Master Directions introduce a more detailed definition of “material outsourcing arrangement.” 

“4.1 “Material outsourcing arrangement” means an outsourcing arrangement which–

(i) in the event of failure of service or breach of security, has the potential to either materially impact an RE’s–

(a) business operations, reputation, strategies, or profitability; or

(b) ability to manage risk and comply with applicable laws and regulations,

or

(ii) in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on the RE’s customers.”

The proposed changes have broadened the classification of material outsourced activities by considering breaches or data loss related to customer information in financial outsourcing arrangements as material, taking into account the potential impact on the entity’s customers.

Approach for classification of Material Outsourcing Arrangement:

The classification of outsourcing arrangements into material or non-material is vital for the REs, upholding their control and responsibility, safeguarding the interests of customers and borrowers. It facilitates proportionate and appropriate risk management measures, especially in higher-risk material outsourcing agreements. 

While determining whether an outsourcing arrangement qualifies as a material outsourcing arrangement, both the existing guidelines as well as the Proposed Master Directions provide certain deciding factors. The Proposed Master Directions further clarify that assessment for classification of the outsourcing arrangement shall be done without considering any risk mitigation measures or controls, i.e., on a gross basis.

In addition to the factors already in place, the Proposed Master Directions introduce two new factors for classifying an arrangement as material outsourcing:

  • The level of difficulty, including the time required, to find an alternative service provider or bring the business activity in-house.
  • The potential impact on the entity’s counterparties and the broader financial market in case the service provider fails to deliver the service.

This means that the opportunity costs (both qualitatively and quantitatively) of finding an alternative service provider and the impact of failure/termination of RE’s outsourcing arrangement on the financial market must be considered. Additionally, any arrangement that, in the opinion of the RE, holds significant importance for the entity can be classified as material, even if it doesn’t fit the specific factors mentioned in the guidelines. 

Determination of Material Outsourcing Arrangements:

Classification of an outsourcing arrangement as material includes the following steps:

  1. Outsourcing Policy: The Board approved Outsourcing Policy should include guidelines for the selection of activities and service providers, and the parameters for defining material outsourcing based on criteria outlined in Chapter-III, and the significance of the outsourcing arrangement on the business of the RE.
  2. Decision-Making: The Proposed Master Directions empower senior management to determine which business activities are material, using parameters as laid down in Board approved policy. 
  3. Outsourcing Agreement: Once an arrangement is classified as material, the outsourcing agreement should incorporate specific key provisions as outlined in Para 24 of the Master Directions and also discussed below.
  4. Compliance Requirements: Material outsourcing arrangements mandate adherence to additional compliance requirements as laid down in the next section.
  5. Quarterly Reporting: It is mandatory to submit quarterly reports on material outsourcing arrangements to the supervisory authority.

Compliance Obligations for Material Outsourcing Arrangements

Specific risk management measures for material arrangements include:

  1. The regulated entity must maintain a centralised record of all material outsourcing agreements.
  2. In material outsourcing arrangements, the outsourcing agreement must specify service locations and data processing regions, and should outline procedures for notifying the RE if the service provider changes its location.
  3. Material outsourcing arrangements mandate periodic joint testing and recovery exercises between the regulated entity and its service provider, at least annually.
  4. The RE shall be required to report the material outsourcing arrangements to the Supervisory Authority on a quarterly basis, in the format as may be specified.
  5. The Supervisory Authority shall review, during inspections, the effective implementation and robust risk management systems, particularly in case of material outsourcing arrangements.

Outsourcing in group entities 

The provisions in respect of outsourcing within the group entities remain unaltered. The Proposed Master Directions stress the need for REs to maintain an arm’s length relationship with their group companies and manage any conflicts of interest. Accordingly, while selecting a group entity for outsourcing, objective reasons must be provided, demonstrating the maintenance of an arm’s length relationship. 

The Proposed Master Directions introduce additional restrictions in respect of outsourcing arrangements involving service providers outside the group companies. These include the prohibition of such service providers being owned or controlled by the Key Management Personnel (KMP) or any person in the Regulated Entity (RE) who has approved the outsourcing arrangement. However, an exception is allowed if the arrangement is approved by the Board, with appropriate disclosures being made.

Compliances involved in case of outsourcing:

A. Evaluating the capability of the Service provider

The Proposed Master Directions provide further guidance on assessing the capability of the service provider by introducing additional factors for evaluation, such as external factors like the economic and legal environment in the service provider’s jurisdiction, ability to maintain client confidentiality, disaster recovery plans, historical performance, reliance on subcontractors, and the adequacy of insurance coverage.

B. Monitoring and Control of Outsourced Arrangements 

  1. The Proposed Master Directions introduce additional measures for overseeing outsourcing arrangements in companies. Senior management of the RE shall now be required to periodically review outsourcing arrangements and present any adverse observations to the Board for note, as opposed to all reviewed observations previously.
  2. The mandate for conducting regular internal and external audits remains unchanged, with a clear timeline that these should be conducted at least annually to assess risk management practices. Further, reports of such audits are to be presented before the Board or the Audit Committee.
  3. REs are now mandated to submit the Annual Compliance Certificate to the respective Supervisory Authorities, including the following details: compliance with the directions, particulars of outsourcing arrangements entered into, audit frequency, major findings, and actions taken by the company and the Board in respect of such findings.
  4. The Proposed Master Directions clarify the mode of information dissemination to customers regarding the termination of outsourcing arrangements, including publishing in local newspapers having wide circulation, posting on the website, and displaying prominently at the company’s branch, to protect customer interests.
  5. The Proposed Master Directions introduce an incentive compensation review requirement for REs. They must assess incentive compensation in service provider contracts, considering the potential risks associated with such arrangements, and ensuring that appropriate incentives are provided to prevent the taking of imprudent risks by the service providers. Inappropriate incentives could lead to reputational damage or increased legal risks.

C. Outsourcing Agreements

The Draft Master Directions propose additional provisions in outsourcing agreements. These additions include clauses to strengthen the regulatory compliance, risk management, and oversight in the outsourcing arrangements such as:

  • Requiring prior approval from the RE for use of subcontractors by the service provider in any outsourced activity, subject to review of compliance with these directions.
  • Imposing an obligation on service providers to adhere to supervisory authority instructions in relation to the RE’s activities.
  • Including termination clauses with a defined execution period.
  • Specifying the types of material adverse events necessitating immediate reporting by the service provider for risk mitigation.
  • Defining events of default, indemnities, resolution procedures, remedies, and parties’ recourse in the agreement.

D. Confidentiality and Security

The Proposed Master Directions mandate the RE to share data with service providers exclusively through secure channels, ensuring that data storage and sharing are carried out in an encrypted manner. Furthermore, service providers are required to adhere to a structured process for the removal, disposal, or destruction of data, thereby reinforcing data protection measures.

E. Responsibilities of the DSA and DMA 

The provisions relating to appointing DSAs and DMAs apply to commercial banks, NBFCs, and co-operative banks. However, it shall be noted that co-operative banks are prohibited from appointing DSAs and DMAs for deposit raising under their governing directions. The Directions prohibit intimidation and harassment during recovery practices, including inappropriate messages, threats, false representations, or persistent calls (which includes repeated calling). Furthermore, recovery agents cannot contact borrowers/guarantors before 8:00 a.m. or after 7:00 p.m., except for microfinance loans, which follow their own regulations for recovery practices.

F. Business Continuity and Management of Disaster Recovery Plan

Under the Proposed Master Directions REs must ensure their service providers have a strong business continuity and disaster recovery plan. For material outsourcing, both parties are mandated to conduct periodic joint testing and recovery exercises, with a stipulated annual frequency as per the newly introduced draft master directions.

G. Grievance Redressal Mechanism

REs must prominently display details of their Grievance Redressal mechanism in branches and on their website. The details of designated grievance redressal officers, escalation matrix, and principal nodal officers must be widely publicised for prompt customer grievance resolution. REs must publish their timeline for resolution of customer complaints on their website. If a complaint remains unresolved or unsatisfactory for 30 days, complainants should be provided additional alternative redressal options as introduced by the draft master directions:

  1. Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI in case of RBI supervised REs to which RBI’s Integrated Ombudsman Scheme, 2021 does not apply, or 
  2. Grievance Redressal mechanism of the respective supervisory authority in case of REs supervised by an authority other than RBI.

Conclusion:

To summarise, a comprehensive and inclusive risk management framework has been developed in case of outsourcing by REs including banks, NBFCs, ARCs, and credit information companies. This framework aligns with various supervisory authorities such as RBI, NHB, etc. The RBI has harmonised the Proposed Master Directions with existing outsourcing guidelines for financial services, in line with Basel regulations and international risk management standards.

The proposed regulations introduce several compliance obligations. Moreover, they classify outsourcing arrangements into material and non-material categories to ensure proportional risk management. This approach recognizes that regulated entities may increase outsourcing for cost-saving and strategic goals, while emphasising the need for these entities to maintain control over outsourced functions. This safeguards against the collapse of service providers causing systemic risks for the regulated entity. Additionally, the regulations mandate that the supervisory authority oversees both regulated and unregulated service providers.


1 reply
  1. Lakshmi Narasimhan says:

    I am not sure whether the guidelines provide separate dispensation for foreign banks, in a clearer manner, as many of them have dependencies on their parent or regional entities (called offshoring or centralisation of functions with their group entities). The guidelines can make it clear as to what extent the foreign banks can centralise or offshore with their group entities. Preferably, it should provide a negative list (if any) of activities which cannot be offshored and necessarily have to be onshore. Maybe something like AML/CFT related activities. It should also preferably restrict offshoring to countries which are not acceptable.
