Exploring Core Financial Services Solution for NBFCs
Applicability, Features, Modules & Challenges
– Subhojit Shome, Executive and Parth Ved, Executive | finserv@vinodkothari.com
Background
As a part of the overhaul for the NBFC Sector, the Reserve Bank of India (‘RBI’) had, on October 22, 2021, introduced the Scale Based Regulations (SBR): ‘A Revised Regulatory Framework for NBFCs’. Upon application of SBR, NBFCs will now be divided into four major categories starting from base layer, followed by middle and upper layers and a top layer. The categories can be briefly summarised through the below chart (visit https://vinodkothari.com/sbr/ to read our write-ups on SBR and related topics).
Through SBR, various governance guidelines have been newly introduced while the existing guidelines have been modified to keep up with the current market practices. One of the requirements is the introduction of Core Financial Services Solution (CFSS) for NBFCs vide RBI circular dated February 23, 2022 (‘CFSS Circular’).
In this article, we discuss the applicability of CFSS on NBFCs, explore the current core banking systems of banks, highlight the necessary modules which can be adopted by NBFCs along with the issues that may arise during implementation.
Applicability of CFSS
The table below summarises the applicability of CFSS for different layers of NBFCs along with the timeframe for its implementation:
Category of NBFC | No. of Fixed point service delivery units | Applicability | Timeframe for implementation |
---|---|---|---|
NBFC-Base Layer (NBFC-BL) | – | Not mandatory | No timeframe, however, they may consider the implementation of a CFSS for their own benefit. |
NBFC-Middle Layer (NBFC-ML) | Less than 10 | Not mandatory | No timeframe, however, they may consider the implementation of a CFSS for their own benefit. |
10 or more | Mandatory | On or before September 30, 2025 | |
NBFC-Upper Layer (NBFC-UL) | Less than 10 | Not mandatory | No timeframe, however, they may consider the implementation of a CFSS for their own benefit. |
10 or more | Mandatory | On or before September 30, 2025 (ensure that CFSS is implemented at least in 70% of ‘Fixed point service delivery units’ on or before September 30, 2024) |
Quarterly progress report
NBFCs will also be required to furnish a quarterly progress report on implementation of the CFSS, along with various milestones as approved by the Board / Committee of the Board. It shall be furnished to the Senior Supervisory Manager (SSM) Office of the RBI starting from quarter ending March 31, 2023.
Understanding CFSS & its features
The CFSS Circular broadly lists down the features that the CFSS is expected to have. It states that the CFSS shall be ‘akin to the Core Banking Solution (CBS) adopted by banks’. While the Circular is thin on the functional requirements, it does provide some key fundamental must-haves, as discussed below, that the CFSS should have.
- Digital front-end for products & offerings of the NBFC
Providing a digital customer interface to the customer will be a part of CFSS. The customer interface should be able to offer all the services that a customer may require. In case of NBFCs which are into lending activities, this will generally include checking loan eligibility, carrying out KYC, EMI payments, accessing e-statements, updating personal information, contacting customer care, locating nearest branches of the NBFC, etc. The intent is to provide a seamless customer interface in digital offerings and transactions relating to NBFC’s products and services.
- Anytime anywhere accessibility
Presently, many of the NBFCs operate through physical branches to interact with customers. This severely limits the accessibility of the customer. The digital customer interface, as a part of CFSS, is intended to be available and accessible 24*7 by the customer.
- Integration with systems
Another aspect of CFSS is the backend integration of CFSS with the different systems and functions of the NBFC. It should not happen that an NBFC is operating with systems completely independent of each other with no interlinking. Of course this also does not mean that the CFSS is expected to be a one-stop solution with every aspect of the NBFC’s functions integrated into it. An NBFC can still continue using its existing systems while implementing the CFSS modules. However, it should be ensured that the systems are able to pick-up required data independently without manual interaction. The purpose is to limit human intervention for smooth functioning be it through one single solution or multiple solutions integrated with each other.
- Centralised database
Since the CFSS is expected to be a dynamic solution with both front-end interface and backend integration and interlinked to other functions of the NBFCs, it will require appropriate database management systems to provide information to its users with the ability to collate, store and retrieve necessary client specific and other operational information. Hence, it is expected to have a centralised database including the accounting records. Further, the system should also be able to maintain logs of all the activity/ changes/modifications and should be auditable. The thrust behind the prescription of a “centralised database” is to ensure the integrity and consistency of the data presented to the users of the system rather than to specify the physical architecture of such a database.
- Reporting & MIS
This is again a requirement on the backend. Implementation of CFSS will only be successful if it is able to deliver information to its users be it the NBFC, its employees, customers, regulators, etc. The CFSS modules are expected to have the required reporting requirements as per the regulatory formats which will help in early identification of red flags and detection of frauds.
Is this a new concept for NBFCs?
While the concept of core banking solution has been around in India since the turn of the millennium, CFSS is substantially a new concept for NBFCs which envisages a marked change in terms of client experience, interactions, IT capabilities and general operations of NBFCs. Implementation and maintenance of CFSS in the applicable NBFCs will, of course, need to be in compliance with the RBI’s NBFC IT Framework Master Directions and KYC Master Directions. These Directions lay down several principle-based requirements for the IT framework of an NBFC and even infrastructural requirements for the KYC process; some of these requirements are summarised below:
Master Direction – Information Technology Framework for the NBFC Sector
While the IT Framework does not provide a prescription for the functional architecture of an NBFC’s IT system, it does lay down requirements regarding information (including cyber) security and information systems audit. NBFCs should be mindful of these requirements in their implementation of the CFSS.
With FinTech vendors providing substantial off-site cloud hosted solutions, the IT services outsourcing provisions of the IT Framework will also come into play.
Master Direction – Know Your Customer (KYC) Direction, 2016
The RBI prescribes, in its KYC Master Directions, detailed functional (and even infrastructural) requirements for regulated entities (RE) including NBFCs when it comes to KYC. NBFCs also need to run a wide variety of tests on their infrastructure (vulnerability assessment, penetration testing, security audit, etc.) and application software and relevant APIs / web services (functional, performance, maintenance strength) and get certified by RBI accredited agencies before going live.
Hence, although the CFSS as a whole is a new regulatory concept, there are existing technology guidelines that NBFCs need to pay heed to when applying this concept.
As stated earlier, banks have adopted ‘core banking solution’ for quite some time now. And since CFSS is expected to be ‘akin to CBS adopted by banks’, it is pertinent to explore and understand the CBS modules used by banks.
CBS modules for Commercial Banks
Based on a study of the CBS products provided by some of India’s leading technology providers (Infosys – Finacle, TCS – BaNCS) for banks and financial services we were able to identify, at a high level, the following functional modules and stacks:
It may be noted that NBFCs, as compared to banks, have specific products and offerings, and hence they may not be required to implement all the modules of a CBS adopted by banks.
CBS requirements for Urban Co-operative Banks
It would also be worthwhile to have a look at the CBS functional modules specified as the minimum common requirements for an urban co-operative bank (UCB) by the Institute for Development and Research in Banking Technology (IDRBT) (recommended as reference material by the RBI vide its circular dated August 16, 2017), given that CFSS functional modules will have a fair amount of commonality with them.
Minimum functional requirements:
The chart below lists down the ‘Common Minimum Functional Modules’ of UCB (modules unrelated to NBFC CFSS are greyed out):
Major features of CBS modules specified by IDRBT
- Single unique ID per customer per transaction: IDRBT’s requirement document envisages a single unique ID per Customer retrievable by all branches of the Bank and available for use by all functional modules. This effectively means KYC requirements are processed at a single point while the facility to update KYC will be at any of the bank’s branches. The document also stipulates assigning a unique ID for each individual transaction which can be recorded, tracked and audited.
- Branch transfer: The system should also have the ability to transfer accounts from one branch to another without the transaction being treated as a premature closure of the original account.
- Compatibility with Legacy systems: In case the bank has onboarded only some of its branches onto the CBS system while the rest still remain on a non-CBS (legacy) system, the IDRBT document prescribes that the system should be able to feed information from non-core branches at any point for amalgamation and generation of Reports. Also, customers should continue to have the flexibility of transferring their accounts from one branch to another be it with core-branches or other branches.
- Infrastructure: The IDRBT document prescribes that the database server should have at least n+1 redundancy (i.e. at least one active backup in case of any failure to ensure continuity). Further, the hardware utilisation should not exceed 80% of overall capacity and should be scalable to meet future needs. The sizing & scaling should be done based on the volume of transactions per day, peak load, number of accounts, users, concurrent users, transactions per second, and transaction time for different types of transactions and number of branches.
- Authentication & Authorisation: The IDRBT inter-alia prescribes that the CBS should have the ability to support third party single sign and have the ability to verify digital signatures for the data being uploaded. Further any and all Personally Identifiable Information (PII) and confidential information should be stored in encrypted form.
- Cloud Storage Facilities: Use of cloud storage has seen a steep rise in recent years. In a separate document published in 2013, the IDRBT has also laid down a Cloud Security Framework for Indian banks which requires the cloud service provider to provide a written proof that any customer data will not be stored outside India.
There are several other technical requirements applicable to Banks, however, this exploratory article restricts itself to the ambit of CFSS for NBFCs and several technical requirements are not covered here.
Challenges in implementing CFSS for NBFCs
While some NBFCs may have in place a centralised solution, others may have different solutions for multiple functions and products which are independent of each other. Implementing a new system brings with it several challenges. Some of the key issues are discussed below.
Expensive solutions
Banking technology solution providers usually offer a generalised platform-based solution with additional customisations as required by the bank. On the other hand, NBFCs tend to be specialised financial service providers focused on select product offerings. Care must be taken by the NBFC that only the required functional modules are incorporated in the solution to minimise cost else they will have to onboard an unnecessarily expensive solution. On top of this, the NBFC will continue to have to incur cost for customisation of the solution to cater to its specialised lending practices or retain its existing loan management system (LMS).
The integration problem
As we have mentioned above NBFCs are specialised lenders and financial service providers and those belonging to the middle and upper layers of the SBR framework will have their own existing customer-relationship-management (CRM) systems, data management, reporting and risk management systems. These would represent significant investments and ongoing commitments on the part of the NBFC which cannot be written off without incurring significant losses and disruptions. As per a Mckinsey Report on the core systems strategy of banks, one option to avoid this problem is by installing the new solution separate from its current technology system and then migrate customers gradually onto the new framework.
Such an approach, of course, brings with it all the issues associated with systems migration like ensuring data integrity across the new and legacy systems, consistent UX, managing third party interactions, switchover/fallback protocols, etc.
Adoption by employees and customers
The history of implementation of CBS in Indian banks is marked by both employee and managerial resistance to such a paradigm shift in systems and processes. Though the digitisation in the financial service sector has increased significantly, NBFCs should not fall for a false sense of security that the adoption of CFSS will be without its hiccups given employees and management will be well entrenched in the current technology and process frameworks. Awareness, buy-in and training programs will, most definitely, be needed and should be planned well in advance. Additionally, one should also look at the integration and user experience (UX) aspects of the technology solution to increase ease of adoption and reduce adverse technology shock.
Conclusion
In light of the fact that NBFCs cannot be considered as a homogenous class when one considers the diverse and often highly specialised nature of their business activities and also with a significant number of NBFCs taking their product offerings online with minimal physical points of presence (PoP), interests of the users of financial services as well as its providers would be better served with regulatory guidelines on the common minimum functionalities for CFSS of NBFCs. The existing guidelines specified for UCBs and the well-established CBS platforms of commercial banks may act as a relevant source of guidance for implementation of CFSS for NBFCs.
Further, the draft directions on IT Outsourcing and IT Governance, Risks, Controls and Assurance Practices proposed to be released by the RBI in the coming months, as mentioned in its Statement on Developmental and Regulatory Policies dated February 10, 2022 may also provide some guidance on CFSS implementation.
Our resources on Scale Based Regulations: https://vinodkothari.com/sbr/
Leave a Reply
Want to join the discussion?Feel free to contribute!