The Reserve Bank of India (“RBI”) had recently sought comments from the public on the proposed draft Master Directions – RBI (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023 (“Draft Directions”). The Draft Directions are addressed to all banks, NBFCs (including housing finance companies), All India Financial Institutions and Credit Information Companies (collectively, “REs”). Key highlights of the Draft Directions are set out below:
B. Salient Features
- Scope and applicability:
Currently, ‘outsourcing’ by banks and NBFCs is covered by separate directions issued by the RBI. The Draft Directions seek to consolidate the outsourcing norms for the REs under a single set of directions. Consequently, once implemented, the Draft Directions will repeal and replace the existing outsourcing framework.
The Draft Directions retain the theme of REs being barred from outsourcing their core functions. Unlike the existing outsourcing framework, which did not distinguish between different types of outsourcing arrangements, the Draft Directions set out a list of services which will be deemed to be ‘financial outsourcing arrangements’ (e.g. back office operations, cash management, manpower management, etc.). REs will have to report details of material financial outsourcing arrangements to the ‘supervisory authority’ on a quarterly basis.
The Draft Directions also expressly set out a negative list of arrangements which fall outside the scope of financial outsourcing arrangements (e.g. functions legally required to be undertaken by a service provider, such as statutory audits).
- Material outsourcing:
Additionally, the Draft Directions seek to introduce the concept of ‘material outsourcing arrangements’ which have been defined as “Outsourcing arrangements which:
(i.) in the event of failure of service or breach of security, has the potential to either materially impact an RE’s– (a) business operations, reputation, strategies, or profitability; or (b) ability to manage risk and comply with applicable laws and regulations, or
(ii.) in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on the RE’s customers”.
The Draft Directions place the onus on the REs to identify such arrangements and inter alia require the REs to place enhanced safeguards vis-à-vis business continuity/ disaster recovery plans for such arrangements (such as the service provider being required to undertake joint testing and recovery exercises, at least on an annual basis).
- Supervisory Authority: The RBI and NHB (vis-à-vis housing finance companies) have been designated as supervisory authorities to inspect/ periodically review the outsourcing arrangements.
- Offshore Outsourcing:
The Draft Directions also seek to mitigate country risks that may arise in case of offshore service providers.
Outsourcing arrangements pertaining to the RE’s overseas operations will be governed by both the Draft Directions and the host country’s laws (i.e. the country of the offshore service provider) governing such arrangements. In case of differences, the laws which are more stringent shall prevail, and in case of conflict, the laws of the host country shall prevail.
In relation to the use of offshore service providers for Indian operations, the Draft Directions prescribe that the REs must inter alia ensure that the host country’s regulator (i.e. the regulator of the country in which the offshore service provider is located) does not have access to data pertaining to the Indian operations; and all original records are maintained in India.
- Caution List and Cautionary Advertising:
If an RE prematurely terminates a service provider arrangement on account of fraud, data breaches, confidentiality breaches, or blacklisting by the Government of India or any other regulator, then the same will have to be intimated to the Indian Banks’ Association/ respective RBI-recognized self-regulatory organizations so that they may maintain a caution-list of such service providers for sharing amongst themselves and their respective member REs. In case of a customer-facing service provider, such termination would also have to be publicly advertised, cautioning customers to not interact with the service provider.
- Data Localisation Obligations: Whilst not prescribed previously, the Draft Directions now require the outsourcing arrangements to specifically require compliance with data localisation norms by the service providers. The obligation would have applied to the REs nonetheless in terms of the relevant localisation requirements prescribed by the regulator and the inclusion appears to be a consolidation of such position.
- Compliance Timeline: Once implemented, the REs may be provided a timeline of 3 to 6 months to ensure compliance, depending on the materiality of the arrangements, the technical lifts required and the need to ensure minimal service disruption to the customers.
With the timeline for public comments now being over, the final directions, as and when they are promulgated, will have to be carefully evaluated to ascertain the implications on REs and service providers.