On 3 August 2021, the Reserve Bank of India (RBI) issued the ‘Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators’ (Framework), under the Payment and Settlement Systems Act, 2007 (PSSA). The Framework regulates certain outsourcing activities by non-bank payment system operators (PSOs). While certain banks are also authorised to act as PSOs, the Framework only applies to non-bank PSOs since banks and non-banking financial companies are already subject to similar requirements in relation to the outsourcing of their financial service activities.
A ‘payment system’ is a system that enables clearing, payment or settlement (or all of them) between a payer and a beneficiary and includes systems enabling operations relating to credit, debit and smart cards, money transfer and other similar activities, but does not include a stock exchange. Examples of such payment systems include digital wallets like Paytm and Mobikwik, card payment networks like MasterCard and American Express, the Unified Payments Interface (UPI), etc.
The term ‘outsourcing’ is defined as the use of a third party to perform activities on a continuing basis, including short term arrangements, that would normally be undertaken by the PSO itself. Therefore, apart from the vendor, the Framework also applies to agents, consultants and their representatives, as well as sub-contractors engaged by the vendor, whether or not located in India. Such outsourcing is very common in the financial services sector.
Additionally, the RBI has observed in the Framework that it would be prudent for payment system participants such as third-party UPI application providers, token requestors, etc., which are not directly regulated or supervised by the RBI but may be providing direct payment services to customers, to implement a system to manage outsourcing risks. As a best practice, the RBI has therefore recommended that PSOs may engage with such payment participants to encourage them to implement the Framework. Consequently, it seems likely that PSOs may seek to contractually require participants in their payment systems to implement the Framework. The Framework’s release comes in light of recent cyber-attacks that targeted customer data in the possession of certain PSOs, as a result of which large amounts of information were allegedly leaked. The Framework seeks to manage the risks to PSOs which may arise from vulnerabilities in the systems of vendors.
The Framework covers outsourcing of payment and/or settlement related activities of PSOs, i.e., the processes in a payment system which enable the transfer of funds from the payer to the payee. Payment gateways, tokenisation solutions, application hosting, KYC verification, payment reconciliation etc. are also covered.
Additionally, the Framework applies to incidental activities such as the onboarding of customers and IT support services. Activities that are not related to payment or settlement services such as internal administration, house-keeping and similar activities are explicitly excluded from the Framework.
The Framework restricts PSOs from outsourcing their core management functions, including risk management and internal audit, compliance and decision-making functions such as determining compliance with KYC norms. A similar restriction also applies to banks and NBFCs. However, the Framework takes it one step further and specifies that the following additional core management functions will be restricted: (i) management of payment system operations such as netting, settlement, etc.; (ii) transaction management (reconciliation, reporting and item processing); (iii) sanctioning merchants for acquiring or managing customer data; (iv) risk management; (v) information technology (IT) and information security (IS) management.
Many PSOs currently do not have the means and/or resources to invest in the sophisticated systems necessary for carrying on activities like transaction and risk management, handling of customer data, and extensive IT and IS functions. Similarly, even where PSOs have the capacity to undertake IT/IS functions themselves, they often opt to outsource these functions in order to focus on their core business. They usually engage specialised vendors who provide the necessary platforms or infrastructure as services to the PSOs at significantly lower cost. However, outsourcing of such functions could result in increased cyber security threats, since a fault in the vendor’s systems could potentially expose all PSOs relying on the services of that vendor and affect millions of customers. This seems to be the intent behind restricting such outsourcing.
While the Framework restricts outsourcing of core management functions, it allows PSOs to outsource their ‘critical processes’ after evaluating the need for such outsourcing and the selection of vendors, based on a comprehensive risk assessment. Critical processes are those which, if disrupted, will have the potential to significantly impact the PSO’s business operations, reputation, profitability and/or customer service. There is a possibility that such processes may overlap with the PSO’s core management functions, and the Framework should ideally have provided further guidance to help distinguish the two categories.
A PSO may outsource functions to its group companies subject to its board approved policy. The arrangement needs to be documented as a written agreement setting out the service levels to be met by the group entity, service charges to be paid by the PSO, confidentiality obligations on the group entity in respect of customer data etc. The PSO must also ensure that the agreement with the group entity does not prevent the RBI from obtaining any information required for the supervision of the PSO, or pertaining to the group as a whole. Current outsourcing arrangements between PSOs and their group entities may need to be re-examined in light of these restrictions.
The Framework also stipulates certain conditions for cross-selling by PSOs and their group entities, with the intent of ensuring that customers are informed of which entity actually provides the services. The PSO must not give the impression that it is responsible for the obligations of the group entities. Additionally, the vendor must not be owned or controlled by any director or officer of the PSO or their relatives unless it is a group company of the PSO. This move appears to improve transparency in financial service offerings from PSOs.