
Update

RBI Framework for Outsourcing of Payment and Settlement Activities by Non-Bank Payment System Operators

02 Sep 2021

The RBI has released a new framework governing the outsourcing of activities by non-bank payment system operators. In this update we summarize the salient features of this framework and its implications.

On 3 August 2021, the Reserve Bank of India (RBI) issued the ‘Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators’ (Framework), under the Payment and Settlement Systems Act, 2007 (PSSA). The Framework regulates certain outsourcing activities by non-bank payment system operators (PSOs). While certain banks are also authorised to act as PSOs, the Framework only applies to non-bank PSOs since banks and non-banking financial companies are already subject to similar requirements in relation to the outsourcing of their financial service activities.

A ‘payment system’ is a system that enables clearing, payment or settlement (or all of them) between a payer and a beneficiary and includes systems enabling operations relating to credit, debit and smart cards, money transfer and other similar activities but does not include a stock exchange. Examples of such payment systems include digital wallets like PayTm and Mobikwik, card payments networks like MasterCard and American Express, Unified Payments Interface (UPI) etc.

The term ‘outsourcing’ is defined as the use of a third party to perform activities on a continuing basis, including short term arrangements, that would normally be undertaken by the PSO itself. Therefore, apart from the vendor, the Framework also applies to agents, consultants and their representatives, as well as sub-contractors engaged by the vendor, whether or not located in India. Such outsourcing is very common in the financial services sector.

Additionally, the RBI has observed in the Framework that it would be prudent for payment system participants such as third-party UPI application providers, token requestors etc., which are not directly regulated or supervised by the RBI but may be providing direct payment services to customers, to implement a system to manage outsourcing risks. As a best practice, the RBI has therefore recommended that PSOs may engage with such payment participants to encourage them to implement the Framework. Consequently, it seems likely that PSOs may seek to contractually require participants in their payment systems to implement the Framework. The Framework’s release comes in light of recent cyber-attacks that targeted customer data in the possession of certain PSOs, as a result of which large amounts of information were allegedly leaked. The Framework seeks to manage the risks to PSOs which may arise from vulnerabilities in the systems of vendors.

Scope of the Framework

The Framework covers outsourcing of payment and/or settlement related activities of PSOs, i.e., the processes in a payment system which enable the transfer of funds from the payer to the payee. Payment gateways, tokenisation solutions, application hosting, KYC verification, payment reconciliation etc. are also covered.

Additionally, the Framework applies to incidental activities such as the onboarding of customers and IT support services. Activities that are not related to payment or settlement services such as internal administration, house-keeping and similar activities are explicitly excluded from the Framework.

Core management functions and critical processes

The Framework restricts PSOs from outsourcing their core management functions, including risk management and internal audit, compliance and decision-making functions such as determining compliance with KYC norms. A similar restriction also applies to banks and NBFCs. However, the Framework takes it one step further and specifies that the following additional core management functions will be restricted: (i) management of payment system operations such as netting, settlement, etc.; (ii) transaction management (reconciliation, reporting and item processing); (iii) sanctioning merchants for acquiring or managing customer data; (iv) risk management; (v) information technology (IT) and information security (IS) management.

Many PSOs currently do not have the means and/or resources to invest in the sophisticated systems necessary for carrying on activities like transaction and risk management, handling of customer data, and extensive IT and IS functions. Similarly, while PSOs may have capacity for undertaking IT/IS functions, PSOs often opt to outsource these functions in order to focus on their core business. They usually engage specialized vendors who provide the necessary platforms or infrastructure as services to the PSOs at significantly lower costs. However, outsourcing of such functions could result in increased cyber security threats since a fault on the vendor’s systems could potentially expose all PSOs relying on the services of such vendor and affect millions of customers. This seems to be the intent behind restricting such outsourcing.

While the Framework restricts outsourcing of core management functions, it allows PSOs to outsource their ‘critical processes’ after evaluating the need for such outsourcing and the selection of vendors, based on a comprehensive risk assessment. Critical processes are those which, if disrupted, will have the potential to significantly impact the PSOs’ business operations, reputation, profitability and/or customer service. There is a possibility that such processes may overlap with the PSOs’ core management functions and the Framework should ideally have provided further guidance to help distinguish the two categories.

Arrangements with group companies

A PSO may outsource functions to its group companies subject to its board approved policy. The arrangement needs to be documented as a written agreement setting out the service levels to be met by the group entity, service charges to be paid by the PSO, confidentiality obligations on the group entity in respect of customer data etc. The PSO must also ensure that the agreement with the group entity does not prevent the RBI from obtaining any information required for the supervision of the PSO, or pertaining to the group as a whole. Current outsourcing arrangements between PSOs and their group entities may need to be re-examined in light of these restrictions.

The Framework also stipulates certain conditions for cross-selling by PSO and group entities with the intent to ensure that customers are informed of which entity actually provides the services. The PSO must not give the impression that it is responsible for the obligations of the group entities. Additionally, the vendor must not be owned or controlled by any director or officer of the PSO or their relatives unless it is a group company of the PSO. This move appears to improve transparency in financial service offerings from PSOs.
