The Reserve Bank of India on Tuesday announced the framework for outsourcing payment and settlement-related activities by payment system operators (PSOs). The objective is to put in place minimum standards to manage risks in outsourcing of payment and settlement-related activities, including tasks such as onboarding customers and IT-based services.
“This framework is applicable to non-bank PSOs insofar as it relates to their payment and settlement-related activities,” the RBI said, adding that it is applicable to all service providers, whether located in India or abroad.
The central bank has set a deadline of March 31, 2022 for PSOs to ensure that all their outsourcing arrangements, including the existing ones, are in compliance with the framework.
The framework has said PSOs will not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms.
Core management functions would include management of payment system operations such as netting and settlement, transaction management like reconciliation, reporting and item processing, according sanction to merchants for acquiring, managing customer data, risk management, information technology and information security management.
The Statement on Developmental and Regulatory Policies released with the bi-monthly Monetary Policy Statement on February 5 this year had announced the plan for such a framework to enable effective management of attendant risks in outsourcing of such activities.
The service provider, unless it is a group company of the PSO, will not be owned or controlled by any director or officer of the PSO or their relatives.
The RBI framework has further said the PSO will carefully evaluate the need for outsourcing its critical processes and activities and also the selection of service providers based on comprehensive risk assessment.
“Outsourcing of any activity by the PSO shall not reduce its obligations, and those of its board and senior management, who are ultimately responsible for the outsourced activity,” it has said, adding that the PSO will be liable for the actions of its service providers and will retain ultimate control over the outsourced activity.
Further, to outsource any of its payment and settlement-related activities, the PSO will have a board-approved comprehensive outsourcing policy.
The PSO will also ensure the security and confidentiality of customer information in the custody or possession of the service provider and will immediately notify RBI about any breach of security and leakage of confidential information related to customers, the framework said.
“In such eventualities, the PSO would be liable to its customers for any damage,” it stated.
The PSO will also maintain a central record of all outsourcing arrangements, which will be readily accessible for review by the board and senior management.
Further, the PSO will also put in place a management structure to monitor and control its outsourcing activities.
In the case of offshore service providers, the PSO will also closely monitor government policies and political, social, economic, and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems.