The Reserve Bank of India on Tuesday announced the framework for the outsourcing of payment and settlement activities by payment system operators (PSOs). The aim is to establish minimum standards for managing risk in the outsourcing of payment and settlement related activities, including tasks such as onboarding customers and IT services.
“This framework is applicable to non-bank PSOs as it relates to their payment and settlement activities,” the RBI said, adding that it applied to all service providers, whether located in India or abroad.
The central bank has set a deadline of March 31, 2022 for PSOs to ensure that all their outsourcing agreements, including existing ones, comply with the framework.
The executive said PSOs would not outsource core management functions, including risk management and internal audit, compliance, and decision-making functions such as determining compliance with KYC standards.
Basic management functions would include managing payment system operations such as clearing and settlement, managing transactions such as reconciling, reporting and processing items, depending on the penalties imposed on merchants for acquisition, customer data management, risk management, information technology and information security management.
The Development and Regulatory Policy Statement issued with the bimonthly monetary policy statement on February 5 this year announced the plan for such a framework to enable effective management of the risks inherent in outsourcing such activities.
The service provider, unless it is a PSO group company, will not be owned or controlled by any director or officer of the PSO or their relatives.
The RBI executive further stated that the PSO will carefully assess the need to outsource its critical processes and activities as well as the selection of service providers based on a comprehensive risk assessment.
“The outsourcing of any activity by the PSO will not reduce its obligations, as well as those of its board of directors and its management, which are ultimately responsible for the outsourced activity,” he said, adding that the PSO will be responsible for the actions of its service suppliers and will retain ultimate control of the outsourced activity.
Additionally, to outsource any of its payment and settlement related activities, the PSO will have a full outsourcing policy approved by the Board of Directors.
The PSO will also ensure the security and confidentiality of customer information held by the service provider and will immediately notify RBI of any breach of security and leakage of confidential customer information, according to the framework.
“In such eventualities, the PSO would be liable to its customers for any damage,” he said.
The PSO will also maintain a central registry of all outsourcing arrangements, which will be readily available for review by the board of directors and senior management.
In addition, the PSO will also set up a management structure to monitor and control its outsourcing activities.
In the case of offshore service providers, the PSO will also closely monitor government policies and political, social, economic and legal conditions in the countries where the service provider is based, both during the risk assessment process and on an ongoing basis, and establish robust procedures to address country risk issues.