FIG Paper (No. 32) - Outsourcing of Financial Services: Harmonising the Law and Looking Ahead

Background

The Reserve Bank of India (“RBI”) issued the draft Master Direction – Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023 (“Draft MD”), on October 26, 2023. With the COVID-19 pandemic and the digitisation of financial services globally, financial institutions started becoming increasingly dependent on their service partners and agents to reduce costs and avail expertise not available internally.

While outsourcing is becoming more prevalent, the inherent risk associated with such activity has also been increasing. The Draft MD reflects the regulator’s cognizance of this phenomenon and aims to consolidate existing financial services (“FS”) outsourcing guidelines and incorporate global best practices.

Applicability

The Draft MD applies to all Commercial Banks, All-India Financial Institutions (e.g., EXIM Bank, NABARD, SIDBI, etc.), all Non-Banking Financial Companies (“NBFC”), all Co-operative Banks and all Credit Information Companies (“CIC”) (collectively, “Regulated Entities” or “REs”). While previous iterations of FS outsourcing guidelines applied only to Commercial Banks, Co-operative Banks, and NBFCs separately, the Draft MD widens its scope to include Regional Rural Banks, Local Area Banks, All-India Financial Institutions, CICs and non-scheduled payment banks, i.e., REs that were earlier not covered within FS outsourcing regulation.

The Draft MD, in line with earlier iterations, is not applicable to technology-related aspects and activities not related to banking/ financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, etc.

Key Highlights

  1. Streamlining of regulations: The Draft MD incorporates, updates and harmonises three extant guidelines and directions on outsourcing of financial services, viz., first, by commercial banks (November 3, 2006), second, by co-operative banks (June 28, 2021), and third, by non-banking financial companies (October 22, 2021) (annexed to the scale-based regulatory framework for NBFCs (“NBFC MD”) as a reiteration of the November 9, 2017 directions) (collectively, the “Extant Guidelines”). This streamlining marks a shift from an entity-based to an activity-based regulatory framework.
  2. Group outsourcing: Under the group outsourcing norms, there is a major departure from the earlier norms, viz., NBFCs have been put on par with banks. The NBFC MD allowed NBFCs in a group/ conglomerate to outsource core functions within the group, subject to compliance with certain requirements such as obtaining prior Board approval, executing outsourcing agreement and carrying out the transaction on an arm’s length basis. Core functions include internal audit, strategic and compliance functions such as determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans), and management of investment portfolio. Notably, the Draft MD does not contain this carve-out for NBFCs, indicating a clear intention across the board, that core management functions cannot be outsourced by any RE.
  3. Clarity on outsourcing internal audit: Paragraph 2 of the NBFC MD stated that while internal audit function is a core management process, internal auditors may be employed on contract. While core management functions cannot be outsourced, there was some ambiguity that allowed smaller NBFCs to leverage the audit function of entities within their group, on a contractual basis. The Draft MD clearly permits and outlines the bounds of outsourcing of internal auditing function in footnote 2 to paragraph 5. Where required, experts, including former employees, can be hired on a contractual basis only if the Board/ audit committee of the Board is satisfied that such expertise is not available internally. Moreover, while such contracting is now clearly permitted by the Draft MD, REs are solely liable for their audit reports and have the responsibility to identify and address conflicts of interest in this regard.
  4. Outsourcing agreements: Per the Extant Guidelines, which FS activities could be outsourced and which were considered core management functions was determined by the REs themselves. However, in the Draft MD, the RBI has provided clarity on what can and cannot be outsourced and annexed an illustrative list of ‘financial’ outsourcing arrangements in Annex 1 of the Draft MD, which includes application processing, middle and back office operations and claims administration. There is also a ‘negative list’ of arrangements that are not considered as ‘financial’ outsourcing arrangements, including functions legally required to be outsourced (such as statutory audit), telecommunication services, and market information services.

Implications

  1. Interface with new data law: Under the recently introduced Digital Personal Data Protection Act, 2023 (“DPDP Act”), REs outsourcing financial services, involving any personal data processing, are likely to be classified as ‘data fiduciaries’, while their service partners will likely be ‘data processors’. While data privacy requirements exist under the RBI guidelines, data confidentiality, processing, and data sharing in existing outsourcing arrangements will have to be reviewed and aligned with the DPDP Act and its rules, whenever the latter is notified.
  2. Applicability of conflicting outsourcing guidelines: The repeal provisions of the Draft MD provide for repealing of the directions dated November 9, 2017, applicable to NBFCs; however, it fails to mention Annex XIII of the NBFC MD, dated October 22, 2021. If the NBFC MD is not repealed and continues to be applicable, important provisions like core function outsourcing within a group will still be permitted for NBFCs, even though it has been disallowed in the Draft MD. It remains to be seen if this will be specifically repealed in the final version of the directions.
  3. Review of existing arrangements: Upon finalisation of the Draft MD into final directions, REs now falling within the scope of the framework, including NBFCs, will be required to carefully evaluate gaps in their outsourcing policies and revamp existing arrangements/ contracts with their service providers, especially with group entities.

Conclusion

Through the Draft MD, the RBI has taken steps towards consolidating and harmonising guidelines on outsourcing of financial services by moving from an entity-based to an activity-based regulatory framework. Under this harmonised framework, that applies to a wider set of REs, we note a clear focus on more effective risk management at a systemic level – a sign of mature regulatory supervision.

Lily Vadera

Senior regulatory advisor in the Financing Practice at the Mumbai office of Cyril Amarchand Mangaldas. She is the former Executive Director, Reserve Bank of India (RBI), has served RBI for more than three decades and headed the crucial department of regulation where she dealt with the regulatory framework for various entities in the financial sector, covering all categories of banks and non-banking finance companies. She framed regulations for Fintech players and played a significant role in the amalgamation of banks in stress. She also played an important role as a member of the Insolvency Law Committee set up by the Ministry of Corporate Affairs. She can be reached at lily.vadera@cyrilshroff.com

Anu Tiwari

Partner in the Corporate, M&A and Financial Institutions Advisory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Anu has over 15 years of experience and advises clients on matters related to public and private M&A, raising capital, commercial agreements, and activism. Anu represents both Indian and multinational fintech, banking, broker-dealer, exchange, asset management, speciality finance and information technology companies on transactional, enforcement and regulatory matters.

Anu has been a member of RBI’s Committee on Household Finance, SEBI’s Working Group on Mutual Fund Regulation, Fintech Committee of the Confederation of Indian Industries (CII) and a visiting faculty at the SP Jain School of Global Management.

Mr. Tiwari has been recognised by Chambers & Partners, IFLR, MergerMarket and as Lawyer of the Year 2021, India, by Global Law Experts for his work in the M&A, Financial Regulatory and Blockchain/Cryptocurrency space. He can be reached at anu.tiwari@cyrilshroff.com

Vishrut Jain

Senior Consultant in the financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Vishrut has represented various Indian and multinational fintech and information / emerging technology companies on transactional, enforcement and regulatory matters. He can be reached at vishrut.jain@cyrilshroff.com.

Aditya Sarkar

Associate in the Financial Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. He can be reached at aditya.sarkar@cyrilshroff.com

Anushri Mandal

Associate in the Financial Service Regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Anushri has worked on various transactional and advisory matters. Her focus has been on M&A and FinTech matters. She can be reached at anushri.mandal@cyrilshroff.com