Background
The Reserve Bank of India (“RBI”) issued the draft Master Direction – Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023 (“Draft MD”), on October 26, 2023. With the COVID-19 pandemic and the digitisation of financial services globally, financial institutions started becoming increasingly dependent on their service partners and agents to reduce costs and avail expertise not available internally.
While outsourcing is becoming more prevalent, the inherent risk associated with such activity has also been increasing. The Draft MD reflects the regulator’s cognizance of this phenomenon and aims to consolidate existing financial services (“FS”) outsourcing guidelines and incorporate global best practices.
Applicability
The Draft MD applies to all Commercial Banks, All-India Financial Institutions (e.g., EXIM Bank, NABARD, SIDBI, etc.), all Non-Banking Financial Companies (“NBFC”), all Co-operative Banks and all Credit Information Companies (“CIC”) (collectively, “Regulated Entities” or “REs”). While previous iterations of FS outsourcing guidelines applied only to Commercial Banks, Co-operative Banks, and NBFCs separately, the Draft MD widens its scope to include Regional Rural Banks, Local Area Banks, All-India Financial Institutions, CICs and non-scheduled payment banks, i.e., REs that were earlier not covered within FS outsourcing regulation.
The Draft MD, in line with earlier iterations, is not applicable to technology-related aspects and activities not related to banking/ financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, etc.
Key Highlights
- Streamlining of regulations: The Draft MD incorporates, updates and harmonises three extant guidelines and directions on outsourcing of financial services, viz., first, by commercial banks (November 3, 2006), second, by co-operative banks (June 28, 2021), and third, by non-banking financial companies (October 22, 2021) (annexed to the scale-based regulatory framework for NBFCs (“NBFC MD”) as a reiteration of the November 9, 2017 directions) (collectively, the “Extant Guidelines”). This streamlining marks a shift from an entity-based to an activity-based regulatory framework.
- Group outsourcing: The group outsourcing norms mark a major departure from the earlier norms, viz., NBFCs have been put on par with banks. The NBFC MD allowed NBFCs in a group/ conglomerate to outsource core functions within the group, subject to compliance with certain requirements such as obtaining prior Board approval, executing an outsourcing agreement and carrying out the transaction on an arm’s length basis. Core functions include internal audit, strategic and compliance functions such as determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans), and management of investment portfolio. Notably, the Draft MD does not contain this carve-out for NBFCs, indicating a clear intention, across the board, that core management functions cannot be outsourced by any RE.
- Clarity on outsourcing internal audit: Paragraph 2 of the NBFC MD stated that while the internal audit function is a core management process, internal auditors may be employed on contract. While core management functions cannot be outsourced, there was some ambiguity that allowed smaller NBFCs to leverage the audit function of entities within their group, on a contractual basis. The Draft MD clearly permits and outlines the bounds of outsourcing of the internal auditing function in footnote 2 to paragraph 5. Where required, experts, including former employees, can be hired on a contractual basis only if the Board/ audit committee of the Board is satisfied that such expertise is not available internally. Moreover, while such contracting is now clearly permitted by the Draft MD, REs are solely liable for their audit reports and have the responsibility to identify and address conflicts of interest in this regard.
- Outsourcing agreements: Per the Extant Guidelines, the REs themselves determined which FS activities could be outsourced and which were considered core management functions. However, in the Draft MD, the RBI has provided clarity on what can and cannot be outsourced and annexed an illustrative list of ‘financial’ outsourcing arrangements in Annex 1 of the Draft MD, which includes application processing, middle and back office operations and claims administration. There is also a ‘negative list’ of arrangements that are not considered as ‘financial’ outsourcing arrangements, including functions legally required to be outsourced (such as statutory audit), telecommunication services, and market information services.
Implications
- Interface with new data law: Under the recently introduced Digital Personal Data Protection Act, 2023 (“DPDP Act”), REs outsourcing financial services that involve any personal data processing are likely to be classified as ‘data fiduciaries’, while their service partners will likely be ‘data processors’. While data privacy requirements already exist under the RBI guidelines, data confidentiality, processing, and data sharing in existing outsourcing arrangements will have to be reviewed and aligned with the DPDP Act and its rules, whenever the latter are notified.
- Applicability of conflicting outsourcing guidelines: The repeal provisions of the Draft MD provide for the repeal of the directions dated November 9, 2017, applicable to NBFCs; however, they fail to mention Annex XIII of the NBFC MD, dated October 22, 2021. If the NBFC MD is not repealed and continues to be applicable, important provisions like core function outsourcing within a group will still be permitted for NBFCs, even though such outsourcing has been disallowed in the Draft MD. It remains to be seen if this will be specifically repealed in the final version of the directions.
- Review of existing arrangements: Upon finalisation of the Draft MD into final directions, REs now falling within the scope of the framework, including NBFCs, will be required to carefully evaluate gaps in their outsourcing policies and revamp existing arrangements/ contracts with their service providers, especially with group entities.
Conclusion
Through the Draft MD, the RBI has taken steps towards consolidating and harmonising guidelines on outsourcing of financial services by moving from an entity-based to an activity-based regulatory framework. Under this harmonised framework, which applies to a wider set of REs, we note a clear focus on more effective risk management at a systemic level – a sign of mature regulatory supervision.