The Reserve Bank of India formalised the framework for payment companies to outsource payment and processing activities to third parties, while Upstox and Mobikwik focused on customer payment data last year.
Under the new rules, licensed non-bank payment system operators (OSP) cannot outsource basic administrative functions, including internal audits and KYC compliance, to external service providers.
As defined by the central bank, the basic administrative functions include managing payment system operations such as clearing and settlement, transaction management including reconciliation, reporting and line processing, transaction data management, customers, risk management, information technology and information security management, etc. The central bank also added that the board of directors of the Payment companies must “carefully examine” the need to outsource responsibilities.
“The OSP will carefully consider the need to outsource its critical processes and activities and the selection of service providers based on a comprehensive risk assessment,” the central bank said. “Critical processes are those that, if interrupted, have the potential to have a significant impact on business operations, reputation, profitability and / or customer service.”
The new rules also stipulate that liability for third party losses rests with the responsible members of the board of directors and senior management of the approved payment providers. “The outsourcing of any activities by the PSO will not diminish its obligations and those of its board of directors and senior management, who are ultimately responsible for the outsourced activities,” the central bank said.
RBI first announced the plan as part of the monetary policy announcement on February 5, 2021 in order to enable effective management of the risks associated with the outsourcing of payment and settlement activities.
“The resilience of the digital payment ecosystem to operational risks needs to be constantly updated,” said RBI Governor Shaktikanta Das during his address to the MPC in February.
“A potential area of operational risk is associated with outsourcing by payment system operators and authorised payment system participants,” he added. “In order to manage the risks associated with outsourcing and to ensure that the code of conduct is adhered to when outsourcing services in connection with payments and billing, the RBI will issue guidelines for the outsourcing of such services by these companies,” said the governor of RBI.
In addition, the central bank has also requested non-bank PSOs to make clear contractual requirements on the outsourced responsibilities and to carry out their own due diligence with regard to technology and legal compliance when working with relevant third-party companies.