RBI Issues Outsourcing Guidelines For Payment System Operators

RBI says payment system operators must not outsource core management functions.

The digital payment service PhonePe, operated by Flipkart, is demonstrated during an arranged photograph in Bengaluru, India. (Photographer: Samyukta Lakshmi/Bloomberg)
The digital payment service PhonePe, operated by Flipkart, is demonstrated during an arranged photograph in Bengaluru, India. (Photographer: Samyukta Lakshmi/Bloomberg)

The Reserve Bank of India issued a new framework for outsourcing of activities by payment system operators. The regulator also reiterated that despite any outsourcing, the responsibility of any breaches or malpractices will lie with the operator and not the entity to which operations have been outsourced.

"The Payment System Operators (PSOs), by virtue of services they provide and the construct of models on which they operate, largely outsource their payment and settlement-related activities to various other entities," the RBI said in its circular on Tuesday.

It laid down guard rails on what activities can and cannot be outsourced, while also asking that the role of board be strengthening in outsourcing policies.

Key guidelines introduced by the RBI include:

  • PSOs shall not outsource core management functions including risk management, internal audit, compliance and decision-making functions.

  • PSOs shall carefully evaluate the need for outsourcing critical processes and activities.

  • Outsourcing of any activity shall not reduce the liability of the PSOs, its board and senior management.

  • Outsourcing shall not affect the rights of the consumers against the PSOs.

  • A PSO must have a board-approved framework for outsourcing of any payments related activity.

  • The board must undertake periodic review of the outsourcing policies, strategies and arrangements.

  • The management must ensure independent review and audit of set policies.

  • A central record of all outsourcing arrangements must be maintained and made readily accessible to the board and management.

With respect to agencies that the PSOs can tie up with, the RBI requires certain minimum criteria be met.

  • The PSOs must ensure proper training of direct sale agents and direct marketing agents.

  • A board approved code of conduct for DSAs and DMAs must be put in place with an undertaking of compliance from them.

  • PSOs shall conduct annual reviews of the service providers financials to ensure that they are able to continue providing outsourcing services.

  • In case of termination of contract with an outsourcing agency, the PSOs shall ensure adequate publicity is given to such a termination for the public.

  • The PSO shall consider the availability of alternative service providers, as well as the possibility of bringing the outsourced activity back in-house in an emergency and assess the cost, time and resources that would be involved.

  • If dealing with own group entities for outsourcing services, the PSOs must ensure that the customer is given clear information about the actual company which is offering the product or service.

  • The PSOs shall ensure that arrangements with group entities do not affect the ability to identify and manage risks on a standalone basis.

  • In case of off-shore outsourcing of Indian payments related activities, the PSOs must ensure that the off-shore regulator does not have access to the Indian payments data simply of the basis of off-shore processing of such data.

  • Similarly, PSOs must ensure that the courts in the off-shore locations do not have jurisdiction over the Indian operations, simply due to off-shore processing of data.