RBI releases directions on managing risks and code of conduct in outsourcing of financial services by NBFCs
The Reserve Bank of India releases Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Non-Banking Financial Companies (NBFCs). NBFCs are advised by RBI to conduct a self-assessment of their existing outsourcing arrangements and bring these in line with the aforesaid Directions within two months from the date of this circular (November 9, 2017). The details of the directions are mentioned below.
1.1 ‘Outsourcing’ is defined as the NBFC’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future. ‘Continuing basis’ includes agreements for a limited period.
1.2 NBFCs have been outsourcing various activities and are hence exposed to various risks. Further, the outsourced activities are to be brought within regulatory purview to a) protect the interest of the customers of NBFCs and b) to ensure that the NBFC concerned and the Reserve Bank of India have access to all relevant books, records and information available with service provider. Typically outsourced financial services include applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.
1.3 Some key risks in outsourcing are Strategic Risk, Reputation Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk, Access Risk, Concentration and Systemic Risk. The failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the service provider can lead to financial losses or loss of reputation for the NBFC and could also lead to systemic risks.
1.4 It is therefore imperative for the NBFC outsourcing its activities to ensure sound and responsive risk management practices for effective oversight, due diligence and management of risks arising from such outsourced activities. The directions are applicable to material outsourcing arrangements as explained in para 3 which may be entered into by an NBFC with a service provider located in India or elsewhere. The service provider may either be a member of the group/ conglomerate to which the NBFC belongs, or an unrelated party.
1.5 The underlying principles behind these directions are that the regulated entity shall ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI. NBFCs, therefore, have to take steps to ensure that the service provider employs the same high standard of care in performing the services as is expected to be employed by the NBFCs, if the activities were conducted within the NBFCs and not outsourced. Accordingly, NBFCs shall not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened.
1.6 (i) These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc. NBFCs which desire to outsource financial services would not require prior approval from RBI. However, such arrangements would be subject to on-site/ off-site monitoring and inspection/ scrutiny by RBI.
(ii) In regard to outsourced services relating to credit cards, RBI’s detailed instructions contained in its circular on credit card activities vide DBOD.FSD.BC.49/24.01.011/2005-06 dated November 21, 2005 would be applicable.
2. Activities that shall not be outsourced
NBFCs which choose to outsource financial services shall, however, not outsource core management functions including Internal Audit, Strategic and Compliance functions and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans) and management of investment portfolio. However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions in Para 6. Further, while internal audit function itself is a management process, the internal auditors can be on contract.
3. Material Outsourcing
For the purpose of these directions, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on:
· the level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by the same;
· the potential impact of the outsourcing on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
· the likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service;
· the cost of the outsourcing as a proportion of total operating costs of the NBFC;
· the aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider and
· the significance of activities outsourced in context of customer service and protection.
4. NBFC’s role and Regulatory and Supervisory Requirements
4.1 The outsourcing of any activity by NBFC does not diminish its obligations, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. NBFCs would therefore be responsible for the actions of their service provider including Direct Sales Agents/ Direct Marketing Agents and recovery agents and the confidentiality of information pertaining to the customers that is available with the service provider. NBFCs shall retain ultimate control of the outsourced activity.
4.2 It is imperative for the NBFC, when performing its due diligence in relation to outsourcing, to consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration.
4.3 Outsourcing arrangements shall not affect the rights of a customer against the NBFC, including the ability of the customer to obtain redress as applicable under relevant laws. In cases where the customers are required to deal with the service providers in the process of dealing with the NBFC, NBFCs shall incorporate a clause in the relative product literature/ brochures, etc., stating that they may use the services of agents in sales/ marketing etc. of the products. The role of agents may be indicated in broad terms.
4.4 The service provider shall not impede or interfere with the ability of the NBFC to effectively oversee and manage its activities nor shall it impede the Reserve Bank of India in carrying out its supervisory functions and objectives.
4.5 NBFCs need to have a robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing.
4.6 The service provider, if not a group company of the NBFC, shall not be owned or controlled by any director of the NBFC or their relatives; these terms have the same meaning as assigned under Companies Act, 2013.
5. Risk Management practices for Outsourced Financial Services
5.1 Outsourcing Policy
An NBFC intending to outsource any of its financial activities shall put in place a comprehensive outsourcing policy, approved by its Board, which incorporates, inter alia, criteria for selection of such activities as well as service providers, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities.
5.2 Role of the Board and Senior Management
5.2.1 Role of the Board
The Board of the NBFC, or a Committee of the Board to which powers have been delegated shall be responsible inter alia for the following:
· approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
· laying down appropriate approval authorities for outsourcing depending on risks and materiality;
· setting up suitable administrative framework of senior management for the purpose of these directions;
· undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness and
· deciding on business activities of a material nature to be outsourced, and approving such arrangements.
5.2.2 Responsibilities of the Senior Management
· evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;
· developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
· reviewing periodically the effectiveness of policies and procedures;
· communicating information pertaining to material outsourcing risks to the Board in a timely manner;
· ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
· ensuring that there is independent review and audit for compliance with set policies and
· undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise.
5.3 Evaluation of the Risks
The NBFCs shall evaluate and guard against the following risks in outsourcing:
· Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the NBFC.
· Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the NBFC.
· Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.
· Operational Risk – Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.
· Legal Risk – Where the NBFC is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
· Exit Strategy Risk – Where the NBFC is over-reliant on one firm, the loss of relevant skills in the NBFC itself preventing it from bringing the activity back in-house and where NBFC has entered into contracts that make speedy exits prohibitively expensive.
· Counterparty Risk – Where there is inappropriate underwriting or credit assessments.
· Contractual Risk – Where the NBFC may not have the ability to enforce the contract.
· Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the NBFC may lack control over the service provider.
· Country Risk – Due to the political, social or legal climate creating added risk.