This article is written by Aditya Anand, who is pursuing a five-year integrated course at Symbiosis Law School, Noida. In this article, the author has covered in detail most of the information stated in the notification issued by RBI for the outsourcing of payment and settlement-related activities.
The notification issued by the Reserve Bank of India (RBI), published on August 3, 2021, is discussed thoroughly in this article. The regulation of any system maintains efficiency and effectiveness, and so the framework acts as a torchbearer to keep the system in the right direction. The necessary alteration and analysis are the need of the hour for the proper functioning of the system. The purpose of this framework for the outsourcing of payment and settlement-related activities issued by RBI is to ensure that there is an effective management system to manage the probable risk in outsourcing activities.
It was also announced in the Statement on Developmental and Regulatory Policies released with the bi-monthly Monetary Policy Statement 2020-21 on February 05, 2021. It was stated that the decisive authority of the outsourcing of payment and settlement-related activities by payment system operators (PSOs) will be with the Reserve Bank of India. The framework shall also be applicable to non-bank PSOs related to payment and settlement activities.
RBI is the apex organization for framing rules and regulation of monetary policies in the country. It was established on April 1, 1935, as per the provisions of the Reserve Bank of India Act, 1934. This national institution is fully owned and controlled by the Government of India. Out of many other important functions, RBI is also the regulator and supervisor of the payment and settlement system as it introduces different frameworks to upgrade safe and efficient modes of payment systems in the country and to meet the requirements of the public at a large scale. The objective of these functions is to maintain the trust and confidence of the public in payment and settlement-related activities and systems.
It is a type of business practice of hiring a party that is not related to the company or payment system operators. It is for hiring services that were earlier performed by the payment system operators. The purpose of this method is to widen the scope of responsibility and reduce labour costs significantly. The hired services provider would have to complete the assigned task but the authority and some of the main responsibility can only be vested with the payment system operators. Their liability remains the same even if the execution of work or services is performed or managed by the assigned companies.
Payment and settlement
The payment and settlement system in India is governed by the Payment and Settlement Act, 2007. In general, payment means the process of transferring the money that is owed or obliged to pay whereas settlement is a wider term that is an agreement to resolve the differences or disputes. Payment can also be received against settlement. Payment and settlement play a vital role in the improvement and development of the economic efficiency of any country. The payment has also been defined under Section 2(i) in the Payment and Settlements Act, 2007 that is a system that enables payment to be effected between payer and beneficiary involving clearing, payment, or settlement service or all of them.
The Reserve Bank of India is the central bank of India that plays a developmental role and undertakes various initiatives to ensure that authorized payment systems of the country are safe, secure, sound, efficient, and accessible to the public. Usually, the central bank of any country is the driving force in the development of national payment systems. The sub-committee formed under the central board of the Reserve Bank of India is the highest policy-making body on payment systems in the country. The sub-committee is known as the Board for Regulation and Supervision of Payment and Settlement systems. The Board is the apex authority to authorize, prescribe policies, and set up definite standards to regulate and supervise payment and settlement systems in the country. The Department of Payment and Settlement Systems acts as a secretariat to the Board and executes the directions of the RBI.
Payment system operators
A Payment System Operator is an authorized party, registered under the Companies Act, 1956 or the Companies Act, 2013, that undertakes the operation of payment systems. They provide services and operate on a certain model and mainly deal in payment and settlement-related activities.
A service provider or payment service provider is a third party that accepts a wide variety of payments through a single channel. The service providers are not limited to vendors, payment gateway, agents, and consultants that are engaged in activities of payment and settlement systems but also include subcontractors or secondary service providers to whom the primary service providers may further outsource or be part of the activity outsourced by PSO.
They act as a mediator between the payment system operators and the public. The service provider holds all the details of customers and it is authorized by the registered payment system operators. The service provider is an extended version of the payment system operators for effective management and efficient operation. Payment system operators would be responsible for any breach of data by the service providers.
What is the aim
- The framework has been issued to enable effective management of probable risk in outsourcing and other activities.
- The framework aims to reduce the risk in outsourcing payment and settlement-related activities to a minimum level including IT-based services and onboarding customers.
- The framework is a development towards providing better customer service as well as reducing breaches of data and any kind of malpractice.
- The PSO should ensure that they provide confidentiality and security to the customers.
- The framework also orders the payment system operators to formulate the code of conduct for the service providers who are involved in outsourcing.
- The first proposal for such a framework specifically related to outsourcing by payment system operators was announced in February. The framework was stated in the Statement on Developmental and Regulatory Policies released with the monetary policy statement.
- The framework was issued under Section 10 (2) which has to be read with Section 18 of the Payment and Settlement Act, 2007.
- RBI also made it clear that PSO will not have to seek any prior approval for outsourcing.
- The framework statements ensure that there is minimum risk in outsourcing payment and settlement-related activities.
- The framework also directs PSOs that they should have an efficient and responsive risk management system as well as practices for effective oversight and tackle the risk arising during outsourcing of activities. The PSOs will have to exercise due diligence and care in this regard.
What does the notification say
- The PSO shall be responsible for its core management functions such as risk management, internal audit, compliance, and decision-making functions.
- The PSO should carefully work on the evaluation of the need for outsourcing. It should analyze its critical process and activities as well as a selection of providers based on comprehensive risk assessment.
- The RBI has also issued the caution notice which states that PSO will be solely responsible for any outsourcing activities. There will be no reduction of obligation for the board and senior management and thus they shall be ultimately responsible for the outsourced activity.
- The PSO shall also be liable for the actions of its providers and should possess absolute control over the activities related to outsourcing.
- The PSO should have a board-approved comprehensive framework for the outsourcing of any payment-related activity.
- The PSO board should undertake periodic reviews of the outsourcing policies, strategies, and arrangements.
- Outsourcing should not affect any rights of customers granted against the PSO.
- The PSO is required to maintain a central record related to all types of outsourcing activities. It should also be readily accessible to the board as well as management. The record should be updated on a timely basis and half-yearly reviews should be presented before senior management.
- The PSO shall commence the customer grievance redressal function and must provide its customers with the option of direct access to its nodal officers for any kind of complaint or grievances.
- The RBI also directs service providers to develop and set up a strong framework for documentation, maintenance, check of business continuity and recovery procedures.
- The PSO shall make clear that Direct Marketing Agents are properly trained to handle their responsibilities efficiently. They should handle with care and should act sensibly in customer-related services, calling hours, the privacy of customer information, and convey the correct terms and conditions of the products that are offered.
Statement released by RBI on Developmental and Regulatory policies
The statement released by RBI on 5th February 2021 explains various types of developmental and regulatory policy measures and highlights various points on upgrading the payment and settlement systems. The points are discussed below.
- Setting up of 24*7 helpline for digital payment services
The purpose of setting up a 24*7 helpline system is to address customer queries related to digital payment products. Thus, the helpline will also build trust and confidence. The benefit of this helpline will reduce the expenditure on financial as well as human resources. These resources were necessary for addressing queries and grievances.
The payment system operators would be required to establish a centralized industry-wide 24*7 helpline system for addressing customer queries in respect of different types of digital payment products and also provide information on available grievance redressal mechanisms by September 2021.
The establishment of the helpline system will mitigate the communication gap between payment system operators and customers. This would make the customer feel safer while carrying out transactions as the queries will get resolved easily. This helpline system will create a user-friendly environment for the customers.
The initiative of safety and security features and measures for redressal of grievances was undertaken by the Reserve Bank of India to enhance the digital payments experience of users and provide a secure dedicated system for their queries.
- Guidelines on outsourcing for operators and participants of authorized payment systems
The RBI shall issue specialized guidelines to operators and participants of authorized payment systems. There are several types of risks in the payment systems and hence RBI takes this matter into cognizance and reduces the risks in outsourcing to ensure a safer payment system for customers.
The purpose of these guidelines is to make sure that PSO adheres to the code of conduct while outsourcing payment and settlement-related services. The payment system operators and participants of several authorized payment systems conduct numerous types of specialized activities on account of products offered by them as well as the operation of different payment systems designed by them.
The importance of such guidelines on outsourcing will optimize efficiency and lower costs. There are certain vulnerabilities in the system of entities that provide such outsource activities that can pose cybersecurity risks to the customers or principal entity.
- Enabling participation in CTS clearing across all branches in the country
CTS or cheque truncation system is the process of stopping the flow of the physical cheque issued by a drawer at some point by the presenting bank en-route to the paying bank branch. The replacement of this process is an electronic image of the cheque that will be transmitted to the paying branch through the clearinghouse, along with relevant information like data on the MICR band, date of presentation, presenting bank, etc.
It was started in 2010 and has been operating since then. The system presently covers almost 1,50,000 branches across the three cheque processing units with CTS. It has been reported that almost 18,000 bank branches are still not included in the formal clearing agreements.
The statement proposes to bring all such branches under the CTS clearing mechanism by September 2021. The objective of this statement is to bring operational efficiency in paper-based clearing and eliminate all kinds of barriers that reduce the efficiency as well as to make the process of collection and settlement of cheques faster that would result in better services. The statement also conveys that for this proposal separate guidelines will be issued.
What does the law say
The RBI has itself stated that the whole framework is issued under Section 10(2) and Section 18 of the Payment and Settlement Act, 2007. Section 10(2) empowers RBI to issue guidelines from time to time as it finds necessary, without any prejudice to Section 10(1). These are guidelines that will be issued for the effective and efficient management of the payment system or with reference to any particular payment system.
Section 18 defines the power of the Reserve Bank of India to give directions without any prejudice. If the RBI feels that the direction is in accordance with the provisions and is in the public interest then it may lay down policies, if necessary, on the regulation of payment systems including electronic, nonelectronic, domestic, and international payment systems. It may give directions in writing if it finds necessary to system providers or system participants.
The PSS Act, 2007 has been formulated to govern and regulate the activities which involve payment and settlement of transactions in lieu of paying or settling a transaction by cash or other means of physical movement of payment instruments.
Under the PSS Act, 2007, two Regulations have been mandated by the RBI, namely, the Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008 (BPSS Regulations) and the Payment and Settlement Systems Regulations, 2008 (‘PSS Regulations, 2008’). These Regulations came into force along with the PSS Act, 2007 on 12th August 2008. Together they provide the necessary statutory support to the RBI for overseeing the payment and settlement systems in the country. They play a vital role and lay down the necessary requirements for commencing or carrying on payment systems.
Why are payment system operators important
A payment system operator means a legal entity responsible for operating a payment system. The PSO provides services by operating on certain models. They largely outsource their payment and settlement-related activities to various other entities. It is a kind of institution which has been authorized for the operation of a payment system. The PSO has to work in accordance with the Payments and Settlements Act, 2007.
There are different payment system operators in India, and their certificates of authorisation are issued by the Reserve Bank of India under the Payment and Settlements Act, 2007 for setting up and operating a payment system in India. Some of the common institutions are the Clearing Corporation, National Payment Corporations of India, American Express Banking Corp., and various other payment system operators. The RBI has issued a list of 68 authorized payment system operators currently operating in India.
The judiciary is also the deciding authority as it enforces laws. A petition was filed by advocate Abhishek Sharma in the Delhi High Court seeking to impose a penalty on Google for alleged violations of laws. The petition also requested the court to direct Google India Digital Service to provide an undertaking not to store data on its app under the UPI ecosystem and not to share it with any third party. Thus, the plea was filed to seek action against Google Pay for violating the central bank guidelines. The plea was heard by a two-judge bench consisting of Chief Justice D.N. Patel and Justice Prateek Jalan, who also issued notice to Google India Digital Service Pvt Ltd. Any further information or progress has not been published officially. The information provided above is based on the authentic website that is also hyperlinked just to make an appraisal.
What are they required to do
- As per the RBI, when the PSO would be executing work regarding outsourcing then they must act according to relevant laws, regulations, guidelines and should act in conformity to conditions of approval or authorization, licensing, or registration.
- PSO shall be responsible for addressing all the grievances and complaints of customers including any kind of other issues in respect of services that are provided by a service provider or any outsourcing agency.
- The details such as phone number, emails, or any other relevant information should be provided promptly on the PSO’s website, advertisement, and other applications. Customers can file the complaint at their convenience and the information should be updated prominently. An adequate awareness should also be created of this system among the users.
- The PSO should also make sure that outsourcing activities don’t affect the ability of the PSO to effectively implement and oversee as well as efficiently manage its activities. The RBI should conveniently carry out its supervisory functions and objectives.
- The PSO shall provide product literature or brochure to the desired customer who is required to have an interface with the service provider to avail products of the PSO and the role of such service provider should be stated.
What is the role of the Board
The assigned board of the PSO, or approved committee of the board to which powers have been delegated, shall play the role for the following acts which have been discussed below:
- To approve a framework for the evaluation of risks and critical analysis of all existing as well as prospective outsourcing.
- To formulate and ratify the policies that should be applied in outsourcing arrangements.
- They should depict appropriate approval authorities for outsourcing depending on risks and criticality.
- To establish the suitable administrative mechanism of senior management for fulfilling the objectives of this framework.
- To undertake periodic review of outsourcing policy, strategies, and arrangements for their continued relevance, safety, and soundness.
- The board should be the deciding authority on business activities related to outsourcing and to mandate such arrangements.
- The authorities should work as per the rules and regulations that are stated in the framework and validated by the RBI.
What does the management have to do
The senior management shall be responsible for the following acts that have been discussed below:
- To evaluate the risks and criticality of all types of existing and prospective outsourcing. The outsourcing is based on the framework mandated by the authorized committee or board.
- To develop and implement such outsourcing policies and procedures that would be sound and reasonable so that it can adjust with the nature, scope, and complexity of the outsourcing activities.
- The effectiveness of policies and procedures should be reviewed on a periodic basis by the management, and it should identify the different types of new outsourcing risks that may arise in the future.
- The management should communicate in a timely manner, to the board for any information related to outsourcing risks that can be predicted.
- To set up contingency plans that should be based on reality as well as probable disruptive scenarios that may arise in the future. So the plans should be on standby and tested periodically.
- To ensure that there is an independent review and audit for compliance with the set policies.
How will it affect customer service
The main purpose of the framework is to provide better customer service and satisfaction. This required upgrading of some of the service processing systems. The customer care details should be accessible and in working condition. It should be enabled through many phone numbers, e-mail ids, postal addresses, etc., and the details of which shall be displayed prominently on its website, mobile applications, advertisements, etc. Adequate awareness among the customers shall also be created about the availability of this recourse.
What is the outsourcing agreement
When the PSO extends its responsibilities and tasks to any service provider, the PSO and the service provider have to agree and work in compliance with certain norms. The terms and conditions stated in the contract between the PSO and the service provider shall be thoroughly defined in written agreements and reviewed by the PSO’s legal counsel for their legal effect and enforceability. The agreement shall be ratified by both parties to make it enforceable as per the law. The agreement shall describe the risks and the strategies that should be implemented to reduce them. The agreement should not be rigid, as it shall allow the PSO to retain adequate control over the outsourced activity as well as the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall describe the nature of the legal relationship between the parties, that is, whether agent, principal or otherwise. Some of the key points of the agreement are mentioned below:
Key points of the agreement
- To define the activity that has to be outsourced, including appropriate service provided to customers and performance standards.
- The PSO should have access to all books, records, and other relevant information of the outsourced activity that is available with the service provider.
- There shall be continuous monitoring and assessment by the PSO of the service provided so that in case of any error the rectification of that error should be taken instantaneously.
- The agreement shall include the termination clause of the service provider and minimum time to execute such provision if it is considered necessary.
- The service provider shall ensure that everything is under control. The customer data is safe and confidentiality has been maintained. The service provider would be held liable in case of any breach of security and leakage of such data related to customers.
- There should be a clause of contingency plans to ensure business continuity.
- The service provider would require prior validation of the PSO for use of subcontractors or secondary service providers by the primary service provider for all or part of an outsourced activity.
- The service provider would retain the PSO’s right to conduct an audit of transactions, whether by its internal or external auditors or by agents assigned to act on its behalf, as well as the right to obtain copies of any audit or review reports and findings made about the service provider in addition to the services performed for the PSO.
- The service provider shall add clauses stating the granting of permission to allow RBI or any other person appointed by it to access the PSO’s documents containing a record of transactions and other relevant information that was given to them. The information processed by the service provider should also be produced within a reasonable time.
- They shall keep clauses to recognize the right of RBI that they can conduct an inspection of a service provider of a PSO by one or more of its officers or employees or other authorized person appointed by the RBI and they can check any book of accounts.
- The ratifying clauses should be stated that would describe a clear obligation on any service provider to comply with directions given by RBI insofar as they involve activities of the PSO.
- The maintenance of the confidentiality of customer’s information even after the agreement expires or gets terminated.
- There should also be a clause for preserving documents and data by the service provider in accordance with the legal obligations of the PSO, and the PSO’s interests in this regard shall be protected even after the termination of the services.
Risk management system
The framework lays down some of the stringent guidelines in order to reduce the risk effectively and to improve the efficiency of the organization. The guidelines that are issued by the RBI to manage the risk is that the PSOs will not outsource any of their core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms.
The core management functions that are dealt with by the highest authoritative posts or senior management would include various types of management functions which also include payment system operations. For example, netting, and settlement, transaction management like reconciliation, reporting, and item processing for sanctioning it to merchants for acquiring, managing customer data, risk management, information technology, and information security management and other such activities.
There is a strict prohibition on the control of service providers by the PSO unless it is a group company of the PSO. If not then it will not be owned or controlled by any director or officer of the PSO or their relatives.
RBI’s concern about privacy issues
The PSO will have to adhere to the guidelines related to confidentiality and security of customer information, as this cannot be compromised at any cost. The PSO should ensure that the security and confidentiality of customer information is maintained and that it is safe in the custody or possession of the related service provider. In the event of any data-related mishap, the RBI should be notified about any kind of cyberattack, breach of security or data, and leakage of confidential information related to customers, the framework states.
In case of any such kind of discrepancies or such events, the PSO would be held liable to its customers for any kind of damages that are suffered by the customers. Further, the PSO should maintain a proper management structure to monitor and control its outsourcing activities.
In the case of offshore service providers, the PSO will also closely monitor government policies, political, social, economic, and legal conditions of the home country where the service provider is officially based in any kind of situation as it can be during the risk assessment process or on a continuous basis. It should establish sound and prudent procedures for dealing with country risk problems.
Outsourcing by the PSO
What are the risks involved
- Compliance risk
There are certain laws related to privacy, consumer, and prudential laws that every service provider is obliged to follow. They are required to work as per the law of the land. The risk is associated with laws that are not adequately complied with by the service providers. In other words, it is an organization’s potential exposure to legal penalties, financial forfeiture, and material loss resulting from its failure to act in accordance with the laws and regulations. This is also known as integrity risk.
- Concentration and systematic risk
Concentration risk defines the probability of loss arising from a lack of diversification, thus resulting in a lack of control by an individual PSO. Systematic risk describes the possible events at the company level that could trigger severe instability or can lead to the collapse of an entire industry or economy. The industry has considerable exposure to one service provider and individual PSOs may lack control over that monopolistic service provider.
- Contractual risk
The risk is associated with the unenforceability of the contract by the PSOs. The contract is mainly composed of two things. The first is the chance of facing losses as a result of the payment system not fulfilling the terms of the contract. The second is the chance of facing losses due to the nonfulfillment of conditions of the contract. The risk may arise when the PSO may not enforce the contract.
- Country risk
The risk of gain that can arise after investing in a particular country is commonly known as country risk. It further specifies the degree of risk up to which extent it can lead to losses. The uncertainty can lead to various factors such as political, social risk, economic risk, or legal climate risk.
- Cyber security risk
Cybersecurity risk is the risk of probable loss due to a cyberattack or breach of any data in the IT systems of an organization. There can be potential loss of data information, reputation, money, etc. The data is a significant part that holds customer information and other delicate information which can result in huge losses.
- Exit strategy risk
When PSO depends solely on one firm then it may lose its related skills internally and eventually after a span of time it will really come to regain the same skills. If the PSO has entered into any contracts with only one firm then its immediate exit would be highly expensive as the PSO cannot take easy exits. So, ultimately the risk associated with PSO would make speedy exit prohibitively expensive.
- Legal risk
This is the risk of financial or reputational losses that can be the result of unawareness, ambiguous situations, or any kind of wrongful acts. The risk can be in the form of fines, penalties, or positive damages that can be the result of supervisory actions for which the PSO would be liable to pay. This also includes the private settlements due to acts of omission and commission by the service providers.
- Operational risk
This risk arises due to any kind of technology failure, fraud, or inadequate financial capacity to execute due obligations and to provide remedies. In other words, it is the prospect of loss resulting from inadequate or failed procedures, policies, or systems.
- Reputation risk
Reputation is an integral part of any organization as it describes the status of its image in the public. A good reputation helps in earning the trust and confidence of the people. The risk of reputation can be a threat or danger to the established name of the PSO. If poor service is provided to the customer and there is a lack of customer interaction then its reputation can be at stake due to non-fulfillment of the standard expectations by the PSO.
- Strategic risk
Strategic risk can arise from internal as well as external events that create a hindrance in the path of strategic and objective goals. There can be several consequences of this risk in the long term. In other words, it arises where the service provider conducts business on its behalf in a way that can be inconsistent with the overall strategic goals of the PSO.
What does the policy say
The policy states that in order to outsource any of its payment and settlement-related activities, the PSO shall have a board-approved comprehensive outsourcing policy that has the authority over various types of activities and they shall have specified criteria for selection of such activities as well as service providers. The parameters for grading the criticality of outsourcing and delegation of authority depend upon the risks and critical factors and there should be established systems to monitor and review the operation of these activities.
How critical can outsourcing be
The PSO shall carefully analyze the need for outsourcing its processes and specifications. The outsourcing activities should be studied thoroughly and the selection of service providers shall be based on comprehensive risk assessment. The critical processes are those, if disrupted, shall have the potential to significantly impact the business operations, reputation, profitability, or customer service.
How to monitor and control outsourcing
- The top management structure of the PSO should identify, undertake, monitor, and control outsourcing activities. It shall ensure that the outsourcing agreement with the service provider contains provisions to address monitoring and control of the outsourced activities.
- There should be an assessment of regular audits by either the internal or external auditors of the PSO and its purpose will be to assess the adequacy of the risk management practices that must be implemented in overseeing and managing the outsourcing arrangements. Internal and external audits form part of the PSO’s compliance with its risk management framework.
- The PSO should review the financial and operational conditions of the service provider annually to assess whether it is capable of fulfilling its outsourcing obligations. This kind of due diligence review shall highlight any deterioration or breach in performance standards, confidentiality and security, and business continuity preparedness.
- In case any outsourcing agreement is terminated for any reason and the service provider deals with customers, the termination shall be given due publicity by the PSO, and it should be formally published in a statement informing the customers about the termination of the agreement so as to ensure that they stop dealing with the concerned service provider.
- There can be certain cases like outsourcing of cash management that may involve reconciliation of transactions between the PSO and the service provider as well as its subcontractors if any. In such cases, PSO shall ensure that this reconciliation process is carried out in a timely manner.
- A strong system of internal audit of all outsourced activities shall be put in place and monitored by the board of the PSO. The PSO is expected to share all its reports with RBI as part of its regulatory requirements.
- If the PSO is required for maximum utilization then a conglomerate, arm's-length transactions shall be executed with clear-cut policies without compromising on the quality of customer service. The proper maintenance of books and records, periodical inspections that can be both internal and external, as well as enabling RBI to undertake a systematic overview of the total operations, are expected.
The RBI plays a remarkable role as it is the government authority holding the trust of the customers. So, one has an expectation from RBI that it will strictly monitor and regulate the payment settlement systems, operators, and service providers. The system contains personal and financial information that is extremely delicate for its customers. Thus, from the details stated above it can be readily mentioned that RBI is strict regarding the payment and settlement system and no part can be compromised in any situation. Strict actions should be undertaken in case of any adverse functions by anybody.