+91-9825600907

The Reserve Bank of India has formalised the framework for payment companies outsourcing payment and settlement related activities to third party operators. The central bank’s fresh guidelines come at a time when India’s tech ecosystem has seen several high-profile cyber attacks such as those at Juspay, Upstox and Mobikwik over last year targeting customers’ payments data.

As per the new rules, licensed non-bank Payment System Operators (PSOs), cannot outsource core management functions, including internal audits, and compliance with KYC norms to third-party service providers.

As defined by the central bank, core management functions include management of payment system operations such as netting and settlement, transaction management including reconciliation, reporting and item processing, managing customer data, risk management, information technology Security management etc.

The central bank also added that the board of payment companies must “carefully evaluate” the need for outsourcing responsibilities.

“The PSO shall carefully evaluate the need for outsourcing its critical processes and activities, as well as selection of service provider(s) based on comprehensive risk assessment,” the central bank said. “The critical processes are those, which if disrupted, shall have the potential to significantly impact the business operations, reputation, profitability and / or customer service.”

The new rules also state that the liability of third-party losses would fall on the relevant board members and senior management of licensed payment operators. “Outsourcing of any activity by the PSO shall not reduce its obligations, and those of its board and senior management, who are ultimately responsible for the outsourced activity,” the central bank said.

The RBI had first announced the plan during the monetary policy announcement on 5 February 2021 with a view to enable effective management of attendant risks in outsourcing of payment and settlement activities.

“The resilience of the digital payment ecosystem to operational risks needs to be constantly upgraded,” RBI Governor Shaktikanta Das had said during his February MPC address.

“A potential area of operational risk is associated with outsourcing by payment system operators and participants of authorised payments systems,” he added. “To manage the attendant risks in outsourcing and ensure that code of conduct adhered to while outsourcing payment and settlement related service, RBI shall issue guidelines on outsourcing of such services by these entities,” RBI Governor has said.

In addition, the central bank has also asked non-bank PSOs to have clear contractual specifications on responsibilities being outsourced as well as conduct its own due diligence on technology and legal compliances when working with relevant third-party companies.

 

You cannot copy content of this page

error: