Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

Introduction

Outsourcing in NBFCs involves using third parties to perform activities traditionally handled by the NBFC itself. This can be done within the same corporate group or with external entities. Outsourcing is common in NBFCs for various activities, leading to exposure to different risks. These activities, including processing applications, document handling, and data processing, need regulatory oversight to protect customer interests and ensure access to relevant information by the NBFC and the Reserve Bank.

Outsourcing involves several risks such as strategic, reputation, compliance, operational, legal, and others. Failures or breaches by the service provider can lead to significant losses or reputational damage for the NBFC and may pose systemic risks.

NBFCs must manage these risks effectively through robust risk management practices. These instructions apply to material outsourcing arrangements, whether the service provider is located in India or abroad, and whether they are part of the same group or external.

The principles behind these instructions ensure that outsourcing does not hinder an NBFC’s obligations or supervisory effectiveness. NBFCs must ensure that service providers maintain high standards of service. Outsourcing should not weaken internal control or business conduct. These instructions do not cover technology-related issues or non-financial services like courier or janitorial services. NBFCs do not need prior approval from the Reserve Bank for outsourcing financial services but are subject to monitoring and inspection.

Specific instructions for credit card services are outlined in the Reserve Bank’s ‘Master Direction – Credit Card and Debit Card – Issuance and Conduct Directions, 2022’.

Activities that Shall Not be Outsourced

NBFCs must not outsource core management functions like internal audit, strategic and compliance functions, and key decision-making processes. However, within a group, these functions can be outsourced with compliance to specific instructions.

Material Outsourcing

Material outsourcing arrangements are those that significantly impact business operations, reputation, profitability, or customer service. The materiality of outsourcing depends on the importance and risk of the activity, its impact on the NBFC, and factors like cost, exposure to the service provider, and significance in customer service and protection.

NBFC’s Role and Regulatory and Supervisory Requirements

NBFCs retain ultimate responsibility for outsourced activities. They must ensure compliance with laws, regulations, and customer rights. Service providers should not hinder the NBFC’s oversight or the Reserve Bank’s supervisory functions. A robust grievance redress mechanism is essential. Service providers, if not part of the NBFC group, should not be controlled by any NBFC director or their relatives.

Risk Management Practices for Outsourced Financial Services

Outsourcing Policy

NBFCs planning to outsource financial activities must have a comprehensive policy approved by their Board. This includes criteria for selecting activities and service providers, risk assessment, and monitoring systems.

Role of the Board and Senior Management

The Board is responsible for approving risk evaluation frameworks, setting approval authorities, and reviewing outsourcing strategies. Senior management must implement policies, ensure compliance, and manage risks effectively.

Evaluation of the Risks

NBFCs must evaluate risks like strategic, reputation, compliance, operational, legal, exit strategy, counterparty, contractual, concentration and systemic, and country risks.

Evaluating the Capability of the Service Provider

Due diligence is crucial in assessing the service provider’s capability. This includes evaluating their financial, operational, and reputational factors, compatibility with the NBFC’s systems, and performance standards.

The Outsourcing Agreement

Contracts with service providers must be well-defined, legally vetted, and address all risks. They should allow the NBFC to maintain control and intervene when necessary. Key provisions should include service definitions, access to information, monitoring arrangements, data confidentiality, contingency plans, and audit rights.

Confidentiality and Security

NBFCs must ensure the security and confidentiality of customer information with the service provider. Regular monitoring of the service provider’s security practices is necessary. Any security breach must be reported to the Reserve Bank.

Responsibilities of Direct Sales Agents (DSA)/Direct Marketing Agents (DMA)/Recovery Agents

NBFCs must ensure that these agents are well-trained and adhere to a code of conduct. They should not engage in intimidating or harassing debt collection practices. Specific guidelines apply to microfinance loans.

Business Continuity and Management of Disaster Recovery Plan

Service providers must have robust business continuity and recovery plans. NBFCs should ensure control over outsourcing and have contingency plans for emergencies.

Monitoring and Control of Outsourced Activities

NBFCs must monitor and control outsourcing through a management structure, regular audits, and financial reviews of the service provider. They should maintain records of all material outsourcing arrangements.

Redress of Grievances related to Outsourced Services

NBFCs must have a grievance redressal mechanism for issues related to outsourced services. They should respond to customer complaints within a specified timeframe.

Reporting of Transactions to FIU or Other Competent Authorities

NBFCs are responsible for reporting currency and suspicious transactions related to outsourced activities to the Financial Intelligence Unit or other authorities.

Outsourcing within a Group/Conglomerate

NBFCs must have a Board-approved policy for outsourcing within their group. Customers should be clearly informed about the entity offering the product or service. Risk management practices for outsourcing to related parties should be the same as for external parties.

Off-shore Outsourcing of Financial Services

Off-shore outsourcing exposes NBFCs to country risk. They must manage this risk by monitoring conditions in the service provider’s country and establishing contingency plans. Off-shore outsourcing should not hinder the Reserve Bank’s supervisory ability or the NBFC’s operations in India.

Introduction to RBI – NBFC Scale Based Regulation

Regulations applicable for NBFC-BL

Regulations applicable for NBFC-ML

Regulatory Instructions for NBFC-UL

Directions for NBFC – Micro Finance MFIs

Specific Directions for NBFC-Factors and NBFC-ICCs

Specific Directions for Infrastructure Debt Funds IDFs-NBFC

Scoring Methodology for Identification of NBFC as NBFC-UL

Regulatory Guidance on Implementation of Ind AS by NBFCsv

Norms on Restructuring of Advances by NBFCs

Early Recognition of Financial Distress

Flexible Structuring of Long Term Project Loans to Infrastructure and Core Industries