RBI said PSOs cannot outsource core management functions, including risk management and internal audit, compliance and decision-making functions such as determining compliance with KYC norms.
The Reserve Bank of India (RBI) on August 3 announced a framework for Payment Systems Operators with respect to outsourcing payment and settlement activities to other entities.
As part of this, the RBI said PSOs cannot outsource core management functions including risk management and internal audit, compliance and decision-making functions such as determining compliance with KYC norms.
Core management functions include management of payment system operations such as netting and settlement, transaction management including reconciliation, reporting and item processing, managing customer data, risk management, information technology and information security management, etc.
However, while the internal audit function itself is a management process, the auditors for this purpose can be appointed by the PSO from its own employees or from the outside on contract, the RBI said.
The RBI had first announced the plan during the monetary policy announcement on 5 February, 2021 with a view to enabling effective management of attendant risks in outsourcing of payment and settlement activities.
The RBI said PSOs need to carefully evaluate the need for outsourcing their critical processes and activities, as well as the selection of service providers based on comprehensive risk assessment. “The critical processes are those, which if disrupted, shall have the potential to significantly impact the business operations, reputation, profitability and / or customer service,” the RBI said.
Even if PSOs outsource activities, the liability for the actions of service providers will remain ultimately with the PSOs, the RBI said, adding that the outsourcing arrangements should not affect the rights of a customer of a payment system against the PSO to avail grievance redressal as applicable under the relevant laws.
The RBI has outlined the role and responsibilities of the Board and senior management in implementing the framework and reviewing periodically the effectiveness of the policies and procedures. The RBI said the PSO should regularly review and monitor the security practices and control processes of the service provider and require the service provider to disclose security breaches.
Further, PSOs should ensure that the direct sales agents are properly trained to handle their responsibilities with care and sensitivity, particularly for aspects such as soliciting customers, hours of calling, privacy of customer information, conveying the correct terms and conditions of the products on offer, etc. To this extent, the PSOs need to put in place a board-approved code of conduct for DSAs and obtain their undertaking to abide by the same, the RBI said.
Other important features of the new framework include the need for a robust system of internal audit of all outsourced activities. The RBI said PSOs must engage with all participants in a payment transaction chain to encourage them to implement this framework in letter and spirit.