Background
In 2020, the Reserve Bank of India (RBI) issued guidelines to regulate payment aggregators and payment gateways. The existing framework mandates banks and NBFCs to follow various rules for outsourcing of financial services, which include, among others, conducting due diligence of service providers, evaluating the risk and capability of service providers, and monitoring and controlling the outsourced activities.
Along the same lines, on August 3, 2021, the RBI released a framework (New Framework) to regulate the outsourcing of payment and settlement-related activities by non-bank Payment System Operators (non-bank PSOs), including card networks and prepaid payment instrument companies operating in India. The non-bank PSOs will have to comply with the New Framework by March 31, 2022.
In this update, we discuss the key compliance requirements under the New Framework and the implications on payment companies.
Applicability
The New Framework will be applicable to all non-bank PSOs outsourcing payment and settlement-related activities to service providers and third-party operators. More importantly, the New Framework will apply even to service providers to non-bank PSOs who operate from outside India.
Key provisions
The key provisions of the New Framework are:
- Prohibited activities – Non-bank PSOs will not be allowed to outsource core management functions, including risk management, internal audit or decision-making functions such as compliance with KYC norms, to third-party service providers. Further, non-bank PSOs that have outsourced their customer grievance redressal function will have to provide their customers with direct access to their respective nodal officers so that customers can raise complaints with the nodal officers if needed. The distinction between permissible and prohibited outsourcing activities will give greater clarity to non-bank PSOs on how to conduct their operations in India.
- Monitoring and control – Non-bank PSOs will have to exercise full control over the outsourced activity and will be held liable for any non-compliances in respect of the outsourced activities undertaken by the service providers. Further, non-bank PSOs will have to exercise ongoing diligence on the service provider and ensure that the service provider complies with all applicable laws.
- Board and management responsibilities – The board of the non-bank PSO and its senior management will have to periodically review the outsourcing policies, evaluate risks, and ensure that sufficient measures are taken by service providers in complying with the New Framework.
- Outsourcing policy and agreement – Non-bank PSOs will need a board-approved outsourcing policy and a well-defined outsourcing agreement in place. Further, the New Framework also sets out some clauses that should be incorporated in the outsourcing agreement, inter alia:
- Customer confidentiality and security – Non-bank PSOs will have to ensure confidentiality of customer data and regularly monitor the security practices of service providers. Further, non-bank PSOs will have to ensure that data localization requirements are complied with by the service providers.
- Business continuity and risk mitigation plans – Non-bank PSOs will have to ensure that service providers have the framework and contingency plan for business continuity and data recovery.
- Outsourcing within group entities and offshore outsourcing restrictions –
- Non-bank PSOs will have to ensure that group entities also comply with the New Framework.
- Non-bank PSOs will have to inform customers about any activities performed by a group entity.
- Non-bank PSOs outsourcing the payment and settlement activities to offshore entities will carefully have to assess the risks involved and ensure that customer data is adequately protected.
The additional requirements in the New Framework on outsourcing within the group and outsourcing to offshore entities are a step to ensure that group and offshore entities ensure customer data protection and all related compliances. However, this move will impact the operations of existing payment companies and hinder technological advancements in the industry.
Conclusion
The New Framework will play a major role in regulating non-bank PSOs in India and mitigate the risks emanating from outsourcing of core activities by non-bank PSOs. At the same time, it will significantly increase the compliance burden for these companies.
Although the RBI is correct in protecting consumer interest, the regulatory approach towards fintech companies should be balanced to encourage new players and sustain the growth of existing non-bank PSOs in India.
The recent RBI action against Mastercard (see update) has created a lot of uncertainty, which should be avoided going forward.
About the Author
N. Raja Sujith has more than 23 years of experience in corporate and commercial law, including foreign investment, technology, outsourcing, joint ventures, M&A, restructuring and insolvency, and real property law. He also represents private equity and venture capital funds, and start-up companies in their financial investments, due diligence, and documentation. He has been recognized as one of the leading corporate/M&A practitioners in India. He has co-authored this update with Sinjini Majumdar, Associate at Majmudar & Partners.
Swati Agrawal is an Associate at Majmudar & Partners.