RBI publishes standards for payment outsourcing, PSO settlement activity
The Reserve Bank of India (RBI) has developed a framework setting minimum standards for managing the risks associated with the outsourcing of payment and settlement activities by non-bank payment system operators (PSOs), which must comply with it by March 31, 2022.
The central bank said PSOs must have policies approved by the board of directors for outsourcing these activities. The PSO board should also undertake periodic reviews of the outsourcing policy, strategies and arrangements to ensure their relevance, security and soundness.
In a circular issued Tuesday, the RBI said: “PSOs should not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC standards.”
In addition, when reviewing or renewing an outsourcing agreement, the PSO should enter into an agreement that gives it the flexibility to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations.
The agreement must also give the PSO access to all books, records and information relating to the outsourced activity that are available from the service provider, as well as the right to audit the service provider. It should also contain clauses allowing the RBI to request an inspection of the service provider’s accounts.
The RBI has stated that by outsourcing any activity to a third-party service provider, a PSO cannot wash its hands of the obligations of the outsourced activity. “The PSO will therefore be responsible for the actions of its service providers and will retain ultimate control over the outsourced activity,” the RBI said.
“Outsourcing agreements will not affect the rights of a customer of a payment system against the PSO, as well as those of a participant in the payment system against the PSO, including its ability to invoke a remedy in accordance with the relevant laws,” said the RBI.
The central bank, stressing the importance of security and confidentiality of customer information, said the PSO must immediately notify the RBI of any security breaches and leaks of confidential customer information. “In such eventualities, the PSO would be liable to its customers for any damage,” the RBI said.
In addition, the third-party service provider to which payment and settlement activities have been outsourced by the PSOs must be able to isolate and clearly identify the client information, documents, records and assets of the PSOs in order to protect their confidentiality. “When the service provider acts as an outsourcing agent for multiple PSOs, there should be strong safeguards (including encryption of customer data) to avoid the mixing of information, documents, records and assets of different PSOs,” the RBI said.