RBI has invited comments on the draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services. These Directions shall be applicable to the following entities, unless specifically mentioned otherwise:
- All Commercial Banks [including Local Area Banks (LABs), Regional Rural Banks (RRBs), Payments Banks (PBs), and Small Finance Banks (SFBs)];
- All-India Financial Institutions (AIFIs) (viz. Exim Bank, NABARD, NHB, SIDBI, and NaBFID);
- All Non-Banking Financial Companies (NBFCs) including Housing Finance Companies (HFCs);
- All Urban Co-operative Banks (UCBs), State Co-operative Banks (StCBs), and Central Co-operative Banks (CCBs); and
- All Credit Information Companies (CICs).
Some of the key risks in outsourcing that need to be evaluated by the REs are:
(i) Compliance Risk – Privacy, confidentiality and statutory laws/prudential regulations not adequately complied with by the service provider.
(ii) Concentration and Systemic Risk – Due to lack of control of individual REs over a service provider, more so when the overall banking/financial services industry has considerable exposure to one service provider.
(iii) Contractual Risk – Arising from whether or not the RE has the ability to enforce the contract.
(iv) Counterparty Risk – Arising due to non-adherence by the service providers to the performance requirements (e.g., submission of incorrect data on borrowers’ income level may lead to inappropriate underwriting or credit assessments by the RE).
(v) Country Risk – Due to economic, political, social or legal climate thereby creating added risks when the service provider is a foreign-based entity, or the outsourcing happens in a foreign country.
(vi) Exit Strategy Risk – Could arise from over-reliance on one firm, the loss of relevant skills in the RE itself preventing it from bringing the activity back in-house, and where the RE has entered into contracts wherein speedy exits would be prohibitively expensive or disruptive.
(vii) Legal Risk – Includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to commissions and omissions of the service provider.
(viii) Operational Risk – Arising due to technology failure, error, fraud, inadequate processes, and lack of financial capacity to fulfil obligations and/or provide remedies.
(ix) Reputation Risk – Poor service from the service provider, and its customer interaction not being consistent with the overall standards of the RE, or failure in preservation and protection of confidential customer information.
(x) Strategic Risk – Conduct of business by the service provider in a manner inconsistent with the overall strategic goals of the RE.
Comments / Feedback, if any, may be sent by email with the subject line “Comments on draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services”, by November 28, 2023.