What changed
RBI released a formal framework for outsourcing payment and settlement-related activities by non-bank PSOs, effective from August 3, 2021. It sets minimum standards to manage risks like compliance, concentration, cyber security, and exit strategy. All existing outsourcing arrangements must be compliant by March 31, 2022.
What it means for you
Non-bank PSOs must now adhere to strict guidelines when outsourcing core payment functions, including customer onboarding and IT services. This increases operational oversight and due diligence requirements, potentially raising compliance costs. Banks dealing with PSOs should ensure their partners meet these standards to avoid systemic risks.
What you must do
- Review all existing outsourcing contracts for payment and settlement activities against the new framework.
- Ensure compliance with the framework by March 31, 2022, including for sub-contractors.
- Assess and mitigate risks such as concentration, cyber security, and exit strategy in outsourcing arrangements.
- Verify that service providers are not owned or controlled by directors or officers of the PSO, unless they are group companies.
Who it affects
- Non-bank Payment System Operators (PSOs)
- Service providers, including vendors, payment gateways, agents, and consultants
- Banks and financial institutions partnering with PSOs
Does this framework apply to all outsourcing by PSOs?
No, it applies only to payment and settlement-related activities, including incidental ones like customer onboarding and IT services. Internal administration or housekeeping functions are excluded.
What is the deadline for compliance?
All outsourcing arrangements, including existing ones, must comply with the framework by March 31, 2022.
Does the framework apply to service providers outside India?
Yes, it applies to service providers located in India or elsewhere, as per the circular.