Regulation of outsourcing finally extended to NBFCs

By Shruti Rajan and Rutu Gandhi, Cyril Amarchand Mangaldas

Outsourcing has become increasingly complex. The world over, laws and regulatory frameworks have been put in place to permit execution and management to take place outside, while ensuring that the key risks and responsibilities continue to remain within the domain of the regulated entity.

While outsourcing has been a regulated activity for banks and insurance companies in India for a long time, it has remained an unregulated activity in respect of non-banking financial companies (NBFCs).

NBFCs typically outsource financial services such as processing of loan applications and documentation, loan supervision, research and marketing, and data processing and back-office related activities. To address concerns arising on account of the reputational or operational risks associated with such activities, and to introduce a framework for regulating the outsourcing of activities by NBFCs, the Reserve Bank of India (RBI) on 9 November 2017 notified the Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Service by NBFCs.

The directions apply to material outsourcing arrangements entered into by an NBFC with a service provider within India or abroad. Material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the NBFC’s business operations, reputation, profitability or customer service. NBFCs are now subject to a higher compliance threshold and are expected to play a more proactive role in terms of supervision and risk management vis-à-vis outsourcing. In brief, NBFCs are now required to put in place a comprehensive mechanism to ensure that outsourcing activities affect neither their ability to fulfil their obligations to clients and to the regulator, nor the regulator’s ability to effectively supervise such an arrangement.

Any activity which has the potential to impede the ability of an NBFC to maintain its financial viability and obligations to its clients is of particular concern to the RBI. Accordingly, the directions clarify that NBFCs are precluded from outsourcing core management functions, including internal audit (internal auditors may be on contract), strategic and compliance functions, and decision-making functions (such as determining compliance with know-your-customer norms for opening deposit accounts, granting loans and managing investment portfolios).

The directions also specify requirements for NBFCs to outsource financial activities within their group. These include a board-approved policy, appropriate service-level agreements, adequate communication to customers (where applicable), etc. The documentation with respect to such arrangements is also required to adhere to the prescribed norms.

On account of the cross-border risks pertaining to data privacy, confidentiality, exit options and supervision, etc., the compliance requirements are stricter for offshore outsourcing of financial services. Where the offshore service provider is a regulated entity, such outsourcing arrangements are subject to additional compliances.

The directions have been introduced for operational efficiencies. Outsourcing does not take away from an NBFC’s liabilities and obligations. The NBFC, its board and senior management retain responsibility in respect of outsourced activities and are answerable for the acts of their service providers. While contemplating or renewing an outsourcing arrangement, an NBFC is required to ensure that the service provider can comply with the specified obligations and deal with contingencies. The directions require that outsourcing be done pursuant to a contract and also specify the key provisions that must be incorporated in such contracts.

The emphasis of the directions is on protection of the security and confidentiality of customer information, disaster recovery management, supervision and segregation of information. In addition, NBFCs are required to submit to audits on an ongoing basis so as to assess the adequacy of their risk management procedures.

Although the directions were issued in final form more than two years after they were issued as a draft, the principles they embody have largely been industry norms, especially among financial conglomerates with other regulated businesses. However, the directions have brought clarity and certainty on the regulator’s thinking and the need to align processes. The directions also are likely to have an impact on smaller entities, startups and peer-to-peer lending NBFCs, which will need to revise their business plans to fulfil the specific requirements and ensure that they have in-house structure in place to service core business and risk management functions.

Cyril Amarchand Mangaldas is India’s largest full-service law firm. Shruti Rajan is a partner and Rutu Gandhi is a senior associate at the firm.
