Under the framework, PSOs will not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms.
The Reserve Bank on Tuesday came out with a detailed framework for outsourcing of activities by Payment System Operators (PSOs) with a view to mitigate risks and ensure continuity of service.
Under the framework, PSOs will not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms. Also, a PSO will be required to carefully evaluate the need for outsourcing its critical processes and activities, as well as selection of service providers based on comprehensive risk assessment.
The RBI has also clarified that outsourcing of any activity by the PSO will not reduce its obligations, and those of its board and senior management, who will ultimately be responsible for the outsourced activity. “The PSO shall, therefore, be liable for the actions of its service providers and shall retain ultimate control over the outsourced activity,” the framework said.
The outsourcing arrangements, it added, will not affect the rights of a customer of a payment system against the PSO, as well as those of a payment system participant against the PSO. The PSOs, by virtue of services they provide and the construct of models on which they operate, largely outsource their payment and settlement-related activities to various other entities, RBI said. The framework has been issued in order to enable effective management of attendant risks in outsourcing of such activities.
Outsourcing is defined as use of a third party (service provider) to perform activities on a continuing basis that would normally be undertaken by the PSO itself, now or in the future.
As per the framework, a PSO which has outsourced its customer grievance redressal function must also provide its customers the option of direct access to its nodal officials for raising and / or escalating complaints. Also, the PSO should have a board-approved comprehensive outsourcing policy. The framework also lists out the role of the board and responsibilities of the senior management.
The service provider will also have to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures arising out of any outsourced activity, it added.