NFBCs which work under asset light model or with limited bandwidth often tend to outsource both their core and non-core functions. Accordingly, outsourcing as an activity holds significant relevance in the context of NBFC and Fintech space as, unlike any other sector, the Reserve Bank of India has outlined specific guidelines around the same to regulate the increasing instances of outsourcing which affects huge customer base due to the nature of activity and outreach of institutions engaged in providing credit facilities to every section of the economic strata.
The Reserve Bank of India, in recent times, has increased its vigilance to access NBFCs adherence to the outsourcing regulations. The same is evident from some of its recent orders, where it has not only rebutted NBFCs for flouting outsourcing norms but barred it from outsourcing the activities in question.
Outsourcing of various financial and non-financial activities by NBFCs in both traditional and digital lending-recovery process has been a matter of concern for the apex bank which came into the limelight more specifically during the COVID-19 pandemic, when the market was flooded with host of money lending apps to lure people to borrow money at low interest rates with zero or minimal collateral. Such outsourced agencies being outside the direct purview or control of RBI, felt free to resort to practices as per their own will. This however resulted in undue hardship to the borrowers and breach of other directions which were in contrast to guidelines prescribed by the RBI for NBFCs and lenders engaged in the activity of providing credit.
In this article we aim to highlight the various provisions enumerated by the Reserve Bank of India, to curb the widespread malpractices prevalent in the industry by the outsourced agencies engaged by NBFCs and Fintechs.
Let us first understand what exactly is meant by ‘outsourcing’ in the context of NBFCs. RBI defines ‘Outsourcing’ as the NBFCs use of third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future where ‘continuing basis’ includes agreements for a limited period.
The regulations outlined by RBI w.r.t outsourcing across all categories of NBFCs, can broadly be classified into following categories on the basis of the outsourced activity and mode of outsourcing:
- Outsourcing of financial activity
- Outsourcing of information technology services
- Outsourcing over digital lending platforms
- Outsourced activities related to credit cards
Key guidelines to be followed under each head are outlined below:
- core management functions including Internal Audit, Strategic and Compliance function and Decision-making functions such as KYC, loan sanctions, can’t be outsourced.
- formulation of Board approved policy and its contents thereof
- implementation of robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing and in no way affects the ability of the customer to obtain redress as applicable under relevant laws
- responsibility of Board/committees and senior management w.r.t evaluation of various risks arising out of such arrangements, undertaking periodic review, ensuring contingency plan, defining approval authority etc.
- evaluating the capability of the service provider by performing appropriate due diligence to access the capability of the service provider to comply with the obligations in the outsourcing agreement
- preservation and protection of security and confidentiality of customer information in the custody or possession of the service provider
- business continuity and disaster recovery plan of service provider
- maintaining appropriate level of control and right to intervene in the outsourcing activity
- ensuring that the DSA/DMA/Recovery Agents are properly trained to handle their responsibilities as per the Fair Practice Code and Code of Conduct defined for them
- annual review of the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations including ensuring that the service provider is not owned or controlled by any director of the NBFC or their relatives
- ensuring sound and responsive risk management practices for effective oversight, due diligence and management of risks arising out of such outsourced activities.
- managing various risks and monitoring in off-shore outsourcing arrangements
- outsourcing within a group/conglomerate
- Storage, computing and movement of data in cloud environments
- Cloud service management and management and security considerations
- Disaster recovery and cyber resilience
- Outsourcing of security operations center
- names of digital lending platforms engaged as agents shall be disclosed on the website of the NBFC
- digital lending platforms engaged as agents shall be directed to disclose upfront to the customer, the name of the NBFC on whose behalf they are interacting with him
- sanction letter should be issued to the borrower on letterhead of the NBFC concerned immediately after sanction but before execution of the loan agreement
- a copy of loan agreement along with a copy each of all enclosures quoted in the loan agreement shall be furnished to the borrowers at the time of sanction / disbursement of loans
- effective oversight and monitoring shall be ensured over digital lending platform engaged by the NBFC
- adequate efforts must be made towards creation of awareness about the grievance redressal mechanism
- NBFCs which outsource the various credit card operations have to be extremely careful that the appointment of such service providers does not compromise with the quality of the customer service and the NBFC’s ability to manage credit, liquidity and operational risks. In the choice of the service provider, NBFCs have to be guided by the need to ensure confidentiality of the customer’s records, respect customer privacy, and adhere to fair practices in debt collection.
- NBFC should ensure that the DSAs engaged by them for marketing their credit card products scrupulously adhere to its own Code of Conduct for credit card operations which should be displayed on its website and be available easily to any credit card holder.
- NBFC should have a system of random checks and mystery shopping to ensure that their agents have been properly briefed and trained in order to handle with care and caution their responsibilities, particularly in the aspects like soliciting customers, hours for calling, privacy of customer information, conveying the correct terms and conditions of the product on offer, etc.
Outsourced financial services include applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others. The norms defined for outsourcing of financial activities excludes technology related issues and activities not related to financial services viz. courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc.
The guidelines are detailed under the following heads detailing the responsibility of NBFCs:
In addition to the guidelines specified for outsourcing of financial activities above, following additional specific guidelines related to the following to be adhered:
However, the guidelines for outsourcing of IT services as enumerated above are in the form of draft directions as on today.
NBFCs which engage digital lending platforms as their agents to source borrowers or to recover dues, must follow the following instructions:
While outsourcing can also result in economies of scale, cost reduction and efficient operations but NBFCs shall keep in mind that the onus of compliance with regulatory instructions rests solely with them, hence they should not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened.