RBI/2021-22/64 DOR.ORG.REC.27/21.04.158/2021-22 June 28, 2021 The Chief Executive Officer All Co-operative Banks Madam / Dear Sir, Guidelines for Managing Risk in Outsourcing of Financial Services by Co-operative Banks It is observed that the co-operative banks are increasingly using outsourcing as a means for reducing costs as well as for availing specialist expertise, where these are not available internally. 2. While it is entirely the banks’ prerogative to take a view on the desirability of outsourcing a permissible activity having regard to all relevant factors, including the commercial aspects of the decision, such outsourcing results in banks being exposed to various risks. To enable the co-operative banks to put in place necessary safeguards for addressing the risks inherent in outsourcing of activities, guidelines on managing risks in outsourcing are given in Annex. 3. Co-operative banks are advised to conduct a self-assessment of their existing outsourcing arrangements and bring the same in line with these guidelines within a period of six months from the date of issue of this circular. Yours faithfully (Sunil T. S. Nair) Chief General Manager Annex Guidelines on Managing Risks in Outsourcing of Financial services by Co-operative Banks Introduction 1.1 'Outsourcing' is defined as use of a third party to perform activities on a continuing basis that would normally be undertaken by a co-operative bank itself, now or in the future. 'Continuing basis' would include agreements for a limited period. 1.2 These guidelines are intended to provide direction and guidance to co-operative banks to adopt sound and responsive risk management practices for effective oversight, due diligence and management of risks arising from outsourcing activities. 1.3 The underlying principles behind these guidelines are that the co-operative bank should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI, nor impede effective supervision by Reserve Bank of India (RBI)/ National Bank for Agriculture and Development (NABARD)1. Co-operative banks, therefore, have to take steps to ensure that the service provider employs the same high standard of care in performing the services as would be employed by them, if the activities were conducted by the banks and not outsourced. Accordingly, co-operative banks should not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened. 1.4 These guidelines are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues as also activities not related to financial services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc. Co-operative banks which desire to outsource would not require prior approval from RBI / NABARD. However, such arrangements would be subject to on-site / off-site monitoring and inspection/scrutiny by RBI / NABARD. 2. Activities that shall not be outsourced Co-operative banks which choose to outsource financial services, however, shall not outsource core management functions including policy formulation, internal audit and compliance, compliance with KYC norms, credit sanction and management of investment portfolio. However, where required, experts, including former employees, could be hired on a contractual basis subject to the Audit Committee of Board/Board being assured that such expertise does not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function. 3. Material Outsourcing During Inspections/ scrutinies, RBI / NABARD will review the implementation of these guidelines to assess the quality of related risk management systems particularly in respect of material outsourcing. Material outsourcing arrangements are those, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability of co-operative banks. Materiality of outsourcing would be based on:- -
The level of importance to the co-operative bank of the activity being outsourced as well as the significance of the risk posed by the same; -
The potential impact of the outsourcing by the co-operative bank on various parameters such as earnings, solvency, liquidity, funding capital and risk profile; -
The likely impact on the co-operative bank’s reputation and brand value, and ability to achieve its business objectives, strategies and plans, should the service provider fail to perform the service; -
The cost of the outsourcing as a proportion of total operating costs of the co-operative bank; -
The aggregate exposure to that particular service provider, in cases where the co-operative bank outsources various functions to the same service provider; -
The significance of activities outsourced in context of customer service and protection. 4. Co-operative bank's role 4.1 The outsourcing of any activity by a co-operative bank does not diminish its obligations, and those of its Board and CEO along with the Management, who have the ultimate responsibility for the outsourced activity. Co-operative banks shall, therefore, be responsible for the actions of their service provider including actions of the Business Correspondents and their retail outlets / sub-agents and the confidentiality of information pertaining to the customers that is available with the service provider. The bank shall retain ultimate control of the outsourced activity. 4.2 The co-operative banks shall consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration when performing its due diligence in relation to outsourcing. 4.3 The grievance redressal mechanism of co-operative banks should not be compromised on account of outsourcing. Outsourcing arrangements shall not affect the rights of a customer against the co-operative bank, including the ability of the customers to redress their grievances as applicable under relevant laws. 4.4 Outsourcing shall not impede or interfere with the ability of a co-operative bank to effectively oversee and manage its activities nor should it impede RBI / NABARD in carrying out its supervisory functions and objectives. 4.5 The service provider should not be owned or controlled by any director or officer/employee of the co-operative bank or their relatives having the same meaning as assigned under the Companies Act, 2013 and the Rules framed thereunder from time to time. 5. Risk Management practices for outsourcing 5.1 Outsourcing Policy A co-operative bank intending to outsource any of its financial activities shall put in place a comprehensive outsourcing policy, approved by its Board, which incorporates, inter alia, criteria for selection of such activities as well as service providers, parameters for defining material outsourcing based on the broad criteria indicated in para 3, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities. 5.2 Role of the Board of Directors (Board), and CEO along with the Senior Management 5.2.1 The Board, and CEO along with the Senior Management shall be ultimately responsible for outsourcing operations and for managing risks inherent in such outsourcing relationships. The Board and CEO along with the Management shall have the responsibility to institute an effective governance mechanism and risk management process for all outsourced operations. The Board shall be responsible, inter alia, for: - -
Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements; -
Laying down appropriate approval authorities for outsourcing depending on risks and materiality; -
Undertaking regular review of the framework for its efficacy and update the same to ensure that the outsourcing strategies and arrangements have continued relevance, effectiveness, safety and soundness; -
Deciding on business activities of a material nature to be outsourced and approving such arrangements; -
Assessment of management competencies to develop sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements; and -
Setting up suitable administrative framework of management for the purpose of these guidelines. 5.2.2 Chief Executive Officer (CEO) and Senior Management of the bank shall be responsible for: -
Evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board; -
Developing and implementing sound and prudent procedures commensurate with the nature, scope and complexity of the outsourcing; -
Reviewing periodically the effectiveness of policies and procedures; -
Communicating information pertaining to material outsourcing risks to the Board in a timely manner; -
Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested; -
Ensuring that there is independent review and audit for compliance with set policies; and -
Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks. 5.3 Evaluation of the Risks The indicative key risks in outsourcing that need to be evaluated by the co-operative banks are: - -
Strategic Risk – The service provider may conduct business on its own behalf, which is inconsistent with the overall strategic goals of the bank. -
Reputation Risk - Poor service from the service provider, its customer interaction not being consistent with the overall standards of the bank, or failure in preservation and protection of confidential customer information. -
Compliance Risk - Privacy, consumer and prudential laws not adequately complied with. -
Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/or provide remedies. -
Legal Risk - Includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider. -
Exit Strategy Risk - This could arise from over-reliance on one firm, the loss of relevant skills in the bank itself preventing it from bringing the activity back in-house and where the bank has entered into contracts wherein speedy exits would be prohibitively expensive. -
Counterparty Risk - Due to inappropriate underwriting or credit assessments. -
Contractual Risk – Arising from whether or not the bank has the ability to enforce the contract. -
Country Risk - Due to political, social or legal climate creating added risk. -
Concentration and Systemic Risk - Due to lack of control of individual banks over a service provider, more so when overall banking industry has considerable exposure to one service provider. 5.4 Evaluating the Capability of the Service Provider 5.4.1 In considering or renewing an outsourcing arrangement, co-operative banks shall undertake appropriate due diligence to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence should take into consideration qualitative, quantitative, financial, operational and reputational factors. Co-operative banks shall consider whether the service providers’ systems are compatible with their own and also whether their standards of performance including in the area of customer service are acceptable to it. Co-operative banks shall also consider, while evaluating the capability of the service provider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Where possible, co-operative banks may obtain independent reviews and market feedback on the service provider to supplement their own findings. 5.4.2 Due diligence should involve an evaluation of all available information about the service provider, including but not limited to the following: - -
Past experience, competence to implement and support the proposed activity over the contracted period; -
Financial soundness and ability to service commitments even under adverse conditions; -
Business reputation, culture, compliance, complaints and outstanding or potential litigation; -
Security, internal controls, audit coverage, reporting, monitoring and business continuity management; -
External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance; -
Ensuring due diligence by service provider of his employees; and. -
Ability to effectively service all the customers with confidentiality where a service provider has exposure to multiple banks. 5.5 The Outsourcing Agreement The terms and conditions governing the contract between a co-operative bank and service provider should be carefully defined in written agreements and vetted by bank’s legal counsel on their legal effect and enforceability. Every such agreement should address the risks and risk mitigation strategies. The agreement should be sufficiently flexible to allow the bank to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement should also bring out the nature of legal relationship between the parties, i.e., whether agent, principal or otherwise. Some of the key provisions of the contract would be: -
The contract should clearly define the activities being outsourced including Service Level Agreements (SLAs) to agree and establish accountability for performance expectations. SLAs must clearly formalize the performance criteria to measure the quality and quantity of service levels. -
The co-operative bank shall ensure its ability to access all books, records and information relevant to the outsourced activity available with the service provider. -
The contract should provide for continuous monitoring and assessment of the service provider by the co-operative bank so that any necessary corrective measure can be initiated immediately. -
Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information shall be incorporated. -
A termination clause and notice period should be included. -
Contingency plans to ensure business continuity should be included. -
The contract should provide for the prior approval/consent of co-operative bank for use of subcontractors by the service provider for all or part of an outsourced activity. Before according the consent, co-operative banks should review the subcontracting arrangement and ensure that these arrangements are compliant with the extant guidelines on outsourcing. -
The contract should provide the co-operative banks with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the co-operative bank. -
Outsourcing agreement should include a clause to allow RBI/NABARD or persons authorised by it to access the co-operative bank’s documents, records of transactions, logs and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats. -
Outsourcing agreement should also include a clause to recognise the right of the RBI / NABARD to cause an inspection of a service provider of a co-operative bank and its books and accounts by one or more of its officers or employees or other authorised persons. -
The outsourcing agreement should also provide that confidentiality of customers’ information should be maintained even after the contract expires or gets terminated. Further, co-operative bank shall have necessary provisions to ensure that the service provider preserves documents as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services. 5.6 Confidentiality and Security 5.6.1 Public confidence and customer trust in co-operative bank is a prerequisite for the stability and reputation of the bank. Hence, the co-operative banks shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody of the service provider. 5.6.2 Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function. 5.6.3 The co-operative banks shall ensure that the service provider is able to isolate and clearly identify the co-operative bank’s customer information, documents, records and assets to protect the confidentiality of the information. In the instances, where service provider acts as an outsourcing agent for multiple banks, care should be taken to build adequate safeguards so that there is no comingling of information/documents, records and assets. 5.6.4 The co-operative banks shall review and monitor the security practices and control processes of the service provider on a regular basis and require the service provider to disclose security breaches. 5.6.5 The co-operative banks shall immediately notify RBI / NABARD in the event of any breach of security and leakage of confidential customer related information. In these eventualities, the co-operative bank shall be liable to its customers for any damage. 5.7 Business Continuity and Management of Disaster Recovery Plan 5.7.1 Co-operative banks shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. Banks need to ensure that the service provider periodically tests the Business Continuity and Recovery Plan. Banks may also conduct joint testing and recovery exercises with its service provider at mutually agreed frequency but at least annually. 5.7.2 In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, co-operative banks shall retain an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the bank and its services to the customers. 5.7.3 In establishing a viable contingency plan, co-operative banks should consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved. 5.7.4 Co-operative banks to ensure that in adverse conditions and/ or termination of the contract, all documents, records of transactions and information given to the service provider and assets of the bank can be removed from the possession of the service provider in order to enable the bank to continue its business operations; or deleted, destroyed or rendered unusable. 5.8 Monitoring and Control of Outsourced Activities 5.8.1 The co-operative banks shall have in place a management structure to monitor and control their outsourcing activities. It shall also be ensured that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities. 5.8.2 A central record of all material outsourcing that is readily accessible for review by the Board and CEO along with the management of the co-operative bank shall be maintained. The records should be updated promptly and half yearly reviews should be placed before the Board. 5.8.3 Regular audits at least annually by either the internal auditors or external auditors of the bank should assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s compliance with its risk management framework and these guidelines. 5.8.4 Co-operative banks shall at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness. Co-operative banks shall also submit an Annual Compliance Certificate giving the particulars of outsourcing contracts, the prescribed periodicity of audit by internal / external auditor, major findings of the audit and action taken through Board, to the Regional Offices of RBI / NABARD. 5.8.5 The event of termination of any outsourcing agreement for any reason where the service provider deals with customers, shall be publicised by displaying at a prominent place in the branches and posting it on the bank’s website so as to ensure that the customers do not continue to deal with the service provider. 5.8.6 Certain cases, like outsourcing of cash management, might involve reconciliation of transaction between the co-operative banks, the service provider and its sub-contractors. In such cases, banks should ensure reconciliation of transactions between the bank and the service provider (and /or its subcontractor) are carried out as advised in RBI guidelines on ‘Outsourcing of Cash Management – Reconciliation of Transactions’ dated May 14, 2019 as amended from time to time. 5.8.7 A robust system of internal audit of all outsourced activities shall be put in place and monitored at the Board level. 5.9 Redressal of Grievances related to Outsourced services 5.9.1 The co-operative banks shall give wide publicity to the Grievance Redressal Machinery within the bank and also by placing the information on their website. It should be clearly indicated that co-operative banks' Grievance Redressal Machinery will also deal with the issues relating to services provided by the outsourced agencies. The name and contact number of designated grievance redressal officer of the co-operative bank should be made known and widely publicised. The designated officer should ensure that genuine grievances of customers are redressed promptly. 5.9.2 The grievance redressal procedure of the co-operative bank and the time frame fixed for responding to the complaints shall be placed on the bank's website. 5.10 Reporting of transactions to FIU or other competent authorities Co-operative banks shall be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the banks' customer related activities carried out by the service providers. 6 Centralised List of Outsourced Agents If a service provider’s contract is terminated prematurely prior to the completion of contracted period of service, Indian Banks' Association (IBA) would have to be informed with reasons for termination. IBA would be maintaining a caution list of such service providers for the entire banking industry for sharing among banks.
|