Typically outsourced financial services include applications
processing (loan origination, credit card), document processing, investment
management, marketing and research, supervision of loans, data processing
and back office related activities etc.
1.2 Outsourcing brings several risks in its wake. Some
key risks in outsourcing may be Strategic Risk, Reputation Risk, Compliance
Risk, Operational Risk, Exit Strategy Risk, Counterparty Risk, Country Risk,
Contractual Risk, Access Risk, Concentration and Systemic Risk. The failure of
a service provider in providing a specified service, a breach in security/ confidentiality,
or non-compliance with legal and regulatory requirements by either the service
provider or the outsourcing bank can lead to financial losses/reputational risk
for the bank and could also lead to systemic risks within the entire banking
system in the country. It would therefore be imperative for the bank outsourcing
its activities to ensure effective management of these risks.
1.3 This draft guideline on Outsourcing is intended to
provide direction and guidance to banks to adopt sound and responsive risk management
practices for effective oversight, due diligence and management of risks arising
from such outsourcing activities. This draft guideline is applicable to outsourcing
arrangements entered into by a bank with a service provider located in India
or elsewhere. The service provider may either be a member of the group/conglomerate
to which the bank belongs, or an unrelated party.
1.4 The underlying principles behind these guidelines
are that the regulated entity should ensure that outsourcing arrangements neither
diminish its ability to fulfil its obligations to customers and RBI nor
impede effective supervision by RBI. Banks therefore have to take steps to ensure
that the service provider employs the same high standard of care in performing
the services as would be employed by the banks if the activities were conducted
within the banks and not outsourced. Accordingly, banks should not engage in
outsourcing that would result in their internal control, business conduct or
reputation being compromised or weakened.
1.5 (i) Banks would not require prior approval from RBI
for outsourcing of financial or other services except where the service provider
is located outside India or when the outsourcing is in relation to doorstep
banking. Banks have been advised vide our circular DBOD No. BL.BC.86/22.01.001/2004-05
dated April 30, 2005 to seek RBI's prior approval for doorstep banking schemes
formulated with the approval of their Boards. The banks will however have to
keep the RBI informed of all the financial services outsourced by them.
(ii) In regard to outsourced services relating to credit cards,
RBI's detailed instructions contained in its circular on credit card activities
vide RBI/2005-06/211 DBOD.FSD.BC.49/24.01.011/2005-06 dated 21st November
2005 would be applicable.
2 ACTIVITIES THAT SHOULD NOT BE OUTSOURCED
Banks cannot outsource core management functions like corporate
planning, organisation, management and control and decision-making functions
like determining compliance with KYC norms for opening deposit accounts, according
sanction for loans and management of investment portfolio.
3 'MATERIAL OUTSOURCING'
During Annual Financial Inspections (AFIs), RBI will review the implementation of these guidelines
to assess the quality of related risk management systems particularly in respect
of material outsourcing. Material outsourcing arrangements are those, which
if disrupted, have the potential to significantly impact the business operations,
reputation or profitability. Materiality of outsourcing would be based on:
- The level of importance to the bank of the activity being
outsourced
- The potential impact of the outsourcing on the bank on various
parameters such as earnings, solvency, liquidity, funding and capital and
risk profile;
- The likely impact on the bank’s reputation and brand value,
and ability to achieve its business objectives, strategy and plans, should
the service provider fail to perform the service;
- The cost of the outsourcing as a proportion of total operating
costs of the bank;
- The aggregate exposure to that particular service provider,
in cases where the bank outsources various functions to the same service
provider.
4 LEGAL OBLIGATIONS AND REGULATORY AND SUPERVISORY REQUIREMENTS
4.1 The outsourcing of any activity by bank does not
diminish its obligations, and those of its Board and senior management, who
have the ultimate responsibility for the outsourced activity. Banks would therefore
be responsible for the actions of their service provider including DSAs/DMAs
and recovery agents and the confidentiality of information pertaining to the
customers that is available with the service provider. Banks should retain ultimate
control of the outsourced activity.
4.2 It is imperative for the bank, when performing its
due diligence in relation to outsourcing, to consider all relevant laws, regulations,
guidelines and conditions of approval, licensing or registration.
4.3 Outsourcing arrangements should not affect the rights
of a customer against the bank, including the ability of the customer to obtain
redress as applicable under relevant laws. Since the customers are required
to deal with the service providers in the process of dealing with the bank,
banks should reveal to their customers in the product brochures/agreements etc.,
the role of the service provider and their obligation towards the customers.
4.4 Outsourcing, whether the service provider is located
in India or abroad, should not impede or interfere with the ability of the bank
to effectively oversee and manage its activities or impede the Reserve Bank
of India in carrying out its supervisory functions and objectives.
4.5 Banks need to have a robust grievance
redressal mechanism, which in no way should be compromised on account of outsourcing.
5. Notifying RBI
A bank that has entered into or is planning material outsourcing,
or is planning to vary any such outsourcing arrangements, should notify RBI
of such arrangements.
6. Risk Management practices for outsourced Financial Services
6.1 Outsourcing Policy
A bank intending to outsource any of its financial
activities should put in place a comprehensive outsourcing policy, approved
by its Board, which incorporates, inter alia, criteria for selection of such
activities as well as service providers, delegation of authority depending on
risks and materiality and systems to monitor and review the operations of these
activities.
6.2 Role of the Board and Senior Management
6.2.1 The Board of the bank, or a committee delegated
by it, should be responsible inter alia for:
- Approving a framework to evaluate the risks and materiality
of all existing and prospective outsourcing and the policies that apply
to such arrangements;
- Laying down appropriate approval authorities for outsourcing
depending on risks and materiality.
- Undertaking regular review of outsourcing strategies and
arrangements for their continued relevance, and safety and soundness; and
- Deciding on business activities of a material nature to
be outsourced, and approving such arrangements.
6.2.2 Senior Management would be responsible for
- Evaluating the risks and materiality of all existing and
prospective outsourcing, based on the framework approved by the board;
- Developing and implementing sound and prudent outsourcing
policies and procedures commensurate with the nature, scope and complexity
of the outsourcing;
- Reviewing periodically the effectiveness of policies and
procedures;
- Communicating information pertaining to material outsourcing
risks to the board in a timely manner;
- Ensuring that contingency plans, based on realistic and probable
disruptive scenarios, are in place and tested;
- Ensuring that there is independent review and audit for compliance
with set policies; and
- Undertaking periodic review of outsourcing arrangements to
identify new material outsourcing risks as they arise.
6.3 Evaluation of the Risks
The key risks in outsourcing that need to be looked into by
the banks are:
(a) Strategic Risk – The service provider may conduct business
on its own behalf, which is inconsistent with the overall strategic goals of
the bank
(b) Reputation Risk – Poor service from the service provider,
its customer interaction not being consistent with the overall standards of
the bank
(c) Compliance Risk – Privacy, consumer and prudential laws
not adequately complied with
(d) Operational Risk – Arising due to technology failure, fraud,
error, inadequate financial capacity to fulfil obligations and/or provide remedies
(e) Exit Strategy Risk – This could arise from over–reliance
on one firm, the loss of relevant skills in the bank itself preventing it from
bringing the activity back in-house and contracts entered into wherein speedy
exits would be prohibitively expensive
(f) Counterparty Risk – Due to inappropriate underwriting or
credit assessments
(g) Country Risk – Due to the political, social or legal climate
creating added risk
(h) Contractual risk – arising from whether or not the bank
has the ability to enforce the contract
(i) Concentration and Systemic Risk – Due to lack of control
of individual banks over a service provider, more so when overall banking industry
has considerable exposure to one service provider.
6.4 Evaluating the Capability of the Service Provider
6.4.1 In considering or renewing an outsourcing arrangement,
appropriate due diligence should be performed to assess the capability of the
service provider to comply with obligations in the outsourcing agreement. Due
diligence should take into consideration qualitative and quantitative, financial,
operational and reputational factors. Banks should consider whether the service
providers' systems are compatible with their own and also whether their standards
of performance including in the area of customer service are acceptable to it.
Where possible, the bank should obtain independent reviews and market feedback
on the service provider to supplement its own findings.
6.4.2 Due diligence should involve an evaluation of all
available information about the service provider, including but not limited
to:-
- Past experience and competence to implement and support the
proposed activity over the contracted period;
- Financial soundness and ability to service commitments even
under adverse conditions;
- Business reputation and culture, compliance, complaints
and outstanding or potential litigation;
- Security and internal control, audit coverage, reporting
and monitoring environment, Business continuity management;
- External factors like political, economic, social and legal
environment of the jurisdiction in which the service provider operates and
other events that may impact service performance.
- Ensuring due diligence by service provider of its employees.
6.5 The Outsourcing Agreement
6.5.1 The terms and conditions governing the contract
between the bank and the service provider should be carefully defined in written
agreements and vetted by a competent authority on their legal effect and enforceability.
Every such agreement should address the risks and risk mitigation strategies
identified at the risk evaluation and due diligence stages. The agreement should
be sufficiently flexible to allow the bank to retain an appropriate level of
control over the outsourcing and the right to intervene with appropriate measures
to meet legal and regulatory obligations. The agreement should also bring out
the nature of the legal relationship between the parties – i.e. whether agent-principal
or otherwise. Some of the key provisions of the contract would be
- The contract should clearly define what activities are
going to be outsourced including appropriate service and performance standards.
- The bank must ensure it has the ability to access all books,
records and information relevant to the outsourced activity in the service
provider.
- The contract should provide for continuous monitoring and
assessment by the bank of the service provider so that any necessary corrective
measure can be taken immediately.
- A termination clause and minimum periods to execute a termination
provision, if deemed necessary, should be included.
- Controls to ensure customer data confidentiality and service
providers' liability in case of breach of security and leakage of confidential
customer related information.
- Contingency plans to ensure business continuity
- The contract should provide for the approval by the bank
of the use of subcontractors by the service provider for all or part of
an outsourced activity
- Provide the bank with the right to conduct audits on the
service provider whether by its internal or external auditors, or by agents
appointed to act on its behalf and to obtain copies of any audit or review
reports and findings made on the service provider in conjunction with the
services performed for the bank.
- Outsourcing agreements should include clauses to allow
the Reserve Bank of India or persons authorised by it to access the bank’s
documents, records of transactions, and other necessary information given
to, stored or processed by the service provider within a reasonable time.
The Agreement should further provide that in the event these are not made
accessible to RBI within a reasonable time, the bank would be liable to
pay supervisory fees to RBI.
- The outsourcing agreement should also include a clause to recognise
the right of the Reserve Bank to cause an inspection to be made of a service
provider of a bank and its books and account by one or more of its officers
or employees or other persons.
6.6 Confidentiality and Security
6.6.1 Public confidence and customer trust in the bank
is a prerequisite for the stability and reputation of the bank. Hence the bank
should seek to ensure the preservation and protection of the security and confidentiality
of customer information in the custody or possession of the service provider.
6.6.2 Access to customer information by staff of the
service provider should be limited to those areas where the information is required
in order to perform the outsourced function.
6.6.3 The bank should ensure that the service provider
is able to isolate and clearly identify the bank’s customer information, documents,
records and assets to protect the confidentiality of the information.
6.6.4 The bank should review and monitor the security practices and control
processes of the service provider on a regular basis and require the service
provider to disclose security breaches.
6.6.5 The bank should immediately notify RBI in the event
of any breach of security and leakage of confidential customer related information.
In these eventualities, the bank would be liable to its customers for any damage.
6.7 Code of Conduct for DSA/ DMA/ Recovery Agents
6.7.1 The code of conduct for DSAs formulated by the Indian
Banks' Association (IBA) could be used by banks in formulating their own codes for DSAs/
DMAs/Recovery Agents. Banks should ensure that the DSAs/DMAs/Recovery Agents
are properly trained to handle their responsibilities with care, particularly
aspects like soliciting customers, hours of calling, privacy of customer information
and conveying the correct terms and conditions of the products on offer.
6.7.2 Recovery Agents should adhere to extant instructions
on Fair Practices Code for lending (Circular DBOD.Leg.No.BC.104/09.07.007/2002-03
dated 5th May 2003) as also their own code for collection
of dues or in the absence of such a code at the minimum adopt the IBA's code
for collection of dues and repossession of security. It is essential that the
recovery agents refrain from action that could damage the integrity and reputation
of the bank and that they observe strict customer confidentiality.
6.7.3 The bank and their agents should not resort to
intimidation or harassment of any kind either verbal or physical against any
person in their debt collection efforts, including acts intended to humiliate
publicly or intrude on the privacy of the credit card holders' family members, referees
and friends, making threatening and anonymous calls or making false and misleading
representations.
6.8 Business Continuity and Management of Disaster Recovery
Plan
6.8.1 A bank should require its service providers to
develop and establish a robust framework for documenting, maintaining and testing
business continuity and recovery procedures. Banks need to ensure that the service
provider periodically tests the Business Continuity and Recovery Plan and may
also consider occasional joint testing and recovery exercises with its service
provider.
6.8.2 In order to mitigate the risk of unexpected termination
of the outsourcing agreement or liquidation of the service provider, banks should
retain an appropriate level of control over their outsourcing and the right
to intervene with appropriate measures to continue its business operations in
such cases without incurring prohibitive expenses and without any break in the
operations of the bank and its services to the customers.
6.8.3 In establishing a viable contingency plan, banks
should consider the availability of alternative service providers or the possibility
of bringing the outsourced activity back in-house in an emergency and the costs,
time and resources that would be involved.
6.8.4 Outsourcing often leads to the sharing of facilities
operated by the service provider. The bank should ensure that service providers
are able to isolate the bank’s information, documents and records, and other
assets. This is to ensure that in adverse conditions, all documents, records
of transactions and information given to the service provider, and assets of
the bank, can be removed from the possession of the service provider in order
to continue its business operations, or deleted, destroyed or rendered unusable.
6.9 Monitoring and Control of Outsourced Activities
6.9.1 The bank should have in place a management structure
to monitor and control its outsourcing activities. It should ensure that outsourcing
agreements with the service provider contain provisions to address their monitoring
and control of outsourced activities.
6.9.2 A central record of all material outsourcing that
is readily accessible for review by the board and senior management of the bank
should be maintained. The records should be updated promptly and form part of
the corporate governance reviews undertaken by the board and senior management
of the bank.
6.9.3 Regular audits by either the internal auditors
or external auditors of the bank should assess the adequacy of the risk management
practices adopted in overseeing and managing the outsourcing arrangement, the
bank’s compliance with its risk management framework and the requirements of
these guidelines.
6.9.4 Banks should, at least on an annual
basis, review the financial and operational condition of the service provider
to assess its ability to continue to meet its outsourcing obligations. Such
due diligence reviews, which can be based on all available information about
the service provider should highlight any deterioration or breach in performance
standards, confidentiality and security, and in business continuity preparedness.
6.10 Redressal of Grievances related to Outsourced services
a) Generally, a time limit of 60 days may be given to the customers
for preferring their complaints / grievances.
b) Banks should constitute Grievance Redressal Machinery within
the bank and give wide publicity about it through electronic and print media.
The name and contact number of designated grievance redressal officer of the
bank should be made known and widely publicised. The designated officer should
ensure that genuine grievances of customers are redressed promptly without involving
delay.
c) The grievance redressal procedure of the bank and the time
frame fixed for responding to the complaints should be placed on the bank's
website.
d) If a complainant does not get satisfactory response from
the bank within 60 days from the date of lodging the complaint, the complainant will
have the option to approach the Office of the concerned Banking Ombudsman for
redressal of the grievance/s.
7 OFF-SHORE OUTSOURCING OF FINANCIAL SERVICES
7.1 Outsourcing outside India will require
RBI’s prior approval and the factors to be looked into are as under:
The engagement of service providers in a foreign
country exposes a bank to country risk - economic, social and political conditions
and events in a foreign country that may adversely affect the bank. Such conditions
and events could prevent the service provider from carrying out the terms of
its agreement with the bank. To manage the country risk involved in such
outsourcing activities, the bank should take into account and closely monitor
government policies and political, social, economic and legal conditions
in countries where the service provider is based, during the risk assessment
process and on a continuous basis, and establish sound procedures for dealing
with country risk problems. This includes having appropriate contingency and
exit strategies. In principle, arrangements should only be entered into with
parties operating in jurisdictions generally upholding confidentiality clauses
and agreements. The governing law of the arrangement should also be clearly
specified.