The Reserve Bank of India (RBI) has issued a framework for Payment System Operators (PSOs) to manage risks in the outsourcing of payment and settlement-related activities by non-bank providers.
The framework applies to vendors, payment gateways, agents, consultants and their representatives.
The framework also applies to sub-contractors who work on projects outsourced by the PSOs.
The framework prohibits PSOs from outsourcing “…core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms.”
It further added that for internal audits, a PSO can appoint its own employees or outsiders on a contract basis.
As part of the framework, PSOs will be required to flag data breaches at the service-provider level to the RBI and will be liable to pay damages to customers.
For offshore service providers to a PSO, the RBI has said that the provider should not object to scrutiny by internal or external auditors appointed by the PSO, or by the RBI.
Other requirements flagged by the RBI include a board-approved code of conduct, stipulated by the PSO, for direct sales agents and marketing agents, keeping in mind privacy of customer information and hours of calling, among other aspects.
The PSOs shall not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms.
However, while internal audit function itself is a management process, the auditors for this purpose can be appointed by the PSO from its own employees or from the outside on contract.
The framework from RBI comes at a time when outsourced services for KYC compliance and similar services have been adopted by PSOs for growth.
Earlier this year, JusPay Technologies, which provides mobile checkout and payment processing solutions, confirmed a data breach of nearly 10 crore cardholders’ information. Air India also reported that personal data of nearly 4.5 million passengers was leaked due to a breach at passenger service system provider SITA.