The RBI vide its Statement on Developmental and Regulatory Policies dated February 08, 2024 announced its decision to mandate Regulated Entities (REs) to provide Key Fact Statement (KFS) for retail and Micro, Small & Medium Enterprise (MSME) loans. Following the aforesaid, RBI issued a notification dated April 15, 2024 (Circular) to “harmonise” the instructions in this regard for all REs. Since the intent of the RBI is to harmonise similar requirements, the KFS Circular overrides similar extant requirements in case of lending by banks to individuals, and digital lending. RBI/2017-18/87DNBR.PD.CC.No.090/03.10.001/2017-18 November 09, 2017 To All Non-Banking Financial Companies (NBFCs), Madam/ Sir, Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs In exercise of the powers conferred under Section 45 L of the Reserve Bank of India Act, 1934, the Reserve Bank of India after being satisfied that it is necessary and expedient in the public interest so to do and with a view to put in place necessary safeguards applicable to outsourcing of activities by NBFCs, hereby issues the Directions as set out in the Annex. 2. NBFCs are advised to conduct a self-assessment of their existing outsourcing arrangements and bring these in line with the aforesaid Directions within two months from the date of this circular. 3. The Non-Banking Financial Company – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016, Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016, Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, Core Investment Companies (Reserve Bank) Directions, 2016, Standalone Primary Dealers (Reserve Bank) Directions, 2016 and Non-Banking Financial Company – P2P (Reserve Bank) Directions, 2017 have been accordingly updated. Yours faithfully, (C. D. Srinivasan)Chief General Manager Annex Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs 1. Introduction 1.1 ‘Outsourcing’ is defined as the NBFC’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future. ‘Continuing basis’ includes agreements for a limited period. 1.2 NBFCs have been outsourcing various activities and are hence exposed to various risks as detailed in para 5.3. Further, the outsourced activities are to be brought within regulatory purview to a) protect the interest of the customers of NBFCs and b) to ensure that the NBFC concerned and the Reserve Bank of India have access to all relevant books, records and information available with service provider. Typically outsourced financial services include applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others. 1.3 Some key risks in outsourcing are Strategic Risk, Reputation Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk, Access Risk, Concentration and Systemic Risk. The failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the service provider can lead to financial losses or loss of reputation for the NBFC and could also lead to systemic risks. 1.4 It is therefore imperative for the NBFC outsourcing its activities to ensure sound and responsive risk management practices for effective oversight, due diligence and management of risks arising from such outsourced activities. The directions are applicable to material outsourcing arrangements as explained in para 3 which may be entered into by an NBFC with a service provider located in India or elsewhere. The service provider may either be a member of the group/ conglomerate to which the NBFC belongs, or an unrelated party. 1.5 The underlying principles behind these directions are that the regulated entity shall ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI. NBFCs, therefore, have to take steps to ensure that the service provider employs the same high standard of care in performing the services as is expected to be employed by the NBFCs, if the activities were conducted within the NBFCs and not outsourced. Accordingly, NBFCs shall not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened. 1.6 (i) These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc. NBFCs which desire to outsource financial services would not require prior approval from RBI. However, such arrangements would be subject to on-site/ off- site monitoring and inspection/ scrutiny by RBI. (ii) In regard to outsourced services relating to credit cards, RBI’s detailed instructions contained in its circular on credit card activities vide DBOD.FSD.BC.49/24.01.011/2005-06 dated November 21, 2005 would be applicable. 2. Activities that shall not be outsourced NBFCs which choose to outsource financial services shall, however, not outsource core management functions including Internal Audit, Strategic and Compliance functions and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans) and management of investment portfolio. However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions in Para 6. Further, while internal audit function itself is a management process, the internal auditors can be on contract. 3. Material Outsourcing For the purpose of these directions, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on: the level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by the same; the potential impact of the outsourcing on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile; the likely impact
