RBI plans to bar outsourcing of know-your customer compliance norms

The Reserve Bank of India (RBI) is considering a prohibition on banks and other regulated entities from outsourcing the verification of compliance with know-your-customer (KYC) norms.

A draft circular on Managing Risks and Code of Conduct in Outsourcing of Financial Services, released by the regulator, has stated this intention.

The draft specifies: “Regulated entities (REs) shall not outsource core management functions, including policy formulation, decision-making functions such as determining compliance with KYC norms, management of the investment portfolio, compliance function, and internal audit function.”

Furthermore, the draft says that REs should make the final decision to extend credit to any specific customer, regardless of whether a service provider is involved in the process or not.

The RBI has also emphasised that REs should establish a board-approved code of conduct for direct selling agents (DSAs), direct marketing agents (DMAs), and recovery agents and obtain their commitment to adhere to this code.

The draft further specifies that REs and their recovery agents are prohibited from contacting the borrower or guarantor before 8 am and after 7 pm when attempting to recover overdue loans.

REs have been instructed to ensure that DSAs, DMAs, and recovery agents receive proper training to handle their responsibilities with care and sensitivity. This includes aspects such as soliciting customers, calling hours, maintaining the privacy of customer information, and accurately conveying the terms and conditions of the products on offer.

Moreover, the RBI has made it clear that REs and their recovery agents must not resort to intimidation or harassment in any form, whether verbal or physical. This includes acts intended to publicly humiliate or intrude upon the privacy of the debtor, their guarantor’s family members, referees, and friends, sending inappropriate messages via mobile or social media, making threatening and anonymous calls, and persistently contacting the borrower or guarantor with false and misleading representations.

Additionally, if REs employ a template structure for sanctioning loans through a service provider based on predetermined criteria, they must demonstrate to the supervisor that the lending decision was made solely by the RE, and the role of the service provider is that of a facilitator.

The draft also specifies that REs intending to outsource any of their financial activities must establish a comprehensive board-approved outsourcing policy. This policy should include criteria for selecting such activities and service providers, parameters for defining material outsourcing based on broad criteria, delegation of authority based on risk and materiality, and systems for monitoring and reviewing the operations of these activities.

RBI emphasises that both the board and senior management are ultimately responsible for managing the inherent risks in outsourcing arrangements. They must establish an effective governance mechanism and risk management process for all outsourced activities.

The board or a committee of the board will be responsible for approving a framework to assess the risks and materiality of existing and prospective outsourcing arrangements, as well as the policies governing them. Senior management will evaluate these risks and materiality based on the board-approved framework.

Key risks in outsourcing that REs need to assess include compliance risk, concentration and systemic risk, contractual risk, and counterparty risk, among others.