POV on Outsourcing Policy framework for NBFC

Introduction

Outsourcing has become a prevalent practice in the Non-Banking Financial Company (NBFC) sector as it allows companies to focus on their core activities while leveraging the expertise of external service providers. However, it is vital for NBFCs to establish a comprehensive outsourcing policy framework to ensure effective risk management and adherence to regulatory requirements. This article explores the key components of such a framework, including the types of activities that can be outsourced, the evaluation of risks, the capability assessment of service providers, the content of outsourcing agreements, and the monitoring of outsourced activities.

Outsourced Activities

NBFCs can outsource various activities to external service providers, which include but are not limited to:

• Applications processing (loan origination)
• Document processing
• Marketing and research
• Supervision of loans
• Data processing
• Back office related activities

Outsourcing these activities allows NBFCs to streamline their operations, increase efficiency, and benefit from specialized expertise.

Activities that shall not be outsourced

Certain core management functions should not be outsourced to maintain control and ensure effective oversight. These functions include:

• Internal Audit
• Strategic and Compliance functions
• Decision-making functions such as determining compliance with KYC norms for loan sanction
• By retaining these functions in-house, NBFCs can uphold their organizational integrity and directly monitor critical operations.
• Material OutsourcingEvaluating and classifying the significance of outsourced activities is imperative for deciding on the level of oversight and risk management required. Factors to consider when assessing material outsourcing include:

The importance of the outsourced activity to the NBFC and the associated level of risk

• The potential impact on various parameters such as earnings, solvency, liquidity, funding capital, and risk profile
• The impact on the NBFC's reputation, brand value, and ability to achieve business objectives if the service provider fails to perform
• The cost of outsourcing relative to total operating costs
• The aggregate exposure to a specific service provider, especially when multiple functions are outsourced to the same provider
• The significance of the outsourced activities in the context of customer service and protection

By meticulously analyzing these factors, NBFCs can prioritize risk mitigation measures and allocate appropriate resources.

Outsourcing Policy

The responsibility for establishing an outsourcing policy lies with a Committee of the Board to which powers have been delegated. This committee is responsible for:

• Approving a framework to evaluate the risks and materiality of existing and prospective outsourcing, along with the corresponding policies
• Defining suitable approval authorities for outsourcing arrangements based on associated risks
• Establishing an administrative framework within senior management to ensure compliance with the outsourcing policy
• Conducting regular reviews of outsourcing strategies and arrangements to ensure their continued relevance, safety, and soundness
• Reviewing and approving material outsourcing arrangements and business activities

By entrusting these responsibilities to a dedicated committee, NBFCs can ensure comprehensive oversight of outsourcing activities.

Evaluation of the Risks

To effectively manage risks associated with outsourcing, NBFCs must thoroughly evaluate various risk factors. These include:

• Strategic Risk: Assessing the impact of outsourcing on the NBFC's long-term strategic goals and market position.
• Reputation Risk: Considering the consequences of a service provider's failure on the NBFC's reputation and brand value.
• Compliance Risk: Assessing the potential non-compliance of the service provider with applicable laws, regulations, and industry best practices.
• Operational Risk: Identifying potential disruptions or failures in outsourced processes that could adversely affect the NBFC's operations.
• Legal Risk: Evaluating the legal implications surrounding the outsourced activities and ensuring compliance with contractual obligations.
• Exit Strategy: Considering the potential challenges and risks associated with terminating an outsourcing agreement.
• Counterparty Risk: Assessing the financial stability and reputation of the service provider as a counterparty.
• Contractual Risk: Evaluating the effectiveness of contractual arrangements in protecting the interests of the NBFC.
• Concentration and Systemic Risk: Identifying and managing risks associated with over-reliance on a single service provider or a concentrated market.
• Country Risk: Assessing the political, economic, and legal risks associated with outsourcing activities in specific countries.

By conducting a comprehensive risk assessment, NBFCs can implement appropriate risk mitigation strategies and ensure resilience in their outsourcing arrangements.

Evaluating the Capability of the Service Provider

Before entering into an outsourcing agreement, NBFCs should thoroughly evaluate the capability and suitability of potential service providers. Key factors to consider include:

Past experience and competence of the service provider in similar outsourced activities.

Financial soundness and ability to fulfill commitments, even under adverse conditions.

Business reputation, compliance history, and any outstanding or potential litigation.

Security measures, internal controls, audit coverage, reporting and monitoring environment, and business continuity management.

Disaster Recovery Plan in place to ensure operational continuity in emergencies.

By conducting a rigorous assessment of service providers, NBFCs can ensure that they engage with reliable and capable partners.

Outsourcing Agreement

The outsourcing agreement forms the foundation of the relationship between the NBFC and the service provider. Key elements that should be included in the agreement are:

Clear definition of the activities being outsourced, including detailed service and performance standards.

Assurance that the NBFC has ongoing access to all relevant books, records, and information held by the service provider.

Provisions for continuous monitoring and assessment by the NBFC to rectify any deficiencies promptly.

Inclusion of a termination clause with an appropriate minimum notice period.

Controls to ensure the confidentiality of customer data and the service provider's liability in case of security breaches or data leaks.

Contingency plans to ensure business continuity in the event of disruptions to the outsourced activities.

Approval requirement for subcontracting by the service provider.

Rights of the NBFC to conduct audits on the service provider, including obtaining audit or review reports.

Provisions allowing regulatory authorities to access relevant documents and information.

Preservation of customer information confidentiality even after contract termination.

Measures to ensure document preservation as required by law.

By incorporating these elements into the outsourcing agreement, NBFCs can establish a robust and legally compliant framework.

Responsibility of outsourcing partner in terms of sales, recovery, and collection

When outsourcing sales, recovery, and collection activities, NBFCs must ensure that their partners abide by ethical and professional standards. Key considerations include:

Providing proper training to outsourcing partners to handle responsibilities with care, sensitivity, and compliance.

Requiring partners to adhere to a board-approved Code of Conduct for Sales, Marketing, and Recovery.

Prohibiting any form of intimidation, harassment, or misleading practices during debt collection efforts.

By emphasizing ethical practices and enforcing a code of conduct, NBFCs can protect the interests and well-being of their customers.

Monitoring

Monitoring of outsourced activities is crucial to maintain effective control and ensure compliance with outsourcing policies. Key aspects of monitoring include:

Maintaining records of all outsourced activities, promptly updating them as necessary, and presenting half-yearly reviews to the Board.

Conducting regular audits by internal or external auditors to assess the financial and operational condition of service providers.

Annual reviews of service providers' ability to meet outsourcing obligations.

Publicizing the termination of outsourcing agreements, particularly with customer-facing service providers, to ensure customers are informed of any changes.

By implementing a robust monitoring mechanism, NBFCs can proactively identify and address any non-compliance or risk issues arising from outsourced activities.

Conclusion

Establishing a comprehensive outsourcing policy framework is critical for NBFCs seeking to effectively manage risks associated with outsourcing activities. By carefully evaluating the importance and risks of outsourced activities, assessing service providers' capabilities, defining robust outsourcing agreements, and implementing effective monitoring mechanisms, NBFCs can achieve operational efficiency while maintaining regulatory compliance and ensuring customer protection.