Outsourcing Policy

Background and Scope

Overview

“Shivalik Small Finance Bank “(“the Bank”) is the first cooperative bank in the country to get an SFB license. The Bank is witnessing an increase in business volumes, transformation across various segments, development and introduction of new products, cross selling of products and extensive use of technology in banking.

In pursuit of growth and efficiencies, the Bank outsources certain functions to specialized agencies or person/s, so that they can be performed more efficiently and at lower costs while ensuring adequate controls at the banks end.

Definitions

‘Outsourcing’ may be defined as a bank's use of a third party (either an affiliated entity within the corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future. Continuing basis would include agreements for a limited period.

Financial Outsourcing - Typical activities under Financial Outsourcing include Application Processing (Loan Origination, Credit Card), Document processing, Marketing, and research, Supervision of loans, Data processing and Back office related activities etc.”
IT Services outsourcing - Common areas under technology operations includes,
- IT infrastructure management, maintenance, and support (hardware/ software/ firmware).
- Network and security solutions maintenance (hardware/ software/ firmware)
- Application Development, Maintenance and Testing
- Services and operations related to Data Centres.
- Cloud Computing Services.
- Managed Security Services.
- Application Service Providers (ASPs) including ATM Switch ASPs5; and
- Management of IT infrastructure and technology services associated with payment system ecosystem.
Non-Financial Outsourcing - Outsourcing arrangements like courier, Security services, Janitorial services would be considered as non–financial outsourcing and would be kept out of the purview of this policy as the Bank would have undertaken this activity under the normal course.

While outsourcing can help manage costs, provide expertise, expand product offerings, and improve services, it also results in banks being exposed to various risks which management should address. The board and the senior management are responsible for understanding the risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities. This policy document lays down the framework adopted by the bank for reviewing and approving outsourcing of financial & IT services.

Outsourcing risk is the risk of financial loss, regulatory fines, legal claims, reputation damage, loss of integrity of data, deliverables dilution due to problems with outsourced activities or disputes with service providers or vendors caused by inadequate due diligence or failing governance over the outsourced process.

This policy has been framed in line with the guidelines issued by the RBI from time to time including Guidance on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks issued by Reserve Bank of India (RBI) on November 3, 2006, and March 11, 2015 & Draft Master Direction on Outsourcing of IT Services dated 23.06.2022.

Scope

The guidelines on managing risks and code of conduct in outsourcing of financial & IT services by banks laid down by the Reserve Bank of India are concerned with managing risks in outsourcing of financial & IT services. While deciding on scope of activities to be outsourced, the following considerations should be kept in purview:

The activity should be such which could be performed efficiently by an external agency,
Such outsourcing should result in maintaining, if not enhancing the quality of customer service,
Outsourced persons should not have access to the ‘core banking software’ except for the purpose of limited enquiry and data entry, subject to authorization of Bank's officials,
It should result in cost reduction for the Bank,

Such outsourced activities should be covered under a Service Agreement spelling out the responsibilities and liabilities of the vendor.

Exclusions

Audit related assignments to relevant competent firms, for example Chartered Accountant firms/ Cert-In empaneled auditor will continue to be governed by the instructions/policy laid down by the Audit Dept.

The policy will also exclude activities not related to banking services like usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records etc.

Review

The policy would be reviewed annually or as and when considered necessary by the Board.

Objectives

In pursuit of growth and efficiencies, it is imperative that certain functions are outsourced which can be performed by specialized agencies more effectively, efficiently, and at lower costs. Banks should ensure that outsourcing arrangements neither diminish their ability to fulfil its obligations to customers nor impede effective supervision by the supervising authority. The Outsourcing Policy of the Bank aims at the following:

Meet or exceed Reserve Bank of India (RBI) requirements on outsourcing in banks.
Assign clear accountability and responsibility for management of Outsourcing activities in the bank.
Define the types of activities that can or cannot be outsourced by the bank to external vendors.
Define the various risks associated with outsourcing and the techniques the bank shall employ to mitigate the risks.
Designing a comprehensive methodology for selection of activities to outsource, selection and monitoring of vendors and assess the materiality of the outsourced activity.
Banks should not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened.

Key Definitions and Terms

“BCP” means ‘Business Continuity Plan.
“DRP” means ‘Disaster Recovery Plan.
“Responsible Unit” means business unit or function in the Bank that has outsourced its activities to the Service Provider.
“Service Provider” is the person or an entity that has been appointed by the Bank to deliver outsourcing services to it.
“Regulator” means any regulators of the units and the Service Providers e.g., RBI etc.
“SLA” means Service Level Agreement entered between the unit and the service provider.
Sub-Contracting - Subcontracting refers to an arrangement whereby the outsourced agency engaged by the Bank further outsources a part of its activity to another service provider (Sub contractor).
Material outsourcing arrangements -- are those which, if disrupted, have the potential to significantly impact the business operations, reputation, or profitability.

Governance Structure

Board of Directors

Roles and Responsibilities of the Board will include the following:

Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements.
Laying down appropriate approval authorities for outsourcing depending on risks and materiality
Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness and
Deciding on business activities of a material nature to be outsourced and approving such arrangements.

Responsibility of Senior Management

Senior management shall be responsible for following:

Evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board.
Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope, and complexity of the outsourcing.
Reviewing periodically the effectiveness of policies and procedures.
Communicating information pertaining to material outsourcing risks to the Board in a timely manner.
Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested.
Ensuring that there is independent review and audit for compliance with set policies.
Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise.

Committee for Approval of Outsourcing Proposals

Operational Risk Management Committee shall assess, quantify, and review the risk mitigations measures being put in place for outsourced financial and technology services irrespective of the materiality.

Bank through the respective department outsourcing the activity will have the ultimate responsibility for the outsourced activity.
The outsourcing of any activity would not diminish the obligation of the Bank in respect of that activity.
Respective departments outsourcing activity will present the proposal in Operational Risk management committee (ORMC) for consideration and approval.

The Committee will also ensure the following aspects of outsourcing arrangements in the bank. Develop and implement sound and prudent Outsourcing Policy and procedures commensurate with the nature, scope, and complexity of outsourcing activities.

Undertake periodic reviews of outsourcing arrangements for their continued relevance, safety, soundness and to identify new material outsourcing risks, if any.
Ensure a central record of material outsourcing that is readily accessible for review by the Board and Senior Management and the records are updated promptly and half yearly reviews are placed before the Board.
Implement internal guidelines covering aspects such as material outsourcing, business continuity, management of Disaster Recovery Plan (DRP), and self-assessment of existing and proposed outsourcing arrangements.
Review customer grievances pertaining to activities outsourced and the redressal mechanism.
Finalize review mechanism of each service provider.
Ensuring that there is independent review and audit for compliance with set policies.
To Review the implementation of the Outsourcing Policy.
Communicate information pertaining to material outsourcing risks to the Board on an annual Basis.
Periodically review the information security risks, business continuity and disaster recovery aspects pertaining to outsourcing activities.
Approve and review specific internal guidelines for empanelment of service providers.
Review the maximum pricing structure for outsourcing activity.
Defining approval authorities for outsourcing depending on nature of risks and materiality of outsourcing.
Undertake a periodic review of outsourcing strategies and all existing material outsourcing arrangements.
Ensure transparent and timely communication of information pertaining to outsourced activities to the relevant stakeholders.
Ensure vendor maintains privacy and confidentiality of customer information.
Ensure that service Provider employs the same high standard of care in performing the outsourced activity as would have been employed by the Bank.

Due Diligence Measures for Outsource Activity

Comprehensive due diligence on the nature, scope and complexity of the outsourcing should be performed. Identify the key risk and risk mitigation strategies. e.g., in case of technology the state of security practices and controls environment offered by the service provider is a key factor.

Outsourcing agreement should include oversight and management of third-party vendor’s/ service providers & partners as a due diligence measure the agreement should also have at least following provisions.

Nature of legal relationship between the parties – i.e., whether agent, principal or otherwise. The contract should clearly define what activities are going to be outsourced including appropriate service and performance standards.
The department outsourcing the activity must ensure that Bank can access all books, records, and information relevant to the outsourced activities available with the service provider.
The contract should provide for continuous monitoring and assessment by the bank of the service provider so that any necessary corrective measure can be taken immediately.
The outsourcing agreement should provide provision for the preservation of documents and data by the service provider in accordance with the legal/regulatory obligation of the bank in this regard.

Due diligence of service provider

During the process of negotiating/ renewing an Outsourcing arrangement due diligence should be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence should involve an evaluation of all information about the service provider including qualitative, quantitative, financial, operational, and reputational factors as follows:

Past experience and competence to implement and support proposed activities over the contractual period.
Financial soundness and ability to service commitments even under adverse conditions.
Business reputation and culture, compliance, complaints and outstanding or potential litigations.
Security and internal control and monitoring environment, business continuity management.
External factors like political, economic, social, and legal environment of jurisdiction in which the service provider operates and other events that may impact service Performance.
Due diligence for sub-service providers.
Risk management, framework, alignment to applicable international standards on quality/security/ environment etc., may be considered.
Secure infrastructure facilities. ix. Employees training and knowledge transfer.
Reliance on and ability to deal with sub-contractors.

The extent of due diligence reviews may vary based on risk inherent in the outsourcing arrangements. Due diligence undertaken during the selection process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing. Outsourcing and Vendor risk management team should ensure to obtain independent reviews and market feedback to supplement internal findings. Outsourcing and Vendor risk management team should ensure that information used for due diligence is current and not more than 12 months old.

Every department shall carry out an annual assessment of their vendors to whom payment made is more than INR 10 lakhs per year.

Responsible Unit

A unit proposing the outsourcing arrangement is the responsible unit.

Roles and Responsibilities:

Propose outsourcing of activities by initiating outsourcing note as per section 9.2 of the policy.
Discuss the idiosyncratic factors of the proposed outsourcing arrangement with the review and recommendation departments and obtain approval.
Ensure all aspects of the functions are covered as part of the proposed outsourcing arrangement.
Place outsourcing note for approval to the ORMC

Responsibilities of DSA/DMA and Recovery Agents

The responsible unit ensure that the direct selling agents/direct marketing agents/recovery agents are properly trained to handle with care and sensitivity, their responsibilities particularly aspects like soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products offer etc.
Recovery agents should adhere to the extant instructions of Fair practice code on lending as also their own code of collection of dues. It is essential that the recovery agents refrain from action that could damage the integrity and reputation of the Bank and that they observe strict customer confidentiality.
The responsible unit and their agents should not resort to intimidation or harassment of any kind either verbal or physical against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the debtors’ family members, referees, and friends, making threatening and anonymous calls or making false and misleading representations.
The Bank should have a system of random checks and mystery shopping to ensure that the agents have been properly briefed and trained to handle with care and caution, their responsibilities, particularly in the aspects included in these guidelines like soliciting customers, hours of calling etc.

Common Areas of Outsourcing

Financial and Technology Outsourcing - Outsourcing Arrangements, which would ideally have been carried out by Bank in normal course, being entrusted to other agency due to a specific reason. All financial and Technology Services outsourcing would be under the purview of the policy irrespective of its material impact. Typical activities under financial outsourcing and technology operations includes:

Banking Operations

Sourcing Leads generation.
Application processing (Loan Origination, Credit Card).
Supervision of loans.
Cash management and Collections.
Customer service helpdesk/ call centre services.
Document/ Data/ Transaction Processing including payments, loans, deposits.
Activities such as Debit card printing and dispatch, verifications.
Back office related activities etc.
Marketing and research.
Fiduciary and trading activities

Technology Operations

Technology infrastructure management, maintenance, and support.
Application development, maintenance, and testing.

Any other activity deemed fit & which is in consonance with the regulatory directives.

Prohibitions and Restrictions to Outsourcing

Core management functions including Internal Audit, Compliance functions and decision-making functions like determining compliance with Know Your Customer (KYC) norms for opening deposit accounts, according to sanction for loans and management of investment portfolio shall not be outsourced by the Bank.
In regard to outsourced services relating to credit cards, detailed instructions issued by RBI vide circular no. DBOD.FSD.BC.17/24.01.011/2007-08 dated July 02, 2007, would be followed. In regard to IT services outsourcing instructions issued by RBI in the “Guidelines
on information security, electronic banking, technology risk management, and cyber frauds” vide circular no. RBI/2010-11/494 DBS.CO.ITC.BC. No 6/31.02.008/2010-11 chapter 4, dated April 29, 2011, would be followed. Draft Master Direction on Outsourcing of IT Services dated 23.6.22 would be followed.
In the event that no adequate safeguards can be obtained to ensure that the business processes to be outsourced continues to be conducted in a controlled and sound manner, the Bank shall not outsource the business processes concerned.
The outsourcing of financial accounting and the preparation of annual accounts shall not be permitted to a service provider who is not a subsidiary or affiliate of the Bank.
The outsourcing of senior management as well as supervisory board functions is not permitted.

Core Business Functions are functions which are vital functions without which an organization cannot survive and/ or effectively achieve its objectives. These functions are specific to organization and help it differentiate from competition and involve decision making at the highest levels. These functions may include functions like Business Strategy, Pricing -, Product Design and Management, Management of Intellectual Property. Board may approve outsourcing of core business activities or functions on the basis the business benefits after Risk Management committee has evaluated associated risks and other factors as laid down in the policy.

Key Risks Involved in Outsourcing and Control Standards for Mitigation

Outsourcing arrangements can be a source of several risks. The failure of a service provider in providing specialized service, a breach in security / confidentiality, or noncompliance with legal and regulatory requirements by either the service provider or the Bank can lead to financial losses or loss of reputation. It is imperative to ensure effective management of these risks.

The key risks in outsourcing that need to be evaluated are:

Risk Type	Key Risk	Control Standards
Strategic Risk	The service provider may conduct business on its own behalf, which is inconsistent with the overall strategic goals of the bank.	At the time of selection of the service provider the responsible unit must do a thorough background check on the conduct of business of the service provider. The responsible unit must document this explicitly and provide for the review of the ORMC. The committee must provide approval for empanelment of the service provider only if the strategy of the service provider is in line with the strategic goals of the Bank
Reputational Risk	Poor service from service provider to the Bank's customer and customer interaction experience not being consistent with the overall standards of the bank	The responsible unit must ensure that the service provider's staff is adequately trained about the Bank's customer relationship policies and guidelines. The outsourced staff must not let the customer know about this third-party relationship with the Bank and work like employees of the Bank itself. Any sort of negative publicity about the service provider must be brought to the notice of the approval committee by the responsible unit.
Operational Risk	Risk of technology failure, fraud, transactional error, inadequate financial capacity to fulfil obligations and/or provide remedies.	The empanelment of the service provider must be done through a bidding process and the responsible unit must provide all the relevant information and genuine documents to the ORMC. The final decision to empanel the service provider must lie completely with the ORMC
Legal Risk	Legal risk includes but is not limited to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.	The ORMC must thoroughly check all the documents provided by the responsible unit. The legal team of the Bank must review the outsourcing agreement for any onerous clauses and ensure that the Bank's interest is taken into consideration while documenting the agreement.
Counter Party Risk	Risk arising due to inappropriate under writing and credit assessments	The Bank must mitigate this risk by following the approval process entirely for empanelment of service provider. The responsible unit must ensure that credit assessments and ratings of the service provider are good enough for the ORMC to take the decision on empanelment.
Contractual Risk	Contractual risk arising from whether or not the bank has the ability to enforce the contract.	The outsourcing agreement must be documented with the consent of the approval committee and the legal team by taking into consideration the interest of the Bank and its customers.
Concentration and Systemic Risk	Due to lack of control of individual banks over a service provider, more so when overall banking industry has considerable exposure to one service provider.	The responsible unit must ensure that all material processes are not outsourced to the same service provider and banking operations will not be affected even if one service provider is unable to provide the services.
Exit Strategy Risk	This could arise from over-reliance on one firm, the loss of relevant skills in the bank itself preventing it from bringing the activity back in house and contracts entered into wherein speedy exits would be prohibitively expensive.	The responsible unit and ORMC together must arrive at the decision of empanelling service providers for various outsourced services in the Bank. The employees of the Bank must also be well trained to take over the activities of the vendor staff when the service provider separates from the Bank
Compliance Risk	Privacy, consumer, and prudential laws not complied with	The responsible unit must evaluate if the service provider has complied with all the prudential laws applicable to it.

Risk Management Framework for Outsourcing of IT Services

IT dept shall comprehensively be responsible for identification, measurement, mitigation/ management, and reporting of risks associated with Outsourcing of IT Services arrangements.
Dept to carry out risk assessments based on internal/ external quality assurance of IT services on a periodic basis.
Dept shall be responsible for the confidentiality and integrity of data / information pertaining to the customers that is available to the service provider. Access to data at its location / data centre by service providers shall be on need-to-know basis, with appropriate controls to prevent security breaches and/or data misuse.
It will be the bank’s responsibility to preserve and protect the security and confidentiality of customer information in the custody or possession of the service provider. Access to customer information by staff of the service provider shall be on” need to know basis”.
In cases where two or more service providers collaborate to deliver an end-to-end solution, bank remains responsible for understanding and monitoring the control environment of all service providers that have access to the bank’s data, systems, records, or resources.
Where service provider acts as an outsourcing agent for multiple banks, bank to ensure adequate safeguards are in place so that there is no combining of information, documents, records, and assets. Banks to ensure that a Non-Disclosure Agreement (NDA) is in place even after the contract expires/is terminated.
Dept to ensure that incidents, including cyber incidents and those resulting in disruption of service and data loss/ leakage are reported to them by the service provider immediately but not later than one hour of detection.
Dept to review and monitor the control processes and security practices of the service provider to disclose security breaches.
Dept should immediately notify the ORMC/supervising authority in the event of breach of security and leakage of confidential customer related information.

Business Continuity Plan and Disaster Recovery Plan (IT Services)

The Bank shall require their service providers to develop and establish a robust framework for documenting, maintaining, and testing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) commensurate with the nature and scope of the outsourced activity as per extant BCP/ DR requirements.
Wherever Bank or service provider(s) are required to telework for ensuring business continuity, the baseline expectations on controls on teleworking prescribed in Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices 2022 shall be adhered to.
In establishing a viable contingency plan, Bank shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.
In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency/ liquidation of the service provider, Bank shall retain an appropriate level of control over their It is outsourcing arrangement along with right to intervene, with appropriate measures to continue its business operations.
Bank shall ensure that service providers are able to isolate the Bank’s information, documents and records and other assets. This is to ensure that in adverse conditions and/or termination of the contract, all documents, record of transactions and information with the service provider and assets of the Bank can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed, or rendered unusable.

Materiality of Outsourcing

The risk and materiality of any outsourcing arrangement shall be identified and evaluated prior to entering any outsourcing arrangement by the responsible unit. The extent and degree to which this policy is implemented is expected to be commensurate with the materiality of the outsourcing.

As most of the items are operational in nature the responsibility to assess, quantify, and review the risk mitigations measures that needs to be put in place for outsourced financial and technology services irrespective of the materiality brought to Operational Risk Management Committee.

The Unit shall without limitation consider the following factors while assessing materiality of any outsourcing arrangement:

Level of importance to the Bank of the business activity to be outsourced,
Potential impact of the outsourcing on the earnings, solvency, liquidity, funding capital and risk profile of the Bank,
Cost of outsourcing as a proportion of total operating costs of the Bank/Unit,
Nature and extent of data sharing involved, impact on data privacy and security,
Aggregate exposure to a particular service provider, in case where various functions are outsourced to the same service provider.

Refer Annexure 1 for template to assess ‘Materiality of Outsourcing’.

Governance for Material Outsourcing Activities:

If the activity to be outsourced is rated as material as per the materiality assessment template, the following additional measures should be adhered to:

The outsourced service provider shortlisted outsourcing of activity must fulfil an additional requirement of having prior experience of providing a similar service in another organization for at least 12 months with a good feedback rating,

The ORMC may recommend a more frequent performance review of the service provider as per Section. 9.3.3 of the Policy.

Business Continuity and Disaster Recovery Plan

As far as possible, the outsourcing activities should be allocated to different service providers depending on the business requirements such that system will not become dependent on single service provider at any given point of time. The aggregate exposure to a particular service provider should be taken into account in case various activities are handled by a particular service provider. In order to manage and minimize Operational Risk, the service provider should have an effective internal control function commensurate with the level of perceived risk. It will be the responsibility of the committee to ensure these aspects before awarding contract to the service provider.

In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the Bank shall retain an appropriate level of control over the outsourcing arrangements and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Bank and its services to the customer.

Outsourcing often leads to sharing of facilities operated by the service provider. The Bank shall ensure that service providers are able to isolate the Bank’s documents, information, records, and other assets. This is to ensure that in adverse conditions, all documents, records of transactions and information given to the service provider and assets of the Bank, can be removed from the possession of the service provider in order to continue its business operations.

Outsourcing Process

Criteria for selection of activities to be outsourced

The following criteria would be applied while determining the activities to be outsourced:

Activity is carried out by third party.
It is a financial services activity normally to be undertaken by the Bank itself.
It is a financial services activity material to the operations of the Bank (Materiality of the activity will be determined by the ORMC)
Bank decides the scope of such activities/outcome/deliverables to the entity to which the activity is assigned.
Bank does not directly supervise activities on a day-to-day basis.
Activity performed from the Bank’s premises also to be considered as outsourcing (excluding such activities where the service provider is only providing manpower)

Approval Process

Outsourcing arrangements related to financial activities are placed before the ORMC for approval by the proposer of outsourcing arrangement post obtaining sign off from review and recommendation departments.

The Bank shall adhere to the following process for both new / renewal arrangements:

Proposer of Outsourcing Arrangement	Department Head / Product Head
Review and Recommendation Departments	Risk Management, and Compliance Departments
Approver	ORMC

The proposer of outsourcing arrangement shall initiate the outsourcing note that would provide the following details:

Description of Activity to be outsourced,
Justification / need for outsourcing,
Risk factors involved in the outsourcing process such as strategic, reputation, legal, compliance, operational and counterparty risk etc.,
Statement of cost benefit analysis based on projected,
Common industry practices,
Regulatory Compliances, if any,
Parameters of materiality of outsourcing as per section 7 of the policy, which if disrupted, will have the potential to significantly impact the business operations, reputation, or profitability etc.

The proposer of outsourcing arrangement would discuss the outsourcing note with the ‘recommendation departments’ and obtain concurrence from head of departments before placing the note to the ORMC for approval.

The ORMC after due deliberations, may carry out one of the following actions:

Approve the outsourcing arrangement,
Approve the outsourcing arrangement subject to resolution of follow-up items,
Approve the outsourcing arrangement subjection to limitations and / or conditions,
Require the proposal to be re-submitted after additional working,
Decline the outsourcing arrangement.

The ORMC decisions must be based on consensus and shall be documented by way of physical sign off from all committee members participating. The decision of the committee, along with modifications suggested / reasons for rejection or deferment shall be appropriately recorded at the time of the meeting by the business / operations department in a standard template and circulated to all members via email. After obtaining approval from the ORMC, respective departments would be responsible for implementing the decision by floating RFP or identifying service providers to obtain quotation.

Evaluation of Service Provider

Pre-outsourcing Assessment

Selection of service provider will be ensured through due diligence and review of the following parameters by the responsible unit:

Competence – Qualitative and Quantitative,
Financial strength / business strategy and strength including operational, reputation and external factors,
Market survey on service provider through background checks, feedback on track record from users / clients,
Infrastructure facilities,
Compliance with regulatory/statutory guidelines,
Security and internal control assessment, audit coverage, reporting and monitoring and business continuity management,
Outsourcing costs,
Outstanding or potential litigation,
Customer service standards,
Past defaults / complaints,
Compliance with the pre-outsourcing assessment form.

Every service provider eligible to apply for the outsourcing arrangement will be required to submit requisite documents in the prescribed format as described by the bank from time to time.

The Outsourcing Agreement

The terms and conditions governing the contract between the service provider and the bank should be carefully defined in written agreement and vetted by the Legal department for legal effect and enforceability. The agreement should address the risk and risk mitigation strategies considered by the Bank and should be sufficiently flexible to allow the unit to retain an appropriate level of control over the outsourcing and the right to intervene to ensure legal and regulatory obligations.

The concerned head of business / operations department is authorized to execute the agreement as per the standard format. Additions/deletions of any clause from the standard agreement, if any, due to business specific reasons, would be carried out in consultation with the approval of the Head of Legal.

Refer Annexure 2 for details of key sections that should be part of the outsourcing agreement, at minimum.

Monitoring and Control of Outsourced Activities

Periodic Evaluation of Service Provider

On an annual basis or shorter intervals, if need be, the ORMC will perform a review of the service provider to assess the financial and operational condition, performance during the year and re-assess the capabilities of the service provider/vendor on the basis of:

Past breaches of performance standards, confidentiality and security and business continuity preparedness, if any,
Business practices and process,
Mis-selling and fraud,
Compliance with related manuals,
Compliance with applicable laws and regulations,
Compliance with post outsourcing evaluation form,
A confirmation on the statutory registrations along with a declaration on statutory registrations to be obtained from the service provider.
Service provider organization structure, infrastructure, management strength, and management controls should be reviewed.
Feedback report of the reviews needs to be maintained and stored with local operations.

The ORMC will be authorized to amend and suitably lay down evaluation criteria from time to time. The ORMC on a periodic basis may also authorize surprise checks and audits of the service provider any authorized personnel from the Bank.

In case the service provider does not perform satisfactorily during the period, the bank may decide to terminate the agreement in line with the clauses of the agreement executed with the service provider. The bank would maintain a list of terminated agencies and promoters. In case of termination of vendor, the compliance department will intimate the Indian Banking Association (IBA) with the reasons for terminations.

Other Regulatory Requirements

The following regulatory requirements are to be fulfilled by the relevant departments before outsourcing an activity to the service provider.

Service Provider should seek prior approval of the Bank (relevant department, outsourcing the activity) for use of sub-contractors for all or any part of the outsourced activity. Relevant department should ensure that the sub-contracting arrangements are compliant with the extant regulatory guidelines on outsourcing.
In cases like outsourcing of cash management services, involving reconciliation of transactions, service provider/sub-contractor should ensure that reconciliation of transactions between the Bank and service provider (and/ or its subcontractor) are carried out in a timely manner.
An ageing analysis of such entries pending reconciliation with outsourced service providers should be placed before the Audit Committee of the Board (ACB).
Internal audit department should conduct an audit of outsourced activities and submit the report to ACB.
Internal audit department would submit an ‘Annual Compliance Certificate’ giving particulars of outsourcing contracts, periodicity of audit by internal/ external auditor, major findings of the audit and action taken through Board, to the Chief General Manager in-Charge, Department of Banking Supervision, Central Office, Reserve Bank of India, Mumbai.

All products literature/ brochures etc. should have a clause stating that Bank may use the services of agents in sales/ marketing etc., of the products. The role of agents, if any should also be indicated in broad terms.

Reporting to ORMC

The status of all outsourcing contracts will be reported to ORMC on a periodic basis by the Compliance department.

Refer Annexure 3 for details to be reported to ORMC.

Internal Audit of Service Provider

The internal audit department would ensure regular audits to assess the adequacy of risk management practices adopted in overseeing and managing the outsourcing arrangement, the Bank’s compliance with its risk management framework and the requirements of these guidelines.

The Internal Audit department would prepare Annual Compliance Certificate giving particulars of outsourcing contracts, prescribed periodicity of audit, major findings and action taken and place it before the Board for approval. The Annual Compliance is to be submitted to RBI in the prescribed format on or before June 30th of the year. Refer Annexure 4 for prescribed format.

Grievance Redressal Mechanism

The Grievance Redressal Mechanism of customers coming through partner of the Bank should be ruled as per Grievance Redressal policy of the Bank approved on 14th June 2021.

Confidentiality and Security

Public confidence and customer trust in the Bank is a prerequisite for the stability and reputation of the Bank. Hence the responsible unit should seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider.
Access to customer information by the staff of the service provider should be on ‘need to know’ basis i.e., limited to those areas where the information is required in order to perform the outsourced function.
The responsible unit should ensure that the service provider is able to isolate and clearly identify/demarcate the Bank’s customer information, documents, records, and assets to protect the confidentiality of the information. In instances where the service provider acts as an outsourcing agent for multiple banks, care should be taken to build strong safeguards so that there is no missing link of information/documents, records, and assets.
The responsible unit must review and monitor the security practices and control processes of service providers on a regular basis and require the service provider to disclose security breaches.
The responsible unit should immediately notify to compliance department & committee in the event of any breach of security and leakage of confidential customer related information. In these eventualities the Bank will be liable to its customer for any damage. The compliance department may report such instances to RBI as they deem fit with the prior approval of MD/ORMC.

Annexure

Annexure 1: Materiality Assessment Template

Name of the activity:

Description of the Activity:

Proposer of Outsourcing Arrangement:

Date of Assessment:

S. No.	Criteria	Yes / No
I. Customer
1	Will the outsourcing activity require the service provider to face the customer on behalf of the Bank?
2	Will the activity require the service provider to handle customer(s) financial instruments/contract documents directly on behalf of the Bank?
3	Is the service provider the only customer contact for the particular activity?
II. Regulatory
4	Are there any specific regulatory guidelines required to be followed for this activity other than the RBI guidelines on Outsourcing?
5	Does the activity require the Bank to share customer information with the outsourced service provider or whether it impacts on data privacy/security norms?
6	Are there any adverse comments made by RBI or internal audit issues (open level 1 or level 2 issues) in their last inspection/audit on outsourcing of the activity or any service provider performing this activity?
III. Exposure
7	Will the failure of the service provider to perform this activity directly affects the income of the business group?
8	Will the outsourcing of this activity have an impact on the solvency, liquidity, funding, and capital of the Bank?
9	Cost of outsourcing of this activity (annualized) – value of the contract, fees to be paid to the outsourced agency, etc. (A)	Please put the value in INR lakh
	Total operating cost of the Bank (B)	Please put the value in INR lakh
	Is the percentage of A on B greater than 2%?
IV. Concentration
10	Is there only a particular service provider available for this activity?
V. Brand Reputation
11	Will the failure or inadequate performance of the service provider impact the brand value/ reputation of the Bank?
12	Any adverse national level media report or strictures from the High Court or above or any financial sector regulator in the past six months against the activity?
VI. Criticality (over-riding factors)
13	Will the failure or inadequate performance by the service provider have a material impact in meeting its obligations to its stakeholders (customers, regulators, and investors) including adverse impact on the customer service?
14	Will the failure or inadequate performance by the service provider have a material impact in meeting the regulatory requirements by the Bank?
Total (number of “yes”)

Remarks: The activity would be termed as material if either

The number of rows marked under the “YES” column is 5 or more,

Answer to either points 13 or 14 is marked as “YES” (Positive answer to points 13 or 14 would override the scoring requirements)

Annexure 2: Outsourcing Agreement

The following sections must form a part of the outsourcing agreement.

Parties to the agreement: Who are the parties involved, commencement of the agreement and tenure of the agreement?
Nature of relationship: Agreement should bring out the nature of legal relationship between both parties.
Description of services: Indication of what services are to be covered under the agreement along with contingency plan to ensure business continuity.
Employee section: Major responsibilities of service provider with regards to its employees. The service provider should have an appropriate code of conduct in place with the provision of punitive action in case of any breach by the employees.
Related services: Any related services that the organization feels the service provider should provide must be covered in this part.
Service level: The required service level and penalties for not adhering to the same to be covered in this section.
Sub-contract: This section should mention the prior approval/consent of the unit is required for use of subcontracts by the service provider for all or part of an outsourcing activity. If the unit chooses to accord such consent for subcontracting, the Service provider shall contractually be liable for any breaches by the sub-contractor.
Remedial actions: This section should specify remedial actions for not adhering to the agreed service levels including performance standards, data confidentiality and breach of secrecy requirements including leakage of customer related information, other restrictions as maybe deemed necessary by the Unit in respect of use of the Bank logo/brand.
Access to information: The agreement should clearly enable the Unit to access all book records and information relevant to outsourcing activity available with service provider.
Disclosure with respect to arm’s length distance: A disclosure should be made in agreement with respect to having arm’s length between the Unit and service provider (in respect with outsourcing activities covered as per RBI guidelines on outsourcing) in terms of infrastructure, manpower, decision making, record keeping etc., for avoidance of potential conflict of interests.
Reviews: The frequency of review to be carried out by the Unit should be specified in this section. Further the agreement should provide for continuous monitoring and assessment by the Unit of the service provider so that any necessary corrective measures can be taken immediately.
Audits: This section should provide the unit of the following:
The right to conduct audits on the service provider whether by its internal or external auditors or by its agents.
Oversee and manage its activities whether the service provider is located in India or abroad.
Assessment by regulator: Agreement should include clauses to allow the relevant regulator or persons authorized by it to access the Unit’s documents, records of transaction and other necessary information given to, stored, or processed by the service provider within a reasonable time.
Training: Arrangements related to training of service provider’s staff to be mentioned in this part.
Fees: This section should cover the fees payable for each activity performed by the service provider.
The service provider’s obligation: This section would cover regulatory compliance on the part of service provider; in particular compliance with respect to the Contract Labour Act and other Labour Laws to be fulfilled by the service provider should be specified clearly. Under no circumstances can the outsourced vendor charge anything directly from the customer for the services provided by the Bank.
Dispute resolution clause: This section should describe the escalation matrix for any dispute and resolution mechanism.
Termination clause: This section should have termination trigger in the SLA for breach of SLA.
Confidentiality: This section should put onus on the Service Provider to keep client confidentiality and adhere to the requirements on confidentiality imposed by unit and the relevant regulator of each Unit.
Indemnity: This section provides the Bank from all liabilities incurred due to violation of Intellectual Property Rights, Copyrights or any other legal, statutory, or regulatory requirements, arising from acts, omissions, errors, misconduct, or negligence of the service provider.
Limitation of liability: This section protects the Bank from liability of exemplary or consequential damages to the service provider, which may arise while carrying out duties for the Bank or on termination of the service provider.
Records: This section should provide for preservation of documents and data by the Service provider in accordance with the legal/regulatory obligation of the Unit in this regard.
General provisions: This section should outline the broad rules regarding preservation, nondisclosure and confidentiality of all documents/data entering the service provider’s premises even after expiry or termination of the contract.
Jurisdiction and Arbitration: This section should include the clause for the process of jurisdiction and arbitration of the outsourced services. The parties submit all their disputes arising out of or in connection with this Agreement to the exclusive jurisdiction of the Courts of []".