In order to minimise the payments risk associated with non-bank payment system operators (PSOs) outsourcing payment-related activities, the Reserve Bank of India, as stated in February this year, has now issued a framework bringing clarity to the accountability and transparency into the payments activities.
The RBI has also stated that the payment companies are not allowed to outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with know your customer (KYC) norms.
Asserting that it is the PSO who is outsourcing, the central bank said that such an activity by the PSO will not reduce its obligations, and those of its board and senior management, who are ultimately responsible for the outsourced activity. The PSOs are, therefore, liable for the actions of its service providers and shall retain ultimate control over the outsourced activity, said the central bank.
Commenting on this, Mathew Chacko, partner, Spice Route Legal, said that the clarification that the PSO would continue to be liable for the outsourced activities, was expected, but added that it is great to have this clarified. It will lead to clearer outsourcing structures, much like how NBFCs outsource parts of their operations, he added.
The framework has once again focussed on protecting consumer rights by adding that responsibility of addressing the grievances of its customers shall rest with the payments operator, including in respect of the services provided by the outsourced agency.
The PSOs have been asked to comply with these frameworks latest by March 31, 2022.
It is worth noting that a public interest litigation was filed before the Delhi High Court in 2019 questioning the legality of Google Pay’s operations in India, which is related to the outsourcing of services. The petitioner argued that Google Pay does not figure in the list of entities authorised by the RBI to operate a payments system and hence has been operating in an unauthorised manner. The petitioner also raised concerns around Google’s unmonitored and unauthorised access to users’ sensitive personal data such as transaction details, etc., which violated one’s privacy. Google India, on the other hand, maintained its stance that it operates as a ‘technology service provider’ to its partner banks, facilitates payments through the unified payments interface (UPI) infrastructure, and does not perform payment processing and settlement functions.
In response to the court’s notice, the RBI stated that Google Pay is a third-party app provider (TPAP) and does not operate any payment systems.
The RBI has introduced a slew of reforms under the Payments and Settlement System Act for the last few months. In April this year, the central bank enabled regulated payment system operators to take direct membership in central payment systems such as RTGS and NEFT.