Outsourcing of Financial Services by Banks :
Outsourcing is a worldwide phenomenon, finding presence in every industry, including the banking industry. With a view to ensure that the banks
adequately address the risks associated with outsourcing of some of their activities (especially financial services) by banks as also to bring such
outsourced activities under the regulatory purview and protect the interests of the customers, the RBI issued circulars no. DBOD.BP.40 /21.04.158 /2006-07 dated November 3, 2006 on “Managing the Risks and Code of Conduct in Outsourcing of Financial Services by Banks” read with circular DBOD.No.BP.97/ 21.04.158/2008-09 dated December 11, 2008 and circular DBS.CO.PPD.BC.5/ 11.01. 005/2008-09 dated April 22, 2009.
The circular defines “outsourcing” as “a bank’s use of a third party (either an affiliated bank within a corporate group or a bank that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future”. ‘Continuing basis’ would include agreements for a limited period.
The said circular contains detailed requirements in respect of the various aspects related to outsourcing, including:
Activities that should not be outsourced.
Material outsourcing.
Bank’s role and regulatory and supervisory requirements.
Risk management practices for outsourced financial services.
Role of Board of Directors and senior management.
Evaluation of risks.
Evaluating the capability of the service provider.
Outsourcing agreement.
Confidentiality and security.
Responsibility of DSA/ DMA/ Recovery Agents.
Business continuity and management of disaster recovery plan.
Monitoring of outsourced activities.
Redressal of grievances related to outsourced services.
Reporting of transactions to Financial Intelligence Unit.
Off-shore outsourcing of financial services.
Self assessment/ proposed outsourcing arrangements.
Further, paragraph 5.9.3 of the circular envisages that regular audits either by the internal auditors or external auditors of the bank should assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s compliance with its risk management framework and the requirements of these guidelines. The auditor should accordingly undertake procedures necessary to meet these requirements. The scope of the auditor’s procedures would, however, be within the requirements of the SA 402, “Audit Considerations relating to an Entity Using a Service Organisation”.
As per another circular no RBI/2014-15/497 DBR.No.BP.BC.76/ 21.04.158/2014-15 dated March 11, 2015, auditor needs to check that in certain
cases, like outsourcing of cash management, which involve reconciliation of transactions between the bank, the service provider and its sub-contractors reconciliation of transactions between the bank and the service provider (and/ or its subcontractor), are carried out in a timely manner. An ageing analysis of entries pending reconciliation with outsourced vendors was placed before the Audit Committee of the Board (ACB). Auditor should also check the reason for old outstanding items therein.