Outsourcing Policy 29042017


OUTSOURCING POLICY

Updated April, 2017

Strategy and Business Development Department


Table of Contents

1. Introduction
2. Scope of the Policy
3. Definition of Outsourcing
3.1. Indicative list of activities that can be outsourced
3.2. Activities that should not be outsourced
3.3. Activities outsourced by the Bank
4. Risk arising out of outsourcing
5. Management of risks
5.1. General Appraisal
5.2. Appraisal / Selection of the Service Provider
5.3. Risk Examination, Evaluation and Measurement
5.4. Materiality of Outsourcing
5.5. Post Outsourcing Appraisal / Monitoring and Control of Outsourced Activities
5.6. The Outsourcing Agreement
5.7. Service Level Agreements (SLAs) and Performance Metrics
5.8. Periodic Risk Assessment, Audit and Reviews
5.9. Business Continuity Planning
5.10. Confidentiality and Security
6. Roles and Responsibility
6.1. Board of Directors
6.2. Senior Management
6.3. Departments at CHQ (General)
6.4. Individual Departments
7. Accounting & Expenditure
7.1. Reconciliation of Transactions
8. Delegation of Powers for approving Outsourcing Activities
9. Responsibilities of DSA/DMA/Recovery Agents
10. Redressal of Grievances related to Outsourced Services
11. Centralized List of Outsourced Agents
12. Off-shore Outsourcing of Financial Services
13. Outsourcing within a Group/Conglomerate
14. Self Assessment of Existing / Proposed Outsourcing Arrangements
15. Review of the Policy


1. Introduction:

1.1 The rapid expansion and growth of the banking industry, centralization, technological transformation, the need to focus on core services and the introduction of new services have influenced the need for outsourcing in banks. Apart from cost savings and access to specialist expertise not available internally, outsourcing remains a preferred route for achieving strategic aims, an efficient delivery mechanism and excellence in selected business processes.

1.2 However, outsourcing has also exposed banks to various risks.

1.3 Recognizing the need for banks to outsource some selected activities, the Reserve Bank of India has put in place comprehensive guidelines for addressing the risks to which banks would be exposed on account of engaging any outsourcing agency.

1.4 The outsourcing policy of our bank, based on the RBI guidelines, has been devised to safeguard the interests of the bank and its customers by adopting sound and responsive management practices through due diligence and management of the risks arising from outsourcing activities.

1.5 The guidelines are applicable to outsourcing arrangements entered into by the bank with service providers located in India as well as with foreign service providers.

2. Scope of the Policy


The policy incorporates the criteria for selection of the activities
that may be outsourced, risks arising out of outsourcing,
management of these risks, delegation of powers, etc. The policy
shall apply to activities outsourced to service providers and mutatis
mutandis to activities subcontracted by the service providers.

3. Definition of Outsourcing

For the purpose of this policy, Outsourcing shall refer to the bank's use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis (including agreements for a limited period) that would normally be undertaken by the bank, now or in the future. The activities shall refer to outsourcing of financial services and technology-related issues, and of activities not related to banking services such as use of couriers, catering for staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc. Moreover, audit-related assignments to Chartered Accountant firms will continue to be governed by the instructions/policy laid down by the Department of Banking Supervision of RBI.
3.1. Indicative list of activities that can be outsourced.

Financial services that can be outsourced by the bank may include application processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities. An indicative list of activities that may be considered for outsourcing shall be as under:

• Opening, settlement and closing of accounts.
• Issue and processing of Cheques.
• Managing of Customer queries (Call Centers).
• Recruitment, Selection and Training of Personnel.
• Administration of Payroll and Taxation.
• Marketing of bank products.
• Cross Selling of Bank Products like Insurance and Mutual Funds.
• Credit Card and Debit Card customer acquisition / queries.
• Sourcing and lead generation.
• Cash management & collections.
• Technology infrastructure management, maintenance & support.
• Application development, maintenance and testing.

The above list is indicative only and not exhaustive. Additional activities within the definition of outsourcing can also be outsourced by the bank.

3.2. Activities that should not be outsourced.


Core management functions including Internal Audit, Compliance
Function and Decision-making functions like determining compliance
with KYC norms for opening deposit accounts, according sanction for
loans (including retail loans) and management of investment portfolio
shall not be outsourced by the bank.

3.3. Activities outsourced by the bank:

Presently the following services/activities have been outsourced by the bank.

a) Point of Sale (POS) & Credit/Debit Card acquisition, issuance and reconciliation:

The bank has an agreement with:
Worldline, Mumbai and MRL Posnet, Chennai for installation of POS and backend support;
Master Card Technology Pvt. Ltd., Pune for Credit Card issuance and back end support;
Oberthur Technologies Pvt. Ltd., Noida for Debit/Credit Card personalization; and
Insolutions Global Pvt. Ltd., Mumbai for Debit Card reconciliation.

The concerned department for Management, Monitoring and Control of the outsourced activity/function is Card Issuing & Acquiring Department, CHQ.

b) Engagement of Business Correspondents (BCs) for financial inclusion:

The bank has engaged 942 Business Correspondents (BCs) for customer interface and for providing other banking services under the Financial Inclusion Plan.

The concerned department for Management, Monitoring and Control of the outsourced activity/function is Financial Inclusion Department, CHQ.

c) ATM Management Services

The bank has an agreement with M/s Diebold Systems Private Ltd, Mumbai for outsourcing of Cash Management Services of ATMs. Presently, out of 1090 ATMs, the bank has outsourced the management of 291 ATMs to M/s Diebold Systems Private Ltd.

The concerned department for Management, Monitoring and Control of the outsourced activity/function is Strategy & Business Development Division, CHQ.

4. Risk arising out of outsourcing

Outsourcing of financial services exposes a bank to a number of risks which need to be evaluated and effectively managed and mitigated. The key risks that may arise due to outsourcing are:

• Strategic Risk - The service provider may conduct business on its own behalf in a manner that is inconsistent with the overall strategic goals of the bank.
• Reputation Risk - Poor service from the service provider, or customer interaction by the service provider that is not consistent with the overall standards of the bank.
• Compliance Risk - Privacy, consumer and prudential laws may not be adequately complied with by the service provider.
• Operational Risk - Arising due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations and/or provide remedies.
• Legal Risk - Includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
• Exit Strategy Risk - This could arise from over-reliance on one firm, the loss of relevant skills in the bank itself preventing it from bringing the activity back in-house, and contracts entered into wherein speedy exits would be prohibitively expensive.
• Counterparty Risk - Due to inappropriate underwriting or credit assessments.
• Country Risk - Due to the political, social or legal climate of the country where the service provider is located.
• Contractual Risk - This risk arises from the inability, or limited ability, of the bank to enforce the contract with the service provider.
• Access Risk - Arises when one or more actions or permissions, when available to a single user (or single role, profile or HR object), create the potential for fraud or unintentional error.
• Concentration and Systemic Risk - Due to lack of control of the bank over a service provider, more so when the overall banking industry has considerable exposure to one service provider. The failure of the service provider to provide the desired services covered by the terms of the agreement, or any non-compliance with legal / regulatory requirements by the service provider, can lead to reputational or financial loss for the bank, which can trigger a systemic risk in the banking system as such.

The imperative therefore will be securing effective management by the bank for mitigation of these risks.

5. Management of risks
To enable sound and responsive risk management practices for
effective oversight, due diligence and management of risks arising
from outsourcing activities, all concerned departments which decide
to outsource a financial activity /service shall follow the below
mentioned principles applicable to arrangements entered into by the
bank with the service provider. A well defined structure of roles &
responsibilities discussed hereinafter shall be in place to decide on
the activities to be outsourced, selection of service provider, terms &
conditions of outsourcing and monitoring mechanism etc.

5.1. General Appraisal:

• Prior approval from RBI shall not be required, whether the service provider is located in India or outside India.
• While outsourcing a financial activity, the Bank shall consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration.
• In respect of outsourced services relating to credit cards, RBI's detailed instructions contained in its circular on credit card activities vide DBOD.FSD.BC. 49/24.01.011/2005-06 dated 21st November 2005 and subsequent guidelines/modifications thereof shall be applicable.
• The Bank shall retain ultimate control of the outsourced activity, as outsourcing of any activity by the Bank does not diminish its obligations, or those of its Board of Directors and Senior Management, who have responsibility for the outsourced activity. The Bank shall therefore remain responsible for the actions of its service providers, including Direct Sales Agents / Direct Marketing Agents and recovery agents, and for the confidentiality of customer information that is available with the service provider.
• Outsourcing arrangements shall neither diminish the Bank's ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI. The Bank shall therefore ensure that the service provider employs the same high standard of care in performing the services as would be employed by the Bank if the activities were conducted within the Bank and not outsourced.
• The Bank shall not engage in any outsourcing that would result in its internal control, business conduct or reputation being compromised or weakened.
• The Bank shall ensure that the service provider does not impede or interfere with the ability of the Bank to effectively oversee and manage its activities, nor impede RBI in carrying out its supervisory functions and objectives. Therefore, the right of the Bank and RBI to access all books, records and information available with the service provider should remain protected.
• The Bank shall continue to have a robust grievance redressal mechanism, which shall not be compromised on account of outsourcing. Outsourcing arrangements shall not affect the rights of the customer against the Bank, including the ability of the customer to obtain redress as applicable under relevant laws. Since customers are required to deal with service providers in the course of dealing with the Bank, the Bank shall incorporate a clause in its product literature / brochures etc. stating that it may use the services of agents in the sales / marketing etc. of its products.

While outsourcing to a related party (i.e. a party within the Group / Conglomerate), the Bank shall adopt the same risk management practices as in the case of service providers external to the corporate group.

5.2. Appraisal / Selection of Service Provider:

While outsourcing an activity, or renewing an outsourcing contract, with a service provider, the Bank shall take into consideration:

• That the Service Provider, if it is not a subsidiary of the Bank, is not owned or controlled by any Director or Officer / Employee of the Bank or their relatives, "relative" having the same meaning as assigned under Section 2 (77) of the Companies Act, 2013.
• The capability of the service provider to comply with obligations in the outsourcing agreement, considering:
o Qualitative, quantitative, financial, operational and reputational factors;
o Compatibility with the Bank's own systems;
o Ability to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. The service provider shall periodically test its Business Continuity and Recovery Plan, and the Bank shall conduct occasional joint testing and recovery exercises with the service provider;
o Ability to isolate the Bank's information, documents, records and other assets. This is to ensure that, in adverse conditions, all documents, records of transactions and information given to the service provider, and assets of the Bank, can be removed from the possession of the service provider in order to continue the Bank's business operations, or can be deleted, destroyed or rendered unusable. Where the service provider acts as an outsourcing agent for multiple banks, care shall be taken to build strong safeguards so that there is no commingling of information, documents, records and assets.
• A multiple service provider relationship / contract (where two or more service providers collaborate to deliver an end-to-end solution to the Bank) shall be possible under the following scenarios:
o One service provider shall be designated as the 'Lead Service Provider' to manage the other service providers;
o The concerned department of the Bank may independently enter into stand-alone contracts with each service provider.

The concerned department of the Bank that selects one of the above or any other contractual relationship shall, however, remain responsible for understanding and monitoring the control environment of all service providers that have access to the Bank's systems, records or resources.

5.3. Risk Examination, Evaluation and Measurement:

• While negotiating / renewing an outsourcing arrangement, the concerned department shall perform due diligence to assess the capability of the technology service provider to comply with obligations in the outsourcing agreement. In order to examine the capability on the above points, an evaluation shall be conducted of all available information about the service provider, including but not limited to:
o Past experience and competence to implement and support the proposed activity over the contracted period;
o Financial soundness and ability to service commitments even under adverse conditions;
o Business reputation and culture, compliance, complaints and outstanding or potential litigation;
o Standards of performance, including in the area of customer service;
o Security and internal control, audit coverage, reporting and monitoring environment, and business continuity management;
o External factors such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates, and other events that may impact the service provider's operations and service performance;
o Business continuity arrangements in case of technology outsourcing;
o Due diligence for sub-service providers;
o Risk management framework and alignment to applicable international standards on quality / security / environment, etc., may be considered;
o Secure infrastructure facilities;
o Employee training and knowledge transfer;
o Reliance on, and ability to deal with, sub-contractors.
Wherever possible, the Bank shall obtain independent reviews and market feedback on the service provider to supplement its own findings. It should be ensured that the information used for due diligence is not more than 12 months old.
• The Bank shall avoid undue concentration of outsourcing arrangements with a single service provider.

Public confidence and customer trust in the Bank are a pre-requisite for the stability and reputation of the Bank. Hence the Bank shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. As such, access to customer information by staff of the service provider shall be on a "need to know" basis, i.e. limited to those areas where the information is required in order to perform the outsourced function. While selecting a service provider, the concerned department shall identify the functions to be outsourced along with the necessary controls and solicit responses from prospective bidders via an RFP process. Proposals submitted by service providers shall be evaluated by the concerned department in light of its needs. Any differences between the service provider proposals and the solicitation shall be analyzed carefully. Due diligence undertaken during the selection process shall be documented and re-performed periodically as part of the monitoring and control processes of outsourcing.

All concerned departments that decide to outsource a financial activity / service shall perform a risk evaluation prior to entering into an outsourcing agreement, and shall review it periodically in the light of known and expected changes, as part of the strategic planning or review processes.

The framework for risk evaluation should include the following steps:
• Identification of the role of outsourcing in the overall business strategy and objectives, and inter-linkages with the Bank's strategic goals;
• Comprehensive due diligence on the nature, scope and complexity of the outsourcing to identify the key risks and risk mitigation strategies; e.g. in the case of technology outsourcing, the state of security practices and the control environment offered by the service provider is a key factor;
• Analysis of the impact of such an arrangement on the overall risk profile of the Bank, and whether adequate internal expertise and resources exist to mitigate the risks identified;
• Analysis of the risk-return on the potential benefits of outsourcing vis-à-vis the vulnerabilities that may arise.

The concerned department should evaluate vendor-managed processes or specific vendor relationships as they relate to information systems and technology. All outsourced information systems and operations shall be subject to risk management and security and privacy policies that meet the Bank's own standards and those mentioned in the extant Information Security Policy of the Bank.

5.4. Materiality of outsourcing

During Annual Financial Inspections (AFI), RBI will review the implementation of the outsourcing policy guidelines to assess the quality of related risk management systems, particularly in respect of material outsourcing. Material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation or profitability of the Bank.

Where the Bank relies on third-party employees to perform key banking functions such as application processing, verifications, approvals, etc. on a continuous basis, such outsourcing shall also be construed as 'material', whether or not the personnel are located within the premises of the Bank.

Keeping in view the above, once the financial activity to be outsourced and its service provider have been selected, the Bank shall assess the materiality of the outsourcing based on:

• Size and scale of the operations which are outsourced;
• The level of importance to the Bank of the activity being outsourced;
• The potential impact of the outsourcing on the Bank on various parameters such as cost of outsourcing as a proportion of total operating costs, earnings, solvency, liquidity, funding, capital and risk profile;
• The likely impact on the Bank's reputation and brand value, and on its ability to achieve its business objectives, strategy and plans, if the service provider fails to perform the service;
• Nature of the functions outsourced;
• Nature and extent of data sharing involved. For example, where outsourcing involves sharing of customer data, the engagement may be 'material';
• Degree / extent of control and oversight exercised by the Bank on vendor-managed processes. For example, the ability of bank staff to design and influence day-to-day operations and decision making, and whether bank staff are able to exercise sufficient oversight over the day-to-day activities performed by outsourced agencies;
• Degree of control exercised by the Bank on outsourced entities, regardless of a conglomerate entity structure;
• Impact on data privacy and security, e.g. whether access to customer data has to be extended to staff of the service provider;
• Whether the Bank has adequate flexibility to switch service providers, so that the risk of being tied to a single service provider is adequately mitigated;
• The aggregate exposure to that particular service provider, in cases where the Bank outsources various functions to the same service provider.

The concerned departments of the Bank outsourcing any activity shall undertake a periodic review of their outsourced processes to identify new outsourcing risks as they arise, for example when the service provider has further subcontracted work to other service providers or has undergone a significant change in processes, infrastructure or management.

The materiality of an outsourcing arrangement shall be considered both at the level of the Bank as a whole and on a consolidated basis, i.e. the Bank as a whole together with its branches and the entities / subsidiaries under its control.
5.5. Post Outsourcing Appraisal / Monitoring and Control of outsourced activities

In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, and in order to establish a structure for the management and control of outsourcing, the concerned department of the Bank shall:

• Retain an appropriate level of control over its outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Bank and its services to customers.
• Establish a viable contingency plan that considers the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.
• Maintain a central record of all material outsourcing, including technology outsourcing and sub-service provider relationships, that is readily accessible for review by the Board and senior management of the Bank. The records should be updated promptly and half-yearly reviews should be placed before the Board.
• Review, at least on an annual basis, the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
• Review and monitor the security practices and control processes of the service provider on a regular basis, and require the service provider to disclose security breaches.
• Immediately and pro-actively notify RBI in the event of any adverse developments or non-compliance with legal and regulatory requirements in an outsourcing arrangement, or breach of security or leakage of confidential customer-related information. In these eventualities, the Bank would be liable to its customers for any damage.
• In the event of outsourcing of technology operations, subject the same to enhanced and rigorous change management and monitoring controls, since ultimate responsibility and accountability rest with the Bank. The concerned department should control the management of user IDs created for use by external vendor personnel. As a contingency measure, the department should also endeavour to develop, over a period of time, a reasonable level of skills / knowledge in various technology-related areas such as system administration, database administration, network architecture and administration, etc., to effectively engage with the vendors and also to take over these functions in the event of any contingency.
5.6. The Outsourcing Agreement.

• The terms and conditions governing the contract between the Bank and the service provider shall be carefully defined in written agreements and vetted by the Bank's legal counsel for their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies identified at the risk evaluation and due diligence stages. The agreement should provide for periodic renewal and re-negotiation, and be sufficiently flexible to allow the Bank to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement should also bring out the nature of the legal relationship between the parties, i.e. whether agent, principal or otherwise. The contract should clearly define the roles and responsibilities of the parties to the contract and include suitable indemnification clauses. Any 'limitation of liability' consideration incorporated by the service provider should be assessed in consultation with the legal department of the Bank.

Some of the key provisions of the contract would be:

• The contract shall clearly define the activities that are being outsourced, including appropriate service and performance standards. Key performance metrics should be defined for each activity to be outsourced, as part of the overall Service Level Agreement.
• The Bank must ensure that it has the ability to access all books, records and information relevant to the outsourced activity available with the service provider. For technology outsourcing, the requisite audit trails and logs for administrative activities should be retained and made accessible to the Bank based on approved requests.
• The contract should provide for continuous monitoring and assessment of the service provider by the Bank, so that any necessary corrective measures are taken immediately.
• A termination clause and minimum periods to execute a termination provision, if deemed necessary, should be included.
• Controls to ensure customer data confidentiality and the service provider's liability in case of breach of security and leakage of confidential customer-related information; and contingency plans, and testing thereof, to ensure business continuity.
• The outsourcing agreement should:
o Provide for the prior approval / consent by the Bank of the use of sub-contractors by the service provider for all or part of an outsourced activity. Before giving its consent, the Bank shall review the subcontracting arrangements and ensure that these arrangements are compliant with the extant guidelines on outsourcing. The Bank shall retain the same degree of control and oversight over the sub-service provider as over the service provider.
o Specify the resolution process, the events of default, the indemnities involved and the remedies and recourse of the respective parties to the agreement.
o Include choice of law provisions, based on the regulations applicable to the Bank. The agreement should be tailored to provide for specific risks relating to cross-border businesses and operations, data privacy and ownership aspects, among others.
o Provide the Bank with the right to conduct audits on the service provider, whether by its internal or external auditors or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the Bank.
o Include clauses to allow the Reserve Bank of India, or persons authorized by it, to access the Bank's documents, records of transactions and other necessary information given to, stored or processed by the service provider, within a reasonable time. This includes information maintained in paper and electronic formats.
o Include a clause recognizing the right of the Reserve Bank of India to cause an inspection to be made of a service provider of the Bank and its books and accounts by one or more of its officers or employees or other persons.
o Provide that the confidentiality of customer information shall be maintained even after the contract expires or is terminated.
o Include conditions for default termination / early exit from the contract. These should include circumstances where the service provider undergoes a change in ownership, becomes insolvent or goes into liquidation, receives a judicial indictment (whether within India or any other location), or where there has been a breach of confidentiality or security, or a demonstrable deterioration in the quality of services rendered.
o Provide that in all cases of termination (early or otherwise), an appropriate handover process for data and processes is agreed by the parties to the contract.
o Mandate controls to ensure customer data confidentiality and the service provider's liability in case of breach of security and leakage of confidential customer-related information; e.g. use of transaction-enabled mobile banking channels necessitates encryption controls to ensure the security of data in transmission.
o Provide for the preservation of documents and data by the service provider in accordance with the legal / regulatory obligations of the Bank in this regard.

5.7. Service Level Agreements (SLAs) and performance metrics:

o The department of the Bank outsourcing any activity shall include SLAs in the outsourcing contracts to agree and establish accountability for performance expectations. SLAs must clearly formalize the performance criteria used to measure the quality and quantity of service levels.
o The concerned department shall develop the following towards establishing an effective oversight program:
• A document that defines the SLA program
• SLA monitoring process
• Recourse in case of non-performance
• Escalation process
• Dispute resolution process
• Conditions under which the contract may be terminated by either party.

For outsourced technology operations, specific metrics should be defined around service availability, business continuity and transaction security, in order to measure the services rendered by the external vendor organization. The SLA and performance metrics for outsourcing activities in technology operations should be in accordance with the latest Information Technology Operations / Security Policy of the Bank.

Performance expectations, under both normal and contingency circumstances, should be defined. Provisions should be in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider.

5.8. Periodic Risk Assessment, Audit and Reviews

Outsourcing should not impede or interfere with the ability of the
Bank or the Regulator in performing its supervisory functions and
objectives.
The concerned department should conduct pre- and post-outsourcing
implementation reviews. It should also review its outsourcing
arrangements periodically to ensure that its outsourcing risk
management policies, procedures and guidelines are effectively
complied with.
The concerned department should, at least on an annual basis,
review the financial and operational condition of the service provider
to assess its ability to continue to meet outsourcing obligations. Such
due diligence reviews, which should be based on all available
information about the service provider including reports by the
service provider’s external auditors, should highlight any
deterioration or breach in performance standards, confidentiality and
security, and in business continuity preparedness.
The department should periodically commission independent audit
and expert assessments on the security and control environment of
the service provider. Such assessments and reports on the service
provider should be performed and prepared by the bank’s internal or
external auditors, or by agents appointed by the bank.
Such reviews should take adequate cognizance of historical
violations or issue remediation during previous audits and
assessments. Copies of previous audits and assessments should be
shared during RBI inspections.

5.9. Business Continuity Planning


The concerned department should ensure that their business
continuity preparedness is not adversely compromised on account of
outsourcing. The department should adopt sound business continuity
management practices as issued by RBI & as per Business Continuity
Policy of the bank and seek proactive assurance that the outsourced
service provider maintains readiness and preparedness for business
continuity on an ongoing basis.
The department, while framing a viable contingency plan, should
consider the availability of alternative service providers or the
possibility of bringing the outsourced activity back in-house in an
emergency (for example, where the number of vendors for a particular
service is extremely limited), together with the costs, time and
resources that would be involved, and take suitable preparatory action.

5.10. Confidentiality and Security

The outsourcing department should proactively identify and
specify the minimum security baselines to be adhered to by the
service providers to ensure confidentiality and security of data. This
is particularly applicable where third party service providers have
access to personally identifiable information and critical customer
data.
The department shall take the following steps to ensure that risks
with respect to confidentiality and security of data are adequately
mitigated:
• Address, agree and document specific responsibilities of the
respective parties in outsourcing to ensure adequacy and
effectiveness of security practices, including identifying
obligations and liability in the event of a breach or default.
• Discuss and agree on the instances where customer data shall be
accessed and the user groups who will have access to the same.
Access to the Bank’s data should be strictly on a need-to-know
basis.
• Ensure that service provider employees are adequately aware
and informed on the security and privacy policies.

6. Roles and Responsibility

6.1. Board of Directors


The Board of Directors or a Committee of the Board to which
powers are delegated shall be responsible, inter alia, for:-

 Approving a framework to evaluate the risks and materiality of all
existing and prospective outsourcing and the policies that apply to
such arrangements. Laying down appropriate approval structure for
outsourcing depending on risks and materiality.
 Undertaking regular review of outsourcing strategies and
arrangements for their continued relevance, safety and soundness.
 Deciding on business activities of a material nature to be
outsourced, and approving such arrangements.
 Instituting an appropriate governance mechanism for outsourced
processes, comprising of risk based policies and procedures, to
effectively identify, measure, monitor and control risks associated
with outsourcing in an end to end manner.
• Assessing management competencies to develop sound and
responsive outsourcing risk management policies and
procedures commensurate with the nature, scope, and
complexity of outsourcing arrangements, and
• Ensuring that quality and availability of banking services to
customers are not adversely affected due to the outsourcing
arrangements entered in to by the bank.

6.2 Senior Management

The Senior Management of the Bank shall be responsible for:-


 Evaluating the risks and materiality of all existing and
prospective outsourcing, based on the framework approved by the
Board.
 Developing and implementing sound and prudent outsourcing policies
and procedures commensurate with the nature, scope and complexity
of the outsourcing.
 Reviewing periodically the effectiveness of policies and procedures.
 Communicating information pertaining to material outsourcing risks to
the Board in a timely manner.
 Ensuring that contingency plans, based on realistic and probable
disruptive scenarios, are in place and tested adequately.
• Ensuring that there is independent review and audit for
compliance with set policies.
• Ensuring that quality and availability of banking services to
customers are not adversely affected due to the outsourcing
arrangements entered in to by the bank.

6.3. Departments that outsource / intend to outsource an activity.


 Finalize the service activity to be outsourced. Inputs from S&BD
Division, CHQ should be sought to ascertain whether the activity
intended to be outsourced is allowed under regulatory norms and
whether it is covered under the outsourcing activities as defined in the
Bank’s outsourcing policy.
 Defining terms & conditions of outsourcing taking into account the
risk and materiality involved.
 Outsourcing activities related to information technology of the Bank
should be in accordance with the latest Information Security Policy of the
Bank as well as Master guidelines on IT Services Outsourcing issued by RBI.
 Selection/ Short listing of the Service provider/s after carrying out due
diligence of service providers.
 Putting up Outsourcing proposal to Risk Management Department for
evaluation of risk and materiality of outsourcing.
 Putting up the proposal to Operational Risk Management Committee
for approval.
 Providing necessary information to Compliance Department, S&C
Department, KYC /AML Department, Risk Department & S&BD Division
CHQ about all the activities outsourced by them.
 Implementation of agreement with service providers of activities
outsourced by them.
 Review, at least on an annual basis, the financial and operational
condition of the service provider to assess its ability to continue to
meet outsourcing obligations, to highlight any deterioration or breach
in performance standards, confidentiality and security, and in business
continuity preparedness
 Periodically conduct independent audit and expert assessments on the
security and control environment of the service provider. Such
assessments and reports on the service provider shall be performed
and prepared by the Bank’s internal or external auditors, or by agents
appointed by the Bank, particularly keeping in view the clauses
related to security and control in the latest Information Security Policy
of the Bank.
 The reviews to be conducted by the concerned department should
take adequate cognizance of historical violations or issue remediation
during previous audits and assessments. Copies of previous audits and
assessments should be shared during RBI inspections.
 Report to the regulator, where the scale and nature of functions
outsourced are significant, or extensive data sharing is involved
across geographic locations as part of technology / process
outsourcing and when data pertaining to Indian operations are stored/
processed abroad.
 Informing S&BD Division and all other concerned Departments in case
of termination of an outsourced arrangement along with reasons
thereof.
 All outsourcing agreements are to be vetted by the Law Department at
CHQ, Srinagar.

6.4. Roles of individual Divisions / Departments at CHQ.
 S&BD Division:
 Developing Bank’s Outsourcing policy
 Putting up the policy for review of the Board at specified timelines.
 Providing inputs to individual Divisions / Departments, who want to
outsource any activity, about whether the activity is allowed to be
outsourced under regulatory norms/ Banks’ policy & also whether it is
covered under the outsourcing activities as defined in the Banks’
outsourcing policy.
 Informing IBA, along with reasons, about termination of any
outsourcing agreement. The Division shall also ensure that Corporate
Communication Department publicizes the fact of termination for
information of general public.

 Risk Management Deptt. :


 Evaluating the risks and materiality of all existing and prospective
outsourcing activities, based on the Bank’s outsourcing policy.
 Communication of information pertaining to material outsourcing risks
to the Board in a timely manner.
 Ensuring that contingency plans, based on realistic and probable
disruptive scenarios, are in place and tested.

 Undertaking periodic review of outsourcing arrangements to identify
new material outsourcing risks as they arise and to ensure that its
outsourcing risk management policies & procedures, and outsourcing
guidelines, are effectively complied with.
 S&C Department:
 All Divisions/ Departments at CHQ outsourcing a financial activity shall
inform about the performance of the outsourced financial activity to
S&C Deptt on half yearly basis in April & October. S&C Department
shall place a consolidated note before the Board.
 Audit the financial activities being outsourced by the Bank and put up
findings to Board of Directors on annual basis.
 Submit compliance certificate to RBI about outsourced activities by
any department of the bank after its approval/vetting by the Board of
Directors.
 Submit Board approved consolidated Compliance Certificate to RBI on
annual basis giving the particulars of outsourcing contracts, the
prescribed periodicity of audit by Internal/ External Auditors, major
findings of the audit and action taken through Board.
 Customer Care Department:
To designate one of their officers as Grievance redressal officer for
outsourcing and ensuring that one officer is designated as Grievance
redressal officer at each of the Zonal offices of the Bank. The
Department shall also be responsible for publicizing name, location
and contact number of all Grievance redressal officers.
 Law Deptt.: Responsible for vetting of outsourcing agreements/SLAs to
be signed / executed by the bank with the service provider, and for
legal counselling in case of any disputes with the service provider.
 Compliance Department
 Maintenance of central database of all financial activities outsourced
by the Bank.
 KYC/ AML Department:
 Reporting Currency Transactions and Suspicious Transactions
to FIU or any other competent authority in respect of the
bank’s customer related activities carried out by the service
providers.

 Corporate Communication Department:


Corporate Communication Department shall be responsible for giving
due publicity through print media about the fact of termination of any
outsourced arrangement for the information of the General Public. It
shall also disseminate other information about the outsourcing activity
as may be required from time to time for awareness of customers/public
in general.
7) Accounting & expenditure:
 The expenditure incurred on outsourcing the financial activity shall
be debited to the relevant sub Head of the General Ledger
(outsourcing of financial services).
 The concerned department outsourcing the activity shall in
consultation with Finance Department (BST) take up this issue with
T&ISD for opening of the relevant P&L Head.
 The sub-code so created shall also be intimated to S&C Department.
 The Procedure shall be adopted for all existing and fresh financial
activities.

7.1 Reconciliation of Transactions.

Certain cases, like outsourcing of cash management, might
involve reconciliation of transactions between the bank, the service
provider and its sub-contractors. In such cases, the concerned
department of the bank outsourcing such activities shall ensure that
reconciliation of transactions between the bank and the service
provider (and / or its sub-contractor) is carried out in a timely
manner. An age-wise analysis of entries pending reconciliation with
outsourced vendors shall be placed by the concerned department
before the Audit Committee of the Board (ACB) on a half yearly basis,
and the concerned department of the bank shall make efforts to
reduce the old outstanding entries/items therein at the earliest.
8) Delegation of Powers for approving Outsourcing Activities:
Delegation of powers for approving outsourcing activities and
reviewing the same shall remain with the Board of Directors (this is in
compliance with the directions of the Board, Board Resolution No. 7
dated June 15, 2010).
The expenditure / cost to be incurred on any activity of outsourcing
shall be as per the existing powers on cost / expenditure for such type
of activity.

9) Responsibilities of Direct Sales Agents (DSAs)/ Direct Marketing Agents
(DMAs) /Recovery Agents.
Code of conduct for Direct Sales Agents formulated by the Indian
Banks’ Association (IBA), bank’s own codes for Recovery Agents,
bank’s code for collection of dues & extant RBI instructions on Fair
Practice Code for lending should be strictly enforced by the Bank. The
Bank shall ensure that the Direct Sales Agents/Direct Marketing
Agents/Recovery Agents are properly trained to handle their
responsibilities with care and sensitivity, particularly aspects like
soliciting customers, hours of calling, privacy of customer
information and conveying the correct terms and conditions of the
products on offer etc.
The bank and its agents shall not resort to intimidation or
harassment of any kind, either verbal or physical, against any person
in their debt collection efforts, including acts intended to
humiliate publicly or intrude on the privacy of the debtors’ family
members, referees and friends, making threatening and
anonymous calls or making false and misleading representations.
Concerned Departments shall ensure that the list of all recovery agents is
displayed on the Bank’s website.
10) Redressal of Grievances related to Outsourced services.
 An official in Customer Care Department, CHQ shall be
designated as Grievance Redressal Officer for outsourced
activities. Similarly an officer at each Zonal Office shall also be
designated as Grievance Redressal Officer for outsourced
activities. The name and contact number of the designated
Grievance Redressal officers shall be made known and widely
published. Customer care Department, CHQ shall ensure that
these officers are designated at each Zonal Office and their
names/ contact numbers widely publicized.

 The designated officer shall ensure that genuine grievances of
customers are forwarded to the concerned Department, and shall
follow up promptly on remedial actions taken in this regard.

 Generally, a time limit of 30 days shall be given to the
customers for preferring their complaints/grievances. The
grievance redressal procedure of the bank and the time frame
fixed for responding to the complaints shall be placed on the
bank’s website.

 If a complainant does not get a satisfactory response from the
bank within 60 days from the date of lodging the complaint, the
complainant will have the option to approach the office of the
concerned Banking Ombudsman for redressal of his/her
grievance/s.
11) Centralized List of Outsourced Agents.
 If the service provider’s services are terminated by the bank,
IBA will be informed with reasons for termination. IBA would
be maintaining a caution list of such service providers for the
entire banking industry for sharing among banks.
 The concerned Department which terminates an outsourced
arrangement shall inform S&BD Division & other concerned
Departments about the termination of the arrangement along with
reasons thereof. S&BD Division shall forward the information to
IBA/RBI.

12) Off-shore outsourcing of Financial Services.

 The engagement of service providers in a foreign country exposes
a bank to country risk - economic, social and political conditions
and events in a foreign country that may adversely affect the bank.
Such conditions and events could prevent the service provider
from carrying out the terms of its agreement with the bank. To
manage the country risk involved in such outsourcing activities,
the bank shall take into account and closely monitor government
policies, political, social, economic and legal conditions in
countries where the service provider is based, during the risk
assessment process and on a continuous basis, and establish
sound procedures for dealing with country risk problems. The
outsourcing department of the bank shall proactively evaluate
such risk as part of the due diligence process and develop
appropriate mitigating controls, contingency and exit strategies.
In principle, arrangements shall only be entered into with parties
operating in jurisdictions generally upholding confidentiality
clauses and agreements. The governing law of the arrangement
shall also be clearly specified. The outsourcing department should
ensure the following:

 The activities outsourced outside India shall be conducted in a
manner so as not to obstruct or hinder efforts of the bank or
regulatory authorities to perform periodic audits/inspections and
assessments, supervise or reconstruct the India activities of the
bank based on books, records and necessary documentation, in a
timely manner.

 The outsourcing department shall principally enter into
arrangements with parties operating in jurisdictions that generally
uphold confidentiality clauses and agreements.

 The activities shall not be outsourced within jurisdictions where
access to books, records and any other information required for
audit and review purposes may be impeded due to regulatory or
administrative constraints.

 The outsourcing department should notify the Regulator where the
rights of access for the Bank and / or the Regulator are likely to be
impeded.

 Emerging technologies such as data center hosting, applications
as a service and cloud computing have given rise to unique legal
jurisdictions for data and cross border regulations. The
outsourcing department should clarify the jurisdiction for their
data and applicable regulations at the outset of an outsourcing
arrangement. This information should be reviewed periodically and
in case of significant changes made by the service provider.

 The outsourcing related to overseas operations of the bank would
be governed by both these guidelines and the host country
guidelines. Where any differences arise, the more stringent of
the two would prevail. However, where there is any conflict, the
host country guidelines would prevail.

13) Outsourcing within a Group/Conglomerate.

The risk management practices to be adopted by the bank while
outsourcing to a related party (i.e. party within the group/
Conglomerate, including parent or Head office, branch or a group
company, whether located within or outside India) would be identical
to those specified in these guidelines. These requirements should be
addressed as part of group wide risk assessment and management
procedures.

Due diligence on an intra-group service provider may take the form of
evaluating qualitative aspects on the ability of the service provider to
address risks specific to the bank, particularly those relating to
business continuity management, monitoring and control, and audit
and inspection, including confirmation on the right of access to be
provided to RBI to retain effective supervision over the bank, and
compliance with local regulatory standards. The respective roles and
responsibilities of each office in the outsourcing arrangement should
be documented by the outsourcing department in writing in a formal
Service Level Agreement.

14) Self Assessment of Existing / Proposed Outsourcing Arrangements.

The concerned Departments, which have outsourced any activity, shall
conduct a self-assessment of the existing/ proposed
outsourcing agreements within a time bound plan and bring them
in line with the policy guidelines expeditiously. Similarly all other
Departments shall undertake immediate action with regards to the
roles/ responsibilities assigned to them vis-à-vis the existing/ proposed
outsourced activities.

15) Review of the Policy.


The policy will be reviewed at yearly intervals or as and
when considered necessary by the Management/Board of Directors of
the Bank.

*************************************************************