Legal Framework
INDEX
(I) RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks:
(II) Draft Master Direction – Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023
(III) The Digital Personal Data Protection (DPDP) Act, 2023
The following forms the legal framework under which a bank can engage truHypothesys Risk Solutions as a service provider and share hypothecated loan receivables statements and loan pool data for risk solution services, namely monitoring the security interest of on-lending debt and of loan assets acquired as part of buy-out transactions.
| Guidelines | Reference (Paragraph) | Implications Relevant to TruHypothesys Risk Solutions |
|---|---|---|
| Typically outsourced financial services include applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities etc. | 1.1 | Monitoring of security interest is an important activity when it comes to supervision of on-lending debt as well as loans acquired under pool buy-outs / securitisation. |
| Banks which desire to outsource financial services would not require prior approval from RBI whether the service provider is located in India or outside India | 1.6 (i) | The decision to outsource the specific activity of monitoring security interest or underlying pool loans acquired and availing such services from truHypothesys Risk Solutions will not require explicit prior approval from RBI and is already being addressed by the relevant guidelines. |
| The bank should ensure that the service provider is able to isolate and clearly identify the bank's customer information, documents, records and assets to protect the confidentiality of the information. In instances, where service provider acts as an outsourcing agent for multiple banks, care should be taken to build strong safeguards so that there is no co-mingling of information/documents, records and assets. | 5.6.3 | a) Outsourced activity can involve sharing customer information, albeit with steps to maintain the security and confidentiality of the customer information. This allows sharing of customer information with truHypothesys Risk Solutions while we undertake all necessary measures to ensure security and confidentiality of the customer information being shared. We will ensure necessary controls are put in place so that there is no co-mingling of customer information and required compliance is being met. b) truHypothesys Risk Solutions is allowed to provide similar services to multiple banks. |
Background: RBI had invited comments on the above after it was announced in the Statement on Developmental and Regulatory Policies issued as part of the Monetary Policy Statement dated August 05, 2022, that the RBI will issue a draft Master Direction on Managing Risks and Code of Conduct in Outsourcing of Financial Services.
The draft Master Directions cover many of the existing guidelines on outsourcing of financial services. In addition, new directions are also being reckoned.
| Draft Master Directions | Reference (Paragraph) | Implications Relevant to TruHypothesys Risk Solutions |
|---|---|---|
| REs (regulated entities such as banks) desirous of outsourcing of financial services shall not require prior approval from the Reserve Bank of India (RBI). | 3. (Purpose) | Outsourcing of financial services by banks in compliance with the directions will not require prior approval from the RBI (in the context of appointing truHypothesys Risk Solutions as service provider for monitoring on-lending security interest and such services) |
| Access to customer information by staff of the service provider shall be on "need to know" basis, i.e., limited to those areas where the information is required in order to perform the outsourced function. | 15.2 | This clause implies that banks can share customer information with the service provider such as truHypothesys Risk Solutions for the need to monitor security interest of on-lending debt and loan assets acquired under pool buy-out transactions. |
| Sharing of data by the RE (regulated entity such as bank) with the service provider shall be through secure channels. Both sharing and storage of data with the service provider shall be in an encrypted manner. The RE shall also ensure that there is a structured process in place for secured removal/ disposal/ destruction of data by the service provider. | 15.3 | The clause describes the minimum requirements in terms of infrastructure and the manner in which data could be shared with a service provider such as truHypothesys Risk Solutions. This also means truHypothesys Risk Solutions will build the necessary processes, technology and infrastructure for the purpose of sharing and processing of customer data. |
| In instances where service provider acts as an outsourcing agent for multiple REs, care shall be taken to build adequate safeguards so that there is no co-mingling of assets, documents, information and records. | 15.4 | This acknowledges the fact that a service provider such as truHypothesys Risk Solutions will have multiple other banks and wholesale lenders as its clients. truHypothesys Risk Solutions will ensure necessary controls are put in place so that there is no co-mingling of customer information and required compliance is being met. |
| Examples of financial outsourcing arrangements: - claims administration (e.g., loan negotiation, loan processing, collateral management, collection of bad loans); As part of indicative list of some services that, when performed by a third party, would be regarded as financial outsourcing arrangements for the purposes of these Directions | Annex I 1. (iii) | The directions clearly mention collateral management as an example of the financial services activities that could be outsourced by banks. Collateral management, i.e. monitoring of security interest of on-lending debt, is an essential part of the scope of the services covered by truHypothesys Risk Solutions. |
(III) The Digital Personal Data Protection (DPDP) Act, 2023 defines:
| As per DPDP Act, 2023 | Reference (Clause) | Implications in the Context of TruHypothesys Risk Solutions |
|---|---|---|
| "Data Principal" means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf. | Chapter I - Preliminary Clause 2. (j) | Underlying borrowers' loan data in the hypothecated statement or loan pool |
| "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. | Chapter I - Preliminary Clause 2. (i) | - any borrowing NBFC; - bank or any wholesale lender of on-lending debt (secured by way of hypothecated loan receivables); - bank or any other investor in pool buy-out transactions |
| "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary; | Chapter I - Preliminary Clause 2. (k) | truHypothesys Risk Solutions (Service provider) |
| - A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. - Where personal data processed by a Data Fiduciary is likely to be— (a) used to make a decision that affects the Data Principal; or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. - A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. | Chapter II - Obligations of Data Fiduciary Clause 8 | An NBFC (data fiduciary) processes the data of underlying borrowers (data principals) in a statement of hypothecation and shares the same with its lender bank (another data fiduciary). Further, a data fiduciary is allowed to share the data with a data processor, i.e., to draw a parallel, a bank can engage a service provider such as truHypothesys Risk Solutions for the purposes of risk assessment of hypothecated receivables. An NBFC shares data of the underlying borrowers with its lender bank based on the data principal's consent arising from the loan agreement executed between the underlying borrowers and the NBFC. Beyond disclosing to the lender bank, an NBFC would also have taken consent for sharing the underlying borrowers' data with multiple institutions and agencies, including credit bureaus, to enable credit services. Therefore, we could conclude that the lending bank as a data fiduciary could take consent from a borrowing NBFC to share the data of hypothecated loan receivables with truHypothesys Risk Solutions to process data on its behalf for risk assessment and monitoring of security interest purposes. |
Conclusion: When processing the shared monthly/quarterly data for risk monitoring, truHypothesys Risk Solutions will ensure adequate data protection of borrower data. We will do this by:

A. Completely removing or encrypting the personally identifiable information of end borrowers (like Name, Aadhaar/KYC, date of birth, address, father's name etc.) - this will ensure that no reports or support staff gain access to such information.

B. Providing tools to encrypt the data (monthly book debt statements etc. in Excel files) before they are uploaded to our platform for Risk Monitoring, so that the uploaded files cannot be misused in any way by anyone who has access to our system.

C. Ensuring that there is no co-mingling of data of different Banks and NBFCs:
- Our system will generate a unique internal reference-string for each loan originated by different originators. Two different loans will not have the same internal reference-string. (Example of reference string generated: 8743b52063cd84097a65d1633f5c74f5). This reference-string will be used for cross-matching and overlap analysis to check if the same loan is being double hypothecated and assigned more than once;
- All pieces of borrower information and loan information (like disbursal amount, outstanding amount, overdue status etc.) will be stored in separate database schemas for each Bank and NBFC. In other words, each Lender/Investor/Bank will have its data stored separately from the data of other Lenders/Investors/Banks.

D. For any duplicate hypothecation or duplicate securitisation/assignment uncovered by our system, we will only inform that a duplicate security interest has been found in the system against the type of institution (example: SCB, SFB, an NBFC-ICC, etc.) without revealing the name. We will not disclose which other lender(s) or investor(s) also hold the security interest.
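
One way controls C and D could fit together, as an added example that is not truHypothesys Risk Solutions' own code. It assumes the reference-string is an HMAC-SHA-256 over originator ID and loan account number, truncated to 32 hex characters; the key, class, function and field names are hypothetical, and in-memory dictionaries stand in for the per-lender database schemas.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a secret held only by the platform. Loan account numbers are
# guessable, so an unkeyed hash could be reversed by enumeration.
REF_KEY = b"constructed-demo-key"

def loan_reference(originator_id, loan_account_no, key=REF_KEY):
    """Deterministic pseudonym for one loan of one originator."""
    parts = [p.strip().upper().encode("utf-8")
             for p in (originator_id, loan_account_no)]
    # Length-prefix each field so ("AB", "C") and ("A", "BC") cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

class PledgeRegistry:
    def __init__(self):
        self._tenants = defaultdict(dict)  # lender -> {ref: loan fields}
        self._holders = defaultdict(dict)  # ref -> {lender: institution type}

    def submit(self, lender, inst_type, originator_id, loan_account_no, outstanding):
        ref = loan_reference(originator_id, loan_account_no)
        self._tenants[lender][ref] = {"outstanding": outstanding}
        self._holders[ref][lender] = inst_type
        return ref

    def duplicate_alerts(self, lender):
        """Map ref -> institution types of *other* holders; never their names."""
        alerts = {}
        for ref in self._tenants.get(lender, {}):
            others = sorted(t for l, t in self._holders[ref].items() if l != lender)
            if others:
                alerts[ref] = others
        return alerts

def demo():
    # Constructed sample data: two lenders are pledged the same NBFC loan.
    reg = PledgeRegistry()
    reg.submit("BANK_A", "SCB", "NBFC_X", "LN-0001", 100000)
    reg.submit("BANK_A", "SCB", "NBFC_X", "LN-0002", 5000)
    reg.submit("BANK_B", "SFB", "nbfc_x", " ln-0001 ", 100000)
    return reg.duplicate_alerts("BANK_A"), reg.duplicate_alerts("BANK_B")

if __name__ == "__main__":
    print(demo())
```

The cross-lender index holds only reference-strings and institution types, so an overlap check never reads another lender's loan fields.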
