Non-Banking Financial Companies (NBFCs) cannot outsource core management functions such as internal audit, strategic and compliance functions for Know Your Customer (KYC) norms, the sanction of loans and the management of investment portfolios.
As per notification number RBI/2017-18/87 on RBI’s website, access to customer information by the staff of the service provider shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function. NBFCs must comply with these norms within 2 months.
NBFCs must ensure that service providers are able to isolate and clearly identify the NBFC’s customer information, documents, records, and assets to protect the confidentiality of the information.
Any leakage of confidential customer-related information should be reported to the central bank immediately. NBFCs would be responsible to their customers for any damages.
Source: Economic Times