The institution is responsible for the conduct of every recovery agent acting on its behalf — whether directly employed or through an outsourced agency. An agency that engages in prohibited collections conduct creates regulatory liability for the institution, not just for the agency. The Hard Bucket Agent AI sends agencies a data package that is simultaneously complete enough to be effective and conduct-bound enough to be compliant — with every prohibited action explicitly stated and every permitted contact documented.
The institution's liability for agency conduct
The RBI's guidelines on outsourcing of financial services, the Fair Practices Code, and the collections conduct standards all make one principle clear: the institution cannot outsource its compliance obligations. An agency acting on behalf of an institution is subject to the same conduct rules as the institution's own employees — and when an agency violates those rules, the regulatory consequence falls on the institution, not the agency. This is not a theoretical risk. RBI enforcement actions against NBFCs for collections misconduct have included cases where the prohibited conduct was performed by third-party recovery agencies, not internal staff.
The agency hand-off package that the Hard Bucket Agent AI produces is therefore not just a borrower data file. It is a conduct-bound brief that makes the institution's instructions to the agency explicit, documented, and unambiguous — so that there is no question about what the agency was told to do, and no gap in the conduct instruction that an agency could claim created ambiguity about what was prohibited.
The agency data package: what it contains
The four-step agency hand-off process
Agency Referral Decision — Account meets agency referral criteria
The Hard Bucket AI triggers an agency referral when an account meets defined criteria: Section 13(2) notice served and 30+ days into the 60-day window with no borrower response, or DPD 90+ on unsecured accounts where internal collections have not produced engagement. The referral decision includes an account suitability assessment — some accounts (those with active court proceedings, those with hardship flags requiring sensitive handling, or those approaching an agreed settlement) are held back from agency referral regardless of DPD age.
Data Package Assembly — Complete borrower and account brief
The Hard Bucket AI assembles the complete agency data package: verified borrower identity and contact details (data minimised per DPDP Act obligations — only what the agency needs for contact and recovery), account position with outstanding and legal status, collections history summary, settlement authority range, and the full conduct instructions. The package is assembled from the LMS, collections CRM, and legal case file — the agency receives a single integrated brief, not a collection of disparate documents.
Secure Transmission — Data package sent via authorised channel only
The agency data package is transmitted through the institution's authorised agency communication channel — not email, not WhatsApp, not unencrypted file sharing. The DPDP Act and RBI data security guidelines require that borrower data shared with third parties is transmitted securely and that the third party's data handling obligations are contractually specified. The Hard Bucket AI transmits only through channels where the agency's data processing agreement is in place and logs the transmission timestamp and receipt confirmation.
Agency Performance Monitoring — Contact log review and conduct oversight
The Hard Bucket AI requires weekly contact log submission from the agency and reviews each log for conduct compliance: are all contacts within the 8 AM–7 PM window? Is the contact frequency within permitted limits? Are any prohibited contact types flagged? Any conduct concern identified in the log triggers an immediate flag to the institution's compliance team — and a formal warning or agency relationship review depending on the severity. The institution's regulatory responsibility for agency conduct is only discharged by active oversight, not delegation.
What agencies must not do — and why the package makes this explicit
The prohibited conduct list in the agency package is not a courtesy note — it is a formal instruction with documented delivery. If an agency engages in prohibited conduct, the institution's first line of defence in any regulatory proceeding is that the conduct was explicitly prohibited in writing, in the agency brief, at the time of referral. This does not eliminate the institution's liability entirely — the RBI holds institutions responsible for agency conduct regardless — but it demonstrates that the institution took reasonable steps to prevent the violation and is material to the severity of any regulatory consequence.
No contact with employer, relatives, or neighbours who are not guarantors
The FPC and RBI guidelines are explicit: recovery agents may not contact employers, relatives, neighbours, or any third party who is not a named guarantor in the loan agreement. The borrower's employer address and any family contact information that exists in the institution's records are excluded from the agency data package — the agency receives only the borrower's own contact details and the guarantor's details. Exclusion is structural, not instructional.
→ Enforcement: employer address excluded from package at data level, not just instructedZero calls, messages, or visits before 8 AM or after 7 PM
The contact window is 8 AM to 7 PM. This applies to calls, WhatsApp messages, SMS, and field visits. The agency's call platform should have a technical restriction preventing dialling outside this window — but the Hard Bucket AI's conduct brief explicitly states the restriction so there is no ambiguity and no "system error" defence available.
→ Enforcement: conduct log shows timestamp of every contact — out-of-hours flagged automaticallyResidence visit requires prior written notice — at least 7 days advance
A field recovery agent may visit the borrower's registered address — but only after prior written notice has been sent, providing the borrower at least 7 days' advance notice of the visit date. Unannounced field visits are prohibited. The written notice requirement is a hard rule — it exists to prevent conduct that the RBI has classified as harassment, and its breach is among the most serious FPC violations in field recovery.
→ Enforcement: field visit authorisation only issued after written notice dispatch confirmedWeekly contact log submitted to institution — every contact documented
Every contact the agency makes — call, message, field visit — must be logged with date, time, channel, borrower response, and outcome. This log is submitted weekly to the institution and reviewed by the Hard Bucket AI for conduct compliance. An agency that fails to submit logs, or submits incomplete logs, is flagged for compliance review immediately.
→ Enforcement: log submission required weekly · AI review for out-of-window, excessive frequencyThe agency hand-off is not the end of the institution's responsibility — it is the beginning of documented, auditable oversight
The institution that sends a borrower data file to a recovery agency and considers its responsibility discharged is the institution that will face a regulatory action when the agency behaves badly. The institution that sends a conduct-bound brief with explicit instructions, transmits it through a documented channel, reviews weekly contact logs, and flags violations immediately is the institution that has discharged its oversight obligation. The Hard Bucket Agent AI makes the difference between those two positions structural rather than aspirational — the conduct instructions are embedded in every package, the log review is automatic, and the documentation of every instruction is maintained in the compliance record from the day of referral.