An LSP agreement that does not contain the clauses the RBI's outsourcing guidelines require is not a compliant agreement — regardless of how comprehensive it is in other respects. The LSP Governance AI reads every vendor agreement against the RBI's required clause checklist at the time of contracting, monitors the agreement's continuing validity as contract terms expire or change, and alerts the legal and compliance team when a clause requires updating — before a regulatory inspection, not during one.
What the RBI's outsourcing guidelines require in every LSP agreement
The RBI's outsourcing guidelines specify that LSP agreements must contain a defined minimum set of clauses covering: the scope of activities permitted (preventing the LSP from sub-contracting prohibited functions without approval), the institution's right to audit the LSP's operations, the LSP's obligation to maintain confidentiality of borrower data, the LSP's compliance with applicable laws and regulations including the FPC, provisions for termination and orderly transition of activities on contract end, and the institution's regulatory obligation to report material LSP failures to the RBI.
These are not optional — an agreement that lacks any of these clauses creates a regulatory exposure that an RBI inspector will identify when reviewing the institution's outsourcing register and asking to see the underlying contracts. The LSP Governance AI checks every agreement against this clause checklist at the time of onboarding, maintains a compliance status for each contract, and alerts when any clause is absent, ambiguous, or has become outdated due to regulatory changes.
The required clause checklist: present, partial, or missing
permitted activities
Agreement defines permitted functions and prohibits sub-contracting without prior written approval
Schedule 1 of the Credence Collections agreement specifies: collection calls on DPD 1–90 accounts, field visits on DPD 31–90 accounts, PTP capture and reporting. Sub-contracting is prohibited without written approval. The scope is clear and specific — no ambiguity about what the LSP is and is not permitted to do.
→ Status: Compliant · No action required

audit
Institution has explicit right to audit LSP's operations, systems, and records with 7 days' notice
Clause 14 grants the institution, its internal auditors, statutory auditors, and the RBI (or any other regulator designated by the RBI) the right to inspect the LSP's premises, records, and systems with 7 days' notice. The clause correctly includes the RBI as a permitted inspector — many older agreements do not include this.
→ Status: Compliant · Includes RBI inspection right · No action required

confidentiality / DPDP
Confidentiality clause exists but pre-dates the DPDP Act — does not include data minimisation, purpose limitation, or retention obligations
Clause 11 contains a general confidentiality obligation covering borrower data. However, the agreement was signed in January 2022 — before the DPDP Act 2023. It does not include the specific obligations the DPDP Act now requires: data minimisation, purpose limitation, defined retention period, and sub-processor disclosure. Amendment required before January 31, 2026 (DPDP Act implementation deadline).
→ Action required: DPDP amendment by Jan 31, 2026 · Drafted by LSP Governance AI · Legal sign-off required

compliance
LSP obligated to comply with RBI Fair Practices Code in all borrower interactions
Clause 9 requires the LSP and all its agents to comply with the RBI's Fair Practices Code as applicable to collections: permitted calling hours (8 AM to 7 PM), prohibition on contacting family or employer without consent, prohibition on abusive language, and identification at the start of every call. Breach is an event of default entitling the institution to terminate with 7 days' notice.
→ Status: Compliant · Breach is event of default · No action required

termination and transition
Agreement does not contain an orderly transition clause — required by RBI outsourcing guidelines
The RBI's outsourcing guidelines require that every LSP agreement contain provisions for the orderly transfer of activities back to the institution or to a replacement LSP on termination — including data return, system access revocation, and agent re-assignment. The current agreement (signed February 2020) predates the strengthened outsourcing guidelines. The termination clause covers only the termination of the commercial relationship, not the operational transition.
→ Critical gap: Termination and transition clause must be added · LSP Governance AI has drafted a compliant clause · Add at next contract renewal (Feb 2025) or by side letter before then

failure reporting
Institution's obligation to report material LSP failures to RBI acknowledged in agreement
Clause 20 acknowledges that the institution is required under RBI guidelines to report material failures by any LSP to the RBI and confirms the LSP's obligation to cooperate with any such reporting process. This clause protects the institution's right to disclose LSP failures to the regulator without the LSP being able to claim breach of confidentiality.
→ Status: Compliant · Regulatory reporting carve-out in place · No action required

continuity
BCP clause exists but LSP has not submitted the required annual BCP test report
Clause 16 requires the LSP to maintain a Business Continuity Plan and to test it annually, with a test report provided to the institution within 30 days of the test. The clause is present. However, the LSP has not submitted the FY2024–25 BCP test report — it was due by September 2025 and is now overdue by 6 weeks. The LSP Governance AI has flagged this and sent a reminder to the LSP. If not received within 14 days, the default clause will be triggered.
→ Action: BCP test report overdue · Reminder sent · Default notice if not received by Nov 28
Contract compliance summary: all LSPs, all clauses, this quarter
| LSP Name | Function | Contract Date | Critical Gaps | DPDP Status | BCP Current | Overall |
|---|---|---|---|---|---|---|
| Credence Collections Pvt Ltd | Collections — field and call | Feb 2020 | Transition clause missing | Amendment needed | Report overdue | Action needed |
| FinanceConnect DSA Network | DSA — home and MSME loans | Mar 2024 | None | Compliant | Current | Compliant |
| TechServ Analytics Pvt Ltd | Credit score model vendor | Jan 2023 | None | Amendment needed | Current | DPDP amendment |
| Aarya Recovery Solutions | Collection — hard bucket legal | Nov 2019 | Transition + audit right missing | Non-compliant | Test overdue | Renewal required |
| KYC Digital Solutions | V-KYC and digital onboarding | Sep 2024 | None | Compliant | Current | Compliant |
The contract that was compliant when signed may not be compliant today
A 2019 LSP agreement that satisfied the outsourcing guidelines in 2019 does not satisfy them in 2025. The strengthened outsourcing guidelines of 2021–22, the DPDP Act of 2023, and successive FPC circulars have added requirements that older agreements did not anticipate. An institution that filed its 2019 contracts and never reviewed them again is holding compliance documentation for non-compliant agreements. The LSP Governance AI monitors every contract against the current regulatory requirement, not the requirement as it was when the contract was signed — and drafts the required amendments so the legal team's job is review and sign-off, not drafting from a blank page.
