OUTSOURCING POLICY

OBJECTIVES & REGULATORY FRAMEWORK

The Company intending to outsource any of its financial activities shall put in place a comprehensive outsourcing policy approved by its Board, which incorporates, inter alia, criteria for selection of such activities as well as Service Providers, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities. The objective of having a policy in place for outsourcing activity is to protect the interest of the customers and the investors of the Company and to ensure that the Company and the RBI have access to all relevant books, records and information available with the Service Provider and to ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI. The Company therefore shall take steps to ensure that the Service Provider employs the same high standard of care in performing the services as is expected to be employed by the Company, as if the activities were conducted within the Company and not outsourced. Accordingly, the Company shall not engage in outsourcing that would result in the Company’s internal control, business conduct or reputation being compromised or weakened.

RBI Directions

RBI has issued directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs. The directions are applicable to material outsourcing arrangements which may be entered into by an NBFC with a Service Provider located in India or elsewhere. The Service Provider may either be a member of the group/ conglomerate to which the NBFC belongs or an unrelated party. These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities which are not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records etc. The RBI has, vide the Digital Lending Guidelines, mandated that outsourcing arrangements entered into by regulated entities (as defined in the Digital Lending Guidelines) with LSPs and DLAs do not diminish the relevant regulated entity’s obligations and that they shall continue to conform to the Digital Lending Guidelines. The REs are advised to ensure that the LSPs engaged by them and the DLAs (either of the RE or of the LSP engaged by the RE) comply with the guidelines contained in this circular.

Activities that shall not be outsourced

The Company, if it chooses to outsource financial services, shall not outsource the following services:

  • (a) Core management functions including internal audit, strategic and compliance functions;
  • (b) Decision-making functions such as determining compliance with KYC norms;
  • (c) Sanction of loans;
  • (d) Management of investment portfolio.

However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions elaborated below in outsourcing within the group.

Material Outsourcing

For the purpose of this Policy, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on various factors mentioned below:

  • (a) The level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by outsourced activity;
  • (b) The potential impact of the outsourcing activity on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
  • (c) The likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, if the Service Provider fails to perform the services;
  • (d) The cost of the outsourcing activity as a proportion of total operating costs of the NBFC;
  • (e) The aggregate exposure to that particular Service Provider, in cases where the NBFC outsources various functions to the same Service Provider; and
  • (f) The significance of activities outsourced in context of customer service and protection.

ROLES & RESPONSIBILITIES

Roles & Responsibility of Board of Directors

  • (a) Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing activities and the policies that apply to such arrangements;
  • (b) Deciding on business activities of a material nature to be outsourced and approving such arrangements;
  • (c) Setting up suitable administrative framework of senior management for the purpose of these
  • (d) Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, safety and soundness;
  • (e) Undertaking responsibility for the actions of their Service Provider;
  • (f) Undertaking responsibility to maintain the confidentiality of information pertaining to the customers that is available with the Service Provider;
  • (g) Undertaking to ensure that the Service Provider, if not a group company of the Company, shall not be owned or controlled by any director of the Company or their relatives. These terms have the same meaning as assigned under the Companies Act, 2013.

Roles & Responsibility of Senior Management & Team

  • (a) Evaluating the risks and materiality of all existing and prospective outsourcing based on the framework approved by the Board;
  • (b) Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
  • (c) Reviewing periodically the effectiveness of policies and procedures;
  • (d) Communicating information pertaining to material outsourcing risks to the Board in a timely
  • (e) Ensuring that contingency plans, based on realistic and probable disruptive scenarios of Service Provider, are in place and tested;
  • (f) Ensuring that there is independent review and audit for compliance with set policies;
  • (g) Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise;
  • (h) Ensuring to have a robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing.

RISKS IN OUTSOURCING

The key risks in outsourcing are Strategic Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk, Concentration and Systemic Risk. The failure of a Service Provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the Service Provider can lead to financial losses or loss of reputation for the Company. The Company shall evaluate and guard against the following risks in outsourcing:

  • (a) Strategic Risk – Where the Service Provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company;
  • (b) Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the Service Provider;
  • (c) Operational Risk – Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies;
  • (d) Legal Risk – Where the Company may be subjected to fines, penalties, or punitive damages resulting from supervisory actions;
  • (e) Exit Strategy Risk – Where the Company may be over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in-house and contracts that make speedy exits prohibitively expensive;
  • (f) Counterparty Risk – Where there is inappropriate underwriting or credit assessments;
  • (g) Contractual Risk – Where the Company may not have the ability to enforce the contract;
  • (h) Concentration and Systemic Risk – Where the overall industry has considerable exposure to one Service Provider and hence the Company may lack control over the Service Provider.

EVALUATION AND SELECTION OF SERVICE PROVIDER

In considering or renewing an outsourcing arrangement, appropriate due diligence shall be performed to assess the capability of the Service Provider to comply with obligations in the outsourcing agreement. Due diligence shall take into consideration qualitative and quantitative, financial and operational factors. The Company shall consider whether the Service Provider’s systems are compatible with its own and also whether their standards of performance, including in the area of customer service, are acceptable to it. The Company shall also consider issues relating to undue concentration of outsourcing arrangements with a single Service Provider. Wherever possible, the Company shall obtain independent reviews and market feedback on the Service Provider to supplement its own findings. Due diligence shall involve an evaluation of all available information about the Service Provider, including but not limited to the following:

  • (a) Past experience and competence to implement and support the proposed activity over the contracted
  • (b) Financial soundness and ability to service commitments even under adverse conditions;
  • (c) Business reputation and culture, compliance, complaints and pending / potential litigations;
  • (d) Security and internal control, audit coverage, reporting and monitoring environment, business continuity management and ensuring due diligence by Service Provider of its employees.

Further, if the due diligence is satisfactory, the selection should be made on the basis of the following:

  • (a) Service Provider’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
  • (b) Compatibility of the practices and systems of the Service Provider with the Company’s requirements and objectives;
  • (c) Market feedback of the prospective Service Provider’s business reputation and track record of their services rendered in the past;
  • (d) Level of concentration of the outsourced arrangements with a single party.

OUTSOURCING CONTRACTS

The Company shall ensure the terms and conditions governing the contract with the Service Provider are carefully defined in written agreements and vetted by the Company’s legal team on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The agreement shall be sufficiently flexible to allow the Company to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties. The Company will consider some of the key provisions while entering into contract with the Service Provider, which are mentioned below:

  • (a) The contract shall clearly define what activities are going to be outsourced including appropriate service and performance standards;
  • (b) Ensure that the Company has the ability to access all books, records and information relevant to the outsourced activity available with the Service Provider;
  • (c) The contract shall provide for continuous monitoring and assessment by the Company of the Service Provider so that any necessary corrective measure can be taken immediately;
  • (d) Termination clause and minimum period to execute a termination provision, if deemed necessary shall be included;
  • (e) Controls to ensure customer data confidentiality and the Service Provider's liability in case of breach of security and leakage of confidential customer related information shall be incorporated;
  • (f) The contract shall provide for the prior approval/ consent by the Company of the use of subcontractors by the Service Provider for all or part of an outsourced activity;
  • (g) It shall provide the Company with the right to conduct audits on the Service Provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the Service Provider in conjunction with the services performed for the Company;
  • (h) Outsourcing agreements shall include clauses to allow the RBI or persons authorized by it to access the Company's documents, records of transactions, and other necessary information given to, stored or processed by the Service Provider within a reasonable time;
  • (i) Outsourcing agreement shall also include a clause to recognize the right of the RBI to cause an inspection to be made of a Service Provider of the Company and its books and account by one or more of its officers or employees or other persons;
  • (j) The outsourcing agreement shall also provide that confidentiality of customer's information shall be maintained even after the contract expires or gets terminated and the Company shall have necessary provisions to ensure that the Service Provider preserves documents as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

Further care shall be taken to ensure that the outsourcing contract:

  • (a) Clearly defines what activities are going to be outsourced, including appropriate service and performance levels;
  • (b) Provides for mutual rights, obligations and responsibilities of the Company and the Service Provider, including indemnity by the parties;
  • (c) Provides for the liability of the Service Provider to the Company for unsatisfactory performance/other breach of the contract;
  • (d) Specifies the responsibilities of the Service Provider with respect to the information technology security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.

DIGITAL LENDING

Loan Disbursements

Digital lending has been defined as a remote and automated lending process, largely by use of seamless digital technologies for customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service. Digital lending is catered to borrowers through DLAs (including platforms being mobile and web-based applications with a user interface that facilitate digital lending services). DLAs will include apps of the Company as well as those operated by LSPs (being an agent of the Company who carries out one or more of the lender’s functions or part thereof in customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of the Company in conformity with extant Outsourcing Guidelines). For loans disbursed through DLAs or sourced through LSPs, the Company ensures that all loan servicing, repayment, etc., is executed by the borrower directly in the Company’s bank account without any pass-through account/ pool account of any third party. The Company does not disburse such loans to a third-party account, including the accounts of LSPs and their DLAs.

Disclosures

All commercial details in relation to the loans disbursed through the DLAs or LSPs are disclosed upfront to the borrowers vide a key fact statement (in the format set out in the Digital Lending Guidelines). The Company discloses the following on its website, from time to time, in respect of the loan products disbursed through the DLAs / LSPs:

  • (a) List of LSPs;
  • (b) Brief of loan products disbursed through DLAs / LSPs;
  • (c) Details of recovery agent.

Due Diligence

The Company conducts due diligence on the LSP / DLA and undertakes periodic review of the LSP / DLAs. The Company has authorised its personnel to impart necessary and timely guidance to LSPs acting as recovery agent to comply with the norms, guidelines and instructions prescribed by the RBI.

Nodal Grievance Redressal Officer

The Company has appointed a suitable nodal grievance redressal officer to deal with fintech/ digital lending related complaints/ issues raised by the borrowers. The name and details of such officer along with the process of grievance redressal is set out on the website of the Company.

CONFIDENTIALITY & SECURITY

Public confidence and customer trust are prerequisites for the stability and reputation of the Company. Hence the Company shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the Service Provider. The Company shall ensure that:

  • (a) Access to customer information by staff of the Service Provider shall be on 'need to know' basis i.e. limited to those areas where the information is required in order to perform the outsourced
  • (b) The Service Provider is able to isolate and clearly identify the Company's customer information, documents, records and assets to protect the confidentiality of the information. In instances, where Service Provider acts as an outsourcing agent for multiple NBFCs, care shall be taken to build strong safeguards so that there is no commingling of information / documents, records and assets;
  • (c) Regular review and monitoring of the security practices and control processes of the Service Provider and require the Service Provider to disclose security breaches;
  • (d) Immediate notification to RBI in the event of any breach of security and leakage of confidential customer related information;
  • (e) No information (including personal information or data of the borrowers) shall be collected by LSPs / DLAs without the prior explicit consent of the borrowers;
  • (f) All data collected by the Company is stored in servers located in India.

Nothing stated above shall preclude the Company from adhering to the mandate of disclosing / reporting borrowers to the credit information companies in accordance with the Digital Lending Guidelines and/or the Outsourcing Policies and/or other extant instructions / guidelines / directions / circulars of the RBI.

BUSINESS CONTINUITY AND MANAGEMENT OF DISASTER RECOVERY PLAN

The Company shall require its Service Providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. The Company shall ensure that the Service Provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its Service Provider.

In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the Service Provider, the Company shall retain an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Company and its services to the customers. In establishing a viable contingency plan, the Company shall consider the availability of alternative Service Providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved. The Company will make sure that Service Providers are able to isolate the Company’s information, documents and records, and other assets so that in appropriate situations, all documents, records of transactions and information given to the Service Provider, and assets of the Company, can be removed from the possession of the Service Provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

MONITORING AND CONTROL OF OUTSOURCED ACTIVITIES

A central record of all material outsourcing that is readily accessible for review by the Board and senior management of the Company shall be maintained. The records shall be updated promptly and half-yearly reviews shall be placed before the Board or Risk Management Committee. Regular audits would be done by either the internal auditors or external auditors of the Company to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement. The Company shall, at least on an annual basis, review the financial and operational condition of the Service Provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the Service Provider, shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness. In the event of termination of the outsourcing agreement for any reason in cases where the Service Provider deals with the customers, the same shall be publicized by displaying at a prominent place in all the offices, posting it on the website, and informing the customers so as to ensure that the customers do not continue to deal with the Service Provider.

OUTSOURCING WITHIN GROUP

In a group structure, the Company may have back-office and service arrangements/ agreements with group entities e.g. sharing of premises, legal and other professional services, hardware and software applications, centralized back-office functions, outsourcing certain financial services to other group entities etc. Before entering into such arrangements with group entities, the Company shall have an arrangement with its group entities which shall also cover demarcation of sharing resources i.e. premises, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or any cross selling observed. While entering into such arrangements, the Company shall ensure that:

  • (a) Arrangements are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer's data;
  • (b) Such arrangement does not lead to any confusion among the customers as to whose products/ services they are availing, by clear physical demarcation of the space where the activities of the Company and those of its other group entities are undertaken;
  • (c) Incorporate a clause under the written agreements that there is a clear obligation for any Service Provider to comply with directions given by the RBI in relation to the activities of the Company;
  • (d) The Company shall ensure that their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as information technology systems, support staff) provided by the group entities become unavailable;
  • (e) If the premises of the Company are shared with the group entities for the purpose of cross-selling, the Company shall take measures to ensure that the Company's identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in the Company premises shall mention nature of arrangement of the entity with the Company so that the customers are clear on the seller of the product;
  • (f) The Company shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities.

REVIEW OF THIS POLICY

This policy document will be reviewed and revised by the business team with approval of the board of directors in response to changed circumstances, and in any event, at intervals of not more than half a year or shorter review periods as may be stipulated by the board of directors.

IMPLEMENTATION

This Policy shall be effective from the date of adoption by the Board.

AMENDMENT

This Policy shall be amended and/or restated and updated from time to time and such amendments and/or restatements and updations shall be effective from the date of adoption by the Board.

Registered Office Address

Unit No. 305-310, Plot No. 9, 10 & 11 Vardhman Trade Centre, Nehru Place, New Delhi-110019