1. INTRODUCTION:

This policy shall be termed the Outsourcing Policy for BHARATIYA FINCOM PVT LTD (hereinafter referred to as “Company”). The terms in this policy shall be considered as defined by the Reserve Bank of India in its various directions, guidelines as issued and may be issued from time to time and, or as defined herein below.

With the speedy development and growth in the finance industry, Non-Banking Financial Companies (NBFCs) have been outsourcing various activities to either an affiliated entity within a group or a third-party external to the group) to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future.

Generally, outsourced financial services include application processing, document processing, marketing and research, supervision of loans, data processing and back office-related activities etc. Due to outsourcing of various activities, NBFCs are exposed to various risks such as Strategic Risk, Reputation Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counter Party Risk, Country Risk, Contractual Risk, Access Risk, Concentration and Systemic Risk. The failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the service provider can lead to financial

losses or loss of reputation for the Company and could also lead to systemic risks. Therefore, the Reserve Bank of India (RBI) has in view of the public interest so to do and with a view to putting in place necessary safeguards applicable to outsourcing of activities by NBFCs, issued directions on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs” and directions for loans sourced by Banks and NBFCs over digital lending platforms adherence to fair practices code and outsourcing for facilitating the adoption of sound and responsive risk management practices for effective oversight, due diligence and management of risks while outsourcing the activities. The policy herein is the outcome of the foregoing directions of RBI.

The Board of Directors of the Company has approved this Outsourcing Policy and amended it on a time-to-time basis as per the requirement.

2. OBJECTIVE OF THE POLICY:

The objective of this Policy is to identify the criteria for the selection of such activities that may be outsourced as well as the selection of Service Provider(s), the delegation of authority depending on risks arising out of outsourcing, materiality and systems to monitor, review the operations and management of these risks.

3. ACTIVITIES THAT CAN BE OUTSOURCED:

The Services that may be outsourced by the Company may generally include application processing (loan origination), document processing, marketing and research, supervision of loans, data processing and back office-related activities etc. An indicative list of activities that may be considered for outsourcing shall be as under:

– Sourcing/Lead Generation/Recommendation of prospective Borrowers;

– Collection of Loans from Borrowers/Defaulting Borrowers;

– Field Investigation, Risk Containment Unit;

– Verification of Documents, Fraud Control, Customer Profile, and Credit checks;

– Managing Customer Queries;

– Marketing of Company’s products;

– Recruitment, Selection and Training of Personnel;

– Background verification of personnel for employment;

– Administration of Payroll and Taxation;

– Technology infrastructure management, maintenance & support;

– Application development, maintenance and testing;

– Storage, movement and archiving of records;

– Use of Courier Services, Travel Agents;

– Housekeeping and Maintenance Services;

– Legal Services

The above list is indicative and not exhaustive. The Company may outsource any activities other than those mentioned above which are permissible to be outsourced as per the RBI Guidelines.

4. ACTIVITIES THAT SHALL NOT BE OUTSOURCED:

As per RBI directions, the Company shall not outsource its core management functions or activities including Strategic and Compliance functions and decision-making functions such as determining compliance with KYC norms for sanction for loans, or Internal Audit. Further, the Internal Audit function itself is a management process, the internal auditors can be on contract. However, the Company outsource this function within the group subject to compliance with instructions as provided in the point

5. MATERIAL OUTSOURCING:

Material outsourcing arrangements are those that, if disrupted, can significantly impact the business operations, reputation or profitability. The materiality of outsourcing would be based on:

1. The level of importance and significance of the risk to the Company, of the activity is outsourced.
2. The potential impact of outsourcing on the Company, on various parameters such as earnings, solvency, liquidity, funding capital and risk profile.
3. The likely impact on the Company’s reputation and brand value and ability to achieve its business objectives, strategy and plans should the Service Provider fail to perform the service.
4. The cost of outsourcing as a proportion of the total operating costs of the Company.
5. The aggregate exposure to that particular Service Provider, in cases where the Company outsources various functions to the same Service Provider.
6. the significance of activities outsourced in the context of customer service and protection.

6. RISKS ARISING OUT OF OUTSOURCING:

Outsourcing of financial services exposes the Company to a number of risks which need to be evaluated and effectively managed and mitigated. The key risk that may arise due to outsourcing are:

1. Strategic Risk – The Service Provider may conduct business on its behalf, which is inconsistent with the overall strategic goals of the Company.
2. Reputation Risk – Poor service from the Service Provider and its customer interaction may not be consistent with the overall standards expected by the Company.
3. Compliance Risk – Privacy, consumer and prudential laws may not be adequately complied with by the Service Provider.
4. Operation Risk – Arising due to technology failure, fraud, error, or inadequate financial capacity of the Service Provider to fulfil obligations and/or provide remedies.
5. Legal Risk – Where the Company is subjected to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the Service Provider.
6. Exit Strategy Risk – This could arise from over-reliance on one firm, the loss of relevant skills in the Company itself prevents it from bringing the activity back in-house and contracts entered into wherein speedy exits would be prohibitively expensive.
7. Counterparty Risk – Due to inappropriate underwriting or credit assessments.
8. Contractual Risk – arising from whether or not the Company has the ability to enforce the contract.
9. Concentration and Systemic Risk – Due to lack of control of individual Companies over a Service Provider, more so when the overall financing industry has considerable exposure to one Service Provider.

7. SELECTION OF SERVICE PROVIDER:

To enable sound and responsive risk management practices for effective oversight, due diligence and management of risks arising from outsourcing activities, all concerned departments who decide to outsource a financial activity/service shall follow the below-mentioned principles applicable to arrangements entered into by the Company with the Service Provider. A well-defined structure of roles & responsibilities discussed hereinafter shall be in place to decide on the activities to be outsourced, selecting the service provider, terms & conditions of outsourcing and monitoring mechanism etc.:

1. The outsourcing of any activity by the Company shall not diminish its obligations, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. The Company would therefore be responsible for the actions of their service provider including Direct Sales Agents/ Direct Marketing Agents and recovery agents and the confidentiality of information pertaining to the customers that is available with the service provider. The Company shall retain ultimate control of the outsourced activity.
2. In considering or renewing an outsourcing arrangement, appropriate care, skill and diligence shall be performed to assess the capability of the Service Provider to comply with obligations in the outsourcing agreement.
3. Also, all relevant laws, regulations, guidelines and conditions of approval, licensing or registration shall also be considered while outsourcing any activities.
4. Past experience and competence to implement and support the proposed activity over the contracted period;
5. Service Provider’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
6. Compatibility of the practices and systems of the Service Provider with the Company’s requirements and objectives;
7. Market feedback of the prospective Service Provider’s business reputation and track record of their services rendered in the past;
8. Security and internal control, audit coverage, reporting and monitoring environment, business continuity management and
9. ensuring due diligence by Service Provider to its employees.
10. The Service Provider, if not a group company of the Company, shall not be owned or controlled by any director of the Company or their relatives. These terms have the same meaning as those assigned under the Companies Act.

8. ROLE OF THE BOARD AND SENIOR MANAGEMENT:

8.1. Role of the Board:

The Board of the Company or Committee of the Board to which powers have been delegated shall be responsible inter alia for the following:

1. Approval of framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
2. Laying down appropriate authorities for outsourcing depending on risks and materiality;
3. Setting up the suitable administrative framework of senior management for the purpose of these directions;
4. Undertaking regular reviews of outsourcing strategies and arrangements for their continued relevance and safety and soundness; and
5. Deciding on business activities of a material nature to be outsourced and approving of such arrangements.

8.2. Responsibilities of the Senior Management:

1. Evaluate the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board;
2. Develop and implement sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
3. Review periodically the effectiveness of policies and procedures;
4. Communicate information pertaining to material outsourcing risks in the Board in a timely manner;
5. Ensure that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
6. Ensure that there is independent review and audit for compliance with set policies; and
7. Undertake periodic reviews of outsourcing arrangements to identify new material outsourcing risks as they arise.

9. OUTSOURCING OF ACTIVITY TO GROUP COMPANIES:

1. The Company may outsource its activity to any of its Group Companies to act as the Service Provider.

2. The Company shall ensure that an arm’s length distance is maintained in terms of manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests between the group company and Group Companies and accordingly necessary disclosures in this regard shall be made as part of the outsourcing agreement. Before entering into such arrangements with group entities, the Company shall have a Board approved policy and also service level agreements/arrangements with the group entities, which shall also cover the demarcation of sharing resources i.e., premises, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or any cross-selling observed.

3. While entering into such arrangements, the Company shall ensure that these:

– are appropriately documented in written agreements with details like the scope of services, charges for the services and maintaining the confidentiality of the customer’s data;

– do not lead to any confusion to the customers on whose products/ services they are availing by the clear physical demarcation of the space where the activities of the Company and those of its other group entities are undertaken;

– do not compromise the ability to identify and manage the risk of the Company on a stand-alone basis;

– do not prevent the RBI from being able to obtain information required for the supervision of the Company or pertaining to the group as a whole; and

– shall incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by the RBI in relation to the activities of the Company.

4. The Company shall ensure that its ability to carry out its operations in a sound fashion would not be affected if premises or other services (such as IT systems, and support staff) provided by the group entities become unavailable.

5. The Company shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities;

6. The marketing brochure used by the group entity and verbal communication by its staff/agent in the Company’s premises shall mention nature of the arrangement of the entity with the Company so that the customers are clear on the seller of the product

11. OUTSOURCING AGREEMENTS:

Conditions for outsourcing:

1. All outsourcing arrangements shall be executed only by way of a clearly defined and legally binding written agreement with each of the Service Providers and vetted by the Company’s Legal counsel on their legal effect and enforceability;
2. The agreement shall be sufficiently flexible to allow the Company to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations;
3. The agreement shall also bring out the nature of the legal relationship between the parties – i.e., whether agent, principal or otherwise
4. Due care shall be taken to ensure that the Outsourcing Agreement:
5. clearly defines what activities are going to be outsourced, including appropriate service and performance levels;
6. to ensure that it has the ability to access all books, records and information relevant to the outsourced activity available with the service provider;
7. provides for mutual rights, obligations and responsibilities of the Company and the Service Provider including indemnity by the parties;
8. provides for the liability of the Service Provider to the Company for unsatisfactory performance/other breach of the contract;
9. provides for the continuous monitoring and assessment by the Company of the Service Provider so that any necessary corrective measures can be taken up immediately, i.e., the contract shall enable the Company to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations;
10. includes, where necessary, conditions of sub-contracting by the Service Provider, i.e. the contract shall provide for the prior approval/ consent by the Company of the use of subcontractors by the service provider for all or part of an outsourced activity
11. has unambiguous confidentiality clauses to ensure the protection of proprietary and customer data during the tenure of the contract and also after the expiry of the contract and service providers’ liability in case of breach of security and leakage of confidential customer-related information shall be incorporated;
12. specifies the responsibilities of the Service Provider with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.;
13. provides for the preservation of the documents and data by the Service Provider as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services;
14. Provides for the mechanisms to resolve disputes arising from the implementation of the outsourcing contract;
15. provides for a termination clause and minimum period to execute a termination provision, if deemed necessary, termination rights, transfer of information and exit strategies;
16. Addresses additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when the Company outsources its activities to a foreign Service Provider. For example, the agreement shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for the adjudication of disputes between the parties under the laws of a specific jurisdiction; and it  neither prevents nor impedes the Company from meeting its respective regulatory obligations nor the regulator from exercising its regulatory powers; and
17. Provides for the Company and /or the regulator or the persons authorized by it to have the ability to inspect, right to conduct audit through internal or external auditors, obtain copies of any audit or review reports, access all books, records and information relevant to the outsourced activity with the Service Provider.
18. Provides for the RBI or officials authorised by it to access the Company’s documents, the record of transactions, and other necessary information given to, stored or processed by the Service Provider within a reasonable time and also the right to conduct inspection on Service Provider and its books and account.

12. CLIENT CONFIDENTIALITY & SECURITY:

1. The Company is expected to take appropriate steps to protect its proprietary and confidential customer information and ensure that it is not misused or misappropriated. b. The Company shall prevail upon the Service Provider to ensure that the employees of the Service Provider have limited access to the data handled and only on a “need to know” basis and the Service Provider shall have adequate checks and balances to ensure the same.
2. The Company shall ensure that the service provider is able to isolate and clearly identify the Company’s customer information, documents, records and assets to protect the confidentiality of the information. In instances, where the service provider acts as an outsourcing agent for multiple NBFCs, care shall be taken to build strong safeguards so that there is no comingling of information/documents, records and assets.
3. In cases where the Service Provider is providing similar services to multiple entities, the Company shall ensure that adequate care is taken by the Service Provider to build safeguards for data security and confidentiality.
4. The Company shall review and monitor the security practices and control processes of the service provider on a regular basis and require the service provider to disclose security breaches.
5. The Company shall immediately notify RBI in the event of any breach of security and leakage of confidential customer-related information. In these eventualities, the Company would be liable to its customers for any damages.

13. RESPONSIBILITIES OF DIRECT SALES AGENTS (DSA)/DIRECT MARKETING AGENTS (DMA)/RECOVERY AGENTS:

1. The Company shall ensure that DSA/DMA/Recovery Agents are properly trained to handle their responsibilities with care and sensitivity, particularly aspects such as soliciting customers, hours of calling, the privacy of customer information and conveying the correct terms and conditions of the products on offer etc.
2. Recovery Agent shall adhere to extant instructions on the Fair Practices Code of the Company as also their own code for collection of dues and repossession of security, it is essential that the Recovery Agents refrain from action that could damage the integrity and reputation of the Company and that they observe strict customer confidentiality.
3. The Company and their agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude on the privacy of the debtors’ family members, referees and friends, making threatening and anonymous calls or making false and misleading representations.

14. BUSINESS CONTINUITY AND MANAGEMENT OF DISASTER RECOVERY PLAN:

1. Specific contingency plans shall be separately developed for each outsourcing arrangement, as is done in individual business lines.
2. The concerned Senior Management shall take appropriate steps to assess and address the potential consequence of a business disruption or other problems at the Service Provider level. Notably, it shall consider contingency plans at the Service Provider level; coordination of contingency plans at both levels and in the event of non-performance by the Service Provider.
3. In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the Company shall retain an appropriate level of control over its outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Company and its services to the customers.
4. In establishing a viable contingency plan, the Company shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.
5. The Company shall ensure that service providers are able to isolate the Company’s information, documents and records, and other assets. This is to ensure that in appropriate situations, all documents, records of transactions and information given to the service provider, and assets of the Company, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

15. MONITORING AND CONTROL OF OUTSOURCED ACTIVITIES:

1. The Company shall have in place a management structure to monitor and control its outsourcing activities.
2. Regular audits by either the internal auditors or external auditors of the Company shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the Company’s compliance with its risk management framework and the requirements of these directions.
3. The Company shall at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
4. In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, the same shall be publicized by displaying at a prominent place in the branch, posting it on the web-site, and informing the customers so as to ensure that the customers do not continue to deal with the service provider.
5. A robust system of internal audit of all outsourced activities shall also be put in place and monitored by the Audit Committee of the Board.

16. MAINTENANCE OF RECORDS:

1. The records relating to all material activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Board of the Company and / or its senior management, as and when needed. The records shall be updated promptly and half yearly reviews shall be placed before the Board or Risk Management Committee.
2. Such records shall be regularly updated and may also form part of the corporate governance review by the management of the Company.

17. REDRESSAL OF GRIEVANCES RELATED TO OUTSOURCED SERVICES:

The Company shall appoint a Grievance Redressal Officer. The designated officer shall ensure that the genuine grievances of the Customers are redressed promptly without any delay. Generally, a time limit of 30 days shall be given to the customers for resolving their complaints/grievances. The grievance redressal procedure of the Company and the time frame fixed for responding to the complaints shall be placed on the Company’s website.

18. REPORTING REQUIREMENTS:

The Company shall be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the Company’s customer-related activities carried out by the Service Providers.

19. REVIEW:

The policy shall be reviewed at regular intervals or as and when considered necessary by the management/ Board of Directors of the Company.