gogreencapital.in

TAPFIN CAPITAL PRIVATE LIMITED (TCPL)
Policy on Outsourcing of Financial Services

LAST UPDATED ON: 15-02-2025

Policy on Outsourcing of Financial Services​

1.  Objectives & Regulatory Framework

TCPL may outsource any of its financial activities at any point of time in future and shall put in place a comprehensive outsourcing policy approved by its Board, which incorporates, inter alia criteria for selection of such activities as well as service providers, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities.

The objective of having a policy in place for outsourcing activity is to protect the interest of the customers and investors of TCPL and to ensure that the Company and the Reserve Bank of India have access to all relevant books, records and information available with service provider and to ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI.

TCPL therefore shall take steps to ensure that the service provider employs the same high standard of care in performing the services as is expected to be employed by TCPL, as if the activities were conducted within TCPL and not outsourced. Accordingly, TCPL shall not engage in outsourcing that would result in the Company’s internal control, business conduct or reputation being compromised or weakened.

A.   RBI Directions

RBI has issued directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs. The directions are applicable to material outsourcing arrangements which may be entered into by an NBFC with a service provider located in India or elsewhere. The service provider may either be a member of the group/ conglomerate to which the NBFC belongs or an unrelated party.

These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities which are not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records etc.

B.   Activities that shall not be outsourced

TCPL, if and when it chooses to outsource financial services, shall not outsource the following services:

  • Core management functions including internal audit, strategic and compliance
  • Decision-making functions such as determining compliance with KYC
  • Sanction of
  • Management of investments

However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions elaborated below in outsourcing within the group.

C.  Material Outsourcing

For the purpose of these directions, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on various factors mentioned below:

  • the level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by outsourced activity;
  • the potential impact of the outsourcing activity on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
  • the likely impact on the NBFC’s reputation and brand value, and ability to achieve

its business objectives, strategy and plans, if the service provider fails to perform the services;

  • the cost of the outsourcing activity as a proportion of total operating costs of the NBFC;
  • the aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider and
  • the significance of activities outsourced in context of customer service and

2.  Roles & Responsibility

A.   Roles & Responsibility of Board of Directors
  • Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing activities and the policies that apply to such arrangements.
  • Deciding on business activities of a material nature to be outsourced and approving such arrangements;
  • Laying down appropriate approval authorities for outsourcing depending on risks and materiality;
  • Setting up suitable administrative framework of senior management for the purpose of these directions;
  • Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, safety and soundness;
  • Responsibility for the actions of their service provider
  • Responsibility to maintain the confidentiality of information pertaining to the customers that is available with the service provider;
  • Shall ensure that the service provider, if not a group company of the TCPL, shall not be owned or controlled by any director of the Company or their relatives. These terms have the same meaning as assigned under Companies Act, 2013.
B.    Roles & Responsibility of Senior Management & Team
  • Evaluating the risks and materiality of all existing and prospective outsourcing based on the framework approved by the Board;
  • Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
  • Reviewing periodically the effectiveness of policies and procedures;
  • Communicating information pertaining to material outsourcing risks to the Board in a timely manner;
  • Ensuring that contingency plans, based on realistic and probable disruptive scenarios of service provider, are in place and tested;
  • Ensuring that there is independent review and audit for compliance with set policies;
  • Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise and
  • Shall ensure to have a robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing.

3.   Risks in Outsourcing

The key risks in outsourcing are Strategic Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk, Concentration and Systemic Risk. The failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the service provider can lead to financial losses or loss of reputation for the Company.

The Company shall evaluate and guard against the following risks in outsourcing:

  • Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.
  • Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the Company.
  • Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.
  • Operational Risk- Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.
  • Legal Risk – Where the Company may be subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
  • Exit Strategy Risk – Where the Company may be over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in- house and contracts that make speedy exits prohibitively expensive.
  • Counter party Risk – Where there is inappropriate underwriting or credit
  • Contractual Risk – Where the Company may not have the ability to enforce the
  • Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the Company may lack control over the service
  • Country Risk – Due to the political, social and legal climate creating added

4.  Evaluation & Selection of Service Provider

In considering or renewing an outsourcing arrangement, appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence shall take into consideration qualitative and quantitative, financial and operational factors.

TCPL shall consider whether the service provider’s systems are compatible with its own and also whether their standards of performance including in the area of customer service are acceptable to it. The Company shall also consider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Wherever possible, the Company shall obtain independent reviews and market feedback on the service provider to supplement its own findings.

Due diligence shall involve an evaluation of all available information about the service provider, including but not limited to the following:

  • Past experience and competence to implement and support the proposed activity over the contracted period;
  • Financial soundness and ability to service commitments even under adverse conditions;
  • Business reputation and culture, compliance, complaints and pending / potential litigations;
  • Security and internal control, audit coverage, reporting and monitoring environment, business continuity management and ensuring due diligence by service provider of its

Further if due diligence seems all right then the selection should be done as follows:

  • Service Provider’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
  • Compatibility of the practices and systems of the service provider with the TCPL’s requirements and objectives;
  • Market feedback of the prospective service provider’s business reputation and track record of their services rendered in the past;
  • Level of concentration of the outsourced arrangements with a single party;

5.  Outsourcing Contract

TCPL shall ensure that the terms and conditions governing the contract with the service provider are carefully defined in written agreements and vetted by TCPL’s legal team on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The agreement shall be sufficiently flexible to allow TCPL to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties- i.e. whether agent, principal or otherwise.

TCPL will consider some of the key provisions while entering into contract with the service provider, which are mentioned below:

  • The contract shall clearly define what activities are going to be outsourced including appropriate service and performance standards;
  • Ensure that TCPL has the ability to access all books, records and information relevant to the outsourced activity available with the service provider;
  • The contract shall provide for continuous monitoring and assessment by TCPL of the service provider so that any necessary corrective measure can be taken immediately;
  • Termination clause and minimum period to execute a termination provision, if deemed necessary, shall be included;
  • Controls to ensure customer data confidentiality and service providers liability in case of breach of security and leakage of confidential customer related information shall be incorporated;
  • There must be contingency plans to ensure business continuity;
  • The contract shall provide for the prior approval/ consent by TCPL of the use of subcontractors by the service provider for all or part of an outsourced activity;
  • It shall provide the Company with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the TCPL;
  • Outsourcing agreements shall include clauses to allow the Reserve Bank of India or persons authorized by it to access TCPL’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time;
  • Outsourcing agreement shall also include a clause to recognize the right of the Reserve Bank to cause an inspection to be made of a service provider of the Company and its books and account by one or more of its officers or employees or other persons;
  • The outsourcing agreement shall also provide that confidentiality of customer’s information shall be maintained even after the contract expires or gets terminated and that TCPL shall have necessary provisions to ensure that the service provider preserves documents as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

Further care shall be taken to ensure that the outsourcing contract:

  • Provides for mutual rights, obligations and responsibilities of the Company and the Service Provider, including indemnity by the parties;
  • Provides for the liability of the Service Provider to the Company for unsatisfactory performance/other breach of the contract;

6.  Confidentiality and Security

Public confidence and customer trust are prerequisites for the stability and reputation of the Company. Hence, TCPL shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. TCPL shall ensure that:

  • Access to customer information by staff of the service provider shall be on ‘need to know’ basis i.e. limited to those areas where the information is required in order to perform the outsourced
  • The service provider is able to isolate and clearly identify TCPL’s customer information, documents, records and assets to protect the confidentiality of the
  • In instances, where service provider acts as an outsourcing agent for multiple NBFCs, care shall be taken to build strong safeguards so that there is no commingling of information / documents, records and assets.
  • Regular review and monitoring of the security practices and control processes of the service provider and require the service provider to disclose security breaches.
  • Immediately notify RBI in the event of any breach of security and leakage of confidential customer-related information. In these eventualities, the Company would be liable to its customers for any damages.

7.  Responsibilities of Direct Sales Agents (DSA)/Direct Marketing Agent (DMA)/ Recovery Agents

  • TCPL shall ensure that the DSA/ DMA/ Recovery Agents are properly trained to handle their responsibilities with care and sensitivity, particularly aspects such as soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer, etc.
  • TCPL shall put in place a board approved Code of conduct for DSA/ DMA/ Recovery Agents, and obtain their undertaking to abide by the In addition, Recovery Agents shall adhere to extant instructions on Fair Practices Code for NBFCs as also their own code for collection of dues and repossession of security. It is essential that the Recovery Agents refrain from action that could damage the integrity and reputation of the Company and that they observe strict customer confidentiality.
  • The Company and their agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the debtors’ family members, referees and friends, sending inappropriate messages either on mobile or through social media, making threatening and anonymous calls, persistently calling the borrower and/or calling the borrower before 8:00 a.m. and after 7:00 p.m. for recovery of overdue loans, making false and misleading representations, etc. – the Company shall ensure that there are no violations in this regard.

8.  Business Continuity and Management of Disaster Recovery Plan

  • The Company shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. TCPL shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider.
  • In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the Company shall retain an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Company and its services to the customers.
  • In establishing a viable contingency plan, TCPL shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in- house in an emergency and assess the costs, time and resources that would be involved.
  • TCPL will make sure that service providers are able to isolate the Company’s information, documents and records, and other assets so that in appropriate situations, all documents, records of transactions and information given to the service provider, and assets of TCPL, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

9.  Monitoring and Control of Outsourced Activities

  • The Company shall have in place a management structure to monitor and control its outsourcing It shall ensure that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities.
  • A central record of all material outsourcing that is readily accessible for review by the Board and senior management of the Company shall be The records shall be updated promptly and half yearly basis reviews shall be placed before the Board or a Board designated Committee.
  • Regular audits would be done by either the internal auditors or external auditors of the Company to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement.
  • TCPL shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
  • In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, the same shall be publicized by displaying at a prominent place in all the offices, posting it on the website, and informing the customers so as to ensure that the customers do not continue to deal with the service provider.
  • A robust system of internal audit of all outsourced activities shall also be put in place and monitored by the Board or the Audit Committee of the Board (ACB) of the Company.

10.       Reporting   of   transactions   to   FIU   or   other competent authorities

  • The Company would be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the Company’s customer related activities carried out by the service providers.

11.       Outsourcing within the group

In a group structure, the Company may have back-office and service arrangements/ agreements with group entities e.g. sharing of premises, legal and other professional services, and hardware and software applications, centralize back-office functions, outsourcing certain financial services to other group entities etc.

Before entering into such arrangements with group entities, the Company shall have an arrangement with their group entities which shall also cover demarcation of sharing resources i.e. premises, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or any cross selling observed.

While entering into such arrangements, TCPL shall ensure that:

  • Arrangements are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer’s data;
  • Such arrangement does not lead to any confusion to the customers on whose products/ services they are availing by clear physical demarcation of the space where the activities of TCPL and those of its other group entities are undertaken;
  • Such arrangements do not compromise the ability to identify and manage risk of the Company on a stand-alone basis;
  • Incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by the RBI in relation to the activities of TCPL;
  • TCPL shall ensure that their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable;
  • If the premises of TCPL are shared with the group entities for the purpose of cross- selling, the Company shall take measures to ensure that its identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in TCPL’s premises shall mention nature of arrangement of the entity with TCPL so that the customers are clear on the seller of the product.
  • TCPL shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group
  • The risk management practices expected to be adopted by the Company while outsourcing to a related party (i.e. party within the Group / Conglomerate) would be identical to those applicable for any other entity.

12.       Off-shore outsourcing of Financial Services

The engagement of service providers in a foreign country exposes a Company to country risk

– economic, social and political conditions and events in a foreign country that may adversely affect the Company. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the Company. To manage the country risk involved in such outsourcing activities, TCPL shall take into account and closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified. 

The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of TCPL in a timely manner.

As regards the off-shore outsourcing of financial services relating to Indian Operations, the Company shall additionally ensure that:

  • Where the off-shore service provider is a regulated entity, the relevant off-shore regulator will neither obstruct the arrangement nor object to RBI inspection visits/ visits of the Company’s internal and external auditors.
  • The availability of records to management and the RBI will withstand the liquidation of either the offshore custodian or the Company in India.
  • The regulatory authority of the offshore location does not have access to the data relating to Indian operations of the Company simply on the ground that the processing is being undertaken there (not applicable if off shore processing is done in the home country of the Company).
  • The jurisdiction of the courts in the off shore location where data is maintained does not extend to the operations of the Company in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India and
  • All original records continue to be maintained in India.