Regulatory

This “Privacy Policy” provides the privacy practices of TapFin Capital Pvt Ltd and our affiliates (collectively “Company”, “We’, “Us” or “Our”) in connection with Our “Services” (each a “Service”) via our website, https://gogreencapital.in and its subdomains (collectively the “Website”) and our mobile applications (each a “Mobile App”) and via any other online means such as email, online drives and via any offline means such as physical paper document collection collectively known as “GoGreen Capital”, “Platform”. The Privacy Policy addresses the rights and choices available to “Users” or “You” (any Person and/or the business entity that the Person represents) with respect to their data and Our usage of customer’s data in the context of the Service.

This Privacy Policy has been prepared in compliance with, but not limited to:

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Guidelines on Digital Lending issued by the Reserve Bank of India (RBI), 2022
Other applicable acts, regulations and rules which require the publishing of a privacy policy for handling of or dealing in personal information including sensitive personal data or information and all applicable laws, regulations, guidelines provided by applicable regulatory authorities including but not limited to the RBI.

This Privacy Policy is incorporated into and at all times is subject to and is to be read in conjunction with the Terms and Conditions for Use of the Platform.

What do we collect

We collect various types of information, via the Platform or via other offline and online means, from and about Users of our Services including

“Personal Information” which includes any information concerning the personal or material circumstances of an identified or identifiable individual and is capable of uniquely identifying a person and/or the business entity that a person represents
Contact information, such as your full name (in its legal form), email, mobile number, phone number, IP address and contact address (permanent and/or temporary).
Business Entity Financial & Other Information (related to the business entity): including but not limited to Balance Sheet, Profit & Loss accounts, cashflow statements, Tax-related documents such as income tax return & GST returns, auditors reports, Company Bank Statements, Board Resolutions, Directors KYC amongst others
Content you choose to upload to the Services, whether or not specifically required by the Services, such as text, images, audio, and video, and information regarding your assets & liabilities, such as asset types and descriptions, and information regarding your Intended Recipients (defined below), such as full name (in its legal form), email, mobile number, phone number, IP address and contact address (permanent and/or temporary), and related notes, along with the metadata associated with the files you upload.
Profile information, such as your email address, mobile number, full name (in its legal form) and password that you may set to establish an online account with us, your photograph, and preferences.
Registration information, such as information that may be related to a Service or an account.
Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us online.
Demographic Information, such as your city, state, country of residence, postal code, and age.
Transaction information, such as information about payments to and from you and other details of Services you have purchased from us.
Usage information, such as information about how you use the Services and interact with us, including information associated with any content you upload to the Services or otherwise submit to us, and information you provide when you use any interactive features of the Services.
Marketing information, such as your preferences for receiving communications about our activities and publications, and details about how you engage with our communications.
Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

Information we obtain from social media platforms. We may maintain pages on social media platforms, such as Facebook, LinkedIn, Twitter, Google, YouTube, Instagram, and other third party platforms. When you visit or interact with our pages on those platforms, the platform provider’s privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.

Information we obtain from other third parties. We may receive personal information about you from third-party sources. For example, a business partner may share your contact information with us if you have expressed interest in learning specifically about our Services. We may obtain your personal information from other third parties, such as marketing partners, publicly-available sources and data providers.

Cookies and Other Information Collected by Automated Means

We use cookies to recognize your browser and capture and maintain certain information including but not limited to about your session, device, browser type, geographic information among others. We may use cookies to help us understand and save preferences for current and future visits to our Website.

How We Use The Information Collected

We use the information collected for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

To verify and authenticate Your identity
To facilitate Your usage of our Services
To connect You with Our authorized third-parties/service partners/lending partners/merchant partners that help provide Our Services to You
provide, operate and improve the Services
provide information about our Services
establish and maintain your user profile
enable security features of the Services, such as by sending you security codes via email or SMS
communicate with you about the Services, including by sending you notifications, newsletters, updates, security alerts, and support and administrative messages
understand your needs and interests, and personalize your experience with the Services and our communications
provide support and maintenance for the Services
respond to your requests, questions and feedback
analyze your use of the Services to develop new products & Services
comply with applicable laws & legal processes
disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Services; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

Consent

Please note that by providing the Information (as defined above), You provide Your unconditional consent and authorize us to collect, use or disclose such Information for the business and research purposes and as stated in this Privacy Policy and as permitted or required by applicable law. By providing information to Us on our Platform or by any other means, You expressly confirm and consent to TapFin collecting, maintaining, using, processing and disclosing the Information provided by You in accordance with the terms set out in this Privacy Policy.

You understand and hereby consent that the Information may be transferred to any third party for the purpose of providing Services through the Platform or any other online or offline means. You provide consent for the use of Your data to conduct credit bureau checks, KYC checks on You and the Directors of the business entity that You represent, creditworthiness checks, financial health assessment, business viability and for Our authorized partners to collect and/or receive further Information from you to provide the Services.

You understand and hereby consent that the Information may be transferred to any third party providers for rendering Services, for any jointly developed or marketed services, for payment processing, for order fulfilment, customer services, data analysis, information technology services and such other services which enable us to provide Services through the Platform or otherwise

You understand and hereby consent that You may be required to sign further consent forms to avail the Services.

We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.

Your submission of any additional contact information is considered as deemed approval and acceptance to share regular updates, information about our services, new products and other updates.

Under some conditions, we may specifically ask for your consent to collect, use and share your personal information for purposes beyond those mentioned in this document.

This Privacy Policy shall be enforceable against you in the same manner as any other written agreement. By visiting or accessing the Platform and voluntarily providing us with Information (including Personal Data), you are consenting to our use of the Information, in accordance with this Privacy Policy.

How do I withdraw my consent?

If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by informing us in writing over email at contact@gogreencapital.in

Under such circumstances, we may be unable to render Services.

Retention

We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.

How We Share your Personal Information

We do not share your personal information with third parties without your consent, except in the following circumstances or as described in this Privacy Policy:

Affiliates. We may share your personal information with our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.

Service providers. We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate the Services (such as customer support, hosting, analytics, email delivery, marketing, and database management services). These third parties may use your personal information only as directed or authorized by us and in a manner consistent with this Privacy Policy, and are prohibited from using or disclosing your information for any other purpose.

Provider of marketing services. We share your information with the provider of marketing services who may send you Company-related marketing communications in accordance with this Privacy Policy and as permitted by law.

Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.

For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above.

Business transfers. We may sell, transfer or otherwise share some or all of the Company’s business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of the Company’s assets, or in the event of bankruptcy or dissolution.

Transfer of Data

Your Information may be transferred to, and maintained on, computers located in India, and will be governed by the Indian Data Protection Laws.

If you are located outside India and choose to provide information to us, please note that we may transfer the data to India to process the Information.
Your consent to this Privacy Policy followed by your submission of such information represents your unconditional agreement to that transfer or use.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your data will take place to an organization or a country unless there are adequate controls in place including the security of your data.

Your Choices and Rights

In this section, we describe the rights and choices available to all users.

Access or Update Your Information. If you have registered for an account with us, you may review and update certain personal information in your account profile by logging into the account.

Opt out of marketing communications. You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email. You may continue to receive service-related and other non-marketing emails.

Cookies & Browser Web Storage. We may allow service providers and other third parties to use cookies and similar technologies to track your browsing activity over time and across the Services and third-party websites.

Targeted online advertising. Some of the business partners that collect information about users’ activities on or through the Service may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior or mobile application usage for purposes of targeted advertising.

In addition, your mobile device settings may provide functionality to limit our, or our partners’, ability to engage in ad tracking or targeted advertising using the Google Advertising ID or Apple ID for Advertising associated with your mobile device.

If you choose to opt-out of targeted advertisements, you will still see advertisements online but they may not be relevant to you. Even if you do choose to opt-out, not all companies that serve online behavioral advertising are included in this list, so you may still receive some cookies and tailored advertisements from companies that are not listed.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals.

Choosing not to share your personal information. Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our Services. We will tell you what information you must provide to receive the Services by designating it as required at the time of collection or through other appropriate means.

Other sites, mobile applications and services

The Service may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.

Security practices

The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information nor can we guarantee that the Information you supply will not be intercepted while being transmitted to us over the internet.

You agree and accept that your Information may be stored in third-party cloud service infrastructure providers. While all reasonable attempts have been taken from our end to ensure the safe and secure storage of your data, we shall not be liable for any data breach on the part of the third-party cloud service infrastructure provider that was beyond our control.

If you have any concerns, please feel free to contact us at contact@gogreencapital.in.

Cookies

We use session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

Children

As a general rule, children are not allowed to use the Services. The Services are not directed to, and we do not knowingly collect personal information from, anyone under the age of 18. If a parent or guardian becomes aware that his or her child has provided us with information without the parent’s or guardian’s consent, he or she should contact us. We will delete such information from our files as soon as reasonably practical. We encourage parents/guardians with concerns to contact us at contact@gogreencapital.in.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Any changes to the policy will be updated on the Website, though it may or may not be separately notified to you. We may, and if required by law will, also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through the Services.

Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on the Services (or as otherwise indicated at the time of posting). In all cases, your continued use of the Services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

Miscellaneous

The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any information other than the information collected by us through the platform. This Privacy Policy shall be inapplicable to any unsolicited information you provide us through the platform or through any other means. All unsolicited information shall be deemed to be non-confidential and we shall be free to use and/ or disclose such unsolicited information without any limitations. The rights and remedies available under this Policy may be exercised as often as necessary and are cumulative and not exclusive of rights or remedies provided by law. Rights under this policy may be waived only in writing. Delay in exercising or non-exercise of any such right or remedy does not constitute a waiver of that right or remedy, or any other right or remedy.

Grievance Redressal

Any discrepancies or grievances with regard to content and or comment or breach of the Terms and Conditions shall be taken up with the designated Grievance Officer as mentioned below via in writing or through email signed with the electronic signature to

Attention: Mr. Pramod Marar
Email ID: contact@gogreencapital.in
Address: 13th floor, WeWork, Embassy 247, LBS Road, Gandhi Nagar, Vikhroli West, Mumbai 400079

We assure you that we shall ensure implementation of the Privacy Policy and shall make the Privacy Policy available to Users. We will acknowledge each grievance that is received within 24 working hours and put our best efforts to redress the grievances of the User expeditiously within fifteen (15) working days from the date of receipt of the grievance. The User agrees and acknowledges that the Company shall address and attempt to resolve the complaint received in accordance with the standard policies and procedures adopted by the Company; the User’s disapproval/discontent with the outcome/mode of redressal shall not be deemed to mean non-redressal of the grievance by the Company. Any suggestions by the Company regarding use of the Service shall not be construed as a warranty.

Please feel free to reach out to us at contact@gogreencapital.in in case of any concerns, grievances, or questions relating to our privacy or data-related practices.

How to Contact Us

Please direct any questions or comments about this Privacy Policy or our privacy practices to contact@gogreencapital.in.

Governing Laws and jurisdiction

This Privacy Policy, the Services and the use of it is governed by the laws of India and the courts in Mumbai shall have exclusive jurisdiction over any disputes connected to our Privacy Policy, Platform or the Services and your use of it.

Your acceptance of these Terms

By using or visiting this platform, you signify your agreement to this policy. If you do not agree to any of these terms, please do not use our platform or services.

Terms and Conditions

Visit: Terms and Conditions – GoGreen Capital

Legal Disclaimer

This website is the online portal owned by TAPFIN CAPITAL PRIVATE LIMITED (GoGreen Capital) and is to be used for personal information purposes only. All the information displayed, transmitted or carried by the website including, but not limited to guides, news articles, external links, opinions, text, photographs, images, illustrations, trademarks, service marks and the like are provided on an ” as is” basis without warranties of any kind and stand protected by the copyright and other intellectual property laws. Any of the content published on the website shall not be reproduced, distributed, transmitted, modified, reused or published in whole or in part by the recipient hereof or any other person for any purpose without the prior written approval of the company.

While the content of the website may be updated periodically, we do not guarantee that it reflects the latest amendments/ information at any time.

All text, data, graphs and other pieces of information are presented with the best possible attempts to maintaining integrity, consistency and reliability of the same. However, none of the employees, directors, consultants, agents, representatives stand guarantors to any kind about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In the event that an inaccuracy or discrepancy is noticed by anyone who accesses the website, we would like you to inform us so that it can be corrected.

None of the company representative stands liable for any direct or indirect loss of profit or consequential damages that are alleged to have resulted from the use and/or inability to access or use the website features or misinterpretation or misrepresentation of information of any kind. The company does not become liable for any technical failure or malfunctioning of the software or the performance of any of our services. We are also not responsible for non-receipt of registration details or e-mails. Users shall bear all responsibility of keeping the password secure and we are not responsible for the loss or misuse of the same.

This website provides some link to other websites which are not under our direct control. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them and they are presented without any prior screening or review. While attempts are made at delivering only the relevant information to our users, no representative of the company holds any kind of liability as to the use of such content made available through those sites.

We strive at keeping the website up and running smoothly along with all its features and services. However, technical issues beyond our control may arise when the website becomes temporarily unavailable or some of the features may not work as they are expected to. The company does not take responsibility for such events and will not be liable for any financial or non-tangible losses arising due to the same. We do not warrant that the use of services, software or any other features available on the website will be uninterrupted, secure or error free or that any such defects in the services will be corrected.

RBI Disclaimer

Reserve Bank of India neither accepts any responsibility nor guarantees the present position as to the financial soundness of the company or for the correctness of any of the statements or representations made or opinions expressed by the company and for discharge of any liability by the company.

Neither there is any provision in law to keep, nor does the company keep any part of the deposits with the Reserve Bank of India and by issuing a Certificate of Registration to the company, the Reserve Bank of India, neither accepts any responsibility nor guarantees the payment of the deposits to any depositor or any person who has lent any sum to the company.

Ombudsman Scheme

RBI Integrated Ombudsman Scheme 2021: RBI Integrated Ombudsman Scheme 2021.pdf

Principal Nodal Officer, Nodal Officer and Ombudsman details: Principal Nodal Officer, Nodal Officer and Ombudsman details.pdf

RBI Ombudsman Complaint Form: RBI Ombudsman Complaint Form.pdf

Salient features of the Ombudsman Scheme 2021: Salient features of the Ombudsman Scheme 2021.pdf

Code of Conduct

Introduction

Tapfin Capital Private Limited, referred to as “Company” or “We” or “Us” or “Our”, is engaged in the business of loan provider services as defined under the RBI Guidelines. The Code of Conduct lays down the framework of qualities that the organization wishes to cultivate in its employees/representatives.

In pursuit of its mission, the Company follows a core set of values and belief including but not limited to the following:

Adherence to ethical norms and professional standards in all dealings with investors, employees, customers, suppliers, financial institutions and government.
Treating people with respect and fairness; providing opportunities to learn, contributing and advancing; recognizing and rewarding initiative, innovativeness and creativity.
Maintaining an organizational climate conducive to trust, open communication and team
Managing the business environment effectively for harnessing opportunities to grow in a manner that is consistent with its values and beliefs.

Company’s management practices and business conduct shall follow the highest standards and shall be in accordance with the laws of the land.

Towards this end, this Code of Conduct (“Code”) proposes to set out the standards of conduct expected from representatives and employees of the Company (such representatives and employees are hereinafter referred to as “Employees”).

Interpretation

Unless the context of this Code otherwise requires: (i) words of any gender are deemed to include the other gender, and (ii) words using the singular or plural number also include the plural or singular number,
The employee understands and agrees that this Code should be read in conjunction with the relevant and applicable policies of the company. In the event of any disparity or conflict between the provision of such policies and/or Code, the provision which is more protective of the company’s right and interests over the subject matter contained shall prevail.

Definitions

For the purpose of this code,

Third-party refers to any individual or organization(s), the company enters into a contractual agreement with. It refers to suppliers, distributors, agents, advisers, investors and government and public bodies of the
Employee refers to all employees (whether temporary, fixed-term, or permanent), consultants, contractors, trainees, seconded staff, home workers, casual workers, agency staff, volunteers, interns, agents, sponsors, or any other person or persons associated with the company (including third parties) located where the company has operations or has dealings with (within or outside of India)

Individual includes trustee, director, partner, manager agent, of the company; director, partner manager agent, etc. of any Group entity; employee, consultant or intern of the company or a Group entity and any other natural person whose services are placed at the disposal and under the control of the company.
Customer includes existing customers to whom the company is currently providing any service; potential clients to whom the company intends to provide any service; past clients of the company, if the company has any continuing obligations to that such client and any SPVs, where we are arrangers or providers of These SPVs are independent of originators (as customers) for the purpose of determining conflict of interest.

Regulatory Compliance

Employees of the Company, in their business conduct, shall comply with all applicable laws, regulations, internal policies and this Code, in letter and If the ethical and professional standards of applicable laws and regulations are below that of internal policies and this Code, then the standards of the internal policies and this Code shall prevail. In case of any doubt related to compliance with the law or standards (including those contained in internal policies or this Code), Employees are required to approach the

Company’s Compliance Officer (CO)/Chief Executive Officer (CEO) for clarification.

This Code applies to all employees, no matter where they are located (within or outside of India).
The Code also applies to Officers, Trustees, Board, and/or Committee members at any level
Directors of the Company (“Directors”) shall comply with applicable laws and regulations applicable to their

Equal Opportunities Employer

The Company is an equal opportunity employer. The Company encourage applications from candidates of all backgrounds and experience, during its hiring process. Hiring for all roles is only based on merit and the most suitable fitment of the candidate with the role.
Employees shall discharge their responsibilities without regard to the race, caste, religion color, ancestry, marital status, gender, sexual orientation, age, nationality, ethnic origin or disability of the people they work with or meet in the course of their employment.
Employees shall promote diversity and equality in the workplace, as well as compliance with all local labor
Employees of the Company shall treat everyone, including their colleagues, with dignity and in accordance with the policy of maintaining a work environment free of all forms of harassment, whether physical, verbal or Employee policies and practices shall be administered in a manner consistent with applicable laws, the provisions of this Code, respect for the right to privacy and the right to be heard. Professional merit, including compliance with this Code and all other policies, shall guide all decision- making, including in all performance management.

Safety and Work Environment

The Company shall provide a healthy and safe work environment for its The Company shall not discriminate against any employee on grounds of diseases or infections as long as it does not pose a threat to co-workers, with regard to promotions, training, and other privileges, and no employee shall discriminate against a colleague on such basis.
Any act by a third party (i.e. other than an employee), which would have been a violation of this Code had it been committed by an employee, must immediately be brought to the notice of the Compliance Officer (CO).
Failure to comply with the POSH (Prevention of Sexual Harassment) Policy of the Company shall be deemed to be a violation of this Code.

Employees shall prevent the wasteful use of resources and shall strive for economic, social and environmental sustainability at all times.

Public Representation of the Company

Employees shall honor the information sharing policy and requirements of the Company and its stakeholders, according to the provisions of the agreements executed with such In all its public appearances, with respect to disclosing company and business information to public constituencies and stakeholders such as the media, the financial community, employees, shareholders, agents, investors, clients, exchanges, regulators, brokers, rating agencies and arrangers, Company shall be represented only by the Chief Executive Officer (CEO) or such other person(s) as may be designated by the CEO. No other employee is entitled to publicly represent the Company.
Non-public interaction with third parties by employees in the course of their work must also strictly comply with the Code and other policies of the Company on the subject.
Employees in their personal interactions will not speak about the Company in a manner that conflicts with information sharing policy and the requirements of the Company and this Code.
Any breach of the same, in an official or personal capacity by employees in any public or non-public interaction will lead to disciplinary action against the employee by the Company.

Ethical Conduct

Every Employee of the Company, including full-time directors and the CEO shall deal on behalf of the Company with professionalism, honesty and integrity while conforming to high ethical standards. Such conduct shall be fair and In case of any doubt about the ethical implications of a given situation, employees are required to approach the Compliance Officer/Chief Executive Officer for clarification.
Every employee of the Company shall preserve the human rights of every individual and stakeholder (including persons covered by the mission) and shall strive to honor all professional commitments.

Financial Reporting and Records

Employees entrusted with preparation and maintenance of accounts shall do so fairly and accurately and in accordance with the accounting and financial reporting standards which represent the generally accepted guidelines, principles, standards (including Indian Accounting Standards), laws (including laws relating to money laundering) and regulations that apply.
Internal accounting and audit procedures shall reflect, fairly and accurately, all the Company’s business transactions and disposition of assets and shall have internal controls to provide assurance to the All required information shall be made available to company auditors, other parties authorized by the CEO or by the person (s) so designated by the CEO and government agencies acting under the authority of land.
Employees shall not be involved in the origination of unauthenticated market related news or a rumor, and employees shall not circulate any news or rumor to anyone in their public or non-public interactions, in an official or personal capacity.
Any wilful, material misrepresentation of and/or misinformation on the financial accounts and reports, by any employee, shall be regarded as a violation of the Code, apart from inviting appropriate civil or criminal action under the relevant laws, No Employee shall make, authorize, abet or collude in an improper payment, unlawful commission or bribing.

Gift, Donations and Entertainment

The Company and its employees shall be always guided by the Anti-Bribery and Corruption (ABC) policy and procedures of the Company.
The Company and its employees will neither receive nor offer or make, directly or indirectly, any illegal payments, remuneration, gifts, donations or comparable benefits that are intended, or perceived, to obtain uncompetitive favors for the conduct of its business, or for personal gain while employed with and/or representing the Company, or after separation from the Company to gain favors in the name of the
However, employees may, with full disclosure, accept and offer nominal gifts, provided, such gifts are customarily given or are of a commemorative nature and the value of such gift is in accordance with the ABC Policy of the Company.

Third Party Representation

Employees shall not authorize third parties to represent the Company without the written permission of the CEO or CEO’s designated delegate (s) for the purpose, or in contravention of the terms of the policies and procedures approved by the CEO of the company.
An employee shall not disclose information belonging to the Company, its stakeholders including but not limited to existing or potential investor(s), existing or potential customer (s), service partner(s), suppliers, distributors, agents etc. to any third parties except in the circumstances and in the manner approved by relevant policies or by the CEO of the Company.

Use of the Company’s Brand

The use of the Company’s name, logo and trademark (if any) or the name or trademark of any of any other entity or organization, shall be governed by the instructions and policies, if any, of the copyright holder. Employees using any such name, logo or trademark must familiarize themselves with the relevant instructions and policies.

Political non-alignment

In the course of their official duties, employees shall be committed to and support the constitution and governance systems of all jurisdictions in which the Company operates and conducts its business.
The Company shall not support any specific political party or candidate for political However, nothing contained herein shall restrict the right of the employees to do so in their personal capacity. Employees must be aware that involvement with political parties, activities and candidates may, in some cases, result in a conflict of interest between the political position of the employee and the Company’ mission. Where there is a potential for conflict of interest, the employee must disclose this to the company immediately and await further clarification from the Compliance Officer/Chief Executive Officer on the next course of action.

Group Policies

The Company may recommend to its Board of Directors the adoption of policies and guidelines periodically or appropriate modifications thereof. Further, the CEO of Holding Company or the person(s) designated by the CEO of Holding Company or the CO may, from time to time, issue specific policies for specific conduct and such policies must be placed before the board within 3 months of issuance and such policies and guidelines shall be binding on all employees.

Concurrent Employment

The terms of any concurrent employment or position of responsibility will be governed by the terms of the Employment Agreement signed by the employees of the company.

Conflict of Interest and Information Arbitrage

An Employee of the Company shall always act in the interest of the Company, and ensure that any business, professional association, personal association or activity of such employee does not involve a conflict of interest with the operations and the mission of the Company and their role therein.
The above shall not apply to (whether for remuneration or otherwise), for any exclusions permitted in the Employment Agreement executed between the Company and the employee.
The competent authority to decide any deviations, in the case of all other employees, shall be the Compliance Officer and/or the CEO or the person(s) designated by the CEO of the Company, who in turn shall report such exceptional cases, if any, to the Board of Directors on a quarterly basis.
A conflict of interest, actual or potential, may arise where, directly or indirectly when:
1. An employee of the Company personally engages in business, relationship or activity with anyone who is party to a transaction with any group entity of the Company;
2. An employee or any of his / her relative(s) (use of the term “relative” in this Code shall have the meaning ascribed to it in Section 2(77) the Companies Act, 2013) is in a position to derive any benefit (other than benefit arising to such employee directly out of employment with the Company in accordance with the other policies of the Company) by making or influencing decisions in the course of employment with the Company relating to any transaction.
When companies/entities within the Company or even teams within a single group entity act in different capacities, they often receive different confidential information. The use of information disclosed for one purpose, when used for any other purpose (“information arbitrage”) exposes individuals and the Company to potentially significant regulatory risks, reputational risks and civil In certain cases, like in the case of insider trading, criminal liability may also arise.
An indicative list of actual or potential conflicts has been listed under Annexure A of this code which all employees of the Company are urged to read and follow carefully;
Employees are obliged to take reasonable steps to identify if they (by themselves or through their relatives) are subject to any actual or potential conflict of interest or information Adequate and full disclosure of all actual or potential conflict of interest or information arbitrage shall be made by employees to the Compliance Officer/Chief Executive Officer.
If an employee fails to make the required disclosure and the Company otherwise becomes aware of an instance of conflict of interest that ought to have been disclosed by the employee, suitable disciplinary action may be taken against such employee.
Any individual who is unsure of whether a conflict of interest or information arbitrage situation exists, should approach their Line manager or the Compliance Officer/Chief Executive Officer for clarification. Nothing contained in this code is intended to limit in any way the liability attached to an individual, or a company, under any statute.
The term “Information”, as used here, refers to all information, whether oral or not, acquired from a non- public source in the course of employment with the company.
Each Individual must:
1. know the purpose for which any information has been disclosed to them and the source of such Information;
2. use any information disclosed to them only for the purpose for which it is disclosed to them;
3. determine if the information disclosed to them is relevant for any work they are doing apart from the purpose for which it was originally disclosed to them and if it is so relevant, bring this fact to the attention of the Compliance Officer/Chief Compliance Officer;
4. not further disclose the information (including within the organization) other as may be required for the purpose of disclosure;
5. avoid conflict of interest, and
6. consult the Compliance Officer/Chief Executive Officer in case of any doubts about the application of this policy to any information or purpose (for instance where the purpose requires the disclosure of information to a third party not covered by this policy or when any information is relevant for a purpose other than one for which it was disclosed).

It may be noted that Group entities may have functional access to information under other policies. In particular, use of information for academic analysis, statistical analysis, record-keeping and reporting in compliance with anti-money laundering laws, may permit or even require that information disclosed for one purpose to be used for another purpose. Such use of any information beyond the purpose for which it was disclosed may be permitted in compliance with the policies specifically addressing those functional access to information and in the absence of such policies, this policy must be followed.
Any instances of breach of this policy must be brought to the notice of the designated authority and/or Compliance Officer/Chief Executive Officer. In the absence of a Compliance Officer, the most senior available executive functionary of the Group Entity should be Please also note the provisions in the Code of Conduct relating to the protection of “whistle-blowers”;
Use of information for personal purposes by individuals, may lead to information arbitrage and conflict of interests, giving rise to material risk of damage to the interests of any one or more third party/ies, a customer of the Company and the Company.

Securities Transactions and Confidential Information

An employee and the relatives of such employee (s) shall not derive any benefit or permit others to derive any benefit (other than benefit arising directly out of employment with the Company in accordance with the other policies of the Company), from access to and possession of information about the Company or Group or its customers that is not in the public domain and, thus, constitutes unpublished insider information (whether price-sensitive or not).
Such insider information might include (without limitation) the following:
1. Acquisition and divestiture of businesses or business units;
2. Financial information such as profits, earnings and dividends;
3. Announcement of new product introductions or developments;
4. Asset revaluations;
5. Investment decisions/ plans;
6. Restructuring plans;
7. Borrowings and finance
An employee of the Company shall also respect and observe the confidentiality of information pertaining to other companies, their patents, intellectual property rights, trademarks and inventions.

Protecting Company Assets

The assets of the Company shall not be misused. They shall be employed primarily and judiciously for the purpose of conducting the business for which they are duly authorized. These include tangible assets such as equipment, systems, facilities, materials and resources, as well as intangible assets such as information technology and systems, proprietary information, Intellectual property, and relationships with customers and stakeholders. All employees shall comply with the Record Retention Policy and the IT Policy in force from time to time.

Personal Appearance

Professional Attire: Employees are expected to dress in a manner that is neat, clean, and appropriate for a professional business environment. Employees in non-customer facing roles, may dress in business casual attire. However, attire should still be professional and appropriate for a workplace setting.
Hygiene: Employees are expected to maintain good personal hygiene, including regular bathing, grooming, and oral care.
Tattoos and Piercings: Visible tattoos should be tasteful and not Facial piercings should be modest and inconspicuous.
Footwear: Closed-toe shoes are generally required for safety reasons for For women, while sandals or open-toe shoes are permitted, but they should be professional and clean.
Employees may request exceptions to the dress code for religious or medical Such requests should be made to Human Resources and will be considered on a case-by-case basis.
Employees who do not comply with the policy may be asked to address their appearance, and repeated violations may result in disciplinary action.

Absenteeism and Tardiness

The Company values the commitment and reliability of our employees. By avoiding absenteeism and tardiness, employees contribute to a positive work environment and ensure that our clients receive the highest level of service.
Attendance Expectations:
1. Regular Attendance: Employees are expected to report to work on time and as scheduled (as mentioned in their respective Employment Agreements) unless they have obtained prior approval for time off or are experiencing a valid reason for absence.
2. Punctuality: Employees are expected to arrive at their workstations and be ready to begin work at their designated start time. Punctuality is critical to meeting the Company’s needs and maintaining team
3. Tardiness is defined as arriving late to work or returning from breaks later than scheduled without prior authorization. Tardiness disrupts workflow and can impact team productivity. Employees who are consistently tardy may face disciplinary action, including verbal warnings, written warnings, and ultimately, termination if the behavior persists.
4. For clarity, employees in customer facing and customer support roles are expected to work from 9.30 am – 30 pm from Monday to Saturday. For all other roles, working hours are from 9.30 am – 6.30 pm from Monday to Friday, except on days designated as holidays by the Company (please refer to the Holiday calendar published by the Company from time to time) or on days approved as leaves for the employee by the Company. The working hours may change as per discretion of the Company and/or as per applicable laws and guidelines.

Employees are encouraged to request time off in advance for planned absences, such as vacations or personal appointments. Requests should be submitted through the company’s designated leave management system or to their supervisor for approval
In the event of an absence due to illness, emergency, or other unforeseen circumstances, employees must notify their immediate supervisor or the designated point of contact as soon as possible.
Employees may be required to provide appropriate documentation for absences that extend beyond a certain duration, such as medical certificates or other relevant documentation.

Social Media Conduct

The Company recognizes the importance of social media as a powerful tool for communication and
Expectations for responsible social media conduct by employees of the Company Name
1. Personal Responsibility: Employees are personally responsible for the content they post on social media platforms, whether using company-provided devices or personal accounts. Employee (s) should exercise good judgment and discretion when sharing content that could reflect on the Company or its reputation.
2. Confidentiality and Privacy: Employees are prohibited from disclosing confidential or proprietary information about the Company, its clients, partners, distributors, agents, Directors. Board, Trustees or employees on social media platforms.
3. Employees need to respect the privacy of colleagues, clients, and customers, at all Employees need to mandatorily obtain consent from the person(s) or entity/ies or delegate (s) designated by the CEO or the Compliance Officer of the Company or the respective organization (s), before posting their images, names, or any confidential information.
4. Professionalism and respect: Employees need to maintain a respectful tone and professional demeanor in all their social media Employees should not engage in discriminatory, harassing, defamatory, or offensive communications.
5. Conflict of Interest: Employees to avoid discussing topics related to the Company’s competitors, financial performance, or strategic initiatives without proper authorization from the person (s) designated by the CEO or Compliance Officer of the Company.
6. Employees cannot disclose any affiliation with the Company when discussing topics related to our industry or expertise.
7. Endorsements and Representations: Employees must clearly differentiate personal opinions from those of the Company, at all times. Employees use disclaimers such as “views are my own” when appropriate.
8. Employees are prohibited from making false or misleading statements about the Company, its products, services, or competitors.
9. Compliance with Laws and Policies: Employees to adhere to all applicable laws, including copyright, privacy, and defamation laws, when posting content on social media.
10. Employees to follow the Company’s Code of Conduct, IT policies, and any other relevant policies governing employee behavior.
11. Crisis Communication Protocol: In the event of a crisis or sensitive situation, employees are restricted from discussing or sharing information on social media All inquiries need to be mandatorily referred to the designated spokesperson or communications team.

Violations of these guidelines may result in disciplinary action, up to and including termination of employment or contract. The severity of the consequences will depend on the nature and impact of the violation.

Public Affairs

The involvement of an employee in public affairs shall be with express approval from the CEO of Holding Company or the person (s) designated by the CEO or Compliance Officer of the Company, subject to such involvement having no adverse impact on the business affairs of the Company.

Integrity of data furnished

Every employee shall ensure, at all times, the integrity of data or information furnished by them to the company or to any person in the course of his employment. The employee shall take reasonable steps to ensure the accuracy of such information and shall be entirely responsible in ensuring that the confidentiality of all data is maintained and in no circumstance is such data transferred to any outside person/party other than as permitted by policy or with the approval of the CEO or the person(s) designated by the CEO or Compliance Officer.

Reporting Concerns

Every employee is obliged to promptly report to their Line Manager and the Compliance Officer/Chief Executive Officer, when they become aware of any actual or possible violation of the Code or an event of misconduct, act of misdemeanor or any act not in the Company’s Such reporting should be made for activities of lenders, clients and investors and other third parties as well;
Any employee can choose to make a protected & confidential disclosure, in writing, at confidential@gogreencapital.in in relation to matters concerning the Company. The Whistle-blower policy of the Company provides a mechanism for its employees to raise concerns. For more details, refer to the procedure for reporting and dealing with disclosures under the Whistle-blower policy of the Holding Company that is also applicable to its subsidiaries;
The Company shall ensure protection of the whistle-blower and any attempts to intimidate such whistle- blowers in relation to such whistleblowing, shall be treated as a serious violation of the It may be noted that a frivolous, protected and confidential disclosure may itself be a violation of this Code.
While recognizing the importance of healthy inter-personal relationships at the workplace, the Company is also committed to ensuring that certain kinds of inter-personal relationships among our employees do not interfere with the work environment we endeavor to foster.
Accordingly, any personal relationship between employees of the Group that gives rise to a situation of conflict of interest (whether actual, potential or perceived) shall be strictly prohibited.
For the purpose of this Code, the following personal relationships shall be deemed to give rise to a conflict of interest and shall be strictly prohibited:
1. A personal relationship between two employees who are professionally in a supervisory or reporting
2. A personal relationship between two employees, one of whom is otherwise in a professional position to determine or affect the compensation, promotion or benefits that the other employee is eligible for;
3. any other personal relationship that gives rise to a situation of conflict with the professional responsibilities of the employee(s).

It is further clarified that a personal relationship shall include a relationship that is of a spousal, familial or sexual nature.

All such pre-existing personal relationships mandatorily need to be disclosed by the employee(s) to the CEO and the Compliance Officer. Approvals will need to be sought from the Management regarding the employment of the employee(s) with Company and/or continuity of the employee(s) in the assigned role(s). The decision of the Company shall be final and binding on all parties involved.

Investigation and Disciplinary Procedure

Employees are encouraged to report any non-compliance with this Code of Conduct. The Company takes matters of non-compliance seriously and will not tolerate retaliation. If an employee suspects any team member may be violating this Code of Conduct, they should report it to their immediate supervisor over phone or by The same can be escalated to the Compliance Officer/Chief Executive Officer by writing to confidential@gogreencapital.in
Breach of other applicable policies may be construed as breach of this Code, depending on the facts of the case. Action taken under this Code may be in addition to the action, if any, taken under other policies. Compliance with this Code does not exonerate an employee from compliance with any other Policy and vice
Any investigation and disciplinary proceedings relating to a violation of this Code shall be carried out under the directions of the Compliance Officer (in consultation with other relevant internal and/or external stake- holders on matters relating to the procedure to be followed, including the principles of natural justice). In the case of an investigation against the Directors and/or Founder employees, any action will be carried out as per the executed Director and Founder agreement(s) In the case of an investigation against the non-founder CEO, investigation will be referred to the Board of the Company and their decision will be binding and final. In the case of an investigation against the non-founder CO, the CEO may refer matters relating to procedure to external legal counsel, as approved by the Board

Roles and Responsibilities

Board of Directors
1. The Board of Directors of the Company shall have oversight of governance and compliance with this Code of Conduct in conjunction with other ESG related policies.
2. The Directors of the Company shall be responsible for performing the duties specified in relevant laws specially prescribed in the Companies Act 2013.
3. Independent Directors of the Company shall ensure due performance of their duties inter- alia as prescribed in Schedule IV of the Companies Act 2013 and Company’s Code of Independent

Compliance Officer
1. Collaborate with Management to conduct relevant training and communication of this Code of Conduct to all individuals working with the Company.
2. Will prepare an annual report on the implementation of this Code of Conduct for the Board of Directors and promptly report any non-compliance to them.

Employees
1. Read and understand this Code of
2. Comply with this Code of
3. Provide full cooperation for any inquiry or investigation pertaining to this Code of
4. Employees should read and adhere to the requirement(s) under this Code along with all the other Policies of the Company and their executed Employment Agreement(s).

Communication and Training

This Code of Conduct will be communicated to all employees on a regular basis. It will also be disclosed through Company’s website/intranet as applicable. All individuals are expected to keep themselves up to date by reading this Code of Conduct at regular intervals or each time when it is updated by the Company.
Regular training and awareness sessions shall be made available in relation to this Code of Conduct, Company procedures and measures by the Company. Employees may be expected to acknowledge having read and understood the Code of Conduct, as determined by the Company, from time to time.

Documentation/Maintaining Records

Accurate and complete record-keeping is essential to the successful operation of Company, as well as to our ability to meet our legal and regulatory All documents generated in compliance with this Code of Conduct will be retained as per the statutory requirements and/or internal requirements of the Company.

Questions and Clarifications

For questions regarding the Code or assistance with any queries, employees should can send in their questions to HR@gogreencapital.in

Review and update

The Board of Directors will review the implementation of this Code of Conduct on an annual basis, considering its suitability, adequacy and effectiveness. If more frequent revisions are deemed necessary, the updated Code of Conduct document will be presented to the Board of Directors for approval before implementation.

Note:

The Code does not provide a full, comprehensive and complete explanation of all the rules that employees are bound to follow. Employees have a continuing obligation to familiarize themselves with all applicable laws, company policies, procedures and work rules.

Annexure A

Indicative list of actual or potential conflicts and Frequently asked questions (FAQs):

1. Which parties’ interests may conflict?

Conflict of interest(s) may arise between the interests of:

The Company a customer (potential or existing);
An individual a customer (potential or existing);
A customer (potential or existing)) another customer (potential or existing);
An individual the Company; and
An individual or any Group entity any regulator in any jurisdiction.

2. Who is an individual for the purpose of this policy?

For the purpose of this code, individual includes any of the following:

A trustee, director, partner, manager agent, of the Company;
where applicable, a director, partner manager agent, of any Group entity;
an employee, consultant or intern of the Company or a Group entity;
any other natural person whose services are placed at the disposal and under the control of the

3. Who is a customer for the purpose of this policy?

For the purpose of this code, customers include:

Existing customers to whom the Company is currently providing any service;
potential clients to whom the Company intends to provide any service; and
past clients of the company, if the Company has any continuing obligations to that such
Please note that SPVs (where we are arrangers of calculation agents or structures, etc.), if any, are also customers and are independent of originators (as customers) for the purpose of determining conflict of

4. What are the obligations of each individual under this Policy in relation to conflict of interest?

Each individual is obliged to identify and address any of the following potential conflict of interests:

The individual or any other person that the individual is acting for/representing, is likely to make a financial gain, or avoid a financial loss, at the expense of the customer;
The individual or any person that the individual is acting for/representing, has an interest in the outcome of a service provided to the customer or of a transaction carried out on behalf of the customer, which is distinct from the customer’s interest in that outcome;
The individual or any person that the individual is acting for/representing, has a financial or other incentive to favour the interest of another customer or group of customers over the interests of the customer;
The individual carries on or has a relative (as relative is defined in the Companies Act, 2013) who carries on the same business as the customer; and/or
The individual or any person that the individual is acting for/representing, (other than the relevant Group entity formally acting for the Client) receives or will receive from a person other than the customer, any inducement in relation to a service provided to the customer.

5. When does a conflict of interest actually arise?

An actual conflict of interest can occur in a variety of ways. The exact facts of the conflict will determine the nature of liability under the law. The following is a list of indicative actual conflicts that are likely give rise to liability under the law (this list is not exhaustive and is in no particular order):

An individual puts her interest before that of the Company or any of the Group entities, he/ she is employed by or before that of the customer of the Company or any of the Group entities’ he/she is employed by;

A Group entity acting for a customer puts its own interest before that of its customer;
Group entities (or an individual) put the interest of one customer represented by any of them, before the interest of another customer represented by the same or any other Group entity;
An individual or Company or a Group entity puts the interest of a customer before any person (including an investor) who has been reasonably led to believe that the Company or the Group entity is taking into accounts its interests;
Information received by an individual or the Company or a Group entity for a particular purpose is used for another purpose (unless the law expressly permits the use of such information provided for the particular purpose to be used for the other purpose);
An individual or the Company or a Group entity puts the interest of any person (who has been reasonably led to believe that the Company or a Group entity is taking into account its interests) before the interest of a customer; and
unless obliged to do so by law, an individual or the Company or Group entity acts in any manner that may reasonably appear to be damaging to the reputation of the Company, any Group entity, any regulator, any customer, the financial system (and markets) in India, the financial system (and markets of a jurisdiction other than India) where the Company operate;
In certain circumstances, an individual who allows herself or himself to be placed in a potential conflict of interest situation may be treated as being conflicted merely by the virtue of allowing herself or himself to be placed in that situation.

6. What are Chinese Walls?

Any mechanism that is used to ensure that information is only used for its intended purpose and which reduces information arbitrage is called a “Chinese Wall”’. Chinese walls are used to reduce the potential for conflict of interest. However, if an individual is actually in a conflicted situation, the Chinese wall has already failed and will offer no protection to the individual or the Company or the concerned Group entity.

7. Are there any exemptions for senior management (persons above the Chinese wall)?

No, there are no exemptions for senior management and no one may consider themselves “above the Chinese wall”. Where any individual finds that such individual cannot avoid conflict, such individual must continue to keep all information confidential, disclose the conflict to reporting authority of the individual (the Board of Directors) and the CO and refrain from any decision making related to that information or the relevant conflict.

8. Who can provide more information on conflict of interest in a given situation?

Any queries related to conflict of interest may be raised with reporting managers and as per prescribed procedures defined by the Company. However, individuals are encouraged to bring any conflict of interest or potential conflict of interest to the notice of the CO.

9. What kind of legal liability does conflict of interest give rise to?

Conflict of interest can give rise to a wide variety of causes of action. These causes of action include criminal, tortious, contractual and statutory causes of action. If held liable, an individual may be imprisoned, fined, asked to pay compensation, censured by the regulator and barred from holding certain offices. Given the serious potential implications of situations involving conflict of interest, individuals must strive to avoid such situations involving conflict of interest.

Fair Practice Code

1. Introduction

This Fair Practices Code (FPC) for Tapfin Capital Private Limited is framed to ensure that the company adheres to fair, transparent, and ethical practices while dealing with customers. This policy is in line with the Reserve Bank of India (RBI) guidelines and is designed to protect the interests of customers and build long-term trust.

The objective of this code is to promote responsible lending, transparency in financial products, and to provide a grievance redressal mechanism for customers.

2. Scope of the Policy

This policy applies to all the financial products and services offered by the company, including:

Business loans
Term loans, including Asset purchase loans
Working Capital

3. Transparency in Loan and Credit Products

a. Pre-Contract Information:

Loan Documentation: The company shall provide clear and transparent information about the terms and conditions of loans before entering into a formal contract. This includes loan amount, tenor, applicable interest rate, processing fees, and any other
Interest Rates: The company will disclose the method used for calculating interest rates, whether on a reducing or flat-rate basis, and ensure that all customers understand how interest is applied to their loan.
Pre-closure and Early Repayment Terms: The company will disclose the conditions related to pre-payment or foreclosure, including charges, if any.
Other Charges: The company will inform customers upfront about any additional charges such as late-payment penalties, cheque bounce charges, administrative fees,

b. Application Process:

The company will ensure that the process of loan application is straightforward, and customers are provided with all necessary information to make an informed decision.
Customers shall be advised in writing about the required documentation that the Company requires to collect from the customer to fulfil its ‘Know Your Customer’

norms and to comply with legal and regulatory requirements in force from time to time and the time it will take to process the application.

c. Clear and Simple Language:

All loan-related documents, including application forms, loan agreements, and sanction letters, will be provided in clear, simple, and understandable language.
The customer will be informed about all aspects of the loan, including financial implications and rights and duties.

4. Disclosures During Loan Sanction and Disbursement

a. Loan Agreement:

A formal loan agreement will be executed with every customer detailing the agreed- upon terms and conditions.
The loan agreement must include all terms regarding:
- Loan amount
- Tenor
- Interest rate (fixed or variable)
- Repayment schedule
- Security/collateral, if any
- Processing fees and other charges
- Terms and conditions for pre-payment/foreclosure

b. Sanction Letter:

The company will provide a sanction letter detailing the above terms and ensure that customers receive a copy of the letter for their reference.
The customer will be asked to acknowledge receipt of the sanction

c. Timely Disbursement:

The company shall disburse the loan amount to the customer in a timely manner after approval, and customers will be notified in writing once the loan is disbursed.

d. Post Disbursement:

The company will release all securities on repayment of all dues or on realisation of the outstanding amount of loan subject to any legitimate right or lien for any other claim the company may have against borrower. As and when such right of set off is to be exercised, the borrower shall be given notice about the same with full particulars about the remaining claims and the conditions under which the company is entitled to retain the securities till the relevant claim is settled /paid.

The company shall ensure that the release of all the original movable / immovable property documents, if applicable, and removal of charges registered with any registry is completed within a period of 30 days after full repayment/settlement of the loan
In case of delay in releasing of original movable/immovable property documents or failing to file charge satisfaction form with relevant registry beyond 30 days from the date of full repayment/ settlement of loan, the Company shall communicate to the borrower reasons for such In case where the delay is attributable to the Company, it shall compensate the borrower at the rate of ₹5,000 for each day of delay.
The company shall provide an option to the borrowers for collecting such documents on full repayment, either from the banking outlet/branch where the loan account was serviced or any other office of the NBFC where the documents are available, as per her/his preference which shall be provided to her/him in the loan agreement along with the timeline of such loans.
In case of loss/damage to original movable/immovable property documents, either in part or in full, the Company shall assist the borrower in obtaining duplicate/certified copies of the movable/immovable property documents and shall bear the associated costs, in addition to paying compensation as indicated at clause (ii) However, in such cases, an additional time of 30 days will be available to the Company to complete this procedure and the delayed period penalty will be calculated thereafter (i.e., after a total period of 60 days). The compensation provided under these directions shall be without prejudice to the rights of a borrower to get any other compensation as per any applicable law.
In order to address the contingent event of demise of the sole borrower or joint borrowers, the company shall have a well laid out procedure for return of original movable/immovable property documents to the legal heirs. Such procedure shall be displayed on the website of the company.
In case of receipt of request for transfer of borrowal account, either from the borrower or from a lender which proposes to take over the account, the consent or otherwise e. objection of the company, if any, shall be conveyed within 21 days from the date of receipt of request. Such transfer shall be as per transparent contractual terms in consonance with law.
The company shall share/ make accessible to the borrowers, through appropriate channels, a statement at the end of each quarter which shall at the minimum, enumerate the principal and interest recovered till date, EMI/balance amount, number of EMIs/payments left and annualized rate of interest/Annual Percentage Rate (APR) for the entire tenor of the loan.

5. Interest Rates and Other Charges

a. Transparency in Pricing:

All charges, including interest rates, processing fees, administrative charges, and other costs, will be clearly communicated to the customer at the time of loan approval.
The company will ensure that interest rates are competitive and within the limits as prescribed in the applicable regulations and do not exceed what is reasonably fair based on market conditions.
Penalty, if charged, for non-compliance of material terms and conditions of loan contract by the borrower shall be treated as ‘penal charges’ and shall not be levied in the form of ‘penal interest’ that is added to the rate of interest charged on the loans.
There shall be no capitalisation of penal charges i.e., no further interest computed on such However, this will not affect the normal procedures for compounding of interest in the loan account.
The company shall not introduce any additional component to the rate of interest and company will ensure compliance to these guidelines in both letter and spirit.
The quantum of penal charges shall be reasonable and commensurate with the non- compliance of material terms and conditions of loan contract without being discriminatory within a particular loan / product category.
The quantum and reason for penal charges shall be clearly disclosed by the Company to the customers in the loan agreement and most important terms & conditions / Key Fact Statement (KFS) as applicable, in addition to being displayed on Company’s website under Schedule of Charges.
Whenever reminders for non-compliance of material terms and conditions of loan are sent to borrowers, the applicable penal charges shall be communicated. Further, any instance of levy of penal charges and the reason therefor shall also be communicated.

b. Disclosure of Changes:

In case of any change in interest rates or other charges during the tenor of the loan, the company shall inform customers well in advance – these changes would be prospective in nature.
The customer will be provided with a reasonable notice period prior to implementation of the changes.

6. Customer Grievance Redressal Mechanism

a. Grievance Redressal Officer:

The company will appoint a designated officer to handle customer complaints and ensure timely resolution.
The officer will be responsible for addressing grievances related to loan processing, repayment issues, and any discrepancies.

b. Grievance Redressal Process:

The company shall acknowledge customer complaints within 3 working
A resolution will be provided within 15 working
If the complaint cannot be resolved within this timeframe, the customer will be notified of the status and expected resolution date.

c. Escalation Procedure:

In case the customer is not satisfied with the resolution, the complaint can be escalated to senior management or the Nodal Officer.
A detailed escalation procedure will be outlined for customers to follow, ensuring that issues are handled at higher levels when necessary.

d. RBI Ombudsman Scheme:

If a customer is still dissatisfied with the resolution, the company will inform the customer about the availability of the RBI Ombudsman Scheme and the process of filing a complaint with the RBI.

The Board of Directors shall also provide for periodic review of the compliance of the Fair Practices Code and the functioning of the grievance’s redressal mechanism at various levels of management. A consolidated report of such reviews shall be submitted to the Board at regular intervals, as may be prescribed by it or by a separate Grievances Redressal Policy.

7. Recovery of Loans and Dues

a. Ethical Recovery Practices:

The company shall adopt ethical practices while recovering dues from customers and avoid practices that can be construed as harassment or intimidation.
Collection calls will be made at reasonable times, and collection agents must be professional and courteous.

b. Communication Regarding Defaults:

Customers will be notified in writing if they have missed payments, including information on late payment fees and penalties.
The company shall offer customers a reasonable period to rectify missed payments before initiating recovery actions.

c. No Harassment:

The company will not resort to any form of harassment, including verbal abuse or threats, for the recovery of dues.
Legal action, if required, will be taken after ensuring that all alternative means have been explored.

8. Confidentiality and Data Protection

a. Data Privacy:

The company will ensure the protection of customer data, and all personal, financial, and sensitive information will be kept confidential.
Customer data will not be shared with third parties without the customer’s explicit consent, except in cases where it is required by law or regulatory authorities.

b. Consent for Data Sharing:

The company will obtain customer consent for sharing data with credit bureaus, other financial institutions, or for marketing purposes.

c. Security of Data:

The company will ensure that all digital platforms and internal systems used to store customer data comply with best security practices to prevent data breaches.

9. Customer Education

a. Financial Literacy:

The company will promote financial literacy among customers, helping them understand the terms of their loans, repayment obligations, and the impact of loan products on their financial health.
The company may conduct customer education campaigns, seminars, and provide written materials to explain complex financial concepts.

b. Awareness of Rights:

Customers will be informed about their rights under the Fair Practices Code, including the right to file complaints, seek redressal, and get copies of loan documents.

10. Compliance with Regulatory Requirements

a. Adherence to RBI Guidelines:

The company will comply with all relevant RBI guidelines and regulations on fair practices, including the Non-Banking Financial Companies (NBFCs) Regulations.
Periodic reviews of this policy will be conducted to ensure continued compliance with any new or amended regulations issued by the RBI.

b. Internal Audit and Compliance Checks:

The company will conduct regular internal audits to ensure adherence to the Fair Practices Code.
Any deviations or non-compliance will be addressed promptly, and corrective actions will be taken.

11. Periodic Review of the Fair Practices Code

The company will review and update this Fair Practices Code at regular intervals, and atleast once annually, to ensure that it remains in line with the latest regulatory requirements, industry practices, and customer expectations.

12. Conclusion

The Fair Practices Code is designed to establish a framework for ensuring that the company’s relationship with its customers is based on transparency, fairness, and respect. By adhering to this code, the company aims to build long-lasting and trustworthy relationships with its customers, ensuring that their financial needs are met in a responsible and customer-friendly manner.

Grievance Redressal Mechanism

Introduction

Tapfin Capital Private Limited – a wholly owned subsidiary of Tapsys Private Limited is referred to as “Company” or “We” or “Us” or “Our”. The Grievance Redressal Mechanism Policy lays down the framework by which the Company will ensure highest standards of customer experience and responsiveness to customers, in a pre-agreed mannger.

Objective of the Policy

Customer service is extremely important for sustained business growth and as an organization, we strive to ensure that our customers receive exemplary service across different touch points.

Customer complaints constitute an important voice of customer, and this Policy details complaint handling through a structured grievance redressal framework. Complaint redressal is supported by a review mechanism, to minimize the recurrence of similar issues in future.

As per Fair Practices Code (FPC) followed by Tapfin Capital Private Limited (Company), the Company should have a Grievance Redressal Policy/Mechanism, that should be approved and mandated by the Board of Directors of the Company. The Company’s Grievance Redressal Policy fulfils the following principles:

Customers are informed of avenues to escalate their complaints within the organization, and their rights if they are not satisfied with the resolution of their complaints.
Customers shall be treated fairly at all
Ensures that all complaints are treated confidentially and investigated in a timely
Complaints raised by the customers shall be dealt with courtesy and resolved in a timely
Employees work in good faith and without prejudice, towards the interests of the

Scope and Applicability

A customer may have a genuine cause for complaint, although some complaints may be made as a result of a misunderstanding or an unreasonable expectation of a product or service.

The Company is committed to maintaining compliance with applicable laws, regulations and established policies. While this mechanism provides detailed information, it cannot address every potential grievance issue that may arise. If you encounter a specific situation and are unsure about what to do, please discuss it with your line manager or supervisor or the Compliance Officer (CO)or the Chief Executive Officer (CEO) of the Company. They will provide further guidance and clarification.

Regulatory Reference:

RBI/DoR/2023-24/106, DoR.FIN.REC.No.45/03.10.119/2023-24 Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 dated October 19, 2023.
Reserve Bank – Integrated Ombudsman Scheme, 2021

Ombudsman: The Reserve Bank of India (RBI) may appoint one or more of its officers in the rank of not less than General Manager to be known as Ombudsman to carry out the functions entrusted by or under the Ombudsman Scheme.

Definitions

“Complainant” means any customer- individual or entity, that has raised the grievance under the Grievance Redressal Policy.

“Customer” means any individual or entity availing of financial products and services, offered by the Company.

Designated officer, as may be identified by Senior management, as the Grievance Redressal Officer for the Company.

Grievance/Complaint: A “Grievance/Complaint” is an expression of dissatisfaction with a product or service offered by the Company, either orally or in writing.

“Reporting Manager” means a reporting manager of the Complainant employee as per the organization structure at the time of the Complaint/grievance.

Grievance Redressal Process

In order to effectively understand and address customer grievances, the Company shall open multiple channels of communication.

The customer may approach any of our service touch points given below to register a complaint and expect a response within defined time period from complaint registration. The policy covers grievances against the Company and its service providers. Service Touch points are as indicated below: These channels are:

Primary Level:

Email: Customer may email their grievances to the Company at contact@gogreencapital.in
Letter: Customers may also correspond with the Company at the below mentioned address: Customer Service Department, Tapfin Capital Private Limited, 13th Floor, Hindustan C, Bus Stop, 247 Park, Lal Bahadur Shastri Marg, Gandhi Nagar, Vikhroli West, Mumbai, Maharashtra 400079

Secondary Level

If the customer is not satisfied with the resolution received from above channels, or if the customer does not hear from the Company in 7 (seven) calendar days, the customer may write to the Designated Officer or the Grievance Redressal Officer (GRO). The GRO will be responsible for receiving and managing grievances.

Email: grievance@gogreencapital.in
Customers shall ensure that they quote their application no. / sanction no. / loan account no. in every correspondence with the Company regarding their complaint.
Customers are required to quote the complaint reference number provided to them in their earlier interaction, along with their loan account /application/Sanction number to help us understand and address their concerns.
GRO is available on all working days as well as non-public holidays between Monday to Friday from 09:30 AM to 06:30 PM.

In case the customer does not receive a response within the number of days indicated in the Policy for each level or if the customer is dissatisfied with the response received from the Company, the customer may escalate the complaint to the next level as indicated below:

Third Level:

If any customer is not satisfied with the response or resolution provided by the Grievance Redressal Officer, or does not hear from us in 14 (fourteen) calendar days, then the customer may escalate their grievance or complaint to Chief Executive Officer of the Company.
Email: grievance1@gogreencapital.in or,
Letter: to be sent to company at :

Chief Executive Officer, Tapfin Capital Private Limited, 13th Floor, Hindustan C, Bus Stop, 247 Park, Lal Bahadur Shastri Marg, Gandhi Nagar, Vikhroli West, Mumbai, Maharashtra – 400079

Customers shall ensure that they quote their application no. / sanction no. / loan account no. in every correspondence with the Company regarding their complaint.
Customers are required to quote the complaint reference number provided to them in their earlier interaction, along with their loan account /application/Sanction number to help us understand and address their concerns.

Fourth level

In case the customer is not satisfied by the response provided by Chief Executive Officer, or in case the grievance is not redressed within a period of 30 (thirty) calendar days from the date of its first submission, then the customer may reach out to RBI using the below channels, to lodge their complaint
- RBI CMS portal: https://cms.rbi.org.in
- Email: crpc@rbi.org.in
- Letter: Send their compliant using the complaint form (format available on the website under Ombudsman scheme 2021) to the below mentioned address:

The Officer- in- Charge

Reserve Bank of India, Department of Non-Banking Supervision, Reserve Bank of India, Post Bag No.901,

Main Building, Shahid Bhagat Singh Marg, Mumbai – 400001.

The above process will be applicable for any grievance related to Repossession and Sale of Asset as well, if applicable. The grievance will be investigated with the help of recovery team and a suitable response will be provided to the customer after investigation.

Time frame

Suitable timelines have been set for every complaint depending upon the investigations which would be involved in resolving the same.
Complaints are suitably acknowledged on receipt and the customers are informed of delays if any, in the resolution.
When the Company rejects any complaints wholly or partly, all such complaints will be escalated to Chief Executive Officer within 3 weeks of the receipt of the complaints
The Company and Chief Executive Officer will ensure that final decision is communicated to the complainant within 30 (Thirty) Calendar days from the date of receipt of the complaint by the Company.

Systems for resolution of Grievances

The Company shall develop a mechanism for resolution of the grievances to capture the complaints; follow TATs on the basis of the nature of the query and escalate issues on the basis of predefined TATs and as per the escalation matrix.

Once the complaint is captured, the Customer Care team is responsible for resolution of complaint/grievance to the customer’s satisfaction. Every attempt is made to offer the customer/s suitable and appropriate alternate solutions wherever possible.

However, if the customer continues to remain dissatisfied with the resolution, he/she can escalate the issue through the grievance redressal mechanism as referred above.

Internal Review and Monitoring of Grievances

Periodic review and monitoring of customer complaints is done to ensure that Company remains customer centric and trends are analysed to ensure best-in-class customer experience.

Periodic review shall include, but not limited to, the below parameters. The same shall be tabled for review and discussion during the Board meetings, on a quarterly basis:

Count of complaints
Nature of complaints,
TATs taken to resolve the complaints

Sample Categorization of Grievance

Nature of Complaints filed by Customers:

TDS refund / adjustment
Refund of excess amount post closure
Original invoice not received
Disbursement not received
EMI amount / date / tenor/ interest rate / other mismatch
Complaint – duplicate NOC – unable to trace details of old NOC handed over
Complaint – NOC issuance – RC pending cases
Complaint NOC issuance – discrepancy
EMI banking/NACH issues
Staff improper behaviour
Withdrawal of legal case
Repossession / disposal issues
CIBIL Updation
Return of PDCs
Complaint – legal notice – insurance claim not received
Loan agreement copy
Fraudulent guarantor / co-hirer / hirer
Fraud by outsider posing as Tapfin Capital employee
Payment collection not done
Payment Updation not done
Complaint – settlement – account not closed
Complaint against employee – fraud / cheating

Review of Policy

A consolidated report of periodical review of compliance of Fair Practice Code (FPC) and functioning of the grievances redressal mechanism shall be submitted to the Board of Directors or any Sub- Committee of the Board as designated, at quarterly intervals. The reviews shall consider the following:

Internal factors such as changes in organisational structure or products or services offered;
External factors such as changes in legislation or technological
The overall performance of the complaint management system, and
The results of audit, if any conducted during the year by internal / external auditors

Policy on Know Your Customer (KYC) and Anti-Money Laundering (AML)

1. Introduction The Reserve Bank of India (RBI) has issued comprehensive ‘Know Your Customer’(KYC) Guidelines to all Registered Entities (RE) including Non- Banking Financial Companies (NBFCs) in the context of the recommendations made by the Financial Action Task Force (FATF) and Prevention of Money Laundering (PML) standards and Combating Financing of Terrorism (CFT) policies, as these being used as the International Benchmark for framing the stated policies, by the regulatory authorities. In view of the same, Tapfin Capital (“The Company” or “TCPL”) has adopted the said KYC guidelines with suitable customizations depending on the activity undertaken by it. The Company has ensured that a proper policy framework on KYC and PML measures are formulated in line with the prescribed RBI guidelines and put in place, duly approved by its Board of Directors.

2. Objectives of the Policy The objective of the KYC framework is to prevent the Company from being used, intentionally or unintentionally, by unscrupulous elements for fraudulent and money laundering activities. KYC procedures are also envisaged to enable the Company to know/understand its customers and their financial dealings better, which in turn may help the Company manage its risks prudently. With this as the backdrop, the company has formulated its KYC and AML policies, which comprise of the following objectives: To monitor transactions of a suspicious nature and to put in place suitable systems and procedures to help

In controlling financial frauds
In identifying and reporting money laundering and suspicious activities
In safeguarding the company from being unwittingly used for transfer or deposit of funds derived from criminal activity or for financing of terrorism
To put in place systems and procedures for customer identification and verifying his/her identity and place of residence
To enable the Company to understand its customers and their financial dealings better which, in turn, would help the Company to manage risks prudently
To comply with applicable laws and regulatory guidelines with regards to KYC Guidelines and AML Standards
To ensure that the concerned employees/associates/agents etc. are adequately trained in KYC/AML/CFT procedures.

This Policy is comprised of the following key elements:

Customer Acceptance Policy (CAP)
Customer Identification Procedures (CIP)
Monitoring of Transactions
Risk management & Internal Control systems
Training Programme
Record Keeping & Preservation of records
Appointment of Designated Director
Appointment of Principal Officer
Reporting to FIU – India

3. Applicability of the Policy

This Policy is applicable to all branches/office premises of Tapfin Capital in India and is to be read in conjunction with related operational guidelines issued from time to time.

4. Compliance of the Policy

Senior Management of the Company comprising of Chief Executive Offer, and Chief Risk Officer under supervision of the Designated Director is responsible for compliance of KYC & AML guidelines and procedures
The Company shall ensure that decision-making functions of determining compliance with KYC norms are not outsourced
The company will conduct internal/concurrent audits periodically to verify the compliance with KYC/AML policies and procedures
Senior Management will submit quarterly audit notes and compliance to the Board.

5. Key Definitions

Terms bearing meaning assigned in terms of Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005:

“Aadhaar number” shall have the meaning assigned to it in clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016);
“Act” and “Rules” means the Prevention of Money-Laundering Act, 2002 and the Prevention of Money- Laundering (Maintenance of Records) Rules, 2005, respectively and amendments thereto.
“Authentication”, in the context of Aadhaar authentication, means the process as defined under sub- section (c) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
Beneficial Owner (BO)

Where the customer is a company, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical persons, has/have a controlling ownership interest or who exercise control through other means.

Explanation- For the purpose of this sub-clause-

“Controlling ownership interest” means ownership of/entitlement to more than 10 percent of the shares or capital or profits of the company.
“Control” shall include the right to appoint majority of the directors or to control the management or policy decisions including by virtue of their shareholding or management rights or shareholders agreements or voting agreements.

Where the customer is a partnership firm, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of/entitlement to more than 10 percent of capital or profits of the partnership or who exercises control through other means.

Explanation – For the purpose of this sub-clause, “control” shall include the right to control the management or policy decision.

Where the customer is an unincorporated association or body of individuals, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of/entitlement to more than 15 percent of the property or capital or profits of the unincorporated association or body of individuals.

Explanation: Term ‘body of individuals’ includes societies. Where no natural person is identified under (a), (b) or (c) above, the beneficial owner is the relevant natural person who holds the position of senior managing official.

Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 10 percent or more interest in the trust and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership.

“Certified Copy” – Obtaining a certified copy by the Company shall mean comparing the copy of the proof of possession of Aadhaar number where offline verification cannot be carried out or officially valid document so produced by the customer with the original and recording the same on the copy by the authorised officer of the Company, as per the provisions contained in the Act.

Provided that in case of Non-Resident Indians (NRIs) and Persons of Indian Origin (PIOs), as defined in Foreign Exchange Management (Deposit) Regulations, 2016 {FEMA 5(R)}, alternatively, the original certified copy, certified by any one of the following, may be obtained:

authorised officials of overseas branches of Scheduled Commercial Banks registered in India,
branches of overseas banks with whom Indian banks have relationships,
Notary Public abroad,
Court Magistrate,
Judge,
Indian Embassy/Consulate General in the country where the non-resident customer resides.

“Central KYC Records Registry” (CKYCR) means an entity defined under Rule 2(1) of the Rules, to receive, store, safeguard and retrieve the KYC records in digital form of a customer.
“Designated Director” means a person designated by the RE to ensure overall compliance with the obligations imposed under chapter IV of the PML Act and the Rules and shall include:

a. the Managing Director or a whole-time Director, duly authorized by the Board of Directors Explanation – For the purpose of this clause, the terms “Managing Director” and “Whole-time Director” shall have the meaning assigned to them in the Companies Act, 2013.

“Digital KYC” means capturing live photo of the customer and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by the authorised officer of the Company as per the provisions contained in the Act.
“Digital Signature” shall have the same meaning as assigned to it in clause (p) of sub-section (1) of section (2) of the Information Technology Act, 2000 (21 of 2000).
“Equivalent e-document” means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the customer as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.
“Group” – The term “group” shall have the same meaning assigned to it in clause (e) of sub-section (9) of section 286 of the Income-tax Act,1961 (43 of 1961).
“Know Your Client (KYC) Identifier” means the unique number or code assigned to a customer by the Central KYC Records Registry.
“Non-profit organisations” (NPO) means any entity or organisation, constituted for religious or charitable purposes referred to in clause (15) of section 2 of the Income-tax Act, 1961 (43 of 1961), that is registered as a trust or a society under the Societies Registration Act, 1860 or any similar State legislation or a company registered under Section 8 of the Companies Act, 2013 (18 of 2013).
“Officially Valid Document” (OVD) means the passport, the driving licence, proof of possession of Aadhaar number, the Voter’s Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an officer of the State Government and letter issued by the National Population Register containing details of name and address.

Provided that,

where the customer submits his proof of possession of Aadhaar number as an OVD, he may submit it in such form as are issued by the Unique Identification Authority of India.
where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:-

utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
property or Municipal tax receipt;
pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation;

the customer shall submit OVD with current address within a period of three months of submitting the documents specified at ‘b’ above
where the OVD presented by a foreign national does not contain the details of address, in such case the documents issued by the Government departments of foreign jurisdictions and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

Explanation: For the purpose of this clause, a document shall be deemed to be an OVD even if there is a change in the name subsequent to its issuance provided it is supported by a marriage certificate issued by the State Government or Gazette notification, indicating such a change of name. xv. “Offline verification” shall have the same meaning as assigned to it in clause (pa) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016). xvi. “Person” has the same meaning assigned in the Act and includes:

an individual,
a Hindu undivided family,
a company,
a firm,
an association of persons or a body of individuals, whether incorporated or not,
every artificial juridical person, not falling within any one of the above persons (a to e), and
any agency, office or branch owned or controlled by any of the above persons (a to f).

xvii. “Principal Officer” means an officer at the management level nominated by the RE, responsible for furnishing information as per rule 8 of the Rules. xviii. “Suspicious transaction” means a “transaction” as defined below, including an attempted transaction, whether or not made in cash, which, to a person acting in good faith:

gives rise to a reasonable ground of suspicion that it may involve proceeds of an offence specified in the Schedule to the Act, regardless of the value involved; or
appears to be made in circumstances of unusual or unjustified complexity; or
appears to not have economic rationale or bona-fide purpose; or
gives rise to a reasonable ground of suspicion that it may involve financing of the activities relating to terrorism.

Explanation: Transaction involving financing of the activities relating to terrorism includes transaction involving funds suspected to be linked or related to, or to be used for terrorism, terrorist acts or by a terrorist, terrorist organization or those who finance or are attempting to finance terrorism. xix. “Video based Customer Identification Process (V-CIP)”: an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the Company by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP for the purpose of this Master Direction. For the purpose of this KYC & AML policy, a “Customer” means a person as defined under the KYC guidelines issued by the Reserve Bank of India (and any amendment/changes incorporated from time to time), which are explained below;

A person or entity (includes individuals, companies, partnership firms, banks, mutual funds, Limited Liability Partnerships, unincorporated entities, trusts and or overseas corporate bodies and, its suppliers,vendors and consumers in any capacity, whether as an individual or otherwise as explained herein) that maintains an accountand or has a business relationship with the Company in respect of lending
One on whose behalf the account is maintained(i.e. the beneficial owner), of the above, said entities
Beneficiaries of transactions conducted by professional intermediaries such as Stockbrokers, Chartered Accountants, Solicitors etc. aspermittedunderthelaw
Any other person or entity connected with a financial transaction, which can pose significant reputational or other risks to the Company.

6. Customer Acceptance Policy (CAP) TCPL has formulated a robust CAP which aims to verify the identity and address of customers by using reliable, independent source documents, data or information. It will, however, be ensured that CAP does not lead to any customer harassment or leads to denial of financial service to customers. The guidelines in respect of the customer relationship are as follows:

No loan account will be opened, and / or money will be disbursed in a name which is anonymous or fictitious or appears to be a name borrowed only for opening the loan account i.e. Benami Account. The Company shall insist on sufficient proof about the identity of the customer to ensure his/her/its physical and legal existence at the time of accepting the application form from any customer
Accept customers only after verifying their identity, as laid down in Customer Identification Procedures.
Documentation requirements and other information to be collected, as per PMLA and RBI guidelines/instructions, to be complied with
Identity of a new customer to be checked so as to ensure that it does not match with any person with known criminal background
The Company will not give a loan to any applicant and shall close any existing loan where it is unable to apply appropriate customer due diligence measures i.e. where the Company is unable to verify the identity and/or obtain documents required as per the extant policies to the non-cooperation of the applicant/customer or non-reliability of the data/information furnished by such applicant/customer. The decision to close any existing loan account due to failure to meet CAP shall be taken the by Principal Officer
‘Optional’/additional information, will be obtained with the explicit consent of the customer.
The Company shall apply the CDD procedure at the Unique Customer Identification Code (UCIC) level. Thus, if an existing KYC compliant customer of the Company desires to open another account, there shall be no need for a fresh CDD exercise
The Company shall not open any account or give / sanction any loan or close an existing account where the Company is unable to apply appropriate due diligence measures arising due to any of the following circumstances:

The Company is unable to verify the identity of the customer
The customer without any valid or convincing reasons refuses to provide documents to the Company
Information furnished by the customer does not originate from the reliable sources or appears to be doubtful due to lack of supporting evidence.
Identity of the customer, directly or indirectly matches with any individual terrorist or prohibited / unlawful organizations, whether existing within the country or internationally, or if the customer or beneficiary is found, even remotely, to be associated with or affiliated to any illegal, prohibited or unlawful or terrorist organization as notified from time to time either by Govt. of India, State Govt. or any other national or international body / organization.

The Company may rely on third party verification subject to the conditions prescribed by Reserve Bank of India (RBI) in this regard.
The information collected from the customer shall be kept confidential.
Subject to the above-mentioned norms and caution, at the same time, the Company will also ensure that the above norms and safeguards do not result in any kind of harassment or inconvenience to bona fide and genuine customers who should not feel discouraged while dealing with the Company.

7. Risk Level Categorization The Company shall categorize its customers based on the risk perceived by the Company. The levels of categorization would be Low Risk, Medium Risk and High Risk. Risk categorization shall be undertaken based on parameters such as customer’s identity, social/financial status, nature of business activity, and information about the clients’ business and their location etc.
8. Customer Identification Procedure Customer identification means identifying the customer and verifying his/ her identity by using reliable, independent source documents, data or information. The Company needs to obtain sufficient information necessary to establish, to its satisfaction, the identity of each new customer, whether regular or occasional and the purpose of the intended nature of relationship. Being satisfied means that the Company must be able to satisfy the competent authorities that due diligence was observed in compliance with the extant guidelines in place. The Company will perform appropriate, specific and where necessary, Enhanced Due Diligence on its customers that is reasonably designed to know and verify the true identity of its customers and to detect and report instances of criminal activity, including money laundering or terrorist financing. The Customer Identification Procedure is to be carried out at different stages i.e.

While establishing an account-based relationship (or)
Carrying out a financial transaction (or)
Where the Company has a doubt about the authenticity/veracity (or)
Inadequacy of the previously obtained customer identification data if any.
When the Company feels it is necessary to obtain additional information from theexisting customers based on the conduct or behavior of the account.

For undertaking CDD, the list of documents that can be accepted as proof of identity and address from various customers across various products offered by the Company is given as Annexure I to this policy.
9. Customer Due Diligence Procedures for all customers The Company shall take reasonable measures to ascertain and verify the true identity of all customers. The Company shall ensure that relevant documents as listed in Annexure I are obtained from prospective individual customers in order to carry out the necessary due diligence for establishing their identity. For any corporates or other legal entities, the company will collect documents from the list given in Annexure II. If an existing KYC compliant customer desires to open another loan account, there is no need for submission of fresh proof of identity and/or proof of address for the purpose. However, if there is a change in the residential address of the customer, a self-declaration and new residential address proofs are taken before opening of the new account.
10. Risk Management The Company has put in place appropriate procedures to ensure effective implementation of KYC guidelines. The implementation procedure covers proper management oversight, systems and controls, segregation of duties, training and other related matters. The frontline staff members are aware that no loan accounts will be created unless the KYC procedures are adhered to completely. The Company, through its Internal Audit Team, will directly evaluate and ensure adherence to the KYC & AML policy and procedures, including legal and regulatory requirements. The Internal Audit department of the Company is tasked with checking the robustness of this Policy while carrying out their audits. Responsibility has also been explicitly allocated within the company for ensuring that the company’s policies and procedures are implemented effectively. The nature and extent of due diligence will depend on the risk perceived by the company. However, while preparing customer profile, frontline staff should take care to seek only such information from the customer which is relevant to the risk category and is not intrusive.
11. Enhanced Due Diligence The Company shall conduct Enhanced Due Diligence in connection with all customers or accounts that are determined to pose a potential high risk and are determined to warrant enhanced scrutiny. Enhanced Due Diligence shall be coordinated and performed by the Company, who may engage appropriate outside investigative services or consult appropriate vendors, when necessary. Business vertical shall establish procedures to decline to do business with or discontinue relationships with any customer when the Company cannot adequately complete necessary Enhanced Due Diligence or when the information received is deemed to have a significant adverse impact on reputational risk. The following are the indicative list where the risk perception of a customer may be considered higher:

Customers requesting for frequent change of address/contact details
Sudden change in the loan account activity of the customers
Frequent closure and opening of loan accounts by the customers

12. Cash Transaction Reports (CTR) All individual cash transactions in an account during a calendar month, where either debits or credit summation, computed separately, exceeding Rupees Ten Lakhs or its equivalent in foreign currency, during the month should be reported to FIU-IND. However, while filing CTR, details of individual cash transactions below Rupees Fifty Thousand may not be indicated. The Principal Officer should ensure submission of CTR for every month to FIU-IND before 15th of the succeeding month. CTR should contain only the transactions carried out by the Company on behalf of their clients/customers excluding transactions between the internal accounts of the Company.
13. Money Laundering and Terrorist Financing Risk Assessment The Company will carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise annually to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for clients, geographic areas, products, services, transactions or delivery channels, etc. The internal risk assessment carried out by the Company should commensurate to its size, geographical presence, complexity of activities/structure, etc. and shall apply a Risk Based Approach for mitigation and management of the identified risks. Respective businesses shall have standard operating procedures for identification, mitigation, controls and procedures for management of the identified risk, if any. The risk assessment processes shall be reviewed annually to ensure its robustness and effectiveness. The outcome of the exercise shall be put up to the Risk Management Committee of the Board or the CEO, in the absence of the Risk Management Committee and should be available to competent authorities and self-regulating bodies.
14. Updation / Periodic Updation of KYC Updation of KYC shall be done at least every two years for high risk customers, every eight years for medium risk customers and every ten years for low risk customers from the date of opening of account/ last KYC updation. The company shall obtain self-declaration from Individual customers and non- Individual customers incase of no change in their KYC details. However, in case of change in address of individual customer a self-declaration of such change and proof of new address to be obtained and the declared address shall be verified through positive confirmation within two months, by means such as address verification letter, contact point verification, deliverables etc. In case of change in KYC information of non-individual customer, the Company shall undertake a KYC process which shall be equivalent to on-boarding a new customer.
15. Record Keeping Maintenance of records of transactions: the Company has a system of maintaining proper record of transactions prescribed Section 12 of the PMLA read with Rule 3 of the Prevention of Money Laundering Rules, 2005 (PML Rules) as mentioned below:

All cash transactions of the value of more than Rupees Ten Lakhs (Rs. 10,00,000/) or its equivalent in foreign currency, though by policy the Company neither accepts cash deposits nor transactions in foreign currency.
All series of cash transactions integrally connected to each other which have been valued below Rs. 10,00,000/- (Rupees Ten Lakhs) or its equivalent in foreign currency where such series of transactions have taken place within a month.
All transactions involving receipts by non-profit organizations of Rs. 10,00,000/- (Rupees Ten Lakhs) or its equivalent in foreign currency.
All cash transactions, where forged or counterfeit currency notes or bank notes have been used as genuine and where any forgery of a valuable security has taken place; any such transactions.
All suspicious transactions whether or not made in cash and in manner as mentioned in the PML Rules framed by the Government of India under PMLA. An illustrative list of suspicious transaction pertaining to financial services is given in

Annexure III. Records to contain the specified information: The Records referred to above in Rule 3 of PML Rules to contain the following information:

The nature of the transactions;
The amount of the transaction and the currency in which it was denominated;
The date on which the transaction was conducted;
The parties to the transaction.

Maintenance and preservation of records: The following steps shall be taken regarding maintenance, preservation and reporting of customer account information, with reference to provisions of PML Act and Rules:

maintain all necessary records of transactions between the Company and the customer, for at least five years from the date of transaction;
preserve the records pertaining to the identification of the customers and their addresses obtained during the course of business relationship, for at least five years after the business relationship is ended;
The above records shall be maintained either in hard or soft format and shall be made available to the competent authorities upon request;

16. Obligations under UAPA In terms of Section 51A of the Unlawful Activities (Prevention) (UAPA) Act, 1967 and amendments thereto, the Company shall ensure that it does not have any account in the name of individuals/entities appearing in the lists of individuals and entities, suspected of having terrorist links, which are approved by and periodically circulated by the United Nations Security Council (UNSC). The details of the two lists as available under the below links:

The “ISIL (Da’esh) &Al-Qaida Sanctions List”, established and maintained pursuant to Security Council resolutions 1267/1989/2253, which includes names of individuals and entities associated with the Al-Qaida is available at https://scsanctions.un.org/ohz5jen-alqaida.html
The “Taliban Sanctions List”, established and maintained pursuant to Security Council resolution 1988 (2011), which includes names of individuals and entities associated with the Taliban is available at https://scsanctions.un.org/3ppp1en-taliban.htm Details of accounts resembling any of the individuals/entities in the list shall be reported to FIU-IND apart from advising Ministry of Home Affairs as required under UAPA notification dated February 02, 2021.

The Company shall ensure verification every day w.r.t., the ‘UNSCR 1718 Sanctions List of Designated Individuals and Entities’, as available at https://www.mea.gov.in/Implementation-of- UNSC-Sanctions-DPRK.htm to take into account any modifications to the list by way of additions, deletions or other changes and also ensure compliance with the ‘Implementation of Security Council Resolution on Democratic People’s Republic of Korea Order, 2017’, as amended from time to time by the Central Government.
17. Appointment of Designated Director s Principal Officer Mr Pramod Marar, Director and CEO of the company, has been appointed as “Designated Director” and Ms Neelam Chaurasiya as the ‘Principal Officer’ in compliance with of the Prevention of Money laundering (Amendment) Act, 2012 in terms of RBI Circular No. DNBS (PD) CC.No. 378/03. 10.42/ 2012-13 dated May 29, 2014.
18. Reporting of information with the FIU-IND The Principal Officer will report information relating to cash and suspicious transactions if detected, to the Director, Financial Intelligence Unit-India (FIU-IND) as advised in terms of the PMLA rules, in the prescribed formats as designed and circulated by RBI. The employees of the Company shall maintain strict confidentiality of the fact of furnishing/ reporting details of suspicious transactions.
19. Secrecy Obligations and Sharing of Information

The Company shall maintain secrecy regarding the customer information which arises out of the contractual relationship between the Company and customer.
Information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer.
While considering the requests for data/information from Government and other agencies, the Company shall satisfy themselves that the information being sought is not of such a nature as will violate the provisions of the laws relating to secrecy in the transactions.
The exceptions to the said rule shall be as under:

Where disclosure is under compulsion of law
Where there is a duty to the public to disclose,
the interest of the Company requires disclosure and
Where the disclosure is made with the express or implied consent of the customer.

20. CDD Procedure and sharing KYC information with CKYCR The Company shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, RBI Direction issued from time to time, as required by the KYC templates prepared for ‘individuals’ and ‘Legal Entities’ as the case may be. Customer Education The Company may regularly educate the customer of the objectives of the KYC program. The Company on an ongoing basis will educate all its employees and the new joiners on the elements of KYC through training programs/e-mail. Hiring & Training of Employees: The Company should have adequate screening mechanism as an integral part of their personnel recruitment/ hiring process. As part of induction process, employees of the Company are trained in KYC guidelines through training module. The Company shall endeavor to ensure that the staff dealing with / being deployed for KYC/AML/CFT matters have:

high integrity and ethical standards,
sound understanding of extant KYC/AML/CFT standards,
effective communication skills and ability to keep up with the changing

KYC/AML/CFT landscape, nationally and internationally. The Company shall also strive to develop an environment which fosters open communication and high integrity amongst the staff updation and modifications, if any, in the guidelines are also cascaded to the entire team to keep them abreast of the changes. On-going employee training shall be provided to the employees to adequately train them in AML / CFT and KYC procedures, related policies, regulations and issues.
21. Assessment and Review The Company shall also undertake periodic assessment (atleast once annually) of KYC/AML policies and procedures to ensure that all units involved in KYC and AML processes continue to function effectively.

22. Annexure I – KYC documents to be verified for Individual customers

Proof of identity/existence

Voter ID
Passport
Driving License
Scheduled Bank passbook with applicant’s photograph on the same, duly attested by bank officials (Account should be active)
Letter issued by the Mandal Officer/Revenue Officer/Village Administrative Officer
KYC documents’ photocopies only need to be taken (Originals not required)
KYC documents must be self-attested by applicant and co-applicant respectively

Address proof

Voter ID
UID
Driving License
Passport
Electricity, Telephone, Water bills (not older than 90 days)
Other Utility Bills (not older than 90 days)
Life Insurance Policy or latest Premium receipt
Rent agreement
Consumer Gas Connection Card/Book
House Allotment letter from Government organizations
Bank statements / Passbook cover page with address mentioned
Photocopies of documents should be self-attested by the respective person

Frontline staff member should ensure that the address mentioned is matching with the current address of customer. If customer is living in a rented house, then ensure the proof is of their permanent address.

23. ANNEXURE II – KYC documents to be verified for Corporate Customers For opening an account of a company, certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained:

Certificate of incorporation
Memorandum and Articles of Association
Permanent Account Number of the company
A resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf
Documents, as specified in Section 16 of the Rules, relating to beneficial owner, the managers, officers or employees, as the case may be, holding an attorney to transact on the company’s behalf
the names of the relevant persons holding senior management position; and
the registered office and the principal place of its business, if these two are

For opening an account of a partnership firm, certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained:

Registration certificate
Partnership deed
Permanent Account Number of the partnership firm
Documents, as specified in Section 16 of the Rules, relating to beneficial owner, the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf
the names of all the partners and
the registered office and the principal place of its business, if these two are

For opening an account of a Trust, certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained:

Registration certificate
Trust deed
Permanent Account Number or Form 60, in the name of the Trust
Documents, as specified in Section 16 of the Rules, relating to beneficial owner, the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf
the names of all the partners and
the registered office and the principal place of its business, if these two are

For opening an account of an unincorporated association or a body of individuals, certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained:

Resolution of the managing body of such association or body of individuals
Power of attorney granted to transact on its behalf
Permanent Account Number or Form 60, in the name of the Trust
Documents, as specified in Section 16 of the Rules, relating to beneficial owner, the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf
Such information as may be required by the Company to collectively establish the legal existence of such an association or body of individuals.

24. Annexure III- Illustrative List; Of Suspicious Transaction Linked To Financial Services Broad Categories of Suspicious Transactions for Non-Banking Financial Companies

Identity of Client:
1. False identification documents
2. Identification documents which could not be verified within reasonable time
3. Accounts opened with names very close to other established business entities
Background of Client:Suspicious background or links with known criminals.
Multiple Accounts:
1. Large number of accounts having a common account holder, introducer or authorized signatory with no rationale
2. Unexplained transfers between multiple accounts with no rationale
Activity in Accounts:
1. Unusual activity compared with past transactions – Sudden activity in dormant accounts
2. Activity inconsistent with what would be expected from declared business
Nature of Transactions:
1. Unusual or unjustified complexity
2. No economic rationale or bonafide purpose
3. Frequent purchases of drafts or other negotiable instruments with cash
4. Nature of transactions inconsistent with what would be expected from declared business
Value of Transactions:
1. Value just under the reporting threshold amount in an apparent attempt to avoid reporting
2. Value inconsistent with the client’s apparent financial standing
Illustrative List of Suspicious Transactions:
1. Reluctance to part with information, data and documents
2. Submission of false documents, purpose of loan and detail of accounts
3. Reluctance to furnish details of source of funds of initial contribution
4. Reluctance to meet in person, representing through power of attorney
5. Approaching a distant branch away from own address
6. Maintaining multiple accounts without explanation
7. Payment of initial contribution through unrelated third-party account
8. Suggesting dubious means for sanction of loan
9. Where transactions do not make economic sense
10. Where doubts exist about beneficial ownership
11. Encashment of loan through a fictitious bank account
12. Sale consideration quoted higher or lower than prevailing area prices
13. Request for payment in favor of third party with no relation to transaction
14. Usage of loan amount for purposes other than stipulated in connivance with vendors or agent
15. Multiple funding involving NGO, Charitable organization, small and medium establishments, self-help groups, micro finance groups, etc.
16. Frequent request for change of address
17. Over-payment of installments with a request to refund the overpaid

Pricing Policy

INTRODUCTION

As per the Master Direction – Non-Banking Financial Company – Systemically Important Non Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016, dated September 1, 2016 and amended by RBI vide circular RBI/2023-24/55 DOR.MCS.REC/32/01.01.003/2023-24 dated Aug 18, 2023 on Guidelines pertaining to Fair Practice Code for reset of floating interest rate on EMI based Personal Loans and as updated from time to time, all the NBFCs shall adopt an interest rate model taking into account relevant factors such as cost of funds, margin and risk premium and determine the rate of interest charged for loans and advances. The rate of interest and the approach for gradations of risk and rationale for charging different rate of interest to different categories of borrowers shall be disclosed to the borrower or customer in the application form and communicated explicitly in the sanction letter.

Keeping view of the RBI Guidelines as cited above, the following internal guiding principles and interest rate model are therefore laid out by the board of Tapfin Capital Private Limited (“TCPL” or “The Company”). This policy should always be read in conjunction with RBI guidelines, directives, circulars and instructions. The Company will apply the best industry practices so long as such practice does not conflict with or violate RBI guidelines.

The rates of interest and the approach for gradation of risks shall also be made available on the website of the company or published in the relevant newspapers. The information published in the website or otherwise published shall be updated as and when there is a change in the rates of interest.

OBJECTIVE OF THE POLICY

To determine the benchmark rates to be used for arriving at the final rate to be charged to the borrowers/ customers for various products financed by the company.

DEFINITIONS

The definitions for the purpose of this policy as given as below:

“Tapcap Reference Rate” means the rate which is referred by the Company in the loan/credit facility agreements for arriving at the final interest rate to be charged to the borrower.

“Spread” means the risk premium which is applied for arriving at the final interest rate charged to the borrower.

“Floating Rate of Interest” means the sum of the Tapcap Reference Rate and Spread applied by the Company to the Loan/Credit Facility granted by the Company to the Borrower, as may be decided by the Company from time to time, pursuant to the terms of Loan / Credit Facility Agreement.

PRINCIPLES AND PROCEDURES FOR CHARGING SPREADS

The rate of interest for loans for various business segments and various schemes thereunder is arrived after adjusting for spread by the relevant business segment. Factors taken into account by businesses for calculating spreads are as follows:

Interest rate risk (fixed vs floating loan)
Credit and default risk in the related business segment
Historical performance of similar homogeneous clients
Profile of the borrower
Industry segment
Repayment track record of the borrower
Secured Vs unsecured loan
Nature and value of collateral security
Ticket size of loan
Bureau Score
Tenor of Loan
Location delinquency and collection performance
Customer Indebtness (other existing loans)

The rate of interest for the same product and tenor availed during same period by different customers need not to be standardized. It could vary for different customers depending upon consideration of any or combination of above factors.

ESTABLISHING INTEREST RATE MODEL

The Company may charge a different rate of interest for the same product and tenor availed during the same period by different customers, depending upon considerations of any or combination of a few or all factors listed out in the The rate of interest to be charged for loans and advances will be in the range of 12% -36% p.a.
Depending upon various products financed by the Company, the company lends money through both fixed and floating rate For loan tenors > 3 years the company will endeavor to offer Floating rate of interest to customers. Details of various products and nature of interest rates offered by the Company are as under:

Product Segment	Nature
Unsecured Business Loans	Fixed
Term Loan	Fixed
Secured Business Loan	Floating / Fixed
Supply Chain Finance	Fixed

The rate of interest shall be arrived at after taking into account relevant factors, such as cost of funds, margin and risk premium, including the following:
- Cost of funds: The rate of interest charged will be determined depending on the rate at which funds necessary to provide loan facilities to customers are sourced by the Company, normally referred to as internal cost of funds.
- Probability of Default (Risk Premium) — Interest rate offered to customers will be basis the risk premium associated with such similar pool of borrowers.
- Expected ROA: Expected Return on assets is the minimum return expected by the company on its income earning assets.
- Estimated Opex: It includes estimated fixed and variable operations cost including employee expenses, administration expenses, sales and marketing expenses etc.
The Interest rates shall be intimated to the customers at the time of sanction/ availing of the loan and the equated installments apportionment towards interest and principal dues shall be made available to the customer. Changes in the interest rate and other charges will take effect prospectively and such changes will be intimated to the customers in the manner as may be decided by the Company.

The business team shall have the authority to fix their internal pricing under the overall framework of this policy for deciding the spreads to arrive at final rate to be charged to the

PROCESSING FEES AND OTHER CHARGES

Processing fees represent the general costs incurred in rendering the services to the
The processing fees and other charges charged to the customers will be clearly stated in the loan
The fees/charges will vary based on the loan product, exposure limit, customer segment, and geographical location.
Other financial charges include origination fees, cheque bouncing charges, late payment charges, reschedulement charges, pre-payment / foreclosure charges, part disbursement charges, cheque swap charges, security swap charges, charges for issue of statement account etc., and these would be levied by the company wherever considered necessary.
Besides these charges, stamp duty, service tax and other cess would be collected at applicable rates from time to time.
Any changes in the processing fees / other charges will be taken into effect

PENAL INTEREST AND LATE PAYMENT CHARGES

In case of any delay or default in repayment of dues, the Company may collect penal interest / late payment charges from its customers.
The penal interest/late payment charges shall be decided by the Company from time to time and communicated to the customers in the sanction letters and loan A list of such charges will also be hosted on the Company’s website.

RATE RESET PROVISION FOR FLOATING RATE OF INTEREST

In case of floating rate of interest, the interest rate would be reviewed and reset on quarterly basis, subject to the approval from the Board or the Asset Liability Committee (ALCO), when it’s in place.

PROVISIONS

At the time of sanction, Company shall clearly communicate to the borrowers about the possible impact of change in benchmark interest rate on the loan leading to changes in EMI and/or tenor or both. Subsequently, any increase in the EMI/ tenor or both on account of the above shall be communicated to the borrower immediately through appropriate channels.
At the time of reset of interest rates, the Company shall provide the option to the borrowers to switch over to a fixed rate.
The borrower shall be allowed to switch over to a fixed rate for such maximum number of requests during the tenor of the loan as decided by the Board (or the ALCO, when it’s in place) depending on the maturity of the liabilities & specific applicable products.

The borrowers shall also be given the choice to opt for:
enhancement in EMI or elongation of tenor or for a combination of both options; and,
to prepay, either in part or in full, at any point during the tenor of the Levy of foreclosure charges/ pre-payment penalty shall be subject to extant instructions.
All applicable charges for switching of loans from floating to fixed rate and any other service charges/ administrative costs incidental to the exercise of the above options shall be transparently disclosed in the sanction letter and at the time of revision of such charges/ costs by the Company from time to time.
Company shall ensure that elongation of tenor in case of floating rate loan does not result in negative amortisation.
Company will share Statement of Account / any other document on a quarterly basis which will be covering the following details such as:
Repayments made till date (Principal & Interest),
EMI Amount & Nos of EMIs left,
Annualized ROI / Annual Percentage rate (APR) for the entire tenor of the loan The Statement / document will be in a simple manner and easy to
Apart from the equated monthly instalment loans, these principles would also apply, mutatis mutandis, to all equated instalment-based loans of different periodicities. In case of loans linked to an external benchmark under the External Benchmark Lending Rate (EBLR) regime, the Company shall follow extant instructions and also put in place adequate information systems to monitor transmission of changes in the benchmark rate to the lending rate.

AMENDMENTS TO THE PRICING POLICY
- The Policy shall be reviewed at such intervals as the Company may deem necessary unless statutorily otherwise required. Any other regulatory changes in this regard will stand updated in the policy from time to time.
- The Company shall abide by this Pricing Policy following the spirit of the same and in the manner, it may be applicable to its business.

Policy on Anti-Corruption and Bribery

Introduction

Tapfin Capital Private Limited, referred to as “Company” or “We” or “Us” or “Our”, is engaged in the business of loan provider services as defined under the RBI Guidelines.

The Anti-Bribery and Corruption (AB&C) policy exists to set out the responsibilities of the Company and its employees in regard to observing and upholding our zero-tolerance position on bribery and corruption.

Policy Statement

The Company is committed to conducting business in an ethical and honest manner and is committed to implementing and enforcing systems that ensure bribery is prevented. The Company has zero tolerance for bribery and corrupt activities. We are committed to acting professionally, fairly, and with integrity in all business dealings and relationships, wherever in the country we operate.

The Company will constantly uphold all laws relating to anti-bribery and corruption in all the jurisdictions in which we operate. We recognize that bribery and corruption are punishable by imprisonment and/or a penalty. If our company is discovered to have taken part in corrupt activities, we may face serious damage to our reputation. It is with this in mind that we commit to prevent bribery and corruption in our business and take our legal responsibilities seriously.

Who is covered by the policy?

This policy applies to all employees (whether temporary, fixed-term, or permanent), consultants, contractors, trainees, seconded staff, home workers, casual workers, agency staff, volunteers, interns, agents, sponsors, or any other person or persons associated with us (including third parties), or any of our subsidiaries or their employees, no matter where they are located (within or outside of India). The policy also applies to Officers, Trustees, Board, and/or Committee members at any level.

In the context of this policy, third-party refers to any individual or organization that the Company enters into a contractual agreement with. It refers to suppliers, distributors, business contacts, agents, advisers, potential and existing investors and government and public bodies.

Definition of bribery

Bribery refers to the act of offering, giving, promising, asking, agreeing, receiving, accepting, or soliciting something of value or of an advantage so to induce or influence an action or decision.

A bribe refers to any inducement, reward, or object/item of value offered to another individual in order to gain commercial, contractual, regulatory, or personal advantage. Bribery is not limited to the act of offering a bribe. If an individual is on receiving end of a bribe and they accept it, they are also breaking the law.

Bribery is illegal. Employees must not engage in any form of bribery, whether it be directly, passively (as described above), or through a third party (such as an agent or distributor). They must not bribe a public official anywhere in the world. They must not accept bribes in any degree and if they are uncertain about whether something is a bribe or a gift or act of hospitality, they must seek further advice from the Compliance Officer/Chief Executive Officer.

What is and what is NOT acceptable

a. Gifts and hospitality

The Company accepts normal and appropriate gestures of hospitality and goodwill (whether given to/received from customers and third parties) so long as the giving or receiving of gifts meets the following requirements:

It is not made with the intention of influencing the party to whom it is being given, to obtain or reward the retention of a business or a business advantage, or as an explicit or implicit exchange for favors or
It is not made with the suggestion that a return favor is

It is in compliance with local

It is given in the name of the company, not in an individual’s
It does not include cash or a cash equivalent (e.g. a voucher or gift certificate).
It is appropriate for the circumstances (e.g. giving small gifts around Diwali or Christmas or as a small thank you to a company for helping with a large project upon completion).

It is of an appropriate type and value and given at an appropriate time, taking into account the reason for the gift.
It is given/received openly, not

It is not selectively given to a key, influential person, clearly with the intention of directly influencing
It is not above a certain excessive value, as pre-determined by the Company (currently this amount cannot be in excess of INR 2,500 (Rs Two thousand and five hundred only). Deviations to be covered in the detailed SOP on the subject.
It is not offered to, or accepted from, a government official or representative or politician or political party, without the prior approval of the designated Compliance Officer/Chief Executive Officer of the

Where it is inappropriate to decline the offer of a gift (i.e. when meeting with an individual of a certain religion/culture who may take offence), the gift may be accepted so long as it is within the defined thresholds and declared in line with the procedures established by the Company. The Company recognizes that the practice of giving and receiving business gifts varies between regions, cultures, and religions, so definitions of what is acceptable and not acceptable will inevitably differ for each.

All gifts given and received should always be disclosed in line with the procedures defined by the Company. Gifts from suppliers should always be disclosed and recorded in the Gifts/Hospitality Register. The intention behind a gift being given/received should always be considered. If there is any uncertainty, advice should be sought in line with the procedures defined by the Company.

b. Facilitation Payments and Kickbacks

The Company does not accept and will not make any form of facilitation payments of any nature. We recognise that facilitation payments are a form of bribery that involves expediting or facilitating the performance of a public official for routine governmental action. We recognize that they tend to be made by low level officials with the intention of securing or speeding up the performance of a certain duty or action.

The Company does not allow kickbacks to be made or accepted. We recognize that kickbacks are typically

made in exchange for a business favour or advantage. The Company recognises that, despite our strict policy on facilitation payments and kickbacks, employees may face a situation where avoiding a facilitation payment or kickback may put their/their family’s personal security at risk. Under these circumstances, the employee should immediately report this incident to the Compliance Officer/Chief Executive Officer for further guidance and action.

c. Political Contributions

The Company will not make donations, whether in cash, kind, or by any other means, to support any political parties or candidates. We recognize this may be perceived as an attempt to gain an improper business advantage.

d. Charitable Contributions

The Company accepts (and indeed encourages) the act of donating to charities – whether through services, knowledge, time, or direct financial contributions (cash or otherwise) – and agrees to disclose all charitable contributions it makes.

We will ensure that all charitable donations made by the Company are legal and ethical under local laws and practices, and those donations are offered/made only in line with the defined procedures of the Company and the approval of the Compliance Officer/Chief Executive Officer.

Employees must be careful to ensure that charitable contributions are not used to facilitate and conceal acts of bribery.

Employee Responsibilities

As an employee of the Company, you must ensure that you read, understand, and comply with the information contained within this policy, and with any training or other anti- bribery and corruption information you are given.

All employees and those under our control are equally responsible for the prevention, detection, and reporting of bribery and other forms of corruption. They are required to avoid any activities that could lead to, or imply, a breach of this AB&C policy.

If you have reason to believe or suspect that an instance of bribery or corruption has occurred or will occur in the future that breaches this policy, you must notify the Compliance Officer/Chief Executive Officer or escalate the matter by writing to confidential@gogreencapital.in

If any employee breaches this policy, they will face disciplinary action and could face dismissal for gross misconduct. The Company has the right to terminate a contractual relationship with an employee if they breach this AB&C policy.

What happens if I need to raise a concern?

a. How to raise a concern

If you suspect that there is an instance of bribery or corrupt activities occurring in relation to the Company, you are encouraged to raise your concerns at as early a stage as possible. If you’re uncertain about whether a certain action or behavior can be considered bribery or corruption, you should speak to your line manager or the Compliance Officer/Chief Executive Officer. You may also write to confidential@gogreencapital.in

The Company will familiarize all employees with its whistleblowing procedures so employees can vocalize their concerns swiftly and confidentially.

b. What to do if you are a victim of bribery or corruption

You must inform your line manager and the Compliance Officer/Chief Executive Officer as soon as possible and follow procedures established by the Company, if you are offered a bribe by anyone, if you are asked to make one, if you suspect that you may be bribed or asked to make a bribe in the near future, or if you have reason to believe that you are a victim of another corrupt activity.

c. Protection

If you refuse to accept or offer a bribe or you report a concern relating to potential act(s) of bribery or corruption, the Company understands that you may feel worried about potential repercussions. The Company will support anyone who raises concerns in good faith under this policy, even if the investigation finds that they were mistaken.

The Company will ensure that no one suffers any detrimental treatment as a result of refusing to accept or offer a bribe or other corrupt activities or because they reported a concern relating to potential act(s) of bribery or corruption.

Detrimental treatment refers to dismissal, disciplinary action, treats, or unfavorable treatment in relation to the concern the individual raised.

If you have reason to believe you’ve been subjected to unjust treatment as a result of a concern or refusal to accept a bribe, you should inform your line manager or the Compliance Officer/Chief Executive Officer immediately.

Record keeping

The Company will keep detailed and accurate financial records and will have appropriate internal controls in place to act as evidence for all payments made. We will declare and keep a written record of the amount and reason for hospitality or gifts accepted and given and understand that gifts and acts of hospitality are subject to managerial review.

Policy on Related Party Transactions

1. Regulatory Framework & Background

Tapfin Capital Private Limited (“Company”) recognizes that related party transactions may have potential or actual conflicts of interest and may raise questions whether such transactions are consistent with the Company’s and its shareholders’ best interest and in compliance to the provisions of the Companies Act, 2013 (“Act”) and Master Direction – Non Banking Financial Company – Systemically Important Non- Deposit Taking Company and Deposit Taking Company (Reserve Bank) Directions, 2016 (“Directions”).

Amendments, from time to time, to the Policy, if any, shall be considered by the Board of Directors of the Company based on the recommendations of the Audit Committee, and till the time the Audit Committee is not in place, by the CEO of the company.

This Policy applies to transactions between the Company and one or more of its Related Parties. It provides a framework for governance and reporting of Related Party Transactions including material transactions.

2. Definitions

All words and expressions used herein, unless defined herein, shall have the same meaning as respectively assigned to them under the Act and Rules framed thereunder or any other applicable law, as amended, from time to time.

2.1. “Arm’s Length Transaction” means a transaction between two Related Parties that is conducted as if they were unrelated, so that there is no conflict of interest.

2.2. “Associate Company” in relation to another company, means a company in which that other company has a significant influence, but which is not a subsidiary company of the company having such influence and includes a joint venture company.

It is hereby clarified as follows:

a) the expression “significant influence” means control of at least 20% of total voting power, or control of or participation in business decisions under an agreement;
b) the expression “joint venture” means a joint arrangement whereby the parties that have joint control of the arrangement have rights to the net assets of the arrangement.

2.3. “Board of Directors” or “Board” in relation to a Company, means the collective body of Directors of the Company (Section 2(10) of the Companies Act, 2013)

2.4. “Holding Company” shall mean Tapsys Private Limited.

2.5. “Key Managerial Personnel” in relation to the Company, means—

(i) the Chief Executive Officer or the Managing Director or the Manager;
(ii) the Company Secretary;
(iii) the Whole-Time Director;
(iv) the Chief Financial Officer;
(v) such other officer, not more than one level below the directors who is in whole-time employment, designated as key managerial personnel by the Board as per articles of association of the Company;

(vi) such other officer as may be prescribed.

2.6. “Material Related Party Transaction” means transactions, with Related Parties, of following nature that are either not in the ordinary course of business or not on an arm’s length basis:

(i) sale, purchase or supply of any goods or materials, directly or through appointment of agent, amounting to 10% or more of the turnover of the Company or Rs. 1 crore, whichever is lower;
(ii) selling or otherwise disposing of, or buying, property of any kind directly or through appointment of agent, amounting to 10% or more of the net worth of the Company or Rs. 1 crore, whichever is lower;
(iii) leasing of property of any kind amounting to 10% or more of the net worth of the Company or 10% or more of the turnover of the Company or Rs. 1 crore, whichever is lower;
(iv) availing or rendering of any services directly or through appointment of agent, amounting to 10% or more of the turnover of the company or Rs. 1 crore, whichever is lower;

It is hereby clarified that the limits specified in sub-clause (i) to (iv) shall apply for transaction or transactions to be entered into either individually or taken together with the previous transactions during a financial year.

(v) such related party’s appointment to any office or place of profit in the company, its subsidiary company or associate company at a monthly remuneration exceeding Rs. 2,50,000/-; and
(vi) remuneration for underwriting the subscription of any securities or derivatives thereof, of the company exceeding 1% of the net worth.

It is hereby clarified as follows:

a) the expression “turnover” means the gross amount of revenue recognized in the profit and loss account from the sale, supply, or distribution of goods or on account of services rendered, or both, by a company during a financial year.
b) The expression “net worth” means the aggregate value of the paid-up share capital and all reserves created out of the profits and securities premium account and debit or credit balance of profit and loss account, after deducting the aggregate value of the accumulated losses, deferred expenditure and miscellaneous expenditure not written off, as per the audited balance sheet, but does not include reserves created out of revaluation of assets, write-back of depreciation and amalgamation.
c) The turnover or net worth referred in the above sub-rules shall be computed on the basis of the audited financial statement of the preceding financial year.

2.7. “Ordinary Course of Business” means transaction will be considered in ordinary course if they are germane to attainment of the main objects as set out in its Memorandum of Association, or is an activity generally undertaken by a non-banking financial company or is such other activity as may be permitted, from time to time by the Reserve Bank of India and includes the following transactions:

(i) Availing loan for the purpose of onward lending or general corporate purposes and payment of interest and other expenses thereof;
(ii) Granting working capital loan, whether by way of term loan or otherwise, and receipt of principal,

interest and other charges thereon;
(iii) Payment of license fee towards the use of software(s) and/or platform for the purpose of its operations; and royalty towards the usage of trademarks;
(iv) Payment of commission and/or referral bonus to channel partners of the Company for referring customers to the Company;
(v) Payment of salary, fee, commission, and incurrence of other expense required for availing the services required for day-to-day operations of the Company; and
(vi) Reimbursement of expenses received from or given to the holding company of the Company pursuant to common sharing expenses arrangement between the Company and the holding company.

2.8. “Policy” means this Policy, as amended from time to time.

2.9. “Related Party” means related party as defined under Section 2(76) of the Act.

2.10. “Related Party Transaction(s)” or “RPT” means a contract or arrangement with a Related Party as provided under the Act and the Rules made thereunder, as amended from time to time.

2.11. “Relative” means relative as defined under Section 2(77) the Companies Act, 2013 and includes anyone who is related to another, if

(i) They are members of a Hindu undivided family;
(ii) They are husband and wife; or
(iii) Father (including step-father)
(iv) Mother (including step-mother)
(v) Son (including step-son)
(vi) Son’s wife
(vii) Daughter
(viii) Daughter’s husband
(ix) Brother (including step-brother)
(x) Sister (including step-sister)

3. Objectives

This Policy is intended to ensure due and timely identification, approval, disclosure and reporting of transactions between the Company and any of its Related Parties in compliance with the applicable laws and regulations as may be amended from time to time.
The provisions of this Policy are designed to govern the approval process and disclosure requirements to ensure transparency in the conduct of Related Party Transactions in the best interest of the Company and its shareholders and to comply with the statutory provisions in this regard.

4. Identification of Related Parties & Transactions

The following process shall be followed to ensure all related parties are identified in order to obtain the requisite

approvals for any transaction with such related parties:

4.1. Every Director & Key Managerial Personnel shall at the first meeting of the Board in which he/she participates as a director/KMP or whenever there is any change in the disclosures already made, then at the first Board meeting held after such change, disclose his concern or interest in any company or companies or bodies corporate, firms, or other association of individuals, including his shareholding, shall furnish Form MBP–1 “Notice of Interest by Director” pursuant to Section 184(1) and Rule 9 of the Companies (Meeting of Board and its Powers) Rules, 2014 and also declare whether the Board of Directors, managing director or manager of any other body corporate is accustomed to act in accordance with his/her advice, directions or instructions (given otherwise than in a professional capacity).

4.2. Every Director and the Key Managerial Personnel will also be responsible to update the Company Secretary of any changes in the above relationships, directorships, holdings, interests and/or controls immediately on him/her becoming aware of such changes.

4.3. Every Director, Key Managerial Personnel, Functional / Business heads / Chief Financial Officer will be responsible for providing prior Notice to the Company Secretary of any potential Related Party Transaction. They will also be responsible for providing additional information about the transaction that the Board / Committee may request, for being placed before the Committee and the Board in Annexure 1.

4.4. Any transaction by the Company with a Related Party will be regulated as per this Policy.

4.5. The Company Secretary shall be responsible to maintain an updated database of information pertaining to Related Parties reflecting details of-
(i) All Directors and Key Managerial Personnel;
(ii) All individuals, partnership firms, Companies and other persons as declared and updated by Directors and Key Managerial Personnel;
(iii) Company’s holding Company, subsidiary Companies and associate Companies, if any;
(iv) Subsidiaries of holding Company, if any;
(v) Director or Key Managerial Personnel of the holding Company or their Relatives, if any; and
(vi) Any other entity which is a Related Party as defined under Section2(76) of the Companies Act, 2013.

The database shall be updated whenever necessary and shall be reviewed at least once a year jointly by the Company Secretary, Compliance Officer and Chief Financial Officer.

4.6. The functional/business heads; Chief Financial Officer; Company Secretary shall have access to the updated database.

5. Review and Approval of Related Party Transactions

5.1. Audit Committee

All the transactions which are identified as RPTs should be pre-approved by the Audit Committee before entering into such transaction whether at a meeting or by resolution by circulation or through electronic mode even if the transaction and/or subsequent modifications thereto is in the ordinary course of business and at arm’s length price.
Related Party Transactions that are not in ordinary course of business but on arm’s length basis cannot be entered into by the Company unless approved by Audit Committee. Where such Related Party Transactions fall under Section 188 (1) of the Act, the Audit Committee shall recommend the transaction for approval of the Board.
While considering any transaction, the Committee shall take into account all relevant facts and circumstances including the terms of the transaction, the business purpose of the transaction, the benefits to the Company and to the Related Party, and any other relevant matters.
The Audit Committee may also grant omnibus approval for related party transactions which are repetitive in nature and subject to such criteria/conditions as mentioned under the provisions of the Companies Act, 2013 and such other conditions as it may consider necessary in line with this Policy and in the interest of the Company. Such omnibus approval shall be valid for a period not exceeding one year and shall require fresh approval after the expiry of one year. The omnibus approval shall specify:

(i) The name(s) of the related party, nature of transaction, period of transaction, maximum amount of transactions that shall be entered into; and
(ii) The indicative base price / current contracted price and the formula for variation in the price if any.
(iii) Such other conditions as the audit committee may deem fit:

Omnibus approval shall not be made for transactions in respect of selling or disposing of the undertaking of the company.

Subject to the applicable laws, the Audit Committee shall have the power to ratify, revise or terminate the RPTs, which are not in accordance with this Policy.

In a situation, where the Audit Committee is not in place, then the CEO of the company is authorized to undertake the actions listed above, under the coverage of the Audit Committee.

5.2. Board of Directors

• Subject to the provisions of Section 188 (1) of the Act, the related party transactions which are required to be approved by the Board of the Company under the provisions of the Act shall be entered into and acted upon, only after such approval is accorded by the Board. The Act has specified the following transactions for which necessary approval will be required:

a. sale, purchase or supply of any goods or materials;
b. selling or otherwise disposing of, or buying, property of any kind;
c. leasing of property of any kind;
d. availing or rendering of any services;
e. appointment of any agent for purchase or sale of goods, materials, services or property;
f. such related party’s appointment to any office or place of profit in the company, its subsidiary

company or associate company; and
g. underwriting the subscription of any securities or derivatives thereof, of the company

• Any related party transaction mentioned above which is not in the ordinary course of business and/or not on arm’s length basis will require Board’s approval.

• The Board will consider such factors as, nature of the transaction, material terms, the manner of determining the pricing and the business rationale for entering into such transaction. On such consideration, the Board may approve the transaction or may require such modifications to transaction terms as it deems appropriate under the circumstances.
• Any member of the Board who has any interest in any related party transaction will recuse himself and abstain from discussion and shall not vote to approve the related party transaction.

5.3. Shareholders

If a related party transaction is not in the ordinary course of business, or not at arm’s length price and is a Material Related Party Transaction, it shall require shareholders’ approval by a resolution.

5.4. Investment Agreement(s)/Articles of association of the Company:

At time of entering related party transaction, the Company is required to take into the consideration the provisions related to related party transactions specified in the Article of Association of the Company and/or Investment Agreement(s) entered by the Company with various Investors from time to time.

5.5. Disclosure and Reporting of Related Party Transactions:

a) As per the Act:

• Pursuant to Section 134(4) of the Act read with Rule 8(2) of the Companies (Accounts) Rules, 2014, every Contract or arrangement entered with Related Parties in accordance with Section 188(1) of the Act shall be disclosed in the Board’s Report along with the justification for entering into such contract or arrangements in Form AOC – 2.
• In terms of Section 178(8) of the Act, where the Board has not accepted any recommendation of the Audit Committee (or the CEO, where the Audit Committee has not been constituted), the same shall be disclosed in the Boards’ report with reason thereof.
• Making necessary entries in the Register of Contracts required to be maintained under Section 189 of the Act.

b) As per the Indian Accounting Standard (Ind AS) 243:

In terms of IND AS 24, the following disclosures are required to be made in the financial statements:

i. Relationships between a parent and its subsidiaries shall be disclosed irrespective of whether there have been transactions between them. An entity shall disclose the name of its parent and if different, the ultimate controlling party. If neither the entity’s parent nor the ultimate controlling party produces consolidated financials.

ii. statements available for public use, the name of the next most senior parent that does so shall also be disclosed.
iii. Key management personnel compensation in total.
iv. Related party transactions during the periods covered by the financial statements, it shall disclose the nature of the related party relationship as well as information about those transactions and outstanding balances, including commitments, necessary for users to understand the potential effect of the relationship on the financial statements. At a minimum, disclosures shall include:
a) the amount of the transactions;
b) the amount of outstanding balances, including commitments, and: (i) their terms and conditions, including whether they are secured, and the nature of the consideration to be provided in settlement; and (ii) details of any guarantees given or received;
c) provisions for doubtful debts related to the amount of outstanding balances; and
d) the expense recognised during the period in respect of bad or doubtful debts due from related parties.

v. The Standard requires that the disclosures, shall be made separately for each of the following categories:
a) the parent;
b) entities with joint control of, or significant influence over, the entity;
c) As per the RBI Master Directions:

i. Details of all material transactions with related parties shall be disclosed in the annual report.
ii. The Company shall disclose the policy on its website and also in the Annual Report.

5.6. RPTs not previously approved

In the event the Company becomes aware of a RPT that has not been approved or ratified under this Policy, the transaction shall be placed as promptly as practicable before the Audit Committee (or the CEO, where the Committee has not been constituted) or Board or the Shareholders as may be required in accordance with this Policy and in compliance with the applicable laws and regulations as may be amended from time to time.
The Committee (or the CEO, where the Committee has not been constituted) or the Board or the Shareholders shall consider all relevant facts and circumstances respecting such transaction and shall evaluate all options available to the Company, including but not limited to ratification, revision, or termination of such transaction, and the Company shall take such action as the Committee or the Board or the Shareholders (as the case may be) deem appropriate under the circumstances.

6. Effective Date

This Policy is approved by the Board of Director of the of the Company on February 15, 2025.

7. Limitation and Amendments

7.1. The Policy is subject to review from time to time and at least once in every year.

7.2. The Board of Directors may in their discretion and on recommendation of the Audit Committee (or the CEO, where the Committee has not been constituted), make any changes/modifications and/or amendments to this Policy from time to time.

7.3. In the event of any conflict between the provisions of this Policy and of the Act or any other statutory enactments, rules, the provisions of such Act or statutory enactments, rules shall prevail over and automatically be applicable to this Policy and the relevant provisions of the Policy would be amended/modified in due course to make it consistent with the law.

Policy on Outsourcing of Technology Services

1. Objectives & Regulatory Framework
On April 10, 2023, the Reserve Bank of India (‘RBI’) issued the final Master Direction on Outsourcing of Information Technology Services (‘the Direction’) which has been finalized based on the feedback received on the draft Master Direction on Outsourcing of Information Technology (IT) Services released on 23 June 2022. The Directions have been formulated in an effort to regulate various risks arising from Regulated Entities leveraging on Information Technology (IT) and IT-enabled services (ITeS) in their business, products and services with increasing dependence on third parties.

Along with other Regulated Entities (ORE) specifically referred to in the Direction, this Direction is also applicable, inter alia, to Non-Banking Financial Companies as defined under clause (f) of Section 45I of the Reserve Bank of India Act, 1934 and included in the ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’ and ‘Base Layer’ as set out in the Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs.

The underlying principle of these Directions is to ensure that outsourcing arrangements neither diminish the company’s ability to fulfil its obligations to customers nor impede effective supervision by the RBI. The Directions shall apply to Material Outsourcing of Information Technology (‘IT’) services arrangements and shall come into effect from 15th February 2025.

2. Definitions
i) Material Outsourcing of IT Services: include those activities which
a) if disrupted or compromised shall have the potential to significantly impact the Company’s business operations; or
b) may have material impact on the Company’s customers in the event of any unauthorized access, loss or theft of customer information.
ii) Outsourcing of Information Technology (“IT”) Services: shall include outsourcing of the following activities:
• IT infrastructure management, maintenance and support (hardware, software or firmware);
• Network and security solutions, maintenance (hardware, software or firmware);
• Application Development, Maintenance and Testing; Application Service Providers (ASPs) including ATM Switch ASPs;
• Services and operations related to Data Centres;
• Cloud Computing Services;
• Managed Security Services; and
• Management of IT infrastructure and technology services associated with payment system ecosystem.

iii) Service Provider: The term “Service Provider” means the provider of IT or IT enabled services. Service Provider includes, but is not limited to, the vendors, agencies, consultants and / or representatives of the third parties. It also includes subcontractors to whom the third-party service providers may further outsource some activity.

3. Role of the Regulated Entity- TCPL
A) Regulatory and Supervisory requirements:
• The outsourcing of any activity shall not diminish TCPL’s obligations as also of its Board and Senior Management, who shall be ultimately responsible for the outsourced activity. The Company shall take steps to ensure that the service provider employs the same high standard of care in performing the services as would have been employed by the Company if the same activity was not outsourced. The Company shall not engage an IT service provider that would result in reputation of TCPL being compromised or weakened.
• Notwithstanding whether the service provider is located in India or abroad, the Company shall ensure that the outsourcing should neither impede nor interfere with the ability of the Company to effectively oversee and manage its activities. Further, the Company shall ensure that the outsourcing does not impede the RBI in carrying out its supervisory functions and objectives. TCPL shall ensure that the service provider, if not a group company, shall not be owned or controlled by any director, or key managerial personnel, or approver of the outsourcing arrangement of the Company, or their relatives. The terms ‘control’, ‘director’, ‘key managerial personnel’, and ‘relative’ have the same meaning as assigned under the Companies Act, 2013 and the Rules 6 framed thereunder from time to time. However, an exception to this requirement may be made with the approval of Board/ Board level Committee, followed by appropriate disclosure, oversight and monitoring of such arrangements. The Board shall inter-alia ensure that there is no conflict of interest arising out of third-party engagements.
• Additional requirements pertaining to usage of cloud computing services and outsourcing of Security Operations Center (SOC) services are outlined in Paragraph 13 and 14 of the Part B, respectively.
B) Comprehensive assessment of need for outsourcing and attendant risks :
The Company shall evaluate the need for Outsourcing of IT Services based on comprehensive assessment of attendant benefits, risks and availability of commensurate processes to manage those risks. TCPL shall consider important aspects, such as;
• Determining the need for outsourcing based on criticality of activity to be outsourced;
• Determining expectations and outcome from outsourcing;
• Determining success factors and cost-benefit analysis; and
• Deciding the model for outsourcing.

C) Compliance with all applicable statutory and regulatory requirements :
The Company shall consider all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration, when performing its due diligence in relation to outsourcing of IT services.
D) Grievance Redressal Mechanism :
• The Company shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of

customers’ grievances related to outsourced services shall rest with the Company.
• Outsourcing arrangements shall not affect the rights of a customer against the Company, including the ability of the customer to obtain redressal as applicable under relevant laws.

E) Inventory of Outsourced Services :
TCPL shall create an inventory of services provided by the service. Further, the Company shall map their dependency on third parties and periodically evaluate the information received from the service providers.

4. Governance Framework
The Company, intending to outsource any of its IT activities, shall put in place a comprehensive Board approved IT outsourcing policy. The policy shall incorporate, inter alia, the roles and responsibilities of the Board, Committees of the Board (if any) and Senior Management, IT function, business function as well as oversight and assurance functions in respect of outsourcing of IT services.

A) Role of the Board
The Board of the Company shall be responsible, inter alia, for:

• putting in place a framework for approval of IT outsourcing activities depending on risks and materiality;
• approving policies to evaluate the risks and materiality of all existing and prospective IT outsourcing arrangements; and
• setting up suitable administrative framework of Senior Management for the purpose of these Directions.

Further the Board may delegate the above responsibilities to IT Strategy Committee of the Company, as it may deem fit.
B) Role of the Senior Management
The Senior Management of the Company shall, inter alia, be responsible for:

• formulating IT outsourcing policies and procedures, evaluating the risks and materiality of all existing and prospective IT outsourcing arrangements based on the framework commensurate with the complexity, nature and scope, in line with the enterprise-wide risk management of the organisation approved by the Board and its implementation;

• prior evaluation of prospective IT outsourcing arrangements and periodic evaluation of the existing outsourcing arrangements covering the performance review, criticality and associated risks of all such arrangements based on the policy approved by the Board;
• identifying IT outsourcing risks as they arise, monitoring, mitigating, managing and reporting of such risks to the Board/ Board Committee in a timely manner;
• ensuring that suitable business continuity plans based on realistic and probable disruptive

scenarios, including exit of any third-party service provider, are in place and tested periodically;
• ensuring (i) effective oversight over third party for data confidentiality and (ii) appropriate redressal of customer grievances in a timely manner;
• ensuring an independent review and audit on a periodic basis for compliance with the legislations, regulations, Board-approved policy and performance standards and reporting the same to Board/ Board Committee; and
• creating essential capacity with required skillsets within the organization for proper oversight of outsourced activities.

C) Role of the IT Function
The responsibilities of the IT Function of the Company shall, inter alia, include:

• assisting the Senior Management in identifying, measuring, monitoring, mitigating and managing the level of IT outsourcing risk in the organisation;

• ensuring that a central database of all IT outsourcing arrangements is maintained and is accessible for review by Board, Senior Management, Auditors and Supervisors;

• effectively monitor and supervise the outsourced activity to ensure that the service providers meet the laid down performance standards and provide uninterrupted services, report to the Senior Management; co-ordinate periodic due diligence and highlight concerns, if any; and

• putting in place necessary documentation required for contractual agreements including service level management, monitoring of vendor operations, key risk indicators and classifying the vendors as per the determined risk.

5. Evaluation and Engagement of Service Providers
• In considering or renewing an Outsourced IT Services arrangement, appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis. Due diligence shall take into consideration qualitative, quantitative, financial, operational, legal and reputational factors. The Company shall also consider, while evaluating the capability of the service provider, risks arising from the concentration of outsourcing arrangements with a single/ few service provider/s. Where possible, the Company shall obtain independent reviews and market feedback on the service provider to supplement its own assessment.

• A risk-based approach shall be adopted in conducting such due diligence activities.

• Due diligence shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:

a. past experience and demonstrated competence to implement and support the proposed IT activity over the contract period;

b. financial soundness and ability to service commitments even under adverse conditions;

c. business reputation and culture, compliance, complaints and outstanding or potential litigations;
d. conflict of interest, if any;

e. external factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance;

f. details of the technology, infrastructure stability, security and internal control, audit coverage, reporting and monitoring procedures, data backup arrangements, business continuity management and disaster recovery plan;

g. capability to identify and segregate the Company’s data;

h. quality of due diligence exercised by the service provider with respect to its employees and sub- contractors;

i. capability to comply with the regulatory and legal requirements of the Outsourcing of IT Services arrangement;
j. information/ cyber security risk assessment;

k. ensuring that appropriate controls, assurance requirements and possible contractual arrangements are in place to ensure data protection and the Company’s access to the data which is processed, managed or stored by the service provider;

l. ability to effectively service all the customers while maintaining confidentiality, especially where a service provider has exposure to multiple entities; and

m. ability to enforce agreements and the rights available thereunder including those relating to aspects such as data storage, data protection and confidentiality.

6. Outsourcing Agreement
• The Company shall ensure that its rights and obligations and those of each of its service providers are clearly defined and set out in a legally binding written agreement. In principle, the provisions of the agreement should appropriately reckon the criticality of the outsourced task to the business of the Company, the associated risks and the strategies for mitigating or managing them.

• The terms and conditions governing the contract shall be carefully defined and vetted by the Company’s legal counsel for their legal effect and enforceability. The agreement shall be sufficiently flexible to allow the Company to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations.

• The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent, principal or otherwise.

• Some key areas that should be covered by the agreement (as applicable to the scope of Outsourcing of IT Services) are as follows :

a. details of the activity being outsourced, including appropriate service and performance

standards including for the sub-contractors, if any;

b. effective access by the Company to all data, books, records, information, logs, alerts and business premises relevant to the outsourced activity, available with the service provider;

c. regular monitoring and assessment of the service provider by the Company for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately; including termination clause and minimum period to execute such provision, if deemed necessary;

d. type of material adverse events (e.g., data breaches, denial of service, service unavailability, etc.) and the incidents required to be reported to the Company to enable the Company to take prompt risk mitigation measures and ensure compliance with statutory and regulatory guidelines;

e. compliance with the provisions of Information Technology Act, 2000, other applicable legal requirements and standards to protect the customer data;

f. the deliverables, including Service-Level Agreements (SLAs) formalizing performance criteria to measure the quality and quantity of service levels;

g. storage of data only in India as per extant regulatory requirements;
h. clauses requiring the service provider to provide details of data (related to the Company and its customers) captured, processed and stored;

i. controls for maintaining confidentiality of data of the Company and its customers’, and incorporating service provider’s liability to the Company in the event of security breach and leakage of such information;

j. types of data/ information that the service provider (vendor) is permitted to share with the Company’s customer and / or any other party;

k. specifying the resolution process, events of default, indemnities, remedies, and recourse available to the respective parties;

l. contingency plan(s) to ensure business continuity and testing requirements;
m. right to conduct audit of the service provider (including its sub-contractors) by the Company, whether by its internal or external auditors, or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made about the service provider in conjunction with the services performed for the Company;

n. right to seek information from the service provider about the third parties (in the supply chain) engaged by the former;

o. recognizing the authority of regulators to perform inspection of the service provider and any of its sub-contractors. Adding clauses to allow RBI or person(s) authorized by it to access the Company’s IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the service provider and/ or its sub-contractors in relation and as applicable to the scope of the outsourcing arrangement;
p. including clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors;

q. obligation of the service provider to comply with directions issued by the RBI in relation to the activities outsourced to the service provider, through specific contractual terms and conditions specified by the Company;

r. clauses requiring prior approval/ consent of the Company for use of sub-contractors by the service provider for all or part of an outsourced activity;

s. termination rights of the company, including the ability to orderly transfer the proposed IT- outsourcing arrangement to another service provider, if necessary or desirable;

t. obligation of the service provider to co-operate with the relevant authorities in case of insolvency/ resolution of the Company;

u. provision to consider skilled resources of service provider who provide core services as “essential personnel” so that a limited number of staff with back-up arrangements necessary to operate critical functions can work on-site during exigencies (including pandemic situations);

v. clause requiring suitable back-to-back arrangements between service providers and the OEMs; and

w. clause requiring non-disclosure agreement with respect to information retained by the service provider.

x. The Company has the right to extend the above clauses of the agreement to any agencies to which the service provider sub-contracts any activity related to IT services outsourced by the Company.

7. Risk Management
• TCPL shall put in place a Risk Management framework for Outsourcing of IT Services that shall comprehensively deal with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with Outsourcing of IT Services arrangements.

• The risk assessments carried out by the Company shall be suitably documented with necessary approvals in line with the roles and responsibilities for the Board of Directors, Senior Management and IT Function. Such risk assessments shall be subject to internal and external quality assurance on a periodic basis as determined by the Board-approved policy.

• TCPL shall be responsible for the confidentiality and integrity of data and information pertaining to the customers that is available to the service provider.

• Access to data at the Company’s location / data centre by service providers shall be on need-to- know basis, with appropriate controls to prevent security breaches and/or data misuse.

• Public confidence and customer trust in the Company is a prerequisite for their stability and reputation. Hence, the Company shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. Access to customer information by staff of the service provider shall be on need-to-know basis.

• In the event of multiple service provider relationships where two or more service providers collaborate to deliver an end-to-end solution, the Company remains responsible for understanding and monitoring the control environment of all service providers that have access to the Company’s data, systems, records or resources.

• In instances where service provider acts as an outsourcing agent for multiple Company, care shall be taken to build adequate safeguards so that there is no combining of information, documents, records and assets. The Company shall ensure that a Non-Disclosure Agreement (“NDA”) is in place even after the contract expires/is terminated.

• The Company shall ensure that cyber incidents are reported to the Company by the service provider without undue delay, so that the incident is reported by the Company to the RBI within 6 hours of detection by the service provider.

• TCPL shall review and monitor the control processes and security practices of the service provider to disclose security breaches. The Company shall immediately notify RBI in the event of breach of security and leakage of confidential customer-related information. In these eventualities, the Company shall adhere to the extant instructions issued by RBI from time to time on Incident Response and Recovery Management.

• The Company shall effectively assess the impact of concentration risk posed by multiple outsourcings to the same service provider and/or the concentration risk posed by outsourcing critical or material functions to a limited number of service providers.

8. Business Continuity Plan and Disaster Recovery Plan
• The Company shall require their service providers to develop and establish a robust framework for documenting, maintaining and testing Business Continuity Plan (“BCP”) and Disaster Recovery Plan (“DRP”) commensurate with the nature and scope of the outsourced activity as per extant BCP/ DR requirements.

• In establishing a viable contingency plan, the Company shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.

• In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency/ liquidation of the service provider, the Company shall retain an appropriate level of control over its IT-outsourcing arrangement along with right to intervene, with appropriate measures to continue its business operations.

• The Company shall ensure that service providers are able to isolate the Company’s information, documents and records and other assets. This is to ensure that in adverse conditions and/or termination of the contract, all documents, record of transactions and information with the service provider and assets of the Company can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

9. Monitoring and Control of Outsourced Activities
• TCPL shall have in place a management structure to monitor and control its Outsourced IT activities. This shall include (as applicable to the scope of Outsourcing of IT Services) but not limited to monitoring the performance, uptime of the systems and resources, service availability,

adherence to SLA requirements, incident response mechanism, etc.
• The Company shall conduct regular audits (as applicable to the scope of Outsourcing of IT Services) of service providers (including sub-contractors) with regard to the activity outsourced by it. Such audits may be conducted either by the Company’s internal auditors or external auditors appointed to act on the Company’s behalf.
• While outsourcing various IT services, more than one Regulated Entity (RE) may be availing services from the same third-party service provider. In such scenarios, in lieu of conducting separate audits by individual REs of the common service provider, they may adopt pooled (shared) audit. This allows the relevant Companies to either pool their audit resources or engage an independent third-party auditor to jointly audit a common service provider. However, in doing so, it shall be the responsibility of the Company in ensuring that the audit requirements related to their respective contract with the service provider are met effectively.

• The audit shall assess the performance of the service provider, adequacy of the risk management practices adopted by the service provider, compliance with laws and regulation, etc. The frequency of the audit shall be determined based on the nature and extent of risk and impact to the Company from the outsourcing arrangements. Reports on the monitoring and control activities shall be reviewed periodically by the Senior Management and in case of any adverse development, the same shall be put up to the Board for information.

• The Company, depending upon the risk assessment, may also rely upon globally recognized third- party certifications made available by the service provider in lieu of conducting independent audits. However, this shall not absolve the Company of their responsibility in ensuring assurance on the controls and procedures required to safeguard data security (including availability of systems) at the service provider’s end.

• The Company shall periodically review the financial and operational condition of the service provider to assess its ability to continue to meet its Outsourcing of IT Services obligations. The Company shall adopt risk-based approach in defining the periodicity. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience preparedness.

• In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers of the Company, the same shall be given due publicity by the Company so as to ensure that the customers stop dealing with the concerned service provider.

• The Company shall ensure that the service provider grants unrestricted and effective access to
a) data related to the outsourced activities; b) the relevant business premises of the service provider; subject to appropriate security protocols, for the purpose of effective oversight use by the Company, their auditors, regulators and other relevant Competent Authorities, as authorized under law.

10. Outsourced within a Group /Conglomerate
• TCPL may outsource any IT activity/ IT enabled service within its business group/ conglomerate, provided that such an arrangement is backed by the Board-approved policy and appropriate service level arrangements/ agreements with its group entities are in place.

• The selection of a group entity shall be based on objective reasons that are similar to selection of a third-party, and any conflicts of interest that such an outsourcing arrangement may entail shall be appropriately dealt with.
• The Company, at all times, shall maintain an arm’s length relationship in dealings with their group entities. Risk management practices being adopted by the Company while outsourcing to a group entity shall be identical to those specified for a non-related party.

11. Additional requirements for Cross- Border Outsourcing
• The engagement of a service provider based in a different jurisdiction exposes the Company to country risk. To manage such a risk, the Company shall closely monitor government policies of the jurisdiction in which the service provider is based and the political, social, economic and legal conditions on a continuous basis, as well as establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. Further, it shall be ensured that availability of records to the Company and the RBI will not be affected even in case of liquidation of the service provider.

• The governing law of the arrangement shall also be clearly specified. In principle, arrangements shall only be entered into with parties operating in jurisdictions upholding confidentiality clauses and agreements.

• The right of the Company and the RBI to direct and conduct audit or inspection of the service provider based in a foreign jurisdiction shall be ensured.

• The arrangement shall comply with all statutory requirements as well as regulations issued by the RBI from time to time.

12. Exit Strategy
• The Outsourcing of IT Services policy shall contain a clear exit strategy with regard to outsourced IT activities/ IT enabled services, while ensuring business continuity during and after exit. The strategy should include exit strategy for different scenarios of exit or termination of services with stipulation of minimum period to execute such plans, as necessary. In documenting an exit strategy, the Company shall, inter alia, identify alternative arrangements, which may include performing the activity by a different service provider or the Company itself.
• The Company shall ensure that the agreement has necessary clauses on safe removal/ destruction of data, hardware and all records (digital and physical), as applicable. However, service provider shall be legally obliged to cooperate fully with both the Company and new service provider(s) to ensure there is a smooth transition. Further, agreement shall ensure that the service provider is prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the regulator/ concerned Company.

13. Storage, Computing and Movement of Data in Cloud Environments- Usage of Cloud Computing Services
The Company shall adopt the following requirements for storage, computing and movement of data in cloud environments:

• While considering adoption of cloud solution, it is imperative to analyze the business strategy and goals adopted to the current IT applications footprint and associated costs. Cloud adoption ranges from moving only non-business critical workloads to the cloud to moving critical business applications such as SaaS adoption and the several combinations in-between, which should be based on a business technology risk assessment.

• In engaging cloud services, the Company shall ensure, inter alia, that the Outsourcing of IT Services policy addresses the entire lifecycle of data, i.e., covering the entire span of time from generation of the data, its entry into the cloud, till the data is permanently erased/ deleted. The Company shall ensure that the procedures specified are consistent with business needs and legal and regulatory requirements.

• In adoption of cloud services, the Company shall take into account the cloud service specific factors, viz., multi-tenancy, multi-location storing/ processing of data, etc., and attendant risks, while establishing appropriate risk management framework. Cloud security is a shared responsibility between the Company and the Cloud Service Provider (CSP). The Company may refer to some of the cloud security best practices, for implementing necessary controls, as per applicability of the shared responsibility model in the adoption of cloud services.

• Cloud Governance: TCPL shall adopt and demonstrate a well-established and documented cloud adoption policy. Such a policy should, inter alia, identify the activities that can be moved to the cloud, enable and support protection of various stakeholder interests, ensure compliance with regulatory requirements, including those on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification. The policy should provide for appropriate due diligence to manage and continually monitor the risks associated with CSPs.
• Cloud Service Providers (CSP)
Considerations for selection of CSP: The Company shall ensure that the selection of the CSP is based on a comprehensive risk assessment of the CSP. TCPL shall enter into a contract only with CSPs subject to jurisdictions that uphold enforceability of agreements and the rights available thereunder to the Company, including those relating to aspects such as data storage, data protection and confidentiality.

• Cloud Services Management and Security Considerations

a. Service and Technology Architecture: TCPL shall ensure that the service and technology architecture supporting cloud-based applications is built in adherence to globally recognized architecture principles and standards. The Company shall prefer a technology architecture that provides for secure container-based data management, where encryption keys and Hardware Security Modules are under the control of the Company. The architecture should provide for a standard set of tools and processes to manage containers, images and releases. Multi- tenancy environments should be protected against data integrity and confidentiality risks, and against co-mingling of data. The architecture should be resilient and enable smooth recovery in case of failure of any one or combination of components across the cloud architecture with minimal impact on data/ information security.

b. Identity and Access Management (IAM): IAM shall be agreed upon with the CSP and ensured for providing role-based access to the cloud hosted applications, in respect of user- access and privileged-access. Stringent access controls, as applicable for an on-premise application, may be established for identity and access management to cloud-based applications. Segregation of duties and role conflict matrix should be implemented for all kinds of user- access and privileged-access roles in the cloud-hosted application irrespective of the cloud service model. Access provisioning should be governed by principles of ‘need to know’ and ‘least privileges’. In addition, multi-factor authentication should be implemented for access to cloud applications.

c. Security Controls: TCPL shall ensure that the implementation of security controls in the cloud-based application achieves similar or higher degree of control objectives than those achieved in/ by an on-premise application. This includes ensuring – secure connection through appropriate deployment of network security resources and their configurations; appropriate and secure configurations, monitoring of the cloud assets utilized by the Company and necessary procedures to authorize changes to cloud applications and related resources.

d. Robust Monitoring and Surveillance: TCPL shall accurately define minimum monitoring requirements in the cloud environment. The Company should ensure to assess the information/ cyber security capability of the cloud service provider, such that, the

i. CSP maintains an information security policy framework commensurate with its exposures to vulnerabilities and threats;
ii. CSP is able to maintain its information/ cyber security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment;
iii. nature and frequency of testing of controls by the CSP in respect of the outsourced services is commensurate with the materiality of the services being outsourced by the Company and the threat environment; and
iv. CSP has mechanisms in place to assess the sub-contractors with regards to confidentiality, integrity and availability of the data being shared with the sub- contractors, where applicable.

e. Appropriate integration of logs, events from the CSP into the Company’s SOC (Security Operations Center), wherever applicable and/ or retention of relevant logs in cloud shall be ensured for incident reporting and handling of incidents relating to services deployed on the cloud.

f. The Company’s own efforts in securing its application shall be complemented by the CSP’s cyber resilience controls. The CSP and the Company shall ensure continuous and regular updates of security-related software including upgrades, fixes, patches and service packs for protecting the application from advanced threats/ malware.

g. Vulnerability Management: TCPL shall ensure that CSPs have a well-governed and structured approach to manage threats and vulnerabilities supported by requisite industry-specific threat intelligence capabilities.

• Disaster Recovery & Cyber Resilience

a. The Company’s business continuity framework shall ensure that, in the event of a disaster affecting its cloud services or failure of the CSP, the Company can continue its critical operations with minimal disruption of services while ensuring integrity and security.

b. TCPL shall ensure that the CSP puts in place demonstrative capabilities for preparedness and readiness for cyber resilience as regards cloud services in use by them. This should be systematically ensured, inter alia, through robust incident response and recovery practices including conduct of Disaster Recovery (DR) drills at various levels of cloud services including necessary stakeholders.

• The following points may be evaluated while developing an exit strategy

a. the exit strategy and service level stipulations in the SLA shall factor in, inter alia,
i) agreed processes and turnaround times for returning the Company’s service collaterals and data held by the CSP;
ii) data completeness and portability;
iii) secure purge of the Company’s information from the CSP’s environment;
iv) smooth transition of services; and
v) unambiguous definition of liabilities, damages, penalties and indemnities.
b. monitoring the ongoing design of applications and service delivery technology stack that the exit plans should align with.
c. contractually agreed exit / termination plans should specify how the cloud- hosted service(s) and data will be moved out from the cloud with minimal impact on continuity of the Company’s business, while maintaining integrity and security.

d. All records of transactions, customer and operational information, configuration data should be promptly taken over in a systematic manner from the CSP and purged at the CSP-end and independent assurance sought before signing off from the CSP.
• Audit and Assurance
The audit/ periodic review/ third-party certifications should cover, as per applicability and cloud usage, inter alia, aspects such as roles and responsibilities of both TCPL and CSP in cloud governance, access and network controls, configurations, monitoring mechanism, data encryption, log review, change management, incident response, and resilience preparedness and testing, etc.

14. Outsourcing of Security Operations Centre (SOC)
Outsourcing of SOC operations has the risk of data being stored and processed at an external location and managed by a third party (Managed Security Service Provider -MSSP) to which the Company have lesser visibility. To mitigate the risks, in addition to the controls prescribed in these Directions, the Company shall adopt the following requirements in the case of outsourcing of SOC operations:

a. unambiguously identify the owner of assets used in providing the services (systems, software, source code, processes, concepts, etc.);
b. ensure that the Company has adequate oversight and ownership over the rule definition, customisation and related data/ logs, meta-data and analytics (specific to the Company);
c. assess SOC functioning, including all physical facilities involved in service delivery, such as

the SOC and areas where client data is stored / processed periodically;
d. integrate the outsourced SOC reporting and escalation process with the Company’s incident response process; and
e. review the process of handling of the alerts / events.

15. Services not considered under Outsourcing of IT Services
a. Corporate Internet Banking services obtained by the Company as corporate customers/ sub members of another regulated entity
b. External audit such as Vulnerability Assessment/ Penetration Testing (VA/PT),
c. Information Systems Audit, security review
d. SMS gateways (Bulk SMS service providers)
Procurement of IT hardware/ appliances
a. Acquisition of IT software/ product/ application (like CBS, database, security solutions, etc.,) on a licence or subscription basis and any enhancements made to such licensed third-party application by its vendor (as upgrades) or on specific change request made by the Company.
b. Any maintenance service (including security patches, bug fixes) for IT Infra or licensed products, provided by the Original Equipment Manufacturer (OEM) themselves, in order to ensure continued usage of the same by the Company.
c. Applications provided by financial sector regulators or institutions like CCIL, NSE, BSE, etc.
d. Platforms provided by entities like Reuters, Bloomberg, SWIFT, etc.
e. Any other off the shelf products (like anti-virus software, email solution, etc.,) subscribed to by the Company wherein only a license is procured with no/ minimal customization.
f. Services obtained by the Company as a sub-member of a Centralized Payment Systems (CPS) from another Company.
g. Business Correspondent (BC) services, payroll processing, statement printing
• Vendors / Entities who are not considered as Third-Party Service Provider

a. Vendors providing business services using IT. Example – BCs
b. Payment System Operators authorised by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007 for setting up and operating Payment Systems in India
c. Partnership based Fintech firms such as those providing co-branded applications, service, products (would be considered under outsourcing of financial services)
d. Services of Fintech firms for data retrieval, data validation and verification services such as (list is not exhaustive):
(a). Bank statement analysis
(b). GST returns analysis
(c). Fetching of vehicle information
(d). Digital document execution
(e). Data entry and Call centre services
e. Telecom Service Providers from whom leased lines or other similar kind of infrastructure are availed and used for transmission of the data
f. Security/ Audit Consultants appointed for certification/ audit/ VA-PT related to IT infra/ IT services/ Information Security services in their role as independent third-party auditor/ consultant/ lead implementer.

Policy on Outsourcing of Financial Services

1. Objectives & Regulatory Framework
TCPL may outsource any of its financial activities at any point of time in future and shall put in place a comprehensive outsourcing policy approved by its Board, which incorporates, inter alia criteria for selection of such activities as well as service providers, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities.
The objective of having a policy in place for outsourcing activity is to protect the interest of the customers and investors of TCPL and to ensure that the Company and the Reserve Bank of India have access to all relevant books, records and information available with service provider and to ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and RBI nor impede effective supervision by RBI.

TCPL therefore shall take steps to ensure that the service provider employs the same high standard of care in performing the services as is expected to be employed by TCPL, as if the activities were conducted within TCPL and not outsourced. Accordingly, TCPL shall not engage in outsourcing that would result in the Company’s internal control, business conduct or reputation being compromised or weakened.

A. RBI Directions
RBI has issued directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs. The directions are applicable to material outsourcing arrangements which may be entered into by an NBFC with a service provider located in India or elsewhere. The service provider may either be a member of the group/ conglomerate to which the NBFC belongs or an unrelated party.
These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities which are not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records etc.
B. Activities that shall not be outsourced
TCPL, if and when it chooses to outsource financial services, shall not outsource the following services:

Core management functions including internal audit, strategic and compliance functions.
Decision-making functions such as determining compliance with KYC norms.
Sanction of loans.
Management of investments
However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions elaborated below in outsourcing within the group.

C. Material Outsourcing
For the purpose of these directions, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on various factors mentioned below:

the level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by outsourced activity;
the potential impact of the outsourcing activity on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
the likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, if the service provider fails to perform the services;
the cost of the outsourcing activity as a proportion of total operating costs of the NBFC;
the aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider and
the significance of activities outsourced in context of customer service and protection.

2. Roles & Responsibility
A. Roles & Responsibility of Board of Directors

Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing activities and the policies that apply to such arrangements.
Deciding on business activities of a material nature to be outsourced and approving such arrangements;
Laying down appropriate approval authorities for outsourcing depending on risks and materiality;
Setting up suitable administrative framework of senior management for the purpose of these directions;
Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, safety and soundness;
Responsibility for the actions of their service provider
Responsibility to maintain the confidentiality of information pertaining to the customers that is available with the service provider;
Shall ensure that the service provider, if not a group company of the TCPL, shall not be owned or controlled by any director of the Company or their relatives. These terms have the same meaning as assigned under Companies Act, 2013.

B. Roles & Responsibility of Senior Management & Team

Evaluating the risks and materiality of all existing and prospective outsourcing based on the framework approved by the Board;
Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
Reviewing periodically the effectiveness of policies and procedures;
Communicating information pertaining to material outsourcing risks to the Board in a timely manner;
Ensuring that contingency plans, based on realistic and probable disruptive scenarios of service provider, are in place and tested;
Ensuring that there is independent review and audit for compliance with set policies;
Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise and
Shall ensure to have a robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing.

3. Risks in Outsourcing
The key risks in outsourcing are Strategic Risk, Compliance Risk, Operational Risk, Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk, Concentration and Systemic Risk. The failure of a service provider in providing a specified service, a breach in security/ confidentiality, or non-compliance with legal and regulatory requirements by the service provider can lead to financial losses or loss of reputation for the Company.
The Company shall evaluate and guard against the following risks in outsourcing:

Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.
Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the Company.
Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.
Operational Risk- Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.
Legal Risk – Where the Company may be subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.
Exit Strategy Risk – Where the Company may be over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in- house and contracts that make speedy exits prohibitively expensive.
Counter party Risk – Where there is inappropriate underwriting or credit assessments.
Contractual Risk – Where the Company may not have the ability to enforce the contract.
Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the Company may lack control over the service provider.
Country Risk – Due to the political, social and legal climate creating added risk.

4. Evaluation & Selection of Service Provider
In considering or renewing an outsourcing arrangement, appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence shall take into consideration qualitative and quantitative, financial and operational factors.
TCPL shall consider whether the service provider’s systems are compatible with its own and also whether their standards of performance including in the area of customer service are acceptable to it. The Company shall also consider, issues relating to undue concentration of outsourcing arrangements with a single service provider. Wherever possible, the Company shall obtain independent reviews and market feedback on the service provider to supplement its own findings.
Due diligence shall involve an evaluation of all available information about the service provider, including but not limited to the following:

Past experience and competence to implement and support the proposed activity over the contracted period;
Financial soundness and ability to service commitments even under adverse conditions;
Business reputation and culture, compliance, complaints and pending / potential litigations;
Security and internal control, audit coverage, reporting and monitoring environment, business continuity management and ensuring due diligence by service provider of its employees.

Further if due diligence seems all right then the selection should be done as follows:

Service Provider’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
Compatibility of the practices and systems of the service provider with the TCPL’s requirements and objectives;
Market feedback of the prospective service provider’s business reputation and track record of their services rendered in the past;
Level of concentration of the outsourced arrangements with a single party;

5. Outsourcing Contract
TCPL shall ensure that the terms and conditions governing the contract with the service provider are carefully defined in written agreements and vetted by TCPL’s legal team on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The agreement shall be sufficiently flexible to allow TCPL to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties- i.e. whether agent, principal or otherwise.
TCPL will consider some of the key provisions while entering into contract with the service provider, which are mentioned below:

The contract shall clearly define what activities are going to be outsourced including appropriate service and performance standards;
Ensure that TCPL has the ability to access all books, records and information relevant to the outsourced activity available with the service provider;
The contract shall provide for continuous monitoring and assessment by TCPL of the service provider so that any necessary corrective measure can be taken immediately;
Termination clause and minimum period to execute a termination provision, if deemed necessary, shall be included;
Controls to ensure customer data confidentiality and service providers liability in case of breach of security and leakage of confidential customer related information shall be incorporated;
There must be contingency plans to ensure business continuity;
The contract shall provide for the prior approval/ consent by TCPL of the use of subcontractors by the service provider for all or part of an outsourced activity;
It shall provide the Company with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the TCPL;
Outsourcing agreements shall include clauses to allow the Reserve Bank of India or persons authorized by it to access TCPL’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time;
Outsourcing agreement shall also include a clause to recognize the right of the Reserve Bank to cause an inspection to be made of a service provider of the Company and its books and account by one or more of its officers or employees or other persons;
The outsourcing agreement shall also provide that confidentiality of customer’s information shall be maintained even after the contract expires or gets terminated and that TCPL shall have necessary provisions to ensure that the service provider preserves documents as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.
Further care shall be taken to ensure that the outsourcing contract:
Provides for mutual rights, obligations and responsibilities of the Company and the Service Provider, including indemnity by the parties;
Provides for the liability of the Service Provider to the Company for unsatisfactory performance/other breach of the contract;

6. Confidentiality and Security
Public confidence and customer trust are prerequisites for the stability and reputation of the Company. Hence, TCPL shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider. TCPL shall ensure that:

Access to customer information by staff of the service provider shall be on ‘need to know’ basis i.e. limited to those areas where the information is required in order to perform the outsourced function.
The service provider is able to isolate and clearly identify TCPL’s customer information, documents, records and assets to protect the confidentiality of the information.
In instances, where service provider acts as an outsourcing agent for multiple NBFCs, care shall be taken to build strong safeguards so that there is no commingling of information / documents, records and assets.
Regular review and monitoring of the security practices and control processes of the service provider and require the service provider to disclose security breaches.
Immediately notify RBI in the event of any breach of security and leakage of confidential customer-related information. In these eventualities, the Company would be liable to its customers for any damages.

7. Responsibilities of Direct Sales Agents (DSA)/Direct Marketing Agent (DMA)/ Recovery Agents

TCPL shall ensure that the DSA/ DMA/ Recovery Agents are properly trained to handle their responsibilities with care and sensitivity, particularly aspects such as soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer, etc.
TCPL shall put in place a board approved Code of conduct for DSA/ DMA/ Recovery Agents, and obtain their undertaking to abide by the code. In addition, Recovery Agents shall adhere to extant instructions on Fair Practices Code for NBFCs as also their own code for collection of dues and repossession of security. It is essential that the Recovery Agents refrain from action that could damage the integrity and reputation of the Company and that they observe strict customer confidentiality.
The Company and their agents shall not resort to intimidation or harassment of any kind, either verbal or physical, against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the debtors’ family members, referees and friends, sending inappropriate messages either on mobile or through social media, making threatening and anonymous calls, persistently calling the borrower and/or calling the borrower before 8:00
a.m. and after 7:00 p.m. for recovery of overdue loans, making false and misleading representations, etc. – the Company shall ensure that there are no violations in this regard.

8. Business Continuity and Management of Disaster Recovery Plan

The Company shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. TCPL shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider.
In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the Company shall retain an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the Company and its services to the customers.
In establishing a viable contingency plan, TCPL shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in- house in an emergency and assess the costs, time and resources that would be involved.
TCPL will make sure that service providers are able to isolate the Company’s information, documents and records, and other assets so that in appropriate situations, all documents, records of transactions and information given to the service provider, and assets of TCPL, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

9. Monitoring and Control of Outsourced Activities

The Company shall have in place a management structure to monitor and control its outsourcing activities. It shall ensure that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities.
A central record of all material outsourcing that is readily accessible for review by the Board and senior management of the Company shall be maintained. The records shall be updated promptly and half yearly basis reviews shall be placed before the Board or a Board designated Committee.
Regular audits would be done by either the internal auditors or external auditors of the Company to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement.
TCPL shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, the same shall be publicized by displaying at a prominent place in all the offices, posting it on the website, and informing the customers so as to ensure that the customers do not continue to deal with the service provider.
A robust system of internal audit of all outsourced activities shall also be put in place and monitored by the Board or the Audit Committee of the Board (ACB) of the Company.

10. Reporting of transactions to FIU or other competent authorities

The Company would be responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of the Company’s customer related activities carried out by the service providers.

11. Outsourcing within the group
In a group structure, the Company may have back-office and service arrangements/ agreements with group entities e.g. sharing of premises, legal and other professional services, and hardware and software applications, centralize back-office functions, outsourcing certain financial services to other group entities etc.
Before entering into such arrangements with group entities, the Company shall have an arrangement with their group entities which shall also cover demarcation of sharing resources i.e. premises, personnel, etc. Moreover, the customers shall be informed specifically about the company which is actually offering the product/ service, wherever there are multiple group entities involved or any cross selling observed.
While entering into such arrangements, TCPL shall ensure that:

Arrangements are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer’s data;
Such arrangement does not lead to any confusion to the customers on whose products/ services they are availing by clear physical demarcation of the space where the activities of TCPL and those of its other group entities are undertaken;
Such arrangements do not compromise the ability to identify and manage risk of the Company on a stand-alone basis;
Incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by the RBI in relation to the activities of TCPL;
TCPL shall ensure that their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable;
If the premises of TCPL are shared with the group entities for the purpose of cross- selling, the Company shall take measures to ensure that its identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in TCPL’s premises shall mention nature of arrangement of the entity with TCPL so that the customers are clear on the seller of the product.
TCPL shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities.
The risk management practices expected to be adopted by the Company while outsourcing to a related party (i.e. party within the Group / Conglomerate) would be identical to those applicable for any other entity.

12. Off-shore outsourcing of Financial Services
The engagement of service providers in a foreign country exposes a Company to country risk
– economic, social and political conditions and events in a foreign country that may adversely affect the Company. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the Company. To manage the country risk involved in such outsourcing activities, TCPL shall take into account and closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.

The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of TCPL in a timely manner.

As regards the off-shore outsourcing of financial services relating to Indian Operations, the Company shall additionally ensure that:

Where the off-shore service provider is a regulated entity, the relevant off-shore regulator will neither obstruct the arrangement nor object to RBI inspection visits/ visits of the Company’s internal and external auditors.
The availability of records to management and the RBI will withstand the liquidation of either the offshore custodian or the Company in India.
The regulatory authority of the offshore location does not have access to the data relating to Indian operations of the Company simply on the ground that the processing is being undertaken there (not applicable if off shore processing is done in the home country of the Company).
The jurisdiction of the courts in the off shore location where data is maintained does not extend to the operations of the Company in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India and
All original records continue to be maintained in India.