OUTSOURCING POLICY
Introduction: K.M. Global P2P Finance Private Limited (herein referred to as “the Company”) is a Non-Banking Finance Company (NBFC-ND) registered with RBI. The company provides unsecured personal loans to individuals.
'Outsourcing' is defined as the NBFC’s use of a Third-Party hereafter referred as (“Service Provider”) to perform activities on continuing basis that would normally be undertaken by the NBFC itself, now or in the future. ‘Continuing basis' includes agreements for a limited period.
Typically, ‘Outsourced financial services’ includes applications processing (loan origination), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.
Objectives & Regulatory Framework
RBI Directions
'Outsourcing' is defined as the NBFC’s use of a Third-Party hereafter referred as (“Service Provider”) to perform activities on continuing basis that would normally be undertaken by the NBFC itself, now or in the future. ‘Continuing basis' includes agreements for a limited period.
Typically, ‘Outsourced financial services’ includes applications processing (loan origination), document processing, marketing and research, supervision of loans, data processing and back office related activities, besides others.
RBI has issued directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs. The directions are applicable to material outsourcing arrangements which may be entered into by an NBFC with a service provider located in India or elsewhere. The service provider may either be a member of the group/ conglomerate to which the NBFC belongs or an unrelated party.
These directions are concerned with managing risks in outsourcing of financial services and are not applicable to technology-related issues and activities which are not related to financial services, such as usage of courier, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records etc.
Activities that shall not be outsourced:
The Company if choose to outsource financial services shall not outsource the following services:
- Core management functions including internal audit, strategic and compliance functions
- Decision-making functions such as determining compliance with KYC norms
- Sanction of loans
- Management of investment portfolio
However, for NBFCs in a group/ conglomerate, these functions may be outsourced within the group subject to compliance with instructions elaborated below in outsourcing within the group.
Material Outsourcing Means
For the purpose of these directions, material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service. Materiality of outsourcing would be based on various factors mentioned below:
- The level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by outsourced activity
- The potential impact of the outsourcing activity on the NBFC on various parameters such as earnings, solvency, liquidity, funding capital and risk profile
- The likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, if the service provider fails to perform the services
- The cost of the outsourcing activity as a proportion of total operating costs of the NBFC
- The aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider and
- The significance of activities outsourced in context of customer service and protection.
Roles & Responsibility
Roles & Responsibility of Board of Directors
- Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing activities and the policies that apply to such arrangements
- Deciding on business activities of a material nature to be outsourced and approving such arrangements
- Setting up suitable administrative framework of senior management for the purpose of these directions
- Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, safety and soundness
- Shall take the responsibility for the actions of their service provider
- Shall take the responsibility to maintain the confidentiality of information pertaining to the customers that is available with the service provider.
- Shall ensure that the service provider, if not a group company of the Company, shall not be owned or controlled by any director of the Company or their relatives. These terms have the same meaning as assigned under Companies Act, 2013.
Roles & Responsibility of Senior Management & Team
- Evaluating the risks and materiality of all existing and prospective outsourcing based on the framework approved by the Board
- Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity
- Reviewing periodically the effectiveness of policies and procedures
- Communicating information pertaining to material outsourcing risks to the Board in a timely manner
- Ensuring that contingency plans, based on realistic and probable disruptive scenarios of service provider, are in place and tested
- Ensuring that there is independent review and audit for compliance with set policies.
- Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise and
- Shall ensure to have a robust grievance redress mechanism, which in no way shall be compromised on account of outsourcing.
The Company shall evaluate and guard against the following risks in outsourcing
- Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.
- Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.
- Operational Risk- Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.
- Legal Risk – Where the Company may be subjected to fines, penalties, or punitive damages resulting from supervisory actions
- Exit Strategy Risk – Where the Company may over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in-house and contracts that make speedy exits prohibitively expensive.
- Counter party Risk – Where there is inappropriate underwriting or credit assessments.
- Contractual Risk – Where the Company may not have the ability to enforce the contract.
- Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the Company may lack control over the service provider.
Evaluation & Selection Of Service Provider
In considering or renewing an outsourcing arrangement, appropriate due diligence shall be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence shall take into consideration qualitative and quantitative, financial and operational factors.
The company shall conduct due diligence which shall involve an evaluation of all available information about the service provider, including but not limited to the following
- Past experience and competence to implement and support the proposed activity over the contracted period.
- Financial soundness and ability to service commitments even under adverse conditions.
- Business reputation and culture, compliance, complaints and pending / potential litigations.
- Security and internal control, audit coverage, reporting and monitoring environment, business continuity management and ensuring due diligence by service provider of its employees
Further if due diligence seems all right then the selection will be done as per the following criteria:
- Service Provider’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed
- Compatibility of the practices and systems of the service provider with the Company’s requirements and objectives
- Market feedback of the prospective service provider’s business reputation and track record of their services rendered in the past
- Level of concentration of the outsourced arrangements with a single party
Outsourcing Contract
The service provider may either be a member of the group/ conglomerate to which the NBFC belongs, or an unrelated party (collectively to be referred to as “Service Provider”)
- Third Parties
- Group Companies
The Company shall ensure the terms and conditions governing the contract with the service provider are carefully defined in written agreements and vetted by the Company’s legal team on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The agreement shall be sufficiently flexible to allow the Company to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties.
The service provider agrees to the below:
- Ensure that appropriate service and performance standards and code of conduct (example no harassment where the outsourced service is collections) are adhered to as defined in the Agreement
- Have adequate financial capacity to fulfil obligations and/ or to provide remedies to the Company in the event of technology failure, fraud, error on part of Service Provider
- Ensure that the Company has the ability to access all books, records and information relevant to the outsourced activity available with the service provider
- The Company can continuous monitor and assess the service provider so that any necessary corrective measure can be taken immediately
- Both parties have the right to terminate the Agreement as defined in the Termination clause of the agreement. In case of any material breach of any of the terms & conditions of the agreement, the agreement shall be terminated with immediate effect at the option of the non-defaulting party.
- It shall implement all necessary controls to ensure customer data confidentiality and it shall be service provider’s liability in case of breach of security and leakage of confidential customer related information.
- The Service Provider shall review and monitor on regular basis and immediately disclose any breaches of security practice/processes and controls and leakage of Information to the Company. The Company shall also be entitled to review and monitor the security practices and control processes of the Service Provider on regular basis after providing reasonable prior notice.
- The service provider shall take prior approval/ consent of the Company for the use of subcontractors for all or part of an outsourced activity
- It shall provide the Company with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the Company
- The Company's documents, records of transactions, and other necessary information given to, stored or processed by the service provider shall be subject to on-site/off- site monitoring and inspection/scrutiny by the Reserve Bank of India or persons authorized by it. The service provider agrees to provide its books & accounts, records and information within 7 days upon receipt of notice from RBI.
- The confidentiality of customer's information shall be maintained even after the contract expires or gets terminated. The service provider shall preserve documents related to the Company and the customer as required by law and shall refrain from disclosing any information to unrelated third parties either implicitly or explicitly.
- The Company’s Grievance Redressal Machinery will also deal with the issue relating to services provided by the service provider. Hence, the service provider shall respond to the grievances within the time frame fixed by the Company.
Confidentiality And Security
Public confidence and customer trust are prerequisites for the stability and reputation of the Company. Hence the Company shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider
In this regard, the service provider shall ensure that:
- Access to customer information by staff of the service provider shall be on 'need to know' basis i.e. limited to those areas where the information is required in order to perform the outsourced function.
- The service provider is able to isolate and clearly identify the Company's customer information, documents, records and assets to protect the confidentiality of the information.
- The Company shall be entitled to regular review and monitoring of the security practices and control processes of the service provider and the service provider shall disclose security breaches to the Company.
- The service provider shall immediately notify to the Company and RBI in the event of any breach of security and leakage of confidential customer related information.
Business Continuity And Management Of Disaster Recovery Plan
The service provider agrees to the following:
- Develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. The service provider should periodically test the Business Continuity and Recovery Plan and allow the Company to test it too.
- The service providers should isolate the Company’s information, documents and records, and other assets so that in appropriate situations, all documents, records of transactions and information given to the service provider, and assets of the Company, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.
Monitoring And Control Of Outsourced Activities
The service provider agrees to the following:
- The Company shall be entitled to at least on annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
- The Company, in the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, shall publicize by displaying at a prominent place in all the offices, posting it on the website, and informing the customers of the same so as to ensure that the customers do not continue to deal with the service provider.
