SUMMARY OF THE POLICY
OUTSOURCING OF FINANCIAL SERVICES
Issue and Effective date
28, April 2022
Date of next review
Within in 12 months from effective date
Periodicity of review
Owner / Contact
Board of Directors
TABLE OF CONTENTS
Role of the Company, Regulatory and Supervisory Requirements
Role of the Board and Senior Management
Indicative List of Activities that can be Outsourced
Activities not to be Outsourced
Assessment and Due Diligence of the Service Providers – Selection, Verification and Renewal
Service Level Agreement / Outsourcing Agreement (SLA)
Comprehensive Risk Management Program to address the outsourced activities
Grievance Redressal Mechanism
Confidentiality and Security
Business Continuity and Management of Disaster Recovery Plan
Monitoring and Control of Outsourced Activities
Reporting of transactions to FIU or other competent authorities
Outsourcing within a Group/ Conglomerate
Maintenance of Records
Review of Policy
This Policy shall be termed as Outsourcing Policy of SHIVAKARI FINANCE PRIVATE LIMITED (“The Company” or “SFPL”). The terms in this policy shall be considered as defined by the Reserve Bank of India in its Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs and other various directions, guidelines as issued and may be issued from time to time and, or as defined herein below.
Outsourcing involves transferring financial activities to the third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future.
The outsourcing of activities falls within the purview of guidelines of the Reserve Bank of India (“RBI”) on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs” issued on November 9, 2017 (Including amendment thereof) which requires the non-banking financial companies to formulate an outsourcing policy. In compliance with these RBI guidelines, this outsourcing policy (“Policy”) has been framed by the Company duly approved by its Board of Directors.
Outsourcing always involves a considerable degree of two-way information exchange, coordination and trust. Outsourced financial services include applications processing (loan origination), document processing, marketing and research, supervision of loans, collection activities, data processing and back office related activities etc. Outsourcing business is often characterized by expertise not inherent to the core of the client organization.
The outsourcing of financial activities with in regulatory preview with an objective to:
- Protect the interest of the customers of NBFCs, and
- To ensure that the NBFC concerned and the Reserve Bank of India have access to all relevant books, records and information available with service provider.
SFPL has aim to serve credit facilities to all peoples of society in fair, transparent, and speedy manner in keeping its mission “to bridge the gap between the financial requirements in an easy, quick, and hassle-free manner. At Shivakari Finance, we aim to cater to the needs of the people by offering a wide variety of financial products so that it ultimately leads to economic growth of country.”, to achieve our mission and to maintain lean operations, several business-critical processes are required to be outsourced to external service providers (“the Service Provider”). Needless to say, the Company’s service delivery may get significantly hampered if these Service Providers do not deliver their services as per agreed norms.
The main objectives of this Policy are to provide guiding principles for:
- To provide credit facilities in a fair transparent and speedy manner to customers.
- To provide cutting-edge high standard technical facilities to the customers.
- Assessment and due diligence of the Service Providers – selection, verification, and renewal.
- Negotiating terms & conditions of the Service Level Agreement (SLA).
- Negotiating financial terms of the engagement.
- Comprehensive risk management program to address the outsourced activities.
- Half-yearly and annual rating of the Service Providers.
- Speedy Redressal of Grievance.
- Confidentiality and security.
- Responsibilities of Direct Sales Agent/ Direct Marketing Agents/ Recovery Agents/ Lending service provider.
- Business continuity and management of disaster recovery plan.
- Monitoring and control of the outsourced activities.
- Reporting of certain transactions to Financial Intelligence Unit (FIU) or other competent authorities.
- Outsourcing within group companies.
- Maintenance of records.
- Offshore outsourcing of the financial services.
This Policy is concerned with managing risks in outsourcing of financial services and is not applicable to technology-related issues and activities not related to financial services, such as usage of couriers, catering of staff, housekeeping and janitorial services, security of the premises, movement and archiving of records, etc.
This Policy shall be assessed/reviewed by the board of the Company on annual basis considering the inputs (if any) of the respective Head of Departments and shall be modified as per the applicable directions/guidelines of the RBI.
In this Policy, unless expressly defined otherwise in this Policy, the capitalized terms shall have the following meanings:
“Arrangement” means an agreement with a service provider wherein such service provider agrees/ promises to provide necessary services using its own staff and equipment, and usually at its own facilities;
“Board of Directors” or “Board” in relation to the Company, means the collective body of the Directors of the Company;
“Business-critical Processes” means the processes essential for carrying out operations of the Company which does not include its core management functions”
“Code of Conduct” means a set of rules outlining the rules and responsibilities of the Board, Senior Management, Direct Sales Agents (DSA), Direct Marketing Agents (DMA) and/or Recovery Agents and Lending service provider;
“Continuing basis” includes agreements for a limited period;
“Material Outsourcing” means such arrangements which, if disrupted, have the potential to significantly impact the business operations, reputation, profitability or customer service, and the materiality of outsourcing would be determined based on
- the level of importance of the activity being outsourced, and significance of the risk posed by the same, to the Company;
- the potential impact of the outsourcing on the Company on various parameters such as earnings, solvency, liquidity, funding capital and risk profile;
- the likely impact on the Company’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the Service Provider fail to perform the service;
- the cost of the outsourcing as a proportion of total operating costs of the Company;
- the aggregate exposure to that particular Service Provider, in cases where the Company outsources various functions to the same Service Provider; and
- the significance of activities outsourced in context of customer service and protection.
“Outsourcing” means the Company’s use of a third party (either an affiliated entity within a Company group or an entity that is external to the Company group) to perform activities on a continuing basis that would normally be undertaken by the Company itself, now or in the future;
“Senior Management” comprises of the Key Managerial Personnel of the Company, Business/Unit Heads and such other employees as authorized by the Company from time to time;
“Service Level Agreement” or “Outsourcing Agreement” means a contract between a service provider (either internal or external) and the Company that defines the level, terms & conditions of service expected from the Service Provider.
“Service Provider” means any third party (either an affiliated entity within SFPL group or an entity that is external to SFPL group) that performs business-critical services on the continuing basis (includes arrangements for a limited period) that would normally be undertaken by the Company itself, now or in the future. The services provided must be necessary for continuity of business processes and include, inter alia, the following:
- Services that aid in credit appraisal such as tele-verification, providing credit reports, field investigation, title search, etc.;
- Services that aid in customer file verification, storage and in-warding and resolution of customer queries;
- Services that aid in the collection of payments from the customers, legal services, repossession services, etc;
- IT services including both software (owned and as a service) and hardware; and
- Such other services which are essential to business continuity as per the Company from time to time, unless otherwise specified in this Policy.
4. Role of the Company, Regulatory and Supervisory Requirements
The Company, through the Senior Management or the respective Head of Departments, Business/Unit heads shall ensure that:
- Outsourcing arrangement of any activity by the Company does not diminish its obligations and/or ability to fulfill its obligations to customers and RBI, and those of its Board and Senior Management who have the ultimate responsibility for the outsourced activity.
- Outsourcing arrangement does not impede effective supervision of the RBI over such activities.
- Outsourcing arrangement shall not affect the rights of a customer against the Company, including ability of the customer to obtain redressal of his/her grievance as per the provisions of this Policy or the applicable laws.
- Ultimate control of the outsourced activity remains with the Company as it is responsible for confidentiality of the customers’ information available with its Service Providers and it may also be held responsible for the actions of its Service Providers including Direct Sales Agents, Direct Marketing Agents, Recovery Agents, and Lending Service provider;
- Applicable provisions of the relevant laws, regulations, guidelines and conditions of approval, licensing and registration are considered while doing due diligence of the Service Provider in relation to outsourcing;
- The Service Provider including its location, whether in India or abroad, shall not impede or interfere with the ability of the Company to effectively oversee and manage its activities and shall also not impede the RBI in carrying out its supervisory functions and objectives;
- Clause shall be incorporated in the product literature/ brochures, etc., stating that the Company may use the services of agents in sales and marketing, etc. of the products, and if possible, role of such agents may be indicated in broad terms;
- The Service Provider (other than Group Company) is not owned or controlled by any director of the Company or their relatives (as defined in the Companies Act, 2013).
5. Role of the Board and Senior Management
Role of Board: The Board of Directors of the Company shall prepare/review/approve an outsourcing policy, in accordance with the applicable laws and the RBI guidelines.
Role of the Board:
The Board shall be responsible for:
- approval of framework for evaluation of the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements;
- approval of authority matrix and administrative framework for the Senior Management in respect of outsourcing depending on risks and materiality;
- regular review of outsourcing strategies and arrangements for their continued relevance, safety and soundness; and
- Approving material business activities to be outsourced and such arrangements.
Role of Senior Management:
The Senior Management of the Company shall be responsible for:
- Preparation and implementation of sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing, in accordance with the applicable laws and the guidelines prescribed by RBI;
- Preparation of framework for evaluation of the risks associated with outsourcing of the business-related activities;
- Evaluation of the risks and materiality of all existing and prospective outsourcing, based on the policy and the evaluation framework approved by the Committee;
- Periodic review of effectiveness of the policies and procedures;
- Communicating information pertaining to the Material Outsourcing risks to the Board in a timely manner;
- Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
- Ensuring that there is independent review and audit for compliance with set policies; 8. Undertaking periodic review of outsourcing arrangements to identify new Material Outsourcing risks as they arise.
6. Indicative List of Activities that can be Outsourced
An indicative list of activities that may be considered for outsourcing is as under:
- Lead sourcing activity
- Digital Marketing services
- Other Marketing services
- Application processing (loan origination)
- Document processing
- Documents quality check
- Storage of documents
- Credit Underwriting support
- Research and marketing
- Supervision of loans
- Recovery and repossession
- Call Centre
- Data processing
- Back office-related activities
- Field Investigation
- Information Technology
- Risk Control Unit
The above list is indicative only and not exhaustive. Additional activities within the definition of outsourcing can also be outsourced by the Company.
7. Activities not to be Outsourced
The respective Head of Departments and board of directors shall ensure that
- the Company is not entering into any outsourcing arrangement which would result in compromising or weakening of internal control, business conduct or reputation of the Company;
- the Company is not outsourcing its core management functions including Internal Audit, Strategic and Compliance functions and decision-making functions such as determining compliance with KYC norms for opening high risk loan accounts, according sanction for loans (including retail loans,) and management of investment portfolio. However, Internal Auditor can be appointed on a contract basis.
8. Assessment and Due Diligence of the Service Providers – Selection, Verification and Renewal
One of the objectives of this Policy, in keeping with the values of the Company, is to recognize and enlist suitable service providers commensurate with their capabilities and to provide all service providers equitable opportunities. This ensures consistency, fair play and transparency in selection of service providers who are quality conscious.
The respective Head of Departments must exercise due care, skill and diligence in the selection of the Service Providers in order to ensure that the Service Provider has the ability and capacity to undertake the provision of the services effectively. Due diligence shall take into consideration qualitative and quantitative, financial, operational and reputational factors which are as follows:
Enquiries may be made related to
- How long has the Service Provider been in business years in handling the outsourcing business?
- Description of the Service Provider’s business model.
- Scale of operations of the Service Provider.
- Service Provider’s financial condition.
- Service Provider’s areas of expertise.
- Service Provider’s onshore and offshore capabilities.
- Factual proofs that the Service Provider has a background in projects similar to the Company.
Therefore, due diligence will also involve an evaluation of all the available information about the Service Provider, including but not limited to:
- Past experience and competence to implement and support the proposed activity over the contracted period;
- Financial soundness and ability to service commitments even under adverse conditions;
- Business reputation and culture, compliance, complaints and outstanding or potential litigation;
- Security and internal control, audit coverage, reporting and monitoring environment, Business continuity management; and
- Ensuring due diligence of its employees by the Service Provider.
The Service Provider, if not a SFPL group company, should not be owned or controlled by any director of the Company or their relatives.
In considering renewal of an outsourcing arrangement, the concerned Head of Department shall perform appropriate due diligence to assess the capability of the Service Provider to comply with obligations in the outsourcing agreement. Apart from considering the qualitative, quantitative, financial, operational and reputational factors as mentioned above, they should consider compatibility of the Service Provider’s system with the Company’s system, issues relating to undue concentration of outsourcing arrangements with a single Service Provider, reviews and market feedback on the Service Provider (if available).
9. Service Level Agreement / Outsourcing Agreement (SLA)
All Service Providers, prior to selection, must be given clarity on the level of service that the Company expects from them. The terms of the Service Level Agreement (“SLA”) shall be decided by the board and mutually agreed upon by the Service Provider. For Service Providers providing same or similar services, the terms of the SLA shall be identical to ensure equity and parity amongst the Service Providers.
Every SLA shall include the following provisions:
- Nature of Legal relationship between the parties i.e.; whether agent, principal or otherwise;
- What activities are going to be outsourced? (including appropriate service and its performance standards);
- Determining the ability to access all books, records and information relevant to the outsourced activity available with the Service Provider;
- Ability for continuous monitoring and assessment of the Service Provider by the Company so that any necessary corrective measure can be taken immediately;
- Controls to ensure customer data confidentiality and the Service Provider’ liability in case of breach of security and leakage of confidential customer related information;
- there must be contingency plans to ensure business continuity;
- Termination clause and minimum period to execute a termination provision (Notice Period);
- Limited access of data to the employees of the Service Provider only on a “need to know” basis and availability of adequate checks and balances at the end of the Service Provider to ensure the same;
- Requirement of prior approval/ consent from the Company for use of sub-contractors by the Service Provider for all or part of an outsourced activity and includes, where necessary, conditions of sub-contracting by the Service Provider in order to maintain a similar control over the risks by the Company;
- Must have a confidentiality clause to ensure protection and confidentiality of customer data even after the SLA expires or gets terminated;
- Provides for the Company with the right to conduct audits on the Service Provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the Service Provider in conjunction with the services performed for the Company;
- Provides for the RBI or persons authorized by it to access the Company’s documents, records of transactions, and other necessary information given to, stored or processed by the Service Provider within a reasonable time;
- Provides for right of the RBI to cause an inspection to be made of a Service Provider of the Company and its books and account by one or more of its officers or employees or other persons;
- Requirement of the Service Provider to preserve documents as required by law and take suitable steps to ensure that the Company’s interests are protected in this regard even post termination of the services.
10. Comprehensive Risk Management Program to address the outsourced activities
This Policy shall be communicated to all vertical/functional heads and other concerned persons of the Company who shall evaluate and guard against the following risks in outsourcing by the Company:
- Strategic Risk – Where the Service Provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.
- Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the Company.
- Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the Service Provider.
- Operational Risk – Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and / or to provide remedies.
- Legal Risk – Where the Company is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the Service Provider.
- Exit Strategy Risk – Where the Company is over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in-house and where the Company has entered into contracts that make speedy exits prohibitively expensive.
- Counter party Risk – Where there is inappropriate underwriting or credit assessments.
- Contractual Risk – Where the Company may not have the ability to enforce the contract.
- Concentration and Systemic Risk – Where the overall industry has considerable exposure to one Service Provider and hence the Company may lack control over the Service Provider.
- Country Risk – Due to the political, social or legal climate creating added risk.
The risks and materiality of all the existing and prospective outsourcing shall be reviewed by the Head of Departments and by the Board/Committee (if required) from time to time as may be necessary. In the Outsourcing Agreement, the Company shall be provided with a right to conduct audits on the Service Provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the Service Provider in conjunction with the services performed for the Company.
11. PROCESS TO HANDLE CUSTOMER COMPLAINTS / GRIEVANCES
All disputes / complaints arising out of the decisions of the Company’s functionaries would be heard and disposed of at least at the next higher level after it is brought to their notice. Therefore, the following ‘Grievances Redressal Mechanism’ is put in place.
Level 1: Branch / Place where Business is transacted Level Review
A customer should either make a written complaint addressed to the relevant Branch Manager (contact details for the Company’s branches/ places where business is transacted are on the Company’s website), call the Company at 01145517612, or email the Company at [email protected].
The Branch / places where business is transacted will strive to provide an initial response to the customer’s complaint within 7 days of the complaint being lodged.
Level 2: Grievance Redressal Officer
In case the customer is not satisfied with the response received at Step 1, i.e., the Branch, he /she can escalate the complaint to SFPL Grievance Redressal Officer, whom the Company has appointed for the implementation of customer service and complaint handling. The Grievance Redressal Officer’s complete contact details are given on the following page:
Name of the Grievance Redressal Officer
Mr. Mukesh Arora
01145517612 / 93154 99246
Once the complaint is escalated, the complaint will receive a response within 7 working days of it reaching the Grievance Redressal Officer.
Level-3: Compliance officer
In case the customer is still not satisfied with the response or has not received a response from the Company within 15 days from the date of his/her initial complaint, he/she may contact the Company’s Compliance officer at the email id [email protected] or phone number 011 45517612.
Name of the Compliance officer
011 45517612 / 011 68228064
Once the complaint is escalated, the complaint will receive a response within 7 working days of it reaching the Compliance officer
12. ESCALATION OF COMPLAINT TO RESERVE BANK OF INDIA
In case the complainant does not receive a response from the Company within reasonable time or if a customer is dissatisfied with the response received at all levels, the complainant may approach the Reserve Bank of India at the following address:
If the complaint does not receive a response from the Company within a period of 1 month or if a customer is dissatisfied with the response received at all levels, the complainant may approach the Reserve Bank of India at the following address:
6, Sansad Marg,
New Delhi – 110001, India.
Email: [email protected]
13. Confidentiality and Security
Public confidence and customer trust in the Company are a pre-requisite for the stability and reputation, and therefore, the respective Head of the Departments shall ensure that
- Outsourcing Arrangement shall ensure preservation and protection of the security and confidentiality of customer information in the custody or possession of the Service Provider;
- Access of customer information to the staff of the Service Provider shall be on ‘need to know’ basis i.e. limited to those areas where information is required in order to perform the outsourced function;
- The Service Provider shall isolate and clearly identify the Company’s customer information, documents, records and assets to protect the confidentiality of the information. In Instances, where the Service Provider acts as an outsourcing agent for multiple companies, care shall be taken to build strong safeguards so that there is no comingling of information/documents, records and assets;
- Security practices and control processes of the Service Provider shall be reviewed and monitored on a regular basis and the Service Providers shall be required to disclose security breaches;
- Any breach of security and leakage of confidential customer related information shall be notified to RBI.
14. Business Continuity and Management of Disaster Recovery Plan
The Company, through the concerned Head of Departments, shall ensure that:
- The Service Providers have developed and established a robust documented and tested framework for business continuity and recovery procedures which shall be reviewed on annual basis;
- A notice period is incorporated in the Outsourcing Arrangement in order to mitigate the risk of unexpected termination thereof or liquidation of the Service Provider. To deal with such situation, an appropriate level of control and right to intervene shall be retained in the Outsourcing Arrangement with appropriate measures to continue the business operations of the Company without incurring prohibitive expenses and without any break in services to the customers of the Company;
- Alternative Service Providers are available or there is a possibility of bringing the outsourced activity back in-house in case of emergency.
- The Service Providers are able to isolate the Company’s information, documents and records, and other assets, and to ensure this, a clause may be incorporated in the Outsourcing Arrangement that after the termination of the contract, the Company can take back all the documents, records of transactions and information given to the Service Provider in order to continue its business operations, or otherwise delete, destroy or render unusable the same.
15. Monitoring and Control of Outsourced Activities
The Head of Departments shall monitor and control the outsourcing activities of the Company and shall ensure that outsourcing agreements with the Service Provider contain provisions to monitor and control the outsourced activities. The Head of Departments shall meet on a half-yearly basis for the following purposes:
- To review the central record of all Material Outsourcing maintained by the Company. The said records shall be updated promptly and half yearly reviews will be placed before the board or Committee.h
- To review, on annual basis, the financial and operational condition of the Service Provider so as to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which will be based on all available information about the Service Provider will highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
The respective Head of Departments shall ensure that:
- In the event of termination of the outsourcing agreement for any reason in cases where the Service Provider deals with the customers, the same shall be publicized by displaying at a prominent place in the branch, posting it on the web-site and informing the customers, so as to ensure that the customers do not continue to deal with the Service Provider.
- Reconciliation of transactions between the Company and the Service Provider (and/or its sub-contractor) are carried out in a timely manner in case of outsourcing arrangements requiring reconciliation of transactions, for example, outsourcing of cash management. An ageing analysis of entries pending reconciliation with the Service Providers shall be placed before the Committee of the Board and the efforts shall be made to reduce the old outstanding items therein at the earliest.
- A robust system of internal audit of all the outsourced activities is in place and monitored by the board/Committee of the Company.
- Regular audits are conducted by senior management of the Company to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the Company’s compliance with its risk management framework and the requirements of the RBI guidelines.
16. Reporting of transactions to FIU or other competent authorities
The respective Head of Departments shall provide the Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in pursuance of prevention of money laundering act read prevention of money laundering rules 2005 with the in respect of the Company’s customer-related activities carried out by the Service Providers.
17. Outsourcing within a Group/ Conglomerate
In case of outsourcing of any activity within the group companies, the respective Head of Departments shall ensure that
- Arm’s length distance is maintained in such outsourcing in terms of premises, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests between the Company and such Service Provider and accordingly necessary disclosures in this regard shall be made as part of the outsourcing agreement;
- The customers are informed specifically about the company which is actually offering the product/ service in case of involvement of multiple group entities involved or cross selling of products;
- The outsourcing agreement shall address the provisions including scope of services, charges for the services and maintaining confidentiality of the customer’s data;
- The arrangement shall not lead to any confusion to the customers on whose products/ services they are availing.
- The arrangement does not compromise the ability to identify and manage risk of the Company on a stand-alone basis;
- The arrangement does not prevent the RBI from being able to obtain information required for the supervision of the Company or pertaining to the group as a whole;
- The outsourcing agreement must have a clause that there is a clear obligation for any service provider to comply with directions given by the RBI in relation to the activities of the Company;
- Their ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable;
- If the premises of the Company are shared with the group entities for the purpose of crossselling, the Company shall take measures to ensure that the entity’s identification is distinctly visible and clear to the customers;
- The marketing brochure used by the group entity and verbal communication by its staff / agent in the Company premises shall mention nature of arrangement of the entity with the Company so that the customers are clear about the seller of the product;
- The Company shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities.
- The risk management practices expected to be adopted by the Company while outsourcing to a related party (i.e. party within the Group / Conglomerate) would be identical to those specified above.
18. Maintenance of Records
The records relating to all the activities outsourced shall be preserved centrally either at the registered office of the Company or such other location as may be approved by the Board, so that these records are readily accessible for review by the Board and Senior Management of the Company, as and when required. Such records shall be updated promptly by any person authorized by the Board and/or its committee and half yearly reviews shall be placed before the Committee.
19. Review of Policy
This Policy shall be reviewed at regular intervals or as and when considered necessary by the Board of Directors/Committee of the Company.