This Policy on Outsourcing of Activities (Outsourcing Policy) lays down a framework for outsourcing of activities by Infomerics as advised by Securities and Exchange Board of India (SEBI), vide its circular No. CIR/MIRSD/24/2011 dated December 15, 2011.
The Outsourcing Policy has been devised to ensure safeguarding the interest of Infomerics and the issuers/investors by adopting sound and responsive management practices through due diligence and management of risks arising out of outsourcing of activities. The guidelines are applicable to outsourcing arrangements entered into by Infomerics with the service providers located in India. The policy incorporates the criteria for selection of the activities that may be outsourced, risks arising out of outsourcing, management of these risks, delegation of powers etc.
As defined by SEBI, ‘Outsourcing’ means the use of one or more than one third party – either within or outside the group - by an entity to perform the activities associated with services which the entity offers.
As such, for the purpose of this policy, Outsourcing shall refer to Infomerics’ use of a third party (either an affiliated entity within the group or an entity that is external to the group) to perform activities on a continuing basis or for a limited period, that would normally be undertaken by Infomerics, at present or in future.
As a SEBI registered Credit Rating Agency, Infomerics is bound to render, at all times, high standards of service and exercise due diligence and ensure proper care in its operations. Accordingly, it shall not outsource its core business activities and compliance functions. Presently, the activities shall refer to sourcing and verification/validation services only.
Indicative List of Activities that can be outsourced
Sourcing and verification/validation services that can be outsourced by Infomerics may include client approach, telephonic follow up for data or fees and follow-up for sourcing of data or other information, document verification/validation etc. Additional activities within the definition of outsourcing can also be outsourced by Infomerics as permitted under the regulations for credit rating agencies.
Activities that should not be outsourced
Core business activities related to rating process like analysis, site visit, report preparation, industry research, development of rating criteria and methodologies and rating committee functions viz. assignment and review of ratings shall not be outsourced by Infomerics.
Check List for Outsourcing
While outsourcing any activity, Infomerics shall consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration. Infomerics shall retain ultimate control of the outsourced activity, as outsourcing of any activity by Infomerics does not diminish its obligations, and those of its Board and Senior Management, who have responsibility for the outsourced activity. Infomerics shall therefore remain responsible for the actions of its service providers including Direct Sales Agents/ Direct Marketing Agents and the confidentiality of information pertaining to the customers that is available with the service providers.
Appraisal of A Service Provider
While outsourcing or renewing contract of outsourcing of an activity with a service provider, Infomerics shall take into consideration the regulatory status and capability of the service provider to comply with obligations as per the outsourcing agreement, past experience and competence to implement and support the proposed activity over the contracted period and financial soundness and ability to service commitments.
Infomerics shall carry out assessment of risks related to outsourcing.
The risks associated with outsourcing may be operational risk, reputational risk, legal risk, strategic risk, exit-strategy risk, counter party risk, concentration risk and systemic risk.
The risk will depend on the scope and materiality of the outsourced activity.
In managing the risk, Infomerics shall take into consideration factors like:
In case any of the activities are outsourced to a group entity or an associate entity, Infomerics shall ensure arm’s length distance in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests.
Infomerics shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by the regulators.
The Outsourcing Agreement
The terms and conditions governing the contract between Infomerics and the service providers shall be carefully defined in written agreements and vetted by Infomerics’ legal counsel on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The contract would clearly define the activities that are being outsourced, including appropriate service and performance standards. The contract shall enable Infomerics to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations.
Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information provide that the confidentiality of customer’s information shall be maintained even after the contract expires or gets terminated. The contract shall provide for seeking prior approval/consent from Infomerics for the use of sub-contractors by the service provider for all or part of an outsourced activity.
The Contract shall also provide for mutual rights, obligations and responsibilities of Infomerics and the third party, including indemnity by the parties.
A termination clause and minimum period to execute a termination provision, if deemed necessary, shall also be included in the contract.
Powers For Approving Outsourcing Activities
Powers for approving outsourcing activities and reviewing the same shall remain with the Board of Directors of Infomerics.
The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Senior Management or Board of Directors as and when required.
Review of the Policy
The policy will be reviewed at least once in two years or as and when considered necessary by the Board of Directors of Infomerics in the wake of changing business environment.
Updated after Board Meeting dated 27.08.2021