OUTSOURCING OF ACTIVITIES

Objective

This Policy on Outsourcing of Activities (Outsourcing Policy) lays down a framework for outsourcing of activities by Infomerics as advised by Securities and Exchange Board of India (SEBI), vide its circular No. CIR/MIRSD/24/2011 dated December 15, 2011.

Scope

The Outsourcing Policy has been devised to ensure safeguarding the interest of Infomerics and the issuers/investors by adopting sound and responsive management practices through due diligence and management of risks arising out of outsourcing of activities. The guidelines are applicable to outsourcing arrangements entered into by Infomerics with the service providers located in India. The policy incorporates the criteria for selection of the activities that may be outsourced, risks arising out of outsourcing, management of these risks, delegation of powers etc.

Definition

As defined by SEBI, ‘Outsourcing’ means the use of one or more than one third party – either within or outside the group - by an entity to perform the activities associated with services which the entity offers.

As such, for the purpose of this policy, Outsourcing shall refer to Infomerics’ use of a third party (either an affiliated entity within the group or an entity that is external to the group) to perform activities on a continuing basis or for a limited period, that would normally be undertaken by Infomerics, at present or in future.

However, the following activities shall not be considered as outsourcing and hence shall not be under the purview of this policy:  

  1. Hiring professionals as consultants to perform a part of an activity where such associates are fully supervised by Infomerics management and are provided Infomerics’ email IDs and work on Infomerics’ computer systems; and
  2. Housekeeping, security, catering, transport and other such services which are not related/ associated with credit rating services.

As a SEBI registered Credit Rating Agency, Infomerics is bound to render, at all times, high standards of service and exercise due diligence and ensure proper care in its operations. Accordingly, it shall not outsource its core business activities and compliance functions.

Indicative List of Activities that can be outsourced

“Non-core” activities that can be outsourced by Infomerics may include client approach, telephonic follow up for data or fees and follow-up for sourcing of data or other information, document verification/validation, Legal, Finance, IT, Admin, HR related services etc. Additional activities within the definition of outsourcing can also be outsourced by Infomerics as permitted under the regulations for credit rating agencies.

Activities that cannot not be outsourced

Core business activities related to rating process like analysis, site visit, Rating Committee Note or Press Release preparation, industry research, development of rating criteria and methodologies and rating committee functions viz. assignment and review of ratings shall not be outsourced by Infomerics.

Check List for Outsourcing

While outsourcing any activity, Infomerics shall consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration. Infomerics shall retain ultimate control of the outsourced activity, as outsourcing of any activity by Infomerics does not diminish its obligations, and those of its Board and Senior Management, who have responsibility for the outsourced activity. Infomerics shall therefore remain responsible for the actions of its service providers including Direct Sales Agents/ Direct Marketing Agents and the confidentiality of information pertaining to the customers that is available with the service providers.

Appraisal of a Service Provider

While outsourcing or renewing contract of outsourcing of an activity with a service provider, Infomerics shall take into consideration the regulatory status and capability of the service provider to comply with obligations as per the outsourcing agreement, past experience and competence to implement and support the proposed activity over the contracted period and financial soundness and ability to service commitments.

The service provider may be allowed to use the infrastructure, network and IT assets owned by and software licensed to Infomerics. The same restrictions that apply to a full-time on-roll employee using the IT assets of Infomerics shall be applicable to such service providers.

Risk Management

Infomerics shall carry out assessment of risks related to outsourcing.

The risks associated with outsourcing may be operational risk, reputational risk, legal risk, strategic risk, exit-strategy risk, counter party risk, concentration risk and systemic risk.

The risk will depend on the scope and materiality of the outsourced activity.

In managing the risk, Infomerics shall take into consideration factors like:

In case any of the activities are outsourced to a group entity or an associate entity, Infomerics shall ensure arm’s length distance in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests.

Infomerics shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by the regulators.

The Outsourcing Agreement

The terms and conditions governing the contract between Infomerics and the service providers shall be carefully defined in written agreements and vetted by Infomerics’ legal counsel on their legal effect and enforceability. Every such agreement shall address the risks and risk mitigation strategies. The contract would clearly define the activities that are being outsourced, including appropriate service and performance standards. The contract shall enable Infomerics to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations.

Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information provide that the confidentiality of customer’s information shall be maintained even after the contract expires or gets terminated. The contract shall provide for seeking prior approval/consent from Infomerics for the use of sub-contractors by the service provider for all or part of an outsourced activity.

The Contract shall also provide for mutual rights, obligations and responsibilities of Infomerics and the third party, including indemnity by the parties.

A termination clause and minimum period to execute a termination provision, if deemed necessary, shall also be included in the contract.

Monitoring and Review of Outsourced Activities

Periodic monitoring and review of activities outsources shall be undertaken by Infomerics to ensure that the same are in compliance with the policy.

Internal auditors of Infomerics may be required to review the outsourcing contracts from the perspective of compliance with the policy, risk management system and regulatory requirements.

Powers for Approving Outsourcing Activities

Powers for approving outsourcing activities and reviewing the same within the Board approved policy shall be vested with a committee consisting of the Chairman/WTD/CEO of Infomerics.

An activity can be outsourced only after written consent for the same is obtained from the Chief Executive Officer (CEO).

The Compliance Officer shall periodically review all the outsourcing arrangements to ensure that the same are in compliance with the policy.

Record Keeping

The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Senior Management or Board of Directors as and when required.

Activities which are presently being outsourced by Infomerics

Activities presently being outsourced by Infomerics include services of Software vendors, Legal services, managing certain associates for business development, services of recruitment consultants and payroll processing.  

Review of the Policy

The policy will be reviewed at least once in two years or as and when considered necessary by the Board of Directors of Infomerics in the wake of changing business environment.

[Last reviewed on July 2023]

                                                                                               *****************

Policy Version History

Version

Date

Description Approved By
1.0  

Initial Policy Draft

Board

2.0 August 2021

Revised Policy Draft

Board

3.0 July 2023

Revised Policy Draft

Board

 

Archive