Policy on Outsourcing of Activities
Last Reviewed On: October 08, 2022 (Version 5)
Overview
This document constitutes a policy framework, containing, inter alia, guidelines according to which all outsourcing activities shall be carried out by Acuité Ratings & Research Limited (hereinafter referred to as ARRL). This policy is consistent with the “Guidelines on Outsourcing of Activities by Intermediaries” issued by the Securities and Exchange Board of India (SEBI) vide their circular CIR/MIRSD/24/2011 dated December 15, 2011.
For the purposes of this policy, the term Outsourcing shall have the following meaning: The use of a third party – a different legal entity other than ARRL - by ARRL to perform the activities associated with the services which ARRL offers on behalf of ARRL. Such activities when performed by ARRL subsidiaries shall also be considered as outsourcing and this policy shall be applicable on such arrangements.
- General Principles
- ARRL shall always render high standards of service and exercise due diligence and ensure proper care in its operations. It is possible that outsourcing of certain activities may be resorted to from time to time with a view to, among others, reduce costs, and for strategic reasons.
- Principles for Outsourcing – There could be a variety of risks associated with outsourcing. These may include operational risk, reputational risk, legal risk, strategic risk, counter party risk, concentration risk and systemic risk. To address the concerns arising from the outsourcing of activities by ARRL the principles mentioned in this policy have been formulated for governing its outsourcing activities.
- Activities that shall not be Outsourced – ARRL will not outsource its core business activities and compliance functions. A few examples of core business activities may be:
- assignment of credit ratings
- surveillance of assigned credit ratings
- development of rating criteria
- quality control activities
- rating note preparation
- rating recommendation to rating committee
- administration of & secretarial activities pertaining to rating committee
- Reporting to Financial Intelligence Unit (FIU) - ARRL shall be responsible for reporting of any suspicious transactions / reports which come to its notice to FIU or any other competent authority in respect of activities carried out by the third parties with which it has any outsourcing arrangements.
- Policy
- This comprehensive policy shall guide the assessment of whether and how relevant activities can be appropriately outsourced. The Board of Directors of ARRL (hereinafter referred to as the Board) shall approve the policy and have the responsibility for the policy and related overall responsibility for activities undertaken under the policy. The Board of Directors shall review this policy periodically and make amendments as necessary, from time to time.
- The activities or the nature of activities that can be outsourced are as follows:
Activities which are not a core part of assigning credit ratings may be outsourced. The activities that may be outsourced are:
- business development
- tele-calling for following up for data or fees and follow-up for sourcing of data or other information
- public data (financial and non-financial) aggregation
- data entry
- sales back office operations
- An activity shall not be outsourced if it would impair the supervisory authority’s right to assess, or its ability to carry out supervisory activities at ARRL.
- If there is a doubt about whether a particular activity can be outsourced or not, the clarification regarding the same may be obtained from Chief Rating Officer.
- Activities which do not come under the definition of “outsourcing” as defined in this policy, may also be delegated to third parties.
- Any decision to outsource an activity and selection of the service provider shall require approval of appropriate authority.
- Any process that leads to services being provided to the Rating Analytical Department shall require approval of Chief Rating Officer
- Any process that leads to services being provided to business development department shall require approval of Group Chief Executive Officer
- The agreements between Acuité and the service provider shall be approved by VP – Compliance & Group Company Secretary
- Before a decision is made to outsource an activity, the following aspects need to be considered - evaluation of risk concentrations, limits on the acceptable overall level of outsourced activities and risks arising from outsourcing multiple activities to the same entity.
- The Board shall also have overall responsibility for ensuring that all ongoing outsourcing decisions taken by ARRL, and the activities undertaken by the relevant third-party, are in keeping with this policy. This may be facilitated by including the formulation and implementation of this policy as a part of the scope of internal audit and a presentation of the audit report to the Board.
- Risk Management
- ARRL shall have a mechanism to assess outsourcing risk it is subjected to. This will depend on factors like the scope and materiality of the outsourced activity. The factors that could help in considering materiality in a risk management programme include:
- The impact of failure of a third party to adequately perform the activity on the financial, reputational, and operational performance of ARRL and on its clients / investors
- Ability of ARRL to cope with the work, in case of non-performance or failure by a third party, by having suitable back-up
- Regulatory status of the third party, including its fitness and probity status
- Situations involving conflict of interest between ARRL and the third party, and the measures put in place by ARRL to address such potential conflicts
- While there shall not be any prohibition on a group entity / associate of ARRL to act as the third party, if outsourcing were to happen to such an entity, systems shall be put in place to have an arm’s length distance between ARRL and the third party in terms of infrastructure, manpower, decision making, record keeping, etc. for avoidance of potential conflict of interests. Necessary disclosures in this regard shall be made as part of the contractual agreement. It shall be kept in mind that the risk management practices expected to be adopted by ARRL while outsourcing to a related party or an associate would be identical to those followed while outsourcing to an unrelated party.
- The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Board and / or ARRL’s senior management, as and when needed. These records should be preserved for a period of at least five years after the cessation of the respective outsourcing arrangements. Such records shall be regularly updated and may also form part of the corporate governance review by the management of ARRL.
- Regular reviews by internal or external auditors of the outsourcing policy, risk management system and other requirements of the regulator, if any, shall be mandated by the Board wherever felt necessary. ARRL shall review the financial and operational capabilities of the third party to assess its ability to continue to meet the outsourced obligations.
- Undiminished Ability to Fulfil Obligations
- ARRL shall be fully liable and accountable for the activities that are being outsourced to the same extent as if the service were provided in-house.
- The facilities / premises / data that are involved in carrying out the outsourced activity by the third party shall be deemed to be those of ARRL by the Regulator. ARRL and the Regulator or the persons authorized by it shall have the right to access the same at any point of time.
- Outsourcing arrangements shall not impair the ability of Regulators, SEBI/RBI or auditors to exercise their regulatory responsibilities such as supervision / inspection of ARRL.
- Appropriate Due Diligence to be Conducted
- ARRL shall conduct appropriate due diligence in selecting the third party and in the monitoring of its performance.
- It is important that ARRL exercises due care, skill, and diligence in the selection of the third party to ensure that the third party has the ability and capacity to undertake the provision of the relevant service effectively.
- The due diligence undertaken by ARRL shall include assessment of:
- third party’s resources and capabilities, including financial soundness, to perform the outsourced work within the timelines fixed
- compatibility of the practices and systems of the third party with ARRL’s requirements and objectives
- market feedback of the prospective third party’s business reputation and track record of their services rendered in the past
- level of concentration of the outsourced arrangements with a single third party.
- ARRL will annually review each outsourced important operational function to assess the third party’s current performance of – and continued ability to appropriately perform – the outsourced activity so as not to risk the quality, integrity, or continuity of the services offered by ARRL.
- Existence of Written Contracts
- Outsourcing relationships shall be governed by written contracts / agreements / terms and conditions (as deemed appropriate) {hereinafter referred to as “contract”} that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities, and expectations of the parties to the contract, client confidentiality issues, termination procedures, etc.
- Care shall be taken to ensure that the outsourcing contract:
- clearly defines what activities are going to be outsourced, including appropriate service and performance levels
- provides for rights, obligations, and responsibilities of ARRL and the third party, including indemnity by that third party in favour of ARRL.
- provides for the liability of the third party to ARRL for unsatisfactory performance/other breach of the contract
- provides for the continuous monitoring and assessment by ARRL of the third party so that any necessary corrective measures can be taken up immediately, i.e., the contract shall enable ARRL to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations
- includes, where necessary, conditions of sub-contracting by the third-party, i.e., the contract shall enable ARRL to maintain a similar control over the risks when a third party outsources to further third parties as in the original direct outsourcing
- has unambiguous confidentiality clauses to ensure protection of proprietary and customer data during the tenure of the contract and after the expiry of the contract
- specifies as appropriate the responsibilities of the third party with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.
- provides for preservation of the documents and data by the third party
- provides for the mechanisms to resolve disputes arising from implementation of the outsourcing contract
- provides for termination of the contract, termination rights, transfer of information and exit strategies
- neither prevents nor impedes ARRL from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers
- provides for ARRL and/or the regulator or the persons authorized by it to have the ability to inspect, access all books, records, and information relevant to the outsourced activity with the third party
- Contingency Plans
- ARRL and its third parties shall appropriately establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
- Specific contingency plans shall be separately developed for each outsourcing arrangement.
- ARRL shall take appropriate steps to assess and address the potential consequence of a business disruption or other problems at the third-party level. Notably, it shall consider contingency plans at the third party; co-ordination of contingency plans at both ARRL and the third party; and contingency plans of ARRL in the event of non-performance by the third party.
- To ensure business continuity, robust information technology security is a necessity. A breakdown in the IT capacity may impair the ability of ARRL to fulfil its obligations to other market participants/clients/regulators and could undermine the privacy interests of its customers, harm ARRL’s reputation, and may ultimately impact on its overall operational risk profile. ARRL shall, therefore, seek to ensure that the third party maintains appropriate IT security and disaster recovery capabilities.
- Periodic tests of the critical security procedures and systems and review of the backup facilities shall be undertaken by ARRL to confirm the adequacy of the third party’s systems.
- Confidentiality Protection
- ARRL shall take appropriate steps to require that third parties protect confidential information of both ARRL and its customers from intentional or inadvertent disclosure to unauthorised persons.
- ARRL shall take appropriate steps to protect proprietary and confidential information of ARRL / its customers and ensure that it is not misused or misappropriated.
- ARRL shall prevail upon the third party to ensure that the employees of the third party have limited access to the data handled and that too only on a “need to know” basis and the third party shall have adequate checks and balances to ensure the same.
- In cases where the third party is providing similar services to multiple entities, that third party should ensure that adequate care is taken by it to build safeguards for data security and confidentiality of the information of ARRL and its customers.
- Concentration Risk
- There could be potential risks posed where the outsourced activities of multiple intermediaries like ARRL are concentrated with a limited number of third parties.
- In instances where the third party acts as an outsourcing agent for multiple intermediaries like ARRL, it is the duty of the third party and ARRL to ensure that strong safeguards are put in place so that there is no co-mingling of information / documents, records, and assets.
- Application of Outsourcing Policy with Other Policies and Procedures
The Outsourcing Policy is intended to be complementary to all other policies and procedures adopted by ARRL.
ARRL’s personnel who have questions on interpretation or application of this policy should contact the Chief Rating Officer who will coordinate on the appropriate response. Any exceptions to this policy must be given by the Group Chief Executive Officer of ARRL on the recommendation of the Chief Rating Officer and must be formally documented.
- Criteria to be used while adhering to the SEBI guidelines on Outsourcing
- To identify activities to be identified as “core” under the SEBI Guidelines for Outsourcing for Intermediaries, ARRL will consider services offered by its credit ratings division for products and services which fall within the purview of SEBI (Credit Rating Agencies) Regulations.
- Within the credit ratings division, activities which influence the decision of the management in the process of offering services to clients would be termed as “core”. These activities will not be outsourced by ARRL.
- ARRL will also not outsource its compliance function in line with the above-mentioned SEBI guidelines.
- Activities which are not “core” may involve the engagement of one or more than one third party by ARRL to perform the activities associated with services which ARRL offers.
- Activities in which services are performed by a third party not on a continuous basis but as a one-off activity would not be considered as “outsourcing”.
- Activities coming under the purview of the departments of corporate functions such as Finance, IT, Admin, HR, marketing, economic research, legal opinion etc. would not be classified as “Outsourcing” as they are not involved in delivering the services offered by ARRL to its clients.
- Arrangements with entities only for the purposes of hiring associates to perform a part of an activity where such associates are fully supervised by ARRL employees will not be classified as “outsourcing”.