| Name of the Document | Policy for Outsourcing Financial Services |
|---|---|
| Approving Authority | Board of Directors |
| Created by | <<to be added>> |
| Reviewed by | <<to be added>> |
| Last Reviewed on | <<to be added>> |
| Next Due Date for Review | <<to be added>> |
| Version | 1.0 |

| Sr. No. | Version | Revision Summary | Approving Authority | Effective Date |
|---|---|---|---|---|
| 1 | <<to be added>> | <<to be added>> | <<to be added>> | <<to be added>> |
| 2 | <<to be added>> | <<to be added>> | <<to be added>> | <<to be added>> |
| 3 | <<to be added>> | <<to be added>> | <<to be added>> | <<to be added>> |
| 4 | <<to be added>> | <<to be added>> | <<to be added>> | <<to be added>> |

Gandra Fincorp Private Limited (‘Gandra’ or ‘the Company’) is a non-deposit taking Non-Banking Financial Company (NBFC) - Investment and Credit Company registered with the Reserve Bank of India (‘RBI’). Gandra is currently categorized as base layer NBFC. The Company is engaged in the business of extending business and corporate loans.
The RBI has issued the Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 (‘Directions’), which has advised NBFCs to put in place a Board-approved outsourcing policy which shall, inter alia, cover the framework for the criteria for selection of outsourced financial services and service providers, delegation of authority depending on risks and materiality, and systems to monitor and review such activities. Therefore, the Company has adopted this Policy for Outsourcing Financial Services (‘the Policy’) in line with requirements, standards, and guidelines issued by the RBI from time to time.
The primary objective of this Policy is to establish a robust framework for managing risks associated with third-party service providers while improving operational efficiency. It ensures that outsourcing does not impede regulatory compliance, customer service, or data confidentiality.
Key definitions
‘Outsourcing’ means use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) by an NBFC to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future. 'Continuing basis' shall include agreements for a limited period.
‘Group’ shall be as defined in the Reserve Bank of India (Commercial Banks - Concentration Risk Management) Directions, 2025, as amended from time to time, for the purpose of intragroup transactions and exposures.
‘Material Outsourcing’ means arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability or customer service. ‘Materiality’ of outsourcing shall be based on the:
(i) level of importance to the NBFC of the activity being outsourced as well as the significance of the risk posed by the same;
(ii) potential impact of the outsourcing on the NBFC on various parameters such as earnings, solvency, liquidity, funding, capital, and risk profile;
(iii) likely impact on the NBFC’s reputation and brand value, and ability to achieve its business objectives, strategy, and plans, should the service provider fail to perform the service;
(iv) cost of the outsourcing as a proportion of total operating costs of the NBFC;
(v) aggregate exposure to that particular service provider, in cases where the NBFC outsources various functions to the same service provider; and
(vi) significance of activities outsourced in the context of customer service and protection.
Role of the Board
With respect to outsourcing of financial services, the board shall be responsible for:
(i) approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements and the policies that apply to such arrangements;
(ii) laying down appropriate approval authorities for outsourcing depending on risks and materiality;
(iii) setting up suitable administrative framework of Senior Management (defined in this Policy);
(iv) undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness;
(v) deciding on business activities of a material nature to be outsourced, and approving such arrangements;
(vi) approving a policy for outsourcing financial services to a group entity; and
(vii) reviewing records of all material outsourcing on half yearly basis, in which case the delegation should be to Risk Management Committee only.
Role of the Audit Committee of the Board (ACB)
The ACB shall:
(i) monitor the system of internal audit of all outsourced activities; and
(ii) review the ageing analysis of entries pending reconciliation with outsourced vendors and make efforts to reduce the old outstanding items therein at the earliest.
Senior management shall consist of the Chief Executive Officer and any director on the board of the Company.
The Senior Management shall, inter alia, be responsible for:
(i) evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board or a Committee of the Board;
(ii) developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope, and complexity of the outsourcing;
(iii) reviewing periodically the effectiveness of policies and procedures;
(iv) communicating information pertaining to material outsourcing risks to the Board in a timely manner;
(v) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
(vi) ensuring that there is independent review and audit for compliance with set policies; and
(vii) undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks as they arise.
Activities that can be outsourced
Financial services that can be outsourced by the Company shall include financial services like applications processing (loan origination, credit card), document processing, marketing and research, supervision of loans, data processing and back office related activities.
An indicative list of activities that may be considered for outsourcing shall be as under:
Lead sourcing activity
Recovery and repossession
Document collection and quality check
Storage of documents
Accounting and data recording
The above list is indicative only and not exhaustive. Additional activities within the definition of outsourcing can also be outsourced by the Company.
Activities that shall not be outsourced
The Company shall not outsource core management functions including Internal Audit, strategic and compliance functions, and decision-making functions such as determining compliance with KYC norms for giving sanction for loans (including retail loans) and management of investment portfolio.
Note: While internal audit function itself is a management process, the internal auditors can be on contract.
The Company shall not require prior approval from RBI for outsourcing financial services. However, such arrangements would be subject to on-site / off-site monitoring and inspection / scrutiny by RBI.
The outsourcing of any activity by the Company shall not diminish its obligations including to its customers and RBI, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. The Company shall, therefore, be responsible for the actions of its service provider including Direct Sales Agents (DSAs) / Direct Marketing Agents (DMAs) and recovery agents and the confidentiality of information pertaining to the customers that is available with the service provider. The Company shall retain ultimate control of the outsourced activity.
Regulatory Authorisation and Oversight
The Company shall ensure that:
(i) all relevant laws, regulations, rules, guidelines and conditions of approval, licensing or registration have been considered when performing due diligence in relation to outsourcing;
(ii) outsourcing, whether the service provider is located in India or outside, does not impede RBI in carrying out its supervisory functions and objectives, or diminish the ability of the Company to fulfil its obligations to the regulator / supervisor;
(iii) outsourcing, whether the service provider is located in India or outside, does not impede or interfere with the ability of the Company to effectively oversee and manage its activities, and fulfil its obligations;
(iv) outsourcing would not result in the compromise or weakening of the Company’s internal control, business conduct, or reputation;
(v) the service provider employs the same high standard of care in performing the services as would be employed by the Company, if the activities were conducted within the Company and not outsourced; and
(vi) the service provider, if not a group company of the Company, shall not be owned or controlled by any director of the Company, or their relatives having the same meaning as assigned under Companies Act, 2013 and the Rules framed thereunder, as amended from time to time.
Reporting of Suspicious Activity of Service Providers
The Company shall be responsible for making Currency Transactions Reports (CTRs) and Suspicious Transactions Reports (STRs) to the Financial Intelligence Unit-India (FIU-IND) or any other competent authority in respect of its customer related activities carried out by the service providers.
Evaluation of Risks
The Company shall evaluate and guard against the following key risks when entering into an outsourcing arrangement:
(i) Strategic Risk – such as where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.
(ii) Reputation Risk – such as where the service provider delivers poor service, or its customer interactions are inconsistent with the overall standards of the Company.
(iii) Compliance Risk – such as where, owing to outsourcing, the privacy, consumer, and prudential laws are not adequately complied with.
(iv) Operational Risk – which may arise due to technology failure, fraud, error, or inadequate financial capacity of the service provider to fulfil obligations or to provide remedies.
(v) Legal Risk – where the Company is subjected to, inter alia, fines, penalties, or punitive damages resulting from supervisory actions, or private settlements due to omissions and commissions by the service provider.
(vi) Exit Strategy Risk – may arise when the Company becomes over reliant on one service provider, loses relevant internal skills preventing it from bringing the activity back in-house, or enters into contracts that make speedy exits prohibitively expensive.
(vii) Counterparty Risk – such as where the service provider engages in inappropriate underwriting or credit assessments.
(viii) Country Risk – where the political, social, or legal climate creates added risk in the outsourcing arrangement.
(ix) Contractual Risk – where the Company may not have the ability to enforce the contract with the service provider.
(x) Concentration and Systemic Risk – where there is a lack of control of the Company over a service provider, more so when overall industry has considerable exposure to one service provider.
The Company shall abide by the following risk evaluation measures:
Comprehensive due diligence on the nature, scope and complexity of the outsourcing activity to identify the key risks and risk mitigation strategies.
Analysis of the impact of such arrangement on the overall risk profile of the Company, and whether adequate internal expertise and resources exist to mitigate the risks identified.
Analysis of risk-return on the potential benefits of outsourcing and the vulnerabilities that may arise.
All outsourced information systems and operations shall be subject to risk management and security and privacy policies that meet the Company’s own standards and those mentioned in the RBI issued guidelines.
In order to ensure effective risk management of outsourced activities, the Company will also ensure the following:
Shortlist the service providers through predefined evaluation parameters.
Undertake periodic oversight on the operations of the service providers.
Business continuity planning in case of termination / discontinuation of outsourced services with any of the service providers.
Confidentiality and Security of Information
The Company shall seek to ensure the confidentiality, security, preservation, and protection of the customer information in the custody or possession of the service provider.
Access to customer information by a service provider or its staff shall be on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.
The Company shall review and monitor the security practices and control processes of its service providers on a regular basis and require the service provider to disclose security breaches.
In instances where a service provider acts as an outsourcing agent for multiple entities, the Company shall take care to build strong safeguards so that there is no commingling or combining of information, documents, records, and assets.
The Company shall ensure that a service provider is able to isolate and clearly identify the Company’s customer information, documents, records and assets to protect the confidentiality of the information.
The Company shall immediately notify RBI in the event of breach of security and leakage of confidential customer-related information. In these eventualities, the Company shall be liable to its customers for any damage.
The Company shall perform appropriate due diligence while considering or renewing an outsourcing arrangement, to assess the capability of the service provider to comply with obligations in the outsourcing agreement on an ongoing basis. The due diligence shall involve an evaluation of all available information, as applicable, about the service provider, including but not limited to:
(i) qualitative, quantitative, financial, operational, legal, and reputational factors;
(ii) risks arising from undue concentration, if outsourcing to a single service provider, or a limited number of service providers;
(iii) past experience, and demonstrated competence to implement and support the proposed activity over the contracted period;
(iv) financial soundness and ability to service commitments even under adverse conditions;
(v) business reputation and culture, compliance, complaints and outstanding or potential litigation;
(vi) quality of due diligence exercised by the service provider of its employees and sub-contractors;
(vii) security and internal control, audit coverage, reporting, and monitoring procedures, and business continuity management; and
(viii) external factors like political, economic, social, and legal environment of the jurisdiction in which the service provider operates and other events that may impact data security and service performance.
Where possible, the Company shall obtain independent reviews and market feedback on the service provider to supplement the findings of its own due diligence.
The Company shall also evaluate whether the systems of its service provider are compatible with those of the Company, and the acceptability of their standards of performance including in the area of customer service.
The Company shall ensure that the terms and conditions governing the outsourcing arrangement are carefully defined in written agreements and vetted by the Company’s legal counsel on their legal effect and enforceability. The agreement shall appropriately reckon the associated risks and the strategies for mitigating or managing them. The Company shall ensure that such an agreement is sufficiently flexible to allow it to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e., whether agent-principal or otherwise.
Some of the key provisions of the outsourcing agreement shall include:
(i) details of the activity being outsourced, including appropriate service and performance standards;
(ii) the Company’s access to all books, records, and information relevant to the outsourced activity available with the service provider;
(iii) regular and continuous monitoring and assessment by the Company of the service provider for continuous management of the risks holistically, so that any necessary corrective measure can be taken immediately;
(iv) prior approval or consent by the Company for the use of subcontractors by the service provider for all or part of an outsourced activity;
(v) controls for maintaining confidentiality of data including of its customers, and incorporating service provider’s liability in the event of security breach and leakage of such confidential information;
(vi) contingency plans to ensure business continuity;
(vii) the Company’s right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the Company;
(viii) right of RBI or persons authorised by it to access the Company’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time;
(ix) right of RBI to cause an inspection to be made of the service provider of the Company and its books and account by one or more of its officers, employees or other authorised persons;
(x) a termination clause and minimum period for executing termination, if deemed necessary;
(xi) provision that confidentiality of customers’ information shall be maintained even after the contract expires or gets terminated; and
(xii) provisions to ensure that the service provider preserves documents and data in accordance with legal and regulatory obligations of the Company and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.
Monitoring and Control of Outsourced Activities
The Company shall implement a management structure to monitor and control outsourced activities and shall ensure that outsourcing agreements with its service provider contain provisions to address the same.
The Company shall maintain a central record of all material outsourcing of financial services for review by its Board and Senior Management. The records shall be updated promptly, and half yearly reviews shall be placed before the Board or Risk Management Committee.
Regular audits, by either the internal auditors or external auditors of the Company shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the Company’s compliance with its risk management framework, and the requirements of these Directions.
The Company shall, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which shall be based on all available information about the service provider, shall highlight any deterioration or breach in performance standards, confidentiality, and security, and in operational resilience or business continuity preparedness.
Certain services, viz., outsourcing of cash management, might involve reconciliation of transaction between the Company, and the service provider (or its subcontractors). In such cases, the Company shall ensure that reconciliation of transactions between itself and the service provider (or its subcontractors) is carried out in a timely manner.
Business Continuity and Management of Disaster Recovery Plan
The Company shall require the service provider to develop and establish a robust framework for documenting, maintaining, and testing business continuity and recovery procedures. The Company shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider.
In establishing a viable contingency plan, the Company shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time, and resources that would be involved.
The Company shall ensure that its service providers are able to isolate the Company’s information, documents, and records, and other assets so that in adverse conditions or termination of the agreement, all documents, records of transactions and information given to the service provider, and assets of the Company, can be removed from the possession of the service provider (in order to continue its business operations); or deleted, destroyed or rendered unusable.
In order to mitigate the risk of unexpected termination of the outsourcing agreement or insolvency or liquidation of its service provider, the Company shall retain an appropriate level of control over its outsourcing arrangement along with the right to intervene with appropriate measures to continue its business operations without incurring prohibitive expenses and disruption in the operations of the NBFC and its services to the customers.
Termination of an Outsourcing Arrangement
In the event of termination of an outsourcing agreement for any reason, the Company shall publicise the same by displaying such details at a prominent place in the branch, posting it on the website, and informing the customers so as to ensure that the customers do not continue to deal with the service provider.
Outsourcing within a Group / Conglomerate
In a group structure, the Company may have back-office and service arrangements or agreements with group entities such as sharing of premises, legal and other professional services, hardware and software applications and centralized back-office functions; outsourcing certain financial services to other group entities. Before entering into such arrangements with group entities, the Company shall have Service Level Agreements (SLAs) with its group entities, which shall also cover demarcation of sharing resources, e.g., premises, and personnel.
In such arrangements, the Company shall inform the customers specifically about the company which is actually offering the product / service, wherever there are multiple group entities involved, or any cross selling observed.
While entering into such arrangements, the Company shall ensure that these:
(i) are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer's data;
(ii) do not lead to any confusion to the customers on whose products / services they are availing by clear physical demarcation of the space where the activities of the Company and those of its group entities are undertaken;
(iii) do not compromise the ability of the Company to identify and manage risk on a stand-alone basis;
(iv) do not prevent RBI from being able to obtain information required for the supervision of the Company or pertaining to the group as a whole; and
(v) incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by RBI in relation to the activities of the Company.
The Company shall ensure that its ability to carry out its operations in a sound fashion would not be affected, if premises or other services (such as IT systems and support staff) provided by the group entities become unavailable.
If the premises of the Company are shared with the group entities for the purpose of cross-selling, the Company shall take measures to ensure that the entity's identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in the Company’s premises shall mention nature of arrangement of the entity with the Company so that the customers are clear on the seller of the product.
The Company shall not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that it is in any way responsible for the obligations of its group entities.
The risk management practices to be adopted by the Company while outsourcing to a related party (i.e., party within the group / conglomerate) shall be identical to those for a non-related party.
Offshore outsourcing
Outsourcing arrangements shall only be entered into with parties operating in jurisdictions that uphold confidentiality agreements and clauses.
While engaging with service provider(s) in a foreign country, the Company shall:
(i) closely monitor government policies of the jurisdiction in which the service provider is based and political, social, economic, and legal conditions, both during the risk assessment and on a continuous basis, and establish sound procedures for dealing with country risk. This includes having appropriate contingency and exit strategies;
(ii) clearly specify the governing law of the outsourcing arrangement;
(iii) ensure that the availability of records to the Company and RBI will not be affected even in the case of liquidation of the service provider or offshore custodian;
(iv) ensure activities outsourced outside India are conducted in a manner so as not to hinder efforts to supervise or reconstruct the activities of the Company in a timely manner;
(v) ensure that, where the offshore service provider is a regulated entity, the relevant offshore regulator will neither obstruct the arrangement nor object to the RBI’s inspections, or visits of the Company’s internal or external auditors;
(vi) ensure that the regulatory authority of the offshore location does not have access to the data relating to Indian operations of the Company simply on the ground that the processing is being undertaken there;
(vii) ensure that the jurisdiction of the courts in the offshore location where data is maintained does not extend to the operations of the Company in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and
(viii) ensure that all original records continue to be maintained in India.
Redressal of Grievances related to Outsourced Services
Outsourcing arrangements entered into by the Company shall not affect the rights of its customers against the Company, including the ability of the customers to obtain redressal as applicable under relevant laws.
In cases where customers are required to deal with a service provider in the process of dealing with the Company, the Company shall incorporate a clause in the corresponding product literature and brochures, stating that services of the service provider, including in sales, and marketing of the products, may be used. The role of the service provider may be indicated in broad terms.
The Company shall have a robust grievance redressal mechanism that shall not be compromised in any manner on account of outsourcing, i.e., responsibility for redressal of customers’ grievances related to outsourced services shall rest with the Company. In case of microfinance loans, a declaration that, (i) the Company shall be accountable for inappropriate behaviour of the employees of the service provider and (ii) shall provide timely grievance redressal, shall be made in the loan agreement, and Fair Practices Code (FPC) displayed in its office, branch premises and its website.
In addition to the above,
(1) the Company shall constitute a Grievance Redressal Policy;
(2) the Company shall display the name and contact details (Telephone / Mobile Nos. as also email address) of the Grievance Redressal Officer prominently at its branches / places where business is transacted. The designated officer shall ensure that genuine grievances of customers are redressed promptly without involving delay. It shall be clearly indicated that the Company’s Grievance Redressal Machinery will also deal with the issue relating to services provided by the outsourced agency;
(3) the Company shall give a time limit of 30 days to the customers for preferring their complaints or grievances. The grievance redressal procedure of the Company and the time frame fixed for responding to the complaints shall be placed on the Company’s website; and
(4) if a complaint is rejected wholly or partly by the Company and the complainant is not satisfied with the reply or does not get any reply within 30 days after the Company received the complaint, the complainant may approach the Consumer Education and Protection Cell (CEPC) of respective Regional Office of RBI.
Review of the Policy
The Board of Directors shall review this Policy annually or on a need-basis i.e., in the event of change in regulatory framework or for business or operational need (whichever is earlier). Such updates / changes to the Policy will be communicated to the relevant staff / personnel (both in-house and outsourced) and relevant stakeholders across the Company.
Notwithstanding anything contained in this Policy, in case of any contradiction of the provision of this Policy with any existing laws, rules, regulations, guidelines, or modification thereof or enactment of a new applicable law, the provisions under such laws, rules, regulations, guidelines, or enactment shall prevail over this Policy.