India Ratings & Research Private

Limited (IRR)

Policy on Outsourcing

Effective Date: 28 June 2021

Version: 2

Author: Compliance

Approved by the Board of Directors on June 28, 2021

Definitions
i. Outsourcing
In line with the Securities & Exchange Board of India (SEBI) circular bearing No.
CIR/MIRSD/24/2011 dated December 15, 2011 (“guidelines”), in this policy, “outsourcing”
means the use of one or more than one third party – either within or outside the Fitch
Group - by India Ratings & Research Private Limited (IndRa/ India Ratings/ Company) to
perform the activities associated with the credit rating services which IndRa offers.

Activities such as Cleaning Staff Services, Security Personnel Services and such other
services which are not related/ associated with credit rating services shall not be subject
to this policy

ii. Third Party(ies)

Third Party means the entity to which an activity is outsourced by IndRa including other
Fitch Group companies

1. Statement of Policy:

IndRa shall render at all times high standards of service and exercise due diligence and ensure
proper care in its operations. It is possible that outsourcing of certain activities may be resorted
to from time to time with a view to, amongst others, reduce costs, and for strategic reasons. There
could be a variety of risks associated with outsourcing. These may include operational risk,
reputational risk, legal risk, strategic risk, counter party risk, concentration risk and systemic risk.

India Ratings – Policy on Outsourcing – June 28, 2021 1

 In order to address the concerns arising from the outsourcing of activities by IndRa, the principles
mentioned in this policy have been formulated for governing its outsourcing activities. All
outsourcing activities of IndRa shall be carried out in compliance with this policy.

2. No outsourcing of Core Functions:

IndRa shall not outsource its core business activity pertaining to Credit Rating and the
Compliance function.

India Ratings provides rating services to entities in India. India Ratings has identified services
offered by the credit ratings department as “core” for the purpose of identifying activities as “core”
under the said SEBI Guidelines.

The following activities of rating divisions are “core” and shall not be outsourced. These are
predominantly in the domain of “analytical” activities.

1. assignment of ratings;

2. surveillance of assigned credit ratings’

3. development of criteria and methodologies.

Additionally, Compliance function shall not be outsourced in line with the said guidelines.

3. Activities that can be outsourced:

Activities which are not a core part of assigning credit ratings can be outsourced and these include
activities like business development, tele-calling for following up for data or fees and follow-up for
sourcing of data or other information.
Arrangements with entities only for the purpose of hiring associates to perform a part of an activity
where such associates are fully supervised by the company employees would not be treated as
prohibited outsourcing under this policy.

However, an activity shall not be outsourced if it would impair India Rating’s right to assess, or its
ability to carry out supervisory activities.

For the avoidance of doubt, activities which do not come under the definition of “outsourcing” as
defined in this policy, may be delegated to third parties.

In case of doubt as to whether a particular activity can be outsourced or not, clarification should
be obtained by way of e-mail from the relevant Group Head and from Compliance.

India Ratings – Policy on Outsourcing – June 28, 2021 2

4. Approval for Outsourcing activities:

The activities which are to be outsourced may be done only after written approval of the same is
obtained from Group Head and Compliance, as applicable. The Group Head and Compliance
shall only after reviewing the Contract/ agreement of outsourcing (in accordance with this policy)
approve and submit the same to the Board for approval.

The Board of Directors (Board) of India Ratings shall have overall responsibility for ensuring that
all ongoing outsourcing decisions taken by the IndRa and the activities undertaken by the third-
party, are in line with this Outsourcing Policy. Hence, all the outsourcing arrangement(s) shall be
first placed before the Board for its approval.

5. Selection of Third Party and Due Diligence:

IndRa shall conduct appropriate due diligence in selecting the third party and in monitoring of its
performance.

IndRa shall exercises due care, skill and diligence in the selection of the third party to ensure that
the third party has the ability and capacity to undertake the provision of the service effectively.

The due diligence undertaken by IndRa shall include assessment of:

a. third party’s resources and capabilities, including financial soundness, to perform the
outsourcing work within the timelines fixed;
b. compatibility of the practices and systems of the third party with the Indra’s requirements
and objectives;
c. market feedback of the prospective third party’s business reputation and track record of their
services rendered in the past;
d. level of concentration of the outsourced arrangements with a single third party; and
e. the environment of the foreign country where the third party is located.

IndRa shall review the financial and operational capabilities of the third party in order to assess its
ability to continue to meet its outsourcing obligations.

The list above is indicative and is not exhaustive. Additional details may be required on a case to
case basis.

India Ratings – Policy on Outsourcing – June 28, 2021 3

6. Entering into Written Contracts:

IndRa’s outsourcing relationships shall be governed by written contracts / agreements / terms and
conditions (as deemed appropriate) {hereinafter referred to as “contract”} that clearly describe all
material aspects of the outsourcing arrangement, including the rights, responsibilities and
expectations of the parties to the contract, client confidentiality issues, termination procedures,
etc.

Outsourcing arrangements shall be governed by a clearly defined and legally binding written
contract between IndRa and each of the third parties, the nature and detail of which shall be
appropriate to the materiality of the outsourced activity in relation to the ongoing business of IndRa.

The outsourcing contract shall:

a. clearly define what activities are going to be outsourced, including appropriate service and
performance levels;

b. provide for mutual rights, obligations and responsibilities of IndRa and the third party,
including indemnity by the parties;

c. provide for liability of the third party to IndRa for unsatisfactory performance/other breach of
the contract;

d. provide for continuous monitoring and assessment by IndRa of the third party so that any
necessary corrective measures can be taken up immediately, i.e., the contract shall enable
the IndRa to retain an appropriate level of control over the outsourcing and the right to
intervene with appropriate measures to meet legal and regulatory obligations;

e. include where necessary, conditions of sub-contracting by the third-party, i.e. the contract
shall enable IndRa to maintain a similar control over the risks when a third party outsources
to further third parties as in the original direct outsourcing;

f. have unambiguous confidentiality clauses to ensure protection of proprietary and customer

data during the tenure of the contract and also after the expiry of the contract;

g. specify the responsibilities of the third party with respect to the IT security and contingency
plans, insurance cover, business continuity and disaster recovery plans, force majeure
clause, etc.;

h. provide for preservation of the documents and data by the third party ;

India Ratings – Policy on Outsourcing – June 28, 2021 4

 i. provide for the mechanism to resolve disputes arising from implementation of the
outsourcing contract;

j. provide for termination of the contract, termination rights, transfer of information and exit
strategies;

k. address additional issues arising from country risks and potential obstacles in exercising
oversight and management of the arrangements when IndRa outsources its activities to any
foreign third party. For example, the contract shall include choice-of-law provisions and
agreement covenants and jurisdictional covenants that provide for adjudication of disputes
between the parties under the laws of a specific jurisdiction;
l. neither prevent nor impede IndRa from meeting its respective regulatory obligations, nor the
regulator from exercising its regulatory powers; and
m. provide for IndRa and /or the regulator or the persons authorized by it to have the ability to
inspect, access all books, records and information relevant to the outsourced activity with
the third party.

7. Outsourcing within the Group:

There shall not be any prohibition on a group entity / associate of IndRa to act as the third party,
systems subject to the condition that transactions have been undertaken at arm’s length distance
between IndRa and the third party in terms of infrastructure, manpower, decision-making, record
keeping, etc. for avoidance of potential conflict of interests. Necessary disclosures in this regard
shall be made as part of the contractual agreement. It shall be kept in mind that the risk
management practices expected to be adopted by IndRa while outsourcing to a related party or
an associate would be identical to those followed while outsourcing to an unrelated party.

8. Risk Management Programme:

IndRa shall assess its outsourcing risk, depending on factors like the scope and materiality of the
outsourced activity. The factors that could help in considering materiality in a risk management
programme include:

a. The impact of failure of a third party to adequately perform the activity on the financial,
reputational and operational performance of IndRa and on its clients / investors;

b. Ability of IndRa to cope up with the work, in case of non-performance or failure by a third
party by having suitable back-up arrangements;

India Ratings – Policy on Outsourcing – June 28, 2021 5

 c. Regulatory status of the third party, including its fitness and probity status;

d. Situations involving conflict of interest between the intermediary and the third party and the
measures put in place by the intermediary to address such potential conflicts, etc.

9. Contingency Plans:

a. IndRa shall establish and maintain a contingency plan for each outsourcing arrangement,
including a plan for disaster recovery and periodic testing of backup facilities.

b. IndRa shall take appropriate steps to assess and address the potential consequence of a
business disruption or other problems at the third-party level. Notably, it shall consider
contingency plans at the third party; co-ordination of contingency plans at both IndRa and
the third party; and contingency plans of IndRa in the event of non-performance by the third
party.

c. To ensure business continuity, robust information technology security is a necessity. A

breakdown in the IT capacity may impair the ability of the intermediary to fulfill its obligations
to other market participants/clients/regulators and could undermine the privacy interests of
its customers, harm the intermediary’s reputation, and may ultimately impact on its overall

operational risk profile. IndRa shall, therefore, seek to ensure that third party maintains
appropriate IT security and robust disaster recovery capabilities.

d. Periodic tests of the critical security procedures and systems and review of the backup
facilities shall be undertaken by IndRa to confirm the adequacy of the third party’s systems.

10. Confidentiality:

a. IndRa shall take appropriate steps to require that third parties protect confidential information
of both IndRa and its customers from intentional or inadvertent disclosure to unauthorised
persons.

b. IndRa shall take appropriate steps to protect its proprietary and confidential customer
information and ensure that it is not misused or misappropriated.

c. IndRa shall prevail upon the third party to ensure that the employees of the third party have
limited access to the data handled and only on a “need to know” basis and the third party shall
have adequate checks and balances to ensure the same.

India Ratings – Policy on Outsourcing – June 28, 2021 6

 d. In cases where the third party is providing similar services to multiple entities, the intermediary
shall ensure that adequate care is taken by the third party to build safeguards for data security
and confidentiality.

11. Concentration Risk:

a. There could be potential risks posed where the outsourced activities of multiple
intermediaries are concentrated with a limited number of third parties.

b. In instances, where the third party acts as an outsourcing agent for multiple intermediaries
like IndRa, it is the duty of the third party and IndRa to ensure that strong safeguards are put
in place so that there is no co-mingling of information /documents, records and assets.

12. Record Maintenance:

The records relating to all activities outsourced shall be preserved centrally at the Company’s
office by Compliance so that the same is readily accessible for review by the Board of IndRa
and / or its senior management, as and when needed. Such records shall be regularly updated
and may also form part of the corporate governance review by the management of IndRa.

13. Review of Contracts and Policy:

The Board of the Company may direct from to time, annual reviews by internal auditors of the
outsourcing policies, risk management system and requirements as prescribed by SEBI from
time to time.

The Board of the Company shall review this policy at least once in every two years and as and
when required / deemed fit and necessary.

14. Right of Inspection:

a. The facilities / premises / data that are involved in carrying out the outsourced activity by
the service provider shall be deemed to be those of IndRa. IndRa itself and Regulator or the
persons authorized by it shall have the right to access the same at any point of time.

b. IndRa shall have the ability to inspect, access all books, records and information relevant
to the outsourced activity with the third party.

India Ratings – Policy on Outsourcing – June 28, 2021 7

15. IndRa’s Obligation:

a. IndRa shall ensure that outsourcing arrangements neither diminish its ability to fulfill its
obligations to customers and regulators, nor impede effective supervision by the regulators.

b. IndRa shall be fully liable and accountable for the activities that are being outsourced to the
same extent as if the service were provided in-house.

c. IndRa shall ensure that outsourcing arrangements shall not affect the rights of an investor
or client against IndRa in any manner. IndRa shall be liable to the investors for the loss
incurred by them due to the failure of the third party and also be responsible for redressal of
the grievances received from investors arising out of activities rendered by the third party.

d. IndRa Shall ensure that outsourcing arrangements shall not impair the ability of any
regulatory authority or auditors to exercise its regulatory responsibilities such as
supervision/inspection of the intermediary

e. IndRa shall report of any suspicious transactions / reports to FIU or any other competent
authority in respect of activities carried out by the third parties

India Ratings – Policy on Outsourcing – June 28, 2021 8