CFM ASSET RECONSTRUCTION PRIVATE LIMITED

OUTSOURCING POLICY

Valid up to March 31, 2024

Date of approval: March 30, 2023

 Table of Contents
Sr. Particulars Page
No. No.
1 Introduction 2
2 Background 2
3 Regulatory and Supervisory Requirements 2
4 Outsourced Activities 3
5 Objectives of the Policy 4
6 Material Outsourcing 4
7 Criteria for Selection of Activities and Service Providers 4
8 Process of Appointment of Service Providers 5
9 Risk Management Practices 6-10
9.1 Evaluation of the Risks 6
9.2 Evaluating the Capability of the Service Provider 6
9.3 Outsourcing Agreement 7
9.4 Protection of the Confidentiality of Customer Information 8
9.5 Responsibilities of RSAs/RAs 9
9.6 Monitoring and Control of Outsourced Activities 9
9.7 Redressal of Grievances related to Outsourced Services 10
10 Review of the Policy 10
11 Annexure on Amendments, Renewal of Policies, etc. 10

Page 1 of 11
1. Introduction
1.1. CFM Asset Reconstruction Private Limited (CFM ARC), a company limited by
shares having its registered office at Block no. A/1003, West Gate, Near YMCA Club,
Sur No. 835/1+3, S. G. Highway, Makarba, Ahmedabad-380051, Gujarat and
corporate office at 1st Floor, Wakefield House, Sprott Road, Ballard Estate, Mumbai-
400 038 has been incorporated under Companies Act, 2013 on July 30, 2015.
1.2. The company has been issued a Certificate of Registration (CoR) bearing
No.019/2016 dated August 3, 2016, by Reserve Bank of India (RBI) to commence the
business of securitization or asset reconstruction under section 3 of The Securitization
and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002
(hereinafter referred to as the SARFAESI Act).

2. Background
RBI vide para 5 of its circular DOR.ARC (ARC). CC.No.9/26.03.001/2020-21 dated
July 16, 2020, has advised that the Asset Reconstruction Companies (ARC) intending
to outsource any of their activity shall:
(i) put in place a comprehensive outsourcing policy, approved by the Board, which
incorporates, inter alia, criteria for selection of such activities as well as services to be
outsourced to such services providers and delegate authority to them depending on
risks and materiality by establishing systems to monitor and review the operations of
these outsourced activities/service providers.
(ii) ensure that outsourcing arrangements neither dilute its responsibility, diminish its
ability to fulfil its obligations towards customers and the Regulators, nor impede
effective supervision by RBI.
(iii) disclose the outsourced agency, if any, owned/controlled by a director of the ARC,
as specified in the Master Circular on Disclosure Norms.

3. Regulatory and Supervisory Requirements

3.1. ARCs have been outsourcing various activities, and are, therefore, exposed to
various risks viz., Strategic Risk, Reputation Risk, Compliance Risk, Operational Risk,
Legal Risk, Exit Strategy Risk, Counterparty Risk, Country Risk, Contractual Risk,
Access Risk, Concentration and Systemic Risk.
3.2. The outsourcing of any activity by ARCs does not diminish its obligations, and
those of its Board and senior management, who have the ultimate responsibility for
Page 2 of 11
the outsourced activity. The ARCs would, therefore, be responsible for the actions of
their service provider including direct sales/marketing agents and recovery agents and
the confidentiality of information pertaining to the customers that are available with the
service providers. The ARCs shall retain ultimate control of the outsourced activities.
3.3. It is imperative for the ARCs, when performing its due diligence in relation to
outsourcing, to consider all relevant laws, regulations, guidelines and conditions of
approval, licensing, or registration.
3.4. The outsourcing arrangements shall not affect the rights of a customer against the
ARCs, including the ability of the customer to obtain redress as applicable under
relevant laws. In cases where the customers are required to deal with the service
providers in the process of dealing with the ARCs, it shall incorporate a clause in the
relative product literature/brochures, etc., stating that they may use the services of
agents in sales/ marketing etc. of the products. The role of agents may be indicated in
broad terms.
3.5. The service providers shall not impede or interfere with the ability of the ARC to
effectively oversee and manage its activities nor shall it impede RBI in carrying out its
supervisory functions and objectives.
3.6. The ARCs need to have a robust grievance redress mechanism, which in no way
shall be compromised on account of outsourcing.
3.7. The service providers, if not group company of the ARC, shall not be owned, or
controlled by any director of the ARC or their relative, these terms have the same
meaning as assigned under Companies Act, 2013.

4. Outsourced Activities
4.1. Outsourcing is defined as the ARC’s use of a third party, either an affiliated entity
within a corporate group or an entity that is external to the corporate group, to perform
activities on a continuing basis or for a limited period as per the agreements, that would
normally be undertaken by the ARC itself, now or in the future.
4.2. The company is in the business of acquisition and resolution of financial assets
on pan-India basis. The activities that may be outsourced to service providers are
given below:
(i) conducting due diligence-site visits, verification of underlying financial assets, etc.
(ii) valuation of financial assets,
(iii) maintenance and preservation of underlying assets,
Page 3 of 11
(iv) recovery of dues with the help of resolution service/recovery agents,
(v) other such activities, as considered necessary.

5. Objectives of the Policy

The objectives of this policy are as follows:
(i) To identify activities of the company, which needs to be outsourced to the service
providers
(ii) To delegate authority to the management of the company and service providers
depending on the materiality and risks associated with the outsourced activities
(iii) To monitor/review the operations of the outsourced activities and service providers.

6. Material Outsourcing
The material outsourcing arrangements are the services which, if disrupted, have the
potential to significantly impact the business operations, reputation, profitability, or
customer service. The materiality of outsourcing is based on the followings:
(i) the level of importance to the company of the activity being outsourced as well as
the significance of the risk posed by the same
(ii) the likely impact on the company’s reputation and brand value, and ability to
achieve its business objectives, strategy, and plans, should the service provider fail to
perform the service
(iii) the cost of the outsourcing as a proportion of total operating costs of the company
(iv) the aggregate exposure to that service provider, in cases where the company
outsources various functions to the same service provider and

7. Criteria for selection of activities as well as service providers

The company shall not outsource core management functions, including strategic and
compliance functions, and decision-making functions. However, these functions may
be outsourced within the group companies of the company, subject to the following
conditions:
(i) The company shall have a Board approved policy and service level
agreements/arrangements with the group entities, which shall cover demarcation of
sharing resources viz., back-office activities, premises, legal and other professional
services, hardware and software applications, certain financial services, etc.

Page 4 of 11
(ii) While entering such arrangements with the group companies, the company shall
ensure that these activities:
(a) are appropriately documented in written agreements with details like scope of
services, charges for the services and maintaining confidentiality of the customer's
data
(b) do not lead to any confusion to the customers on whose products/services they are
availing by clear physical demarcation of the space, where the activities of the
company and those of its other group entities are undertaken
(c) do not compromise the ability to identify and manage risk of the company on a
stand-alone basis
(d) do not prevent RBI from being able to obtain information required for the
supervision of the company or pertaining to the group, and
(e) incorporate a clause under the written agreements that there is a clear obligation
for any service provider to comply with directions given by RBI in relation to the
activities of the company.
(iii) The company shall ensure that their ability to carry out their operations in a sound
fashion would not be affected, if premises or other services viz., IT systems, support
staff, etc. provided by the group entities become unavailable.
(iv) The company shall not publish any advertisement or enter into any agreement
stating or suggesting or giving tacit impression that they are in any way responsible
for the obligations of its group entities.
(v) The risk management practices expected to be adopted by the company, while
outsourcing to a related party i.e., party within the group, shall be identical to the entity
that is external to the corporate group.

8. Process of Appointment of Service Providers

The process of appointment of service providers for the company is as follow:
(i) The dealing officers shall undertake the required due diligence for the service
provider, as mentioned in the policy and submit the note for approval to the concerned
President for recommendation to the CEO for approval.
(ii) The service providers are required to sign the code of conduct and the outsourcing
agreement, including the non-disclosure clause, as mentioned in the policy with the
company, prior to undertaking the assigned jobs.

Page 5 of 11
(iii) The dealing officers shall take approval from the concerned authorities, as per the
Authority Matrix

9. Risk Management practices

9.1. Evaluation of the Risks
The company shall evaluate and guard against the following risks in outsourcing:
(i) Strategic Risk: The risk of the service provider conducts business on its own behalf,
inconsistent with the overall strategic goals of the company.
(ii) Reputation Risk: The risk of the poor service provided by service provider and
customer interaction is not consistent with the overall standards expected of the
company.
(iii) Compliance Risk: The risk of the privacy, consumer and prudential laws are not
adequately complied with by the service provider.
(iv) Operational Risk: The risk arising out of technology failure, fraud, error, inadequate
financial capacity to fulfil obligations and/ or to provide remedies.
(v) Legal Risk: The risk of the company is subjected to fines, penalties, or punitive
damages resulting from supervisory actions, as well as private settlements due to
omissions and commissions of the service provider.
(vi) Exit Strategy Risk: The risk of the company is over-reliant on one firm, the loss of
relevant skills in the company itself preventing it from bringing the activity back in-
house and company has entered contracts that make speedy exits prohibitively
expensive.
(vii) Counterparty Risk: The risk of the inappropriate underwriting or credit
assessments.
(viii) Contractual Risk: The risk of the company may not have the ability to enforce the
contract.
(ix) Concentration and Systemic Risk: The risk of the overall industry has considerable
exposure to one service provider and hence the company may lack control over the
service provider.
(x) Country Risk: The risk due to the uncertainties in political, social, or legal climate.

9.2. Evaluating the Capability of the Service Provider

9.2.1. Prior to enter or renewing an outsourcing arrangement, appropriate due
diligence shall be performed to assess the capability of the service provider to comply
Page 6 of 11
with obligations in the outsourcing agreement. Due diligence shall take into
consideration qualitative and quantitative, financial, operational, and reputational
factors.
9.2.2. The company shall consider whether the service providers' systems are
compatible with their own and whether their standards of performance, including in
customer service are acceptable to it.
9.2.3. The company shall also consider, while evaluating the capability of the service
provider, issues relating to undue concentration of outsourcing arrangements with a
single service provider. Where possible, the company shall obtain independent
reviews and market feedback on the service provider to supplement its own findings.
9.2.4. The due diligence shall involve an evaluation of all available information about
the service provider, including the followings:
(i) experience and competence to implement and support the proposed activity over
the contracted period
(ii) financial soundness and ability to service commitments even under adverse
conditions
(iii) business reputation and culture, compliance, complaints and outstanding or
potential litigation

9.3. The Outsourcing Agreement

The terms and conditions governing the contract between the company and the
service provider shall be carefully defined in written agreements and vetted by
company's legal counsel on their legal effect and enforceability. Every such agreement
shall address the risks and risk mitigation strategies. The agreement shall be
sufficiently flexible to allow the company to retain an appropriate level of control over
the outsourcing and the right to intervene with appropriate measures to meet legal and
regulatory obligations. The agreement shall also bring out the nature of legal
relationship between the parties i.e. whether agent, principal or otherwise. Some of
the key provisions of the contract shall be the following:
(i) the contract shall clearly define what activities are going to be outsourced including
appropriate service and performance standards
(ii) the company must ensure it has the ability to access all books, records and
information relevant to the outsourced activity available with the service provider

Page 7 of 11
(iii) the contract shall provide for continuous monitoring and assessment by the
company of the service provider so that any necessary corrective measure can be
taken immediately
(iv) a termination clause and minimum period to execute a termination provision, if
deemed necessary, shall be included.
(v) controls to ensure customer data confidentiality and service providers' liability in
case of breach of security and leakage of confidential customer related information
shall be incorporated
(vi) there must be contingency plans to ensure business continuity
(vii) the contract shall provide for the prior approval/ consent by the company of the
use of sub-contractors by the service provider for all or part of an outsourced activity
(viii) it shall provide the company with the right to conduct audits on the service
provider whether by its internal or external auditors, or by agents appointed to act on
its behalf and to obtain copies of any audit or review reports and findings made on the
service provider in conjunction with the services performed for the company
(ix) outsourcing agreements shall include clauses to allow RBI or persons authorised
by it to access the company's documents, records of transactions, and other
necessary information given to, stored or processed by the service provider within a
reasonable time
(x) outsourcing agreement shall also include a clause to recognise the right of the
Reserve Bank to cause an inspection to be made of a service provider of the company
and its books and account by one or more of its officers or employees or other persons
(xi) the outsourcing agreement shall also provide that confidentiality of customer's
information shall be maintained even after the contract expires or gets terminated, and
(xii) the company shall have necessary provisions to ensure that the service provider
preserves documents as required by law and take suitable steps to ensure that its
interests are protected in this regard even post termination of the services.

9.4. Protection of the security and confidentiality of customer information

9.4.1. Public confidence and customer trust in the company is a prerequisite for the
stability and reputation of the company. Hence, the company shall seek to ensure the
preservation and protection of the security and confidentiality of customer information
in the custody or possession of the service provider.

Page 8 of 11
9.4.2. Access to customer information by staff of the service provider shall be on 'need
to know' basis i.e., limited to those areas where the information is required to perform
the outsourced function.
9.4.3. The company shall ensure that the service provider is able to isolate and clearly
identify the company's customer information, documents, records, and assets to
protect the confidentiality of the information. In instances, where service provider acts
as an outsourcing agent for multiple companies, care shall be taken to build strong
safeguards so that there is no comingling of information/documents, records and
assets.
9.4.4. The company shall immediately notify RBI in the event of any breach of security
and leakage of confidential customer related information. In these eventualities, the
company would be liable to its customers for any damages.

9.5. Responsibilities of Resolution Service Agents (RSAs) and Recovery Agents

(RAs)
9.5.1. The company shall ensure that the RSAs and RAs are properly trained to handle
their responsibilities with care and sensitivity, particularly aspects such as soliciting
customers, hours of calling, privacy of customer information and conveying the correct
terms and conditions of the products on offer, etc.
9.5.2 The company shall put in place a board approved Code of conduct for the RSAs
and RAs and obtain their undertaking to abide by the code. In addition, the RSAs and
RAs shall adhere to extant instructions on Fair Practices Code for the company and
also their own code for collection of dues and repossession of security. The RSAs and
RAs shall refrain from action that could damage the integrity and reputation of the
company and that they observe strict customer confidentiality.
9.5.3. The company and their agents shall not resort to intimidation or harassment of
any kind, either verbal or physical, against any person in their debt collection efforts,
including acts intended to humiliate publicly or intrude the privacy of the debtors' family
members, referees, and friends, making threatening and anonymous calls or making
false and misleading representations.

9.6. Monitoring and Control of Outsourced Activities

9.6.1. The company shall have in place a management structure to monitor and control
its outsourcing activities. It shall ensure that outsourcing agreements with the service

Page 9 of 11
provider contain provisions to address their monitoring and control of outsourced
activities.
9.6.2. A central record of all material outsourcing that is readily accessible for review
by the Board and senior management of the company shall be maintained. The
records shall be updated promptly, and half yearly reviews shall be placed before the
Risk Management Committee.
9.6.3. The internal auditors or external auditors of the company shall assess the
adequacy of the risk management practices adopted in overseeing and managing the
outsourcing arrangement, the company’s compliance with its risk management
framework and the requirements of these directions.
9.6.4. A robust system of internal audit of all outsourced activities shall also be put in
place and monitored by the ACB of the company.

9.7. Redressal of Grievances related to Outsourced Services

The company shall constitute Grievance Redressal Machinery as contained in RBI
circular on Grievance Redressal Mechanism vide DNBS. CC. PD. No. 320/03. 10.
01/2012-13 dated February 18, 2013. At the operational level, the company shall
display the name and contact details (telephone/mobile nos. as also email address) of
the grievance redressal officer prominently at their branches/ places where business
is transacted. The designated officer shall ensure that genuine grievances of
customers are redressed promptly without involving delay. It shall be clearly indicated
that the company’s grievance redressal machinery will also deal with the issue relating
to services provided by the outsourced agency.

10. Review of the Policy

10.1. The Board shall review the policy at least once every year. However, the policy
may be reviewed by the Board from time to time, keeping in view the changes in
Regulations.
10.2. The validity of this policy may be extended with the approval of CEO for a period
not exceeding 3 months or till the policy is reviewed by the Board, whichever is earlier.
However, endeavour must be made to ensure timely review / renewal of the Policy.

Page 10 of 11
11. Annexure on Amendments, Renewal of Policies, etc.
Sr.No. Framing/Amendment/Renewal Date Approved by
1. Framing of the policy December 29,2020 Board of Directors
2. Extended by 3 months December 28, 2021 MD & CEO
3. Amended & renewed March 26, 2022 Board of Directors
4. Amended & renewed March 30, 2023 Board of Directors

Page 11 of 11