Professional Documents
Culture Documents
CFMARC - Outsourcing Policy - March 2023
CFMARC - Outsourcing Policy - March 2023
CFMARC - Outsourcing Policy - March 2023
OUTSOURCING POLICY
Page 1 of 11
1. Introduction
1.1. CFM Asset Reconstruction Private Limited (CFM ARC), a company limited by
shares having its registered office at Block no. A/1003, West Gate, Near YMCA Club,
Sur No. 835/1+3, S. G. Highway, Makarba, Ahmedabad-380051, Gujarat and
corporate office at 1st Floor, Wakefield House, Sprott Road, Ballard Estate, Mumbai-
400 038 has been incorporated under Companies Act, 2013 on July 30, 2015.
1.2. The company has been issued a Certificate of Registration (CoR) bearing
No.019/2016 dated August 3, 2016, by Reserve Bank of India (RBI) to commence the
business of securitization or asset reconstruction under section 3 of The Securitization
and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002
(hereinafter referred to as the SARFAESI Act).
2. Background
RBI vide para 5 of its circular DOR.ARC (ARC). CC.No.9/26.03.001/2020-21 dated
July 16, 2020, has advised that the Asset Reconstruction Companies (ARC) intending
to outsource any of their activity shall:
(i) put in place a comprehensive outsourcing policy, approved by the Board, which
incorporates, inter alia, criteria for selection of such activities as well as services to be
outsourced to such services providers and delegate authority to them depending on
risks and materiality by establishing systems to monitor and review the operations of
these outsourced activities/service providers.
(ii) ensure that outsourcing arrangements neither dilute its responsibility, diminish its
ability to fulfil its obligations towards customers and the Regulators, nor impede
effective supervision by RBI.
(iii) disclose the outsourced agency, if any, owned/controlled by a director of the ARC,
as specified in the Master Circular on Disclosure Norms.
4. Outsourced Activities
4.1. Outsourcing is defined as the ARC’s use of a third party, either an affiliated entity
within a corporate group or an entity that is external to the corporate group, to perform
activities on a continuing basis or for a limited period as per the agreements, that would
normally be undertaken by the ARC itself, now or in the future.
4.2. The company is in the business of acquisition and resolution of financial assets
on pan-India basis. The activities that may be outsourced to service providers are
given below:
(i) conducting due diligence-site visits, verification of underlying financial assets, etc.
(ii) valuation of financial assets,
(iii) maintenance and preservation of underlying assets,
Page 3 of 11
(iv) recovery of dues with the help of resolution service/recovery agents,
(v) other such activities, as considered necessary.
6. Material Outsourcing
The material outsourcing arrangements are the services which, if disrupted, have the
potential to significantly impact the business operations, reputation, profitability, or
customer service. The materiality of outsourcing is based on the followings:
(i) the level of importance to the company of the activity being outsourced as well as
the significance of the risk posed by the same
(ii) the likely impact on the company’s reputation and brand value, and ability to
achieve its business objectives, strategy, and plans, should the service provider fail to
perform the service
(iii) the cost of the outsourcing as a proportion of total operating costs of the company
(iv) the aggregate exposure to that service provider, in cases where the company
outsources various functions to the same service provider and
Page 4 of 11
(ii) While entering such arrangements with the group companies, the company shall
ensure that these activities:
(a) are appropriately documented in written agreements with details like scope of
services, charges for the services and maintaining confidentiality of the customer's
data
(b) do not lead to any confusion to the customers on whose products/services they are
availing by clear physical demarcation of the space, where the activities of the
company and those of its other group entities are undertaken
(c) do not compromise the ability to identify and manage risk of the company on a
stand-alone basis
(d) do not prevent RBI from being able to obtain information required for the
supervision of the company or pertaining to the group, and
(e) incorporate a clause under the written agreements that there is a clear obligation
for any service provider to comply with directions given by RBI in relation to the
activities of the company.
(iii) The company shall ensure that their ability to carry out their operations in a sound
fashion would not be affected, if premises or other services viz., IT systems, support
staff, etc. provided by the group entities become unavailable.
(iv) The company shall not publish any advertisement or enter into any agreement
stating or suggesting or giving tacit impression that they are in any way responsible
for the obligations of its group entities.
(v) The risk management practices expected to be adopted by the company, while
outsourcing to a related party i.e., party within the group, shall be identical to the entity
that is external to the corporate group.
Page 5 of 11
(iii) The dealing officers shall take approval from the concerned authorities, as per the
Authority Matrix
Page 7 of 11
(iii) the contract shall provide for continuous monitoring and assessment by the
company of the service provider so that any necessary corrective measure can be
taken immediately
(iv) a termination clause and minimum period to execute a termination provision, if
deemed necessary, shall be included.
(v) controls to ensure customer data confidentiality and service providers' liability in
case of breach of security and leakage of confidential customer related information
shall be incorporated
(vi) there must be contingency plans to ensure business continuity
(vii) the contract shall provide for the prior approval/ consent by the company of the
use of sub-contractors by the service provider for all or part of an outsourced activity
(viii) it shall provide the company with the right to conduct audits on the service
provider whether by its internal or external auditors, or by agents appointed to act on
its behalf and to obtain copies of any audit or review reports and findings made on the
service provider in conjunction with the services performed for the company
(ix) outsourcing agreements shall include clauses to allow RBI or persons authorised
by it to access the company's documents, records of transactions, and other
necessary information given to, stored or processed by the service provider within a
reasonable time
(x) outsourcing agreement shall also include a clause to recognise the right of the
Reserve Bank to cause an inspection to be made of a service provider of the company
and its books and account by one or more of its officers or employees or other persons
(xi) the outsourcing agreement shall also provide that confidentiality of customer's
information shall be maintained even after the contract expires or gets terminated, and
(xii) the company shall have necessary provisions to ensure that the service provider
preserves documents as required by law and take suitable steps to ensure that its
interests are protected in this regard even post termination of the services.
Page 8 of 11
9.4.2. Access to customer information by staff of the service provider shall be on 'need
to know' basis i.e., limited to those areas where the information is required to perform
the outsourced function.
9.4.3. The company shall ensure that the service provider is able to isolate and clearly
identify the company's customer information, documents, records, and assets to
protect the confidentiality of the information. In instances, where service provider acts
as an outsourcing agent for multiple companies, care shall be taken to build strong
safeguards so that there is no comingling of information/documents, records and
assets.
9.4.4. The company shall immediately notify RBI in the event of any breach of security
and leakage of confidential customer related information. In these eventualities, the
company would be liable to its customers for any damages.
Page 9 of 11
provider contain provisions to address their monitoring and control of outsourced
activities.
9.6.2. A central record of all material outsourcing that is readily accessible for review
by the Board and senior management of the company shall be maintained. The
records shall be updated promptly, and half yearly reviews shall be placed before the
Risk Management Committee.
9.6.3. The internal auditors or external auditors of the company shall assess the
adequacy of the risk management practices adopted in overseeing and managing the
outsourcing arrangement, the company’s compliance with its risk management
framework and the requirements of these directions.
9.6.4. A robust system of internal audit of all outsourced activities shall also be put in
place and monitored by the ACB of the company.
Page 10 of 11
11. Annexure on Amendments, Renewal of Policies, etc.
Sr.No. Framing/Amendment/Renewal Date Approved by
1. Framing of the policy December 29,2020 Board of Directors
2. Extended by 3 months December 28, 2021 MD & CEO
3. Amended & renewed March 26, 2022 Board of Directors
4. Amended & renewed March 30, 2023 Board of Directors
Page 11 of 11