Outsourcing Policy

Introduction

This Policy on Outsourcing Activities establishes a framework for assessing and executing all outsourcing activities by Brickwork Ratings Pvt. Ltd. (BWR). These ancillary activities fall outside the core business functions like credit rating, research and compliance. Therefore, they can be efficiently outsourced to third parties. BWR will guarantee that the outsourcing agreements do not compromise its ability to meet commitments to clients and regulators, nor hinder effective supervision by regulatory bodies.

This document establishes a policy framework that includes guidelines for the execution of all outsourcing activities by BWR. This policy aligns with the "Guidelines on Outsourcing of Activities by Intermediaries" outlined by the Securities and Exchange Board of India (SEBI) in the Master Circular for Credit Rating Agencies - SEBI/HO/DDHS/DDHS-POD2/P/CIR/2023/111 issued on July 03, 2023. This circular is available on the SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.

Applicability

This policy shall apply to all outsourcing arrangements (as defined under this policy), entered by BWR with any third-party service provider.

Definitions

For the purposes of this policy, the terms below shall have the following meanings:

1. Outsourcing: The use of one or more than one, third party – either, within or outside the BWR group (referring to BWR India Pvt Ltd and its subsidiaries and group companies) by BWR to perform the activities associated with the credit ratings services on a continuous basis.
2. Third Party: The entity to which an activity is outsourced by BWR.
3. Regulator: Securities and Exchange Board of India (SEBI).

Statement of Purpose

This Outsourcing Policy ensures that:

1. BWR shall render at all times high standards of service and exercise due diligence and ensure proper care in their operations.
2. BWR follows prudent and responsive practices on the management of risks arising out of outsourcing with a view to preventing negative systematic impact and protecting the interests of investors.
3. This policy document establishes the framework, procedures, and limitations that will oversee all outsourcing activities conducted by BWR. It aims to guide BWR in evaluating non-core outsourcing needs that can be outsourced to third parties effectively.

Activities that cannot be Outsourced

BWR shall not outsource any of its core business activities pertaining to Credit Rating, Monitoring i.e. assignment and surveillance of ratings; compliance functions, research and criteria development.

Activities that can be Outsourced

Activities that are not “core” and that may be outsourced include business development, tele-calling for follow-up of data or fees, follow-up for sourcing data or other activities like Legal, Finance, IT, Admin, HR, and any other activities that are not involved in delivering services to BWR clients.

Third Parties that are not Governed by this Policy

The below situations will not be considered as “outsourcing” and hence shall not be governed by this policy:

1. Services of a third party engaged on a one-time basis.
2. Hiring professionals as consultants to perform a part of an activity where such associates are fully supervised by BWR employees and are provided BWR email IDs and work on BWR computer systems.
3. Housekeeping, catering, cab/transport and other such services that are part of the facilities and administration department.

Risk Management Practices for Outsourced Services

1. Risk Assessment

   BWR shall assess the outsourcing risks which depend on several factors, including the scope and materiality of the outsourced activity, etc. The factors that could help in considering materiality in a risk management programme include:

   1. The impact of the failure of a third party to adequately perform the activity on the financial, reputational and operational performance of BWR and the investors/clients;
   2. The ability of BWR to cope with the work, in case of non-performance or failure by a third party by having suitable backup arrangements.
   3. The regulatory status of the third party, including its fitness and probity status.
   4. Situations involving conflict of interest between BWR, and the third party and the measures put in place by BWR to address such potential conflicts. BWR has established comprehensive policies for managing conflicts. For details, please refer to BWR’s Policy on Managing Conflicts.

2. Due Diligence of Service Provider

   BWR shall be fully liable and accountable for all outsourced activities and ensure that the rights of an investor or client are not impacted in any way. BWR shall conduct appropriate due diligence in selecting and monitoring the third party, ensuring that outsourcing arrangements neither diminish BWR’s ability to fulfil its obligations to customers and regulators nor impede the supervision by the regulators.

   This due diligence should evaluate:

   1. The resources and capabilities of the third party, including financial stability, to complete the outsourced work within specified timelines.
   2. Alignment of the third party's practices and systems with BWR's requirements and objectives.
   3. Market feedback regarding the prospective third party's business reputation and past track record of service delivery.
   4. The degree of reliance on a single third party for outsourced arrangements.

3. Third-Party Outsourcing Guidelines for BWR Group

   While the BWR group and its subsidiaries are permitted to engage third parties for outsourcing activities, it is imperative to maintain a clear separation to avoid potential conflicts of interest. Any transactions between BWR and its group entities will adhere to an arm’s length approach in terms of infrastructure, staffing, decision-making processes, and record-keeping practices. BWR will ensure full compliance with legal disclosure requirements regarding contractual agreements with third parties.

   Furthermore, BWR will mandate that third-party partners establish and maintain comprehensive contingency plans for each outsourcing arrangement, including robust disaster recovery protocols in case of service disruptions. Regular testing of critical security procedures, system evaluations, and backup facility reviews will be conducted to verify the effectiveness of third-party systems.

4. Third-Party Outsourcing Guidelines for International Vendors

   When BWR outsources activities to an international vendor, it will conduct thorough due diligence as outlined above. Additionally, BWR will evaluate the regulatory and business environment in the foreign country where the vendor operates. The Outsourcing Agreement, as described in Section 8.5 will address country-specific risks and potential challenges in overseeing arrangements when outsourcing to foreign entities. The contract shall include clauses on the choice of law, agreement covenants, and jurisdictional matters for dispute resolution.

5. The Outsourcing Agreement

   BWR will engage in a formally documented and legally binding contract with any third party before initiating outsourcing activities. The outsourcing agreement must cover the following key aspects:

   1. Clear delineation of outsourced tasks along with defined service levels and performance benchmarks.
   2. Explicit delineation of the responsibilities and obligations of third parties, including, provisions for indemnity.
   3. Stipulation of third-party liability for inadequate performance or contract breaches.
   4. Implementation of ongoing monitoring and evaluation by BWR to promptly address any corrective actions required by the third party. BWR retains the right to intervene as necessary, to meet legal and regulatory mandates.
   5. Terms governing subcontracting by third parties whenever The contract shall ensure that BWR retains similar control over the risks when a third party outsources work to further third parties as in the original direct outsourcing.
   6. Inclusion of robust confidentiality clauses to safeguard proprietary and customer data throughout and post-contract.
   7. Specification of third-party responsibilities concerning IT security, contingency planning, insurance coverage, business continuity, disaster recovery, force majeure events, etc.
   8. Preservation of documents and data by third parties.
   9. Establishment of dispute resolution mechanisms arising from outsourcing contract implementation.
   10. Provisions for contract termination, transfer of information, and exit strategies.
   11. Ensuring the agreement does not hinder BWR's regulatory compliance or regulatory authorities' ability to exercise oversight.
   12. Providing access to BWR or authorized regulatory entities to inspect relevant records, books, and information related to outsourced activities.

6. Confidentiality and Security

   BWR shall take appropriate steps to ensure that third parties protect the confidential information of both BWR and its customers from intentional or inadvertent disclosure to unauthorised persons, and do not in any way misuse or misappropriate such confidential information. BWR shall prevail upon the third party to ensure that the employees of the third party have limited access to the data and only on a “need to know” basis, and the third party shall have adequate checks and balances to ensure the same. Wherever the third party acts as an outsourcing agent for multiple CRAs, BWR shall ensure that strong safeguards are put in place by the third party to avoid co-mingling of information, documents, records and assets.

7. Business Continuity and Management and Disaster Recovery Plan

   BWR and its third parties shall establish and maintain contingency plans at the third party or at BWR in the event of non-performance by the third party and ensure that the third party maintains appropriate IT security and robust disaster recovery capabilities.

8. Conflict of Interest

   BWR may use one of its group companies or subsidiaries as a third party. However, to avoid any potential conflict of interest, systems shall be put in place to have an arm’s length distance between BWR and the third party in terms of infrastructure, manpower, decision-making, record keeping, etc., as well as risk management practices that are identical to those followed while outsourcing to an unrelated party. The Board shall be kept informed of all relevant disclosures in this regard.

   The facilities/premises/data that are involved in carrying out the outsourced activity by the third party shall be deemed to be those of BWR. BWR and the Regulator or the persons authorized by it shall have the right to access the same at any time.

9. Record Keeping

   The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the BWR Board and/or its senior management, as and when needed. Such records shall be regularly updated and may also form part of the corporate governance review by the management of the BWR.

Reporting Requirements

BWR is obligated to promptly report any suspicious transactions or reports that it becomes aware of to the Financial Intelligence Unit (FIU) or other competent authorities. This applies specifically to activities conducted by third parties with whom BWR has outsourcing arrangements.

Monitoring and Review of Outsourced Activities

BWR is obligated to promptly report any suspicious transactions or reports that it becomes aware of to the Financial Intelligence Unit (FIU) or other competent authorities. This applies specifically to activities conducted by third parties with whom BWR has outsourcing arrangements.

1. A Committee consisting of the Compliance Officer and Finance Manager shall approve any outsourcing activity and selection of the third party. The Compliance Officer can provide any clarification about the policy.
2. Annual reviews by the company auditors of the outsourcing policies, risk management system, and requirements of the regulator, shall be done to assess the third parties’ ability to continue to meet their outsourcing obligations. This report shall be presented to the Board if any violations/discrepancies are observed/noticed.
3. The Compliance Officer/Finance Manager should present the note to the BWR Board for review if necessary, and the BWR Board shall ensure that the Policy align with the changing business It shall have the overall responsibility for ensuring that all outsourcing decisions made by BWR, and the activities conducted by the third parties comply with this Policy.