1.The Company has the responsibility for the outsourcing and related overall responsibility for activities undertaken under that.

Only those activities which will, if outsourced, would not impair the supervisory authority’s right to assess, or its ability to supervise the business of the Company shall be outsourced.

The Company mandates a regular review of outsourced activities. It will also have overall responsibility for ensuring that all ongoing outsourcing decisions taken by the Company and the activities undertaken by the third-party, are in keeping with its outsourcing policy.

2.The Company establishes a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the third party.

The Company makes an assessment of outsourcing risk which depends on several factors, including the scope and materiality of the outsourced activity, etc. The factors that could help in considering materiality in a risk management programme include

a. The impact of failure of a third party to adequately perform the activity on the financial, reputational and operational performance of the Company and on the investors / clients;

b. Ability of the Company to cope up with the work, in case of non-performance or failure by a third party by having suitable back-up arrangements;

c. Regulatory status of the third party, including its fitness and probity status;

d. Situations involving conflict of interest between the Company and the third party and the measures put in place by the Company to address such potential conflicts, etc.

While there are no prohibitions on a group entity / associate of the Company to act as the third party, systems is put in place to have an arm’s length distance between the Companyand the third party in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests.

Necessary disclosures in this regard will be made as part of the contractual agreement. Risk management practices expected to be adopted by the Company while outsourcing to a related party or an associate would be identical to those followed while outsourcing to an unrelated party.

The records relating to all activities outsourced are preserved centrally so that the same is readily accessible for review by theCompany and / or its senior management, as and when needed. Such records are regularly updated and may also form part of the corporate governance review by the management of the Company.

The Company reviews the financial and operational capabilities of the third party in order to assess its ability to continue to meet its outsourcing obligations.

3.The Company ensures that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by the regulators.

The Company is fully liable and accountable for the activities that are being outsourced to the same extent as if the service were provided in-house.

Outsourcing arrangements does not affect the rights of an investor or client against the Company in any manner. The Company would be liable to the investors for the loss incurred by them due to the failure of the third party and also be responsible for redressal of the grievances received from investors arising out of activities rendered by the third party.

Outsourcing arrangements does not impair the ability of SEBI/SRO or auditors to exercise its regulatory responsibilities such as supervision/inspection of the intermediary.

4.The Company conducts appropriate due diligence in selecting the third party and in monitoring of its performance.

The Company exercises due care, skill, and diligence in the selection of the third party to ensure that the third party has the ability and capacity to undertake the provision of the service effectively.

The due diligence undertaken by the Company includes assessment of:

a) Third party’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;

b) Compatibility of the practices and systems of the third party with the intermediary’s requirements and objectives;

c) Market feedback of the prospective third party’s business reputation and track record of their services rendered in the past;

d) Level of concentration of the outsourced arrangements with a single third party;

5.Outsourcing relationships governed by written contracts / agreements /terms and conditions (as deemed appropriate) {hereinafter referred to as “contract”} that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of the parties to the contract, client confidentiality issues, termination procedures, etc.

Outsourcing arrangements governed by a clearly defined and legally binding written contract between the Company and each of the third parties

Outsourcing contract:

a) Clearly defines what activities are going to be outsourced, including appropriate service and performance levels;

b) Provides for mutual rights, obligations and responsibilities of the Company and the third party, including indemnity by the parties;

c) Provides for the liability of the third party to the Company for unsatisfactory performance/other breach of the contract

d) Provides for the continuous monitoring and assessment by the Company of the third party so that any necessary corrective measures can be taken up immediately.

e) Includes, where necessary, conditions of sub-contracting by the third-party, i.e. the contract shall enable The Company to maintain a similar control over the risks when a third party outsources to further third parties as in the original direct outsourcing;

f) Has unambiguous confidentiality clauses to ensure protection of proprietary and customer data during the tenure of the contract and also after the expiry of the contract;

g) Specifies the responsibilities of the third party with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.;

h) Provides for preservation of the documents and data by third party;

i) Provides for the mechanisms to resolve disputes arising from implementation of the outsourcing contract;

j) Provides for termination of the contract, termination rights, transfer of information and exit strategies;

k) Addresses additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when intermediary outsources its activities to foreign third party.

l) Neither prevents nor impedes the Company from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers;and

m) Provides for the Company and /or the regulator or the persons authorized by it to have the ability to inspect, access all books, records and information relevant to the outsourced activity with the third party.

6.The Company and its third parties establishes and maintains contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

Specific contingency plans are separately developed for each outsourcing arrangement, as is done in individual business lines.

The Company takes appropriate steps to assess and address the potential consequence of a business disruption or other problems at the third party level.

The Company ensures that third party maintains appropriate IT security and robust disaster recovery capabilities.

7.The Company takes appropriate steps to require that third parties protect confidential information of both the Company and its customers from intentional or inadvertent disclosure to unauthorised persons.

The Company takes appropriate steps to protect its proprietary and confidential customer information and ensure that it is not misused or misappropriated.

The Company prevails upon the third party to ensure that the employees of the third party have limited access to the data handled and only on a “need to know” basis and the third party have adequate checks and balances to ensure the same.

In cases where the third party is providing similar services to multiple entities, the Company ensures that adequate care is taken by the third party to build safeguards for data security and confidentiality.

8.Potential risks posed where the outsourced activities of multiple intermediaries are concentrated with a limited number of third parties

In instances, where the third party acts as an outsourcing agent for multiple stock brokers, it is the duty of the third party and the Company to ensure that strong safeguards are put in place so that there is no co-mingling of information /documents, records and assets.