OUTSOURCING POLICY
This Outsourcing Policy of Ramchandra Leasing and Finance Limited, a regulated Non-Banking Financial Company – Investment and Credit Company (NBFC-ICC), Non-Deposit Taking, Non-Systemically Important (NDNSI), has been duly approved by the Board of Directors.
1. PREAMBLE
Ramchandra Leasing and Finance Limited (“the Company”), being an NBFC-ICC ND-NSI regulated under the Master Direction – NBFC – Scale Based Regulation (SBR), 2023, recognises that responsible, compliant and well-governed outsourcing of financial and non-financial activities is critical for maintaining operational integrity, ensuring customer protection, and upholding regulatory expectations.
The Company acknowledges that the act of outsourcing does not diminish its obligations to customers or dilute the standards of conduct demanded by the Reserve Bank of India (“RBI”). The Company remains entirely responsible, at all times, for outsourced operations and for the conduct, competence and integrity of all service providers acting on its behalf.
This Policy establishes the principles, governance systems, internal controls, oversight mechanisms, and risk-management framework governing every outsourcing arrangement undertaken by the Company. It reflects the Company’s adherence to the RBI Master Direction on Outsourcing of Financial Services, the RBI Digital Lending Guidelines (2022 onwards), the Consumer Protection Framework for Regulated Entities, and all related circulars, notifications, and supervisory expectations.
2. PURPOSE AND SCOPE OF THE POLICY
The primary objective of this Outsourcing Policy is to ensure that any outsourced activity is conducted in a manner that fully preserves the Company’s regulatory compliance, operational standards, customer rights, data confidentiality obligations, and the supervisory authority of the RBI.
This Policy governs all outsourcing relationships, including but not limited to Loan Service Providers (LSPs), Digital Lending Applications (DLAs), technology vendors, tele-calling partners, collection agencies, data processing entities, KYC partners, field verification agencies, and any other service provider engaged in activities that may affect customers, compliance, risk, operations, or governance.
The Policy applies uniformly to all functions outsourced by the Company, irrespective of whether the outsourcing is domestic or digital, internal or external, front-end or back-end, customer-facing or support-oriented.
TELEFAX. 0265 - 3268100
CIN. L65910GJ1993PLC018912
Email. rlandfl@gmail.com
Web. www.ramchandrafinance.in
Regd. Office. 201, Rudra Plaza Complex, Dandia Bazar Main Road, Dandia Bazar, Vadodara - 390 001
Branch. Ashok Stores, Khot Chawi, L.T. Road, Opp. Goyal Shopping Centre. Borivali (W), Mumbai - 400092.
3. FUNDAMENTAL PRINCIPLE: NO DILUTION OF REGULATORY RESPONSIBILITY
The Company recognises that outsourcing is an operational arrangement and not a transfer of responsibility. All regulatory, supervisory and fiduciary obligations remain solely with Ramchandra Leasing and Finance Limited, irrespective of the extent, nature, or manner of outsourced activity.
Every outsourced service shall be subject to direction, oversight, audit and control by the Company, and the Company shall always retain the right to intervene, inspect, modify or terminate the arrangement in the interest of regulatory compliance or customer protection.
At all times, the Company shall ensure that outsourcing does not:
- impair its ability to meet obligations to customers;
- compromise its financial soundness;
- hinder the RBI’s ability to supervise its operations; or
- expose the Company to unmanaged operational, legal, reputational, strategic or cybersecurity risks.
4. ACTIVITIES ELIGIBLE AND INELIGIBLE FOR OUTSOURCING
The Company may outsource operational, administrative, technological or customer-facing functions, provided such outsourcing does not contravene any statutory or regulatory restriction.
Core decision-making functions involving credit sanction, risk acceptance, pricing decisions, regulatory reporting, or strategic management shall always remain with the Company and shall never be outsourced, directly or indirectly.
Any activity which may create a conflict of interest, compromise internal controls, distort risk oversight, or impede the Company’s ability to comply with law shall not be outsourced.
5. GOVERNANCE AND APPROVAL MECHANISM
All outsourcing proposals shall be evaluated through a structured review process assessing their impact on operational resilience, data security, regulatory compliance and risk exposure. The Board of Directors shall approve the Policy and shall receive periodic reports on significant outsourcing arrangements.
The senior management of the Company shall be responsible for ensuring that outsourcing contracts are aligned with regulatory expectations, that due diligence is conducted prior to engagement of service providers, and that adequate oversight is maintained throughout the duration of the arrangement.
The Risk Management Committee, constituted under Regulation 21 of SEBI (LODR) Regulations, 2015, shall periodically review outsourced arrangements as part of the Company’s enterprise risk framework.
The Risk Management Committee and Compliance Department shall continuously supervise outsourced functions to ensure conformity with RBI’s prudential and conduct norms.
Any arrangement involving Default Loss Guarantee (DLG/FLDG), if undertaken, shall strictly comply with RBI’s DLG Guidelines, including the 5% cap, fixed DLG set, and mandatory Board approval.
6. DUE DILIGENCE AND SELECTION OF SERVICE PROVIDERS
Before entering into any outsourcing agreement, the Company shall undertake detailed due diligence of the service provider’s competence, experience, financial soundness, governance practices, data handling protocols, cybersecurity framework, compliance history, human resource standards, and operational resilience.
The due diligence shall include verification of legal standing, reputation, regulatory track record, and the service provider’s ability to meet business continuity expectations under adverse conditions. In cases involving LSPs, DLAs, tele-calling agencies or recovery partners, additional due diligence relating to behavioural conduct, customer interaction protocols, and adherence to RBI’s Digital Lending Guidelines shall be undertaken.
Service providers lacking appropriate risk controls, data protection standards, or ethical safeguards shall not be engaged.
7. CONTRACTUAL SAFEGUARDS AND LEGAL DOCUMENTATION
Every outsourcing arrangement shall be governed by a written, legally enforceable agreement clearly defining responsibilities, service standards, data protection obligations, confidentiality requirements, audit rights, termination rights, contingency provisions, indemnities, and compliance obligations.
Contracts shall firmly establish that the service provider acts under the direction and control of the Company, and that no element of the arrangement creates a principal–agent shift of regulatory obligations. All agreements shall explicitly restrict the service provider from sub-contracting critical activities without the prior written consent of the Company.
The Company shall retain an unrestricted right to audit the operations, systems, personnel and records of the service provider at any time.
8. OVERSIGHT, MONITORING AND PERFORMANCE REVIEW
Outsourced activities shall be continuously supervised to ensure performance in accordance with regulatory and contractual standards. The Company shall maintain oversight through MIS reporting, compliance reviews, surprise checks, call audits, data security validations, and risk-based monitoring.
For LSPs and DLAs, the Company shall ensure adherence to RBI’s Digital Lending norms, including limitations on data collection, prohibition on direct customer charges, and restrictions on access to customer devices or contact lists.
The Company shall periodically evaluate the performance, conduct and compliance status of each service provider and shall take corrective action, including termination, if deviations are observed.
9. CUSTOMER PROTECTION AND CONDUCT REQUIREMENTS
Where an outsourced service is customer-facing, the Company shall ensure that the service provider maintains the same high standards of fairness, courtesy, transparency and professionalism as are expected of the Company’s own employees.
The Company shall ensure that outsourcing does not compromise grievance mechanisms, turnaround times, quality of communication, data confidentiality, or behavioural norms expected under the regulatory framework.
LSPs, recovery agents, tele-calling agencies and digital platforms acting on behalf of the Company shall be expressly bound to follow the Company’s Fair Practices Code, Collection Policy, Digital Guidelines Policy and Privacy Policy. Under no circumstances shall any LSP, DLA or outsourced entity charge any fee, commission or amount to the customer. All charges to the customer shall only be levied directly by the Company.
Issuance of the Key Fact Statement (KFS), loan documents, and sanction letters shall remain the exclusive responsibility of the Company and shall not be delegated to any LSP or service provider.
10. PROHIBITION ON UNAUTHORISED DEBITS AND PAYMENT INITIATIONS
No service provider, including any LSP, DLA, payment partner, technology vendor or outsourced agency, shall initiate or facilitate any automatic debit, e-mandate, UPI collect request, NACH mandate, or any other form of electronic payment instruction on behalf of the Company without the borrower’s prior, explicit and verifiable consent, in full compliance with applicable RBI regulations.
All payment instructions must originate strictly through customer-authorised channels, and any deviation or attempt to initiate an unauthorised debit shall constitute a material breach of the outsourcing arrangement and may result in immediate termination, disciplinary action, and regulatory reporting where required.
11. CONFIDENTIALITY AND DATA SECURITY
All service providers handling sensitive information shall be bound by stringent confidentiality commitments aligned with the Information Technology Act, SPDI Rules, and the RBI Digital Lending data governance framework.
Customer data shall not be misused, stored in unapproved locations, shared with unauthorised entities, or accessed for any purpose other than the execution of the outsourced task. The Company shall adopt continuous monitoring to ensure data integrity, cybersecurity readiness, and protection from breaches.
DLAs and LSPs shall not access customer mobile resources such as contact lists, media files, call logs or telecommunication details, except as permitted expressly by RBI for KYC with one-time explicit consent.
In the event of any data compromise, incident or breach, the service provider shall immediately notify the Company, and the Company shall take necessary remedial, reporting and containment actions.
12. BUSINESS CONTINUITY AND DISASTER RECOVERY
The Company shall ensure that each service provider maintains an appropriate Business Continuity Plan (BCP) and Disaster Recovery (DR) capability. Outsourcing arrangements shall be structured to preserve continuity of critical services even in situations of operational disruption.
The Company shall maintain alternative arrangements or fallback options for critical outsourced activities to ensure that operations are not impaired and that customers do not suffer prejudice.
13. RBI ACCESS, SUPERVISORY RIGHTS AND REGULATORY REPORTING
All outsourced activities shall remain fully accessible to the RBI for inspection, audit, supervision or enquiry. Service providers shall be contractually obligated to cooperate fully with the RBI and to make available all records, systems, and documents required by the regulator.
The Company shall disclose outsourcing arrangements in any regulatory return, compliance submission or supervisory process when mandated.
14. GRIEVANCES AND CUSTOMER SUPPORT
Customers shall not experience any dilution of rights or delays in grievance handling as a consequence of outsourcing. All customer grievances arising from outsourced functions shall be treated as grievances of the Company itself and processed in accordance with the Company’s Grievance Redressal Mechanism. The Company shall ensure that outsourcing never becomes a barrier between the customer and the Company’s obligation to redress complaints, provide transparency, or maintain service quality.
15. AUDIT, CONTROL AND INTERNAL REVIEW
Internal Audit shall independently assess the risk, strength and adequacy of outsourced arrangements and shall report deviations or vulnerabilities to senior management and the Board.
The Company shall maintain complete documentation and audit trails for each outsourced activity, including due diligence records, agreements, compliance reports and monitoring outcomes.
16. POLICY REVIEW AND AMENDMENTS
This Policy shall be reviewed at least annually, or earlier if required by regulatory updates, supervisory observations, operational developments or changes in risk profile. Amendments shall take effect only upon approval by the Board of Directors.
The most recent version of this Policy shall be made available at the Company’s Corporate Office at Noida and provided to relevant stakeholders and regulators upon request.