Avanti Finance Customer Service Policy

1. Introduction

1. Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has framed the Customer Service Policy (hereafter referred to as “Customer Service Policy” or “the Policy”) in accordance with the regulatory requirements specified by the Reserve Bank of India (RBI).
2. In pursuit of our mission to make financial services accessible and affordable in a timely manner to the un/underserved households, we constantly endeavour to deliver quality services to our users.
3. As a financial inclusion platform, providing quality customer service and ensuring customer satisfaction are of prime importance to Avanti. This policy document aims at minimizing instances of customer complaint and grievances through proper service delivery, a robust review mechanism and prompt redressal of any customer complaint grievances that still may arise.

2. Objectives of the Policy

The objective of the Customer Service Policy is to ensure all customers are treated fairly and without bias; issues raised by customers are attended and dealt with utmost care and resolved within a reasonable time; customers are made aware of their rights and alternative remedies if they are not satisfied with the response or resolution to their complaint.

3. Categories of Customer’s Communications

1. Query - General inquiries, primarily relating to loans, interest rates, repayment terms, eligibility norms, categories of loans, eligibility criteria, terms of financing / refinancing etc.‍
2. Request – Requests for obtaining any valid services including financing or refinancing support by the customers directly.‍
3. Grievance – A communication by prospective / existing customers that expresses dissatisfaction because of lack of action, inadequate quality of services.‍
4. Complaint – Related to staff misbehaviour, cheating / fraud, false commitments, misconduct with the customers.‍
5. Suggestion / Feedback – suggestions / feedback with respect to its operations, policies or practices.

4. Mechanism for Grievance

The customer grievance redressal policy shall adhere to the following principles

• 1. Customers shall be treated fairly at all times
  2. Complaints raised by customers shall be dealt with courtesy and on time.
  3. Customers shall be fully informed of avenues to escalate their complaints/ grievances to the organization and their rights to alternative remedy, if they are not fully satisfied with the response of Avanti to their complaints.
  4. Customer can lodge his / her grievance through any of the following channels:
• I. Walk-in at Branch
  1. Each Partner Branch has a complaints register. Any customer is free to walk into the branch and register a complaint in the complaint register.
  2. The Partner will immediately scan the details of the complaints and share it with Avanti along with their inputs on the complaint. Avanti employees or the officer of Field monitoring partner team visiting the Partner branch must check the Complaints register for any open complaint.
  3. In case of any pending complaints or any discrepancy noted in the registering or closing the complaint(s) the visiting Avanti officer or officer of partner monitoring team should escalate the same to the Partnership team at Avanti Head office.
• II. Remotely
  1. Customers can submit their Complaints through post to the below address by giving full disclosures and details of the complaint and giving specific instances of the cause of complaint.
•          ⇒ Address: Avanti Finance Private Limited, #456, Ground, 1st and 2nd floor, 4th block, BDA              layout , Koramangala , Bengaluru 560034, Karnataka, India
• • 1. Customers can also submit their grievances through email at customerservice@avantifinance.in by giving full disclosures and details of the complaint and giving specific instances of the cause of complaint.
    2. Customers can also lodge their complaints and grievance by calling the customer Service contact of Avanti on the toll-free number 1800 309 5021. The timings of Customer Service Contact shall be made available in the branch display and SMS sent by Avanti to its customers.

5. Recording and tracking of Complaints

All the complaints received is recorded and tracked for end-to-end resolution in a spreadsheet format. Complaint MIS is published and shared to the management on quarterly basis for review and feedback.

6. Resolution of Complaints

1. Any complaint through e-mail / letters / walk-in or any other mode shall be acknowledged promptly after receipt, at the Head Office or Partner Branch Offices as and when received.
2. The Complaints shall be registered in the Customer Grievance Register (CGR) maintained electronically and / or physically, and shall include full details of the complainant (name, address and contact details), date of receipt, fact of the complaint, category of complaint etc

1. The company has appointed Mr. Saurabh Kumar (Nodal.officer@avantifinance.in) as its authorized Grievance Redressal Officer (‘GRO’). The GRO will take steps to redress the grievances with care and diligence, normally within the period of 21 working days from the date of receipt of the complaints.

1. If the complainant is not satisfied with the reply / action / resolution given by Grievance Redressal Officer (GRO) , the complainant can approach other escalation

        levels such as -

        ⇒ RBI: Reserve Bank of India: If the complaints/ disputes are not redressed within a period of             one month, the customer may appeal to the Officer in Charge of Regional Office of DNBS             of RBI. Complete contact details are as below:

            The Reserve Bank of India (RBI), Department of Non-Banking Supervision St. Martha's             Hospital, 10/3/8, Nrupathunga Rd, Opp St, Nunegundlapalli, Ambedkar Veedhi, Bengaluru,             Karnataka 560001

1. The company will acknowledge the receipt of the complaint and will generate a complaint reference number and will ensure that a resolution is provided within prescribed turnaround time (TAT) of 10 working days or more depending on the category of complaint, not exceeding a period of 30 days across all levels, the details of time frame is mentioned below. In the unlikely event of a customer not receiving a response within one month from the date of lodgement of the initial complaint, he/she may approach the NBFC Ombudsman.
2. The details of the NBFC Ombudsman are available as below and also in the company’s website

1. The final communication sent to the customer regarding redressal of the complaint shall mention about the option to the customer to approach the concerned RBI Ombudsman in case he/she is not satisfied with the redressal of the complaint.

7. Tracking and Reporting

1. All complaints will be registered in a central complaints management system of the company. Complaints will be assigned a unique reference number which will be communicated to the complainant along with an appropriate turnaround time.
2. In case the resolution needs additional time, an interim response shall be sent to the complainant.

1. All complaints shall be monitored at appropriate levels and marked as closed only after resolution of the customer grievance and due communication to customer.

1. Reports on complaints received and status will be presented to the Board on a quarterly basis.

8. Sensitizing Avanti and Partner employees on handling complaints

1. The company shall impart training on an ongoing basis to all employees on handling complaints/ redressal of grievances/ customer counselling.

1. The Principal Nodal Officer of the company shall ensure that internal mechanism for handling complaints/ grievances operates smoothly and efficiently at all levels.

9. Recovery Process

1. The staff shall be trained in proper etiquette for recovery process as elaborated in the Fair Practice Code adopted by the company.

10. Policy Review and Updates

The implementation of this policy shall be monitored and reviewed periodically by the Board of the Company.

This Policy was:

(i) Drafted on behalf of the Company by: Ms. Sharmila Kunguma, Chief Audit Officer

(ii) Internally reviewed by: Mr. Rahul Gupta, CEO

(iii) Approved by the Board of the Company on: Adopted on September 12, 2018, revised on September 30, 2022.

This revised Policy comes into effect from date of approval of the Board.

11. Time Frame

1. The Complaints received will be analyzed from all possible angles. All efforts will bemade to resolve each complaint received generally within the stipulated time as per the following escalation matrix:
2. Customer Service Contact (CSC) or Partner engagement manager will address the complaint within 10 working days of receipt of the complaint.
3. Grievance Redressal Officer (GRO) will address the complaint within 20 working days of receipt of the complaint.

There may be some complaints which require deeper analysis from all possible angles which may cause delayed resolution of the complaint. In such cases, the company will try to resolve the grievances at the earliest depending on the nature of the case. Such delay in addressing the complaint beyond the prescribed time limit shall be conveyed to the complainant along with reasons for the same.

12. Reporting to Board of Directors

Summary of the customer grievance reports along with actions initiated would be reported to the Board at least once in a year. The report shall contain information like, the total no. of complaints received, Status of complaints such as closed and open and reason for open complaints thereof, which will be placed before the Board for information / guidance.

13. Regulatory References

This policy is framed as per the following regulatory references and in accordance with leading industry practice: RBI circular on Master Direction - Non-Banking Financial Company –Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016.

1. Review of the policy: This policy shall be reviewed annually.

Display format at Branches

For any queries, feedback and grievances, clients may please feel free to contact the Customer Support Service at Toll Free Contact Number 1800 309 5021 between 9.30 to 6 pm on Monday to Friday except on holidays.

The customer feels that He/ She is not getting resolution from the company’s officials, she can also contact the MFI industry Association / SRO – MFIN and Sa-Dhan. If the complaints/disputes are not redressed within a period of one month, the borrower may appeal to the Officer in Charge of Regional Office of DNBS of RBI.

Interest Rate Policy

1.Introduction

Avanti Finance Private Limited(herein after referred to as ‘the Company’) has framed the Interest Rate Policy(hereafter referred to as “Interest Rate Policy” or “the Policy”) in accordance with the regulatory requirements specified by the Reserve Bank of India (RBI).

2. Objectives of the Policy

This document aims to establish a framework for determining interest rates, processing charges and other charges.(All charges and rates mentioned herein are exclusive of Goods and Service Tax(GST) or any other applicable tax and the company shall charge and collect such taxes wherever applicable over and above mentioned charges and rates).

3. Methodology for determining an Interest Rate

The guiding principles for determining interest rate are as follows:

The Board of the company shall adopt an interest rate model taking into account relevant factors such as cost of funds, margin and risk premium and determine the rate of interest to be charged for loans and advances. The rate of interest and the approach for gradations of risk and rationale for charging different rate of interest to different categories of borrowers shall be disclosed to the borrower or customer in the electronic application form and communicated explicitly through electronic means.

 The rate of interest to be charged for loans and advances will be based on the product offered

● Livelihood loans: Typically collateral free small ticket loans with end use mostly for agri, dairy or allied activities.

Interest Rate Range: 12% to 29% p.a.

● Individual Business Loans: collateral free, short term business loans to individuals. Exclusive focus on micro enterprises, new businesses operating out of authorised marketplaces or clusters of shops organised under a traders association. End use towards asset creation or meeting working capital requirements

Interest Rate Range: 12% to 36% p.a.

The rate of interest shall be arrived at after taking into account relevant factors, such as cost of funds, margin and risk premium, including the following.

●       Tenor of the Loan – The rate of interest charged will depend on the term of the loan;

●       Internal and External Costs of Funds – The rate of interest charged will also be determined depending on the rate at which funds necessary to provide loan facilities to customers are sourced by the Company, normally referred to as internal cost of funds. From an external cost of funds perspective, the benchmark interest rate that may be used by the Company could be the 10 year Government of India bond rate or any other generally acceptable benchmark rate as adjusted for the rating spreads available in the markets.

●       Internal Cost Loading – The interest rate charged will also take into account costs of doing business. Factors such as the complexity of the transaction, the size of the transaction and other factors that affect the costs associated with a particular transaction will also be taken into account before arriving at the final rate of interest quoted to a customer.

●       Credit Risk– As a matter of prudence, bad debt provision cost should also be factored into all transactions. This cost is then reflected in the final rate of interest quoted to a customer. The amount of bad debt provision applicable to a particular transaction will depend on the credit strength of the customer and the nature of the product being offered

●       Fixed rate versus Floating rate – The applicable rate of interest shall also be commensurate from the perspective of the fixed versus floating interest rate requirements of the customers.

●       Periodicity of Interest – Interest will be charged for the period as stipulated in the loan agreement, subject to any modifications thereto as may be agreed by and between the Company and the customer electronically.

The rate of interest is an annualised rate so that the borrower is aware of the exact rates that would be charged to the account.

Table below illustrates the ranges of the various components that drive the interest rate charged to the customer

Livelihood Loans

Individual Business Loans

‍

4.General Provisions

Changes in Terms – The Company shall give electronic notice to the borrower in English language with an option to choose a vernacular language as understood by the borrower of any change in the terms and conditions of the loan, including disbursement schedule, interest rates, service charges, prepayment charges etc. Further, any changes in the rate of interest shall be effected only prospectively and the electronic loan agreement shall contain the necessary provisions in this regard.

Grace Period - Interest will be payable by the customer / borrower on or before the due date stipulated therefor in the loan agreement entered into by the customer/ borrower with the Company. However, the Credit Committee of Executives shall have discretionary power to grant a considered grace period to any customer /borrower.

Moratorium- The Company may consider necessary moratorium for payment of interest and repayment of principal amount with proper built in pricing, on a case to case basis.

Additional Interest and other Charges - Besides the normal interest, the Company levies additional interest for delays in payment of dues by the customer / borrower or additional interest on other facilities etc. (annualised interest on the outstanding balance). The Company may charge other financial charges including processing fees, cheque bouncing charges, pre-payment / foreclosure charges, RTGS or such other remittance charges, commitment fees, charges for services like issuance of “no due certificate”, security swap charges etc. along with relevant taxes.

The Company shall not charge foreclosure charges/ pre-payment penalties on all floating rate term loans sanctioned to individual borrowers.

Communication of Interest Rate to the Customer – The Company shall convey electronically to the borrower in English language with an option to choose a vernacular language as understood by the borrower, by digital means, the amount of loan sanctioned along with the terms and conditions including annualized rate of interest and method of application thereof and shall keep an electronic record of the acceptance of these terms and conditions by the borrower. The loan agreement shall expressly stipulate the penal interest chargeable for late payment /repayment of dues by the borrower, in bold. The apportionment of the equated monthly instalments (“EMI”) amount towards the principal and interest will also be communicated by the Company to the customer / borrower by way of the repayment schedule.

Waiver of Additional Interest / Financial Charges – Requests by the customer for waiver of additional interest / financial charges would normally not be entertained by the Company and such waiver will be at sole and absolute discretion of the Credit Head or a person of equivalent position, exercised on a case to case basis or any other person that the Board deems fit.

Annualised Rates - The rate of interest shall be annualised rates so that the borrower is aware of the exact rates that would be charged to the account.

Pre-Payment- Pre-payment options available to the customer and the penalty / charges payable for exercise of such option shall be mutually agreed to on a case-to-case basis and communicated to the customer. There will be no pre-payment penalty / charges on Microfinance Loans.

Company Website- The rates of interest and the approach for gradation of risks shall be made available on the web-site of the company and literature issued by it. The information published in the website or otherwise published shall be updated whenever there is a change in the rates of interest.

Though the primary mode of all operations, processes or procedures set in this Policy are electronic or digital in nature the company may at its discretion decide to use physical/written means for all or any points covered in this Policy.

5. Regulatory Reference

This policy is framed as per the following regulatory references and in accordance with leading industry practice:

Master Direction - Non-Banking Financial Company –Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016

Master Direction – Reserve Bank of India (Regulatory Framework for Microfinance Loans)Directions, 2022

6. Policy Review and Updates

The implementation of this policy shall be monitored and reviewed periodically by the Board of the Company.

This Policy was:

(i)        drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO

(ii)       internally reviewed by: Mr. Rahul Gupta, CEO

(iii)     approved by the Board of the Company on: September 12, 2018, Revision 1 on: March 31, 2022,Revision 2 on September 30, 2022, Revision 3 on August 10, 2023.

This Policy comes into effect from date of Board Approval

‍

Annexure – I

Interest rate and other charges framework:

Whistle blower policy

1. Introduction

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) strongly believes in conducting all affairs of its constituents in a fair and transparent manner by adopting the highest standards of honesty, inclusiveness, professionalism, integrity and ethical behaviour. 

The whistle blower policy has been formulated as part of corporate governance norms and transparency where the employees, customers or stakeholders are encouraged to refer any complaints which have not been resolved or satisfactorily resolved within the usual applicable protocols. The employees may refer any complaints covering areas such as corruption, misuse of office, criminal offences, suspected / actual fraud, failure to comply with existing rules and regulations, conflicts of interest, related party transactions and acts resulting in financial loss/ operational risk, loss of reputation, etc.

This policy shall provide a channel to the employees (including directors) and other stakeholders to report to the management or the board about unethical behaviour, actual or suspected fraud or violation of the Code of Business ethics or legal or regulatory requirements, incorrect or misrepresentation of any financial statements and reports and such other matters.

2. Objectives of the Policy

The key objectives of the policy are as under:

1.  Promote a culture of speaking up/ raising red flags on matters relating to breaches/ violations of the Company’s Code of Business ethics or fraudulent transactions.

2.  Provide a platform and mechanism for the employees and relevant stakeholders to voice genuine concerns of grievances about unprofessional conduct without the fear of reprisal to the employee raising the concern.

3.  Provide a non-threatening environment to employees to discuss matters relating to the Code of Business ethics.

4.  Adhere to the highest standards of ethical, moral and legal conduct of business operations.

5.  Promote clean business transactions, professionalism, productivity, promptness and transparent practices and ensures putting in place systems and procedures to curb opportunities for corruption.

6.  Sustain, strengthen and encourage a culture of integrity & compliance

7.  Institutionalize a mechanism for protection of employees from reprisals or victimization, for whistle blowing in good faith as the Company strictly follows No Retaliation Policy.

8.  Provide an assurance to external stakeholders that there is internal cordiality and transparency.

9.  Treat the violations/ breaches/ non-compliance at various levels of the Company with vigour and due care and accordingly realign processes and take corrective actions as part of its corporate governance.

The Policy shall help the Company to create an environment where employees and relevant stakeholders feel free and secure to raise the alarm where they see a problem. It shall also ensure that whistleblowers are protected from retribution, whether within or outside the Company.

3. Applicability of the Policy

The Policy applies to all the Company’s employees. The policy shall also apply to any complaints made by other stakeholders of the Company such as outsourced agents, customers and members of public.

4. Governance Structure

Avanti Finance Private Limited has devised an effective whistle blower mechanism enabling stakeholders, including individual employees to freely communicate their concerns about illegal or unethical practices.

4.1 Nominated Director

A Director nominated by the Company’s Board of Directors (or the audit committee when legally required to be setup) will review the effectiveness of the vigil mechanism and implementation of the Whistle Blower Policy to provide adequate safeguards against victimization of employees and relevant stakeholders. The details of establishment of Vigil mechanism shall be disclosed by the Company on the website, if any, and in the Board’s Report to the stakeholders.

In case of repeated frivolous complaints being filed by a director or an employee, the Audit committee (when it is formed) or a director to be nominated by the Board  {(As required under Section 177 of the Companies Act, 2013 read along with Rule 7 of The Companies (Meetings of Board and its Powers) Rules, 2014} shall take suitable action against the concerned director or employee.

4.2 Whistle blowers Committee

The Whistle-blower committee shall comprise Mr. Rahul Gupta, Mr. Manish Thakkar and Mr. Sunil Kumar Tadepalli. The Committee shall look into the complaints report prepared by the nominated officer Mr. Saikrishnan Srinivasan and can suo moto institute further investigation / call for additional documentary evidence before submitting its findings on the matter. 

The findings of the whistleblower committee shall be suggested to the nominated Director for his / her decision (or the audit committee when required to be setup)

5. Scope

This Policy intends to cover serious complaints that could have grave impact on the operations and performance of the business of the Company. Receipt of information about corruption, malpractice or misconduct on the part of employees, from whatever source, would be termed as a complaint. Complaints may be received from any of the following sources:

1. Complaints received from employees of the organisation or from the public
2. Departmental inspection reports
3. Scrutiny of transactions reported under the Code of Business ethics
4. Reports of irregularities in accounts detected in the routine audit of accounts, e.g. tampering with records, over-payments, misappropriation of money or materials, etc.
5. Audit reports of the accounts of the Company
6. Complaints and allegations appearing in the press, etc.
7. Source information, if received verbally from an identifiable source, to be reduced in writing.
8. Intelligence gathered by agencies like CBI, local bodies etc.

Under the Policy, employees and relevant stakeholders of the Company having sufficient grounds for a concern can lodge complaints. 

The Policy intends to cover the following types of complaints:

1. Fraudulent activities or activities in which there is suspected fraud
2. Intentional or deliberate non-compliance with laws, regulations and policies
3. Questionable accounting practices including misappropriation of monies
4. Illegal activities
5. Corruption and deception
6. Misuse/ Abuse of authority
7. Violation of the Company’s rules, manipulations and negligence
8. Breach of contract
9. Pilferation of confidential/proprietary information
10. Deliberate violation of law/regulation
11. Wastage/misappropriation of Company’s funds/assets
12. Malpractices/ events) causing danger to public health and safety.

The following nature of complaints shall not be covered in the policy:

1. Complaints those are frivolous in nature.
2. Issues relating to personal grievance (increment, promotion, etc.)

6. Guiding Principles

To ensure that this Policy is adhered to, and to assure that the concerns raised under this Policy will be acted upon seriously, the Company will:

1. Ensure that the Whistle Blower and/or the person processing the Protected Disclosure is not victimized
2. Ensure complete confidentiality of the identity of the WhistleBlower
3. Not attempt to conceal evidence of the Protected Disclosure
4. Take disciplinary action, if any one destroys or conceals evidence of the Protected Disclosure made/to be made
5. Provide an opportunity of being heard to the persons involved, especially to the subject
6. Provide protection to Whistle Blower under this Policy provided that Protected Disclosure is made in good faith, the WhistleBlower has reasonable information or documents in support thereof and not for personal gain or animosity against the subject
7. Ensure that the Whistle Blowers, who make any Protected Disclosures, which have been subsequently found to be mala fide, frivolous or malicious be liable to Disciplinary Action.
8. Take Disciplinary Action for event covered under this Policy or upon victimizing Whistle Blower or any person processing the Protected Disclosure or if any one destroys or conceals evidence of the Protected Disclosure made/to be made.
9. Ensure that any other Director/ Employee or other stakeholders assisting in the said investigation or furnishing evidence, is protected to the same extent as the Whistleblower. 

7. Procedure 

7.1 Lodging of Complaints

The Protected Disclosure shall be submitted in a closed and secured envelope and shall be super scribed as “Protected disclosure under the Whistle Blower policy”. Alternatively, the same can also be sent through email or any other acceptable mode of communication with the subject “Protected disclosure under the Whistle Blower policy” to a functional email id of the company who’s access is only with the whistle-blower committee. If the complaint is not super scribed and closed as mentioned above, it will not be possible for the Board to protect the complainant and the protected disclosure will be dealt with as if a normal disclosure. 

In order to protect identity of the complainant, the nominated officer (or designated equivalent officer) will not issue any acknowledgement to the complainants and they are advised neither to write their name/address on the envelope nor enter into any further correspondence with the nominated officer. The nominated officer shall assure that in case any further clarification is required he will get in touch with the complainant.

The Company shall not entertain anonymous / pseudonymous disclosures except of such disclosures have merit shall be entertained.

The Protected Disclosure shall be forwarded under a covering letter signed by the complainant. The nominated officer shall detach the covering letter bearing the identity of the WhistleBlower and process only the Protected Disclosure.  

All Protected Disclosures shall be addressed to the nominated officer or Director of the Company or to the audit committee (when the committee is required to be legally setup).

The Protected Disclosures shall be addressed to the following address:

The Nominated officer OR the nominated Director 

‍Avanti Finance Private Limited,

Floor-3rd, 10, Elphinstone Building, 

Veer Nariman Road, Horniman Circle, Fort, Mumbai

Maharashtra 400001

E-mail: whistleblower@avantifinance.in

7.2 Receipt of Complaint

On receipt of the protected disclosure the nominated officer shall maintain and preserve records of the Protected Disclosure and also ascertain from the complainant whether he / she was the person who made the protected disclosure or not. The record will include:

1. Brief facts
2. whether the same Protected Disclosure was raised previously on the same subject and if so, the outcome thereof
3. Details of actions taken by the nominated officer (or equivalent department) or CEO for processing the complaint
4. Findings of the Audit Committee (or the whistle-blower committee duly approved by the board), the recommendations of the Committee/ other action(s).

An exclusive e-mail ID under the control of the whistle-blower committee has been set up to which any Wrongful Conduct can be reported by any WhistleBlower. The said email id is: - whistleblower@avantifinance.in

The nominated officer will carry out a preliminary analysis as to whether the complaint pertains to Wrongful Conduct or not or there is a prima-facie case and shall then refer the matter to the Whistleblower committee. 

The Whistleblower Committee, if deems fit, may call for further information or particulars from the complainant. 

7.3 Investigation Report

All Protected Disclosures reported under this Policy will be thoroughly investigated by the nominated officer of the Company who will investigate / oversee the investigations under the authorization of the Audit Committee. The nominated officer may at its discretion consider involving any investigators for the purpose of investigation.

The decision to conduct an investigation taken into a Protected Disclosure by itself is not an acceptance of the accusation by the Authority. It is to be treated as a neutral fact-finding process because the outcome of the investigation may or may not support accusation; unless there are compelling reasons not to do so, subjects will be given reasonable opportunity for hearing their side during the investigation. No allegation of wrongdoing against a subject shall be considered as maintainable unless there is good evidence in support of the allegation.

The subject shall have right to access any document/ information for their legitimate need to clarify/ defend themselves in the investigation proceedings.

The nominated officer shall normally complete the investigation within 45 days of the receipt of protected disclosure.

Based on a thorough examination of the findings, the nominated officer shall submit a report to the Whistleblower Committee on a regular basis about all Protected Disclosures referred to him/her since the last report together with the results of investigations, if any.

The Committee shall look into the complaints report prepared by the nominated officer and can suo moto institute further investigation / call for additional documentary evidence before submitting its findings on the matter. The findings of the whistleblower committee shall be suggested to the nominated Director for his / her decision (or the audit committee when required to be setup). The findings of the whistleblower committee shall be suggested to the nominated Director for his / her decision (or the audit committee when required to be setup).

7.4 Appeal and Decision

If an investigation leads the nominated officer to conclude that an improper or unethical act has been committed which would result in suggested disciplinary action, including dismissal, if applicable; the nominated officer shall recommend to the WhistleBlower Committee of the Company to take such disciplinary or corrective action as he may deem fit. All discussions would be documented and the final report will be recommended by the whistleblower committee and duly approved by the Nominated Director.  

If the report of investigation is not to the satisfaction of the complainant, the complainant has the right to report the event to the appropriate legal or investigating agency. A complainant who makes false allegations of unethical & improper practices or about alleged wrongful conduct of the subject shall be subject to appropriate disciplinary action in accordance with the rules, procedures and policies of the Company.

7.5 Confidentiality

Every effort will be made to protect the identity of the complainant, subject to legal constraints except in cases where the complainant turns out to be vexatious or frivolous and action has to be initiated against the complainant. In the event of the identity of the complainant being disclosed, the nominated officer  can initiate appropriate action against the person making such disclosure.

7.6 Protection 

The Company, as a policy, condemns any kind of discrimination, harassment, victimization or any other unfair employment practice being adopted against WhistleBlowers. Complete protection will therefore be given to WhistleBlowers against any unfair practice like retaliation, threat or intimidation of termination / suspension of service, disciplinary action, transfer, demotion, refusal of promotion or the like including any direct or indirect use of authority to obstruct the Whistle Blower’s right to continue to perform his duties / functions including making further Protected Disclosure.

A WhistleBlower may report any violation of the above clause to the Chairman of the Audit Committee, who shall investigate into the same and recommend suitable action to the Internal Complaint Committee. 

8. Record Keeping

All documentation pertaining to the complaint including the investigation report, corrective action taken and evidence will be maintained for a period of 8 years or such other period as specified by any other law in force, whichever is more.

9. Reporting Requirements

The following are the reporting requirements -

1. The details of establishment of Vigil mechanism shall be disclosed by the Company on the website, if any, and in the Board’s Report.
2. Whistle blower policy, and affirmation that no personnel has been denied access to the Board for reporting actions under the whistle blower policy.

10. Policy Review and Updates

The Board approved policy shall be reviewed as and when required for incorporating regulatory updates and changes, if any. 

11. Definitions

1. Audit Committee: A Committee constituted by the Board of Directors of the Company in accordance with Companies Act, 2013.

2. Protected Disclosure: a concern raised by a written communication made in good faith that discloses or demonstrates information that may evidence unethical or improper activity. Protected Disclosures should be factual and not speculative in nature

3. Subject: a person against or in relation to whom a Protected Disclosure has been made or evidence gathered during the course of an investigation

4. Whistle Blower/Complainant: an Employee making a Protected Disclosure under this Policy. An employee making a disclosure under this process is commonly referred to as a complainant. The complainant is not expected to prove the truth of an allegation, the complainant needs to demonstrate that there are sufficient grounds for concern and expected to provide the complete details/evidences in his possession.

CODE OF CONDUCT

1. SCOPE AND PURPOSE OF THIS CODE

1.1 In this Code of Conduct Policy (“Code”), “we” or “us” or “our”  means Avanti Finance Private Limited (“Company”), and includes our executive directors, officers, employees and those who

work with us, as the context may require.

1.2 This Code sets out how we behave with:

(i) our employees, or those who work with us;

(ii) our customers;

(iii) the communities and the environment in which we operate;

(iv) our value-chain partners, including suppliers and service providers, distributors, sales representatives, contractors, channel partners, consultants, intermediaries and agents;

(v) our joint-venture partners or other business associates;

(vi) our financial stakeholders; and

(vii) the governments of the regions where we operate.

1.3 This Code sets out our expectations of all those who work with us. We also expect those who deal with us to be aware that this Code underpins everything we do, and in order to work with us they need to act in a manner consistent with this Code.

1.4 This Code applies to following activities undertaken by us:

(i) providing credit services to clients individually or in groups;

(ii) recovery of credit provided to clients;

(iii) collection of thrift from clients, where ever applicable;

(iv) providing insurance and pension services, remittance services or any other products and services permitted under applicable law, that will reduce vulnerability of our clients;

(v) formation of any type of community collectives including self-help groups, joint liability groups and their federations; and

(vi) business development services including marketing of products or services made or extended by the eligible clients or for any other purpose for the welfare and benefit of clients.

‍

2. OUR CORE VALUES

2.1 The core values that underpin the way we conduct our business activities are:

1. INTEGRITY: We are fair, honest, transparent and ethical in our conduct; everything we do must stand the test of public scrutiny. Our primary mission is to service financially excluded individuals and families by providing them access to financial services, which are client focused, designed to enhance their well-being, and delivered in an ethical, dignified, transparent, equitable and cost-effective manner.

2. QUALITY OF SERVICE: We are committed to ensure quality services to our clients, appropriate to their needs and delivered efficiently in a convenient and timely manner. While doing so, we agree to maintain high standards of professionalism based on honesty, equality and dedication to serve the poor.

3. TRANSPARENCY: We shall provide our clients complete and accurate information and educate them about the terms of financial services offered by us such as interest rates and all other charges as well as our policies and procedures in a manner that is understandable by them.

4. PIONEERING: We will be bold and agile, courageously taking on challenges, using deep customer insight to develop innovative solutions.

5. PRIVACY OF CLIENT INFORMATION: We will safeguard personal information of clients, only allowing disclosures and exchange of such information to others who are authorised to see it, with the knowledge and consent of clients.

6. RESPONSIBILITY: We will integrate environmental and social principles in our businesses, ensuring that what comes from the people goes back to the people many times over.

‍

3. OUR CORE PRINCIPLES

3.1 We are committed to operating our businesses by conforming to the highest moral and ethical standards. We do not tolerate bribery or corruption in any form. This commitment underpins everything that we do.

3.2 We are committed to good corporate citizenship. We treat social development activities, which benefit the communities we operate in as an integral part of our business plan.

3.3 We seek to contribute to the economic development of the communities in regions we operate, with due respect to their culture, norms and heritage. We seek to avoid any project or activity that is detrimental to the wider interests of the communities in which we operate.

3.4 We shall not compromise safety in the pursuit of commercial advantage. We shall strive to provide a safe, healthy and clean working environment for our employees and all those who work with us.

3.5 When representing the Company, we shall act with professionalism, honesty and integrity, and conform to the highest moral and ethical standards. Our conduct shall be fair and transparent and be perceived as fair and transparent by third parties.

3.6 We shall respect the human rights and dignity of all our stakeholders.

3.7 We shall strive to balance the interests of our stakeholders, treating each of them fairly and avoiding unfair discrimination of any kind.

3.8 The statements that we make to our stakeholders shall be truthful and made in good faith.

3.9 We shall not engage in any restrictive or unfair trade practices.

3.10 We shall provide avenues for our stakeholders to raise concerns or queries in good faith, or report instances of actual or perceived violations of our Code.

3.11 We shall strive to create an environment free from fear of retribution to deal with concerns that are raised, or cases reported in good faith. No one shall be punished or made to suffer fo raising concerns or making disclosures in good faith or in the public interest.

3.12 We expect the leaders of our businesses to demonstrate their commitment to the ethical standards set out in this Code through their own behavior and by establishing appropriate processes.

3.13 We shall comply with the laws of the countries in which we operate and any other laws which apply to us. With regard to those provisions of the Code that are explicitly dealt with under an applicable law or employment terms, the law and those terms shall take precedence. In the event that the standards prescribed under any applicable law are lower than that of the Code, we shall conduct ourselves as per the provisions of the Code.

‍

4. OUR EMPLOYEES

4.1 Equal opportunity employer

4.1.1 We provide equal opportunities to all our employees and to all eligible applicants for employment in our Company. We do not unfairly discriminate on any ground, including race, caste, religion, colour, ancestry, marital status, gender, sexual orientation, age, nationality, ethnic origin, disability or any other category protected by applicable law.

4.1.2 When recruiting, developing and promoting our employees, our decisions will be based solely on performance, merit, competence and potential.

4.1.3 We shall have fair, transparent and clear employee policies which promote diversity and equality, in accordance with applicable law and other provisions of this Code. These policies shall provide for clear terms of employment, training, development and performance management.

4.2 Dignity and respect

4.2.1 Our leaders shall be responsible for creating a conducive work environment built on tolerance, understanding, mutual cooperation and respect for individual privacy.

4.2.2 Everyone in our work environment must be treated with dignity and respect. We do not tolerate any form of harassment, whether sexual, physical, verbal or psychological.

4.2.3 We have clear and fair disciplinary procedures, which necessarily include an employee’s right to be heard.

4.2.4 We respect our employees’ right to privacy. We have no concern with their conduct outside our work environment, unless such conduct impairs their work performance, creates conflicts of interest or adversely affects our reputation or business interests.

4.3 Collection, Use and Disclosure of personal information of Employees

4.3.1 Purpose of collection: In the course of conducting our business and complying with various applicable law relating to employment, tax, insurance, etc., we collect certain personal information from our Employees (“Employee Personal Information”). The nature of the Employee Personal Information collected varies for each employee and depends upon employee’s responsibilities, citizenship, work location, and other factors. The purpose of collecting and using Employee Personal Information is limited to the business purposes, including those related directly to employee’s employment with the Company, and any other such requirement as per applicable law. We will not retain Employee Personal Information for longer than is required for the purpose herein.

4.3.2 Types of information collected: Employee Personal Information includes, without limitation, the following:

• Name

• Phone numbers

• Email address

• Mailing addresses

• Banking and other financial data

• Date of birth

• Gender, race, and ethnicity

• Health and disability data

4.3.3 Usage: The primary purposes for collection, storage and/or use of your Personal Information include, but are not limited to:

4.3.3.1 Human Resources Management: We collect, store, analyze, and may share (internally) Employee Personal Information in order to attract, retain and motivate a highly qualified workforce. This includes recruiting, compensation planning, succession planning, reorganization needs, performance assessment, training, employee benefit administration, compliance with applicable legal requirements, and communication with employees and/or their representatives.

4.3.3.2 Business Processes and Management: Employee Personal Information is used to run our business operations including, for example, scheduling work assignments, managing company assets, reporting and/releasing public data (e.g., Annual Reports, etc.); and populating employee directories.

4.3.3.3 Safety and Security Management: We use such Employee Personal Information as appropriate to ensure the safety and protection of employees, assets, resources, and communities.

4.3.3.4 Communication and Identification: We use Employee Personal Information to identify you and to communicate with the employees.

4.3.4 Disclosure: We stive to protect Employee Personal Information and ensure that unauthorized individuals do not have access to such information by using adequate security measures. We will not knowingly disclose, sell or otherwise distribute Employee Personal Information to any third party without the relevant employee’s knowledge and, where appropriate, your express written permission, except under the following circumstances:

4.3.4.1 Legal requests and investigations: We may disclose Employee Personal Information when such disclosure is reasonably necessary (i) to prevent fraud; (ii) to comply with any applicable law; or (iii) to comply with an order by a competent court.

4.3.4.2 Third-party vendors and service providers: We may, from time to time, outsource services, functions, or operations of our business to third-party service providers. When engaging in such outsourcing, it may be necessary for us to disclose Employee Personal Information to those service providers (for example, payroll service providers). In some cases, the service providers may collect Employee Personal Information directly from the employee on our behalf. Our relationship with such service providers will be governed by such commercial, operational and other terms as negotiated under valid contract.

4.3.4.3 Business Transfers: During the term of employment, we may buy other companies, create new subsidiaries or business units or sell part or all of our assets. It is likely that, as part of such process, some or all of Employee Personal Information will be transferred to another company as part of any such the transaction.

4.3.4.4 Reserved Matters: We may release Employee Personal Information when we believe release is necessary to comply with the law; enforce or apply our policies and other agreements; or protect the rights, property, or safety of Company, our employees, or others. This disclosure will never, however, include selling, renting, sharing or otherwise disclosing Employee Personal Information for commercial purposes in violation of the commitments set forth in this Code.

4.3.5 Security Practices

4.3.5.1 We employ commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of Employee Personal Information. These include internal reviews of our collection, storage and processing practices and security measures, such as appropriate encryption and physical security measures to guard against unauthorized access to systems where we store such information.

4.3.5.2 Only authorized employees have access to Employee Personal Information.

4.3.5.3 Paper and other hard copy containing Employee Personal Information (or any other confidential information) is secured in a locked location when not in use.

4.3.5.4 Computers and other access points should be secured when not in use by logging out or locking. Passwords should be guarded and not shared.

4.3.5.5 Electronic files containing Employee Personal Information should only be stored on secure computers and not copied or otherwise shared with unauthorized individuals within or outside of Company.

4.3.5.6 All Employee Personal Information shall be maintained by Company for such time period as may be required as per applicable law.

4.3.6 The Employees, as and when requested by them, may review the information provided and ensure that the Employee Personal Information found to be inaccurate or deficient is correct or amended as feasible.

4.4 Human rights

4.4.1 We do not employ children at our workplaces.

4.4.2 We do not use forced labour in any form. We do not confiscate personal documents of our employees or force them to make any payment to us or to anyone else in order to secure employment with us, or to work with us.

4.5 Bribery and corruption

4.5.1 Our employees and those representing us including agents and intermediaries shall not, directly or indirectly, offer or receive any illegal or improper payments or comparable benefits that are intended or perceived to obtain undue favours for the conduct of our business.

4.6 Gifts and hospitality

4.6.1 Business gifts and hospitality are sometimes used in the normal course of business activity. However, if offers of gifts or hospitality (including entertainment or travel) are frequent or of substantial value, they may create the perception of, or an actual conflict of interest or an ‘illicit payment’. Therefore, gifts and hospitality given or received should be modest in value and appropriate, and in compliance with our Company’s gifts and hospitality policy.

4.6.2 As a general rule, we can accept gifts or hospitality from a business associate, only if such a gift:

(a) has modest value and does not create a perception (or an implied obligation) that the giver is entitled to preferential treatment of any kind;

(b) would not influence, or appear to influence, our ability to act in the best interest of our Company; and/ or

(c) would not embarrass our Company or the giver if disclosed publicly.

4.6.3 The following gifts are never appropriate and should never be given or accepted:

(d) gifts of cash or gold or other precious metals, gems or stones;

(e) gifts that are prohibited under applicable law;

(f) gifts in the nature of a bribe, payoff, kickback or facilitation payment*;

(g) gifts that are prohibited by the gift giver’s or recipient’s organization; and

(h) gifts in the form of services or other non-cash benefits (e.g. a promise of employment).

(*Facilitation payment is a payment made to secure or speed up routine legal government actions, such as issuing permits or releasing goods held in customs.)

4.7 Freedom of association

4.7.1 We recognise that employees may be interested in joining associations or involving themselves in civic or public affairs in their personal capacities, provided such activities do not create an actual or potential conflict with the interests of our Company. Our employees must notify and seek prior approval for any such activity as per the ‘Conflicts of Interest’ clause of this Code and in accordance with applicable Company policies and law.

4.8 Working outside employment with us

4.8.1 Taking employment, accepting a position of responsibility or running a business outside employment with our Company, in your own time, with or without remuneration, could interfere with your ability to work effectively at our Company or create conflicts of interest. Any such activity must not be with any customer, supplier, distributor or competitor of our Company. Our employees must notify and seek prior approval for any such activity as per the ‘Conflicts of Interest’ clause of this Code and in accordance with applicable Company policies and law.

4.9 Integrity of information and assets

4.9.1 Our employees shall not make any willful omissions or material misrepresentation that would compromise the integrity of our records, internal or external communications and reports, including the financial statements.

4.9.2 Our employees and directors shall seek proper authorization prior to disclosing Company or business-related information, and such disclosures shall be made in accordance with our Company’s media and communication policy. This includes disclosures through any forum or media, including through social media.

4.9.3 Our employees shall ensure the integrity of personal data or information provided by them to our Company. We shall safeguard the privacy of all such data or information given to us in accordance with applicable Company policies or law.

4.9.4 Our employees shall respect and protect all confidential information and intellectual property of our Company.

4.9.5 Our employees shall safeguard the confidentiality of all third party intellectual property and data. Our employees shall not misuse such intellectual property and data that comes into their possession and shall not share it with anyone, except in accordance with applicable Company policies or law.

4.9.6 Our employees shall promptly report the loss, theft or destruction of any confidential information or intellectual property and data of our Company or that of any third party.

4.9.7 Our employees shall use all Company assets, tangible and intangible, including computer and communication equipment for the purpose for which they are provided and in order to conduct our business. Such assets shall not be misused. We shall establish processes to minimize the risk of fraud, and misappropriation or misuse of our assets.

4.9.8 We shall comply with all applicable anti-money laundering, anti-fraud and anti-corruption laws and we shall establish processes to check for and prevent any breaches of such laws.

4.10 Insider Trading

4.10.1 Our employees must not indulge in any form of insider trading nor assist others, including immediate family, friends or business associates, to derive any benefit from access to and possession of price sensitive information that is not in the public domain. Such information would include information about our Company, our clients and our suppliers.

4.11 Prohibited drugs and substances

4.11.1 Use of prohibited drugs and substances creates genuine safety and other risks at our workplaces. We do not tolerate prohibited drugs and substances from being possessed, consumed or distributed at our workplaces, or in the course of Company duties.

4.12 Conflict of interest

4.12.1 Our employees and executive directors shall always act in the interest of our Company and ensure that any business or personal association including close personal relationships which they may have, does not create a conflict of interest with their roles and duties in our Company or the operations of our Company. Further, our employees and executive directors shall not engage in any business, relationship or activity, which might conflict with the interest of our Company.

4.12.2 Should any actual or potential conflict of interest arise, the concerned person must immediately report such conflicts and seek approvals as required by applicable law and Company policy. The competent authority shall revert to the employee within a reasonable time as defined in our Company’s policy, so as to enable the concerned employee to take necessary action as advised to resolve or avoid the conflict in an expeditious manner.

4.12.3 In the case of all employees other than executive directors, the Chief Executive Officer / Managing Director shall be the competent authority, who in turn shall report such cases to the Board of Directors on a quarterly basis. In case of the Chief Executive Officer / Managing Director and executive directors, the Board of Directors of our Company shall be the competent authority.

4.12.4 Notwithstanding such or any other instance of conflict of interest that exists due to historical reasons, adequate and full disclosure by interested employees shall be made to our Company’s management. At the time of appointment in our Company, our employees and executive directors shall make full disclosure to the competent authority, of any interest leading to an actual or potential conflict that such persons or their immediate family (including parents, siblings, spouse, partner, children) or persons with whom they enjoy close personal relationships, may have in a family business or a company or firm that is a competitor, supplier, customer or distributor of, or has other business dealings with, our Company.

4.13 Examples of Potential Conflict of Interest

4.13.1 A conflict of interest, actual or potential, arises where, directly or indirectly, an employee or executive director:

(i) engages in a business, activity or relationship with anyone who is party to a transaction with our Company;

(ii) is in a position to derive an improper benefit, personally or for any family member or for any person in a close personal relationship, by making or influencing decisions relating to any transaction;

(iii) conducts business on behalf of our Company or is in a position to influence a decision with regard to our Company’s business with a supplier or customer where a relative of, or a person in close personal relationship with, an employee or executive director is a principal officer or representative, resulting in a personal benefit or a benefit to the relative;

(iv) is in a position to influence decisions with regard to award of benefits such as increase in salary or other remuneration, posting, promotion or recruitment of a relative or a person in close personal relationship employed in our Company;

(v) undertakes an activity by which the interest of our Company can be compromised or defeated; or

(vi) does anything by which an independent judgement of our Company’s best interest cannot be exercised.

4.13.2 A conflict of interest could be any known activity, transaction, relationship or service engaged in by an employee, his/her immediate family (including parents, siblings, spouse, partner, and children), relatives or a close personal relationship, which may cause concern (based upon an objective determination) that the employee could not or might not be able to fairly perform his/her duties to our Company.

4.13.3 If there is a failure to make the required disclosure and our management becomes aware of an instance of conflict of interest that ought to have been disclosed by an employee or executive director, our management shall take a serious view of the matter and consider suitable disciplinary action as per the terms of employment. In all such matters, we shall follow clear and fair disciplinary procedures, respecting the employee’s right to be heard.

4.13.4 Acceptance of a position of responsibility (whether for remuneration or otherwise) in the following cases would typically be permitted, provided the time commitments these demand do not disturb or distract from the employee’s primary duties and responsibilities in our Company, and are promptly disclosed to the relevant competent authority:

(i) directorships on the Boards of any of our joint ventures or associate companies;

(ii) memberships/positions of responsibility in educational/professional bodies, where such association will promote the interests of our Company; or

(iii) memberships or participation in government committees/bodies or organizations.

5. OUR CLIENTS AND CUSTOMERS

5.1  Transparency: To ensure that the Company maintains transparency in its operations and communications vis-à-vis its clients, Company will adhere to the following:

(i)  disclose to clients all the terms and conditions (including changes if any) of our financial services offered in the language understood by the client;

(ii)  provide loan sanction letter or any other document clearly indicating the rate of interest, mode of charging interest, levy of any other charges, terms of repayment to the client against his/her acknowledgement;

(iii)  provide information to clients on the rate of interest offered on the thrift services, wherever applicable;

(iv)  provide information to clients related to the premium and other fees being charged on insurance services;

(v)  provide a valid receipt for every payment received from the borrower;

(vi)  provide periodical statements of their accounts by means of a passbook or any other mechanism to the clients; and

(vii)  all the above disclosures to the client may be made digitally.

5.2  Client Protection: In protecting the interest of the clients/borrowers, the Company is committed to following fair practices built on dignity, respect, fair treatment, persuasion and courtesy to clients.

5.3  Avoiding over-indebtedness: Company will take reasonable steps to ensure that credit services are based on the need and repayment capacity of the client and that this service will not put the client / borrowers at significant risk of over-indebtedness. Accordingly, the Company will:

(i)  undertake appropriate interaction and collection practices;

(ii)  interact with the clients in an acceptable language and dignified manner and spare no efforts in fostering clients’ confidence and long-term relationship;

(iii)  have a clearly defined and phased procedure in case of client default;

(iv)  maintain decency and decorum during the visit to the clients’ place for collection of dues;

(v)  avoid inappropriate occasions such as bereavement in the family or such other calamitous occasions for making calls/visits to collect dues; and

(vi)  avoid any demeanor that would suggest any kind of threat or violence.  

5.4  Privacy of client information: Company is committed to keep personal client information strictly confidential except in the following circumstances:

(i)  client has been informed about such disclosure and permission has been obtained;

(ii)  it is legally required to do so;

(iii)  the party in question has been authorized by the client; or

(iv)  this practice is customary amongst financial institutions and available for a close group on reciprocal basis (such as a credit bureau).

6. Identification, Prioritization and Engagement of Stakeholders

6.1 The Company integrates stakeholder engagement within its governance, strategies, and operational plans. The engagement process includes:

• Identification of Purpose, Scope, Ownership and Mandate

• Profiling and prioritization of stakeholders

• Settling of Engagement Levels and methods

• Definition and Communication of Boundaries of disclosure

• Drawing up an Engagement Plan

• Choosing Indicators for measuring engagement activities

• Identification and Mitigation of Engagement risks - through inviting, informing, and briefing the stakeholders

• Evaluation of stakeholder capacity

• Carefully listening to the stakeholders during the engagement

• Documenting the engagement

• Enhancing our engagement activities, review the outcomes of the engagement and report on engagement results.

6.2 To have a systematic approach with all stakeholders, we classify our stakeholders into the following categories:

• Customers / Borrowers

• Employees

• Partners

• Investors

• Management Functions

• Grievance management

• Non-Profit Organizations

• Regulatory bodies

• Communities we operate in (including vulnerable communities such as indigenous tribal communities, below poverty line communities or other marginalized communities)

• Media

6.3 The stakeholder identification process is based on the following phases:

• Analysis of business processes.

• For each process, identification of all interested, and impacted groups.

• Grouping stakeholders in homogenous categories (according to relevance to the company or to the stake they hold)

• Identification of priority groups within each category.

6.4 The above process helps in identification of stakeholders

• who are directly or indirectly dependent on Companies activities, products or services and associated performance, or on whom Company is dependent in order to operate, or

• to whom Company has, or in the future may have, legal, commercial, operational, or ethical/moral responsibilities or,

• who can influence or have impact on Companies strategic or operational decision-making Stakeholders are further prioritized according to either the relevance of the stakeholders to the core business of the company, or because the company’s impact is high on a particular stakeholder for, e.g., supporting the economical or cultural growth.

6.5 Company engages with the stakeholders in the following ways:

• Digital engagements.

• Seek periodic advise through questionnaire

• Discussion on process problems and setbacks

‍

7. OUR COMMUNITIES AND THE ENVIRONMENT

7.1 Communities: We are committed to good corporate citizenship and shall actively assist in the improvement of the quality of life of the people in the communities in which we operate.

7.1.1 We engage with the community and stakeholders to obtain their input, review the past processes and identify the techniques and strategies that will minimize any adverse impact that our business operations may have on the local community and the environment.

7.1.2 We encourage our workforce to volunteer on projects that benefit the communities in which we operate, provided the principles of this Code, where applicable, and in particular the ‘Conflicts of Interest’ clause is followed.

7.2 The environment: In the production and sale of our products and services, we strive for environmental sustainability and comply with all applicable laws and regulations.

7.2.1 We seek to prevent the wasteful use of natural resources and are committed to improving the environment, particularly with regard to the emission of greenhouse gases, consumption of water and energy, and the management of waste and hazardous materials. We shall endeavor to offset the effect of climate change in our activities.

‍

8. OUR VALUE-CHAIN PARTNERS

8.1 We shall select our suppliers and service providers fairly and transparently.

8.2 We seek to work with suppliers and service providers who can demonstrate that they share similar values. We expect them to adopt ethical standards comparable to our own.

8.3 Our suppliers and service providers shall represent our Company only with duly authorized written permission from our Company. They are expected to abide by the Code in their interactions with, and on behalf of us, including respecting the confidentiality of information shared with them.

8.4 We shall ensure that any gifts or hospitality received from, or given to, our suppliers or service providers comply with our Company’s gifts and hospitality policy.

8.5 We respect our obligations on the use of third-party intellectual property and data.

‍

9. OUR FINANCIAL STAKEHOLDERS

9.1 We are committed to enhancing shareholder value and complying with laws and regulations that govern shareholder rights.

9.2 We shall inform our financial stakeholders about relevant aspects of our business in a fair, accurate and timely manner and shall disclose such information in accordance with applicable law and agreements.

9.3 We shall keep accurate records of our activities and shall adhere to disclosure standards in accordance with applicable law and industry standards.

‍

10. GOVERNMENTS

10.1 Political non-alignment: We shall act in accordance with the constitution and governance systems of the regions/countries where we operate. We do not seek to influence the outcome of public elections, nor to undermine or alter any system of government. We do not support any specific political party or candidate for political office. Towards this end:

10.1.1 Our conduct must preclude any activity that could be interpreted as mutual dependence/favour with any political body or person, and we do not offer or give any Company funds or property or other resources as donations to any specific political party, candidate or campaign.

10.1.2 Any financial contributions considered by our Board of Directors in order to strengthen democratic forces through a clean electoral process shall be extended only through the Progressive Electoral Trust in India, or by a similar transparent, duly-authorized, nondiscriminatory and nondiscretionary vehicle outside India.

10.2 Government engagement: We conduct our interactions with them in a manner consistent with our Code.

10.2.1 We engage with the government and regulators in a constructive manner in order to promote good governance.

10.2.2 We do not impede, obstruct or improperly influence the conclusions of, or affect the integrity or availability of data or documents for any government review or investigation.

‍

11. RAISING CONCERNS

11.1 We encourage our employees, customers, suppliers and other stakeholders to raise concerns or make disclosures when they become aware of any actual or potential violation of our Code, policies or law. We also encourage reporting of any event (actual or potential) of misconduct that is not reflective of our values and principles.

11.2 Avenues available for raising concerns or queries or reporting cases could include:

(i) immediate line manager or the Human Resources department of our Company;

(ii) designated ethics officials of our Company;

(iii) the ‘confidential reporting’ third party ethics helpline (if available); or

(iv) any other reporting channel set out in our Company’s ‘Whistleblower’ policy.

11.3 We do not tolerate any form of retaliation against anyone reporting legitimate concerns. Anyone involved in targeting such a person will be subject to disciplinary action.

11.4 If you suspect that you or someone you know has been subjected to retaliation for raising a concern or for reporting a case, we encourage you to promptly contact your line manager, the Company’s Ethics Counsellor, the Human Resources department or the MD/CEO.

‍

12. ACCOUNTABILITY

12.1 This Code is more than a set of prescriptive guidelines issued solely for the purpose of formal compliance. It represents our collective commitment to our value system and to our core principles.

12.2 Every person employed by us, directly or indirectly, should expect to be held accountable for his/her behavior. Should such behavior violate this Code, they may be subject to action according to their employment terms and relevant Company policies.

12.3 When followed in letter and in spirit, this Code is ‘lived’ by our employees as well as those who work with us. It represents our shared responsibility to all our stakeholders, and our mutual commitment to each other.

‍

13. NOTE

13.1 The Code does not provide a comprehensive and complete explanation of all expectations from a Company standpoint or obligations from a stakeholder standpoint.

13.2 Our employees have a continuing obligation to familiarize themselves with all applicable law, Company-level policies, procedures and work rules as relevant. For any guidance on interpretation of the Code, we may seek support from our Company’s Ethics Counsellor.

13.3 For any query or clarification on the Code, please contact the office of the Company’s Chief Ethics Officer via email at: Sunil.kumar.t@avantifinance.in

13.4 For further information on the Code please contact: The Ethics Office, Email: Sunil.kumar.t@avantifinance.in

‍

14. POLICY REVIEW UPDATED

This document shall be reviewed by the COO, and shall be reviewed at least once a year. Reviews

shall also account for any significant business changes and/or any regulatory requirements.

This Policy was:

I. Drafted on behalf of the Company by: Mr Nagaraj Subrahmanya, CRO

II. Internally reviewed by: Mr Manish Thakkar, COO

III. Approved by the Board of the Company on: June 25, 2019, Revision 1 on: March 22,

2021,Revision 2 on : March 13, 2023 and Revision 3 on : October 31, 2023

Co-lending Policy

1. Introduction

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has drafted the Co-lending Policy (hereafter referred to as “Co-Lending Policy” or “the Policy”) in accordance with the Reserve Bank of India (“RBI”) notification for the Co-Lending model - RBI/2020-21/63, FIDD.CO.Plan.BC.No.8/04. 09.01 /2020- 21 dated November 05, 2020 (“CLM”).

2. Objectives of the Policy

This document covers the general principles and practices to be followed by the Company when entering into co-lending arrangements with partner institutions. The Policy will be applicable to all the categories of products and services offered by the Company under the co-lending model and apply to related operations such as customer sourcing, loan processing, loan servicing and collection activities.

3. Co-Lending Arrangement Modes

The Master Agreement entered into with partner institutions (Banks/NBFCs) for implementing the co-lending model could be one of 2 (two) options:

(i)  Where the Company and the partner Bank/NBFC jointly originate the loan and take it on their respective books basis a pre-determined share (“Co-Origination”); or

(ii)  Where the Company originates the loan and subsequently transfers it to the partner Bank/NBFC (“Originate and Transfer”) with the partner institution retaining the right to reject certain loans subject to its due diligence.

If the co-lending model chosen is Option (ii) above, this arrangement will be akin to a direct assignment transaction. Accordingly, the taking over Bank/NBFC shall ensure compliance with all the requirements in terms of Guidelines on Transactions Involving Transfer of Assets through Direct Assignment of Cash Flows and the Underlying Securities issued vide RBI/2011-12/540 DBOD.No.BP.BC-103/21.04.177/2011-12 dated May 07, 2012 and RBI//2012- 13/170  DNBS.  PD.  No.  301/3.10.01  /2012-13  dated  August  21,  2012

respectively, as updated from time to time, with the exception of Minimum Holding Period (MHP) which shall not be applicable in such transactions undertaken in terms of the co-lending arrangement. The MHP exemption shall be available only in cases where the prior Master Agreement between the Company (on the one hand) and Banks / NBFCs (on the other hand) contains a back-to-back basis clause and complies with all other conditions stipulated in the guidelines for direct assignment.‍

4. Roles & Responsibilities

(i)  Origination / Loan Sanction:

The Company will source leads of applicants who meet the eligibility criteria as per the credit policy agreed in terms of each co-lending arrangement.

In the case of a “Co-Origination” arrangement, a joint loan agreement will be executed with the borrower wherein both the Company and the partner Bank /NBFC will be parties as lenders in the agreement.

In the case of a “Originate & Transfer” arrangement, the Company will enter into the agreement with the borrower and the partner Bank/NBFC shall then choose to take over its share on back-to-back basis.

(ii)  Interest Rate:

The Company and the co-lending partner would have the flexibility to price their part of the exposure in a manner found fit as per their respective risk appetite/ assessment of the borrower and the RBI regulations issued from time to time.

Based on the respective interest rates and proportion of risk sharing, a single blended interest rate will be offered to the ultimate borrower in case of fixed rate loans. In the scenario of floating interest rates, a weighted average of the benchmark interest rates in proportion to the respective loan contribution, will be offered.

Company shall provide all information such as loan details including interest rate and other charges, details of risk sharing arrangement, etc., as and when called for by the RBI.

(iii)  Know Your Customer (KYC):

The Company and the co-lending partner shall adhere to all applicable KYC/ AML guidelines, as prescribed in the Master Directions - Know Your Customer (KYC) Direction, 2016, issued vide RBI/DBR/2015-16/18 Master Direction DBR.AML.BC.No.81/14.01.001/2015-16 dated February 25, 2016 and updated from time to time.

(iv)  Borrower Agreement

The borrower loan agreement shall clearly contain the features of the arrangement and the roles and responsibilities of Company and the partner Bank/NBFC. All the details of the arrangement shall be disclosed to the customers upfront and their explicit consent shall be taken.

(v)  Common Account

 The Company and its partner Bank/NBFC shall open an escrow type common account for pooling respective loan contributions for disbursal as well as to appropriate loan repayments from borrowers, without holding the funds for usage of float. All transactions between the co-lending partners relating to the co-lending shall be routed through this escrow account.

The Company and partner Bank/NBFC shall maintain their share of the individual borrower’s accounts but should also be able to generate and share a single unified statement to the customer, through appropriate sharing of required information between the two entities.

(vi)  Customer Communication & Grievance Redressal

 The Company will be the single point of interface with the borrower for the purpose of the loan provided and will be responsible for providing a detailed explanation to the borrower regarding the co-lending arrangement and the roles and responsibilities of the co-lending entities. The Company will also be primarily responsible for providing the required customer service and grievance redressal to the borrower that will be in line with the customer grievance redressal policy approved by the Board of the Company.

However, any complaint registered by a borrower with the Company and/or partner Bank / NBFC, shall also be shared with the Bank/ NBFC / Company and in case, the complaint is not resolved within 30 days, the borrower would have the option to escalate the same with concerned Banking Ombudsman/ Ombudsman for the Company or the Customer Education and Protection Cell (CEPC) in RBI as laid out in the Fair Practices Code adopted by the Company.

(vii)  Reporting / Provisioning

Each of the Company and partner Bank/NBFC shall follow its respective and independent provisioning requirements including declaration of account as NPA, as per the regulatory guidelines respectively applicable to each of them. Each of the two entities shall carry out their respective reporting requirements including reporting to Credit Information Companies, under respectively applicable law and regulations.

(viii)  Outsourcing of services

The Company will adhere to extant guidelines on outsourcing of financial services and the Outsourcing Policy approved by the Board. The outsourcing policy may be accessed at: [Outsourcing Policy].

(ix)  Other policies & guidelines

Company will ensure that it adheres to the regulations prescribed by the RBI/any other relevant regulatory body. Subject to the relevant Master Agreement, Company’s policies shall continue to apply on loans disbursed under the co-lending arrangement.

(viii)  Other Operational Aspects

 (a)  The co-lenders shall establish a framework for monitoring and recovery of the loan, as  mutually agreed upon.

(b)  The co-lenders shall arrange for creation of security and charge as per mutually agreeable terms.

(c)  The loans under the CLM shall be included in the scope of internal/statutory audit the banks and NBFCs to ensure adherence to their respective internal guidelines, of the agreement and extant regulatory requirement

(d)  Any assignment of a loan by a co-lender to a third party can be done only with the consent of the other lender

5. Policy Review and Updates

The implementation of this policy shall be monitored and reviewed periodically by the Board of the Company.

Co-lending Disclosure

‍

Default Loss Guarantee (DLG)

‍

‍

Frequently Asked Questions on Moratorium during of Covid -19

Based on the recommendation from RBI to grant Moratorium on the subject of Covid -19 Regulatory package (Circular dated RBI/2019-20/186 DOR.No.BP.BC.47/21.04.048/2019-20), Avanti has decided to grant all borrowers a moratorium for EMI deferment falling due between the period March 01, 2020 to May 31, 2020(upto 92 days).    Frequently Asked Questions  

1.  What is Avanti’s response to the RBI announcement of EMI deferment?

Res) In line with the RBI’s suggestion, Avanti has decided to grant moratorium for 3 months starting 1st March 2020.  Accordingly -

1. Loan tenure of all active loans will increase by 3 months (at least).
2. Borrowers have the option of making repayment during this 3 month period and accordingly their interest will be calculated. (Some borrowers have already paid their March EMI).
3. Non-payment of EMI in these 3 months will not affect the DPD and hence will not be reported as delay/default to credit bureaus.
4. Interest will continue to accrue on the outstanding portion of the loans during the moratorium period

2.  What does granting moratorium for EMI deferment mean?

Res) Moratorium for EMI deferment means -  A2.1 - Borrowers whose EMI was due in March 2020 will be due now in June 2020, A2.2 - Borrowers whose EMI was due in April 2020 will be due now in July 2020  A2.3 - Borrowers whose EMI was due in May 2020 will be due now in August 2020.  The original schedule of these borrowers will be accordingly adjusted. Any borrowers who are not able to pay as per their original schedule i.e., in March, April and May 2020 will not be reported as “default” to the credit bureaus.  

3.  Will the borrowers pay interest for this period of March 2020 to May 2020?

Res) Interest will continue to accrue (accumulate in simple terms) based on the outstanding balance on a daily basis for these loans. This additional interest will be paid along with the last instalment.  

4.  Can borrowers make repayments during this period till May 2020?

Res) Yes. Borrowers can continue making repayments during this moratorium period. Avanti encourages all borrowers whose income is less affected to continue making the repayment during this period.  This will help borrowers avoid paying additional interest at the end of the loan period.  

5.  What are the avenues for repayment available for the borrowers during the coming 2 months?

Res) Borrowers can make payment through digital modes like UPI, NEFT, IMPS, Banking correspondents to their Loan numbers (e-collect numbers).  

6.  Should the partner and agents continue collection on the field?

 Res) Considering the lockdown imposed by the Central government, Avanti strongly recommends all partners and agents not to go out for collections. However, you can reach out to the borrowers through tele-calling to educate them on the advantages of repayments, modes of digital payment, moratorium granted by Avanti etc. Continuous contact with borrowers will be crucial for you to ensure the collections effort is minimal from June 2020.  

7.  Should the borrowers/Partners inform Avanti through any official mode to avail this moratorium benefit?

 Res) Avanti, in consultation with its partners, has granted the moratorium to all loans due to the impact of COVID-19 on various livelihoods.  However, the borrowers can continue to make repayments to  their respective e-collect numbers, if they want to.  

8.  What about the overdue amount from previous months (Before March 2020)?

Res) The overdue amount will need to be paid by the borrower and there is no relief. Borrowers are strongly advised to use the digital modes of repayment to pay the overdue amount and thereby not accrue additional interest on them.  

9.  What if the borrowers have already paid their March 2020 due? Will this be refunded?

Res) Considering that the borrower has made their March 2020 due, it will be considered that they have made their June 2020 due amount (prepayment of due and hence lesser interest). However, Avanti strongly recommends the borrowers to continue making payments in June 2020 also. Thereby, they can pre-close the loan in a shorter period and pay lesser interest.

‍

‍

Data Privacy and Security Policy

This document is an electronic record interms of Information Technology Act, 2000 and rules there under as applicable. This electronic record is generated by a computer/electronic system and does not require any physical or digital signatures.

1. Introduction

a)  Avanti Finance Private Limited(“Company” / “Us” / “We” / “Our”) has entered into business relationships with various partners (“Partners”) under the respective partner engagement agreement or master services agreement (each of which is referred as “Agreement”) where by We appoint respective Persons (as defined below) as Partners (terms of the relevant Agreement) and engage them for the provision of certain services more particularly described in the Schedule of Services of the respective Agreement. In order to increase the efficiency of provision of services, the Partner maybe provided access and usage to Our Website (as defined below) on the terms as given under the respective Agreement.

b)  Moreover, access to Our Website is provided to any other Person who is not appointed as a Partner as mentioned in the paragraph above. Both classes of Persons (appointed Partners and other Persons) may have access and usage to Our Website and are recognized as Users in the manner as defined below.

c)  We consider User relationship and data security to be an important component of Our service offerings through Our Website. We are committed to maintaining the confidentiality, integrity and security of any Personal Information (as defined below) of Our Users. We are proud of Our privacy practices and the strength of Our Website security and want the User (as defined below) to know how We protect information of User and use it to provide Our products and services to User.

d)  This Data Privacy and Security Policy (“Policy”) gives a broad outline as to how We protect information provided by Users during the course of access and usage of Website. We constantly re-evaluate this Policy and adapt it to meet data security standards and to deal with new challenges.

e)  Where applicable, this Policy shall be read in conjunction with the respective Agreement for the respective User under which such User may have been given access to Our Website (including the App).

f)  By accessing or using Our Website, User consents and authorizes Us to collect, store, process, handle and use User Information (as defined below), in accordance with this Policy and any other terms and conditions of use of Website (as amended from time to time).

2. Definitions

In this Policy: (i) capitalized terms defined by inclusion in quotations and / or parenthesis have the meanings so ascribed; and (ii) the following terms shall have the following meanings assigned to them herein below:

“Applicable Law” includes all applicable Indian statutes, enactments, acts of the state legislature or parliament, laws, ordinances, rules, bye-laws, regulations, notifications, guidelines, directions, directives and orders of any governmental authority, statutory authority, board, as may be applicable including but not limited to Reserve Bank of India and in each case, any implementing regulation or interpretation issued thereunder including any successor Applicable Law;  

“Non-Personal Information” shall have the meaning as provided under Paragraph 3(e) of this Policy;

“Person” shall mean any individual (including personal representatives, executors or heirs of a deceased individual) or legal entity, including but not limited to, any partnership, joint venture, corporation, trust, unincorporated organisation, limited liability company, limited liability partnership or governmental authority;

“Personal Information” shall mean certain personally identifiable information of the User as specified under Paragraph 3(a) of this Policy;

“User”/ “You” / “Your” shall mean any natural or legal person who has access to and is using Website;

“User Information” shall have the meaning as provided under Paragraph 3(h) of this Policy; and “Website” shall mean and include https://avantifinance.in, mobile application of

Company including with the name Avanti Early Access (“App”), any success or website/ applications, any website of related entity or any other channel facilitated and permitted by Company including but not limited to App, any other digital medium including phone, displays, emails, social media interfaces, messaging interfaces, wallet, payment intermediaries using Company’s interface.

3. Collection, Storage and Use of Information Personal Information:

a)  We may collect Your Personal Information when You voluntarily and successfully submit information against relevant fields on Our Website. Personal Information is the data that, alone or in combination with other information, can be used to uniquely identify You (“Personal Information”). Personal Information may include, without limitation, the following:

(i)  Name

(ii)  User ID(s)

(iii)  Phone numbers

(iv)  Email address (es)

(v)  Mailing addresses

(vi)  Banking and other financial data

(vii)  Government identification numbers, eg., driver’s license number

(viii)  Date of birth

(ix)  Gender

(x)  Health and disability data

(xi)  Family information

(xii)  Financial and asset information

b)  In particular, if You register/log in to Our Website through any social media platform (for example, Google), then We may collect the following information:

(i)  The email/phone number used on the social media platform to register/ log in;

(ii)  The display name connected to the relevant social media account used; and

(iii)  The profile image (if any)connected to the relevant social media account used.

c)  Please note that the information We obtain from such social media accounts also depends on the privacy policies of the social media platforms and Your respective settings therein. Please check the respective policies to understand the privacy practices of those social media platforms.

d)  In case of Partners, We may request such additional Personal Information as may be specified in or as part of the respective Agreement.

e)  Purpose of Collection of Personal Information: Your Personal Information is collected when You voluntarily submit such information. It is used, handled and stored by Us for the purposes of Your identification/ verification and/or creation of Your account on Our Website. Accordingly, such information shall be retained by Us till the time You have access and use of Our Website or You communicate to Us Your decision to withdraw Your permission to store and retain such information. We will not retain Your Personal Information for longer than is required for the purpose herein. Non-Personal Information:

f)  When You visit the Website, We may collect certain non-personal information for the purpose of enhancing You ruse of the Website (“Non-Personal Information”). This Non-Personal Information is in the nature of technical and navigational information generated each time You visit the Website, which are saved in Our server logs. The Non-Personal Information may include, without limitation, the following details in respect of:

(i)  the server (Internet Protocol)from where the Website is being accessed;

(ii)  the browser and operating system used to browse the Website;

(iii)  links clicked, scrolled and pages visited;

(iv)  details of Your last visit to the Website, including time, date and the duration of Your session on the Website, etc.; and/or (v) cookies as per Paragraph4 of this Policy.

g)  Purpose of Collection of Non-Personal Information: Non-Personal Information is in the form of encrypted statistics, which helps Us in improving the efficiency of the Website by giving Us information relating to Your use of the Website.

h)  Personal Information and Non-Personal Information are together referred to as “User Information” in this Policy.

i)  By using Website, You consent and authorize Us to collect, store, process, handle and use such User Information, in accordance with this Policy and any other terms and conditions of use of Website (as amended from time to time).

j)  We reserve the right to retain such User Information that forms part of anonymized and aggregated data derived from User Information which may be used for improvement of Our Website, to produce analytical reports, marketing, advertising or such other activities asWe may deem fit.

4. Cookies

a)  Like most other sites, We use data collection devices known as “cookies” to collect and store information of Users visiting the Website. A cookie is an alpha-numeric identifier, which is small amount of data that is sent to a User’s browser from a web server and is eventually

stored on a User’s computer hard drive. Cookies are a reliable mechanism to remember the activities of the User on the Website and help in improving Your experience on the Website.

b)  We may set and access cookies on Your computer to track and store preferential information about You. We may gather information about You through cookie technology. This anonymous information is maintained distinctly and is not linked to the Personal Information You submit to Us. The option of accepting cookies is up to You, however certain features of the Website including Content and the forms may not be accessible without accepting cookies. If You choose to eliminate cookies, the full functionality of the Website may be impaired for You.

c)  Most cookies are session cookies that are automatically deleted from Your device’s hard drive when You close the browser/App. Additionally, You may encounter cookies or other similar devices on certain pages of the Website that are placed by third parties. We do not control the use of cookies by third parties and shall not be liable for any reason whatsoever for these third- party cookies.

d)  We may use third party service providers to help Us analyse certain online activities. For example, these service providers may help us measure the performance of Our online campaigns or analyse visitor activity on the Website. We may permit these service providers to use cookies and other technologies to perform these services for Company. We do not share any Personal Information with these third party service providers, and these service providers do not collect such information on Our behalf.

5. User Rights

a)  Review:

To ensure the accuracy and adequacy of the Personal Information provided by You, You shall at all times have the option of reviewing the same by requesting Us in the manner as provided under Paragraph 10 of this Policy.

b)  Withdrawal of Consent:

You shall at all times have the option of refusing / withdrawing Your consent for the collection, storage and retention of Your Personal Information. In case of Partners, their right to refuse /withdraw consent shall also be subject to the respective Agreement.

c)  Please note that Your refusal /withdrawal of consent may result in restriction/revocation of access and/or usage of Our Website. Please further refer to Paragraph10 of this Policy for the manner of communication with Us.

d)  Account Deletion:

You may choose to delete Your account at any time You like by requesting Us in the manner as provided under Paragraph 10. Please note that it may take up to 30 days to delete all of Your information, like the data stored in our backup systems. However, We may also preserve such information/data as required for legal reasons or to prevent harm. To delete your account, please click here.

6. Disclosure of User Information

a)  We do not share Your User Information with any third parties for commercial use or revenue generation. However, We may share User Information with third party service appointed by Us who may be located in India or outside India:

(i)  for sending SMS/ Email communications to You in relation to Website and Our products and services; and

(ii)  to improve and personalize Our products and services. This may involve, for example, activities such as troubleshooting and protection against errors; data analysis and testing; and developing new features.

b)  We ensure that such third-party service providers maintain strict confidentiality (ensuring the same level of confidentiality as maintained by Us) in respect of User Information. Our third party service providers are required to comply fully with this Policy.

c)  Further, We reserve the right to utilize, share and/or disclose User Information if:

(i)  required to do so to comply with orders of governmental authorities that have jurisdiction over it or as otherwise required by Applicable Law after providing You a written intimation prior to such disclosure; and/or

(ii)  We determine, in Our sole discretion that disclosure of User Information is necessary to identify, contact, or bring legal action against You.

7. Indemnification

You agree to indemnify, defend and hold harmless Us and Our parent, subsidiaries, affiliates, partners, officers, directors, agents, contractors, licensors, service providers, subcontractors, suppliers, interns and employees, harmless from any claim or demand, including reasonable attorneys’ fees, made by any third-party due to or arising out of Your breach of this Policy or the documents they incorporate by reference(including the respective Agreement, where applicable for use of Website), or Your violation of any law or the rights of a third party.

8. Security Precautions

To prevent any form of unlawful interception or misuse of User Information, We use reasonable physical, electronic and managerial procedures to safeguard and secure User Information collected. We use reasonable secure and technologically appropriate measures, in compliance with the Information Technology Act, 2000 and the rules related there to to protect You against loss or misuse of Your User Information including internal reviews of data collection, storage and processing practices and other reasonable security measures which are equivalent to security measures that We use to protect Our own confidential information. However, as You are aware, no internet website or online platform is completely free of security risks and We do not make any representation in respect of the same.

9. Change in Privacy Policy

We reserve the right to update, modify and amend any of the terms of this Policy, at any time without prior intimation to You. These changes will become effective immediately on posting. We shall not be liable for any failure or negligence on Your part to review the updated Policy before accessing Website. Your continued access to Website, following changes to this Policy, will constitute Your acceptance of those changes.

10. Contacting Us

If You have any queries regarding: (i)this Policy; (ii) information and/or services available on Website, or (iii)Your dealings with Us or believe that We have not adhered to it, You may contact Us at Urvashi Bahirsheth, Company Secretary at urvashi@avantifinance.in.

11. Email Opt-Out

You can opt out of receiving Our marketing and update emails. To stop receiving Our promotional emails, please email at info@avantifinance.in. It may take about ten days to process Your request. Please note that Your opting out of getting marketing messages would still enable You to receive transactional messages through email and SMS in relation to Your usage/access of Website.

12. Policy Review and Updates

The implementation of this policy shall be monitored and reviewed periodically by the Board of the Company.

This Policy was:

(i)  Drafted on behalf of the Company by: Mrs. Urvashi Bahirsheth, Company Secretary

(ii)  Internally reviewed by: Mr.Manish Thakkar, COO

(iii)  Approved by the Board of the Company on: June 04, 2021, Revision 1 on : March 13, 2023

This revised Policy comes into effect from date of approval of the Board.

Repayment Moratorium Policy of Avanti Finance Private Limited

Reserve Bank of India (RBI) has released the Statement of Developmental and Regulatory Policies on March 27, 2020 that directly addresses the stress in financial conditions caused by COVID-19. One of the policies relates to easing financial stress caused by COVID-19 disruptions by relaxing repayment pressures and improving access to working capital. In this area, RBI has permitted all lending institutions including NBFCs to grant a moratorium of three months on payment of all instalments falling due between March 1, 2020 and May 31, 2020. RBI has permitted to shift the repayment schedules and all subsequent due dates, as also the tenor for such loans across the board by three months. RBI has also asked all the lending institutions to put in place a Board approved policy in this regard. Our company being a Non-Banking Finance Company registered with RBI has framed the following policy after considering the policy guidelines issued by RBI vide circular no. RBI/2019-20/186 DOR. No. BP. BC. 47 / 21.04.048 /2019-20 dated March 27, 2020: Approved by the Board of Directors of Avanti Finance Private Limited on April 03, 2020 Relief measures approved by the Board for the retail loans outstanding as on March 31, 2020

1. All borrowers will be given the option of a moratorium for EMI falling due between the period March 01, 2020 to May 31, 2020 (upto 92 days) without a change in the EMI amount.

1. All borrowers will be given an option to continue making repayments falling due between the moratorium period in case their cash flows permit & they are not in favour of extending their loan tenure & paying additional accrued interest for the moratorium period.
2. Interest will continue to accrue on the outstanding portion of the term loans during the moratorium periodand will be collected along with the last EMI or additional installment.
3. The revised asset classification of the loans will be on the basis of revised due dates and the revised repayment schedule. The same will be shared with the Credit Information Companies (Regulatory requirement).

Relief measures approved by the Board for the institutional loans outstanding as on March 31, 2020 All institutional borrowers will be provided an option to opt for moratorium. However, decision pertaining to grant of moratorium will be solely made by Avanti, on a case to case basis. For further details, you may click here for FAQs related to moratorium under Covid-19. In case you seek any clarification, you may write to us at info@avantifinance.in.

Client Privacy Policy

_{1. SCOPE AND PURPOSE OF THIS POLICY}

1. 1.1 In this Client Privacy Policy (“Policy”), “we” or “us” or “our” means Avanti Finance Private Limited (“Company”), and includes its executive directors, officers, employees, as the context may require.
2. 1.2 The scope of this Policy is to ensure the protection of interests of Clients (as defined below) of Company in respect of personal information shared by Clients with Company and provide a broad-level mechanism to regulate the use of such information by the Company.
3. 1.3 This Policy has been framed and adopted by us in line with our commitments under the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules,2011 and other applicable laws of India.
4. 1.4 This Policy applies to all persons (natural or juristic) who seek to or have availed loan from Company or from any other financial institution wherein Company acts in the capacity of business correspondent or any other similar capacity (“Clients”), and have, in the process, shared their personal information with Company (“Client Information”).

1. 1.5 This Policy delineates various measures that we shall endeavour to take in operationalising our commitment.
2. 1.6 By agreeing to avail the services offered by Company, Client agrees to the collection and use of Client Information by Company.

‍

‍_{2. TYPES OF CLIENT INFORMATION COLLECTED}

2.1 Company may, for the purpose of providing services to Clients, collect the following types of Client Information:

1. 2.1.1 Personal Information: Includes any information collected from the Client that is about his/her family, health, consumption behaviour, personal preferences, attitudes, beliefs or living conditions. It may include the following:

         (i) Name, gender, residential / correspondence address, telephone number, date of birth,          marital status, size of family, details of family members, email address or other contact          information; and/or

         (ii) PAN, KYC Status, signature and/or photograph.

         No biometric data is stored/ collected in the systems, unless allowed under extant statutory          guidelines

1. 2.1.2 Financial Information: Includes any information collected from the Client regarding his/her businesses, income, expenses, immoveable assets, moveable assets, loans outstanding, repayment history, guarantors, or collateral Bank account or other payment instrument details; or any other detail which may be required by us for providing services.

2.2 Client Information is collected from Client on a voluntary basis and is necessary in order for the Client to avail services from Company. Client is not required to provide the Client Information that the Company requests, and, if Client chooses not to do so, Company may not be able to provide Client with services or respond to any queries Client may have. Company and its affiliates may share this Client Information with each other and use it consistent with this Policy. They may also combine it with other information to provide and improve Company products, services, content, and advertising.

2.3 To ensure the accuracy and adequacy of the Client Information, Client shall at all times have the option of reviewing the same by requesting Us in the manner as provided under paragraph 7.2 of this Policy.

‍

_{3. PURPOSE OF COLLECTION}

3.1 Company collects, retains, and uses Client Information in order to provide financial and other services to Clients. Accordingly, such information is collected for specified business purposes, such as:

1. 3.1.1 to process financial and non-financial transaction request;
2. 3.1.2 to undertake research and analytics for offering or improving Company services;
3. 3.1.3 to check and process Client’s applications which may be submitted for availing any financial services;
4. 3.1.4 to share any updates/changes to the services and their terms and conditions with Client;
5. 3.1.5 to take up and investigate any complaints/claims/disputes;
6. 3.1.6 to respond to Client’s queries and feedback submitted by Client;
7. 3.1.7 for verification of Client’s identity and other parameters; and
8. 3.1.8 to fulfil the requirements of applicable laws / regulations and / or court orders /regulatory directives.

‍

_{4. DISCLOSURE OF CLIENT INFORMATION}

4.1 Company may disclose Client Information only under the following circumstances (List available at https://www.avantifinance.in/policies#digital-lending-complaince):

1. 4.1.1 RBI/SEBI/ NSE/ BSE/ MCX /Asset Management Companies of Mutual Funds /Registrar and transfer Agents / Collecting Banks / KYC Registration Agencies and other such agencies, solely for the purpose of processing your transaction requests for serving you better;
2. 4.1.2 To process loans with any other bank/non-banking financial company/other financial institution where Company is acting as agent/banking correspondent or in any similar capacity under a valid contract;
3. 4.1.3 As part of valid contracts with service providers such as Credit bureaus, NSDL,etc; as required for the purpose of loan processing and any research agencies/ external consultants, etc.
4. 4.1.4 Where Client has permitted Company to disclose Client Information to a third party located in India or outside India, Company shall ensure that there is written permission from the Client authorising the disclosure, except where the disclosure is required under law.

‍

_{5. RETENTION OF CLIENT INFORMATION}

1. 5.1 Company shall not retain or store Client Information for periods longer than is required except when such information may lawfully be used or is otherwise required under any other law for the time being in force or for the purpose of fraud prevention or regulatory compliance. Typically, Company may retain Client Information for 10 (ten) years. For the first 5 (five) years, such Client Information shall be deemed (for internal purposes) as `Active Data’ and which may be accessed by Company’s personnel (on a need-to-know basis) for the purpose of delivery of Company’s services, internal records management, permitted disclosure to third parties and/or compliance under law. Thereafter, provided there is no interaction of Company with the relevant Client, it shall be treated (for internal purposes) as `Passive Data’. Company’s personnel may be provided access to Passive Data only upon express written permission of Chief Risk Officer (CRO).
2. 5.2 By agreeing to avail the services offered by Company, Client has agreed to the collection and use of Client Information by Company. Client has the right to refuse or withdraw his/her consent to share/disseminate Client Information by contacting the Chief Operating Officer of the Company. However, in the event of your refusal or withdrawal of consent, Client shall not be able to avail any services of Company to the fullest extent.
3. 5.3 Data Destruction Practices: Subject to law, Company’s data destruction practice is set out herein. All computer desktops, laptops, hard drives, and portable media are processed for proper disposal. Paper and hard copy records shall be disposed of in a secure manner. The destruction of data shall address the following:

         (i) evaluation and final disposition of sensitive information, hardware, or electronic media          regardless of media format or type.

         (ii) procedures may include shredding, incinerating, or pulp of hard copy materials so that          sensitive information cannot be reconstructed.

         (iii) Electronic Media (physical disks, tape cartridge, CDs, printer ribbons, flash drives, printer          and copier hard-drives, etc.) shall be disposed of by one of the methods:

              • Overwriting Magnetic Media - Overwriting uses a program to write binary data sector by                  sector onto the media that requires sanitization;

              • Degaussing - Degaussing consists of using strong magnets or electric degaussing                 equipment to magnetically scramble the data on a hard drive into an unrecoverable                 state.

‍

_{6.  SECURITY PRACTICES AND CONTROL MECHANISM}

1. 6.1 Company uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of Client Information. These include internal reviews of our data collection, storage and processing practices and security measures, such as appropriate encryption and physical security measures to guard against unauthorized access to systems where we store personal data.
2. 6.2 Company maintains physical and electronic safeguards to protect Clients’ personal and financial information. Company has placed the mechanisms outlined below to ensure information – both physical and electronic data storage, access, retrieval, sharing of data.

Information Management and Data Security

1. 6.3 Records may be transferred from and between offices of Company/ third party service providers for record keeping purposes. We ensure that such third-party service providers maintain strict confidentiality (ensuring the same level of confidentiality as maintained by Us) in respect of Client Information.
2. 6.4 The database of current Clients and those Clients who do not have any current loan outstanding with Company are properly archived and kept and stored in the same manner as we store data/ documents of our Clients.
3. 6.5 All Client data/ records/ documents/ information shall be maintained by Company for such time period as may be required as per applicable laws.

_{Specific Authorization}

1. 6.6 Authorized personnel may see data from all the branches, but rights to edit or modify the data is given to select personnel with specific login access.
2. 6.7 Client database changes require the Chief Risk Officer, Chief Operating Officer and Chief of Partnerships to authorise/ approve the changes.
3. 6.8 Each personnel who accesses the database uses an individual username and password.
4. 6.9 Whenever an employee logs into the database, their name, the information they query,
5. 6.10 Company has a strong back-up system in which it uses a combination of hardcopy and digital backups of Client information. Company’s system backsup all information on our cloud servers located in India periodically.

‍

_{7. COMPLAINT REDRESSAL MECHANISM}

7.1 It is the Company’s constant endeavour to put the interest of its Clients first and to provide with financial solutions that are right for them. In keeping with its promise, the Company looks forward to receiving both positive and negative feedback from the Clients on its products and services.

7.2 Any discrepancies and grievances related to the processing and use of Client information can be raised to the grievance officer appointed by Company as below:

Mr. Sunil Kumar Tadepalli

sunil.kumar.t@avantifinance.in

The grievances of the Clients will be redressed in the manner provided below:

1. (i) Clients can register grievances through email id and toll-free number provided at the Company’s branches / Head Office / website and at any other place where the business of the Company is transacted.
2. (ii) After examining the matter, the Company will endeavour to send the Client its response expeditiously and intimate the stakeholder how to escalate the complaint to higher level, if they are not satisfied with the response.
3. (iii) Clients have to confirm whether the grievance has been resolved to their satisfaction or not. The grievance will be deemed to be closed, if Client does not respond via toll free number or email.
4. (iv) The Company shall also request the Client to provide feedback on the services rendered. This can be done through direct contact by staff or through specific stakeholder satisfaction surveys that may be conducted from time to time.

1. (v) A periodical review of the above mechanism at various levels of management would be undertaken by the Company.

‍

_{8.  Policy Review updated}

This document shall be reviewed by the CRO, and shall be reviewed at least once a year. Reviews shall also account for any significant business changes and/or any regulatory requirements.

This Policy was:

I. Drafted on behalf of the Company by: Mr. Manish Thakkar, COO and the time when the request is made, are all recorded in a query log.

II. Internally reviewed by: Mr. Nagaraj Subrahmanya, CRO

III. Approved by the Board of the Company on: June 05, 2021, Revision 1 on : March 13, 2023 , Revision 2 on: August 10, 2023, Revision 3 on: October 31, 2023.

‍

Members of the Committee:

Chief Risk Officer (CRO), Chief Operating Officer (COO), Chief of Partnerships (COP) and Chief Product Officer (CPO)

Invitee:

Company Secretary, Chief Audit Officer (CAO), Chief Financial Officer (CFO) and VP of Product.

Quorum:

Minimum three members of the committee‍

Chairperson of the meeting: 

The Chief Operating Officer (COO). In case, the Chief Operating Officer (COO) who is the Chairman of the IT Steering Committee is absent from the meeting, then the members of the IT Steering Committee should nominate the Chairman for the meeting from the members who are present at the meeting.

Purpose:

The primary role of The Information Technology Steering Committee (ITSC) is to exercise oversight and governance over the organization’s IT function.

Responsibilities:

Accountability is a key concern of IT governance and this may be achieved via an organizational structure that has well-defined roles for the responsibility of information, business processes, applications, and IT infrastructure.

The IT Steering Committee is responsible for the following:

a.  Understanding technology risks that confront the organization and ensuring that they are properly managed and mitigated.

b.  Monitoring IT performance and recommending appropriate actions to ensure the achievement of desired results. Such as;

(i).  Providing the Board with adequate information on IT performance, the status of major IT projects or other significant issues, to enable the Board to make well- informed decisions on the Organization’s IT operations.

(ii).  Review, regular monitoring, and recommend revisions to the Board, of the Organization’s IT Strategic Plan in the context of the business strategy.

c.  Compliance oversight

d.  Review and assessment of the adequacy of the Terms of Reference at least annually or updating whenever there are significant changes therein, and ensuring that subsequent changes are approved by the Board of Directors.

Authority:

The IT Steering Committee advises the Chief Product Officer about current and future IT-related issues, initiatives, and recommendations.

Frequency of the meeting:

The IT Steering Committee will meet at least once every quarter or as needed to accomplish its duties

Agenda for the meeting:

Will be shared by the COO before every meeting

Notice for the meeting:

Meeting notice should be shared a week before the meeting

Regulatory requirements:

The meeting should be recorded and MOM should be added to the board pack, for all four meetings.

Reporting:

The ITSC shall present or submit periodic reports to the Board offering a summary of its activities, issues, and related recommendations, delivered by the CPO. In addition, committee members will disseminate meeting agendas, minutes and supporting documents to ensure that various stakeholders of AFPL are aware of the work and recommendations of the committee.

Charter Review updated

This document shall be reviewed by the COO, and shall be reviewed at least once a year. Reviews shall also account for any significant business changes and/or any regulatory requirements.

This Charter was:

i.  Drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO Manish Thakkar, COO

ii.  Internally reviewed by: Mr. Manish Thakkar, COO

ii.  Approved by the Board of the Company on: March 13, 2023

Members of the Committee

Chief Executive Officer (CEO), Chief Risk Officer (CRO), Chief Operating Officer (COO), Chief Product Officer (CPO), Chief of Partnerships (COP)

Invitee

Company Secretary, Chief Audit Officer (CAO), Chief Financial Officer (CFO)

‍Chairperson

The Chairman of the Information Technology Strategy Committee shall be an independent Director, who is nominated by the board members. In case, the independent director who is the Chairman of the ITSC is not present for the meeting, then the members of the ITSC should nominate the Chairman for the meeting from the members who are present at the meeting.

Quorum

Minimum three members of the committee.

Frequency of the meeting

Once every three months. The Chairperson of ITSC should attend the ITSC strategy meeting once every six months. The IT Strategy Committee will meet at least once every quarter or as needed to accomplish its duties.

Terms of reference

Role of IT Strategy Committee can be referred from the Terms of reference of the IT strategy committee document.

Charter Review updated

This document shall be reviewed by the COO, and shall be reviewed at least once a year. Reviews shall also account for any significant business changes and/or any regulatory requirements.

This Charter was:

• (I).  Drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO Manish Thakkar, COO
• (II).  Internally reviewed by: Mr. Manish Thakkar, COO
• (III).  Approved by the Board of the Company on: March 13, 2023

1. Introduction 

Avanti Finance Private Limited (AFPL) provides access to information, physical assets, computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with company policies and protects the company against any damages to assets or relevant legal issues emerging from unacceptable use of assets. 

Over the past two decades, the proliferation of technology has enabled the cohabitation of human beings with constantly connected devices, networks, software and services. As a digital-first financial services entity, Avanti Finance Private Limited has built a digital lending platform that benefits both consumers and businesses from the active interactions between people and technology. 

AFPL conducts business in a complex environment of opportunities, risks, vulnerabilities and threats. The Cyber Security Policy offers broad guidelines to AFPL concerning the Identification, Protection, Detection, Response, and Recovery of people and systems, building agility and resilience for the organisation. 

The Reserve Bank of India has regularly issued guidelines to the sector concerning the protection of information and people. These guidelines cover aspects related to Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. The Cyber Security Policy of AFPL seeks to assist its management and employees to take note of the dynamic ecosystem of technological evolution and persistent threats, remaining alert to risks and producing processes and practices to protect the organisation and its various stakeholders.

The Cyber Security Policy shall protect the interests of the business, internal and external stakeholders, including customers, business partners and employees. It also helps the organisation fulfill statutory & regulatory requirements. In instances, where the policy may not afford explicit or unambiguous guidelines on a relevant aspect of cyber security, the management and employees are encouraged to embrace leading practices borrowing from leading competitors.

Each individual and entity interacting, using or administering AFPL’s technology and information assets shall abide by this policy. The policy serves to inform customers, employees, vendors and other authorized users of their obligatory requirements for protecting the technology and information assets of the business. The policy describes some of the user’s responsibilities and privileges. The policy describes user limitations and informs users there will be penalties for violation of the policy 

2. Objectives 

The objectives of the policy include but are not limited to - 

1. Protect the Confidentiality, Integrity and Availability of the information assets of the organisation
2. Maintain the privacy of customer information and any proprietary business information 
3. Comply with relevant regulatory and statutory requirements in a timely manner 
4. Establish responsibility and accountability for cyber security in the organisation 
5. Ensure the effective management of related incidents 
6. Protect information at rest, motion, use and change 

3. Scope 

All employees, contractors, consultants, temporary and other workers at AFPL, including all personnel affiliated with third parties must adhere to this policy. This policy applies to information assets owned or leased by AFPL, or to devices that connect to an AFPL network or reside at an AFPL site. 

The IT team, vendors and related outsourcing partners shall practice secure measures to protect the organisation. These activities shall cover the following elements –

1. Network Management and Security 
2. Secure Configuration 
3. Application Security Life Cycle (ASLC)
4. Patch/Vulnerability & Change Management 
5. User Access Control / Management
6. Authentication Framework for partners and customers
7. Secure mail and messaging systems
8. Vendor Risk Management
9. Protect Removable Media
10. Anti-Phishing Measures
11. Data Leak Prevention strategies
12. Maintenance, Monitoring, and Analysis of Audit Logs
13. Audit Log Settings
14. Vulnerability Assessment and Penetration Test
15. Incident Response & Management

4. Governance

The information security team shall be responsible for the day-to-day implementation of Cyber Security related measures at AFPL. The Chief Operations Officer shall be accountable for the effective management of the team. The Information Security Committee and IT Strategy Committee shall review the work performed by the team and offer oversight and support to the function. The COO shall present the workings of the Cyber Security team to the board on an annual basis, or upon facing any severe disruption lasting more than twelve hours due to the lack of or failure of cyber security controls. 

The IT Steering committee will take care of all the roles and responsibilities of the Information Security Committee. 

Role of the IT Strategy Committee can be referred from the Terms of reference of the IT strategy committee document. 

Role of Information Security Committee

1. Review cyber security incidents and relevant responses
2. Ensure cyber security awareness and training for the employees of the organisation
3. Review the implementation of cyber security related procedures
4. Plan and implement periodic vulnerability assessment and penetration testing by independent, suitably qualified entities
5. Review VAPT reports and relevant action taken measures to ensure correction and compliance within a reasonable period of time
6. Ensure adequate allocation of resources for the effective implementation of cyber security controls 
7. Evaluate and provide approval/rejection decisions related to resource allocations
8. Offer an annual report to the board declaring the security posture of AFPL, including a
   summary of risks and controls 

5. Monitoring & Review 

The policy and procedures related to cyber security shall be reviewed at least once annually. In the event of a significant systems change (including process, hardware and software) or an unplanned disruption lasting more than twelve hours, the policy and procedures shall be called into review with immediate effect, irrespective of the date of the previous review.

Observations and incidents shall be recorded in Jira at the instance they reach the attention of an employee, partner or any other stakeholder internal or external to the business. These incidents shall be assigned relevant priority and addressed effectively by the cyber security team. All changes to the systems, processes and controls shall be submitted to the Information Security Committee for their review each month.

A thorough VAPT by a suitably qualified entity shall be conducted at least once in six months or at any significant change/event, whichever occurs earlier. 

Individuals or entities, including the senior management of the organisation, violating the cyber security policy, procedures or controls shall be presented to the Information Security Committee for a violation review. The committee shall exercise its collective powers to initiate and complete appropriate disciplinary action, including termination from services, where necessary without any limitation or hindrance. The aggrieved entity can appeal the decision made by the ISC through an immediate appeal to the IT Strategy Committee. Any appeal shall be made within twelve hours of the ISC decision. In the interim period between the initial verdict and the consideration of the appeal, the aggrieved entity shall remain disallowed from any form of access to the information assets of the organisation. Further and final action can be communicated and implemented with no further internal recourse to the entity violation policy, procedure or controls. If any member or chair of a particular committee is deemed to commit such a violation, they shall excuse themselves from the duties of the committee till a final decision is implemented by the organisation. 

The cyber security team shall collect and report a summary of cyber security incidents to the RBI and any other relevant statutory body at least once in six months. In the event of no incident, a zero-incident report shall be submitted at the same interval. However, in the event of any significant incident causing financial loss to a customer or business, or a business disruption lasting more than twelve hours, the RBI shall be provided detailed information of the particular incident within five business days from the time of the incident. 

The next section of this policy document shall cover key elements of interest for AFPL and its stakeholders, with a view to strengthening and sustaining a strong cyber security culture for the organisation. 

I. Confidential Data

AFPL defines "confidential data" as: 

1. Unreleased and classified financial information 
2. Customer, supplier, and shareholder information
3. Customer leads and sales-related data
4. Patents, business processes, and/or new technologies 
5. Employees' passwords, assignments, and personal information
6. Company contracts and legal records

II. Device Security Company Use 

To ensure the security of all company-issued devices and information, AFPL employees are required to: 

1. Keep all company-issued devices, including tablets, computers, and mobile devices, password-protected (minimum of 8 characters) 
2. Device should be locked when left unattended 
3. Refrain from sharing private passwords with coworkers, personal acquaintances, senior personnel, and/or shareholders
4. Regularly update devices with the latest security software

Personal Use

AFPL recognizes that employees may be required to use personal devices to access company systems. In these cases, employees must report this information to management for record- keeping purposes. To ensure company systems are protected, all employees are required to: 

1. Keep all devices password-protected (minimum of 6 characters for mobile, 8 characters for other handheld or desktop equipment and devices)
2. Ensure all personal devices used to access company-related systems are password protected
3. Lock all devices if left unattended
4. Ensure all devices are protected at all times
5.  Always use secure and private networks

III. Email Security 

Protecting email systems is a high priority as emails can lead to data theft, scams, and carry malicious software like worms and bugs. Therefore, AFPL requires all employees to:

1. Verify the legitimacy of each email, including the email address and sender name
2. Avoid opening suspicious emails, attachments, and clicking on links
3. Look for any significant grammatical errors 
4.  Avoid clickbait titles and links
5. Contact isms@avantifinance.in upon receipt of any suspicious emails 

IV. Data Transfer 

AFPL recognizes the security risks of transferring confidential data internally and/or externally. To minimize the chances of data theft, we instruct all employees to: 

1. Refrain from transferring classified information to employees and outside parties 
2. Only transfer confidential data over AFPL networks, use Cloud services related access
   controlled links
3. Obtain the necessary authorization from senior management
4. Verify the recipient of the information and ensure they have the appropriate security measures in place 
5. Adhere to AFPL data protection guidelines and non-disclosure agreements
6. Immediately alert isms@avantifinance.in of any breaches, malicious software, and/or
   scams 

6. Disciplinary Action 

Violation of this policy can lead to disciplinary action, up to and including termination. AFPL’s disciplinary protocols are based on the severity of the violation. Unintentional violations only warrant a verbal warning, repeat violations of the same nature can lead to a written warning, and intentional violations can lead to suspension and/or termination, depending on the circumstances of the case. 

7. Awareness 

The management shall ensure that stakeholders have access to the policy and awareness of their responsibilities toward the organisation. An awareness session shall be conducted at least once in six months. Awareness shall be considered an ongoing effort and stakeholders shall be informed of the relevant risks and controls regularly using media such as emails, internal meetings and discussions. 

8. References 

1. AFPL Information Security Policy

This Policy was:

• I.   Drafted on behalf of the Company by: Ms Nalini Chinta 
• II.  Internally reviewed by: Mr Nagaraj Subrahmanya, CRO and Mr Manish Thakkar,
        COO. 
• III. Approved by the Board of the Company on: March 13, 2023
  

1. Introduction

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has framed the Policy on Asset Classification and Provisioning Norms (hereafter referred to as “Asset Classification and Provisioning Norms Policy” or “the Policy”) to set out the guidelines, principles and approach to manage NPAs of the Company and put in place a framework to identify, assess, measure, monitor, control and containment of NPA at minimum level and ensuring that their impingement on financials are minimum.

2. Objectives of the Policy

This Policy on Asset Classification and Provisioning Norms is applicable to all lending activities of the Company. 

The quality and performances of advances have a direct bearing on the profitability of the Company. Despite an efficient credit appraisal, disbursement and monitoring mechanism, problems can still arise due to various factors and give scope for Non- Performing Assets (NPA). These factors may be internal or external. 

The objective of the Policy on Asset Classification and Provisioning Norms is to ensure that asset quality of the company remains sound on a sustained basis and adequate provision is made on non-performing assets.

‍3. Scope 

The Policy on Asset Classification and Provisioning Norms attempts to analyse the common reasons for delinquency and suggests preventive measures for avoidance of default. The scope of the Policy would include the following: 

• i.  Provide standards and guidance towards identification, classification and provisioning of NPAs. 
• ii.  Provide the roles and responsibilities for the activities relating to the recognition of non- performing assets (“NPAs”) and provisioning on assets 
• iii.  Provide process of review and control
• iv.  Provide reporting and disclosures relating to NPAs and provisioning 
• v.  Strengthen the management of NPAs and proactive initiatives to prevent generation of fresh NPAs. 

4.Income Recognition 

Income from Non-Performing Assets (NPA) is not recognised on accrual basis but is recognised as income only when it is actually received. Therefore, the Company should not charge and take to income account interest on any NPA. 

Fees and commissions earned by the Company as a result of re-negotiations or rescheduling of outstanding debts should be recognised on an accrual basis over the period of time covered by the re-negotiated or rescheduled extension of credit.

4.1.  Reversal of Income 

For advances which becomes NPA, the entire accrued interest which has been credited to income account in the past periods, shall be reversed if the same is not realised. 

Fees, commission and similar income that have accrued to NPAs shall cease to accrue in the current period and reversed with respect to past periods, if uncollected. 

Passing of entries for reversal of interest is to be done only for those accounts, which have been identified as fresh NPAs. 

4.2.  Appropriation of recovery in NPAs 

Interest realised on NPAs may be taken to income account if the credits in the accounts towards interest are not out of fresh/ additional credit facilities sanctioned to the borrower concerned. 

In the absence of any specific agreement between the Company and the borrower, any recoveries in NPA shall be first adjusted towards the unpaid principal and residual amount, if any, shall be adjusted towards unrealized interest/charges. This appropriation logic requires a change to the platform and hence will be effective only once the necessary changes are made on the platform. Until then, appropriation logic used will be as earlier - first adjust to unrealized interest / charges and then the residual amount, if any, will be adjusted to the principal. 

4.3.  Recoveries in Compromise Settlements 

Recoveries in NPA accounts in which compromise is accepted and the compromise amount is less than or equivalent to the real account balance, shall be adjusted to the real account balance only. 

For NPA accounts in which compromise is accepted and the compromise amount is more than the real account balance, recovery over and above the real account balance shall be credited to P&L interest on Loans. Company shall ensure that compromise settlement is accepted as a last resort for recovery. It shall not be encouraged as a common practice. Approvals from designated authorities shall be reckoned for all such settlements. 

5. Asset Classification 

Non-Performing Assets

An asset becomes non-performing when it ceases to generate income for the Company. A "Non-performing Asset" (NPA) is a loan or an advance where, interest and/or instalment of principal remain overdue for a period of more than 90 days.

All accounts classified as Non-performing Assets are further classified into following three categories based on the period for which the asset has remained non-performing and the realisability of the dues: 

• 1.  Sub-standard Assets
• 2.  Doubtful Assets
• 3.  Loss Assets

Sub-standard Assets 

A Substandard asset would be one, 

• a)  which has remained NPA for a period less than or equal to 12 months. Such an asset will have well defined credit weaknesses that jeopardise the liquidation of the debt and are characterised by the distinct possibility that the Company will sustain some loss, if deficiencies are not corrected.
• b)  an asset where the terms of the agreement regarding interest and/ or principal have been renegotiated or rescheduled or restructured after commencement of operations, until the expiry of one year of satisfactory performance under the renegotiated or rescheduled or restructured terms. 

Doubtful Assets 

An asset would be classified as doubtful if it has remained in the Sub-standard category for a period more than 12 months. A loan classified as doubtful has all the weaknesses inherent in assets that were classified as sub-standard, with the added characteristic that the weaknesses make collection or liquidation in full, – on the basis of currently known facts, conditions and values – highly questionable and improbable. 

Loss Assets 

A loss asset is one where loss has been identified by the Company or internal or external auditors or the RBI inspection but the amount has not been written off wholly. In other words, such an asset is considered un-collectable and of such little value that its continuance as a bankable asset is not warranted although there may be some salvage or recovery value. 

Loan accounts classified as NPAs may be upgraded as ‘standard’ asset only if entire arrears of interest and principal are paid by the borrower. In case of borrowers having more than one credit facility, loan accounts shall be upgraded from NPA to standard asset category only upon repayment of entire arrears of interest and principal pertaining to all the credit facilities. 

6. Provisioning requirements 

In conformity with the prudential norms, provisions should be made on the non- performing assets on the basis of classification of assets into prescribed categories. Taking into account the time lag between an account becoming doubtful of recovery and its recognition as such the Company should make provision against sub-standard assets, doubtful assets and loss assets as below: 

6.1  Standard Assets 

Company shall make a provision of 0.40% of the outstanding Standard Assets which shall not be reckoned for arriving at NPAs. The provision towards standard assets should not be netted from gross advances but shall be shown separately as ‘Contingent Provisions against Standard Assets’ in the balance sheet. 

6.2  Sub-standard assets 

Company shall make a general provision of 10% of total outstanding of these assets. 

6.3  Doubtful Assets 

Company shall make a provision of 100% of the extent to which the advance is not covered by the realisable value of the security to which the Company has a valid recourse and the realisable value is estimated on a realistic basis. 

6.4  Loss Asset 

Loss asset should be written off. If the loss assets are permitted to remain in the books for any reason, 100% of the outstanding should be provided for. 

Additional provisions may be taken for certain loan accounts on the recommendations of the collections team based on their assessment of the collectability of the loan account. 

7. Write Offs 

All possible means of recovery of due amounts should be made prior to recommendation to write off the amount from the books of the Company. Waiver of legal action can be recommended only for cases where the management is satisfied that the borrower has no tangible security or attachable assets, has no adequate income for repayment and no useful purpose will be served by resorting to legal recourse. 

Guidelines for write off recommendation: 

• a)  Cases beyond 180 DPD should be recommended for write-off unless there is a reasonable indication that recovery is possible from the loan account 
• b)  Cases between 90 DPD and 180 DPD can also be recommended for write off if there is adequate indication that there is very little possibility of recovery from the loan account 
• c)  In cases of death, account may be written off prior to 90 DPD

Approvals for all write offs should be taken as per the approval matrix laid out in the Credit Committee Terms of Reference. 

Any recoveries from the written off loan will be entered in the system towards repayment of the borrower and the same shall be reduced from the written off amount. 

8. Reporting Requirement & Disclosures ‍

The Company shall disclose in their Annual Financial Statement:

1. NPAs and movement of NPAs 
2. Provision for NPA 
3. Product wise NPA
4. Concentration of NPA i.e. total exposure to top four NPA accounts. 

• The Company shall identify incipient stress in the account by creating a sub- asset category viz. 'Special Mention Accounts' (SMA) as outlined below. 

1. SMA-0: Principal or interest payment not overdue for more than 30 days but account showing signs of incipient stress 
2. SMA-1: Principal or interest payment overdue between 31-60 days 
3. SMA-2: Principal or interest payment overdue between 61-90 days 

The Company will report to the Central Repository of Information on Large Credits (CRILC) data on all borrowers' credit exposures including SMA categorized accounts having aggregate fund-based and non-fund based exposure of INR 50 million and above. 

9. Regulatory Reference 

This policy is framed as per the following regulatory references and in accordance with leading industry practice:

1. Master Direction - Non-Banking Financial Company - Systemically Important Non- Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016 i.e., every non-deposit accepting NBFC with asset size of Rs.500 crore and above (NBFCs-ND-SI) (Refer Para 6 & 8 of this policy) 

10. Policy Review and Updates 

The Policy shall be reviewed as and when required or at least once in a year, to suit the needs of the Company with the approval of the board and to comply with revised guidelines issued by RBI from time to time.

• (i)  Drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO
• (ii)  Internally reviewed by: Mr. Rahul Gupta, CEO 
• (iii)  Approved by the Board of the Company on: October 30, 2017, Revision 1 on: March 13, 2023

This revised Policy comes into effect from date of approval of the Board.

PURPOSE: 

The purpose of the Credit Committee is to assist the Board of Directors and Senior Management Team in fulfilling its responsibilities by providing oversight of Company policies and management activities relating to the identification, assessment, measurement, monitoring, and management of the Company’s credit risk. 

The Avanti Credit Committee (CC) shall have all the Senior Management Team (SMT) being part of the same. This consists of Chief Executive Officer (CEO), Chief Risk Officer (CRO), Chief Operating Officer (COO), Chief of Partnerships (COP) and Chief Product Officer (CPO). The CC may invite other members of the Avanti team or advisers by invitation. 

All partner onboarding and disbursements (including credit policy & pricing changes) will have to be approved by the CC. In addition to the above, only material events/programs shall be tabled to the CC. Other policy matters may also be tabled by any functional leader on items such as liquidity, capital allocation, significant investments, partner updates, external risks, data security etc. In some matters, the CC may also be used for circulations and noting purpose only as a functional leader may have brought an item to resolution via prior discussions. 

The CC will evaluate proposed material changes to Avanti's risk profile or risk appetite arising from planned new or increased business and/or the risks associated with entry into relationships, programs and/or geographical areas 

Portfolio management:
The CC, with a minimum quorum of 4 members, CRO mandatory, will review the company’s portfolio quality, discuss key issues and propose any remedial actions where required in a monthly CC Meeting for Portfolio Quality Review (PQR). 

This review will cover

• i)  Portfolio Trends 
• ii)  Delinquency Trends & Collections efficiency 
• iii)  Customer account management 
• iv)  Policy matters relating to

1. Delinquency and aging of accounts on system 
2. Provisioning and Write-offs 
3. Forbearance and restructuring 

• v)  Operating Risk e.g. concentration risk, partner issues etc.
• vi)  Fraud incidents
• vii)  Industry trends
• viii)  Any other items / policies which have an impact on the financials of the company based on portfolio credit quality 

New Product Introduction (NPI) and product changes 

All NPI’s e.g., new insurance products for customers or changes to the product structures (including credit policy & pricing changes) will need approval from the CC 

QUORUM: 

The quorum for the CC will be a minimum of three out of the five members being present with CRO's presence being mandatory. All members will try and be present for the meeting. The CRO shall chair the meeting. Any matter shall be deemed passed subject to the majority of the members being in favour of the motion. In the event that there being a tie, the chair shall have the deciding vote. 

The Company Secretary shall be the secretary for the meeting and shall be the custodian of the proceedings of the meeting. 

Delegation of Approvals Matrix

Sanctions 

The operating principle of the delegation of approvals from an execution standpoint would be to have 80%+ of all credit decisions being managed between Partnerships, Operations and Risk. In line with the operating principle, the following is the approval matrix: 

• A) FPO/Institutional Loans:
• i)  New Entities:

1. Upto INR 2Cr - CRO plus 1 SMT (maker, checker)
   
2. INR 2 – 10 Cr – CRO, 1 SMT and CEO
   
3. Above INR 10 Cr - CRO, 1 SMT, CEO & 1 Board Member 

• ii)  Renewals: 

1. Upto INR 5Cr - CRO + 1 SMT member.
   
2. INR 5 – 20Cr – CRO, 1 SMT and CEO
   
3. Above INR 20Cr - CRO, 1 SMT and CEO + 1 Board Member

As a matter of good principle and leadership visibility, all new FPO/Institutional onboarding should be tabled at Leadership meeting or via written circulation prior to disbursement 

B) Retail Loans: 

All members of the SMT have the delegation to approve all retail loans.
In case of delegations to be provided to additional personnel, the CRO + 1 SMT may authorise the same. This should be after careful consideration and taking into account the knowledge & training of the candidate 

Note: Not more than 2 approvals in a year for any partner by the same committee. If more than 2 approvals, then approval will be required by the next higher approval authority 

WriteOffs 

‍

Fraud 

‍

The Committee shall review and assess the adequacy of this Charter bi-annually. The Committee may recommend amendments to this Charter based on internal or external requirements, at any time with documentation of the reasons. 

Record of updates: 

This TOR was:

• (i)  drafted on behalf of the Company by: Nagaraj Subrahmanya, CRO 
• (ii)  internally reviewed by: Rahul Gupta, CEO
• (iii)  approved by the Board of the Company on: March 13, 2023 

This TOR comes into effect immediately on the above date of approval. 

1. Introduction 

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has framed the Credit Risk Policy to set out the guidelines, principles and approach to manage credit risks for the Company and put in place a framework to identify, assess, measure, monitor and control credit risks in a timely and effective manner. 

2. Objectives of the Policy 

The key objectives of the policy are as under:
The Policy has been designed to achieve the following key objectives: 

• i.  Establish a governance framework to ensure an effective oversight, segregation of duties, monitoring and management of credit risk in the Company. 
• ii.  Lay down guiding principles for setting up & monitoring of the credit risk appetite &limits. 
• iii.  Establish standards to facilitate effective identification and assessment of credit risks in the Company enabled by the internal credit scoring framework. 
• iv.  Establish standards for effective measurement and monitoring of credit risk
• v.  Achieve a well-diversified portfolio enabled by concentration risk management and maintaining credit risk exposures within established credit limits. 
• vi.  Establish principles for credit risk stress testing for securitisation arrangement and portfolio purchased by the company 
• vii.  Enable monitoring of credit risk by way of Early Warning Signals (EWS) 
• vii.  Adhere to the guidelines/policies related to credit risk management, as issued by the Reserve Bank of India (RBI) from time to time. 

3. Scope 

This aims at outlining the Company’s credit risk management framework and establishing the guidelines for offering the products i.e. Line of Credit, Personal Loan and Farmer Financing products for credit risk mitigation purposes. 

The Company will also have its own benchmark rate which shall be determined on the basis of considering the average cost of funds including administrative cost and average return on net worth which the risk management committee/department and finance department will determine / review on quarterly basis. 

4. Credit Risk Governance Framework 

The credit risk governance framework establishes the responsibility and approach through which the Board of Directors and the management functions (i.e., Business, Risk, Internal Audit functions) of the Company govern credit risk management issues. An effective governance framework ensures the independence of the credit risk function (i.e., risk managing function) from the business function (i.e., risk taking function). Through an effective Board-approved credit risk governance framework, the Company seeks to ensure adequate risk oversight, monitoring and control of credit risks. 

The Company has set out the following governance structure and corresponding roles and responsibilities for the effective management of credit risk. 

4.1.  Governance Structure 

The credit risk governance framework is designed with consideration to the following key principles: 

1. Risk Management department, will take the risk, manage the risk, will do the risk reporting and analysis, and will be responsible for implementing corrective actions to address process and control deficiencies. Board of Directors will provide policy guidance and recommendations.
   
2. Risk Management Department shall retain accountability for managing the credit risks.
   
3. The governance structure shall promote transparency, accountability, communication and flow of information.
   
4. The Board would be responsible for firm-wide credit risk management.
   
5. Senior management understands all the products / activities of the Company giving rise to credit risk and understands the basis of the credit risk management framework.
   
6. The Company has staff with sufficient expertise and appropriate skill-sets to perform risk management tasks, and is supported by appropriate tools and technology.
   
7. All material credit risks are identified and measured, exposures are aggregated and management attends to the risky exposures. 

Based on the above guiding principles, the credit risk governance framework of the Company comprises of the following: 

1. Board of Directors (BoD)
   
2. Risk Management Committee (RMC) 

4.2.  Board of Directors 

The Board of Directors (“Board”) of the Company is responsible for providing oversight for overall credit risk management at the Company. The key responsibilities of the Board relating to credit risk management include: 

1. Approving and periodically reviewing the business and credit risk management strategy and the credit risk appetite.
   
2. Approving the credit risk management policy and framework as required.
   
3. Ensuring the establishment of a robust credit risk management culture by delegating responsibilities for key decision making and controls to appropriate management authorities.
   
4. Assessing the adequacy of capital needed to support business activities undertaken by the Company.
   
5. Provide adequate supervision for the decisions taken by the delegated authority. 

4.3.  Risk Management Committee 

The Risk Management Committee is a committee of the Board of the Company. The key responsibilities of the Risk Management Committee relating to credit risk management include: 

1. Ensure implementation of credit risk policy and strategy approved by the Board.
   
2. Monitor quality of loan portfolio at periodic intervals, identifying problem areas and
   issuing directions for rectifying deficiencies.
   
3. Monitor credit risks on the Company-wide basis and ensuring compliance with the approved risk parameters/ prudential limits and monitor risk concentrations including geographic exposures as per Credit Concentration Risk norms;
   
4. Incorporate regulatory compliance in the Company’s policies and guidelines in regard to credit risk;
   
5. Review the use of internal risk rating systems for business and risk management purposes and placing recommendations before the Board;
   
6. Bring to the attention of Board material issues for information / recommendation / approval; and
   
7. Review and approve the credit risk stress testing scenarios, results and analysis. 

5. Products 

The Company intends to offer following products to customer including but not limited to:

Term Loans for meeting working capital / project funding to organisations 

• Individual loans, specifically: 

1. Livelihood Loans
   
2. Microfinance Loans
   
3. Agriculture and Livestock Loans
   
4. Personal Loans
   
5. Medical, education and Emergency Loans 

6. Portfolio Monitoring

Portfolio Trigger 

1. This will be managed and monitored by Risk Management Department.
   
2. Trigger will be implemented based on criteria such as Delinquency at a partner level exceeds 5% of the total loan disbursed and other criteria as defined by the Risk Management department. 

Process of visiting delinquent customers 

1. The allocation of customers to be visited is done by the Customer Contact Center and they are visited by Supervisor / Service Representative is done
   
2. After visits, reports are to be submitted to central collection team in standard format and this is to be concluded within 10 working days.
   
3. Then central team will review the report and allocate case to collection agency. 

7. Policy Review and Updates 

This policy represents the minimum standards for credit risk management and is not a substitute for experience, common sense and good judgment. Given that the credit risk management policy is to be flexible and responsive to changing market and regulatory conditions, it will be reviewed by the Chief Risk Officer (CRO) from time to time and any revisions will be updated at least annually or as necessary. In the event that clarification on interpretation is required, consultation must first be sought from the Risk function. 

The policy shall be approved by the Board of Directors and put up for review to the Risk Management Committee at least annually. 

8. Regulatory References 

RBI circular on Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016 dated September 1, 2016. 

9. Key Definitions 

1. Credit Risk: Credit risk is defined as the possibility of losses associated with diminution in the credit quality of borrowers or counter parties. In the Company’s portfolio, losses stem from outright default due to inability or unwillingness of a borrower to meet commitments in relation to settlement. 
2. Borrower: Borrower is defined as any entity or individual that the Company has credit exposure to.
   
3. Exposure: Exposure will include credit exposure to partners or organizations (B2B loans). The sanctioned limits or outstanding to partners or organizations (B2B loans), whichever are higher, shall be reckoned for arriving at the exposure limit.
   
4. Credit Score: Credit score is a numeric value derived using product-specific scorecards (generally referred to as credit scorecards), that determine the riskiness of a borrower application for a particular asset product. The credit score generally considers credit history, income characteristics, borrower capacity to pay as well as product-specific characteristics. The scorecards wherever used, will be developed, validated and approved by designated authorities and assignment of scores to credit applicants/loan accounts will be automated.
   
5. Credit Concentration Risk: Risk concentration refers to the risk that any single exposure or group of correlated exposures (within the same activity / industry / geography / any other segment) which may potentially produce losses large enough (relative to the Company’s capital, totals assets, or overall risk level) to threaten Company’s health or ability to maintain its core operations. To mitigate these risks, there are state- wise exposure limits based on a percentage to the total loans given by the Company and others as may be decided by the company.
   
6. Early Warning Signals: Early warning signals help in early identification and reporting of problem accounts and is the first step towards containing slippages and minimising the risk of loss. Borrowers could be identified as weak on the occurrence of various triggers relating to performance on existing loan account or any other factors that may negatively affect the repayment behaviour of the borrower.
   

10. Policy Review and Updates 

The implementation of this policy shall be monitored and reviewed periodically by the Board of the Company. 

This Policy was: 

• (i)  Drafted on behalf of the Company by: Mr. [Nagaraj Subrahmanya, CRO 
• (ii)  Internally reviewed by: Mr. Rahul Gupta, CEO 
• (iii)  Approved by the Board of the Company on: October 30, 2017, revised on September 30, 2022, revised on March 13, 2023 
• This revised Policy comes into effect from date of approval of the Board. 

1. Introduction 

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has framed the Information Technology Policy (hereafter referred to as “Information Technology Policy” or “the Policy”) in accordance with the regulatory requirements specified by the Reserve Bank of India (RBI). 

Purpose 

The Company has laid down an IT Policy to: 

1. Govern operations of the IT function while aligning to the business strategy and relevant industry best practices/standards; 
2. Ensure compliance to all relevant statutory and regulatory requirements that are applicable to the IT function. 

Applicability 

1. This policy applies to the IT function of the Company. 
2. The IT policies in this document will be followed by all IT and relevant business personnel as applicable. 

Document Maintenance and Distribution 

1. The Chief Operating Officer (“COO”), assisted by Vice-President Product will review the information technology process and policy framework at least annually. 
2. It is the responsibility of the COO to monitor, initiate and obtain relevant approvals for any changes/revisions required to this document.
   
3. All editions of this policy will be version controlled. 
4. The COO is responsible for distributing approved revisions of the document to concerned stakeholders. 

Waiver/Exception 

Waivers to the IT policy and guidelines in this document will be formally submitted to the Company’s COO, including justification and benefits attributed to the waiver, and it will be approved by the COO as deemed fit. The waiver will only be used in exceptional situations when communicating any non-compliance with the IT policy and guidelines for a specific case/period of time. At the completion of the case/time period, the need for the waiver will be reassessed and re-approved by the COO, if necessary.

The waiver will be monitored by the Chief Operating Officer team to ensure its concurrence with the specified period of time and exception. 

IT Organization Structure & Governance 

COO working closely with the Product Team is responsible for owning and delivering IT services in accordance with business objectives. The in-house IT Team and/or technology outsourced partner will be responsible to deliver the business expectations. Keeping in view the pervasive presence of technology, it is essential that business stakeholders have appropriate involvement in making key technology decisions. 

1. The Company under the leadership of the COO, working closely with the CPO and CRO, to develop an organizational structure reflecting its needs and IT priorities.

The organization structure will be established taking into consideration the following: 

• 1.  Internal and extended organizational structure
  
• 2.  Manpower required for the execution of the IT strategy
  
• 3.  Stakeholders are critical for decision making
  
• 4.  Communication needs
  
• 5.  Any applicable regulatory requirements 

● The IT function will establish, agree and communicate the IT-related roles and clearly define     responsibilities and accountability. 

2. Project Management 

• a.  A detailed project plan covering the business case for system acquisition/development will be developed for all projects as deemed necessary by the COO and will include the cost-benefit analysis, success criteria, risk management, funding and resource requirements. 
• b.  Specific risks associated with individual projects will be treated through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. 
• c.  Accountability for achieving the benefits, controlling the costs, managing the risks, and coordinating the activities and interdependencies of multiple projects will be clearly and unambiguously documented, assigned and monitored. Where accountability is assigned, accountability will be accepted and sufficient authority will be assigned. 
• d.  The responsibilities, relationships, authorities and performance criteria of project team members, and sponsors will be defined.
• e.  Periodic monitoring of the project's progress will be carried out by the COO and timely remedial actions will be taken in case of delays. 

3. IT Strategy 

The COO, in consultation with the CPO, 

• 1.  Will understand the business strategy of the Company and frame the IT strategy which aligns with the business strategy and objectives, and this will be reviewed at least once a year. 
• 2.  Will consider the current organization's environment, business processes and future objectives to arrive at the conclusion for the direction of the IT strategy. 
• 3.  Will also consider any criteria that are based on industry factors, applicable legal and regulatory requirements. 
• 4.  Will verify the conclusions with relevant business units before the final confirmation and execution of the IT strategy. 
• 5.  Conduct a gap analysis exercise against the current statutory/regulatory requirements as necessary to formulate and implement an appropriate remediation plan. All execution steps of the remediation plan will be supervised and reviewed by COO periodically. 

4. IT Budgeting 

• a.  IT investment requirements in support of business/IT strategy will be identified, categorized, prioritized, and agreed upon. 
• b.  IT investment programmes will specify the following:

1. The business benefit expected and performance to be achieved
2. The method for measuring outcomes 
3. Accountability for achieving the outcome
4. The expected delivery schedule for each outcome

• c.  The relevant costs and benefits for IT investments will be reviewed and approved by the IT Strategy Committee. 
• d.  A formal IT budget will be defined and implemented.
• e.  A decision-making process will be followed to prioritize the allocation of IT resources for operations, projects and maintenance to optimize the return on the enterprise’s portfolio of IT investment programmes and other IT services and assets. 
• f.  Costs incurred by IT will be identified along with their allocation across the IT budget and projects. 
• g.  Variances between forecasts and actual costs will be analyzed and reported to relevant stakeholders by the Finance Team. 
• h.  Monitoring and reporting costs against the budget and managing costs will be done through the yearly review and the budget utilization report will be maintained by the Finance Team. 

5. IT Resource Management 

The Company will maintain and annually review an inventory for all IT assets including but not limited to hardware and software. 

Performance of critical IT systems/Infrastructure along with IT partners’ service level performance will be monitored periodically by the COO.

6. IT Operations 

COO working closely with the Product Team and CRO: 

• 1.  Will manage appropriate processes and activities required to deliver the IT strategy and ensure that it adds value to the organization’s IT requirements. 
• 2.  Will develop procedures and standards/guidelines as necessary to support its endeavour in implementing the information systems. 
• 3.  Recognize the maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information. 
• 4.  Will enable the provision of system-generated reports for the management team summarizing financial position including operating and non-operating revenues and expenses, cost-benefit analysis of segments/verticals, cost of funds, etc. 
• 5.  Will manage the following under IT operations (including but not limited to the following): 
• a.  IT asset/ Equipment management & configuration
• b.  Backup and restoration
• c.  Patch management
• d.  Network Management
• e.  Change & Release management 
• f.  Data center operations management 
• g.  Define & manage IT third-party services 
• h.  System and Software development
• i.  Database implementation and support 
• j.  Access Control 
• k.  Manage problems and IT events and incidents
• l.  Filing of regulatory returns to RBI including COSMOS returns (where applicable)

7. IT Risk Management 

IT Operations and business risks will be managed during the project lifecycle by the CRO and relevant business heads. Also, the CRO will lay down procedures for the assessment and treatment of IT risks and drive the annual IT risk assessments with the involvement of relevant stakeholders from business functions. 

8. IT Security Management 

Purpose 

The broad purpose of IT security management shall be to respond to security incidents within agreed timelines and mitigate any damage from security incidents (Cybersecurity Events). Additionally, the following goals are also sought to be addressed herein: 

• 1.  To set up a channel for quick reporting of Cybersecurity Events and make employees aware of the point of contact for reporting incidents; 
• 2.  To set up an internal team to correct or recover from the incident based on agreed parameters; and 
• 3.  Ensure that event reporting and escalation procedures are in place; 

The steps outlined herein apply to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, other third parties who have access to services systems of Company (for the purpose of this Section 8, the aforementioned personnel shall be referred to as “Personnel”). 

Approved Information Security (IS) policy of the organization will be followed and implemented with necessary controls which are defined by CRO in consultation with CPO and COO. 

Reporting Procedure 

Personnel can report Cybersecurity Events by any of the following means: 

• 1.  Sending mail to isms@avantifinance.in 
• 2.  Call the help desk at 080-41689310 in case the incident requires immediate attention. 

Personnel should make sure that any Cybersecurity Event, even if it is of a minor nature, is not left unreported, as it may cause harm if left unattended over a period of time. 

As an indicative illustrative list of what may constitute a Cybersecurity Event, the following may be referred: 

• 1.  Virus attack
  
• 2.  Denial of Service
  
• 3.  Unauthorized access
  
• 4.  Modification of information/data
  
• 5.  Compromise of user/Personally identifiable information (PII) data
  
• 6.  Loss of sensitive information
  
• 7.  Misuse of information & computing resources
  
• 8.  Incidents related to physical security such as but not limited to, laptop lost, unauthorized entry into premises, assault, etc. 

Response Procedure 

Upon reporting a Cybersecurity Event, the CRO may record the details and further delegate the response (with regard to the severity of the reported incident) to any authorized personnel in this regard. In any case, the following information shall be recorded: 

1. Date and time of the incident; 
2. Location of the incident;
3. Type of incident (security breach/weakness/malfunction); 
4. Brief description of the incident;
5. Name and designation of the person reporting the incident;
6. Name and designation of the person receiving the report of the incident; 
7. Name and designation of a person to whom any task with respect to investigation or
   otherwise is delegated; 
8. Identification of the root cause of the incident;
9. Action taken by the person authorized to do so;
10. The Root cause analysis to develop preventive approaches to avoid similar incidents; and
11. Close date in respect of the incident. 

• Conduct an awareness programme for employees and other related stakeholders about Information Security and incident management on a quarterly basis. This shall be delivered either digitally or physically
  

Roles and responsibilities of CRO 

• a.  Reporting to CERT-In: 
• On the occurrence of any Cybersecurity Event, the Company shall as soon as possible, through the CRO, report such event to the Computer Emergency Response Team of India (CERT-In) in accordance with the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
• b.  Establish and maintain security policies and standards for the organization to follow.
  
• c.  Directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology risks.
  
• d.  Ensure that disaster recovery and business continuity plans are in place and tested.
  
• e.  Arrange for backup of data with periodic testing.
  
• f.  Enable independent investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities.
  
• g.  Maintain a current understanding of the IT threat landscape for the industry.
  
• h.  Ensure compliance with the changing laws and applicable regulations, and translate that knowledge to the identification of risks and actionable plans to protect the business.
  
• i.  Schedule periodic security audits internally.
  
• j.  Make sure that cyber security policies and procedures are communicated to all personnel and that compliance is enforced.
  
• k.  Provide training and mentoring to security team members.
  
• l.  On reporting of a Cybersecurity Event, CRO may initiate action by directing any authorized personnel or set of such personnel to respond, correct and prevent similar incidents in future. A detailed report of the critical incident will be made by the CRO. 

9. Digital Signatures

When using digital signatures, the Company endeavors to use such Digital signatures to protect the authenticity and integrity of important electronic documents and also for high- value fund transfer. 

10. Mobile Financial Services 

The Company shall develop mechanisms for safeguarding information assets that are used by mobile applications to provide services to customers. The technology used for mobile services should ensure confidentiality, integrity, authenticity and must provide for end-to- end encryption. 

11. Use of social media 

Where the Company uses any relevant social media to market its products, Company shall ensure that its social media accounts(s) are safeguarded with proper controls such as encryption and secure connections to prevent risks such as account takeover and/or malware distribution. 

12. Password Policy 

Passwords are an important aspect of IT security. A poorly chosen password may result in unauthorized access and/or exploitation of the resources of the Company. This section details the standard for the creation, maintenance and change cycle for strong passwords. All users, including employees, contractors, vendors and all other stakeholders with access to systems of the Company are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. 

Password Construction 

Strong passwords have the following characteristics: 

• 1.  Contain at least three of the five following character classes: 
  
• 2.  Lowercase characters
  
• 3.  Upper case characters 
  
• 4.  Numbers
  
• 5.  Punctuation
  
• 6.  “Special” characters (for example: @#$%^&*()_+|~-=\`{}[]:";'<>/, etc.)
  
• 7.  Contain at least 8 alphanumeric characters.

Password Protection Standards 

• a.    Change cycle:
• i.    All cloud service management passwords must be changed at least once every 90 days. 
• ii.    All administrative passwords for the platform must be changed at least once every 180 days. 
• iii.    All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least once every 365 days. 
• b.    Personnel shall use different passwords for official and personal accounts. 
• c.    Personnel shall not share official passwords with anyone. 
• d.    Passwords should never be written down or stored online without encryption.
• e.    Personnel shall not reveal their password in email, chat, or other electronic communication; or speak about a password in front of others.  
• f.    If someone demands a password, refer them to this document and direct them to the CRO.  
• g.    Passwords should be changed immediately in case of password leakage is noticed or suspected.
• h.    If an account or password compromise is suspected, report the incident to isms@avantifinance.in . 

13. Business Continuity 

Company shall ensure that: 

• 1.    It identifies critical business verticals, locations and shared resources to come up with the detailed Business Impact Analysis. Due regard shall be given to account for any impact of any unforeseen natural or man-made disasters on the Company’s business; 
• 2.    It understands the vulnerabilities associated with interrelationships between various systems, departments and business processes. It shall endeavor to come up with the probabilities of various failure scenarios and evaluate various options for recovery and minimization of losses in case of a disaster;
• 3.    It considers the need to put in place necessary backup sites for its critical business systems and data centers; and  
• 4.    It tests the business continuity plan annually as well as when significant IT or business changes take place. 
• 5.    Review cloud service arrangements and SLA for business continuity once every six months. 

Company’s COO approves and oversees the annual business continuity plan strategy and road map. Business continuity plans are reviewed and maintained periodically to incorporate any significant changes to process, human resources and technology. The Company’s business continuity plan is in line with the guidelines issued by RBI and is subject to annual review by the Board of Directors. 

Company understands the environment in which it operates in and the associated risks, hence the Company has developed and implemented business recovery strategies and infrastructure to ensure recovery and continuity of critical IT operations as per agreed timelines and acceptable service levels. The plan is designed to facilitate the continuity of the critical business processes in the event of defined disaster scenarios. The same is tested periodically to address any gaps. 

In a significant disruption scenario: During a significant disruption or a disaster, if a customer’s usual access to Company’s services is affected, please connect with us through our customer care numbers (1800-3095021). Customer care number of the Company is published on the Company's website. If a customer is not able to contact us through our customer care number, you could visit our website at [ www.avantifinance.in and send us your queries/complaints/requests through online contact links published on the website]. 

14. Value Delivery 

• a.    Value delivery will be an integral form of IT service delivery to the organization. 
• b.    Business functions will be able to register formal service complaints to be addressed to the IT team.
  
• c.    All service complaints will be recorded by IT, investigated, addressed, reported and formally closed 
  
• d.    Business functions will be able to escalate cases wherein a complaint is not resolved by IT as per the agreed service levels. 
  
• e.    Satisfaction of business needs and managing the business relationships will be the responsibility of the COO within the applicable business constraints. 
  
• f.    Measures will be put in place to satisfy business needs and actions for improvement will be identified, recorded and updated in a continual service improvement plan 

15. IT Compliance and Audit 

Compliance 

Compliance functions include the following: Evaluate, define the compliance parameters based on internal and regulatory requirements, assess the reported observations, recommendations and perform timely corrective actions to ensure compliance to identified requirements. 

Audit 

Auditing of Information Systems will take into consideration the risks and the impacts on all the in-scope systems (e.g. potential for disruption). The Information systems will be audited at least once a year. Auditing requirements will include: 

1. Audit requirements for access to systems and data should be agreed with appropriate management;
   
2. Computer Assisted Auditing Techniques (CAATs) will be used wherever feasible
   
3.  The scope of technical audit tests should be agreed and controlled;
   
4. Audit tests should be limited to read-only access to software and data requirements for special or additional processing should be identified and agreed; audit tests that could affect system availability should be run outside business hours;
   
5. All access should be monitored and logged to produce a reference trail.
   

The findings of the audit shall be shared with each relevant stakeholder for remedial action or an adequate management response. The IT Steering Committee shall review the progress and action taken on the audit findings during their quarterly review. 

16. Regulatory reference 

This policy is framed as per the following regulatory references and in accordance with leading industry practice: 

1. Master Direction - Information Technology Framework for the NBFC Sector

17. Policy Review updated 

This document shall be reviewed by the CRO, and shall be reviewed at least once a year. Reviews shall also account for any significant business changes and/or any regulatory requirements. 

This Policy was: 

•   I.    Drafted on behalf of the Company by: Mr Manish Thakkar, COO 
  
•  II.    Internally reviewed by: Mr Nagaraj Subrahmanya, CRO and Mr Lalitesh Katragadda, CPO 
  
• III.    Approved by the Board of the Company on: September 12, 2018, Revision 1 on : March 22, 2021 and Revision 2 on : March 13, 2023 

1. BACKGROUND 

The Reserve Bank of India has notified Master Directions - Reserve Bank of India (Securitisation of Standard Assets) Directions, 2021 (“Directions”). In line with the Directions and as a matter of good governance, Avanti Finance Private Limited (hereinafter referred to as “Company” which term includes its successors and assigns) has sought to adopt this policy towards undertaking securitisation transactions. 

2. KEY DEFINITIONS AS PER THE DIRECTIONS 

“securitisation” means a structure where a pool of assets is transferred by an originator to a SPE and the cash flow from this pool of assets is used to service securitisation exposures of at least two different tranches reflecting different degrees of credit risk, where payments to the investors depend upon the performance of the specified underlying exposures, as opposed to being derived from an obligation of the originator; 

“securitisation notes” mean securities issued by the special purpose entity as a part of securitisation; 

“special purpose entity (SPE)” means a company, trust or other entity organised for a specific purpose, the activities of which are limited to those appropriate to accomplish the purpose of the SPE, and the structure of which is intended to isolate the SPE from the credit risk of an originator; 

“standard assets” means exposures which are not classified as non-performing asset; 

"originator" refers to a lender that transfers from its balance sheet a single asset or a pool of assets to an SPE as a part of a securitisation transaction and would include other entities of the consolidated group to which the lender belongs; 

Definitions of other terms used in this policy are as stated in the Directions. 

3. PERMITTED TRANSFERORS 

3.1 Securitisation is permitted to the following entities: 

• a)    Scheduled Commercial Banks;
  
• b)    All India Financial Institutions (NABARD, NHB, EXIM Bank, and SIDBI);
  
• c)    Small Finance Banks; and
  
• d)    All Non-Banking Finance Companies (NBFCs) including Housing Finance Companies (HFCs). 

3.2 Permitted Assets 

• 3.2.1    Except as provided under paragraph 3.2.2, all on-balance sheet exposures of originators, which are in the nature of loans and advances and are classified as standard assets, are eligible as underlying assets in a securitisation transaction.
  
• 3.2.2    Following exposures shall not be allowed for the purpose of securitisation: 
• a)  Re-securitisation exposures;
  
• b)  Structures in which short term instruments such as commercial paper, which are periodically
• rolled over, are issued against long term assets held by a SPE
  
• c)  Synthetic securitisation;
  
• d)  Securitisation with the following assets as underlying: 
• (i)  revolving credit facilities as underlying – these involve underlying exposures where the borrower is permitted to vary the drawn amount and repayments within an agreed limit under a line of credit (e.g. credit card receivables and cash credit facilities);
  
• (ii)  Restructured loans and advances which are in the specified period;
  
• (iii)  Exposures to other lending institutions;
  
• (iv)  Refinance exposures of AIFIs; and
  
• (v)  Loans with bullet payments of both principal and interest as underlying;
  
• (vi)  Loans with residual maturity of less than 365 days; 
• e)  Agriculture loan extended to Individual where loan tenure is more than 24 months and up to 24 month but both interest and principal are not due on maturity; and
  
• f)  Trade receivables with tenor more than 12 months discounted/purchased by lenders from their borrowers. 

4. KEY RESPONSIBILITIES 

4.1 Specific responsibility of Originator

• 4.1.1     The originator i.e., Company, of such securitisation shall have satisfied the Minimum Holding Period requirement as per Clause 39 of the Reserve Bank of India (Transfer of Loan Exposures) Directions, 2021 including the proviso to the above Clause.
  
• 4.1.2    Company shall adhere to the requirements of Minimum Retention Requirement(MRR)as provided in the Directions while securitising loans leading to issuance of securitisation notes.
  
• 4.1.3    Company would follow stringent underwriting standards. There shall not be any difference in the criteria for credit underwriting applied by the Company on exposures retained on the balance sheet of the Company vis-a-vis exposures securitised.
  

4.1.4    The total exposure of an originator to the securitisation exposures should be as per Clauses 25, 26 and 27 of the Directions. 

4.1.5    The minimum ticket size for issuance of securitisation notes shall be INR 1crore.Listing of securitisation notes, especially in respect of certain product class, such as RMBS, and/or generally above a certain threshold is recommended, though not mandatory. Any offer of securitisation notes to fifty or more persons in an issuance would be required to be listed as per SEBI Regulations (Issue and Listing of Securitised Debt Instruments and Security Receipts), 2008. 

Priorities of payments for all liabilities have to be clearly defined at the time of securitisation with full transparency over any changes to the cash flow waterfall, payment profile or priority of payments that might affect a securitisation and all triggers affecting the cash flow waterfall, payment profile or priority of payments of the securitisation should be clearly and fully disclosed in offer documents and in investor reports.

• 4.1.6    Securitisations featuring a replenishment period shall include provisions for appropriate early amortisation events and/or triggers of termination of the replenishment period and other terms as mentioned in Directions.
  
• 4.1.7    Company transferring assets to Special Purpose Entity(SPE) may make representations and warranties concerning those assets and undertake to hold capital against such representations and warranties if any of the conditions referred in Clause 32 of the Directions are not satisfied.
  
• 4.1.8    Company may provide supporting facilities such as credit enhancement facilities, liquidity facilities, underwriting facilities and servicing facilities but should be as per conditions outlined in Chapter IV of the Directions.
  
• 4.1.9    Company has to maintain capital against the exposures transferred to the SPE, which then forms the underlying for securitisation notes issued by the SPE, i.e., the exposures transferred to the SPE must be included in the calculation of risk-weighted assets of the originator and the consideration received from SPE must be recognised as an advance, unless at least conditions mentioned in Clause 81 of the Directions are satisfied tax and regulation.
  

4.1.10  The transactions undertaken in terms of the Directions must not contravene the rights of underlying obligors. To ensure compliance with this stipulation, enabling clauses must be included in the contract between Company and servicing agent (if any) and all necessary consent from obligors (including from third parties), where necessary as per the respective contracts, should have been obtained. 

4.2 Specific responsibility of Company who is Investor in Securitisation: 

• 4.2.1    Companyshouldinvestinsecuritisednotesonlyiftheoriginatorhasexplicitlydisclosedto the purchasing lenders that it has adhered to the MRR and MHP requirements and will
  adhere to MRR on an ongoing basis, as applicable and advised in the Directions.
  
• 4.2.2    Company should be able to access performance information on the underlying pools on an ongoing basis. Such information may include: 

1. the average credit quality through average credit scores,
   
2. extent of diversification of the pool of loans,
   
3. volatility of the market values of the collaterals supporting the loans,
   
4. prepayment rates,
   
5. property types,
   
6. occupancy, etc. 

4.2.3    Company should take note of, analyse and record the following while taking the decision regarding a securitisation exposure: 

1. Reputation of originators,
   
2. Loss ratio of originators,
   
3. Valuation concept and methodology of collateral
   
4. Disclosures made by the originator. 

4.2.4    Company will share with the Board the valuation approach being adopted and the process of credit monitoring proposed before investing in securitisation notes. This will, inter alia, include: 

1. the models used for valuation,
   
2. the assumptions underpinning the models, the policy regarding back-testing, and
   
3. stress testing the valuation model and its parameters etc. 

• 4.2.5    Company needs to monitor on an ongoing basis and in a timely manner, performance information on the exposures underlying their securitisation positions and take appropriate action, if any, required. Action may include modification to exposure ceilings to certain type of asset class underlying securitisation, modification to ceilings applicable to originators etc.
  
• 4.2.6    Company should maintain capital against all securitisation exposure amounts, including those arising from the provision of credit risk mitigants to a securitisation transaction, investments in asset-backed or mortgage-backed securities, retention of a subordinated tranche, and extension of a liquidity facility or credit enhancement.
  

For the purpose of computing capital to be maintained and the exposure amount, reference may be drawn to Clauses 73 and 74 of the Directions. 

For the purpose of calculating capital requirements, in respect of exposures that do not meet the requirements of the clause Chapter IV of the Directions, transferee shall maintain capital charge equal to the actual exposure acquired. 

• 4.2.7    Company should compute risk-weight for rated securitisation exposures via Securitisation External Ratings Based approach (SEC-ERBA), for unrated securitisation exposures, buyer to maintain capital charge equal to the actual exposure. The capital requirement for any securitisation position should not exceed the securitisation exposure amount.
  
• 4.2.8    Company should compute risk weight as per external ratings-based approach (SEC- ERBA) will be determined by multiplying securitisation exposure amounts by the appropriate risk weights as determined by Clauses 102 to 104 of Directions for securitisation exposures that are externally rated, provided that the criteria mentioned in Clause 101 of theDirections are met.
  
• 4.2.9    The Directions have laid down clear guidelines on de recognition of transfer red as sets for capital adequacy. Buyer should ensure that originator should satisfy below conditions in order to achieve de-recognition.
  

• a)    Originator should not have any control over the transferred exposures. The originator shall be considered to have retained effective control over the exposures if: 
• ►  It is able to repurchase the exposures from the SPE in order to realise the benefits, or
  
• ►  It is obligated to retain the risk of the transferred exposures
• b)    Except for clean-up calls, the originator should not be able to repurchase the exposure.
  
• c)    The securitisation notes issued by SPE are not obligations of the originator. Thus, the investors who purchase the securitisation notes have a claim only to the underlying exposures.
  
• d)    The transferred exposures are legally taken isolated in such a way that they are beyond the reach of the creditors in case of bankruptcy or otherwise.
  
• e)    As per the Directions, the holders of the securitisation notes issued by the SPE against the transferred exposures have the right to pledge or trade them without any restriction, unless the restriction is imposed by a statutory or regulatory risk retention requirement.
  
• f)    The originators must not be obligated to replace loans in the pool in case of deterioration of the underlying exposures to improve the credit quality.
  
• g)    The originator should not be allowed to increase the credit enhancement provided at the inception of the transaction, after its commencement. 
• h)    The securitisation does not contain clauses that increase the yield payable to parties other than the originator such as investors and third-party providers of credit enhancements, in response to a deterioration in the credit quality of the underlying pool.
  
• i)    There must be no termination options or triggers to the securitisation exposures except eligible clean-up call options or termination provisions for specific changes in tax and regulation.
• 4.2.10.    Company may invest in such securitised notes where the originator has explicitly disclosed that the applicable provisions of the Reserve Bank of India (Know Your Customer (KYC) Directions, 2016 (as amended from time to time) shall be complied with in all cases. 

5. REPORTING RESPONSIBILITY 

Company shall submit the details of the securitisation transactions undertaken, including the details of the securitisation notes issued, to the Reserve Bank of India on a quarterly basis in the format shared by RBI. 

6. ACCOUNTING AND DISCLOSURE 

• 6.1    Company can sell assets to SPE only on cash basis and the sale consideration should be received not later than the transfer of the asset to the SPE. Further, there should not be a gap of more than 30 days between transfer of the assets and the issuance of securitisation notes. In case of other lenders, any loss, profit or premium realised at the time of the sale should be accounted accordingly and reflected in the Profit & Loss account for the accounting period during which the sale is completed.
  
• 6.2    Accounting treatment in the case of unrealised gains arising out of sale of underlying assets need to done as per the Clause 36 of the Directions.
  
• 6.3    Appropriate disclosures to be made in financial statements as per Clauses 116 and 117 of the Directions.
  
• 6.4    Disclosure in respect of the weighted average holding period of the assets securitised and the level of their MRR in the securitisation as per Clauses 112 and 113 of the Directions           made to investor in investor report should be as per format prescribed in Clause 115 of the Directions.
  

7. INDEPENDENCE

The functioning and reporting responsibilities of the units and personnel involved in acquisition of loan exposures shall be independent from that of personnel involved in loan origination.  

8. IT SYSTEMS 

Requisite IT systems for capture, storage and management of data pertaining to the acquired loan exposures and towards meeting the compliance requirements under the Directions shall be established. 

9. BOARD OVERSIGHT 

The policy shall be reviewed by the Board of Directors on an annual basis and the implementation of this policy shall be monitored and reviewed periodically by the Board of Directors. 

10. RECORD OF UPDATES: 

This Policy was: 

• 10.1  drafted on behalf of the Company by: Ankit Hurkat
  
• 10.2  internally reviewed by: Manish Thakkar
  
• 10.3  approved by the Board of the Company on: March 11, 2022, Revision 1 on : March 13, 2023 

This Policy comes into effect immediately on the above date of approval. 

1. Introduction

Avanti Finance Company Private Limited (“Company”) considers ongoing risk management to be a core component of the Management of the Company, and understands that the Company’s ability to identify and address risk is central to achieving its corporate objectives. 

Risk can represent both a threat and an opportunity for the Company and is a fundamental factor in the success or failure of our business. Company promotes a risk-aware corporate culture to support key decisions made in the business. Our employees can identify risk through integrated risk analysis and then manage these risks to enhance commercial opportunities or reduce threats to maintain and build competitive advantage. 

2. Purpose & Objective of the Risk Committee: 

• a). To advise and assist the Board in its oversight of the design and effectiveness of the Enterprise Risk Management Framework.
  
• b)  To advise and assist the Board of Directors in fulfilling its oversight responsibilities with regards to the risk appetite of the Company, its risk management and compliance framework and the governance structure that supports it.
  
• c)  Overseeing risk appetite and risk tolerance appropriate to each business area
  
• d)  Ensuring that there are adequate enterprise-wide processes and systems for identifying
  and reporting risks and deficiencies, including emerging risks
  
• e)  To ensure alignment of the risk framework with the Company’s growth strategy,
  supporting a culture of risk taking within sound risk governance
  
• f)  To monitor all material aspects of the risk profile and to notify the board of any material
  changes or exceptions to established risk policies 

3. Authority 

• 3.1.  The Risk Committee (the “Committee”) is a committee of the Board of the Company from which it derives its authority and to which it regularly reports. 
• 3.2.  The Committee has delegated authority from the Board in respect of the functions and powers set out in these Terms of Reference. 
• 3.3.  The Committee has authority to investigate any matter within its Terms of Reference and to obtain such information as it may require from any director, officer of the company, employee or Partner. 
• 3.4.  When required, the Committee may delegate matters to a panel comprising a minimum of two members of the Committee plus such additional individuals with relevant expertise as deemed appropriate, and subject to terms of reference (including protocols for escalation to the Committee) as determined by the Committee.
  
• 3.5.  In addition, the Committee may have delegated authority from the Board for oversight of specified strategic, cultural or transformational projects led by the Executive.
  

4. Constitution 

• 4.1.  The Committee will be composed of Elected or Nominated Board Members, CEO of Company, heads of various risk verticals as well as other personnel as required and ratified by the Board. 
• 4.2.  The Committee members present shall elect one of themselves to chair the meeting.
  
• 4.3.  Members of the Committee shall be appointed by the Board.
  
• 4.4.  Working groups of the Committee may be established by the Committee for specific
  tasks and activities, including for analysis, consultations and escalations as appropriate; such groups may be comprised of representatives of the Committee and other individuals with relevant expertise.
  
• 4.5.  Members may be removed from the Committee at any time before the end of their term by the Board.
  
• 4.6.  Unless otherwise determined, the duration of appointments of members of the Committee and of co-opted members shall be for a period of up to 2 years which may be extended for an additional period of 1 year.
  

5. Proceedings of Meetings 

5.1.  Frequency of Meetings
5.1.1.  Meetings of the Committee may be called by the Chair of the Committee at any time to consider any matters falling within these Terms of Reference, but at a minimum on a quarterly basis. 

5.2 Quorum for Risk Committee 

• 5.2.1  A quorum will require the presence of at least 50% or 3 of the committee members, whichever is higher
  
• 5.2.2  A duly convened meeting of the Committee at which a quorum is present shall be competent to exercise all or any of the authorities, powers and discretions 

6. Attendees

6.1  Risk committee attendees 

• 6.1.1  Only the members of the Committee and other Elected and Nominated members of the Board and Independent Non-Executives directors have the right to attend Committee meetings and the right to cast a vote, if called upon.
  
• 6.1.2  The following will be expected to attend Committee meetings on a regular basis (as and when appointed): 
• a)  Chief Executive Officer;
  
• b)  Chief Risk Officer;
  
• c)  Chief Operating Officer;
  
• d)  Chief of Partnerships; 
• e)  Chief Financial Officer;
  
• f)  General Counsel;
  
• g)  Head of Regulatory Affairs;
  
• h)  Head of Internal Audit;
  
• i)  Head of Corporate Affairs; and
  
• j)  Company Secretary 

6.2 ALCO committee attendees 

• 6.2.1  The members of the Committee, management team members (on a special invite basis) have the right to attend Committee meetings and the right to cast a vote, if called upon.
• 6.2.2  The following will be expected to attend Committee meetings on a regular basis (as and when appointed): 
• a)  Chief Executive Officer;
  
• b)  Chief Risk Officer;
  
• c)  Chief Operating Officer;
  
• d)  Chief of Partnerships
  
• e)  Chief Financial Officer / Head of Finance; 

7. Powers of Risk Committee: The Risk committee shall have the powers – 

• a)  Investigate any matter within its terms of reference and seek information from any director, office of the company, employee or Partner. 
• b)  To obtain advice from auditors or lawyers or experts, retain services of external consultants for redressing issues relating to and arising from risk management framework.
  
• c)  To call for any information, documents, records from any officers of the Company for ascertaining the adherence to the Risk policies, procedures and standards laid for effective monitoring, evaluating and reporting of risks.
  
• d)  To institute and periodically review the terms of reference of the Asset Liability committee (ALCO) 

8. Roles and responsibilities of the Committee 

• a) Review and recommendation to the Board of Directors (Board) for approval: 
• i.  Enterprise Risk Management (ERM) framework for the Company and its subsidiaries
  
• ii.  Risk appetite for the Company
  
• iii.  Stress testing framework
  
• iv.  Internal Capital Adequacy Assessment Process (ICAAP)
  
• v.  Framework for capital allocation.
  
• b)  Review the policies pertaining to credit, market, liquidity, operational, outsourcing, reputation risks and business continuity plan, disaster recovery plan and limits for each risk category would be a part of the respective Policy for amendments as necessary based on changes in regulatory guidelines, risk environment and business considerations and recommendation to Board for approval
• c)  Review key risk indicators, level and direction of major risk categories as detailed below on a quarterly basis:
• i. Credit risk: corporate, retail, small enterprises, rural, micro-banking and agri portfolio 
• ii.  Market risk: interest rate risk, credit spread risk, foreign exchange risk and equity risk
  
• iii.  Liquidity risk: domestic and international operations
  
• iv.  Operational risk: process risk, people risk, technology risk, event risk, outsourcing risk
  and reputation risk
  
• v.  Compliance risk: domestic
  
• vi.  Capital at risk 
• d)  Review of outsourcing activities
  
• e)  Review report on activities of Asset Liability Management Committee
  
• h)  Review of Cyber Security Risk on periodic basis.
  
• i)  Setting limits on any industry, sector or country
  
• j)  Authorised to delegate above mentioned functions to sub-committees (comprising members of Risk Committee and/or whole-time directors).
  
• k)  To keep the board of directors informed about the nature and content of its discussions, recommendations and actions to be taken.
  
• l)  The Risk Committee shall coordinate its activities with other committees, in instances where there is any overlap with activities of such committees, as per the framework laid down by the board of directors.
  
• m)  Advise the Board in relation to its determination of overall risk appetite, tolerance levels and strategy, taking account of the Company’s values and public interest purpose, as well as the current and prospective regulatory, macroeconomic, technological, environmental and social developments and trends that may be relevant for the Company’s risk policies
  
• n)  Using internal and external sources of assurance monitor the robustness of the Company’s risk management policies and processes, including the Company’s Enterprise-Wide Risk Management Framework and their fitness for purpose when tested against the Board’s strategy and risk appetite;
  
• o)  Consider and review the prevailing risk culture in the organisation (values, beliefs, knowledge, attitudes and understanding about risk) and maintain oversight of relevant work streams and projects to bring about the desired risk culture which may include specific training when required
  
• p)  Review the integration of risk management and control objectives (and consequences) in the compensation structure
  
• q)  Annually review and approve the Executive Committee’s objectives and goals in relation to risk management
  
• r)  Provide advice and assurance to the Board by adopting a holistic and enterprise-wide view of the Company and the key risks that it is exposed to, assessing the adequacy and effectiveness of the Company’s adoption of the Enterprise-Wide Risk Management Framework;
  
• s)  Consider and review the prevailing risk culture in the organisation (values, beliefs, knowledge, attitudes and understanding about risk) and maintain oversight of relevant work streams and projects to bring about the desired risk culture;
  
• t)  Ensure the internal audit work plan is aligned to the identified risks
  
• u)  Review regularly and approve the parameters used in risk assessment measures and
  the methodology adopted
  
• v)  Review the Company’s adherence to all applicable regulations as updated from time to time by various regulatory authorities
  
• w)  Before a decision to proceed is taken by the Board, advise the Board on proposed strategic transactions including acquisitions or disposals ensuring that a due diligence appraisal of the proposition is undertaken, focusing in particular on risk aspects and implications for the risk appetite and tolerance of the Company, and taking independent external advice where appropriate and available
  
• x)  Review reports on any material breaches of risk limits and the adequacy of proposed action
  
• y)  Review and approve the statements to be included in the annual report concerning risk management
  
• z)  Review and monitor management’s responsiveness to the findings and recommendations of the CRO 

9. Review of Terms of Reference: 

The Committee shall annually review its Terms of Reference and may recommend to the Board any amendments to its Terms of Reference. 

10. Amendment: 

Any change in the Policy shall be approved by the Board of Directors or any of its Committees (as may be authorized by the Board of Directors in this regard). The Board of Directors or any of its authorised Committees shall have the right to withdraw and / or amend any part of this Policy or the entire Policy, at any time, as it deems fit, or from time to time, and decision of the Board or its Committee in this respect shall be final and binding. 

11. Record of updates: 

This TOR was: 

• (i)  drafted on behalf of the Company by: Nagaraj Subrahmanya, CRO
  
• (ii)  internally reviewed by: Rahul Gupta, CEO
  
• (iii)  approved by the Board of the Company on: September 30, 2022, Revision 1 on March 13, 2023 

This TOR comes into effect immediately on the above date of approval. 

1. Purpose / Mission / Objective

The Information Technology (IT) Strategy Committee (hereinafter referred to as “the Committee”) is an executive committee of Avanti Finance Private Limited (hereinafter referred to as “the Company”) formed to achieve the following key objectives: 

1. Facilitating and building an effective IT security framework
2. Assist in aligning IT strategy to business strategy/plan
3. Approve and periodically review the IT Policy of the Company 
4. Identify the risks affecting IT and managing it by documenting controls and monitoring
5. Ensure timely and effective resolution of IT issues

2. Membership & Meetings 

An independent director shall be the chairman of the Committee. Other members shall include the Chief Executive Officer, Chief Operations Officer, Chief Product Officer, Chief Risk Officer, Chief of Partnerships. The Committee may invite any executives as it may consider necessary. 

The Information Technology (IT) Strategy Committee should meet at appropriate frequency as and when needed (at least four times in a year). The quorum for the Committee shall be at least three attendees. The Company Secretary will minute the meetings and share the minutes with the Board. 

3. Authority 

The Committee shall operate under delegated authority from the Board of the Company. 

The Committee shall have access to any internal information it may require in order to fulfil its responsibilities. The Committee, at its discretion, may seek advice from external consultants or experts on the various ongoing IT projects of the Company and understand their opinions in order to perform its duties effectively. The Committee may also seek information from any employee for the functioning of the Committee. The Committee may also secure attendance of outsiders with relevant expertise, if it considers necessary. 

4. Roles & Responsibilities 

The key responsibilities of the Committee shall be as under: 

1. Review the IT related strategy and policy and ensure that the same is approved by the Board
2. Assist the management in implementing the IT strategy that has been approved by the Board 
3. Implementation of an IT governance framework covering basic principles of value delivery, IT Risk Management, IT resource management and performance management
4. Oversee the creation of a suitable governance structure for IT which will include IT Operations and supplier and resource management, each of which may be headed by suitably experienced and trained senior officials
5. Review the investments made into IT infrastructure to sustain the Company’s growth
6. Ensure the IT risks and controls are documented and covered and risk mitigation and monitoring initiatives are taken
7. Work in partnership with other Board committees and Senior Management to provide input, review and amend the aligned corporate and IT strategies. 
8. Ensure arrangements are present for monitoring the information security condition of the Company, which are documented, agreed with top management and performed regularly 
9. Ensure that an Information System Audit of the internal systems and processes is conducted once in a year to assess operational risks faced by the company. 
10.  Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place; 
11. Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business;
12. Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable; 
13. Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources; 
14. Ensuring proper balance of IT investments for sustaining NBFC’s growth and becoming aware about exposure towards IT risks and controls. 

The Role of IT Strategy committee in respect of outsourced operations shall include 

1. Instituting an appropriate governance mechanism for outsourced processes, comprising of risk based policies and procedures, to effectively identify, measure, monitor and control risks associated with outsourcing in an end to end manner;
2. Defining approval authorities for outsourcing depending on nature of risks and materiality of outsourcing;
3. Developing sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements;
4. Undertaking a periodic review of outsourcing strategies and all existing material outsourcing arrangements;
5. Evaluating the risks and materiality of all prospective outsourcing based on the framework developed by the Board;
6. Periodically reviewing the effectiveness of policies and procedures; 
7. Communicating significant risks in outsourcing to the NBFC’s Board on a periodic basis;
8. Ensuring an independent review and audit in accordance with approved policies and procedures;
9. Ensuring that contingency plans have been developed and tested adequately;
10. Ensuring that business continuity preparedness is not adversely compromised on account of outsourcing. The company will adopt sound business continuity management practices as issued by RBI and seek proactive assurance that the outsourced service provider maintains readiness and preparedness for business continuity on an ongoing basis. 

5. Reporting Requirements 

The following matters are reported to the Committee: 

•     a)  Security incidents and corrective action plans
  
•     b)  Trends of security incidents and the long-term strategy to mitigate the risks
  
•     c)  Report on implementation of IT policy
  
•     d)  Report on the effectiveness and adequacy of IT governance structure of the Company
  
•     e)  Appropriateness of allocation of IT projects of the Company to vendors 

The Committee shall submit an annual note to the Risk Management Committee (RMC) about its activities on a periodic basis. The following matters shall be reported to the RMC: 

•     a)  Recommend changes for approval in the IT policy
  
•     b)  Security incidents and concerns for resolution
  
•     c)  Report on the information security status of the Company
  
•     d)  Report on the IT risks associated with new products or processes 

6. Review of the Charter

The Committee shall review this Charter as and when required and recommend amendments, if any, to the Board of Directors. The Committee shall also review the attendance and frequency of the meetings on an annual basis. 

This Policy was: 

• I.  Drafted on behalf of the Company by: Ms Nalini Chinta
  
• II.  Internally reviewed by: Mr Nagaraj Subrahmanya, CRO and Mr Manish Thakkar,
  COO.
  
• III.  Approved by the Board of the Company on: March 13, 2023 

Introduction 

Avanti Finance Private Limited (hereinafter referred to as ‘the Company’) has framed the Risk Management Policy to set out the guidelines, principles and approach to manage risks for the Company and establish a risk culture and risk governance framework to enable identification, measurement, mitigation and reporting of risks within the Company. 

1. Objectives of the Policy 

The key objective of the Risk Management Policy aims at the following: 

1. To understand the company's risk profile, define the risk appetite, tolerance and limits that the company is willing to undertake to achieve its strategic and business objectives
   
2. To understand the requirement of Capital adequacy, Fraud reporting, Asset liability management, Liquidity Risk Management etc.
   
3. To enable the company to monitor risk - reward at corporate and business unit level thereby integrating/ embedding risk management in business decisions
   
4. To assist in anticipating risk in order to take proactive actions instead of depending on reactive risk management actions through continuous activities such as risk identification, risk assessment, mitigation, monitoring and reporting
   
5. To embed risk management in all the processes and decision making such that the Senior Management is in a position to make informed business decisions based on risk assessment 

2. Guiding Principles for the Risk Management Framework 

The guiding principles of the risk management framework as defined in COSO framework are as follows: 

1. Risk Management principles are incorporated into strategy and objective setting processes as well as the day-to-day activities and decision-making
   
2. Risks are understood and prioritized based on the event frequency and impact to one or more objectives
   
3. The same metrics used to measure objectives e.g., revenue, regulatory compliance etc.are leveraged during risk management activities
   
4. Risk response strategies are evaluated for those risks deemed to be high or medium priority
   
5. Key risk management information (e.g., key events, results of risk assessments, risk
   responses) is documented in a timely and structured manner
   
6. A portfolio view of risks is presented to the Risk Management Committee on a regular basis 

3. Event and Risk 

Event:

In order to understand risk, one needs to define an 'Event'. An event is an incident or occurrence from internal or external sources that affects achievement of objectives. Events can have negative impact, positive impact, or both. 

A series of events from internal or external sources has the potential to affect strategy implementation and achievement of objectives. Events potentially have a negative impact, a positive impact or a combination of both. Events with a potentially negative impact represent risks. Accordingly, risk is the possibility that an event will occur and adversely affect the achievement of objectives. Events with a potentially positive impact may offset negative impacts or they may represent opportunities 

Risk: 

Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Further Opportunity is the possibility that an event will occur and positively affect the achievement of objectives. Risks can be thought of in three distinct senses as threats, uncertainty or lost opportunity. 

1. Loss opportunity: The risk that an opportunity is not identified or possibility of something positive not happening — typical examples include not capitalizing on technological advancements and new markets/ geographies
   
2. Uncertainty: The possibility that actual results will not measure up to expectations —typical examples include unfavourable outcomes vis-a-vis budget etc.
   
3. Threats or hazards: The threat of loss or negative things happening—typical examples include system failure, fraud, etc. 

4. Risk Management Framework 

Effective risk management processes defined as Objective setting, Risk identification, Risk response, Risk assessment, mitigation, monitoring and reporting of risk issues across the organisation. Essential to this process is a well-defined and articulated corporate strategy and business objectives. 

The framework will help in creating an environment in which risk management is consistently practiced across the Company and where Management can take informed decisions to reduce the possibility of surprises. 

The objective of the Risk Management Framework is to formalise and communicate Company's approach towards management of risk. It will have the following attributes: 

1. Responds to the Management's need for enhanced risk information and improved governance
   
2. Provides the ability to prioritize, manage and monitor the increasingly complex risks in the business
   
3. Provides an explicit, comprehensive process to satisfy the regulators, and other stakeholders, that significant risks are being effectively managed
   
4. Set up the Risk Committee to advise and assist the Board in its oversight of the design and effectiveness of the Enterprise Risk Management Framework 

4.1  Objective Setting 

Like every Company, Avanti Finance Private Limited also faces risk from external and internal sources and Objective setting is pre-condition to event identification, risk assessment and risk response. Objectives can be broadly classified in the four categories: 

1. Strategic Objective — Strategic Objective are the high-level goals, aligned with and supporting Company's Mission and Vision statement. 
2. Operational Objective — Effectiveness and efficiency of entity's operations, including performance and profitability goals and safeguarding resources against loss.
   
3. Compliance Objective — Adherence to relevant laws and regulations.
   
4. Reporting Objective — Reliability of internal and external reporting including financial and non-financial information

4.2  Risk Management Committee 

The Risk Management Committee is a committee of Board of the Company. The key responsibilities of the Risk Management Committee relating to risk management include: 

1. To advise and assist the Board in its oversight of the design and effectiveness of the Enterprise Risk Management Framework
   
2. To advise and assist the Board of Directors in fulfilling its oversight responsibilities with regards to the risk appetite of the Company, its risk management and compliance framework and the governance structure that supports it
   
3. Overseeing risk appetite and risk tolerance appropriate to each business area
   
4. Ensuring that there are adequate enterprise-wide processes and systems for identifying and reporting risks and deficiencies, including emerging risks
   
5. To ensure alignment of the risk framework with the Company’s growth strategy, supporting a culture of risk taking within sound risk governance
   
6. To monitor all material aspects of the risk profile and to notify the board of any material changes or exceptions to established risk policies
   
7. To ensure the Company’s adherence to all applicable regulations as updated from time to time by various regulatory authorities 

4.3  Risk Assessment 

Risk prioritization is the process of rating the risks in order to identify those risks which may have the most significant impact on the achievement of the stated goals and objectives of the business 

After the key risks have been identified, they will be assessed in terms of their 'Consequence' and 'Likelihood'. Also, in order for risks to be assessed objectively, there must be a common approach or methodology for measuring risks. It is critical for the process owners and management to define and agree on the quantitative and qualitative descriptors (for consequence and likelihood scale) in identifying and assessing risks. 

Risks that are characterized with high inherent risks (gross risk in absence of any controls) or high residual risks (risk assessed to be higher than the 'targeted' level after considering existing controls) should be prioritized for treatment. 

4.4  Risk Response 

Risk response relates to the policies, procedures, processes and controls implemented to address the risks associated with specified future events. The sophistication of the response selected is a factor of the cost versus benefit, including the effect on event likelihood and impact 

Various response strategies are available for responding to a given event and associated risks. These strategies are broadly divided into the following four categories: 

Avoidance - An organization considers adopting this strategy in circumstances where

1. the cost of implementing a response is prohibitive and out-weighs the benefits,
2. Risk undertaken is well outside the risk appetite or
3. Activity giving rise to the risk does not fit with the overall strategy.

Reduction - By considers adopting this strategy with the intent that if a proposed action is taken, it will reduce likelihood or impact, or both 

Sharing - By adopting this strategy, an entity attempts to reduce likelihood or impact or both by transferring or otherwise sharing a portion of risk. Common techniques include outsourcing an activity. This strategy is generally resorted to 

1. The cost of implementing a response strategy internally is prohibitive and greatly outweighs its benefits 
2. The activity giving rise to the risk is not a core competency of the organization e.g verification of customer documents submitted during the loan appraisal process.
3. The cost of sharing the risks is less than the benefits i.e. risk exposure is brought within the risk tolerance by transferring portion of risk 

Acceptance: No action is taken to affect risk likelihood or impact. This suggests that either the existing residual risk is already in line with risk tolerances or management has accepted the current risk level regardless of whether it exceeds the risk tolerances 

4.5  Control Activity 

Control activities are the policies and procedures that helps to ensure that management's risk responses are carried out as intended. They serve as mechanism for managing the achievement of objectives. 

Control activities exist throughout the organization, at all levels and in all functions. They include a range of activities — as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Control activities are identified with reference to objectives, events & associated risks and response strategies selected. Following may be considered while identifying control activities: 

1. Formal documented policies, procedures, processes and controls to mitigate the likelihood and impact of occurrence of risk for the given event
   
2. Policies, procedures, processes and controls exist but not formally documented
   
3. Existence and effectiveness of the policies, procedures, processes and controls as
   formally documented.
   
4. Reference to industry global good practices for risks and events identified
   
5. Use of experts (e.g., external consultants and Internal Audit) in designing control activities
   
6. Brainstorming and discussions 

On identification of control activities against events and associated risks, the existence of same is ascertained to identify additional control activities, if any, required for mitigation of risk. 

4.6  Information and communications 

Information systems use internally generated data and information from external sources, providing information for managing risks and making informed decisions relative to objectives. 

Effective communication should also occur, flowing down, across, and up the organization. All personnel receive a clear message from top management that enterprise risk management (ERM) responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a mean of communicating significant information upstream. 

An effective information and communication approach will increase the level of risk management awareness and understanding at all levels across the company 

4.7  Monitoring and reporting 

Ongoing monitoring occurs in the normal course of management activities. ERM deficiencies are reported upstream, with critical matters reported to top management and the Board.

Monitoring mechanisms will help to: 

1. Ensure consistent application of Risk Management Framework across the Company
   
2. Ensure the effectiveness of the Risk Management policies and procedures
   
3. Identify weaknesses / enhancements and develop corrective action plans 

Independent risk management evaluations are periodic reviews of design effectiveness of Risk management framework conducted by Internal Audit. Such reviews focus mainly on following aspects: 

1. Alignment of Risk Management philosophy and principles with respect to Company's
   vision. Adequacy of measures for developing risk awareness culture within the Company
   
2. Appropriateness of procedures adopted to implement various Risk Management components
   
3. Applicability of risk management framework's organizational structure and roles and responsibilities with respect to changes in organization 

Ongoing monitoring of risk management components will be conducted by the Chief Risk & Compliance officer. Such monitoring / validation encompass: 

1. Ensuring alignment of objectives with risk appetite and risk tolerance at all times. Changes,
   addition or deletion in the corporate/ business division objectives, risk appetite or Risk Management framework, organizational structure should be reviewed to ensure alignment of objectives, risk appetite and risk tolerance.
   
2. Ensuring that new events risks have been documented and the inventory of events is kept current and up-to-date. It is critical to have processes in place to periodically monitor and review the completeness and accuracy of the event inventory.
   
3. Review of risk assessment results to update changes in impact and likelihood of occurrence of any risk. Such changes may arise due to internal or external factors. Ensuring that appropriate communication happens at all levels and at all times.
   
4. Reviewing reports of key business activity indicators, business performance, exceptions, etc.
   
5. Understanding of effectiveness for self-performed controls
   

1. Walkthrough testing of controls on a sample basis. 

Chief Risk & Compliance officer shall submit a report on updated risk profile and operating effectiveness of the existing controls to senior management. 

Based on the report so submitted, senior management will present the assessment of implementation status of the Risk Management framework to the Risk Management Committee. 

Key findings/outcome of the Risk Management Committee will be discussed with the Board for taking corrective actions. 

5. Limitation of Risk Management 

Effective Risk Management Framework provides only reasonable assurance and not absolute assurance to the senior management and the Board of Directors regarding achievement of an entity's objectives. Achievement of objectives is affected by limitations inherent in all management processes, which include: 

1. Human judgment in decision making, which can be faulty and that breakdowns can occur because of such human failures
   
2. Controls can be circumvented by the collusion of two or more individuals
   
3. Management's ability to override the risk management decisions
   
4. Decisions on responding to risk and establishing controls depend on their related costs and benefits 

6. Capital Adequacy Requirement 

The Company shall maintain a minimum capital ratio consisting of Tier I and Tier II capital which shall not be less than 15% of its risk weighted assets on-balance sheet and the risk adjusted value of off-balance sheet items or as is regulatorily applicable. 

Consequently, Tier I capital cannot be less than 10% unless regulatorily applicable. 

Composition of Tier I 

Tier-I Capital" means owned fund as reduced by investment in shares of other NBFCs and in shares, debenture, bonds, outstanding loans and advances including hire purchase and lease finance made to and deposits with subsidiaries and companies in the same group exceeding, in aggregate, 10% of the owned fund.

Composition of Tier II 

“Tier II capital” includes the following:- 

•      a.  preference shares other than those which are compulsorily convertible into equity;
•      b.  revaluation reserves at discounted rate of fifty five percent; 
•      c.  general provisions and loss reserves to the extent these are not attributable to actual diminution in value or identifiable potential loss in any specific asset and are available to meet unexpected losses, to the extent of one and one fourth percent of risk weighted assets; 
•      d.  hybrid debt capital instruments; 
•      e.  subordinated debt; (to the extent, value does not exceed fifty per cent of Tier-I capital); and
•      f.  Perpetual debt instruments issued by a systemically important non-deposit taking non- banking financial company which is in excess of what qualifies for Tier I Capital, to the extent the aggregate does not exceed Tier I capital. 

Explanations: 

On balance sheet assets 

Degrees of credit risk expressed as percentage weightages shall been assigned to balance sheet assets. Hence, the value of each asset/item requires to be multiplied by the relevant risk weights to arrive at risk adjusted value of assets. The aggregate shall be taken into account for reckoning the minimum capital ratio. 

The risk weighted asset shall be calculated as the weighted aggregate of funded items as detailed hereunder: - 

*Approved securities will be based on list as per exchanges 

Notes: 

Netting may be done only in respect of assets where provisions for depreciation or for bad and doubtful debts have been made. (The provision for bad and doubtful debts will be done by way of creation of a ‘Memorandum Account’ to the extent of same asset value by debiting the P&L account). 

Assets which have been deducted from owned fund to arrive at net owned fund shall have a weightage of ‘zero’. 

• NBFCs were advised vide DNBR (PD) C.C. No. 008/ 03.10.119/ 2016-17 dated September 1, 2016 that in terms of Accounting Standard 22, the tax effects of timing differences are included in the tax expense in the statement of profit and loss as deferred tax assets (DTA) (subject to the consideration of prudence) or as deferred tax liabilities (DTL) in the balance sheet. Further that the balance in DTL account will not be eligible for inclusion in Tier I or Tier II capital for capital adequacy purpose and that DTA being an intangible asset, will be deducted from Tier I Capital. In this connection it is further clarified that
  

• a)  DTL created by debit to opening balance of Revenue Reserves or to Profit and Loss Account for the current year will be included under ‘others’ of “Other Liabilities and Provisions.”
  
• b)  DTA created by credit to opening balance of Revenue Reserves or to Profit and Loss account for the current year will be included under item ‘others’ of “Other Assets.”
  
• c)  Intangible assets and losses in the current period and those brought forward from previous periods will be deducted from Tier I capital.
  
• d)  DTA computed as under will be deducted from Tier I capital: 
•      (i)  DTA associated with accumulated losses; and
  
•      (ii)  The DTA (excluding DTA associated with accumulated losses) net of DTL. Where
  the DTL is in excess of the DTA (excluding DTA associated with accumulated losses), the excess shall neither be adjusted against item (i) nor added to Tier I capital.”
  

Off-balance sheet items 

General 

The Company shall calculate the total risk weighted off-balance sheet credit exposure as the sum of the risk-weighted amount of the market related and non-market related off-balance sheet items. The risk-weighted amount of an off-balance sheet item that gives rise to credit exposure shall be calculated by means of a two-step process: 

1. The notional amount of the transaction shall be converted into a credit equivalent amount, by multiplying the amount by the specified credit conversion factor or by applying the current exposure method; and
   
2. the resulting credit equivalent amount shall be multiplied by the risk weight applicable viz. zero percent for exposure to Central Government/State Governments, 20 percent for exposure to banks and 100 percent for others. 

Non-market-related off- balance sheet items

The credit equivalent amount in relation to a non-market related off-balance sheet item shall be determined by multiplying the contracted amount of that particular transaction by the relevant credit conversion factor (CCF). 

Note: - Cash margins/deposits shall be deducted before applying the conversion factor. 

7. Reporting of Fraud

7.1 Classification of frauds 

A. Frauds have been classified as under based mainly on the provisions of the Indian Penal Code: 

1. Misappropriation and criminal breach of trust.
   
2. Fraudulent encashment through forged instruments, manipulation of books of account
   or through fictitious accounts and conversion of property.
   
3. Un authorised credit facilities extended for reward or for illegal gratification.
   
4. Negligence and cash shortages.
   
5. Cheating and forgery.
   
6. Any other type of fraud not coming under the specific heads as above. 

B. Cases of ‘negligence and cash shortages’ referred above are to be reported as fraud if the intention to cheat / defraud is suspected / proved. However, the following cases where fraudulent intention is not suspected / proved, at the time of detection, will be treated as fraud and and reported accordingly: 

1. cases of cash shortages more than Rs.10,000/- and
   
2. cases of cash shortages more than Rs. 5000/- if detected by management /auditor /inspecting officer and not reported on the occurrence by the persons handling cash. 

7.2 Reporting of Frauds to Reserve Bank of India 

The below mentioned frauds to be reported to Reserve Bank of India (where applicable as per relevant directions from RBI): 

1. Frauds involving Rs. 1 lakh and above
   
2. Frauds committed by unscrupulous borrowers
   
3. Cases of attempted fraud 

7.3. Quarterly returns 

The below mentioned quarterly returns to be submitted to Reserve Bank of India (where applicable as per relevant directions from RBI): 

1. Report on Frauds Outstanding
   
2. Progress Report on Frauds 

7.4 Reports to the Board 

• Reporting of Frauds ‍

Company should ensure that all frauds of Rs. 1 lakh and above are reported to Board promptly on detection. Such reports should, among other things, take note of the failure on the part of the concerned officials, and consider initiation of appropriate action against the officials responsible for the fraud. 

• Quarterly Review of Frauds 

a.  Information relating to frauds for the quarters ending March, June and September shall be placed before the Board of Directors during the month following the quarter to which it pertains.

• b.  These should be accompanied by supplementary material analysing statistical information and details of each fraud so that the Board would have adequate material to contribute effectively in regard to the punitive or preventive aspects of frauds.
  

c.  All the frauds involving an amount of Rs. 1 crore and above should be monitored and reviewed by the Audit Committee of the Board. The periodicity of the meetings of the Committee will be decided according to the number of cases involved. However, the Committee should meet and review as and when a fraud involving an amount of Rs.1 crore and above comes to light. 

• • Annual Review of Frauds

Company should conduct an annual review of the frauds and place a note before the Board of Directors for information. The reviews for the year-ended December should be put up to the Board before the end of March the following year. Such reviews need not be sent to the Bank 

7.5 Cases of attempted fraud 

All individual cases involving Rs. 25 lakh or more should be placed before the Audit Committee of applicable NBFC’s Board. The report containing attempted frauds which is to be placed before the Audit Committee of the Board should cover inter alia the following viz; 

1. The modus operandi of the attempted fraud;
   
2. How the attempt did not materialize in the fraud or how the attempt failed / was foiled;
   
3. The measures taken by the Company to strengthen the existing systems and controls;
   
4. New systems and controls put in place in the area where fraud was attempted;
   
5. In addition to the above, yearly consolidated review of such cases detected during the
   year containing information regarding area of operations where such attempts were made, effectiveness of new process and procedures put in place during the year, trend of such cases during the last three years, need for further change in process and procedures, if any, etc. as on March 31 every year within three months of the end of the relative year. 

7.6  Guidelines for reporting frauds to Police 

Company should follow the following guidelines for reporting of frauds such as unauthorised credit facilities extended for illegal gratification, negligence and cash shortages, cheating, forgery, etc. to the State Police authorities: 

• • In dealing with cases of fraud/embezzlement, Company should not merely be actuated by the necessity of recovering expeditiously the amount involved, but should also be motivated by public interest and the need for ensuring that the guilty persons do not go unpunished. 

• • Therefore, as a general rule, the following cases should invariably be referred to the State Police:

a.  Cases of fraud involving an amount of Rs. 1 lakh and above, committed by outsiders on their own and/or with the connivance of Company’s staff/officers; 

b.  Cases of fraud committed by employees, when it involves the NBFC funds exceeding Rs. 10,000/-. 

8. Asset Liability Management (ALM) 

The Asset Liability Management shall be in accordance with relevant and applicable RBI directions including the Master Direction - Non-Banking Financial Company –Systemically Important Non-Deposit Taking Company and Deposit taking Company (Reserve Bank) Directions, 2016. 

The Asset Liability Management Committee (ALCO) will assist the Risk Committee in evaluating risks emanating from Asset-liability mismatch, Interest rate risk, various aspects of liquidity risk management such as specifying the appropriate liquidity risk tolerance, internal product pricing, the funding strategy, stress testing and developing contingency plans etc., and other specific matters as may be indicated by the Board of the Company from time to time. 

9. Liquidity Risk Management 

The intent of the liquidity risk management framework is to ensure that the NBFC maintains sufficient liquidity, including a cushion of unencumbered, high quality liquid assets to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources. 

In addition to the ALCO., the NBFC will also ensure appropriate internal controls and procedures to ensure adherence to the Liquidity Risk Management framework and a reliable MIS system for providing timely and accurate reporting of the liquidity position of the Company. 

The Company will also have procedures to monitor other aspects of liquidity risk management as below:

(A) Maturity Profiling 

A maturity ladder and calculation of cumulative surplus or deficit of funds at selected maturity dates can be used for measuring and managing net funding requirements, The Maturity Profile should be used for measuring the future cash flows of the Company in different time buckets. The time buckets shall be distributed as under: 

• (i)  1 day to 7 days
• (ii)  8 days to 14 days
• (iii)  15 days to 30/31 days (one month) 
• (iv)  Over one month and upto 2 months 
• (v)  Over two months and upto 3 months 
• (vi)  Over 3 months and upto 6 months 
• (vii)  Over 6 months and upto 1 year
• (viii)  Over 1 year and upto 3 years 
• (ix)  Over 3 years and upto 5 years 
• (x)  Over 5 years 

Within each time bucket, there could be mismatches depending on cash inflows and outflows. While the mismatches up to one year would be relevant since these provide early warning signals of impending liquidity problems, the main focus shall be on the short-term mismatches, viz., 1-30/ 31 days. The net cumulative negative mismatches in the Statement of Structural Liquidity in the maturity buckets 1-7 days, 8-14 days, and 15-30 days shall not exceed 10 percent, 10 percent and 20 percent of the cumulative cash outflows in the respective time buckets. NBFCs, however, are expected to monitor their cumulative mismatches (running total) across all other time buckets upto 1 year by establishing internal prudential limits with the approval of the Board. NBFCs shall also adopt the above cumulative mismatch limits for their structural liquidity statement for consolidated operations. 

In order to enable the NBFCs to monitor their short-term liquidity on a dynamic basis over a time horizon spanning from 1 day to 6 months, NBFCs shall estimate their short-term liquidity profiles on the basis of business projections and other commitments for planning purposes. 

(B) Liquidity Risk Measurement – Stock Approach 

The Company should monitor certain critical ratios and specify some internal limits for these ratios based on the Company’s liquidity risk management capabilities, experience and profile. An indicative list of critical ratios are as below:

• (i)  Short-term liability to total assets 
• (ii)  Short-term liability to long term assets 
• (iii)  Commercial papers to total assets 
• (iv)  Short-term liabilities to total liabilities 
• (v)  long-term assets to total assets 

(C) Currency Risk 

The Board of NBFCs should recognise the liquidity risk arising out of exchange rate volatility affecting exposures to foreign assets or liabilities and develop suitable preparedness for managing the risk. 

(D) Interest Rate Risk (IRR) 

Company should measure the Gap or Mismatch risk by calculating Gaps over different time intervals as at a given date. Gap analysis measures mismatches between rate sensitive liabilities and rate sensitive assets (including off-balance sheet positions). An asset or liability is normally classified as rate sensitive if: 

1. within the time interval under consideration, there is a cash flow;
   
2. the interest rate resets/re-prices contractually during the interval;
   
3. dependent on RBI changes in the interest rates/Bank Rate;
   
4. it is contractually pre-payable or withdrawal before the stated maturities. 

The Gap Report shall be generated by grouping rate sensitive liabilities, assets and off- balance sheet positions into time buckets according to residual maturity or next repricing period, whichever is earlier.

The gaps shall be identified in the following buckets 

• i.  1 day to 7 days
• ii.  days to 14 days
• iii.  15 days to 30/31 days (one month)
• iv.  Over one month to 2 months
• v.  Over two months to 3 months
• vi.  Over 3 months to 6 months
• vii.  Over 6 months to 1 year
• viii.  Over 1 year to 3 years
• ix.  Over 3 years to 5 years
• x.  Over 5 years
• xi.  Non-sensitive 

(E) Public disclosure on liquidity risk 

• (i)  Funding Concentration based on significant counter party (both deposits and borrowings) 
• (ii)  Top 20 large deposits (amount in ₹ crore and % of total deposits)
• (iii)  Top 10 borrowings (amount in ₹ crore and % of total borrowings)
• (iv)  Funding Concentration based on significant instrument/product 
• (v)  Stock Ratios:
•       (a) Commercial papers as a % of total public funds, total liabilities and total assets
•       (b) Non-convertible debentures (original maturity of less than one year) as a % of total public funds, total liabilities and total assets
•       (c) Other short-term liabilities, if any as a % of total public funds, total liabilities and total assets
• (vi) Institutional set-up for liquidity risk management 

10. Adherence to Applicable Regulations 

The Company should incorporate appropriate processes to ensure that it is abreast of applicable changes in regulation as updated by various regulatory authorities from time to time and necessary changes are made to the operational processes to ensure compliance to the latest regulations. 

The Risk Committee will monitor the Company’s adherence to the latest regulations as part of the periodic review of the Company’s risk management practices. 

11. Regulatory Reference 

This policy is framed as per the following regulatory references (where applicable) and in accordance with leading industry practice: 

1. Section 134 of Companies Act, 2013 (Refer Para 2 to 5 of this policy)
   
2. Master Direction - Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016 i.e. NBFC not accepting / holding public deposits and having total assets of Rs. 500 crore and above as shown in the last audited balance sheet; (Refer Para 7 of this policy)
   
3. Master Direction - Non-Banking Financial Company - Systemically Important Non- Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016 i.e. every non-deposit accepting NBFC with asset size of Rs.500 crore and above (NBFCs-ND-SI) 

12. Policy Review and Updates 

This document shall be approved by the Risk Management Committee and shall be reviewed at least annually.

This Policy was: 

• (i)  Drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO
  
• (ii)  Internally reviewed by: Mr. Rahul Gupta, CEO
  
• (iii)  Approved by the Board of the Company on: October 30, 2017, Revision 1 on: March 22, 2021, Revision 2 on September 30, 2022, Revision 3 on March 13, 2023 

This revised Policy comes into effect from date of approval of the Board. 

Approved by the Board of Directors on April 03, 2020

Relief measures approved by the Board

Retail loans of INR 54.84 crores (23791 accounts) outstanding as on March 31'20

• 1.  All borrowers will be given the option of a moratorium for EMI falling due between the period March 01, 2020 to May 31, 2020 (upto 92 days) without a change in the EMI amount.
• 2.  All borrowers will be given an option to continue making repayments falling due between the moratorium period in case their cash flows permit & they are not in favour of extending their loan tenure & paying additional accrued interest for the moratorium period.
• 3.  Interest will continue to accrue on the outstanding portion of the term loans during the moratorium period and will be collected along with the last EMI or additional installment.
• 4.  The revised asset classification of the loans will be on the basis of revised due dates and the revised repayment schedule. The same will be shared with the Credit Information Companies (Regulatory requirement).

Institutional loans of INR 12.14 crores (10 accounts) outstanding as on March 31'20

All institutional borrowers will be provided an option to opt for moratorium. However, decision pertaining to grant of moratorium will be solely made by Avanti, on a case to case basis.

Repayment Moratorium 2 Policy of Avanti Finance Private Limited

This is with reference to the circular issued by the Reserve Bank of India on the subject of COVID 19 regulatory package pertaining to grant of moratorium to borrowers. The Board of each financial institution has to approve its own policy & your approval is therefore sought for Avanti Finance Pvt Ltd. Our policy is aimed at adhering to the spirit & letter of the RBI's guidelines & enabling the right choice for our borrowers.

The gist of the guidelines is as under:

• 1.  RBI has released a comprehensive Statement of Development and Regulatory Policies onMarch 27, 2020 covering the Covid-19 package.
• 2.  All term loans were permitted to be granted a moratorium of three months on payment of all instalments falling due between March 1, 2020 and May 31, 2020 (Moratorium 1) by the Board on April 3, 2020.
• 3.  Further, through a media statement by the Governor, the moratorium was extended by another three months from June 1, 2020 to August 31, 2020 (Moratorium 2).
• 4.  The repayment schedule for such loans can be shifted across the board by a total of six months after the moratorium period (M1 and M2).
• 5.  Interest shall continue to accrue on the outstanding portion of the term loans during the moratorium period.
• 6.  The asset classification of term loans which are granted relief as per point 2 and point 3 shall be determined on the basis of revised due dates and the revised repayment schedule.
• 7.  The rescheduling of payments, including interest, will not qualify as a default for the purposes of supervisory reporting and reporting to Credit Information Companies (CICs) by the lending institutions.
• 8.  This is applicable to all commercial banks (including regional rural banks, small finance banks and local area banks), co-operative banks, all-India Financial Institutions, and NBFCs (including housing finance companies).

On account of the disruption in incomes of our customers due to the impact of Covid-19, the Board, on April 3, 2020, had approved to provide Moratorium 1 to all our customers.

Given that the situation on ground remains similar with continued lockdowns at local levels, our customers livelihoods still remain affected. Hence, we propose to extend Moratorium 2 across the board to all standard accounts as per the RBI guidelines and repayments will start w.e.f September 01, 2020 (as per the original EMI dates of the month).

We request approval of the Board for the following measures for effective implementation of the above mentioned guidelines.

Retail loans / balances are Rs 51.78 crs (23372 accounts) outstanding as of June 1, 2020

• 1.  All borrowers will be given the option of a moratorium for EMI falling due between the period June 01, 2020 to August 31, 2020 (upto 92 days) without a change in the EMI amount
• 2.  All borrowers will be given an option to continue making repayments falling due between the moratorium period in case their cash flows permit & they are not in favour of extending their loan tenure & paying additional accrued interest for the moratorium period.
• 3.  Interest will continue to accrue on the outstanding portion of the term loans during the moratorium period and will be collected along with the last EMI or additional installment.
• 4.  The revised asset classification of the loans will be on the basis of revised due dates and the revised repayment schedule. The same will be shared with the Credit Information Companies (Regulatory requirement).

Institutional loans of INR 9.70 crores (12 accounts) outstanding as on June 1, 2020

All institutional borrowers will be provided an option to opt for moratorium. However, decision pertaining to grant of moratorium will be solely made by Avanti, on a case to case basis.

1. Objectives of the Policy

‘Outsourcing’ may be defined as a Company's use of a third party (either an affiliated entity within the corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the company itself, now or in the future. Continuing basis would include agreements for a limited period.

Company that outsource various activities are exposed to various risks as Strategic Risk, Reputation Risk, Compliance Risk, Operational Risk, Legal Risk etc. Further, the outsourcing activities are to be brought within regulatory purview to:

1. Protect the interest of the customers and,
2. To ensure that the Company and the Reserve Bank of India have access to all books, records and information available with service provider.

The key objective of the Outsourcing Policy aims at the following:

1. Assign clear accountability and responsibility for management of Outsourcing activities
2. Provide guidance on the types of activities that can or cannot be outsourced by to external vendors
3. Assist in managing various risks associated with outsourcing and the techniques the company needs to employ to mitigate the risks
4. Designing a methodology for selection of activities to outsource, selection and monitoring of vendors and assess the materiality of the outsourced activity.

‍

2. Governance Structure

The overall expenses will be approved by the board and within the approved budget, delegation will be done.

The Company will follow the 2-tier governance structure based on various thresholds as follows:

A. Outsourcing and procurement Committee

Approval Limit will be exercised when the expenditure proposal is recommended by department head and 2 other senior employees approving the Outsourcing arrangement. One of the approving members must be the Chief Executive Officer (CEO).

The Outsourcing and procurement Committee will comprise of the representatives of following areas as its permanent members

Mr. Manish Thakkar I Sunil Tadepalli I Saikrishnan

B. Board of Directors

The Board Directors: Approval Limit will be exercised when the outsourcing proposal is recommended by the Outsourcing and Procurement Committee and approved by at least 2 Committee members.

C. Periodicity of Meeting

The Committee will periodically review and assess Outsourcing arrangement. The Committee may also meet the vendors at periodic intervals to understand difficulties faced by them and to get feedback on ways to improve the Outsourced process.

D. Roles and Responsibilities

1. Implement prudent Outsourcing Policy and procedures commensurate with the nature, scope and complexity of outsourcing activities.
2. Undertake periodic reviews of outsourcing arrangements for their continued relevance, safety, soundness and to identify new material outsourcing risks, if any.
3. Ensure a central record of material outsourcing that is readily accessible for review by the Board and Senior Management and the records are updated promptly and half yearly reviews are placed before the Board.
4. Monitor implementation of internal guidelines covering aspects such as material outsourcing, business continuity, management of Disaster Recovery Plan (DRP), and tele assessment of existing and proposed outsourcing arrangements.
5. Review customer grievances pertaining to activities outsourced and the redressal mechanism
6. Communicate information pertaining to material outsourcing risks to the Board on an annual Basis.
7. Defining approval authorities for outsourcing depending on nature of risks and materiality of outsourcing.
8. Approve budgets for the proposed outsourcing activities

E. Internal Audit department

Regular audits by either the internal auditors or external auditors of the Company should assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the Company’s compliance with its risk management framework and the requirements of the regulatory guidelines at appropriate interventions.

‍

3. Outsourcing Process

A. Identification of Core and Non-core activities

Company should not outsource core management functions including Internal Audit, Compliance function and decision-making functions like determining compliance with KY norms for opening deposit accounts, according sanction for loans and management of investment portfolio. The primary servers of the service providers should be located within India.

B. Pre-outsourcing activities

The business unit / operating unit can propose to outsource an activity after considering factors like:

1. Increase in volumes
2. Best practices in the industry
3. Lack of skilled manpower available in-house
4. Lack of adequate infrastructure e.g. systems, space etc.
5. Perceived cost benefits
6. Any other factor as determined

While deciding on scope of activities to be outsourced, the following considerations should be kept in purview:

1. The activity should be such which could be performed efficiently by an external agency, however the ultimate responsibility will be with the Company;
2. Such outsourcing should result in maintaining, if not enhancing the quality of customer service,
3. Outsourced persons should not have access to the ‘core software’ except for the purpose of limited enquiry and data entry, subject to authorization of the officials,
4. Such outsourced activities should be covered under a Service Agreement spelling out the responsibilities and liabilities of the vendor.

Evaluation of the Risks in Outsourcing Activity

The Company shall evaluate and guard against the following risks in outsourcing:

i.  Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the Company.

ii.  Reputation Risk – Where the service provided is poor and customer interaction is not consistent with the overall standards expected of the Company.

iii.  Compliance Risk – Where privacy, consumer and prudential laws are not adequately complied with by the service provider.

iv.  Operational Risk- Arising out of technology failure, fraud, error, inadequate financial capacity to fulfil obligations and/ or to provide remedies.

v.  Legal Risk – Where the Company is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the service provider.

vi.  Exit Strategy Risk – Where the Company is over-reliant on one firm, the loss of relevant skills in the Company itself preventing it from bringing the activity back in-house and where the Company has entered into contracts that make speedy exits prohibitively expensive.

vii.  Counter party Risk – Where there is inappropriate underwriting or credit assessments.

viii.  Contractual Risk – Where the Company may not have the ability to enforce the contract.

ix.  Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence the Company may lack control over the service provider.

x.  Country Risk – Due to the political, social or legal climate creating added risk.

5.4  Evaluating the Capability of the Service Provider

a)  In considering or renewing an outsourcing arrangement, appropriate due diligence will be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence shall take into consideration qualitative and quantitative, financial, operational and reputational factors.

b)  The Company will consider whether the service providers' systems are compatible with their own and also whether their standards of performance including in the area of customer service are acceptable to it.

c)  The Company will also consider, while evaluating the capability of the service provider, issues relating to undue concentration of outsourcing arrangements with a single service provider.

d)  The Company will obtain independent reviews and market feedback on the service provider to supplement its own findings, if necessary.

e)  Due diligence shall involve an evaluation of all available information about the service provider, including but not limited to the following:

i.  past experience and competence to implement and support the proposed activity over the contracted period;

ii.  financial soundness and ability to service commitments even under adverse conditions;

iii.  business reputation and culture, compliance, complaints and outstanding or potential litigation;

iv.  security and internal control, audit coverage, reporting and monitoring environment, business continuity management and

v.  ensuring due diligence by service provider of its employees.

The process for approval for outsourcing an activity has been documented below:

If the outsourcing arrangement is approved in the meeting

If the outsourcing arrangement is declined / approved with modifications in the meeting

C. Outsourcing Agreement

The terms and conditions governing the contract between Company and the service provider will be carefully defined in written agreements and vetted by Company’s legal counsel on their legal effect and enforceability. Every such agreement addresses the risks and risk mitigation strategies. The agreement should be sufficiently flexible to allow Company to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement should also bring out the nature of legal relationship between the parties i.e. whether agent, principal or otherwise. Some of the key provisions of the contract are as follows:

(a) the contract clearly defines what activities are going to be outsourced, including appropriate service and performance standards;

(b) Company will ensure that it has the ability to access all books, records and information relevant to the outsourced activity available with the service provider;

(c) the contract provides for continuous monitoring and assessment by Company of the service provider, so that any necessary corrective measure can be taken immediately;

(d) a termination clause and minimum periods to execute a termination provision, if deemed necessary, will be included;

(e) controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information will be incorporated;

(f) there must be contingency plans to ensure business continuity;

(g) the contract provides for the prior approval / consent by Company of the use of sub-contractors by the service provider for all or part of an outsourced activity;

(h) provide Company with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for Company;

(i) outsourcing agreements should include clauses to allow RBI or persons authorized by it to access Company’s documents, records of transactions and other necessary information given to, stored or processed by the service provider, within a reasonable time;

(j) outsourcing agreement will also include a clause to recognize the right of RBI to cause an inspection to be made of a service provider of Company and its books and account by one or more of its officers or employees or other persons;

(k) the outsourcing agreement will also provide that confidentiality of customer’s information should be maintained even after the contract expires or gets terminated; and

(l) Company will ensure it has necessary provisions to ensure that the service provider preserves documents and data as required by law and take suitable steps to ensure that its interests are protected in this regard even post termination of the services.

D. Post outsourcing activities:

a)  Periodic Evaluation of Service Provider

The respective department will maintain a calendar for yearly review of outsourced activities by the Outsourcing Committee. Respective department will review the vendor and place it before the Outsourcing Committee. The Committee will perform a review of the service provider to assess the financial and operational condition, performance during the year and re-assess the capabilities of the service provider/vendor on the basis of:

1. Past breaches of performance standards, confidentiality and security and business continuity preparedness, if any,
2. Business practices and process,
3. Instances of mis-selling and fraud,
4. Instances and frequencies of customer grievances / presidential complaints related
5. Compliance with related manuals,
6. Compliance with applicable laws and regulations,
7. Compliance with post outsourcing evaluation form,
8. A confirmation on the statutory registrations along with a declaration on statutory registrations to be obtained from the service provider
9. Service provider organization structure, infrastructure, management strength, and management controls should be reviewed
10. Feedback report of the reviews needs to be maintained and stored with local operations

The Outsourcing and procurement Committee is authorised to amend and suitably lay down evaluation criteria from time to time. The Outsourcing and procurement Committee on a periodic basis may also authorise surprise checks and audits of the service provider by the authorised personnel from the Company.

In case the service provider does not perform satisfactorily during the period, the company may decide to terminate the agreement in line with the clauses of the agreement executed with the service provider. The Company would maintain a list of terminated agencies and promoters.

b)  Responsibilities of DSA / DMA / Recovery Agents

1. Company will ensure that DSA / DMA / Recovery Agents are properly trained to handle with care and sensitivity, their responsibilities, particularly aspects like soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer etc.
2. Company shall put in place a Board-approved Code of Conduct for DSA / DMA / Recovery Agents and obtain their undertaking to abide by the code. In addition, Recovery Agents shall adhere to extant instructions on Fair Practice Code for Non-Banking Financial Companies as also their own code for collection of dues and repossession of security. It is essential that the Recovery Agents refrain from action that could damage the integrity and reputation of Company and that they observe strict customer confidentiality.
3. Company and their agents should not resort to intimidation or harassment of any kind either verbal or physical against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the debtors’ family members, referees and friends, making threatening and anonymous calls or making false and misleading representations.

c)  Business Continuity and Management of Disaster Recovery Plan

1. Company requires its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. Company needs to ensure that the service provider periodically tests the Business Continuity and Recovery Plan and company may also consider occasional joint testing and recovery exercises with the service provider.
2. In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, company should retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the company and its services to the customers.
3. In establishing a viable contingency plan, Company will consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in house, in an emergency and the costs, time and resources that would be involved.
4. Outsourcing often leads to the sharing of facilities operated by the service provider. Company will ensure that service providers are able to isolate Company’s information, documents, records and other assets. This is to ensure that in adverse conditions, all documents, records of transactions and information given to the service provider, and assets of Company, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

d)  Monitoring and Control of Outsourced Activities

1. Company will have in place, a management structure to monitor and control its outsourcing activities. It should ensure that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities.
2. A central record of all material outsourcing that is readily accessible for review by the Board and senior management of Company will be maintained. The records will be updated promptly and half yearly reviews should be placed before the Board or Risk Management Committee.
3. Regular audits by either the internal auditors or external auditors of Company will assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, Company’s compliance with its risk management framework and the requirements of RBI Directions. 
4. Company will, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
5. In the event of termination of outsourcing agreement for any reason in cases where service provider deals with the customers, the same will be publicized by displaying at a prominent place in the branch, posting it on the website and informing the customers so as to ensure that the customers do not continue to entertain or deal with the service provider.
6. Certain cases, like outsourcing of cash management, might involve reconciliation of transactions between Company, the service provider and its sub-contractors. In such cases, Company will ensure that reconciliation of transaction between Company and the service provider (and / or its sub-contract) are carried out in a timely manner. An ageing analysis of entries pending reconciliation with outsourced vendors will be placed before the Audit Committee of the Board (“ACB”) / Outsourcing & Procurement Committee and Company will make efforts to reduce the old outstanding items therein at the earliest.
7. A robust system of internal audit of all outsourced activities will also be put in place and monitored by the ACB / Outsourcing & Procurement Committee of Company.

e)  Redressal of Grievances related to Outsourced Services

1. Company has constituted a Grievance Redressal Machinery as contained in RBI’s circular on Grievance Redressal Mechanism vide DNBS.CC.PD.No.320/03.10.01/2012-13 dated February 18, 2013. At the operational level, Company has displayed the name and contact details (telephone/mobile numbers and email address) of the Grievance Redressal Officer prominently at their branches / places where business is transacted. The designated officer ensures that genuine grievances of customers are redressed promptly without involving delay including the issues relating to services provided by outsourced agency.
2. Generally, a time limit of 30 days may be given to the customers for preferring their complaints/grievances. The grievance redressal procedure of Company and the time frame fixed for responding to the complaints will be placed on Company’s website.

f)  Reporting of Transactions to FIU or other Competent Authorities

The company is responsible for making Currency Transactions Reports and Suspicious Transactions Reports to FIU or any other competent authority in respect of Company's customer related activities carried out by the service providers.

‍

4. Outsourcing within a Group / Conglomerate

• In a group structure, Company may have back-office and service arrangements /agreements with group entities e.g. sharing of premises, legal and other professional services, hardware and software applications, centralize back-office functions, outsourcing certain financial services to other group entities, etc. Before entering into such arrangements with group entities, Company will frame a Board approved policy and also service level agreements / arrangements with its group entities, which also covers demarcation of sharing resources i.e. premises, personnel, etc. Moreover, the customers will be informed specifically about the company which is actually offering the product /service, wherever there are multiple group entities involved or any cross selling observed.
• While entering into such arrangements, Company will ensure that these:

1. are appropriately documented in written agreements with details like scope of services, charges for the services and maintaining confidentiality of the customer's data;
2. do not lead to any confusion to the customers on whose products/ services they are availing by clear physical demarcation of the space where the activities of Company and those of its other group entities are undertaken;
3. do not compromise the ability to identify and manage risk of Company on a standalone basis;
4. do not prevent RBI from being able to obtain information required for the supervision of Company or pertaining to the group as a whole; and
5. incorporate a clause under the written agreements that there is a clear obligation for any service provider to comply with directions given by the RBI in relation to the activities of Company.

• Company will ensure that its ability to carry out their operations in a sound fashion would not be affected if premises or other services (such as IT systems, support staff) provided by the group entities become unavailable.
• If the premises of Company are shared with the group entities for the purpose of cross selling, Company will take measures to ensure that the entity’s identification is distinctly visible and clear to the customers. The marketing brochure used by the group entity and verbal communication by its staff / agent in Company’s premises will mention nature of arrangement of the entity with Company so that the customers are clear on the seller of the product.
• Company will not publish any advertisement or enter into any agreement stating or suggesting or giving tacit impression that they are in any way responsible for the obligations of its group entities.
• The risk management practices expected to be adopted by Company while outsourcing to a related party (i.e. party within the Group / Conglomerate) would be identical to those specified in Clause 3 of this Policy.
• ‍

5. Off-Shore Outsourcing of Financial Services

• The engagement of service providers in a foreign country exposes Company to Country Risk -economic, social and political conditions and events in a foreign country that may adversely affect Company. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with Company. To manage the country risk involved in such outsourcing activities, Company will take into account and closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements will only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement will also be clearly specified.
• The activities outsourced outside India will be conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of Company in a timely manner.
• As regards the off-shore outsourcing of financial services relating to Indian Operations, Company will additionally ensure that:

(a)  where the off-shore service provider is a regulated entity, the relevant off-shore regulator will neither obstruct the arrangement nor object to RBI inspection visits /visits of Company’s internal and external auditors;

(b)  the availability of records to management and the RBI will withstand the liquidation of either the offshore custodian or Company in India;

(c)  the regulatory authority of the offshore location does not have access to the data relating to Indian operations of Company simply on the ground that the processing is being undertaken there (not applicable if off shore processing is done in the Company's home country);

(d)  the jurisdiction of the courts in the off-shore location where data is maintained does not extend to the operations of Company in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India; and(e) all original records continue to be maintained in India.

(e)  all original records continue to be maintained in India.

6. Confidentiality and Security

1. • Public confidence and customer trust in Company is a prerequisite for the stability and reputation of Company. Hence, Company seeks to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider
2. Access to customer information by staff of the service provider should be on ‘need to know’ basis, i.e. limited to those areas where the information is required in order to perform the outsourced function.
3. Company will ensure that the service provider is able to isolate and clearly identify Company's customer information, documents, records and assets to protect the confidentiality of the information. In instances, where service provider acts as an outsourcing agent for multiple companies, care should be taken to build strong safeguards so that there is no co-mingling of information / documents, records and assets.
4. Company will review and monitor the security practices and control processes of the service provider on a regular basis and require the service provider to disclose security breaches.
5. Company will immediately notify RBI in the event of any breach of security and leakage of confidential customer related information. In these eventualities, Company would be liable to its customers for any damage.

• ‍

7. Company’s Role and Regulatory and Supervisory Requirements

1. The outsourcing of any activity by Company does not diminish its obligations, and those of its Board and senior management, who have the ultimate responsibility for the outsourced activity. Company is, therefore, be responsible for the actions of its service provider including Direct Sales Agents (“DSA”) / Direct Marketing Agents (“DMA”) and Recovery Agents and the confidentiality of information pertaining to the customers that is available with the service provider. Company retains ultimate control of the outsourced activity.
2. Company will, when performing its due diligence in relation to outsourcing, consider all relevant laws, regulations, guidelines and conditions of approval, licensing or registration.
3. Outsourcing arrangements will not affect the rights of a customer against Company, including the ability of the customer to obtain redress as applicable under relevant laws. Since the customers may be required to deal with the service providers in the process of dealing with Company, Company will incorporate a clause in the product literature /brochures etc., stating that they may use the services of agents in sales / marketing etc. of the products. The role of agents may be indicated in broad terms.
4. Outsourcing, whether the service provider is located in India or abroad, should not impede or interfere with the ability of Company to effectively oversee and manage its activities nor should it impede RBI in carrying out its supervisory functions and objectives.
5. Company will provide a robust grievance redressal mechanism, which in no way will be compromised on account of outsourcing.
6. The service provider, if it is not a group entity of Company, will not be owned or controlled by any director or officer/employee of Company or their relatives; these terms have the same meaning as assigned under Companies Act, 2013.

‍

8. Record Keeping

The Company will maintain all records, documents and other papers relating to outsourcing for a period of 8 years.

‍

9. Policy Review and Updates

This Policy is intended to continue to evolve over time with business changes. The Policy should at least be reviewed on an annual basis by the Outsourcing and Procurement Committee.

(i)  Drafted on behalf of the Company by: Mr. Nagaraj Subrahmanya, CRO

(ii)  Internally reviewed by: Mr. Manish Thakkar, COO

(iii)  Approved by the Board of the Company on: October 30, 2017, Revision 1 on: March 13,2023

‍

10.Regulatory References

This policy is framed according the following regulatory references:

1. Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs, 2017