
IT Policy

Great Meera Finlease Private Limited, in accordance with the Master Directions, as amended from time to time, and the circular issued by the Reserve Bank of India (“RBI”) dated September 2, 2022 on Digital Lending Guidelines (“Digital Lending Guidelines”), has approved and adopted this policy at the meeting of the Board of Directors of the Company (“Policy”).

OBJECTIVES

Information technology (“IT”) governance is an integral part of corporate governance of all non-banking financial companies, and effective IT governance is the responsibility of the board of directors of the Company (“Board”).

SECURITY ASPECTS

  1. Password Policy
    All users are responsible for keeping their passwords secure and confidential. The password credentials of the users must comply with the password parameters (“Complexity Requirements”) and standards laid down in this Policy. Passwords must not be shared with or made available to anyone in any manner that is not consistent with this Policy. The Complexity Requirements for setting passwords are as follows:
    A. A strong password must be at least 8 (Eight) characters long.
    B. It should not contain any of the user’s personal information, specifically the user’s real name, user name or the Company’s name.
    C. It must be different from the passwords previously used by the user.
    D. It should not contain any complete dictionary word.
    E. It must contain characters from all four of the following categories: uppercase letters, lowercase letters, numbers and special characters (for example @, #, $).
    F. To ensure that a compromised password cannot be misused over the long term, users are encouraged to change their password every 30 (Thirty) days.
    G. Passwords must not be stored in readable form on computers without access control systems or in other locations where unauthorized persons might discover them. Passwords must not be written down and left in a place where unauthorized persons might discover them.
    H. Upon assignment of an initial password, and in every password “reset” situation, the user must change the password immediately on first use to ensure confidentiality of all information.
    I. Under no circumstances shall a user use another user’s account or password without proper authorization.
    J. A user shall not share his/her password(s) with any other user unless the necessary approval has been obtained from the concerned branch manager / IT head. Where a password is shared in accordance with the above, the user shall be responsible for changing it immediately upon completion of the task for which it was shared.

     

  2. Access Controls
    A. Access to the Company’s electronic information and information systems, and the facilities where they are housed, is a privilege that may be monitored and revoked without notification. Additionally, all access is governed by law and Company policies including but not limited to requirements laid down in this policy.
    B. Persons or entities with access to the Company’s electronic information and information systems are accountable for all activities associated with their user credentials. They are responsible for protecting the confidentiality, integrity and availability of information collected, processed, stored or transmitted by the Company, irrespective of the medium on which the information resides.
    C. Access must be granted on the basis of least privilege - only to resources required by the current role and responsibilities of the person.
    D. Requirements:

    1. All users must use a unique ID to access the Company’s systems and applications.

    2. Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.

    3. Remote access to the Company’s systems and applications must use two-factor authentication wherever possible.

    4. System and application sessions must automatically lock after [insert ] minutes of inactivity.

INFORMATION SECURITY AND CYBER SECURITY

  1. Information Security:
    The Company has an information security framework with the following principles:

     

    1. Identification and classification of information assets: The Company shall maintain a detailed inventory of information assets, with distinct and clear identification of each asset.

    2. Functions: The information security function is adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there is a clear segregation of responsibilities relating to system administration, database administration and transaction processing.

    3. Role based access control – Access to information is based on well-defined user roles (e.g. system administrator, user manager, application owner). The Company has a clear delegation of authority to upgrade/change user profiles and permissions, as well as key business parameters.

    4. Personnel Security - A few authorized application owners/users may have intimate knowledge of the Company’s processes and therefore pose a potential threat to systems and data. The Company has a process of appropriate checks and balances to avoid any such threat to its systems and data. Personnel with privileged access, such as system administrators and cyber security personnel, are subject to rigorous background checks and screening.

    5. Physical Security - The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. The Company has created a secured environment for physical security of information assets such as secure location of critical data, restricted access to sensitive areas like data centres etc. and has further obtained adequate insurance to safeguard such data.

    6. Maker-checker – Maker-checker is one of the important principles of authorization in the information systems of financial entities. It means that at least two individuals are required to complete each transaction, which reduces the risk of error and ensures the reliability of information. The Company shall ensure that it complies with this requirement in carrying out all its business operations.

    7. Trails – The Company shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity is recorded in the audit trail.

    8. Mobile Financial Services – The Company has a mechanism for safeguarding information assets that are used by mobile applications to provide services to Customers. The technology used by the Company for mobile services ensures confidentiality, integrity and authenticity and provides for end-to-end encryption.

    9. Social Media Risks – The Company uses/may use social media to market its products and is equipped to handle social media risks and threats so as to avoid account takeover or malware distribution. The Company shall further ensure proper controls such as encryption and secure connections to mitigate such risks.

    10. Digital Signatures – The Company may consider use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfer.

    11. Regulatory Returns – The Company has adequate system and formats to file regulatory returns to the RBI on a periodic basis. Filing of regulatory returns is managed and verified by the authorised representatives of the Company.
       

  2. Cyber Security

    1. The Company takes effective measures to prevent cyber-attacks and to promptly detect any cyber intrusion so as to respond to, contain and recover from it. Among other things, the Company takes the necessary preventive and corrective measures against various types of cyber threats, which include denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds and password related frauds.

    2. The Company realises that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This requires a high level of awareness among staff at all levels. The Company ensures that the top management and the Board have a fair degree of awareness of the finer nuances of the threats. Further, it proactively promotes, among its customers, vendors, service providers and other relevant stakeholders, an understanding of its cyber resilience objectives, and ensures appropriate action to support their synchronised implementation and testing.
       

  3. Confidentiality

    1. In addition to preserving and protecting security (as set out in detail above), the Company ensures the confidentiality of customer information in the custody or possession of any service provider.

    2. Access to customer information by employees of the service provider is on a ‘need to know’ basis, i.e., limited to those areas where the information is required in order to perform the outsourced function.

    3. The Company shall further ensure that the service provider isolates and clearly identifies the Company’s customer information, documents, records and assets to protect the confidentiality of the information. The Company has strong safeguards in place so that there is no commingling of information / documents, records and assets.

    4. The Company shall ensure that it immediately notifies RBI in the event of any breach of security and leakage of confidential customer related information.

    5. No information (including personal information or data of the borrowers) shall be collected by LSPs / DLAs without the prior explicit consent of the borrowers.

    6. All data collected by the Company is stored on servers located in India. Nothing stated above shall preclude the Company from adhering to the mandate of disclosing / reporting borrowers to the credit information companies in accordance with the Digital Lending Guidelines and/or the Outsourcing Policies and/or other extant instructions / guidelines / directions / circulars of the RBI.

    7. In line with the mandate of RBI, the Company has adopted and implemented the following requirements:

i. The Company shall ensure that the LSPs/DLAs engaged by it do not store personal information of the Customers except some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out their operations.
ii. The Company shall carry the responsibility of ensuring that the LSPs and DLAs maintain data privacy and security of the Borrower’s personal information.
iii. The Company shall ensure that any collection of data by its DLAs and the DLAs of its LSPs is need-based and with the prior and explicit consent of the Customers, with an audit trail. The Company shall also ensure that DLAs desist from accessing mobile phone resources like files and media, contact list, call logs, telephony functions, etc.
iv. The Company shall ensure that the Customer is provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, restrict data retention, revoke consent already granted to collect personal data and, if required, make the app delete/forget the data.
v. The purpose of obtaining the borrower’s consent shall be disclosed at each stage of interface with the borrower.
vi. Explicit consent of the borrower shall be taken before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement.
vii. The Company shall ensure that clear policy guidelines regarding the storage of customer data, including the type of data that can be stored, the length of time for which data can be stored, restrictions on the use of data, data destruction protocol, standards for handling security breaches, etc., are put in place and are also disclosed prominently, at all times, on the websites and apps of the Company’s DLAs and of the DLAs of the LSPs engaged by the Company.
viii. The Company shall ensure that no biometric data is stored/collected in the systems associated with the DLA of the Company / its LSPs, unless allowed under extant statutory guidelines.
ix. The Company shall ensure that it and the LSPs engaged by it comply with the various technology standards/requirements on cybersecurity stipulated by the RBI and other agencies, or as may be specified from time to time, for undertaking digital lending.
x. All data (including personal data and information of the Customers) shall be stored in India.

BACK-UP OF DATA WITH PERIODIC TESTING

  1. To prevent loss of information through destruction of the media on which it is stored, a periodic backup procedure is carried out. Backing up the information located on shared-access servers is the responsibility of the network administrators.

  2. Restoration testing is carried out from time to time, since both hard disks and magnetic tapes are prone to errors. As a general rule, a daily full backup is taken of all critical business applications, and a complete weekly full backup is carried out that also covers file servers and old data kept on servers.

TESTING AND REVIEW

  1. The Company shall test its business continuity plan (“BCP”) either annually or when significant IT or business changes take place, to determine whether the Company could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. Tests should be based on ‘worst case scenarios’.

  2. The Board is further responsible for amending this Policy in a timely manner pursuant to its operations and/or any change in the regulations or new regulations issued by the RBI in relation to this Policy.

IMPLEMENTATION

This Policy shall be effective from the date of adoption by the Board.

AMENDMENT

This Policy shall be amended and/or restated and updated from time to time, and such amendments, restatements and updates shall be effective from the date of adoption by the Board.
