
INFORMATION TECHNOLOGY / INFORMATION SECURITY POLICY OF B P SECURITIES (INDIA) PRIVATE LIMITED (“BPS”)

SUMMARY OF THE POLICY

Document Name: Information Security Policy
Issue and Effective Date: 25/04/2024
Date of Next Review: 26/04/2026
Periodicity of Review: Annual
Owner / Contact: IT Department
Approver: Board of Directors
Annexures:

TABLE OF CONTENTS

SR. NO.  PARTICULARS
1.  Introduction
2.  Security Standards
3.  Security Aspects
4.  Information Security and Cyber Security
5.  Business Continuity Planning (BCP)
6.  Arrangement for Backup of Data
7.  Provisions Pertaining to Information and Cyber Security
8.  Regulatory Returns to RBI (XBRL Portal)
9.  Confidentiality / Non-Disclosure Agreements
10. User Access Management
11. Logging and Monitoring
12. Clock Synchronisation
13. IT Security Reviews / Periodic IT Security Audits
14. Regular Reviews of Risk Assessment
15. Review

INTRODUCTION

This Policy shall be termed the IT Framework and Security Policy of B P SECURITIES (INDIA) PRIVATE LIMITED (“the Company” or “BPS”). The terms used in this policy shall have the meanings assigned to them by the Reserve Bank of India in its Master Direction on NBFC-Scale Based Regulation, 2023 (DoR.FIN.REC.No. 45/03.10.119/2023-24 dated October 19, 2023).

These Guidelines aim to enhance safety, security and efficiency in processes, leading to benefits for NBFCs and their customers. Pursuant to these Guidelines, NBFCs are required to conduct a formal gap analysis between their present status and the stipulations set out in the Guidelines, and to put in place a time-bound action plan to address the gap.

IT governance is an integral part of the corporate governance of BPS and effective IT governance is the responsibility of the Board of Directors of BPS (“Board”) and its Executive Management.

BPS has designated a senior-level executive as the Chief Technical Officer (CTO), who heads the entire IT department and is responsible for the effective implementation of the IT Policy, covering IT strategy, value delivery, risk management and IT resource management. To ensure technical competence, periodic assessments shall be carried out to confirm that sufficient, competent and capable human resources are available. The Board of Directors exercises oversight over the CTO.

The CTO will also ensure implementation of this IT Framework which, inter alia, includes:

  • Security aspects;
  • User Role;
  • Information Security and Cyber Security;
  • Business Continuity Planning Policy;
  • Back-up Data.

For effective implementation of this IT Framework, the CTO shall ensure technical competence at senior/middle level management of BPS. The CTO is also responsible for periodic assessment of the IT training requirements to ensure the availability of sufficient, competent, and capable human resources in “BPS.”

SECURITY STANDARDS

Adopting new technology exposes the business to the risk of unauthorized access to data, and unavailability of technology support may lead to a breakdown in business. Users and customers must therefore have confidence that the information system will operate without unanticipated failures or problems. This ensures that technology is optimally utilized and that IT supports future growth.

The company implements basic security standards - such as physical/logical access controls and a well-defined password policy.

The basic tenets of the board-approved IT Policy are as follows:

  • Confidentiality – Ensuring access to sensitive data to authorized users only;
  • Integrity – Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization;
  • Availability – Ensuring that data is available to users without interruption, as and when required;
  • Authenticity – Ensuring that data, transactions, communications and documents (electronic or physical) are genuine.

SECURITY ASPECTS

Password Policy

All users are responsible for keeping their passwords secure and confidential. The password credentials of the users must comply with the password parameters (“Complexity Requirements”) and standards laid down in this IT Framework. Passwords must not be shared with or made available to anyone in any manner that is not consistent with this IT Framework.

The Complexity Requirements for setting passwords are as follows:

  • A strong password must be at least 8 (Eight) characters long.
  • It should not contain any of the user’s personal information—specifically his/her real name, user name, or even company name.
  • It must be unique from the passwords used previously by the users.
  • It should contain characters from all four primary categories, i.e. uppercase letters, lowercase letters, numbers and special characters.
  • To ensure that a compromised password is not misused on a long-term basis, users are encouraged to change the password every 90 (Ninety) days.
  • Passwords must not be stored in readable form in computers without access control systems or in other locations where unauthorized persons might discover them.
  • Passwords must not be written down and left in a place where unauthorized persons might discover them. Immediately upon assignment of the initial password and in case of password “reset” situations, the password must be immediately changed by the user to ensure confidentiality of all information.
  • Under no circumstances shall a user use another user’s account or password without proper authorization.
  • Under no circumstances should a user share his/her password(s) with another user, unless the user has obtained the necessary approval from the concerned branch manager/IT head. Where a password is shared in accordance with the above, the user is responsible for changing it immediately upon completion of the task for which it was shared.
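The Complexity Requirements above can be enforced at the point where a user sets a password. The following validator is an added example and is not part of the BPS policy or its systems; the names `check_password`, `PasswordHistory`, `password_expired` and the sample users are assumptions. Previous passwords are compared through salted hashes, so the history itself never stores a password in readable form.

```python
"""Validator for the password Complexity Requirements listed above.

Added example, not part of the BPS policy document. Function and class
names, the company-name spellings and the sample users are assumptions.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

COMPANY_NAMES = ("bps", "b p securities")  # assumed spellings of the company name
MIN_LENGTH = 8                              # policy: at least 8 characters
MAX_AGE_DAYS = 90                           # policy: change every 90 days
_SPECIALS = set(string.punctuation)         # the "special characters" category


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # History holds salted hashes only; a readable password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class PasswordHistory:
    """Salted hashes of a user's previous passwords and the date of the last change."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[date] = None

    def contains(self, password: str) -> bool:
        # Constant-time comparison against every stored (salt, digest) pair.
        return any(hmac.compare_digest(_pbkdf2(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str, changed_on: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _pbkdf2(password, salt)))
        self.last_changed = changed_on


def _contains_personal_info(password: str, real_name: str, user_name: str) -> bool:
    lowered = password.lower()
    tokens = [real_name.lower(), user_name.lower(), *COMPANY_NAMES]
    # Also reject individual parts of the real name (e.g. a first name) of 3+ letters.
    tokens += [part for part in real_name.lower().split() if len(part) >= 3]
    return any(tok and tok in lowered for tok in tokens)


def check_password(password: str, real_name: str, user_name: str,
                   history: PasswordHistory) -> List[str]:
    """Return the Complexity Requirements the candidate violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _contains_personal_info(password, real_name, user_name):
        problems.append("contains the user's real name, user name or company name")
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in _SPECIALS for c in password),
    )
    if not all(categories):
        problems.append("must contain uppercase, lowercase, digit and special characters")
    if history.contains(password):
        problems.append("matches a previously used password")
    return problems


def password_expired(history: PasswordHistory, today: date) -> bool:
    """True when the 90-day change interval has elapsed or no change is on record."""
    if history.last_changed is None:
        return True
    return today - history.last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: user "Ravi Kumar" (login "rkumar") last changed password on 1 Jan 2024.
    hist = PasswordHistory()
    hist.add("OldPassw0rd!", date(2024, 1, 1))
    for candidate in ("Tr0ub4dor&3x", "Ab1!", "OldPassw0rd!", "Ravi#2024xy", "alllowercase1!"):
        print(candidate, "->", check_password(candidate, "Ravi Kumar", "rkumar", hist) or "OK")
    print("expired on 2024-04-01:", password_expired(hist, date(2024, 4, 1)))
```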

Access Controls

Access to BPS’s electronic information and information systems, and to the facilities where they are housed, is a privilege that may be monitored and revoked without notification. All access is further governed by law and by BPS’s policies, including but not limited to the requirements laid down in this policy.

Persons or entities with access to BPS’s electronic information and information systems are accountable for all activities associated with their user credentials. They are responsible for protecting the confidentiality, integrity and availability of information collected, processed, transmitted or stored by BPS, irrespective of the medium on which the information resides.

Access must be granted based on least privilege - only to resources required by the current role and responsibilities of the person.

Requirements:

  • All users must use a unique ID to access BPS’s systems and applications.
  • Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
  • Remote access to BPS’s systems and applications must use two-factor authentication where possible.
  • System and application sessions must automatically lock after 10 (Ten) minutes of inactivity.

Our Information Security Policy shall ensure the following:

  • Confidentiality, integrity, and availability of information across the company.
  • Protection of all data from unauthorised physical and logical access.
  • Protection of information from fraud, corruption or loss during input, processing, transmission, and storage.
  • Protection of critical information to ensure continuation of its day-to-day operations with minimal breakdowns.
  • Educating its users to ensure that they comply with relevant legislation relating to the maintenance, protection, retention and withholding of information.
  • Appropriate management of Information Security related incidents.

INFORMATION SECURITY AND CYBER SECURITY

Information Security

BPS has an information security framework based on the following principles:

  • Identification and classification of information assets: BPS maintains a detailed inventory of information assets with distinct and clear identification of each asset.
  • Functions: The information security function is adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there is a clear segregation of responsibilities relating to system administration, database administration and transaction processing.
  • Role based access control – Access to information is based on well-defined user roles (system administrator, user manager, application owner). BPS has a clear delegation of authority to upgrade/change user profiles and permissions and key business parameters.
  • Personnel Security - A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose a potential threat to systems and data. BPS has a process of appropriate checks and balances to avoid any such threat to its systems and data. Personnel with privileged access like system administrator, cyber security personnel, etc. are subject to rigorous background checks and screening.
  • Physical Security - The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. BPS has created a secured environment for physical security of information assets such as secure location of critical data, restricted access to sensitive areas like data centers etc. and has further obtained adequate insurance to safeguard such data.
  • Maker-checker – Maker checker is one of the important principles of authorization in the information systems of financial entities. It means that for each transaction, there are at least two individuals necessary for its completion as this will reduce the risk of error and will ensure the reliability of the information. BPS ensures that it complies with this requirement to carry out all its business operations.
  • Audit Trails - BPS ensures that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity is recorded in the audit trail.
  • Mobile Financial Services – BPS has a mechanism for safeguarding information assets that are used by mobile applications to provide services to customers. The technology used by BPS for mobile services ensures confidentiality, integrity and authenticity and provides for end-to-end encryption.
  • Social Media Risks – BPS uses social media to market its products and is equipped to handle social media risks and threats so as to avoid account takeover or malware distribution. BPS further ensures proper controls, such as encryption and secure connections, to mitigate such risks.
  • Digital Signatures – A digital signature certificate authenticates an entity's identity electronically. BPS uses digital signatures to protect the authenticity and integrity of important electronic documents and high-value fund transfers.
  • Regulatory Returns – BPS has adequate systems and formats to file regulatory returns to the RBI on a periodic basis. Filing of regulatory returns is managed and verified by the authorized representatives of BPS.

Cyber Security

  • BPS takes effective measures to prevent cyber-attacks and to promptly detect any cyber intrusions so as to respond, recover and contain the fallout. Among other things, BPS takes necessary preventive and corrective measures in addressing various types of cyber threats, including denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds and password related frauds. BPS realizes that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This requires a high level of awareness among staff at all levels.
  • BPS ensures that the top management and the Board have a fair degree of awareness of the finer nuances of the threats. Further, it proactively promotes, among its customers, vendors, service providers and other relevant stakeholders, an understanding of its cyber resilience objectives, and ensures appropriate action to support their synchronized implementation and testing.

Confidentiality

  • BPS, along with preservation and protection of security (as set out in detail above), also ensures confidentiality of customer information in the custody or possession of the service provider.
  • Access to customer information by employees of BPS’s service provider is on a 'need to know' basis, i.e. limited to those areas where the information is required to perform the outsourced function.
  • BPS further ensures that the service provider isolates and clearly identifies BPS’s customer information, documents, records, and assets to protect the confidentiality of the information. BPS has strong safeguards in place so that there is no commingling of information / documents, records, and assets.
  • BPS ensures that it immediately notifies RBI in the event of any breach of security and leakage of confidential customer related information.

BUSINESS CONTINUITY PLANNING (BCP)

  • BCP forms a significant part of any organization’s overall Business Continuity Management plan, which includes policies, standards, and procedures to ensure continuity, resumption, and recovery of critical business processes. BCP at BPS is also designed to minimize the operational, financial, legal, reputational, and other material consequences arising from a disaster. BPS has a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports.
  • BPS requires its service providers to develop and establish a robust framework for documenting, maintaining, and testing business continuity and recovery procedures. BPS ensures that the service provider periodically tests the Business Continuity and Recovery Plan and occasionally conducts joint testing and recovery exercises with its service provider.
  • To mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, BPS retains an appropriate level of control over their outsourcing and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of BPS and its services to the customers.
  • BPS ensures that service providers can isolate BPS’s information, documents and records and other assets. In appropriate situations, BPS can remove all its assets, documents, records of transactions and information given to the service provider, from the possession of the service provider to continue its business operations, or delete, destroy, or render the same unusable.
  • The CTO is responsible for formulation, review, and monitoring of BCP to ensure continued effectiveness including identifying critical business verticals, locations, and shared resources to prepare a detailed business impact analysis.
  • After the vulnerabilities and inter-relationships between various systems, departments and business processes are identified, a recovery strategy shall be available with the CTO to minimize losses in case of a disaster. BPS also has the option of alternate service providers and would be able to bring the outsourced activity back in-house in case of an emergency.
  • BPS also has in place necessary backup sites for their critical business systems and Data centers.
  • These plans will also be tested by BPS on a regular basis. The results along with the gap analysis will be placed by the CTO before the Board.

ARRANGEMENT FOR BACKUP OF DATA

By performing regular backups, data will be adequately protected. The designated IT team shall be responsible for carrying out backups of all critical data and of all data for which BPS is responsible.

All backup data shall be stored in an encrypted format. Backup copies will be maintained in an environmentally protected and access-controlled secure location.

Each stored backup copy shall include a brief description containing the following details:

  • Backup date
  • Resource name
  • Type of backup method

Stored backup copies shall be made available only upon authorized request. Any request for access to stored data must be approved by an authorized person nominated by a Director or Manager of the relevant department.

Requests for Access to Stored Backup Data

All requests for access to stored backup data must comply with the following mandatory requirements:

  1. Completion of a formal request form detailing:
    • The specific backup copy being requested
    • The preferred delivery location and time
    • The purpose and justification for the request
  2. Written acknowledgment confirming that the backup copy will be returned or securely destroyed immediately after its intended use.
  3. Submission of a return receipt as evidence that the backup copy has been returned to authorized storage.

A comprehensive record of all physical and logical movements of backup copies shall be maintained at all times. This includes:

  1. The creation of the initial backup copy and its secure transit to the designated storage location.
  2. Any subsequent movement of backup copies from the primary storage location to another authorized location.

Record of Physical and Logical Movement of Backup Media

A detailed record shall be maintained for every instance of physical or logical movement of backup media. The record must include the following information:

  1. Identification details of all requested backup copies.
  2. Purpose of the request for accessing the backup media.
  3. Name and designation of the person requesting the copy.
  4. Authorization details approving the request.
  5. Location where the backup copy will be held while out of storage.
  6. Date and time when the backup copy was released from storage.
  7. Expected and actual date when the backup copy is returned to storage.

Protection of Backup Media During Transit and Storage

All backup media, whether in transit or in storage, shall be adequately protected against unauthorized access, misuse, loss, or corruption. Sufficient safeguards shall be implemented to prevent physical damage to backup media during handling, transportation, and storage.

Security controls shall ensure that backup media is handled only by authorized personnel. All personnel responsible for data backup processing must possess:

  1. Valid identification confirming their role and responsibility.
  2. Explicit authorization to perform backup-related activities.

Backup Verification, Monitoring, and Recovery Assurance

Backups for all relevant departments shall be verified periodically to confirm their integrity and ability to successfully recover data. Verification results shall be documented and reported to ensure reliability of the backup process.

On a daily basis, information generated from each backup job shall be reviewed for the following purposes:

  1. To identify, analyze, and correct errors in backup jobs.
  2. To monitor backup job duration and detect abnormal delays.
  3. To optimize backup performance wherever feasible.

The IT team shall proactively identify backup-related issues and take timely corrective actions to minimize risks associated with failed or incomplete backups.

PROVISIONS PERTAINING TO INFORMATION AND CYBER SECURITY

Information Security Governance and Risk Management

The risk assessment findings shall be formally presented to the Chief Risk Officer (CRO), Chief Technology Officer (CTO), and the Board of Directors. These findings shall also serve as key inputs for Information Security Auditors.

All technologies used for mobile-based facilities shall ensure confidentiality, integrity, and authenticity of information and provide end-to-end encryption for data transmission.

For the use of social media platforms in product marketing, the marketing team shall be adequately trained to identify and manage social media–related risks and threats. Appropriate security controls, encryption mechanisms, and secure connections shall be implemented to mitigate risks such as account takeovers and malware distribution.

The management shall define, implement, and continuously monitor information security controls for all information assets on a real-time basis.

An Information Security Committee shall be constituted comprising senior executives along with top management. The committee shall be responsible for overseeing and guiding all information security–related activities within the organization.

Information Classification of Applicant Data

All information received from applicants shall be classified based on sensitivity, criticality, and intended usage. The classification shall determine applicable access controls, handling procedures, storage requirements, and disclosure restrictions.

  • Secret: Data related to identity, authentication, authorization, and access credentials shall be classified as secret and protected with the highest level of security controls.
  • Confidential: System programs, application code, configurations, and any changes thereto shall be classified as confidential and restricted to authorized personnel only.
  • Internal: Information used for internal operations, including data related to dispute resolution, internal reviews, and process documentation, shall be treated as internal.
  • Public: Non-sensitive information approved for external disclosure and public consumption shall be classified as public.

Regulatory Returns to RBI (CIMS Portal)

B P Securities (India) Private Limited (BPS) shall ensure that adequate and robust IT infrastructure arrangements are in place to enable timely, accurate, and secure filing of regulatory returns to the Reserve Bank of India (RBI) through the CIMS Portal.

The infrastructure shall support the submission of all applicable DNBS regulatory returns, ensuring data integrity, system availability, access control, and compliance with RBI-prescribed timelines and formats.

Confidentiality / Non-Disclosure Agreements and Human Resources Security

This policy has been prepared and implemented to ensure that all employees, users, and third parties are fully aware of their responsibilities toward the IT resources and information assets of BPS. It defines acceptable usage requirements and reinforces the obligation to maintain confidentiality, integrity, and availability of organizational information.

Human Resources Security Policy – Prior to Employment

To reduce information security risks arising from human resources, personnel screening shall be conducted prior to employment, in accordance with applicable laws and regulatory requirements.

  • Verification of proof of identity (e.g., passport, government-issued ID).
  • Verification of academic qualifications (e.g., degrees, certificates).
  • Verification of employment history and work experience (e.g., résumé/CV and professional references).
  • Criminal background check, where legally permissible.
  • Credit check, where relevant to the role and permitted by law.

All employees shall be required to sign appropriate Confidentiality and Non-Disclosure Agreements (NDAs) as a condition of employment, binding them to protect BPS information assets during and after their engagement with the organization.

In the case of third parties, contractors, or temporary staff, a similar screening process shall be followed. Where such personnel are provided through an external agency, the contract with the agency shall clearly define the agency’s responsibility for conducting background verification and for notifying BPS of any incomplete, adverse, or doubtful screening results.

Authorization Controls and Terms & Conditions of Employment

Authorization granted to access sensitive systems, applications, or information assets for new or inexperienced staff shall be subject to supervision. Management shall periodically review and evaluate such access to ensure it remains appropriate, secure, and aligned with business requirements.

Terms and Conditions of Employment

The terms and conditions of employment shall clearly define information security obligations and shall include, at a minimum, the following:

  • Defined information security roles and responsibilities applicable to the employee.
  • Disciplinary actions to be taken in the event of non-compliance or disregard of information security requirements.
  • Clarification of legal responsibilities and rights, including obligations under applicable copyright, data protection, and intellectual property laws.
  • An indemnification clause covering any loss, claim, or damage caused to a third party due to the employee’s actions or negligence.
  • Responsibility for classification, handling, protection, and management of organizational data.
  • Confirmation that information security responsibilities apply beyond organizational premises and outside normal working hours, including scenarios such as remote or home working.

Information security roles and responsibilities shall be formally documented within job descriptions and role definitions, including:

  • General responsibilities for implementation and maintenance of the Information Security Policy.
  • Specific responsibilities for the protection of information assets.
  • Specific responsibilities for security processes, controls, or activities relevant to the role.

All employees shall be required to sign Confidentiality / Non-Disclosure Agreements (NDAs) at the time of joining. These obligations shall remain enforceable during and after the termination of employment.

Human Resources Security – During Employment

Management Responsibilities

During the period of employment, management shall ensure that information security responsibilities are effectively communicated, understood, and enforced to protect BPS information assets.

  • Ensure that all employees, contractors, and third-party users are properly briefed on their information security roles and responsibilities before being granted access to sensitive information or information systems.
  • Provide clear guidelines defining the security expectations associated with each role within the organization.
  • Ensure that all employees, contractors, and third-party users comply with the terms and conditions of their employment, contract, or service agreement.
  • Ensure that all personnel with information security responsibilities continue to possess appropriate skills, qualifications, and competence through ongoing evaluation, training, or certification where required.

Information Security Awareness, Education, and Training

BPS shall establish and maintain a structured information security awareness, education, and training program to ensure that all users understand security risks, responsibilities, and acceptable use of IT resources.

  • Training programs shall be conducted periodically to make users aware of emerging and evolving security threats. A training calendar shall be maintained and reviewed regularly.
  • The IT Team shall issue security alerts, advisories, and notifications to employees via email or other approved communication channels, as and when required.
  • Copies of information security policies, training material, and security awareness manuals shall be made readily available to all employees.
  • Users shall be adequately trained in the correct and secure use of IT facilities, including logon procedures, system access, and approved software applications.

User training and awareness programs shall, at a minimum, cover the following areas:

  • Reporting of information security incidents
  • Virus and malware protection controls
  • Physical access security
  • Internet usage and acceptable use guidelines
  • Email usage and phishing awareness
  • Password creation, usage, and protection
  • File sharing and data transfer controls
  • Remote access and secure working practices

Disciplinary Process for Information Security Breaches

BPS shall establish and maintain a formal disciplinary process to address violations of information security policies, standards, and procedures. Disciplinary actions shall be initiated only after verification that a security breach has occurred.

  • A formal and documented disciplinary process shall be applied to employees who are found to have committed an information security breach, subject to prior investigation and validation.
  • The disciplinary process shall ensure fair, consistent, and unbiased treatment of employees who are suspected of committing security violations.
  • Investigations shall be conducted in a confidential manner, respecting the employee’s legal rights and due process.
  • The response and disciplinary action shall take into account factors such as:
    • The nature and severity of the security breach
    • The impact on confidentiality, integrity, and availability of information
    • Whether the breach was intentional, negligent, or accidental
    • Any previous history of security violations
  • Disciplinary measures may range from formal warnings and retraining to termination of employment or legal action, depending on the seriousness of the breach and applicable laws.

All disciplinary actions related to information security incidents shall be documented and retained as part of organizational records for audit, compliance, and legal purposes.

on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required.

In serious cases of misconduct, the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.

Termination or Change of Employment

BPS shall manage terminations, resignations, and internal job changes to ensure that information security responsibilities and legal obligations are properly addressed.

  • The communication of termination or role-change responsibilities shall include:
    • Ongoing security requirements applicable during and after employment
    • Legal obligations under employment contracts, confidentiality agreements, or NDAs
    • Responsibilities that continue for a defined period post-termination, where applicable
  • The Human Resources (HR) function is primarily responsible for the overall termination or change-of-employment process, and shall coordinate with the supervising manager to ensure that all security aspects are effectively managed.
  • Security measures during termination or role change shall include:
    • Revocation of system access, credentials, and privileges
    • Return of organizational assets, devices, and information
    • Confirmation that all ongoing information security responsibilities are acknowledged and understood

All termination or role-change actions shall be documented and retained to ensure compliance with organizational, legal, and regulatory requirements.

Return of Assets and Removal of Access Rights

Upon notification from the HR Department regarding terminations, resignations, or internal job changes, the IT Team shall ensure the secure return of all organizational assets and the revocation of access rights.

  • Return of Assets:
    • All hardware and software assigned to the employee, contractor, or third-party user
    • All organizational documents, including policy and procedure manuals, technical documentation, and other sensitive information
    • All keys, passes, access cards, and other access devices
  • The IT Team shall confirm in writing to HR (via email or other approved communication) that all assets and access devices have been returned.
  • Removal of Access Rights:
    • Disable or delete all system access identifiers associated with the departing employee
    • Remove access privileges from applications, databases, and information systems
    • Ensure that no residual or unauthorized access remains after termination or role change

These measures shall be documented and retained for audit, compliance, and legal purposes, ensuring that organizational information assets are protected at all times.

Contract-End Asset Management and User Access Controls

To ensure the secure handling of organizational assets and information at the end of a contract, BPS shall implement measures that cover asset return, user access, and security controls.

  • Authorization and Access Management:
    • Authorization process for user access shall be formally documented and approved
    • The right to monitor and revoke user access shall be reserved to IT and management
    • A maintained list of individuals authorized to use services or systems shall be kept current
    • Permitted access methods, including the control and use of user identifiers and passwords, shall be defined
  • Asset Return and Protection:
    • All physical and digital assets, documentation, and access devices must be returned
    • Physical protection measures shall be applied as required
    • Protection against the spread of computer viruses shall be enforced
  • User Training and Security Practices:
    • Users shall receive training on methods, procedures, and security requirements
    • Arrangements and responsibilities for reporting and investigating security incidents shall be clearly defined
    • Mechanisms shall be implemented to ensure that security measures are consistently followed

All actions, including asset return, access revocation, and monitoring, shall be documented and retained for audit, compliance, and legal purposes.

Third-Party Employee Confidentiality and Security Responsibilities

All third-party employees engaged with BPS shall adhere to confidentiality and information security obligations, ensuring protection of organizational assets and data.

  • Each third-party employee shall sign the Confidentiality and Non-Disclosure Agreement (NDA), which shall be securely maintained in a file by the Information Security Manager (ISM).
  • Third-party employees are responsible for immediately informing the manager responsible for the contract of any security breaches, including unauthorized access to or compromise of BPS data or IT resources.
  • Any BPS employee who becomes aware of security violations by vendors or third-party personnel must report the incident to both the concerned information owner and the security administrator.

All reports and related actions shall be documented and retained for audit, compliance, and legal purposes.

User Access Management: Registration & De-registration

Users shall follow the formal registration and de-registration processes adopted by BPS to ensure secure access to information processing facilities.

  • Access to all information services and facilities shall be controlled through a formal registration process using unique user IDs. Group IDs may only be used where approved and appropriate for the work.
  • The Information Security Manager (ISM) or IT Manager shall review access requests to confirm alignment with business purpose and security policy, ensuring segregation of duties is not compromised.
  • Users shall receive a written statement of their access rights and formally acknowledge their understanding and acceptance of these conditions.
  • Access for new users or users with modified rights shall be denied until all authorization procedures are completed by the Information Owner / Custodian.
  • A formal record of all registered users shall be maintained by the Information Owner / Custodian.
  • Procedures shall exist to immediately notify the Information Owner / Custodian of users leaving BPS or changing responsibilities, ensuring timely removal or modification of accounts.
  • Periodic checks (at least monthly) shall be performed to remove redundant user IDs and accounts that are no longer required, with safeguards to prevent re-issuance of redundant IDs.
  • Low or inactive usage shall be monitored regularly, and accounts showing minimal or no activity shall be deactivated according to established procedures.

User Access Management: Access Control & Authorization

  • Access to all information services and facilities shall be controlled through a formal registration process using unique user IDs. Use of group IDs is permitted only where approved and appropriate for the assigned work.
  • The Information Security Manager (ISM) or IT Manager shall review access requests to ensure they are appropriate for the business purpose and consistent with security policies, e.g., not compromising segregation of duties.
  • Users shall receive a written statement of their access rights and formally acknowledge their understanding and acceptance of the access conditions.
  • Access for new users or users with modified rights shall be denied until authorization procedures are fully completed by the Information Owner / Custodian.
  • A formal record of all registered users shall be maintained by the Information Owner / Custodian.
  • Procedures shall ensure immediate notification of the Information Owner / Custodian for users leaving BPS or changing responsibilities, and their accounts shall be promptly removed or updated.
  • Periodic checks (at least monthly) shall be performed to remove redundant user IDs and accounts no longer required, with safeguards to prevent re-issuance of these IDs.
  • Periodic reviews (at least monthly) shall also detect low or inactive user accounts, which shall then be removed according to established procedures.
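The monthly review described in the two lists above, as an added example that is not BPS's own tooling: it reads a constructed account roster (the field names, dates and user IDs are assumptions), flags HR-departed accounts for removal and dormant accounts for deactivation, and refuses to issue a user ID that is either already in use or was previously retired.

```python
from datetime import date, timedelta

# Constructed sample roster; field names and values are assumptions, not BPS data.
ACCOUNTS = [
    {"user_id": "asharma",    "last_logon": "2024-04-20", "hr_status": "active"},
    {"user_id": "rkumar",     "last_logon": "2024-01-05", "hr_status": "active"},
    {"user_id": "pmehta",     "last_logon": "2024-04-22", "hr_status": "terminated"},
    {"user_id": "svc_backup", "last_logon": None,         "hr_status": "active"},
    {"user_id": "jdoe",       "last_logon": "2024-03-30", "hr_status": "active"},
]
# IDs removed in earlier reviews; the policy requires they never be re-issued.
RETIRED_IDS = {"rverma", "nkapoor"}


def review_accounts(accounts, review_date, inactive_days=30):
    """Monthly access review.

    Returns (to_remove, to_deactivate):
      to_remove     - accounts HR has marked as departed / changed role
      to_deactivate - active accounts with no logon in `inactive_days`
    """
    cutoff = date.fromisoformat(review_date) - timedelta(days=inactive_days)
    to_remove, to_deactivate = [], []
    for acct in accounts:
        if acct["hr_status"] != "active":
            to_remove.append(acct["user_id"])       # HR notification takes precedence
            continue
        last = acct["last_logon"]
        if last is None or date.fromisoformat(last) < cutoff:
            to_deactivate.append(acct["user_id"])   # dormant: no recent activity
    return sorted(to_remove), sorted(to_deactivate)


def can_issue_id(user_id, accounts, retired_ids):
    """Safeguard against re-issuing a retired ID or duplicating a live one."""
    live_ids = {acct["user_id"] for acct in accounts}
    return user_id not in retired_ids and user_id not in live_ids


if __name__ == "__main__":
    remove, deactivate = review_accounts(ACCOUNTS, "2024-04-25")
    print("remove:", remove, "deactivate:", deactivate)
    print("may issue 'rverma'?", can_issue_id("rverma", ACCOUNTS, RETIRED_IDS))
```

The review date used in the usage block is the policy's own effective date; in practice the roster and HR status would be exported from the directory and HR system rather than typed inline.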

Logging and Monitoring: Event Logging

The Information Security Manager (ISM) shall determine the conditions for logging. Audit logs shall capture key information to ensure traceability and accountability.

  • User IDs for all system access
  • Dates and times for log-on and log-off events
  • Terminal identity or location where possible
  • Records of successful and rejected system access attempts
  • Records of successful and rejected data and other resource access attempts

Logging and Monitoring: Audit Events & Log Protection

The following audit events shall be logged on servers and desktops to ensure traceability:

  • Audit account logon events – Success and Failure
  • Audit logon events – Success and Failure
  • Audit policy changes – Success and Failure
  • All user-reported faults shall be logged by the IT Team
  • Faults displayed by systems or servers shall be logged, and respective vendors notified
  • IT Team shall record the corrective actions taken in the log
  • IT Team shall submit a monthly report to the ISM on logged faults, actions taken, and status, including third-party vendor issues
  • ISM shall review corrective measures to ensure controls are intact and actions fully authorized

Protection of Log Information

  • No one shall be allowed to edit or delete log files
  • All log files shall be backed up and made available to the monitoring authority
  • Log backups shall be maintained on a server separate from the device being logged
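The log fields required under "Event Logging" above and the tamper check implied by "Protection of Log Information", as an added example that is not BPS's own code: it parses a constructed pipe-delimited audit log (the layout, user IDs and terminal names are assumptions), reports entries missing required fields, summarises rejected access attempts per user for the ISM's review, and computes a digest that the monitoring authority can compare between the primary log and the backup held on a separate server.

```python
import hashlib
from collections import Counter

REQUIRED = ("timestamp", "user_id", "terminal", "event", "outcome")
EVENTS = {"logon", "logoff", "system_access", "data_access", "policy_change"}
OUTCOMES = {"success", "failure"}

# Constructed sample audit log; the pipe-delimited layout is an assumption.
SAMPLE_LOG = """\
2024-04-25T09:01:12|asharma|WS-14|logon|success
2024-04-25T09:01:40|rkumar|WS-07|logon|failure
2024-04-25T09:01:55|rkumar|WS-07|logon|failure
2024-04-25T09:02:10|rkumar|WS-07|logon|failure
2024-04-25T09:05:00|asharma|WS-14|data_access|success
2024-04-25T09:06:31|jdoe||logon|success
2024-04-25T17:30:02|asharma|WS-14|logoff|success
"""


def parse_log(text):
    """Parse log lines into records.

    Returns (records, problems); problems lists (line_no, reason) for entries
    that do not carry the fields the policy requires. A missing terminal is
    flagged but the record is kept, since the policy asks for it 'where possible'.
    """
    records, problems = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("|")
        if len(fields) != len(REQUIRED):
            problems.append((line_no, "wrong field count"))
            continue
        rec = dict(zip(REQUIRED, fields))
        if rec["event"] not in EVENTS or rec["outcome"] not in OUTCOMES:
            problems.append((line_no, "unknown event or outcome"))
            continue
        if not rec["terminal"]:
            problems.append((line_no, "terminal identity missing"))
        records.append(rec)
    return records, problems


def rejected_by_user(records, threshold=3):
    """Users whose rejected access attempts reach `threshold` (for ISM review)."""
    counts = Counter(r["user_id"] for r in records if r["outcome"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def log_digest(text):
    """SHA-256 of the log content; a mismatch between the primary copy and the
    backup on the separate log server indicates an edit or deletion."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()
```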

Log Retention, Administrator Logs, and Clock Synchronization

BPS shall retain user access logs for a minimum period of two years. Periodic backups shall be conducted and stored in an encrypted format.

Administrator and Operator Logs

  • Logs shall capture details of all activities performed by the IT Manager / System Administrator
  • Logs should include:
    • System start and stop times
    • System errors and corrective actions taken
    • Confirmation of correct handling of data files and computer output
    • Name of the person making the log entry
  • These logs shall be subjected to regular, independent checks against operating procedures, performed by the IT Team

Clock Synchronization

The real-time clocks on all workstations shall reflect the accurate current time at their physical location. This shall be enforced at the system level through clock synchronization protocols such as Network Time Protocol (NTP).

IT Security Reviews and Periodic Audits

The Information Security Policy (IS Policy) shall be reviewed annually, or upon any major change in the IT environment affecting policies and procedures, whichever is earlier. All updates shall be made as distinct version changes and tracked. Annual reviews shall be recorded in the Review / Version Control Table of the document.

  • IT Security audits shall be carried out at six-monthly intervals.
  • Any deviation from the IS Policy requires Board approval. The reason for deviation must be presented to the Board.
  • All deviations are valid for a fixed term, with a maximum of 12 months. Extensions require Board approval.

Regular Reviews of Risk Assessment

Risk assessments shall be reviewed at least once a year. More frequent reviews shall be conducted in cases of:

  • Significant organizational changes
  • Significant change in technology architecture
  • Change of business objectives
  • Changes in the business environment
  • Acquisition of a new major client
  • Addition of a new business line or division
  • Change in the legal or regulatory environment

Board Review and Approval

The Board of Directors has overall responsibility for this IT Framework and operational functions of BPS. The Board is responsible for timely amendments to the IT Framework pursuant to operational requirements or any changes in regulations, including new regulations issued by the RBI.