Category Archives: Articles

Simplified process of Incorporation & Commercial registrations

Introduction

The Ministry of Corporate Affairs (MCA) had notified the Companies (Incorporation) Third Amendment Rules, 2019[1] on 29 March 2019 which introduced the e-form INC-35 [Application for Goods and services tax Identification number, employees state Insurance corporation registration pLus Employees provident fund organisation registration (AGILE)]. The said AGILE form aims at bringing a single window where applicants can make applications under the Goods and Services Tax (GST), Employees Provident Fund Organization (EPFO) and Employees State Insurance Corporation (ESIC).

At present, the application for incorporation of a Company is made in e-form INC-32 (SPICe) along with e-Memorandum of Association (e-MOA) in Form No. INC-33 and e-Articles of association (e-AOA) in Form no. INC-34. Through e-form INC-32, the applicants can apply for PAN and TAN and now with the deployment of e-form INC-35, applications can be made for GST, EPFO and ESIC while incorporation of the Company.

This is a welcoming change brought about by the MCA wherein the incorporation process has been made hassle-free and the applicants can apply for various registrations while incorporating the Company. Previously, even after obtaining the certificate of incorporation Companies had to apply for registrations under the GST, EPFO and ESIC and subsequent approval. This proved to be a setback for companies and they couldn’t actually commence operation. However, with the introduction of the AGILE form the Ease of doing Business in India initiative has now been further enhanced.

How does this work?

For incorporation of the Company, applicants have to upload the requisite incorporation related linked e-forms i.e., INC-32, INC-33, INC-34 and INC-35. Thereafter, on approval of the same by the MCA, the Certificate of Incorporation, PAN and TAN is issued. Subsequently, the requisite information for GST, EPFO and ESIC (whichever service is availed) that has been filed in e-form INC-35 is forwarded to the concerned departments for its approval.

Thus, there are no repetitive submissions of incorporation related documents for obtaining registrations under GST, EPFO and ESIC.

Practical issues faced

Though this new amendment has made the incorporation process stress-free, applicants still face practical issues in this respect. Some of the issues are as follows:

  1. Companies have to provide a registered office address compulsorily for the AGILE form: While incorporating a company, applicants have an option to provide a correspondence address instead of a registered office address. However, they do have to obtain a registered office address within 30 days from the date of incorporation of the Company. This helps applicants a sufficient time to set up a registered office in case they do not have one at the time of incorporation. However, for the purpose of filing the AGILE form it is mandatory to have a registered office address as the form will only accept the address provided in the SPICe i.e., INC-32, or the correspondence address has to be the same as the address of the registered office.
  2. Principal place of business should be the same as the Registered Office of the proposed Company: Applicants willing to apply for GSTIN/Establishment code as issued by EPFO/Employer Code as issued by ESIC at the time of incorporating company, have to make sure that the principal place of business is the same as the Registered Office Address of the proposed Company. Thus, Companies intending to have the principal place of business different from the Registered Office address cannot avail this facility. They have to follow the existing registration procedure under the GST, EPFO and ESIC.
  3. Mandatory filing of AGILE form: Applying for GSTIN/ Establishment code as issued by EPFO/Employer Code as issued by ESIC at the time of incorporating company is optional. However, applicants have to still file the e-form as it is a linked e-form which accompanies the SPICe form for incorporation. This can prove to be an unnecessary compliance requirement for applicants who do not want to apply for GST, EPFO and ESIC registrations at the time of incorporation. 
  4. Resubmission of GST Application through the GST portal: In case of any error in the GST Application and the same has been sent for resubmission, applicants have to resubmit the application through the GST portal only. Further, if the TRN expires, a fresh application for GST shall have to be made through the GST portal too.

Conclusion

The introduction of this form surely proves to be beneficial for stakeholders however it still does not cover all the general registration requirements for a newly incorporated company such as Professional Tax, Trade License, Shop and Establishments, etc. Additionally, the MCA also has to look into the practical issue that are being faced and incorporate the changes to provide a seamless service.

Authors: Alivia Das and Ashwin Bhat

Reference:

[1] http://www.mca.gov.in/Ministry/pdf/companiesINC3rdAmendmentRules_30032019.pdf

Advertisements

ANALYSIS OF THE TIK-TOK ORDER

The Madras High Court delved into an important issue related to protecting children’s privacy in the context of web-based applications such as Tik-Tok, published by Bytedance (India) Technology Private Limited (“Company”). The petitioner contended that the app was “degrading culture”, encouraging pornography and exposing children to paedophiles.

As per Section 79 of the Information Technology Act, 2000 (“IT Act”) an intermediary would not be held liable for any third party information, data, or communication link made available or hosted by him provided that the intermediary’s functionality is limited to providing access to a communication system over which information made available by third parties is transmitted, temporarily stored or hosted or if the intermediary does not– (i) initiate the transmission, (ii) select the receiver of the transmission, and (iii) select or modify the information contained in the transmission. The exemption would not be applicable if the intermediary is involved in the unlawful act or if the intermediary fails to take down any unlawful content upon receiving actual knowledge of such content.

Further, for the exemption to be applicable the Intermediary should abide by the due diligence standards prescribed in the Information Technology (Intermediaries Guidelines) Rules, 2011 (“IT Rules”). The Rules provide that an intermediary should, among other things:

  1. publish the rules for access or usage of the intermediary’s computer resource and inform its users that in case of non-compliance with rules, the Intermediary has the right to immediately terminate the access to the intermediaries resources.
  2. Include in the aforementioned rules, that the users should not host/upload any content that is grossly harmful, obscene, pornographic, paedophilic, libellous etc.
  3. publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users can notify their complaints

Tik-Tok can be deemed an “intermediary” under the IT Act. The petitioner had incorrectly compared the Tik-Tok to the infamous “Blue-Whale” application, which unlike Tik-Tok is not an intermediary. Through an interim order the Hon’ble High Court had directed the Government to prohibit any further downloads of the app and asked the Central Government whether it would enact any statute specifically protecting the privacy of children online, akin to US’s Children’s Online Privacy Protection Act (“COPPA”).

The COPPA was enacted with the intention of protecting the children and making the website operators more diligent towards the protection of personal data. The resultant obligations ensure that the websites obtain consent from the parents prior to collecting or processing any child’s information. COPPA requires site operators to allow parents to review any information collected from the children. This entails that the website would have to provide full access to all user records, profiles and log-in information upon being requested by the parent.

Mr. Arvind P. Datar, learned Senior Counsel, the amicus curiae submitted that the Indian laws were comprehensive enough to deal with the issues mentioned by the petitioner and that no special legislation needed to be enacted. It may also be noted that the draft Personal Data Protection Act (“Bill”) also deals with certain aspects of children’s privacy such as barring website operators from profiling of children or making any targeted advertising directed children.

The Company contended that it followed all the requirements under the IT Act and the IT Rules and in fact went above and beyond the requirements by 1) engaging a content moderation team to screen harmful content, 2) allowing users to block mischievous users, 3) providing a “report” feature which lead to average takedown time of just 15 minutes (even though the law expected intermediaries to initiate suitable actions within 36 hours of being informed of any unlawful content) 4) providing parental control/supervision related features  5) deploying an AI-powered takedown mechanism that detects illegal content, including content that is violative of Section 354C of the Indian Penal Code, 1860 and Section 66E of the IT Act etc.

The contentions of the Company with regards to diligence practices in accordance with industrial standards were taken on record by the Madras High Court as an undertaking and in furtherance of same, the interim ban imposed by its previous order dated April 3rd,  2019 was lifted.

Author: Spandan Saxena and Asis Panda

Reference:  S. Muthukumar v. M/S Bytedance (India) Technology Private Limited- http://164.100.79.154/madurai-do/index.php/casestatus/viewpdf/wp(md)_7855_2019_xxx_0_0_25042019_107_135.pdf

Valuation for issuance of shares: Which method to choose?

Determining the fair market value (FMV) of unquoted shares may prove to be challenging for companies owing to choose the valuation method. There have been multiple rulings by the Income Tax Appellate Tribunal (the “ITAT”) wherein the methodology adopted by the company for the valuation has been rejected on the grounds of being non-substantial. However, few rulings have also been in favour of Companies where the ITAT has squashed the argument of the Assessing Officer (the “AO”) stating that the tax authorities can scrutinise the valuation report to the extent of finding any arithmetical mistakes and not compel a taxpayer to choose the method of valuation.

Despite Valuation practice being prevalent since the last six decades in India, there is no specific guidance on the same and the debate continues pertaining to the method to be followed.

Valuation Methods as per Rule 11UA of Income Tax Rules, 1962

As per Rule 11UA of Income Tax Rules, 1962, Companies have an option to adopt either the Net Asset Value (the “NAV”) method or the Discounted Free Cash Flow (the “DFCF”) method for valuation purpose. On 24 May 2018, the Central Board of Direct Taxes (CBDT) has amended the Income Tax Rules, 1962, by omitting the words “or an accountant” from rule 11UA(2)(b). As a consequence of such amendment, now only a merchant banker can independently determine the FMV of the unquoted equity shares by using the DFCF method and an accountant is no longer eligible to do this valuation.

Various Case Laws pertaining to the Valuation Methods opted by Companies

Case 1: In the case of M/s. TUV Rheinland NIFE Academy Pvt. Ltd., Vs. The Income Tax Officer, the Company had issued 5,00,000 shares having face value of INR 100 each, at a premium price of INR 479 per share, to its parent, TUV Rheinland (I) Pvt. Ltd. (“TUVR India”). The Fair Market Value (the “FMV”) of the shares was computed as Rs. 479 as per the DFCF Method which was based on the projections of the company’s future cash flows.

The Assessing Officer (the “AO”) rejected the valuation report on the grounds that the values were certified by the management of the taxpayer. Further, the AO computed the FMV based on the NAV and concluded that the FMV should be INR 84.20 per share. Hence, the AO passed an order wherein an addition of INR 19.74 crore was made to the taxpayer’s income. Such an addition was made under section 56(2)(viib) of the Income Tax Act, 1961.

The ITAT concluded that the AO had not rejected the choice of valuation method but the valuation entirely justifying that it was non-substantial and there is no proof given for the basis of estimates provided in the valuation. Further, the ITAT also mentioned that the actual figures did not have any relevance with the projections made. Thus, the arguments of the Company were rejected and reference was drawn from the ruling in Agro Portfolio Pvt. Ltd v. ITO wherein the AO can carry out its own independent valuation and adopt the NAV method for this purpose, after rejecting the original valuation by the Company.

Case 2: In the case of Innoviti Payment Solutions Pvt. Ltd. vs. ITO, the Company had issued 10,42,658 shares having face value of INR 10 per share at premium of INR 23.50 per share. The FMV was determined by a Chartered Accountant through the DFCF method.

The same was rejected by the AO mentioning that the accountant has taken haze cash flow as certified by the management and the projections were not verified by the valuer. Further, it also added that the company had failed to provide any basis for the projections and that the management had clearly ignored factors such as performance, growth prospects, earnings capacity, etc. The Bangalore Bench of the ITAT ruled that the projections made in the valuation report should be supported with reasonable certainty and in its absence the valuation report shall be deemed unworkable.

A similar contention was also drawn in the case of 2M Power Health Management Services Pvt. Ltd. vs. ITO.

Case 3: Contrary to the case 1 & case 2 above, the Bombay High Court in the case of Vodafone M Pesa Ltd. v PCIT, ruled that the AO do not have the authority to reject the method of valuation already adopted by the taxpayer. It justified that the AO has the power scrutinize the valuation report and point out any arithmetical error in the same, but not compel the taxpayer to choose an entirely different valuation method.

The Income Tax Rules, 1962 provides for an option to the taxpayer to choose either the DFCF or NAV method of valuation. Thus, the AO could not adopt a method of his choice, especially when Rule 11UA gives an option to the taxpayer to choose the method of valuation. Doing so, the it would render clause (b) of Rule 11UA(2) as purposeless.

The Jaipur Bench of the ITAT had drawn a similar ruling in the case of Rameshwaram Strong Glass Pvt. Ltd. vs. ITO and ACIT vs. Safe Decore Pvt. Ltd.

Concluding thoughts

Based on the various rulings, it can be concluded that the tax authorities do not have the power to order the taxpayer to adopt any particular method of valuation. The taxpayer has the right to choose the DFCF method or the NAV method for valuation as mentioned in the Income Tax Rules, 1962. However, it should be noted that the taxpayer should be able to provide reasonable information to substantiate the projections certified by the management. Since the valuation report shall be subject to scrutiny, the valuer should verify the parameters taken into consideration in preparation of the valuation report and should be in a position to justify the same.

Authors: Alivia Das and Shivani Handa

Cyber-Security: The Vulnerability of Medical Institutions to Cyber-Attacks

McAfee researchers were able to modify the vital sign data in real time providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You would have woken up to news that Medstar patient records database was subject to ransom ware cyber-attack and was asked to pay bitcoins. Unfortunately, the hospital did not have backup of medical records and in some cases, they had to turn away the patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine to machine communications.

It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices.

However, many hospitals are yet to make their data security systems extremely robust. Data privacy and data security are the two important pillars that needs urgent consideration. Just as financial data is loved by the cybercriminals, so is health data becoming a gold-mine with the cyber offenders. Specially so when the hospitals are run on legacy systems or no dedicated framework or surveillance on its own data.

Personally identifiable data is an indicator of an individual, such as  name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;[i]

A number of cyber-attacks on medical institutions are initiated to extract the electronic health records (EHRs). These EHRs may contain personal health information of the patients, their medical history, diagnosis codes, billing information, etc. which can be exploited by the cyber offenders in various manners, for instance to get ransom from the medical institutions or to create fake IDs to buy medical equipment(s) or medication which can be resold or only sold on prescription.

Take this example. On 12 May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under NHS) further 603 primary care and other National Health Service (“NHS”) organisations were infected with the ransomware virus including 595 general practitioners. The trusts which were affected with WannaCry ransomware faced issues like patient appointments being cancelled, computer being locked out, diversion of patients from accidents and emergency departments etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHS mail (the NHS email system).

In India, as reported by multiple news agencies, last year in the month of June Mahatma Gandhi Memorial (a trust run hospital) hospital, Mumbai (MGM Hospital) was affected by a similar cyber-attack where the hospital administrators found their systems locked, and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institutions hostage for ransom, by encrypting all the systems completely inaccessible and unusable for the victimised medical institutions. The vulnerability to such cyber-attacks arises due to many reasons, outdated digital infrastructure or medical personnel not being aware or not trained about cyber-attacks. Cyber offenders may gain access to medical institutions’ systems through various ways and sometimes as simple as (a) using a USB drive; (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking emails, or (e) phishing etc. It is time that our healthcare providers upgrade their technologies, networks, understanding on this subject.

Regulatory bodies across the world have suggested / adopted guidelines and standards to ensure necessary cybersecurity processes and controls which helps medical institutions to mitigate cyber risks and vulnerabilities. For the purpose of this article we will be primarily focusing on various safeguards and standards put in place by European Union and India to deal with such cyber-attacks.

Position in Europe

As a part of the EU cybersecurity strategy, the European Commission adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and the same came into force in August 2016. As the NIS Directive is an EU directive every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (i) national capabilities, (ii) cross-border collaborations and (iii) national supervision of the critical sectors including health.

  • National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g. it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).
  • Cross Border collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.
  • National Supervision of critical sectors: As per the NIS Directive every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive the NIS cooperation group through ENISA has developed guidelines regarding (i) identification criteria of cyber-attacks, (ii) incident notification, (iii) security requirements for Digital Signal Processors (DSPs), (iii)  mapping of operators of essential services (OES) security requirements for specific sectors including health and (iv) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribe certain standards of safety and quality, three recognised EU standards organisations namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and, (c) the European Telecommunications Standards Institute (ETSI) were set up. By setting common standards across EU, CEN. ETSI and CENELEC ensures protection of consumers, facilitates cross-border trade, ensures interoperability of goods/products, encourages innovation and technological development, and includes environmental protection and enables businesses to grow.[ii]

The General Data Protection Regulations (“GDPR”)[iii] specifically defines ‘data concerning health’, ‘genetic data’ and ‘bio metric data’ and regards them as ‘special category of data’, this means that parties who are processing special category of data shall comply with additional higher safeguards and process it legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

Position in India

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step for addressing issues relating to cyber security when it amended the Information Technology Act, 2000 in 2008, through which they established an Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cyber security incidents occurring in India and analysing information related to cyber-crimes, but among other things CERT is also indulged in issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incident[iv].

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cyber security incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cyber security as may be prescribed[v].

CERT-India in the last five years or so has focused on making various institutions who are highly dependent on cyber/digital networks ‘cyber resilient’. Being cyber resilient allows these institutions which is nothing but a process of effectively anticipating the various threats and the mechanism of dealing with the cyber-attacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient[vi]:

  • Anticipate: Maintain a state of informed preparedness in order to forestall compromises of mission/ business functions from adversary attacks
  • Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
  • Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyber attacks
  • Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
  • Evolve: To change missions/business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and to ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain Rules. The Rules requires each and every body corporate including medical institutions who are collecting such sensitive personal information to have security measures as documented in their security policy/programme which is considered to be a reasonable security practice keeping in mind the nature of their business and considering the fact that they are collecting sensitive personal information. One such international standard as recommended under the Rules is the IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data thereby making such holder responsible to protect privacy, confidentiality and security of data.

To bring it all together:

Majority of the cyber-attacks reported worldwide are caused due to reasons which sometimes are trivial and perhaps ignored more often, such as out-dated Windows operating system patch, lack of proper anti-virus or reasons such as phishing, lack of awareness among the people about cyber security etc.

EU, through GDPR has made data security an integral part of law and India is taking strong steps have a robust data protection and data security law. Various regulations, programmes, codes, standards etc. discussed in this article are some indicate steps that can be implemented.

Law is just one part to solve the issue. The real question is who is responsible for safety of our personal data, commercial data, data assets etc.? We secure our houses with a lock, burglar alarms, video cams because the house owner wants to protect it. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of various cyber-threats and has to take steps to safeguard its networks and systems from such threats.

References:

[i] Article 4.1 General Data Protection Regulations (GDPR).

[ii]CENELEC, Marketing Standards for Europe, available at: https://www.cencenelec.eu/aboutus/Pages/default.aspx

[iii] GDPR (2016/679) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area

[iv] Section 70B (4) of the Information Technology Act, 2000

[v] Supra footnote 1

[vi] CERT- In, Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism

 

This article was first published at Innohealth Magazine, Volume IV Issue II

Essentials of Statements of Work

In order to avoid having a multiplicity of contracts between such vendors and clients, and to save time, a Master Service Agreement (MSA) is entered between the parties with corresponding Statements of Work (SoWs) for different services or work orders to be performed by the service providers for future transactions. An MSA is entered between the parties which establishes the terms which once negotiated remain fixed between the parties, for example, representations and warranties, confidentiality obligations, ownership of intellectual property, the liability of the parties, indemnity, the scenarios under which the parties can terminate the contract, dispute resolution, etc. Therefore, the MSA forms the genesis of the legal relationship between the parties which is generally negotiated once. The Statement of Work (SOW) on the other hand is a concise document executed for a specific project. It lays down specific services to be provided as a part of the work order, the deliverables, the commercials, etc.

Key components of an SOW are as follows:

  • Specific services have to be detailed in an SOW. An SOW should clearly spell out the specific services which need to be provided under the project. It should also state the roles and responsibilities of each party and the safeguards which should be kept in place if there are any inaccuracies in deliverables or delay in the project. An SOW in addition to providing the details regarding the exact nature of the services to be provided should also provide the key assumptions, dependencies of the project, if any. Once the assumptions of a project are identified it helps to shape a project in ways such as identifying the skills required to complete a project, the availability of a member working on the project, the delivery times of the project, etc. Dependencies on the other hand in an SOW clearly spell out the factors which the respective parties are dependent on for the completion of the project. Dependencies can be a crucial part of the SOW as one can assess the dependencies to fasten the liability on a party in case the project is not completed successfully. The SOW should have in place a timeline for the project i.e. the start and the end date of the specific project. The commercials involved canned be mapped to the timeline in certain cases. If a specific project is time-based it is recommended to state the number of hours or days that one should take to complete the project.
  • An SOW should outline in detail the particular items which need to be delivered, if any, i.e. the deliverables, and provisions should be in place to safeguard the interest of the client in case the deliverables are inadequate. Acceptance criteria is one of the ways of safeguarding the interests of the client. Acceptance criteria lays down the requirements and essential conditions which must adhered to vis-a-vis the deliverable.  For instance, in an SOW for the development of a software various quality/functionality analysis tests could be included in the acceptance criteria to ensure that the software is functional and suits the needs of the client.  At times the parties may want to change the services which have been agreed to be provided through the SOW. This is can be done if the SOW provides for change orders which have been agreed by both the parties.
  • SOW should also provide the specific location where the services are required to be performed.
  • Finally, it is a good practice in the SOW to have in place the staffing requirements needed to complete the project, and to appoint a Project Manager from each party who would serve as the point of contact.

There are two key issues which arise from the interplay between an MSA and an SOW. First, what should be the position the parties should take to tackle conflicts between provisions of an MSA and an SOW and second should all the SOWs terminate if the parties terminate the main agreement i.e. the MSA.

An SOW generally uses the MSA as a backdrop and then builds upon the MSA to bring the project to life. Therefore, the SOW terms are supplemental to the MSA terms and as MSA is the one which is vetted heavily by legal professionals and negotiated at length between the parties, the parties would usually want the MSA to prevail over an SOW.

On the other hand, there can be scenarios when the parties would want the SOWs to prevail over the MSA. For example, if specific conditions for termination are laid down for a particular SOW in the SOW, and the same conflicts with the termination clauses stated in the MSA, the parties would want the SOW’s provisions to prevail over those of the MSA. However, one should note that only the particular SOW would prevail over the MSA(in relation to such conflict) and not the other SOWs which have been entered between the parties. Therefore, the decision on which of the agreements will prevail over the other has to be taken in accordance with the flexibility the parties need to exercise while entering into the SOW and it is dependent on the level of scrutiny that an SOW would go through.

The second issue pertaining to an MSA and an SOW is the effect of termination of an MSA on the SOWs. The same has to addressed keeping in mind the intention of the parties. The Parties may decide that upon termination of the MSA for any reason, all SOWs then in effect and all rights granted pursuant to the MSA and the SOWs would continue in accordance with their terms, in which case this MSA will continue in effect with respect to such pending SOWs until the completion of such SOWs, even though no new SoWs can be executed post the termination of the MSA.

Author: Anuj Maharana

Post-Merger Corporate Governance

Corporate governance is an important aspect for the success and growth of any organisation. A well-structured corporate governance regime becomes even more important post a merger (strategic or otherwise). It might prove to be especially beneficial in the smooth transition and functioning of the business of the merged entity, especially during the early stages after the merger. At the same time, a weak corporate governance structure may be detrimental to the success of the merged entity.

In a merger, the merging entities commonly come together to work and operate as a single merged entity. This would mean the integration of different cultures, mindsets, viewpoints, work ethics, principles, etc. Therefore, post-merger corporate governance becomes important so that all discussions between the key stakeholders of the merged entity are seamlessly documented leaving zero scope for potential conflict in the future. This would also help the key stakeholders to run the business of the merged entity without having to worry about internal conflicts, mismanagement, etc. Also, depending on the end goal or the objectives of the merging entities, there has to be a clear understanding on the type of merger to be undertaken. Refer to our previous post on M & A: Different structures and a comparative to know more about different structures of M&A.

What is Corporate Governance?

Before moving on to the different aspects of corporate governance to be considered post a merger, let us try to understand the meaning of the term ‘corporate governance’. With respect to early-stage unlisted entities, corporate governance generally refers to the internal rules and policies of the organisation, the relationship between the shareholders, the roles and responsibilities of the directors and the top management and the decision-making structure, including the financial and operational decision making. In a nutshell, it includes all aspects which govern the organisation and basis which business is conducted and an organisation is run, both with respect to internal stakeholders, as well as external stakeholders.

Significance of Post-Merger Corporate Governance

Merger of entities, more often than not, would mean the integration of different cultures, mindsets, viewpoints, work ethics, principles, etc. Even though the end goal would be the same, that is, the success and growth of the merged entity, perspectives on the means to achieve the end goal may differ from person to person. However, since the merging entities would no longer be separate entities, it is important that the means to achieve the end goal is also aligned. Thus, while corporate governance is very important for every organisation, it gains even more significance post a merger.

There has to be a clear understanding on the structure of the corporate governance post-merger, which could primarily be recorded discussions and step plans to achieve the objectives of the merger. For example, if the main objective of a merger is market expansion of the business, it would be good to have a clear step plan detailing out the potential markets, key people to target the same, timelines and other operational parameters which could eventually determine achievement of results as agreed amongst the key stakeholders. If a merger involves employee movement, a clear plan for the transitioning of employees, in terms of location, identification, compensation plan, positive interactions across teams and often (in new age companies) regular counselling on challenges faced may prove to be tremendously beneficial in the long run.

Also, post the merger, it is always better to have each and every discussion documented. Such discussions (including the informal discussions) should also be conducted at the board level, which would help in ensuring that the important stakeholders are part of these discussions. The objective is not to increase bureaucracy but to ensure that the operations are seamless. This might not seem to be important especially during the initial stages after a merger. However, the importance of documenting every discussion comes into play when, at some point, the difference of opinion arises. In order to avoid tense and awkward situations at that point of time, if every decision or discussion in relation to the business and operations is documented and is taken with the knowledge of all the key stakeholders, it would to a large extent help in solving the issue at hand in a much more efficient and faster manner.

A merger would, in most circumstances, result in a change in the board composition and management. The board of the merged entity will play an important role in effective management and quick transition. The composition of the board (and the committees of the board) is usually determined prior to the closing of the transaction and is documented in the transaction documents. The composition of the board (and the committees of the board) will have to be properly thought through and well planned. Every member of the board/committee needs to understand their respective roles. It is important to ensure that there is equal representation for all the key stakeholders. The members of the board/committees have to be diverse, experienced and should have a clear understanding of the goals of the merger. Also, it is important to conduct review meetings to ensure that the goals or targets are being met and if not, analyse on the reasons and improve on the same. The board/committee meetings may be conducted on a regular basis.

It may be a good option to appoint an independent director to the board. This will help in situations where there is a difference of opinion between the various members of the board since the independent director will be a neutral party and would be able to give unbiased opinions. The independent directors bring objectivity and an independent opinion to the decisions made by the directors. They can also help in bringing more transparency to the proceedings of the board and also ensure that the interests of the shareholders are given due regard. However, an independent director can play a major role in ensuring good corporate governance only as long as he/she functions independently. His/her decisions should not be influenced by the other board members. Refer to our previous post on Independent Directors to know more about independent directors and their independence.

Conclusion

Even though there is no specific statute or law governing corporate governance as a whole in case of unlisted companies, there are various provisions under the Companies Act, 2013, SEBI guidelines, etc. which indirectly strives to have a good corporate governance system like provisions for appointment of independent directors and their roles and duties, appointment of audit committees, role of directors, etc.

To achieve the goals and objectives of the merged organisation and for a smooth transition, a well-structured corporate governance is vital.

 

Author: Paul Albert, Associate at NovoJuris Legal

ESOP vesting: Can it be paused during maternity leave?

Employee Stock Option Schemes (“ESOPs”) are structured by companies such that the employees are granted options which is a right that vests over a period of time. Upon vesting the employee can ‘exercise’ and shares are allotted by the company (or transferred by the Trust, if the ESOP is administered by a Trust).

The question is, can the vesting be paused / stopped for reasons such as sabbatical, unauthorized leave, garden leave, maternity leave etc.?

Sabbaticals, garden leave is usually a program / policy that a company would have and they spell out treatment of full pay, partial pay, benefits and the like.

Unauthorized leave is usually treated as mis-conduct and is treated per company’s policies.

However, maternity leave is a statutory right and the pay and other benefits cannot be stopped or paused during this period.

The United Nations Convention on the Elimination of all forms of Discrimination Against Women (“UNCEDAW“), which India is a signatory to, mandates under Article 11 that State Parties are required to ensure that the female employees would have a right to pay or comparable benefits without loss of employment, seniority or social allowances.

India being a signatory to the UNCEDAW is bound under the obligation of pacta sund servanda Article 26 and Article 18 providing for the obligation not to defeat the object and purpose of a treaty of the Vienna Convention on the Law of Treaties (“VCLT”).

Vesting of ESOP during Maternity Leave

The vesting of options stays in effect as long as the employee remains in the employment of the company. A female employee’s employment, during maternity leave, cannot be terminated in accordance with Section 12 of the Maternity Benefit Act 1981 and it shall be unlawful for her employer to discharge or dismiss her during or on account of such absence.

The said position has been upheld in the case of Neera Mathur v Life Insurance Corporation of India[1] where it was held that the employment of a female employee shall be protected and it would be wrongful on part of the employer to terminate the employment of the female employee during the period of maternity leave. The same position was upheld in the case of Bharti Gupta (Mrs.) v. Rail India Technical and Economical Services Limited and Ors[2] wherein it was held that Section 12 of the Act underscores the independent and inflexible nature of the liability to mandate that no woman employee can be dismissed on account of her pregnancy. It is the right of the employee to get medical benefits since such grant of maternity benefit is according to the mandate of the law.

Section 5 of the Maternity Benefit Act 1981 states that female employees cannot be denied the emoluments such as continuation of employment and payment of wages on account of being on maternity leave. This position has been upheld by the Supreme Court in the case of Municipal Corporation of Delhi v. Female Workers (Muster Roll) and Ors[3].

ESOP taxation is treated as a perquisite. Ie. at the time of exercise, the difference to exercise price and fair market value is taxed as perquisite. Shares when sold are subject to capital gains tax.

An inference can be drawn from the above, that vesting of ESOP cannot be suspended, paused during maternity leave.

Author: Mr. Spandan Saxena

[1] AIR 1992 SC 392

[2] 2005 VII AD (Delhi) 435

[3] AIR 2000 SC 1274.