Case Law Details
Rajendra Khare Vs Information Systems Audit and Control Association, Inc (Competition Commission of India)
The Informant has also alleged contravention of Section 4(2)(e) of the Act stating that ISACA is ruling over CMMI Maturity Level Certification Market in India as it is completely capable of protecting any market or denying market access because it has no competitor, and that ISACA is completely able to dictate the price as it wants and is totally uninfluenced by the market conditions. Beyond this, the Informant has not explained how ISACA is leveraging its dominant position and in which market is ISACA trying to protect its position. In the absence thereof, the Commission is of the view that such bald allegation does not require any further assessment.
Besides, the Informant has also alleged fraudulent practices carried out by ISACA. The Informant has mentioned that ISACA is carrying out the CMMI Business under the domain name CMMIINSTITUTE.COM which creates false impression of existence of an institutional structure, whereas there exists no Institute as such. Further, the Informant has also found fault with ISACA making a ‘false’ claim on its websites related to statistics of organisations who have adopted CMMI and improved their business. At the outset, it may be highlighted that such alleged fraudulent practices, as highlighted in the present case, do not fall within the ambit of the Act. Even otherwise, the information on ISACA and CMMI’s website indicate that the CMMI training is being provided through partner institutions and ISACA centrally controls certification.
FULL TEXT OF THE ORDER OF COMPETITION COMMISSION OF INDIA
Order under Section 26(2) of the Competition Act, 2002
1. The present Information has been filed under Section 19(1)(a) of the Competition Act, 2002 (‘Act’) by Rajendra Khare (‘Informant’) alleging contravention of the provisions of Section 4 of the Act by Information Systems Audit and Control Association, Inc. (‘Opposite Party/ISACA Inc’)
Facts, as stated in the Information
2. Informant is the Managing Director of DQS Certification India Private Limited, an Authorised Transition Partner of Software Engineering Institute, Carnegie Mellon University, Pittsburgh, USA to provide CMMI Assessment and Training Services.
3. ISACA, Inc is a US-based organisation having more than 200 chapters established in over 80 countries worldwide. The global community of ISACA members and certified individuals covers a variety of professional IT-related positions, information systems or IT auditors, internal auditors, governance, security and risk professionals, consultants, educators, and C-suite executives. ISACA provides training, through partner institutions, and certification to professionals worldwide. It also develops/owns models such as Capability Maturity Model Integration (‘CMMI’) for enterprises to have clear and sustainable business results by accessing models and resources that are updated regularly to reflect the ever-changing business landscape.
4. CMMI is approximately 600-page document (called CMMI Model Document or the CMMI Model), which is a management system model having a structured collection of best practices in the field of software with systems engineering and service industry. The CMMI Model is used to provide CMMI Maturity Level Certification to organizations. Currently, there are two popular models of CMMI: (i) CMMI for Development; and (ii) CMMI for Services. The scheme of CMMI Maturity Level Certification was initially operated, till the year 2016, by the Software Engineering Institute (‘SEI’), under the auspices of Carnegie Mellon University, and was funded by Department of Defence, Government of USA. Thus, the CMMI Maturity Model Certification was owned by the Government of USA through the SEI till 2016, after which SEI, created a company called Clear Model LLC which started doing business as CMMI Institute and became the owner of CMMI Maturity Model Certification. After 2016, the CMMI Maturity Level Certification was purchased by ISACA which became the owner of the CMMI Maturity Model Certification, the CMMI Model Document and the CMMI Trademark, worldwide.
5. The CMMI Maturity Model Certification, despite being owned by ISACA, a private organization, is being used by the Government of India as an eligibility criterion for bid/tender requirements for high value bids. Because of this reason, the companies in India, both in the field of IT industry and in the service-industry have to get themselves appraised [audited] by ISACA Approved Lead Appraisers to get CMMI Certification and this has created entry barrier for participating in such bids/tenders.
6. The purchase of CMMI by ISACA has allegedly led to a situation of monopoly and ISACA is using this monopolistic position to carry out abuse of dominance. As per the Informant, ISACA is operating independent of the competitive forces in the relevant market called CMMI Licensing Business because no other organization in the world, except ISACA, owns the CMMI Maturity Model Certification, the CMMI Model Document and the CMMI Trademark. This enables ISACA to impact the consumer and the Indian market completely in its favour. The Informant has mentioned that the market share of ISACA in the relevant market is 100%. Compared to the Licensed Partners of ISACA, it is stated to be an organization of large size and is in complete situation of controlling them. Moreover, ISACA has strong economic power to dominate the market and the consumer is dependent on ISACA and has no recourse in case of a problem or difficulty because ISACA ‘has no procedures for certification’.
7. The Informant has alleged that ISACA is abusing its dominant position by discriminating amongst its ISACA Licensed Partners by stratifying the ISACA Licensed Partners into different levels and providing different service level to partners in different layers, depending upon different payment terms, which contravenes Section 4(2)(a)(i) of the Act. The Informant has also claimed that ISACA charges all the Licensing Partners at the same price on pro-rata basis but provides discriminatory services to different level of partners which contravenes Section 4(2)(a)(ii) of the Act.
8. Further, the Informant has alleged that ISACA has contravened Section 4(2)(b)(i) of the Act by creating artificial scarcity in the market by restricting the number of appraisals to 16 per year that can be carried out by one Lead Appraiser without providing any scientific reason for this kind of restriction. This, as per the Informant, has led to very steep artificial increase in price, as much as five times, which the consumer (Indian companies) have to pay, for the CMMI Maturity Level Certification. This has allegedly created difficulty in the availability of service as the consumer is not able to get the CMMI Maturity Level Certification when it wants because the ISACA Lead Appraisers are booked for years well in advance and in the process, the consumer suffers immensely because it cannot bid for the required tender in a time-bound manner.
9. The Informant has alleged that ISACA is restricting the technical and scientific development of the CMMI Model Document because it is keeping it isolated and not investing in the required resources which contravenes Section 4(2)(b)(ii) of the Act. There is no systematic method for technical and scientific development of the CMMI Model as that of development of ISO [International Organization for Standardization] Standards. Also, ISACA has not developed any procedures for CMMI Maturity Level Certification, specially related to, the decision-making processes in the manner as are defined in ISO 17021, Rules for Certification Bodies. ISACA uses sole discretion as the main method for any important decision-making process and does not have any appeals process. It has not published its appraisal methods, certification procedures on its website. The Indian consumer is not aware by which method it is being audited. In relation to this, the Informant has submitted the organisational chart of ISACA and a screenshot where it is mentioned that ISO17021 requires certification bodies to make some information accessible publicly.
10. Further, the Informant has averred that ISACA has denied market access to all other organizations because of its ownership of the CMMI Model which contravenes Section 4(2)(c) of the Act. It has been stated that ISACA should not act as the certification body itself because it owns the model, and should rather act like ISO, which publishes the ISO Standard and does not get involved in the nitty-gritty of certification. However, on the contrary, ISACA is directly acting as the Certification Body itself and thus denying market access to other players who may also like to enter the Certification Business.
11. The Informant has also alleged that ISACA contravenes Section 4(2)(d) of the Act by using its dominant position to impose supplementary obligations on its Licensed Partners which are one-sided, unconscionable and totally lie in ISACA’s favor. The Informant has added that these supplementary obligations include limitation of liability, termination without cause, jurisdictional obligations and discretion to elect or reject dispute resolution through arbitration.
12. The Informant has further alleged that ISACA is abusing its dominant position by having complete control over CMMI Maturity Level Certification Market in India as they are completely capable to protect any market because it neither has any competitors, nor is covered under the regulatory control of the Government of India, resulting in violation of Section 4(2)(e) of the Act.
13. Besides the contravention of aforesaid provision of Section 4 of the Act, the Informant has also mentioned fraudulent practices carried out by ISACA in carrying out the CMMI Business under the domain name CMMIINSTITUTE.COM. This, according to the Informant, is creating a false impression of existence of an “institutional structure”, whereas there is no CMMI Institute and ISACA is running this business with a skeletal staff of 5 to 9 individuals. In fact, there is no organization called CMMI Institute having an institutional infrastructure like that of Software Engineering Institute (SEI) or any such similar institute. It is stated that ISACA is trying to impersonate the goodwill and reputation of SEI and its trusted business name by using the name CMMI Institute and the domain name CMMIINSTITUTE.com.
14. Further, the Informant has added that ISACA is making false claims on its website by posting that “CMMI has proven to improve business performance in the following ways: [a] Reduce rework by 60%; [b] Improve Product Quality by 70%; [c] Improve Productivity by 54%; [d] Average Improvement in Defect Containment.” without any research and experiment. Moreover, ISACA claims on its website that “Thousands of high-performing organizations” which have “achieved sustainable business success through CMMI adoption, demonstrating their ability as capable business partners and suppliers” without any backed-up research. Finally, the Informant has submitted that ISACA has bought CMMI Model in 2016 and has drastically changed the model content in the recent past with CMMI Version 2.0 and has also changed the Appraisal Method from SCAMPI Appraisal Method of SEI to ISACA’s Benchmark Appraisal Method but still claims on its website that from past 30+ years, organization has achieved sustainable business results, which is not the case.
15. Based on the aforesaid facts and allegations, the Informant has requested the Commission to dilute the dominant position of ISACA by brining CMMI Maturity Model Certification under National Regulatory Bodies like Quality Council of India (QCI) and National Board for Certification Bodies.
16. The Informant has also sought interim relief under Section 33 of the Act praying that ISACA should be restrained from carrying out any CMMI related activities in India including CMMI Maturity Level Certification Business because Indian consumers are suffering irreparable harm as ISACA is denying them the services by placing restrictions on the availability of service. Further, it has been prayed that the Commission should direct the Government of India not to use CMMI Model document as eligibility criteria for bidding of high-value tenders.
17. The Informant has also intimated about a pending litigation in the Hon’ble High Court of Delhi, being Civil Suit Commercial Case No. 611 of 2021, DQS Certification versus ISACA.
Analysis of the Commission
18.The Commission notes that the gravamen of Informant’s grievance stems from ISACA being the only organisation entrusted with CMMI Maturity Model Certification and also providing authorisation to the partner institutes and/or individuals for undertaking appraisal which has allegedly resulted in it having control over the whole certification process, to the exclusion of other organisations/bodies who could have operated in the certification business, besides making these partner institutions and individuals totally dependent upon ISACA. Further, since the Government of India allegedly mandates CMMI certification as an eligibility criterion for bidding in high value tenders, according to the Informant the companies have no option but to get this certification from individuals authorised by ISACA to provide such certification. The Informant has alleged contravention of all the sub-sections of Section 4 of the Act, i.e. Sections 4(2)(a)(i), 4(2)(a)(ii), 4(2)(b)(i), 4(2)(b)(ii), 4(2)(c), 4(2)(d) and 4(2)(e).
19. Presently known only by its acronym, ISACA was formerly known as the Information Systems Audit and Control Association. From the information available in public domain, the Commission understands that ISACA is a global professional association and has presence in 188 countries, including more than 200 chapters worldwide. With the help of licensed partner institutions, ISACA imparts training and certification to individuals on different models that it owns (one of which is CMMI Model) and these individuals, in turn, align the procedures and practices being followed in the organisations where they work to the internationally accepted best practices; or if those individuals or their firms/entities certify the organisations are trained beyond a level to have become Lead Appraisers, then such individuals certify the organisations about the quality of processes being followed by them against some benchmarking e.g. CMMI model. Though ISACA provides certifications on various models, the grievance of the Informant is with regard to CMMI Model.
20. The CMMI is a model that helps organizations to effectuate process improvement and develop behaviours that decrease risks in service, product and software development. The first version of the CMMI was released in 2002 and built upon the Capability Maturity Model (CMM), which was developed from 1987 to 1997. Thereafter, newer versions have been developed. The CMMI Maturity Level ratings range from 1 to 5, with Level 5 being the highest level. The organisations/entities having high CMMI maturity level signify higher overall competency.
21. As mentioned in the information, initially the CMMI Maturity Model Certification was governed by SEI at Carnegie Mellon University (USA). In 2012, Carnegie Mellon University founded the CMMI Institute in order to extend the benefits of CMMI beyond software and systems engineering to any product or service company regardless of size or industry. In March 2016, CMMI® Institute was acquired by ISACA. As it appears from the publicly available information that ISACA does not have an institute like infrastructure in the conventional sense and the training on CMMI model is being provided by ISACA through licensed partner institutions which are private training institutes having certified trainers to impart such trainings. The Informant is one such trainer who is the MD of one such training firm namely DQS Certification India Private Limited through which trainings are being provided for different certification courses.
22. The Informant has alleged contravention of Section 4 of the Act by ISACA. Before examining ISACA’s conduct Section 4 of the Act, it needs to be seen whether ISACA falls within the scope of definition of ‘enterprise’ in terms of Section 2(h) of the Act. For ascertaining whether an entity is an ‘enterprise’ or not within the meaning of Section 2(h) of the Act, it is essential to examine the nature of the activity undertaken by the entity. As discussed earlier, ISACA Inc is a non-profit global professional association and learning organization. Through various certifications/solutions, ISACA enables enterprises to train and build quality teams. The Annual report released by ISACA in 2019 indicate that their operating revenue include certification, relations, education, end user product sponsorship, publications, licensing, consultation and others amounting to $ 83,201,260. This shows that ISACA is involved in economic activities and, thus, it falls within the definition of the term ‘enterprise’ under Section 2(h) of the Act.
23. The next step under the assessment framework for Section 4 of the Act is delineation of the relevant market to ascertain dominance and for analysing the abusive conduct of ISACA as alleged by the Informant.
24. The Informant has proposed relevant product market as CMMI Licensing Business and has primarily alleged that ISACA is dominant in this market because it owns the CMMI maturity model certification and CMMI model document.
25. The Commission observes that the Informant’s grievance is with regard to CMMI certification which is used by organisations to indicate the competency of the software and processes. In this regard, the Commission found that though there are certain ISO certifications also which are being used by organisations (e.g. ISO 9001 and ISO 27001) for having better processes, these are standards as opposed to certification given by ISACA authorised individuals. Moreover, the ISO standards and the CMMI certifications technically seem to be catering to different industries and meant for different project deliverables.
26. In the Guidance Note (2018) available on the Ministry of Electronics and Information Technology (MEITY) website for selection of implementation Agencies, MEITY has cautioned the Ministries and Government departments on the prescription of certification in tender documents as pre-qualification criterion. In the said document, it has clarified the purpose for which standards/certifications like ISO 9001, ISO 27001, CMMI, ISO 14001, ISO/IEC 20000 etc. should be prescribed in different tender documents, which shows that these certifications are not as such substitutable. Further, CMMI (SEI) certification is stated to be relevant for projects where software implementation or application development is being done. Thus, it appears that different certifications are meant for different purposes and ISO standards may not be able to fulfil the same purpose as a CMMI certification and vice versa.
27. Apparently, organizations use CMMI model to improve their processes on a consistent basis and organisations which are CMMI certified are perceived to have better solution delivery in projects. Further, the CMMI certification of companies by ISACA authorised professionals is in some way used as a benchmarking mechanism to signify efficiency in performance. Thus, following a functional approach, the relevant product market in the present case appears to be ‘market for providing solutions for process improvement and certification for benchmarking performance’. As regards the geographic market, though the certification is provided on a global basis, given the scope of the Act being India, the relevant geographic market is ‘India’. Thus, the relevant market is ‘market for providing solutions for process improvement and certification for benchmarking performance in India’.
28. As regards the market delineated above, CMMI certification seems to be the only and most widely used certification at present. The Informant has also pointed towards the mandatory requirement of CMMI certification for participating in high value tenders by Government of India. As noted earlier, though there are certain ISO standards also which are being used by organisations (e.g. ISO 9001 and ISO 27001) for having better processes, they appear to be technically implemented by companies in different industries for different project deliverables. ISACA seems to have a lot of control owing to the fact that CMMI Institute has been acquired by ISACA in 2016 and any partner institution willing to provide training for CMMI model has to necessarily get a license from ISACA and any individual seeking to have the authorisation to provide CMMI certification to organisations, have to go through the necessary channel of ISACA and its partner institutions.
29. Based on the above, the Commission is of the view that ISACA being the owner of CMMI model, and having sole control over the imparting of training and certification, appears to be dominant in the ‘market for providing solutions for process improvement and certification for benchmarking performance in India’.
30. As regards abuse, the Informant has first alleged that ISACA is classifying ISACA Licensing Partners into different tiers and providing different service level to partners in different tiers which contravenes Section 4(2)(a)(i) of the Act. The Commission analysed the screenshot submitted by Informant substantiating this allegation and noted that there are three options available to the Partner Institutions at the time of becoming a licensed partner for imparting CMMI training i.e. Standard, Premium and Elite. These three types of partner tiers come with different prices/cost and also assure different services which the partner institution gets in return from ISACA. The charges are $0 to $74,999 for Standard, $75,000 to $1,99,999 for Premium and $2,00,000 and above from Elite partners. As it appears, the Standard tier provides basic services such as access to knowledge base, listing as partner and basic sales template. When a partner upgrades to Premium tier, they get a dedicated account manager, better marketing services and presales and quarterly business review, in addition to standard tier services. Finally, if the partner opts for Elite tier, they get all the benefits of standard and premium ties plus priority helpdesk, co-branding, success story marketing, discounts in training, access to exclusive products and others. Thus, these three different service offerings come for a different pricing structure, where the partner institutions are free to make a choice and avail service as per the class they have chosen. It is not the case of the Informant that ISACA is denying any partner institute from accessing any of these service offerings. Also, the Informant has not been able to demonstrate how availing these different services has led to unequal accessibility to the partner institutes in reaching the market. For the foregoing reasons, the Commission is of the opinion that providing different services with different cost structures may not be termed as discriminatory in the present case and thus, the contravention under Section 4(2)(a)(i) is not established.
31. As regards the second allegation, the Informant has stated that ISACA is creating artificial scarcity by restricting the number of audits which can be undertaken by one Lead Appraisers in a year at 16 which results in steep artificial increase in price for CMMI Maturity Level Certification. This is alleged to be in contravention of Section 4(2)(b)(i) of the Act. The Commission notes that though such stipulations restrict the number of audit/appraisals undertaken by each certified individual capable for providing lead appraisal certifications, there can be objective justifications for putting such stipulations. As per Exhibit 2 titled CMMI Appraisal Delivery Limits Policy enclosed with the information, ISACA has linked this restriction to quality. It has been stated that “[w] ith so many factors influencing process implementation within an organization, LAs must invest the time necessary to thoroughly understand an organization and its processes as well as plan and manage the appraisal. This policy establishes an annual limit to the number of Benchmark or Sustainment Appraisals an LA can conduct to ensure adequate care and rigor is taken to plan for, manage, and credibly assess an organization’s capabilities.” Thus, given the justification of ensuring quality provided by ISACA in limiting the number of appraisals to 16 per year, the Commission prima facie finds no contravention under Section 4(2)(b)(i) of the Act on this ground.
32. The next allegation of the Informant is that ISACA is restricting the technical and scientific development of the CMMI Model Document because it is keeping it isolated and not investing in the required resources and also has not released any guidelines on certification method and appraisal method which contravenes section 4(2)(b)(ii) of the Act. Apparently, ISACA is controlling the CMMI maturity model; however, no fault can be seen with such control given that the CMMI institute has been acquired by ISACA. The Informant has not illustrated if the users (entities who employ CMMI certification to improve their processes) are finding such model outdated. Even otherwise, CMMI model has been updated from time to time and that the CMMI model has been updated in 2018 from CMMI 1.3 to CMMI 2.0 as per Informant’s own submission in the information. Thus, no case seems to be made out under Section 4(2)(b)(ii) of the Act.
33. Further, the Informant has alleged contravention of Section 4(2)(c) of the Act by ISACA, stating that it has denied market access to all other organizations because of its ownership of the CMMI Model. The Informant has also compared the CMMI Maturity Level Certification to the ISO standards. He has stated that while ISO publishes the ISO Standard and does not get involved in the nitty-gritty of certification, ISACA is directly acting as the certification body itself and thus, denying market access to other players who may also like to enter the certification business.
34. In this regard, it is noted that ISO is an independent, non-governmental international organization with a membership of 165 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. IAF (International Accreditation Forum) and ILAC (International Laboratory Accreditation Cooperation) are global networks of accreditation bodies and organisations involved in conformity assessment activities, which authorise members to provide certification. By comparison, CMMI Model Document is owned by ISACA. Also, ISACA provides training through Partner Institutions to organisations about use of CMMI Model and certification to individuals to become Lead Appraisers and apply CMMI Model in the organisation. Thus, apparently, ISACA has a different structure and operational system as compared to the ISO. However, the Commission is of the view that though these bodies work differently, the Informant has not established how the ISACA’s functioning and CMMI maturity model certification is leading to any anti-competitive outcome. If one institute is managing and controlling the certification and the standard/model as against involvement of multiple organisations, this in itself may not be sufficient to raise a competition concern.
35.The Informant has also alleged that ISACA has contravened Section 4(2)(d) of the Act by using its dominant position to sign the contract with Licensing partner which include supplementary obligations that are one-sided, unconscionable and totally lie in ISACA’s favor. The Commission looked into the screenshot of some of the clauses of the agreement submitted by the Informant and noted that under the termination clause, both the parties have the right to terminate the agreement with 30 days’ notice, though without assigning any cause. Even other clauses highlighted by the Informant prima facie do not seem to raise competition concern, nor the Informant has explained how those clauses are one-sided.
36.The Informant has also alleged contravention of Section 4(2)(e) of the Act stating that ISACA is ruling over CMMI Maturity Level Certification Market in India as it is completely capable of protecting any market or denying market access because it has no competitor, and that ISACA is completely able to dictate the price as it wants and is totally uninfluenced by the market conditions. Beyond this, the Informant has not explained how ISACA is leveraging its dominant position and in which market is ISACA trying to protect its position. In the absence thereof, the Commission is of the view that such bald allegation does not require any further assessment.
37. Besides, the Informant has also alleged fraudulent practices carried out by ISACA. The Informant has mentioned that ISACA is carrying out the CMMI Business under the domain name CMMIINSTITUTE.COM which creates false impression of existence of an institutional structure, whereas there exists no Institute as such. Further, the Informant has also found fault with ISACA making a ‘false’ claim on its websites related to statistics of organisations who have adopted CMMI and improved their business. At the outset, it may be highlighted that such alleged fraudulent practices, as highlighted in the present case, do not fall within the ambit of the Act. Even otherwise, the information on ISACA and CMMI’s website indicate that the CMMI training is being provided through partner institutions and ISACA centrally controls certification.
38. In view of the foregoing, the Commission is of the opinion that there exists no prima facie case, and the information filed is directed to be closed forthwith against ISACA under the provisions of Section 26(2) of the Act.
39. Notwithstanding the order passed above, the Commission emphasises that the findings reflect the views of the Commission purely from the standpoint of the provisions of the Competition Act, 2002 and may not be construed as expressing any opinion on merits, in any manner, in respect of other ongoing proceedings against ISACA in any other forum/tribunal/court.
40. The Secretary is directed to communicate to the Informant, accordingly.
