Code of Conduct

Engagement with government/regulatory authorities

  1. Monitor and adhere to all regulations that directly or indirectly apply to the companies regulated by financial sector regulators and government authorities. Please refer to Annexure 1 for relevant regulations. Regularly update internal policies and procedures to ensure compliance with these regulations.
  2. Be part of the FinTech repository and contribute accurate and timely information.
  3. Engage with regulatory and government authorities to ensure alignment with compliance and risk management expectations, and provide complete, accurate, and timely information as required.
  4. Contribute to regulatory and industry consultations/sandboxes/standards.
  5. Cooperate with regulators and government authorities during inspections by allowing access to IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the company and/or its sub-contractors as applicable to the scope of the investigation.

Responsible innovation

  1. Understand the client’s compliance needs to provide suitable and professional services.
  2. Validate models as per the robust, documented internal processes to mitigate biases and ensure reliable, fair, and robust outcomes across diverse use cases. Implement AI models that are explainable, contestable, protect human agency, and are accountable with periodic reviews and impact assessments after deployment.
  3. Conduct thorough risk assessments of solutions before implementation, ensuring alignment with industry best practices and regulatory expectations.
  4. Disclose key performance indicators and limitations of the RegTech solutions to the client.

Data Privacy & Security

  1. Secure sensitive data with encryption, access controls, and regular audits.
  2. Support and ensure your clients take explicit consent for data collection, processing, and sharing, as mandated under applicable data protection laws.
  3. Develop clear, concise internal policies that comply with India’s data protection laws and sectoral regulations, focusing on obtaining user consent, managing data retention, and handling sensitive personal data.
  4. Get relevant certifications. Please refer to Annexure 2 for relevant certifications.
  5. Maintain customer and client data confidentiality if serving multiple clients and sharing data with service providers. Ensure compliance with data localisation and data protection guidelines, as applicable.
  6. Establish a clear process for reporting and resolving security incidents, data breaches, misuse, or system failures. Conduct third-party audits of security systems.

Partnerships

  1. Conduct due diligence on partnerships, both upstream and downstream.
  2. Thoroughly assess the service provider, including, but not limited to, financial stability, infrastructure, IT & cybersecurity, reputation, and compliance history. It should also include the ability to handle scale-up, past performance with similar businesses, a business continuity and disaster recovery plan, and previous security breaches.
  3. Execute a legally binding agreement with the parties in the value chain covering development, management or operation of APIs/solutions/services, not compromising the integrity, confidentiality, or compliance of the RegTech services. Outline parties' roles, responsibilities, and expectations with details on activities, service levels, data handling, security protocols, and compliance obligations.
  4. Take steps to ensure that the service providers employ the same high standard of care in performing the services as the company would have.
  5. Ensure that the partners (clients or service providers) handle data (use, sharing, retention, destruction) in compliance with applicable data protection laws. This shall apply from the origination to the end use of data.
  6. Establish a clear chain of responsibility for failures/issues by third-party dependencies.
  7. Develop clear guidelines for data storage/computing/movement in a cloud environment.
  8. Implement controls to prevent unauthorised disclosure of confidential data within the company and service providers.
  9. Follow local laws/standards as applicable, if operating in a jurisdiction other than India.

Transparency & Accountability

  1. Engage in fair, transparent, and ethical business practices with all stakeholders, including clients, partners, and regulators.
  2. Identify, disclose, and appropriately manage conflicts of interest in all business dealings.
  3. Maintain transparent pricing structures and clearly outline service terms.
  4. Maintain records and audit trails demonstrating compliance with regulatory requirements and industry practices.
  5. Develop a robust framework to monitor and control performance, adherence to Service Level Agreements, and incident reporting mechanisms.

Employee training & conduct

  1. Regularly train employees on relevant laws and industry standards (e.g. data privacy, IT & cybersecurity, AI). Foster a culture of compliance, integrity, and ethical behaviour within the company.
  2. Establish mechanisms for employees to report misconduct or non-compliance without fear of retaliation.

Grievance redressal

  1. Provide accessible channels for stakeholders (clients, customers, employees) to report grievances. This includes email, phone lines, and dedicated web portals with process and escalation metrics.
  2. Establish precise and efficient systems for promptly and transparently resolving customers' and clients' complaints and regulatory queries.
  3. Review and improve grievance redressal processes and escalation matrix to ensure effectiveness and adherence to best practices.
  4. Report all grievances about regulatory non-compliance and data breaches to the relevant authorities.