RISK MANAGEMENT POLICY

INTRODUCTION

This Risk Management Policy aims to ensure that all material risks — including financial, legal, technological, regulatory, operational, and reputational — are proactively identified, evaluated, monitored, and mitigated.

The policies are drafted in a manner to conduct the Company’s operations in full compliance with:

1. The Payment and Settlement Systems Act, 2007

2. RBI’s Guidelines on Regulation of Payment Aggregators and Payment Gateways (2020)

3. Information Technology Act, 2000

4. The Prevention of Money Laundering Act, 2002

5. FATF Recommendations and PCI DSS Standards

It involves identifying potential threats to business continuity, legal compliance, data security, and customer trust, and implementing controls to mitigate these threats. This policy applies to all employees, contractors, and third parties associated with the Company.

GOVERNANCE AND OVERSIGHT

Board of Directors

The Board of Directors holds the ultimate responsibility for the oversight of risk management practices within the organization. The Board shall:

1. Approve Risk Appetite and Strategy:Establish and periodically review the company’s risk appetite, tolerance levels, and overall risk strategy, ensuring alignment with business objectives and regulatory requirements.
2. Policy Endorsement:Review and formally approve the Risk Management Policy, including updates and amendments.
3. Oversight of Key Risks:Monitor material risks through periodic reports from management and the Risk Management Committee.
4. Ensure Resource Allocation:Guarantee sufficient allocation of resources financial, human, and technological to risk management and compliance functions.
5. Review Audit Reports:Receive and review internal and external audit findings related to risk management.

Risk Management Committee (RMC)

A dedicated Risk Management Committee shall be constituted to oversee the implementation of the risk framework. The RMC shall:

1. Composition:Include senior executives such as the Chief Risk Officer (CRO), Chief Technology Officer (CTO), Chief Financial Officer (CFO), Chief Compliance Officer (CCO), and Legal Counsel.
2. Responsibilities:
   1. Conduct comprehensive risk assessments across all business functions.
   2. Maintain and update a centralized Risk Register documenting all identified risks, their status, and mitigation measures.
   3. Review the effectiveness of internal controls and risk mitigation plans.
   4. Monitor emerging risks and recommend policy or process changes.
   5. Oversee incident investigations and root cause analyses.
   6. Prepare quarterly risk reports for presentation to the Board.

Chief Risk Officer (CRO)

The CRO shall be responsible for the day-to-day management of risk and:

1. Develop and implement risk management frameworks, policies, and procedures.

2. Coordinate with business units to identify, assess, and mitigate risks.

3. Ensure compliance with regulatory risk reporting and documentation requirements.

4. Lead risk awareness and training programs.

5. Serve as a liaison with regulators during audits and inspections.

Internal Audit Function

The internal audit team operates independently to:

1. Provide objective assessments of the risk management processes and controls.

2. Conduct scheduled and surprise audits focusing on operational, compliance, IT, and financial risks.

3. Evaluate the adequacy of the risk mitigation measures.

4. Report audit findings directly to the Audit Committee and Board.

Compliance and Legal Function

This function ensures:

1. Adherence to all relevant laws, regulations, and internal policies.

2. Continuous monitoring of regulatory developments and advising management on compliance impact.

3. Management of regulatory filings, disclosures, and correspondence.

4. Oversight of the Anti-Money Laundering (AML) program and data privacy compliance.

Risk Culture and Communication

1. Promote a risk-aware culture through ongoing communication, training, and leadership example.

2. Encourage employees at all levels to identify and report risks or breaches without fear of retaliation.

Regularly review and update risk communication channels to ensure clarity and accessibility.

OPERATIONAL RISK MANAGEMENT

Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events.

Third-Party Vendor Risk

To ensure that third-party entities involved in technology, payment processing, fraud detection, or customer support do not introduce unacceptable risk to the organization. The following measures are implemented:-

1. Due Diligence:All vendors must undergo a comprehensive due diligence process evaluating their financial stability, operational practices, data security controls, and prior regulatory compliance.
2. Contractual Safeguards:Agreements with third parties must include detailed clauses on confidentiality, data protection, liability, incident response, and compliance with applicable laws (including IT Act, RBI circulars, and the Data Protection Act).
3. Performance Monitoring:Service Level Agreements (SLAs) shall be defined and continuously monitored. Periodic reviews and audits of vendors are mandatory, particularly those handling payment data or customer information.

Business Continuity and Disaster Recovery (BCP/DR)

To ensure resilience in the face of operational disruptions and to provide continuity of critical services. The following measures are implemented:-

1. Business Continuity Plan:A formal BCP document shall identify critical functions, alternate infrastructure, responsible personnel, and action plans for various risk scenarios (e.g., data center failure, natural disaster, cyberattack).
2. Disaster Recovery (DR):DR sites must be geographically separate and capable of handling full-load transaction volume.
3. Testing:BCP and DR plans must be tested bi-annually, with test results reported to the Risk Management Committee and Board.
4. Compliance:Plans must align with RBI’s Master Direction on Digital Payment Security Controls.

Incident Management

To ensure timely detection, response, and resolution of operational incidents. The following measures are implemented:-

1. Incident Response Team (IRT):A cross-functional team including IT, security, legal, and compliance heads will be activated in case of any significant event.
2. Reporting:Any major incident must be logged immediately, with Root Cause Analysis (RCA) completed within 72 hours and reported to RBI (where applicable) within the timeframes prescribed.
3. Documentation:An incident management log must be maintained with timelines, impact, resolution steps, and mitigation strategies.

COMPLIANCE AND LEGAL RISK MANAGEMENT

Regulatory Adherence

To maintain full compliance with all applicable legal and regulatory frameworks governing payment systems and digital transactions in India. The following measures are implemented:-

1. Regulatory Framework:A cross-functional team including IT, security, legal, and compliance heads will be activated in case of any significant event.
   1. The Payment and Settlement Systems Act, 2007
   2. RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways (2020)
   3. Information Technology Act, 2000, including the SPDI (Sensitive Personal Data or Information) Rules
   4. FEMA regulations for cross-border payments
   5. Periodic circulars and master directions issued by RBI
2. Licensing:The company must maintain valid authorization from the RBI under the PSS Act and renew approvals as per prescribed timelines.
3. Regulatory Reporting:Submission of timely and accurate regulatory reports (e.g., fraud statistics, merchant onboarding data, system audit certificates) is mandatory. A compliance calendar must be maintained to track due dates.
4. Internal Audits:The Internal Audit team must perform compliance checks quarterly, with reports reviewed by the Risk Management Committee and Board.

Anti-Money Laundering (AML) and Know Your Customer (KYC)

To prevent money laundering, terrorist financing, and illegal transactions through effective onboarding and transaction monitoring. The following measures are implemented:-

1. Customer Identification:All merchants must be verified using RBI’s KYC norms, including PAN validation, business verification, GST details, and bank account ownership confirmation.
2. Ongoing Due Diligence:Continuous monitoring of merchant activity for transaction pattern anomalies and excessive chargebacks. Re-KYC must be conducted every two years.
3. Suspicious Activity Monitoring:All flagged transactions (based on volume, velocity, location mismatch, or blacklisted keywords) must be reviewed by a compliance analyst.
4. Reporting Obligations:File Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) with the Financial Intelligence Unit-India (FIU-IND) in accordance with the Prevention of Money Laundering Act (PMLA), 2002.
5. Training:AML/KYC training must be conducted bi-annually for all relevant staff.

Data Privacy and Protection

To ensure the confidentiality, integrity, and lawful processing of customer and merchant data. The following measures are implemented:-

1. Lawful Processing:Personal data must be collected with explicit consent and only for defined, legitimate purposes in accordance with the Digital Personal Data Protection Act, 2023.
2. Data Rights:The company must provide mechanisms for users to:
   1. Access their data
   2. Correct inaccuracies
   3. Withdraw consent
   4. Request deletion where applicable
3. Data Storage:Payment and personal data must be encrypted at rest and in transit. Storage must be limited to within India (or RBI-approved jurisdictions).
4. Data Retention and Deletion:Data retention schedules shall be defined, with automatic data purging mechanisms after the legally mandated period.
5. Incident Notification:Any data breach must be reported to the Data Protection Board of India within 72 hours and to affected users without undue delay.
6. Role of DPO:A Data Protection Officer (DPO) shall be designated to oversee compliance, respond to data subject requests, and conduct regular audits.

FINANCIAL RISK MANAGEMENT

Financial risks may include exposure to credit defaults, inadequate liquidity, delayed settlements, and financial misstatements.

Credit Risk

To manage exposure arising from merchants or partners defaulting on their financial obligations. The following measures are implemented:-

1. Merchant Credit Evaluation:A thorough financial due diligence process is mandatory before onboarding merchants. This includes review of:
   1. PAN, GST, and bank account verification
   2. Past payment history
   3. Business longevity and market reputation
   4. Credit reports from registered bureaus (e.g., CIBIL, CRIF)
2. Risk-Based Categorization:Merchants shall be categorized (Low, Moderate, High) based on risk scores. High-risk merchants may be subjected to:
   1. Collateral deposits or rolling reserves
   2. Delayed settlement cycles
   3. Increased monitoring for chargebacks and fraud
3. Exposure Limits:Limits will be defined for individual merchant exposure and overall portfolio risk. Breach of thresholds triggers an automatic review and may lead to suspension.
4. Default Management:In the event of a merchant default, an escalation mechanism shall involve legal action, invocation of contracts, and financial recovery through withheld funds or guarantees.

Liquidity Risk

To ensure adequate funds are available to meet obligations including settlements, refunds, and operational needs. The following measures are implemented:-

1. Escrow/Nodal Account Compliance:As per RBI guidelines, all customer payments must be routed through a nodal/escrow account maintained with a scheduled commercial bank. Daily reconciliation and fund isolation must be ensured.
2. Liquidity Buffer:A defined minimum liquidity buffer (e.g., 1.25x of daily settlement obligations) shall be maintained in operating accounts to cover emergencies.
3. Stress Testing:Quarterly liquidity stress tests must be conducted under adverse transaction volume and refund conditions. Findings to be reviewed by the CFO and Risk Committee.
4. Contingency Planning:Establish lines of credit or financial backstops from banks/NBFCs to meet liquidity shortfalls, if needed.

Settlement Risk

To mitigate risks arising from delays or failures in settling funds to merchants. The following measures are implemented:-

1. Settlement Timelines:Adherence to T+1/T+2 settlement schedules as mandated by RBI, with appropriate cut-off times for transaction batches.
2. Daily Reconciliation:Automated systems must reconcile payment inflows and merchant balances every 24 hours. Discrepancies must be resolved within the next business day.
3. Automated Alerts:Generate alerts in cases of under-settlement, duplicate settlements, or reconciliation mismatches.
4. Dispute Handling:Maintain a structured escalation matrix for settlement disputes, with clear timelines for resolution (preferably within 3 business days).
5. Audit and Review:Settlement processes must be independently audited every quarter. A summary report shall be submitted to the Board and shared with RBI upon request.

CYBERSECURITY AND INFORMATION SECURITY

PCI DSS Compliance

To ensure the secure handling of cardholder data in alignment with the Payment Card Industry Data Security Standard (PCI DSS). The following measures are implemented:-

1. Certification:The Company shall maintain PCI DSS Level 1 compliance, the highest standard, as validated by certified Qualified Security Assessors (QSAs).
2. Scope:All systems, networks, and processes handling cardholder data must be included within the PCI DSS scope.
3. Regular Assessments:Conduct mandatory annual PCI DSS audits and quarterly vulnerability scans.
4. Remediation:Identified vulnerabilities must be prioritized and remediated within a maximum of 30 days.

Access Control and Authentication

To restrict access to sensitive systems and data only to authorized personnel and prevent unauthorized use. The following measures are implemented:-

1. Role-Based Access Control (RBAC):Assign access privileges strictly based on job roles and responsibilities with the principle of least privilege.
2. Multi-Factor Authentication (MFA):Enforce MFA for all administrative access and sensitive transaction processing platforms.
3. Password Management:Implement strong password policies including complexity, expiration, and storage protocols.
4. Session Management:Auto-logout for inactive sessions and tracking of user activities via secure audit logs.

Vulnerability Assessment and Penetration Testing (VA/PT)

To proactively identify and mitigate security weaknesses in infrastructure and applications. The following measures are implemented:-

1. Frequency:Conduct Vulnerability Assessments and Penetration Tests at least twice per year or after any significant infrastructure or application change.
2. Third-Party Experts:Use certified external security firms to perform independent assessments.
3. Issue Tracking:Document all findings, assign remediation owners, and enforce deadlines for fix implementation, typically within 15 business days.
4. Retesting:Confirm fixes through retesting before closure.

Data Encryption

To protect sensitive data during transmission and storage. The following measures are implemented:-

1. Encryption Standards:Use industry-standard encryption protocols (e.g., TLS 1.2 or higher) for data in transit.
2. At Rest:Cardholder and personal data must be encrypted at rest using strong cryptographic algorithms such as AES-256.
3. Key Management:Maintain a secure, auditable encryption key management system.

Security Awareness and Training

To cultivate a security-conscious culture among employees and contractors. The following measures are implemented:-

1. Training Programs:Mandatory quarterly cybersecurity awareness training covering phishing, social engineering, password hygiene, and incident reporting.
2. Simulated Phishing:Conduct periodic simulated phishing attacks to assess and improve employee vigilance.
3. Policy Acknowledgement:All personnel must annually acknowledge understanding and compliance with security policies.

FRAUD RISK MANAGEMENT

Real-Time Monitoring and Detection

To identify and prevent fraudulent transactions in real-time by leveraging advanced analytics and machine learning tools. The following measures are implemented:-

1. Transaction Monitoring:Deploy AI-powered fraud detection systems to continuously monitor transactions for suspicious patterns such as unusual transaction amounts, frequency, geolocation anomalies, or device fingerprint inconsistencies.
2. Rule-Based Controls:Implement predefined business rules to flag high-risk transactions (e.g., multiple rapid transactions, blacklisted IP addresses).
3. Alert Management:Establish a dedicated fraud operations team to review alerts promptly and take necessary actions such as blocking or flagging transactions for further investigation.
4. False Positive Management:Balance fraud prevention with customer experience by fine-tuning alert thresholds and conducting periodic reviews to reduce false positives.

Chargeback Management

To efficiently handle chargebacks and minimize financial loss from fraudulent or disputed transactions. The following measures are implemented:-

1. Chargeback Monitoring:Maintain detailed records of chargebacks by merchant and transaction type, analyzing trends to identify potential fraud schemes.
2. Dispute Resolution Workflow:Develop a structured dispute management process with clear timelines for evidence collection, submission to payment networks, and communication with merchants.
3. Merchant Education:Train merchants on best practices to reduce chargebacks, including transaction verification and customer communication.
4. Reserve Funds:Maintain appropriate reserves or holdbacks to cover potential chargeback liabilities, especially for high-risk merchants.

Merchant Risk Profiling

To categorize merchants according to their fraud risk level and implement controls accordingly. The following measures are implemented:-

1. Risk Assessment:Conduct detailed risk assessments during merchant onboarding covering business model, industry sector, geographic location, transaction volumes, and historical fraud data.
2. Ongoing Monitoring:Perform continuous evaluation of merchant behavior, including unusual transaction spikes or excessive refund rates.
3. Enhanced Due Diligence:Apply stricter KYC and transaction monitoring requirements for high-risk merchants.
4. Suspension/Termination:Define clear criteria for suspension or termination of merchants found to be involved in fraudulent activities.

CUSTOMER PROTECTION

Transparency and Disclosure

To provide clear, accessible information regarding services, fees, data usage, and dispute resolution. The following measures are implemented:-

1. Terms of Service:Clearly articulate terms and conditions, including fee structures, refund policies, and liability clauses, in plain language accessible to all users.
2. Privacy Notice:Disclose data collection, usage, storage, and sharing practices in compliance with the Digital Personal Data Protection Act, 2023.
3. Communication:Ensure timely updates on changes to policies, system outages, or security incidents via multiple communication channels.

Dispute Resolution

To provide an efficient mechanism for addressing customer complaints and disputes. The following measures are implemented:-

1. Complaint Management System:Maintain a formalized system to log, track, and resolve customer complaints within defined service level agreements (SLA), typically 5 business days.
2. Escalation Procedures:Define clear escalation paths from frontline support to higher management and, if necessary, external dispute resolution bodies.
3. Refund Policies:Implement fair and transparent refund processes compliant with RBI guidelines, ensuring timely reversal of erroneous or fraudulent transactions.
4. Documentation:Maintain records of all disputes and resolutions for audit and regulatory review.

Data Security and Privacy

To protect customer data and uphold privacy rights. The following measures are implemented:-

1. Data Minimization:Collect only essential customer information required for transaction processing and regulatory compliance.
2. Consent Management:Obtain explicit consent before data collection or processing, allowing customers to opt-out where feasible.
3. Access Rights:Facilitate customers' rights to access, correct, or delete their data in line with applicable laws.
4. Breach Notification:Promptly notify affected customers in case of any data breach impacting their information.

Risk Reporting

To ensure timely, accurate, and comprehensive risk information is communicated to all relevant stakeholders. The following measures are implemented:-

1. Internal Reporting:The Risk Management Committee shall receive monthly risk reports detailing risk exposures, incidents, compliance status, and remediation actions.
2. Board Reporting:The Board of Directors shall be provided with quarterly consolidated risk reports including key risk indicators (KRIs), emerging risks, and audit findings.
3. Regulatory Reporting:All regulatory reporting requirements, including incident notifications, audit certificates, and compliance attestations, must be submitted within prescribed timelines.
4. Ad Hoc Reporting:Significant incidents or material risks must be escalated immediately to senior management and regulators where applicable.

Audit and Review

To verify adherence to policies and identify areas for improvement. The following measures are implemented:-

1. Internal Audits:Conduct periodic internal audits covering operational, financial, IT, and compliance controls.
2. External Audits:Facilitate independent audits by regulators or accredited third parties, including PCI DSS and IT security assessments.
3. Findings and Actions:Document audit findings and ensure corrective action plans are developed, approved, and tracked to closure.

Policy Review and Updates

To maintain the relevance and effectiveness of the risk management policy. The following measures are implemented:-

1. Annual Review:The policy shall be reviewed at least annually by the Risk Management Committee and updated to reflect changes in the regulatory environment, business model, or risk landscape.
2. Change Management:Amendments to the policy require Board approval following recommendations from the Risk Management Committee.
3. Training and Communication:Updated policies must be communicated promptly to all employees, with mandatory training sessions where necessary.

TECHNOLOGY RISK MANAGEMENT

System Availability and Resilience

To minimize downtime and ensure continuous availability of payment processing services. The following measures are implemented:-

1. High Availability Architecture:Implement redundant systems, load balancing, and failover mechanisms across all critical components including servers, databases, and network infrastructure.
2. Disaster Recovery Plan (DRP):Develop and maintain a comprehensive DRP covering data backup, recovery procedures, and alternate site arrangements. The DRP shall be tested bi-annually.
3. Business Continuity Plan (BCP):Establish a BCP to maintain critical business functions during incidents, including clearly defined roles and communication protocols.
4. Incident Response:Maintain a formal incident response plan with defined escalation procedures, root cause analysis, and corrective actions.

Security of IT Infrastructure

To protect hardware, software, and network components against unauthorized access, malware, and other cyber threats. The following measures are implemented:-

1. Network Security:Deploy firewalls, intrusion detection/prevention systems (IDS/IPS), and secure gateways.
2. Endpoint Protection:Implement antivirus, anti-malware, and endpoint detection and response (EDR) solutions.
3. Patch Management:Apply security patches promptly according to a defined schedule, prioritizing critical vulnerabilities.
4. Asset Inventory:Maintain an updated inventory of IT assets with ownership and lifecycle details.

REPUTATIONAL RISK MANAGEMENT

Brand and Public Communication

To ensure consistent, transparent, and responsible communication with all stakeholders. The following measures are implemented:-

1. Communication Protocols:Establish clear guidelines for public statements, press releases, and social media interactions. Only authorized personnel may speak on behalf of the company.
2. Crisis Communication Plan:Develop a comprehensive plan outlining roles, responsibilities, and messaging strategies in the event of incidents impacting reputation.
3. Media Monitoring:Continuously monitor media channels, social media platforms, and online forums for mentions of the company to identify potential reputation issues early.
4. Response Time:Commit to timely responses to misinformation or negative publicity, providing factual clarifications where appropriate.

Customer Experience and Service Quality

To maintain high standards of service that support customer satisfaction and loyalty. The following measures are implemented:-

1. Service Level Agreements (SLAs):Define and monitor SLAs to ensure consistent transaction processing times, availability, and support responsiveness.
2. Customer Feedback:Implement mechanisms for collecting, analyzing, and acting upon customer feedback and complaints.
3. Continuous Improvement:Use customer insights to improve processes, products, and support services.

Incident and Issue Management

To manage operational or compliance incidents that could harm reputation. The following measures are implemented:-

1. Incident Reporting:All employees must promptly report incidents with potential reputational impact to senior management.
2. Root Cause Analysis:Conduct thorough investigations to identify root causes and implement corrective actions.
3. Transparency:Where appropriate, communicate incidents and remediation efforts openly with affected stakeholders and regulators.
4. Training:Regularly train employees on reputation risk awareness and the importance of adherence to company policies.

INSIDER AND EMPLOYEE RISK MANAGEMENT

Employee Screening and Background Checks

To ensure that individuals with access to sensitive systems and data are trustworthy and qualified. The following measures are implemented:-

1. Pre-Employment Checks:Conduct comprehensive background verification including identity, criminal record, employment history, and education credentials.
2. Periodic Re-Screening:For critical roles, perform periodic re-verification to detect any change in risk status.
3. Contractor Due Diligence:Extend screening procedures to contractors, consultants, and third-party service providers.

Access Management and Segregation of Duties

To limit insider risk by ensuring appropriate access controls and operational segregation. The following measures are implemented:-

1. Role-Based Access:Assign access strictly based on job functions, enforcing the principle of least privilege.
2. Segregation of Duties (SoD):Implement SoD to prevent any single individual from executing conflicting tasks (e.g., initiation and approval of transactions).
3. Periodic Access Reviews:Conduct regular reviews of user access rights and promptly revoke access when no longer required.

Employee Training and Awareness

To educate employees about security policies, ethical standards, and risk mitigation. The following measures are implemented:-

1. Mandatory Training:Conduct regular mandatory training on data protection, fraud prevention, and compliance requirements.
2. Code of Conduct:Enforce adherence to a documented Code of Conduct outlining expected behaviors and disciplinary actions for violations.
3. Whistleblower Program:Provide secure and confidential channels for employees to report suspicious activities or breaches without fear of retaliation.

Monitoring and Surveillance

To detect and prevent insider threats through proactive monitoring. The following measures are implemented:-

1. Activity Logging:Maintain detailed logs of user activities on critical systems for audit and forensic purposes.
2. Anomaly Detection:Use automated tools to identify unusual behaviours such as unauthorized data access or unusual transaction patterns.
3. Incident Investigation:Investigate all suspected insider incidents promptly with appropriate disciplinary or legal action.

REGULATORY CHANGE RISK MANAGEMENT

To maintain continuous awareness of new and updated regulations applicable to the payment gateway industry. The following measures are implemented:-

1. Dedicated Compliance Team:Assign responsibility to a specialized team to monitor regulatory developments issued by relevant authorities such as the Reserve Bank of India (RBI), Data Protection Authorities, and other financial regulators.
2. Subscription to Regulatory Alerts:Maintain subscriptions to official regulatory bulletins, industry associations, and legal advisories.
3. Regular Reviews:Conduct periodic reviews (monthly/quarterly) of regulatory updates to assess relevance and impact.

Impact Assessment

To evaluate the implications of regulatory changes on policies, processes, and technology. The following measures are implemented:-

1. Cross-Functional Assessment:Engage relevant departments—Legal, Compliance, IT, Risk, and Operations—to assess the impact of regulatory changes.
2. Risk and Compliance Gap Analysis:Identify gaps between current practices and new requirements, prioritizing areas requiring immediate attention.
3. Documentation:Maintain comprehensive records of assessments, decisions, and implementation plans.

Implementation and Compliance

To ensure timely incorporation of regulatory changes into organizational practices. The following measures are implemented:-

1. Policy Updates:Revise internal policies and procedures to comply with new regulations.
2. Systems Update:Collaborate with IT teams to modify systems, workflows, and controls as necessary.
3. Training and Communication:Conduct training sessions and communicate regulatory changes to affected employees and stakeholders.
4. Compliance Reporting:Ensure that all required filings, disclosures, and reports are submitted accurately and on time.

Regulatory Liaison

To maintain proactive engagement with regulatory authorities. The following measures are implemented:-

1. Regular Communication:Establish formal channels for communication with regulators, including participation in consultations and feedback sessions.
2. Audit and Inspection Preparedness:Prepare for regulatory audits or inspections by maintaining up-to-date documentation and compliance evidence.
3. Incident Reporting:Immediately report any regulatory breaches or incidents in accordance with prescribed timelines and procedures.

DATA GOVERNANCE AND RETENTION POLICIES

Data Classification and Ownership

To clearly define data categories and assign responsibility for data management. The following measures are implemented:-

1. Data Classification:Categorize data into defined levels such as Confidential, Sensitive, Internal Use, and Public based on sensitivity and regulatory requirements.
2. Data Ownership:Assign data owners for each data category responsible for defining access controls, quality standards, and compliance adherence.
3. Data Inventory:Maintain an up-to-date inventory of all data assets, including data sources, storage locations, and access permissions.

Data Access and Security

To protect data from unauthorized access, alteration, or destruction. The following measures are implemented:-

1. Access Controls:Enforce strict role-based access controls aligned with the data classification scheme.
2. Encryption:Apply encryption for data at rest and in transit using industry-standard cryptographic methods.
3. Data Masking and Anonymization:Utilize data masking or anonymization techniques where applicable, especially for non-production environments.
4. Data Loss Prevention (DLP):Implement DLP tools to detect and prevent unauthorized data exfiltration.

Data Retention and Disposal

To manage data lifecycle in accordance with legal, regulatory, and business requirements. The following measures are implemented:-

1. Retention Periods:Define minimum and maximum retention periods for each data category aligned with statutory requirements (e.g., RBI mandates) and business needs.
2. Regular Reviews:Conduct periodic reviews to identify data eligible for archival or disposal.
3. Secure Disposal:Employ secure deletion methods such as shredding, wiping, or degaussing to prevent data recovery.
4. Documentation:Maintain records of data destruction activities for audit purposes.

Data Quality and Integrity

To ensure accuracy, completeness, and reliability of data used for processing and decision-making. The following measures are implemented:-

1. Data Validation:Implement automated and manual controls to verify data accuracy upon collection and entry.
2. Error Handling:Define procedures for identifying, reporting, and rectifying data errors.
3. Audit Trails:Maintain comprehensive logs tracking data modifications, access, and transfers.
4. Backup and Recovery:Establish regular backup schedules and verify restore capabilities to prevent data loss.

Compliance with Data Privacy Laws

To uphold data privacy rights as mandated under applicable laws such as the Digital Personal Data Protection Act, 2023. The following measures are implemented:-

1. Consent Management:Ensure explicit, informed consent is obtained from data subjects prior to data collection and processing.
2. Data Subject Rights:Facilitate requests for data access, correction, portability, or deletion in a timely manner.
3. Breach Notification:Establish protocols for notifying authorities and affected individuals in the event of data breaches.
4. Privacy Impact Assessments:Conduct assessments for new projects or changes affecting personal data.