This Code of Conduct outlines the principles and guidelines that govern Kissht's operations, including engagement with regulatory authorities, responsible innovation practices, data privacy and security measures, partnership management, transparency standards, employee conduct, and grievance redressal mechanisms.
Regulatory Adherence: Monitor and adhere to all regulations that directly or indirectly apply to the companies regulated by financial sector regulators and government authorities. Please refer to Annexure 1 for relevant regulations. Regularly update internal policies and procedures to ensure compliance with these regulations.
FinTech Repository Participation: Be part of the FinTech repository and contribute accurate and timely information.
Regulatory Engagement: Engage with regulatory and government authorities to ensure alignment with compliance and risk management expectations, and provide complete, accurate, and timely information as required.
Industry Contribution: Contribute to regulatory and industry consultations/sandboxes/standards.
Inspection Cooperation: Cooperate with regulators and government authorities during inspections by allowing access to IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the company and/or its sub-contractors as applicable to the scope of the investigation.
Client Compliance Understanding: Understand the client's compliance needs to provide suitable and professional services.
Model Validation and AI Implementation: Validate models as per the robust, documented internal processes to mitigate biases and ensure reliable, fair, and robust outcomes across diverse use cases. Implement AI models that are explainable, contestable, protect human agency, and are accountable with periodic reviews and impact assessments after deployment.
Risk Assessment: Conduct thorough risk assessments of solutions before implementation, ensuring alignment with industry best practices and regulatory expectations.
Solution Transparency: Disclose key performance indicators and limitations of the RegTech solutions to the client.
Data Security: Secure sensitive data with encryption, access controls, and regular audits.
Consent Management: Support and ensure that clients obtain explicit consent for data collection, processing, and sharing, as mandated under applicable data protection laws.
Internal Policy Development: Develop clear, concise internal policies that comply with India's data protection laws and sectoral regulations, focusing on obtaining user consent, managing data retention, and handling sensitive personal data.
Certifications: Get relevant certifications. Please refer to Annexure 2 for relevant certifications.
Data Confidentiality: Maintain customer and client data confidentiality if serving multiple clients and sharing data with service providers. Ensure compliance with data localisation and data protection guidelines, as applicable.
Incident Management: Establish a clear process for reporting and resolving security incidents, data breaches, misuse, or system failures. Conduct third-party audits of security systems.
Partnership Due Diligence: Conduct due diligence on partnerships, both upstream and downstream.
Service Provider Assessment: Thoroughly assess the service provider, including, but not limited to, financial stability, infrastructure, IT & cybersecurity, reputation, and compliance history. It should also include the ability to handle scale-up, past performance with similar businesses, a business continuity and disaster recovery plan, and previous security breaches.
Legal Agreements: Execute a legally binding agreement with the parties in the value chain covering the development, management or operation of APIs/solutions/services, without compromising the integrity, confidentiality, or compliance of the RegTech services. Outline the parties' roles, responsibilities, and expectations with details on activities, service levels, data handling, security protocols, and compliance obligations.
Service Standards: Take steps to ensure that the service providers employ the same high standard of care in performing the services as the company would have.
Partner Data Compliance: Ensure that the partners (clients or service providers) handle data (use, sharing, retention, destruction) in compliance with applicable data protection laws. This shall apply from the origination to the end use of data.
Responsibility Chain: Establish a clear chain of responsibility for failures/issues by third-party dependencies.
Cloud Environment Guidelines: Develop clear guidelines for data storage/computing/movement in a cloud environment.
Confidentiality Controls: Implement controls to prevent unauthorised disclosure of confidential data within the company and service providers.
International Operations: Follow local laws/standards as applicable, if operating in a jurisdiction other than India.
Ethical Business Practices: Engage in fair, transparent, and ethical business practices with all stakeholders, including clients, partners, and regulators.
Conflict of Interest Management: Identify, disclose, and appropriately manage conflicts of interest in all business dealings.
Transparent Pricing: Maintain transparent pricing structures and clearly outline service terms.
Record Maintenance: Maintain records and audit trails demonstrating compliance with regulatory requirements and industry practices.
Performance Monitoring Framework: Develop a robust framework to monitor and control performance, adherence to Service Level Agreements, and incident reporting mechanisms.
Employee Training: Regularly train employees on relevant laws and industry standards (e.g. data privacy, IT & cybersecurity, AI). Foster a culture of compliance, integrity, and ethical behaviour within the company.
Misconduct Reporting Mechanisms: Establish mechanisms for employees to report misconduct or non-compliance without fear of retaliation.
Accessible Reporting Channels: Provide accessible channels for stakeholders (clients, customers, employees) to report grievances. This includes email, phone lines, and dedicated web portals with process and escalation metrics.
Complaint Resolution Systems: Establish precise and efficient systems for promptly and transparently resolving customers' and clients' complaints and regulatory queries.
Process Review and Improvement: Review and improve grievance redressal processes and escalation matrix to ensure effectiveness and adherence to best practices.
Regulatory Reporting: Report all grievances about regulatory non-compliance and data breaches to the relevant authorities.
Email: [email protected]
Location: Mumbai, Maharashtra
This Code of Conduct references: