Effective date - October 30, 2025
Objective
This policy establishes a comprehensive framework for identifying, assessing, monitoring, and mitigating risks arising from the activities of INDmoney Global (IFSC) Private Limited (“INDmoney Global”) as a Global Access Provider (GAP) under the International Financial Services Centres Authority (IFSCA) framework. It ensures alignment with the requirements under Clauses 26, 30, and related provisions of the circular “Regulatory Framework for Global Access in the IFSC” and the IFSCA (Capital Market Intermediaries) Regulations, 2025.
Scope
This policy applies to:
Governance Structure
| Role | Responsibility |
|---|---|
| Board of Directors | Overall oversight of risk framework and annual review of this policy. |
| Principal Officer (PO) | Reporting to the Board of Directors, implementation of risk mitigation controls. |
| Compliance Officer | Ensures regulatory adherence, reporting to IFSCA, and coordination with internal/external auditors. Day-to-day risk monitoring. |
| Operations & Product Heads | Embed risk controls in trading, client onboarding, settlement, and technology systems. |
Risk Identification and Assessment
The Company identifies risks under three broad categories.
Category I: Customer and onboarding risks, which include incorrect KYC, failure to detect red-flagged customers, customers funding wallets from unauthorized accounts, and fraudulent activities involving identity theft.
Category II: Transaction and operational risks, which include customer funds stuck in SWIFT settlement, erroneous transfers, incorrect beneficiary crediting, and issues arising from 180-day flush-out requirements and suspense accounts.
Category III: Technology, cybersecurity, and third-party risks, including cyberattacks, vulnerabilities in third-party providers, and geographic or operational dependencies.
A risk register is maintained to classify risks as high, medium, or low, based on likelihood and impact ratings.
Risk Mitigation Measures
Risk mitigation measures include strengthening customer onboarding with automated AML and CFT screening, penny-drop verification, CKYC integration, and geo-tagging controls. Transaction controls are ensured by requiring dual authorisation for outward payments, automated transaction monitoring with red flag alerts, and validation of purpose codes for wallet credits.
Customer funds are safeguarded through segregation of applicable funds in nodal accounts, daily reconciliation of wallet balances, and adherence to regulatory guidelines.
Operational risks are mitigated by maintaining a Business Continuity Plan (BCP) and Disaster Recovery (DR) framework and by conducting periodic stress tests on liquidity and net worth. Cybersecurity resilience is maintained in accordance with IFSCA standards, while FATCA and CRS compliance (if applicable) is ensured through collection of tax residency declarations and timely regulatory reporting.
Risk Management of Third-Party Service Relationships
The Company evaluates the criticality of third-party services based on financial, operational, and strategic importance, substitutability, and sensitivity of shared data. Due diligence is carried out on the financial soundness, cybersecurity capabilities, internal controls, conflicts of interest, and geographic dependencies of third-party providers.
Contractual arrangements are put in place with binding clauses on information sharing and regulatory access. Ongoing monitoring ensures that third parties perform in line with contractual obligations, while exit strategies are documented to manage provider failure, breaches, or extended service disruptions.
Monitoring and Review
The Compliance Officer shall submit quarterly risk management reports to the Board. The Company ensures timely submission of all required returns and submissions to regulators. This Framework shall be reviewed annually, or earlier if necessitated by regulatory changes or material risk events, to ensure its continued effectiveness and alignment with regulatory expectations.