Code of Conduct
Introduction
Context
In the rapidly evolving regulatory landscape of the BFSI sector, Regulatory Technology (RegTech) plays a crucial role in ensuring compliance, and India has witnessed the emergence of several RegTech companies catering to the BFSI sector and beyond.
The RegTech companies are vital to compliance, so promoting and protecting their good practices and integrity is essential. In the past, the industry has also experienced suboptimal solutions, which bring risks to the clients it caters to. Currently, no specific regulations exist for RegTech products/services or companies. RegTech operates based on contractual terms with regulated entities (REs) and other FinTechs and adheres to applicable guidelines, including KYC, AML, and data protection. While various good practices have emerged, the absence of specific regulations calls for universal self-regulatory standards.
RegTech companies at FACE agree to adopt a self-regulatory Code to address this. It builds on existing regulatory norms and aims to improve individual and collective practices, thereby fostering stakeholder trust and improving the company's client experience, market outreach, and brand reputation. The Code reflects stakeholders' rights and guarantees FACE members' voluntary commitment to safeguarding customers/companies using RegTech solutions.
Coverage
All FACE members offering RegTech products or services must adhere to this Code and implement it within six months of its publication. Equally, we welcome industry stakeholders2 to adapt the Code. For any suggestions or clarifications, please email sro@faceofindia.org.
The Code does not substitute or override rights under various regulations and laws, which take precedence in the event of conflict. The Code does not cover other obligations companies may have, including multiple laws/regulations related to governance, reporting, human resources, technology, foreign investment, taxation, and corporate social responsibility.
The Code is subject to periodic updates by the FACE Board, incorporating feedback from members and stakeholders, to align with evolving regulations, market trends, and technologies, ensuring the Code maintains stewardship of responsible RegTech. Members will be notified of any changes in the Code with timelines for adherence. The Code can be reviewed anytime in exceptional circumstances, such as changes in applicable laws or regulatory mandates.
Code of Conduct
Engagement with government/regulatory authorities
- Monitor and adhere to all regulations that directly or indirectly apply to the companies regulated by financial sector regulators3 and government authorities. Please refer to Annexure 1 for relevant regulations4 . Regularly update internal policies and procedures to ensure compliance with these regulations.
- Be part of the FinTech repository and contribute accurate and timely information.
- Engage with regulatory and government authorities to ensure alignment with compliance and risk management expectations, and provide complete, accurate, and timely information as required.
- Contribute to regulatory and industry consultations/sandboxes/standards.
- Cooperate with regulators and government authorities during inspections by allowing access to IT infrastructure, applications, data, documents, and other necessary information given to, stored or processed by the company and/or its sub-contractors as applicable to the scope of the investigation.
Responsible innovation
- Understand the client’s5 compliance needs to provide suitable and professional services.
- Validate models6 as per the robust, documented internal processes to mitigate biases and ensure reliable, fair, and robust outcomes across diverse use cases. Implement AI models that are explainable, contestable, protect human agency, and are accountable with periodic reviews and impact assessments after deployment.
- Conduct thorough risk assessments of solutions before implementation, ensuring alignment with industry best practices and regulatory expectations.
- Disclose key performance indicators and limitations of the RegTech solutions to the client.
Data Privacy & Security
- Secure sensitive data with encryption, access controls, and regular audits.
- Support and ensure your clients take explicit consent7 for data collection, processing, and sharing, as mandated under applicable data protection laws.
- Develop clear, concise internal policies that comply with India’s data protection laws, sectoral regulations, focusing on obtaining user consent, managing data retention, and handling sensitive personal data.
- Get relevant certifications. Please refer to Annexure 2 for relevant certifications.
- Maintain customer and client data confidentiality if serving multiple clients and sharing data with service providers. Ensure compliance with data localisation and data protection guidelines, as applicable.
- Establish a clear process for reporting and resolving security incidents, data breaches, misuse, or system failures. Conduct third-party audits of security systems.
Partnerships
- Conduct due diligence on partnerships, both upstream8 and downstream.
- Thoroughly assess the service provider, including, but not limited to, financial stability, infrastructure, IT & cybersecurity, reputation, and compliance history. It should also include the ability to handle scale-up, past performance with similar businesses, a business continuity and disaster recovery plan, and previous security breaches.
- Execute a legally binding agreement with the parties in the value chain covering development, management or operation of APIS/solutions/services, not compromising the integrity, confidentiality, or compliance of the Reg-Tech services. Outline parties' roles, responsibilities, and expectations with details on activities, service levels, data handling, security protocols, and compliance obligations.
- Take steps to ensure that the service providers employ the same high standard of care in performing the services as the company would have.
- Ensure that the partners (clients or service providers) handle data (use, sharing, retention, destruction) in compliance with applicable data protection laws. This shall apply from the origination to the end use of data.
- Establish a clear chain of responsibility for failures/issues by third-party dependencies.
- Develop clear guidelines for data storage/computing/movement in a cloud environment.
- Implement controls to prevent unauthorised disclosure of confidential data within the company and service providers.
- Follow local laws/standards as applicable, if operating in a jurisdiction other than India.
Transparency & Accountability
- Engage in fair, transparent9, and ethical business practices with all stakeholders, including clients, partners, and regulators.
- Identify, disclose, and appropriately manage conflicts of interest in all business dealings.
- Maintain transparent pricing structures and clearly outline service terms.
- Maintain records and audit trails demonstrating compliance with regulatory requirements and industry practices.
- Develop a robust framework to monitor and control performance, adherence to Service Level Agreements, and incident reporting mechanisms.
Employee training & conduct
- Regularly train employees on relevant laws and industry standards (e.g. data privacy, IT & cybersecurity, AI). Foster a culture of compliance, integrity, and ethical behaviour within the company.
- Establish mechanisms10 for employees to report misconduct or non-compliance without fear of retaliation.
Grievance redressal
- Provide accessible channels for stakeholders (clients, customers, employees) to report grievances. This includes email, phone lines, and dedicated web portals with process and escalation metrics.
- Establish precise and efficient systems for promptly and transparently resolving customers' and clients' complaints and regulatory queries.
- Review and improve grievance redressal processes and escalation matrix to ensure effectiveness and adherence to best practices.
- Report all grievances about regulatory non-compliance and data breaches to the relevant authorities.
Adherence framework
Companies
- Inform and create awareness amongst the board, employees, clients and partners/service providers about the commitment to the Code.
- Ensure that all policies, processes, tech stacks, and systems align with the Code's norms and promptly vet any changes for adherence to standards.
- Implement internal monitoring systems to ensure adherence to the Code and share the report with Senior management and the Board.
- Train employees on the Code to ensure understanding and commitment and inculcate a culture of adherence to the Code.
- Display adherence to the Code in public11 and private communications to clients and other stakeholders as a trust mark to showcase that the company is committed to adhering to the Code.
FACE
- As per the FACE Article of Association (AoA), members must abide by the Code as it applies to them.
- As necessary, FACE may ask a member for self-certification and undertaking of adherence to the Code.
- Each Member will designate a PoC with FACE to take responsibility for the Code, including dissemination and awareness within the company, clarification, compliance, and response to questions related to non-adherence to the Code.
- The FACE SRO Oversight & Enforcement Committee will examine the evidence12 of non-adherence to the Code by Members and act as per the process13 laid out by the Board.
Annexures
Annexure 1: Relevant regulations
- Master Direction on Outsourcing of Information Technology Services
- Information Technology Act, 2000
- Master Direction - Know Your Customer (KYC) Direction, 2016
- Aadhaar Act, 2016
- DPDP Rules, 2025
- Prevention of Money Laundering Act, 2002
- CFT-AML
- Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs Conduct outsourcing
Annexure 2: Relevant certifications
| Sl no | Certifications | Requirement |
|---|---|---|
| 1 | ISO/IEC 27001:2013 (Information Security Management) | For securing information and data systems. Required for RegTech companies dealing with sensitive financial or personal data. |
| 2 | ISO 22301 (Business Continuity Management) | Often mandated for companies handling critical financial infrastructure or working with banks/insurance. |
| 3 | SOC 2 Type II (System and Organisation Controls) | Especially relevant for SaaS-based RegTech companies; important for working with global or enterprise clients. |
| 4 | PCI DSS (Payment Card Industry Data Security Standard) | Needed if the companies handle or process payment card data. |
| 5 | CERT-In Audits | For cybersecurity |
