Setting up a Fund Management Entity (FME) in an International Financial Services Centre is often viewed as a licensing or capital adequacy exercise. In reality, however, the more enduring test of regulatory compliance lies in the internal governance architecture of the entity. The IFSCA (Fund Management) Regulations, 2025 do not present a single annexure titled “Mandatory Policies,” yet the combined reading of Chapter II (Eligibility and Key Personnel), Chapter VIII (General Obligations and Responsibilities), and the Third Schedule (Code of Conduct and Fiduciary Duties) leaves little room for ambiguity. The Authority’s expectation is clear — an FME must function through documented systems, written procedures, and institutional controls, not through informal practices or individual discretion.
What follows is therefore not merely a best-practice checklist but a regulatory interpretation of the minimum policy framework that an IFSC-based fund management entity is expected to maintain.
Regulatory Expectation, Board Oversight, and IFSCA’s Supervisory Power
It is important to appreciate that these internal policies are not optional governance embellishments; they flow directly from the regulatory architecture of the Fund Management Regulations themselves. The IFSCA’s approach is principle-based but enforcement-driven. Under Chapter VIII dealing with general obligations, maintenance of records, risk management, business continuity, cyber resilience, and codes of conduct, the Authority places a continuous obligation on the FME — not a one-time filing requirement. This means the expectation is not merely that policies exist on paper, but that they are formally approved at the board or fiduciary level, periodically reviewed, and readily available at all times.
From a supervisory perspective, IFSCA possesses broad inspection, information-seeking, and compliance-verification powers. During inspections or regulatory queries, the absence of a documented and board-approved policy framework may not be treated as a minor administrative lapse; it is viewed as a governance deficiency indicating systemic non-compliance risk. In practical regulatory experience, the Authority does not ask whether an entity “intended” to comply — it examines whether the entity can produce, demonstrate, and evidence compliance through written policies, internal approvals, and implementation trails.
Accordingly, these policies operate as mandatory compliance instruments embedded within the regulations, even where the word “policy” is not expressly repeated in every clause. The obligation arises from duties imposed on the FME, its directors, principal officer, compliance officer, and fiduciaries to maintain risk systems, internal controls, investor protection mechanisms, and record-keeping structures. A board-approved policy serves as proof that the entity has institutionalised these duties rather than leaving them to informal practice.
Therefore, for an IFSC FME, the regulatory expectation is twofold: first, that the relevant internal policies exist in documented form; and second, that they are approved, accessible, and actively implemented. Failure to maintain such readily demonstrable policies can expose the entity to regulatory observations, directions for corrective action, or heightened scrutiny, all of which translate into tangible regulatory risk. In essence, the regulations convert internal policy frameworks from discretionary governance tools into structural compliance requirements integral to the entity’s licence to operate. With this regulatory foundation in place, the discussion now moves from the broader expectation of governance to the specific internal policies through which an FME demonstrates ongoing and tangible compliance in practice. Each of these policies is not merely a procedural formality but a direct reflection of duties embedded within the regulations themselves.
Compliance Policy and Regulatory Monitoring Framework
The requirement of a Compliance Policy flows implicitly yet unmistakably from Regulation 7 of the IFSCA (Fund Management) Regulations, 2025, read in conjunction with the Third Schedule, Part C dealing with the obligations of the Principal Officer and Compliance Officer. The regulation mandates the appointment of a Designated Compliance Officer who is entrusted with responsibilities such as monitoring adherence to applicable laws and circulars, ensuring maintenance of statutory records, supervising internal trade conduct, and addressing investor grievances. These obligations, by their very nature, cannot be fulfilled through informal or ad-hoc processes; they necessitate a structured and written compliance framework approved at the organisational level.
In practical terms, this policy operates as the institutional memory and control centre of the FME. It establishes reporting hierarchies, defines review and audit frequencies, prescribes escalation thresholds for non-compliance, and sets out mechanisms for tracking and implementing regulatory updates issued by the Authority. More importantly, it ensures that compliance is embedded into operational routines rather than being dependent on the vigilance or interpretation of individual officers. Over time, the Compliance Policy becomes the instrument through which regulatory intent is translated into measurable daily behaviour, providing both the board and the regulator with demonstrable evidence that adherence to law is systemic, continuous, and actively supervised rather than assumed. Yet governance under the Fund Management Regulations does not end with legal conformity alone; the framework deliberately extends beyond compliance and requires the entity to institutionalise foresight and prudence in its decision-making structures, which logically leads to the next critical pillar — a formal and documented risk management framework.
Risk Management Policy
The requirement to maintain a Risk Management Policy arises expressly from Chapter VIII of the IFSCA (Fund Management) Regulations, 2025, which obligates every Fund Management Entity to establish a sound risk management system and internal control structure commensurate with its activities. Unlike several governance expectations that are inferred from broader duties, this obligation is articulated in direct and affirmative terms, leaving little scope for interpretational flexibility. The Authority does not mandate a uniform template, yet the expectation is unmistakable — risks must be systematically identified, evaluated, mitigated, and periodically reviewed through a documented methodology capable of withstanding supervisory scrutiny.
In practical operation, a well-constructed risk policy evolves beyond a theoretical enumeration of risks and becomes an active decision-support framework influencing investment conduct and operational discipline. It typically addresses market volatility, liquidity exposure, operational failures, credit and counter-party dependencies, and leverage thresholds, while also incorporating reputational considerations and technological vulnerabilities that increasingly shape fund management outcomes. Crucially, the regulatory philosophy here is one of proportionality rather than uniformity. The Authority does not expect identical risk structures across all FMEs; instead, it expects the sophistication, review frequency, and depth of controls to align with the size, complexity, and nature of schemes being managed. In effect, the Risk Management Policy serves as demonstrable evidence that prudence is embedded within the entity’s investment architecture and that risk oversight is continuous, deliberate, and institutionally anchored rather than reactive or incidental. Yet, even the most sophisticated risk framework cannot fully safeguard investor interests if decision-making itself is exposed to competing loyalties or undisclosed affiliations. It is for this reason that the regulations move beyond operational prudence and place equal emphasis on the management of conflicts, thereby introducing the necessity of a formal Conflict of Interest Policy.
Conflict of Interest Policy
The obligation to maintain a Conflict of Interest Policy arises explicitly from Part D of the Third Schedule to the IFSCA (Fund Management) Regulations, 2025, which requires Fund Management Entities to establish and implement written policies and procedures to identify, monitor, disclose, and appropriately mitigate conflicts throughout the scope of their business. Unlike several other governance expectations that are inferred from broader fiduciary duties, this requirement is articulated in express and written terms, underscoring the Authority’s recognition that unmanaged conflicts can erode investor confidence even in otherwise compliant structures. The regulatory concern is particularly acute in environments where an FME may manage multiple schemes, engage related parties, or operate alongside advisory and portfolio management functions that create overlapping interests.
In practical application, a well-designed conflict policy serves both as a control mechanism and as a transparency instrument. It typically defines disclosure norms for related-party transactions, prescribes arm’s-length standards in dealings between schemes and affiliates, and establishes procedural safeguards for managing overlapping or competing interests. More than a technical compliance document, the policy reassures investors and regulators alike that investment decisions are guided by fiduciary judgment rather than internal or group-level considerations. Over time, it becomes an institutional safeguard that reinforces objectivity, preserves credibility, and demonstrates that governance is not only procedurally sound but also ethically anchored. However, ethical objectivity and conflict transparency alone do not address another equally critical regulatory concern — the integrity of financial flows entering and exiting the fund structure. Consequently, the regulatory framework extends further to require institutional safeguards against misuse of the financial system itself, which brings into focus the necessity of a comprehensive AML and Counter-Terror Financing policy.
AML / CFT Policy (Anti-Money Laundering and Counter-Terror Financing)
The obligation to maintain an AML / CFT Policy emerges from the combined reading of the Code of Conduct provisions in the Third Schedule and the record-maintenance and reporting obligations contained in Chapter VIII of the IFSCA (Fund Management) Regulations, 2025. While the regulations may not isolate AML in a standalone chapter within the fund management framework, they unmistakably require FMEs to demonstrate adherence to applicable Anti-Money Laundering and Counter-Terror Financing norms through documented procedures, verifiable due-diligence mechanisms, and evidentiary record trails. This expectation naturally translates into the necessity of a structured internal policy addressing investor onboarding protocols, beneficial ownership verification, ongoing transaction monitoring, reporting of suspicious activities, and retention of supporting documentation in retrievable formats.
Within the IFSC ecosystem, the significance of this policy extends beyond regulatory conformity into commercial credibility. Banking partners, custodians, correspondent institutions, and international investors routinely evaluate the robustness of an FME’s AML framework before entering into operational relationships. A well-articulated AML / CFT policy therefore functions not only as a compliance instrument but also as a market-confidence signal, indicating that the entity possesses both procedural discipline and institutional maturity. Over time, it becomes a cornerstone of reputational stability, evidencing that the FME’s governance architecture is capable of safeguarding not merely investor interests but also the integrity of the broader financial system in which it operates. Yet safeguarding the integrity of financial inflows is only one aspect of investor protection; the regulations equally recognise that investor confidence ultimately rests on the fairness and transparency with which portfolio values are determined and communicated. This naturally leads to the necessity of a formal Valuation and NAV Computation Policy.
Valuation and NAV Computation Policy
The requirement for a Valuation and NAV Computation Policy flows from repeated references within the Sixth Schedule and various scheme-level disclosure and valuation obligations under the IFSCA (Fund Management) Regulations, 2025. The regulatory emphasis is consistent and unmistakable — asset valuation methodologies must be documented, applied uniformly, independently verified where required, and periodically reviewed. In effect, the framework leaves little room for informal or discretionary valuation practices, making a structured written policy practically unavoidable. Such a policy typically establishes asset valuation hierarchies, defines engagement criteria for independent valuers or fund administrators, prescribes frequency and methodology for NAV computation, and outlines audit and verification procedures to ensure consistency and accountability.
Beyond technical precision, the valuation policy serves a deeper reputational and fiduciary purpose. Transparent and consistently applied valuation standards reduce the likelihood of investor disputes, strengthen the credibility of disclosures, and reinforce the perception that portfolio pricing is governed by objective methodology rather than subjective discretion. Over time, this policy becomes a visible indicator of fairness within the fund structure, assuring both regulators and investors that value determination is not merely accurate but also impartial, repeatable, and institutionally controlled. However, accurate valuation and disclosure frameworks alone cannot guarantee investor protection if the entity itself is vulnerable to operational breakdowns or unforeseen disruptions. Recognising this, the regulatory architecture extends beyond financial transparency to demand structural resilience, thereby introducing the requirement of a formal Business Continuity Plan.
Business Continuity Plan (BCP)
The obligation to maintain a Business Continuity Plan (BCP) arises expressly from Regulation 121 under Chapter VIII of the IFSCA (Fund Management) Regulations, 2025, making it one of the few areas where the regulation leaves virtually no interpretational flexibility. The Authority mandates that every Fund Management Entity must document clear procedures for addressing emergencies and significant operational disruptions, conduct periodic reviews — typically on an annual basis — and update the plan whenever there is a material change in the entity’s operations, organisational structure, or physical location. This requirement signals that continuity planning is not a one-time compliance submission but a living governance instrument that must evolve alongside the entity’s business model.
In practical application, a well-designed BCP functions as the resilience blueprint of the organisation. It addresses contingencies ranging from technology outages and cyber incidents to natural disasters, key-person dependency risks, and infrastructure failures. For fund managers entrusted with investor assets across multiple jurisdictions and time zones, operational continuity is not merely an IT or administrative safeguard; it becomes a direct extension of fiduciary responsibility. The presence of a tested and regularly updated BCP reassures regulators and investors alike that the entity is capable of sustaining critical functions even under stress conditions, thereby preserving market confidence and preventing operational disruptions from translating into investor harm. Yet operational continuity alone does not fully address the vulnerabilities inherent in a digitally driven financial ecosystem. As fund management activities increasingly rely on interconnected systems, data flows, and automated execution environments, the regulatory focus logically expands from continuity of operations to protection of digital infrastructure itself, giving rise to the necessity of a dedicated Cyber Security and Cyber Resilience Policy.
Cyber Security and Cyber Resilience Policy
The obligation to maintain a Cyber Security and Cyber Resilience Policy flows directly from Regulation 122 under Chapter VIII of the IFSCA (Fund Management) Regulations, 2025, which requires every Fund Management Entity to establish a robust cyber security framework in accordance with standards specified by the Authority from time to time. This requirement reflects the recognition that technological infrastructure is no longer a supporting function but a core operational pillar of fund management. Consequently, compliance is not limited to installing technical safeguards; it demands a documented and institutionally approved policy that defines data protection protocols, access and authentication controls, incident response mechanisms, vendor and third-party risk assessments, and integration with the broader disaster recovery and business continuity architecture.
Increasingly, regulatory interpretation treats cyber preparedness not as a purely IT responsibility but as an extension of fiduciary duty. Digital vulnerabilities — whether arising from data breaches, unauthorised access, or system manipulation — have the potential to directly affect investor assets, confidentiality, and market integrity. A structured cyber resilience policy therefore functions as both a defensive and a confidence-building instrument, demonstrating that the entity is capable of anticipating, detecting, and responding to technological threats in a systematic and accountable manner. Over time, it becomes a visible assurance that the FME’s governance framework extends beyond financial prudence into the protection of the digital environments through which modern fund management operates. However, technological safeguards and operational resilience, while critical, do not by themselves guarantee disciplined decision-making or accountability within the organisation. The regulatory framework therefore moves a step further to emphasise the structural architecture through which authority is exercised, monitored, and reviewed — giving rise to the necessity of a clearly articulated Internal Controls and Governance Framework.
Internal Controls and Governance Framework
The expectation of maintaining a structured Internal Controls and Governance Framework emerges from the combined reading of the fiduciary obligations set out in the Third Schedule and the broader internal control requirements embedded within Chapter VIII of the IFSCA (Fund Management) Regulations, 2025. Although the regulations may not always label this requirement under a single policy heading, the cumulative effect of these provisions unmistakably requires FMEs to institutionalise mechanisms that ensure segregation of scheme assets, arm’s-length functioning between related activities, periodic oversight by fiduciaries, and demonstrable internal accountability. The emphasis is not merely on outcomes but on the presence of documented systems that govern how decisions are made, reviewed, and corrected when necessary.
In practical implementation, FMEs typically translate these expectations into a comprehensive governance document or internal control manual that defines board and committee oversight mechanisms, audit and review structures, segregation protocols for funds and information, delegation matrices, and decision-making hierarchies. This framework ensures that governance is institutional rather than personality-centric, reducing reliance on individual discretion and strengthening organisational continuity. Over time, it becomes a foundational instrument that reassures regulators and investors alike that accountability is structurally embedded within the entity, and that oversight is continuous, transparent, and capable of withstanding both operational stress and regulatory examination. Yet even the most robust governance architecture cannot function effectively without reliable documentation and traceability of actions. Recognising this, the regulatory framework places significant emphasis on systematic record-keeping and preservation of information, thereby introducing the need for a structured Books, Records, and Document Retention Policy.
Books, Records, and Document Retention Policy
The obligation to maintain a Books, Records, and Document Retention Policy flows directly from Regulation 119 under Chapter VIII of the IFSCA (Fund Management) Regulations, 2025, which prescribes explicit timelines and formats for maintaining financial, transactional, and investor-related documentation. The regulation is unusually specific in this regard, generally requiring operational and accounting records to be preserved for a minimum of eight years and scheme-specific records to be retained for at least five years following the winding-up of the scheme. Such precision effectively transforms record maintenance from a procedural expectation into a formal compliance mandate, making a documented retention policy practically unavoidable.
In practical application, this policy establishes standards for physical and electronic storage, defines retrieval protocols to ensure accessibility during inspections, and sets out controlled destruction procedures once statutory timelines expire. Beyond satisfying regulatory audits, a well-structured retention framework contributes significantly to operational efficiency by promoting uniform documentation practices across departments. Over time, it becomes an institutional safeguard that enhances transparency, reduces informational ambiguity, and ensures that the entity’s historical decisions and financial trails remain verifiable, thereby reinforcing both regulatory confidence and internal accountability. Yet documentation and traceability, while critical for transparency, must ultimately be supported by an organisational culture that values integrity and fairness in decision-making. It is this cultural and ethical dimension that the regulations seek to institutionalise through the requirement of a formal Code of Conduct and Ethics Policy.
Code of Conduct and Ethics Policy
The expectation of maintaining a Code of Conduct and Ethics Policy arises from the Code of Conduct provisions contained in the Third Schedule of the IFSCA (Fund Management) Regulations, 2025, which lay down behavioural and professional standards applicable to Fund Management Entities, fiduciaries, principal officers, compliance officers, and other key personnel. While the regulations articulate these principles at a normative level, most FMEs translate them into a written internal policy to ensure clarity, uniform understanding, and enforceability across the organisation. This document typically reinforces expectations of integrity, fair dealing, professional judgment, confidentiality, avoidance of misleading or exaggerated claims, and adherence to fiduciary responsibility in all interactions with investors and market participants.
From an investor’s perspective, the Code of Conduct functions as a public declaration of institutional values and ethical orientation. From a regulator’s standpoint, it serves as demonstrable evidence that ethical governance is not left to presumption or individual discretion but is formally embedded within organisational systems. Over time, such a policy evolves beyond a compliance artefact into a cultural anchor — shaping behaviour, guiding internal accountability, and signalling that the entity’s governance framework is designed not merely to comply with rules, but to uphold the spirit of fiduciary responsibility that underpins the fund management ecosystem.
Concluding Perspective
Taken together, these policies form the structural foundation of a compliant IFSC Fund Management Entity. The IFSCA (Fund Management) Regulations, 2025 deliberately avoid rigid templates, yet their cumulative effect unmistakably signals that documented governance systems are mandatory in substance even where not named in form. An FME that approaches policy development as a strategic exercise rather than a procedural obligation invariably builds stronger investor confidence, smoother regulatory relationships, and a more resilient operational framework. In the IFSC environment, internal policies are not mere compliance artefacts — they are the architecture through which fiduciary responsibility is demonstrated and sustained.
That said, mature governance does not end at the boundary of what is expressly or implicitly mandated. In practice, regulators, investors, and institutional partners often evaluate an FME not only on minimum compliance but also on the depth of its voluntary governance ecosystem. Consequently, while the regulations may not explicitly compel certain additional policies, industry practice and supervisory expectations increasingly position them as strongly recommended extensions of prudent fund management.
Among these, an Information Security and Data Privacy Policy is frequently adopted to complement cyber-resilience frameworks by addressing data classification, cross-border data handling, confidentiality obligations, and employee data-access controls in greater granularity. Similarly, a Whistleblower or Vigil Mechanism Policy provides internal channels for reporting misconduct or ethical breaches, thereby strengthening early-warning governance and reinforcing the credibility of the Code of Conduct in practical terms rather than symbolic ones. It is important to note, however, that a Cyber Security and Cyber Resilience Policy is not synonymous with an Information Security or Data Privacy Policy, even though the two are often read together or incorporated within a unified framework. A Cyber Security and Cyber Resilience Policy is primarily infrastructure-oriented and flows directly from Regulation 122, focusing on safeguarding technological systems, network integrity, access controls, incident-response protocols, and business-continuity or disaster-recovery mechanisms. An Information Security or Data Privacy Policy, by contrast, is data-oriented and governs how sensitive information is classified, processed, stored, transmitted, retained, and ultimately disposed of. In essence, the former protects the digital environment and operational stability mandated under the regulations, while the latter protects the confidential content and privacy interests that reside within that environment and addresses reputational and confidentiality risks beyond pure system security.
Many FMEs also implement a Vendor and Third-Party Risk Management Policy, recognising that outsourced administrators, technology vendors, custodians, and research partners can introduce indirect regulatory or operational risks. By formalising due-diligence standards and monitoring protocols for external service providers, the entity demonstrates that accountability extends beyond its immediate organisational perimeter. In a similar vein, a Training and Competency Development Policy ensures that employees and key personnel remain updated on regulatory developments, market practices, and risk awareness, thereby embedding compliance culture into human capital rather than limiting it to documentation.
Another commonly adopted instrument is an Environmental, Social, and Governance (ESG) or Responsible Investment Policy, particularly for FMEs managing international or institutional capital. While not mandated, such a policy increasingly influences investor perception and aligns the entity with global fiduciary trends. Likewise, a Media and Communications Policy helps regulate external disclosures, investor communications, and public statements, reducing reputational and misrepresentation risks.
These additional policies may not arise from explicit regulatory clauses, yet they serve as governance multipliers — strengthening transparency, reinforcing ethical culture, and demonstrating managerial foresight. In effect, while the mandatory policies establish the minimum threshold for lawful operation, these recommended policies elevate the entity from mere compliance to institutional excellence. Within the IFSC ecosystem, such voluntary frameworks often become the differentiating factor between entities that are simply licensed to operate and those that are demonstrably prepared to operate with sustained credibility and long-term investor trust.
About the Author
Prashant Kumar is a Company Secretary and published author who advises financial services businesses, investment platforms, and cross-border entities on corporate governance, regulatory compliance, policy architecture, and IFSCA compliance and regulations. He regularly works with IFSC-based institutions, fund managers, startups, and advisory firms on designing defensible compliance frameworks and board-approved governance structures.
He assists Fund Management Entities and investment platforms in the preparation, review, and implementation of key mandatory internal policies under the IFSCA regulatory framework — including compliance manuals, risk management systems, AML/CFT frameworks, cyber resilience structures, valuation policies, and governance documentation — with the objective of ensuring regulatory defensibility, inspection readiness, and minimisation of enforcement risk. His approach focuses not merely on documentation, but on creating practical, implementable policy ecosystems that withstand supervisory scrutiny and align with operational realities.
He can be reached at +91 9821008011 for professional consultations and policy advisory.
Further Reading
For a broader perspective on how internal policy frameworks function within the IFSC regulatory ecosystem, you may also find the article “Mandatory Policies for Investment Bankers in IFSC India” useful: https://csatwork.in/mandatory-policies-investment-bankers-ifsc-india/
While that article is tailored to investment banking participants in an IFSC context, many of the governance principles it discusses — such as documented compliance systems, internal controls, risk management, and ethical frameworks — are highly relevant to Fund Management Entities as well. It examines how similar regulatory expectations translate into policy requirements in adjacent financial services sectors, creating useful points of comparison and reinforcing why FMEs should view their own policy obligations as part of a broader institutional governance architecture rather than isolated compliance tasks.
Reading across both pieces can help fund managers and compliance professionals develop a more holistic understanding of how IFSC regulators view internal policy frameworks, and how these policies work together to support institutional integrity, accountability, and operational resilience in a competitive international financial environment.