Operations Edition · April 2026

ZippCRM
Operations Manual

The complete operational guide for compliance managers, billing teams, and senior operators. This manual covers every module not included in the standard Training Manual — the 12-module compliance engine, governance controls, KYC, DPDP, eSign, billing, penalty tracking, analytics, and automation.

Target AudienceCompliance managers, billing ops, senior associates, system admins
Companion ToZippCRM Training Manual (front-office modules)
Regulators CoveredRBI · SEBI · IRDAI · MCA · PFRDA · FEMA
VersionPhase 5 Complete · All Compliance Modules Active
Chapter 1

Return Filings Tracker

The Return Filings Tracker is the operational heart of ZippCRM's compliance engine. Every scheduled regulatory return — RBI, SEBI, IRDAI, MCA, PFRDA, FEMA — is tracked here from creation to acknowledgement. Late filings generate Risk Alerts automatically.

Understanding Filing Statuses

StatusMeaningAction Required
PendingFiling is scheduled, not yet startedAssign to a team member before the due date
In ProgressPreparation underwayMonitor — ensure client documents are available
OverdueDue date passed, not filedEscalate immediately — penalty clock is running
FiledSubmitted to regulatorUpload acknowledgement / proof of filing
AcknowledgedRegulator confirmation receivedNone — record complete

Creating a New Return Filing

1

Click Return Tracker in the Compliance Ops sidebar

The Return Filings list shows all filings across all clients. Use the filters at the top to narrow by client, regulator, status, or due date range.

2

Click "+ New Filing"

The filing form opens. Select the Client, Project (the project this filing belongs to), Return Type (e.g., NBS-1, NBS-2, ALM, CRILC, XBRL), Regulator, and Period (quarter / month / year).

3

Set Due Date and Frequency

Enter the statutory due date for the return. For repeating returns (e.g., monthly NBS-1), set frequency to Monthly — ZippCRM will auto-generate future filings on save.

4

Assign to a team member

Select the responsible Assignee from your team. They will receive an in-app notification and the filing will appear in their task queue.

5

Save — filing is now tracked

The filing appears in the list with status Pending. Risk Alerts will fire automatically if the due date passes without a status change.

Expected ResultNew filing card appears in the Pending queue. Assignee receives a notification. If the frequency was set to Monthly, future filings for the next 12 periods are pre-created in Pending status.

Marking a Filing as Filed and Uploading Proof

1

Open the filing record

Click the filing row. The filing detail panel opens on the right (or as a full page).

2

Change status to "Filed"

Click Mark as Filed. Enter the filing date and any reference / SRN number from the regulator portal. This is mandatory — do not leave it blank.

3

Upload proof of filing

Click Upload Proof and attach the acknowledgement PDF or screenshot from the regulator portal. Supported formats: PDF, JPG, PNG up to 10 MB. This document is stored in the Document Vault linked to the client.

4

Mark Acknowledged when regulator confirms

Once the regulator issues a formal acknowledgement or STP confirmation, open the filing again and click Mark Acknowledged. The filing is now closed.

RBI Compliance NoteNever leave a filing in "Filed" status for more than 7 days without uploading proof. Auditors will require the acknowledgement. Under Section 45Q of the RBI Act, failure to maintain filing records can attract penalties separate from the late filing penalty itself.

Filtering and Exporting Filings

Use the column filters above the filing list to filter by Client, Regulator, Return Type, Status, Due Date range, or Assignee. The Export CSV button downloads the filtered view as a spreadsheet — useful for client MIS reports and internal compliance reviews.

Pro TipRun a filter for Status = Overdue every Monday morning. This gives you the week's escalation list. For clients with 3+ overdue filings, trigger a manual Risk Alert and notify the relationship manager immediately.
Chapter 2

Compliance Calendar

The Compliance Calendar gives a time-based view of all upcoming deadlines across all clients and regulators. It is the single most important daily tool for a compliance manager.

Reading the Calendar

Click Deadline Calendar in the Operations sidebar. The default view is a 30-day rolling window. Each entry is colour-coded:

ColourMeaning
RedOverdue — deadline already passed
AmberDue within 7 days
BlueDue in 8–30 days
GreenFiled / Acknowledged — no action needed

Using Calendar Filters

1

Filter by Regulator

Select RBI, SEBI, IRDAI, MCA, PFRDA, or FEMA from the regulator filter. Use this when preparing for a single regulator's quarterly close.

2

Filter by Client or Team

Isolate one client's full compliance profile, or view a team member's complete deadline load to balance assignments.

3

Switch to List View for bulk actions

Click the List icon in the top-right of the calendar. In List View, you can multi-select filings and bulk-assign them to a team member.

Integration NoteThe Compliance Calendar pulls from Return Filings, Regulatory Notices (response deadlines), and Inspection deadlines — so one view covers all three compliance obligation types simultaneously.
Chapter 3

Regulatory Notices

The Regulatory Notices module tracks every formal communication received from regulators — show cause notices, circular compliance requirements, inspection notices, advisories, and penalty orders. Every notice must be recorded in ZippCRM within 24 hours of receipt.

Notice Types and SLA

Notice TypeUrgencyResponse SLADefault Assignee
Show Cause Notice (SCN)CriticalAs per notice (typically 15–30 days)Senior Partner / Principal
Penalty OrderCritical30 days (appeal window)Senior Partner / Principal
Inspection NoticeHighPreparation within notice periodCompliance Manager
Circular / AdvisoryMediumImpact assessment within 7 daysProject Manager
Data RequestHighAs specified in noticeAssigned Analyst
Routine CorrespondenceLow5 business daysAssociate

Recording a New Regulatory Notice

1

Click Reg. Comms in the Compliance Ops sidebar → Notices tab → "+ New Notice"

This is separate from the Deal Flow RBI Communications module. Use this for all inbound regulator correspondence across RBI, SEBI, IRDAI, MCA, PFRDA, and FEMA for any client.

2

Fill mandatory fields

Select Client, Regulator, Notice Type, and Date Received. Enter the Notice Reference Number exactly as it appears on the notice — this is your audit trail reference. Set the Response Deadline.

3

Upload the original notice document

Always attach the original notice PDF. Do not paraphrase or summarise the notice in the notes field as a substitute for the document. The document is stored in the client's Document Vault automatically.

4

Set severity and assign

Select severity: Critical, High, Medium, or Low. Assign a Primary Responsible person. For SCNs and Penalty Orders, this must be Partner-level or above.

5

Run an Impact Scan (for Circulars)

For new circulars and advisories, click Run Impact Scan. ZippCRM will check all active clients against the circular's applicability criteria and show which clients are affected. Review and confirm the affected client list before saving.

Expected ResultNotice appears in the Regulatory Notices list. Response deadline appears on the Compliance Calendar. The assigned team member receives a notification. For Critical notices, the system sends an email alert to the notice assignee and their manager.

Recording a Response to a Notice

1

Open the notice record

Click the notice row to open the detail view. The Timeline tab on the right shows all actions taken so far.

2

Click "Add Response"

Enter the response date, response method (email, portal, physical letter), and upload the response document. If a tracking number or delivery confirmation exists, enter it in the Reference field.

3

Update the notice status

Set status to: Response Sent, Awaiting Regulator Reply, Closed — Complied, or Escalated as appropriate.

Show Cause Notice RuleNever mark an SCN as Closed without a Compliance Manager or Partner sign-off. The closure requires an approval workflow — ZippCRM will route it through Maker-Checker automatically if the notice type is SCN or Penalty Order.
Chapter 4

Regulatory Communication Threads

Comm Threads is the audit-grade log of all communications between your firm and regulators. Unlike the NBFC Takeover RBI Communication Log (which is deal-specific), Comm Threads covers all ongoing regulatory correspondence for all clients.

When to Use Comm Threads vs. Deal RBI Log

Use CaseUse This Module
NBFC Takeover — RBI application correspondenceDeal Flow → RBI Communication Log
Post-acquisition regulatory submissionsComm Threads
General RBI/SEBI/IRDAI correspondence (any matter)Comm Threads
Regulatory notices responsesComm Threads (linked to the Notice record)
MCA filings correspondenceComm Threads

Creating a Communication Thread

1

Click Reg. Comms in the Compliance Ops sidebar → "+ New Thread"

A thread represents a single matter or subject line of correspondence. All entries (emails, letters, calls) on the same subject are logged as entries within one thread — do not create a new thread for each email.

2

Set Thread Subject, Client, Regulator, and Matter Type

Matter Types: Licensing, Enforcement, Reporting, Inspection, General Query, Policy Clarification. Choose the most specific type available.

3

Add the first entry

Click + Add Entry. Select direction (Inbound or Outbound), entry date, communication channel (Email, Letter, Portal, Phone), and enter a summary. Attach the document.

Acknowledging a Thread Entry

When a senior reviewer has read and confirmed a critical communication, they click Acknowledge on the entry. This records their name and timestamp as the reviewer — providing evidence that the communication was escalated to the right level. Acknowledgement is required for all Inbound entries on Critical threads within 24 hours of receipt.

Audit TipDuring regulatory inspections, the Comm Threads export (PDF with full timeline) is the primary evidence document. Keep threads clean — one thread per matter, one entry per communication, and always attach the original document. Never delete entries.
Chapter 5

Inspection Management

When a regulator (RBI, SEBI, IRDAI) announces or conducts an inspection of a client, the Inspection Management module coordinates your team's response. It tracks inspection stages, document production, questionnaire responses, and findings.

Inspection Lifecycle

Notice Received
Inspection Registered
Document Production
On-Site / Virtual Inspection
Queries Responded
Draft Report Review
Closed

Registering a New Inspection

1

Click Inspections in the Compliance Ops sidebar → "+ New Inspection"

Select the Client, Regulator, Inspection Type (On-Site, Off-Site, Risk-Based Supervision, Thematic), and Inspection Period Covered.

2

Enter inspection dates

Set Notice Received Date, Inspection Start Date, and Expected Close Date. These dates populate the Compliance Calendar automatically.

3

Assign the Inspection Coordinator

One person must own the inspection from end to end. They are responsible for all document production, query responses, and status updates. The coordinator cannot be below Project Manager level.

4

Create the Document Checklist

Click Add Document Request for each document the regulator has asked for (or that you anticipate). These appear as Document Requests (Chapter 12) linked to the inspection — clients can fulfil them through the portal.

Responding to Inspection Queries

1

Open the Inspection → Queries tab

All queries raised by the inspection team are listed here. Each query shows the text, the date raised, and the response deadline.

2

Click a query to open it and draft the response

Enter the response text and attach supporting evidence. The response is saved as a draft until a manager approves it.

3

Submit for approval

Click Submit for Approval. The response routes through Maker-Checker if the inspection type is RBI or if the query is marked Critical. A Partner or Compliance Manager must approve before the response is dispatched.

Critical RuleNo inspection query response should ever be sent to a regulator directly from outside ZippCRM. All responses must be logged in ZippCRM first, approved through Maker-Checker, and then dispatched. This maintains an unbroken audit chain.
Chapter 6

Maker-Checker Governance

Maker-Checker is ZippCRM's dual-control framework required under RBI's Internal Control guidelines (Master Direction — Governance, 2023). Every high-risk action in the system requires a second person to approve it before it takes effect. The person who initiates the action is the Maker. The person who reviews and approves or rejects it is the Checker.

RBI MandateDual-control (Maker-Checker) is a non-negotiable requirement for NBFCs under RBI's Governance and Compliance Framework. Disabling or bypassing this control for any action on the governed list is a compliance violation that can attract enforcement action.

Actions Governed by Maker-Checker

ActionMaker RoleChecker Role
SCN / Notice ClosureProject Manager+Compliance Manager / Partner
Penalty Register — Close/MitigateProject Manager+Compliance Manager / Partner
Inspection Query ResponseAssociate+Project Manager / Partner
Stage Advance — Critical ProjectsProject ManagerCompliance Manager
Regulatory Document ApprovalAssociateProject Manager+
Client KYC — Final ApprovalAssociateProject Manager / Partner
DPDP Data Deletion RequestAssociateCompliance Manager / Admin
Large Invoice (above threshold)Billing OpsManager / Partner
User Role ChangesAdminSecond Admin

How to Review Items in the Maker-Checker Queue (Checker Workflow)

1

Click Maker-Checker in the Compliance Ops sidebar

The queue shows all pending items awaiting your approval. Items are sorted by urgency — Critical items glow red. The count of pending items also appears in the left sidebar badge.

2

Click an item to review the full context

The detail panel shows: who initiated the action (Maker), what they are trying to do, all supporting documents they attached, and any notes they added. Do not approve without reading the notes and reviewing attached documents.

3

Approve or Reject

Click Approve to allow the action to proceed — it will execute immediately. Click Reject to return it to the Maker with a mandatory rejection reason. You cannot reject without entering a reason.

4

Add approval notes (required for Critical items)

For Critical items, type a brief justification for approval before clicking Approve. This note becomes part of the permanent audit record.

Expected ResultOn Approve: the action executes, the Maker receives a notification, and the item moves to the Approved queue with your name and timestamp. On Reject: the action is blocked, the Maker receives a notification with your rejection reason, and the item appears in their queue as Returned.

When You Are the Maker — Submitting an Action for Approval

You do not need to navigate to a separate screen to submit a maker-checker action. When you attempt an action that is governed by Maker-Checker, ZippCRM will intercept it and show a Submit for Approval modal instead of executing it directly. Fill in your notes, attach supporting documents if prompted, and click Submit. The action will remain pending until a Checker approves it.

ImportantThe Maker and Checker cannot be the same person. If you initiated an action, you cannot approve it yourself even if you have a Checker-level role. ZippCRM enforces this automatically and will show an error if you attempt self-approval.

Maker-Checker Dashboard

ZippCRM — Governance → Maker-Checker
7
Pending Your Approval
2
Critical / Overdue
43
Approved This Month
🚨 SCN Closure — Apex Capital Ltd · RBI
Critical
Maker
Riya Sharma · 2026-04-21
Action
Mark Show Cause Notice (SCN-2026-0047) as Closed — Complied
Docs Attached
Response Letter.pdf · Regulator Acknowledgement.pdf
✓ Approve ✗ Reject
Chapter 7

Security Controls Framework

The Controls module maps your firm's internal controls to regulatory requirements. Each control has an owner, a testing schedule, and an evidence trail. This is your primary tool for RBI's Internal Control Attestation and IS Audit preparation.

Control Statuses

StatusMeaning
EffectiveControl was tested and passed. Evidence on file.
Needs ReviewLast test date is approaching expiry or evidence is stale
DeficientControl failed testing — requires remediation
Not TestedControl has not been tested in the current cycle

Submitting Evidence for a Control

1

Click ISO/CERT-In Controls in the Views sidebar

The controls list is organised by Framework (RBI IT Framework, IS Audit, SEBI Cybersecurity, etc.) and Domain (Access Control, Data Security, Change Management, etc.).

2

Click a control to open it

The control detail page shows the control description, testing frequency, last test date, current status, and all previously submitted evidence.

3

Click "+ Submit Evidence"

Enter the evidence title (e.g., "Q1 2026 Access Review Log"), select the evidence type (Screenshot, Report, Log Extract, Attestation Letter), and upload the file. Add notes describing what the evidence demonstrates.

4

Update the control status

After submitting evidence, update the status to Effective if the control passed, or Deficient if it failed. Deficient controls automatically create a Remediation Task assigned to the control owner.

IS Audit RequirementAll evidence must include the title, document, and testing date. An evidence submission without an attached file will be rejected by the system. Ensure the file clearly shows the date of the evidence — undated screenshots are not acceptable for IS Audit purposes.
Chapter 8

Audit Trail & Activity Log

ZippCRM maintains an immutable audit log of every action taken by every user in the system. This log cannot be edited or deleted by any user, including Admins. It is the primary evidence artefact for regulatory examinations, IS Audits, and internal investigations.

What Is Logged

Every login and logout (with IP address and device fingerprint)
Every record created, modified, or deleted
Every document uploaded or downloaded
Every status change on any record (with before/after values)
Every Maker-Checker action (submission, approval, rejection)
Every eSign request sent and signed
Every role or permission change
Every failed login attempt
Every API call (for integrations)

Viewing the Audit Log

1

Click Admin in the Tools sidebar → Audit Trail tab

Admin-only access. The log shows all events in reverse chronological order. Each row shows: Timestamp, User, Action Type, Module, Record ID, and IP Address.

2

Filter to narrow scope

Filter by: User, Date Range, Module (Clients, Projects, Billing, etc.), Action Type (Create, Update, Delete, Login, Export), or Record ID. For investigations, always filter by User + Date Range first.

3

Export for regulators

Click Export PDF or Export CSV. The PDF export is formatted for regulatory submission and includes a system-generated hash of the log contents to prove it has not been tampered with.

Note for IS AuditWhen presenting the audit trail to IS Auditors, use the PDF export with the system hash. Auditors will verify the hash independently. Do not modify or reformat the export — any alteration will invalidate the hash verification.
Chapter 9

KYC Management

Know Your Customer (KYC) compliance is mandatory under the Prevention of Money Laundering Act (PMLA), 2002 and RBI's KYC Master Directions (2016, updated 2023). ZippCRM's KYC module tracks KYC status for every client, flags renewals, and maintains the document trail required for regulatory inspection.

KYC Statuses

StatusMeaningAction Required
CompleteAll KYC documents collected, verified, and within validityNone — review at renewal date
Renewal DueKYC documents approaching expiry (within 60 days)Request fresh documents from client
ExpiredKYC documents are past validityFreeze new transactions — request immediate renewal
Pending DocumentsKYC initiated but documents not yet receivedFollow up with client
Under ReviewDocuments received, undergoing internal verificationCompliance Manager to complete verification
Not StartedKYC not yet initiated for this clientInitiate immediately

Viewing and Updating a Client's KYC Record

1

Open the Client record → KYC tab

Click Leads & Clients in the Workspace sidebar → open the client → KYC tab. This tab shows the current KYC status, document checklist, verification history, and renewal date.

2

Review the Document Checklist

The checklist shows all required KYC documents based on client type (Individual / Entity / NBFC / Listed Company). Green tick = received and valid. Amber = received but approaching expiry. Red X = missing or expired.

3

Upload or update documents

Click Upload Document next to a checklist item. Select the document type, upload the file, and enter the Validity Date from the document (e.g., Aadhaar — 10 years from date of issue; PAN — lifetime; Certificate of Incorporation — lifetime). Validity dates drive the renewal alerts.

4

Submit for KYC Approval

Once all documents are uploaded and verified, click Submit for KYC Approval. This routes through Maker-Checker — a Compliance Manager or Partner must approve the KYC completion. On approval, status changes to Complete and the next renewal date is calculated.

Mandatory KYC Documents by Client Type

DocumentIndividualPrivate Ltd / LLPNBFC
PAN Card✓ Required✓ Entity PAN✓ Entity PAN
Aadhaar / Passport✓ Required— Directors only— Directors only
Certificate of Incorporation✓ Required✓ Required
MCA Master Data✓ Required✓ Required
RBI CoR (Certificate of Registration)✓ Required
Latest Audited Financials✓ Required✓ Required
Beneficial Ownership Declaration✓ Required✓ Required
Board Resolution (authorising firm)✓ Required✓ Required
PMLA ObligationUnder PMLA, KYC renewal for high-risk clients must be completed every 2 years. For medium-risk clients, every 8 years. For low-risk, every 10 years. ZippCRM uses the risk category set on the client record to calculate the renewal schedule. Verify the risk category is set correctly before completing KYC.
Chapter 10

DPDP Compliance

The Digital Personal Data Protection Act, 2023 (DPDP Act) imposes obligations on your firm as a Data Fiduciary. ZippCRM's DPDP module tracks consent records, data principal rights requests (access, correction, erasure, nomination), and data breach incidents. Non-compliance can attract penalties up to ₹250 crore.

Key DPDP Concepts in ZippCRM

ConceptZippCRM Feature
Consent RecordEvery client's consent for data processing is recorded with date, purpose, and version of the consent notice
Data Principal Rights RequestTracked under Client → DPDP tab — access, correction, erasure, and nomination requests
Processing PurposeEach data collection point is mapped to a declared processing purpose
Data Breach RegisterMandatory DPDP breach log — tracks incident, scope, notification timeline, and DPBI report
Retention ScheduleConfigurable per data type — ZippCRM flags records approaching the retention limit for review and deletion

Handling a Data Erasure Request

1

Click DPDP Compliance in the Compliance Ops sidebar → Rights Requests tab

All pending requests are listed here. Erasure requests are flagged red — they have a 30-day response deadline under the DPDP Act.

2

Open the request and review the scope

ZippCRM shows all personal data held for this Data Principal across the system. Review the scope before proceeding — some data may be exempt from erasure (e.g., data required for regulatory compliance under another law).

3

Select exempt data and provide justification

Mark any records that are legally required to be retained (e.g., KYC documents under PMLA, transaction records under FEMA). Enter the legal basis for retention. This justification is communicated to the Data Principal in the response.

4

Submit for Maker-Checker approval

Data erasure is a governed action. Submit for approval — a Compliance Manager must approve. On approval, ZippCRM marks the non-exempt records for deletion and logs the deletion event in the Audit Trail.

5

Send the response to the Data Principal

ZippCRM generates a draft response letter covering what data was erased, what was retained, and the legal basis for retention. Review, edit if needed, and dispatch.

DPDP Penalty RiskFailure to respond to a Data Principal rights request within 30 days can attract a penalty of up to ₹10,000 per request under the DPDP Act. A data breach not notified to the DPBI within 72 hours can attract penalties up to ₹250 crore. These deadlines are tracked automatically in ZippCRM's Compliance Calendar.

Recording a Data Breach

1

Click DPDP Compliance in the Compliance Ops sidebar → Data Breaches tab → "+ New Breach"

Record the breach immediately upon discovery. The 72-hour DPBI notification clock starts from the moment of discovery, not from when you finish the investigation.

2

Enter breach details

Discovery date/time, nature of breach (confidentiality, integrity, availability), data types affected, estimated number of Data Principals affected, and systems involved.

3

ZippCRM starts the 72-hour clock

A countdown timer appears on the breach record. The assigned compliance manager receives escalating alerts at T-24 and T-6 hours if the DPBI notification has not been dispatched.

Chapter 11

eSign & DSC Management

The eSign module manages digital signature requests for compliance documents, regulatory filings, board resolutions, and client agreements. ZippCRM supports both Aadhaar eSign (for individual signatories) and USB/Cloud DSC (for company signatories). All signed documents meet IT Act, 2000 and PDMA 2023 validity requirements.

eSign Request Statuses

StatusMeaning
DraftRequest created but not yet sent to signatories
Sent — Awaiting SignatureRequest dispatched, one or more signatories have not yet signed
Partially SignedSome signatories have signed, others pending
Fully ExecutedAll signatories have signed — document is legally valid
ExpiredSigning deadline passed — request must be re-initiated
DeclinedA signatory declined to sign — requires investigation and re-initiation

Creating an eSign Request

1

Click eSign / DSC in the Compliance Ops sidebar → "+ New Request"

Or create directly from within a Project, Document, or Filing record using the eSign button.

2

Upload the document to be signed

Upload the final, approved PDF. Do not upload drafts. The document cannot be changed after the request is sent. If you need to change the document after sending, you must cancel the request and create a new one.

3

Add signatories in signing order

Add each signatory's name, email, and signature type (Aadhaar eSign or DSC). If the signatories must sign in a specific order (sequential), toggle Sequential Signing. If all can sign in parallel, leave it off.

4

Place signature fields on the document

Use the document preview to drag and drop signature placeholders, date fields, and initials to the correct pages and positions for each signatory.

5

Set expiry and send

Set the signing deadline (default 7 days; maximum 30 days). Click Send for Signing. Signatories receive an email with a link. A maker-checker approval is required if the document is a regulatory submission or board resolution.

Expected ResultAll signatories receive email notifications. Status changes to Sent — Awaiting Signature. As each signatory signs, status progresses. On full execution, the signed PDF (with audit certificate) is stored in the client's Document Vault and linked to the originating record.

DSC Expiry Tracking

Navigate to Compliance → eSign → DSC Register to view all registered DSC tokens across your clients and team. ZippCRM sends renewal reminders at 60, 30, and 7 days before expiry. A DSC that expires during an active filing cycle can cause critical delays — monitor this list proactively.

DSC SecurityNever enter a client's DSC PIN into ZippCRM or any other system. DSC operations requiring PIN entry must be performed by the authorised signatory themselves. Your firm's liability for unauthorised use of a DSC is significant under the IT Act, 2000.
Chapter 12

Document Request Workflow

Document Requests are formal requests from your team to clients for specific documents. They appear in the Client Portal for the client to fulfill and are tracked in ZippCRM until the document is received, reviewed, and accepted. This is the primary mechanism for evidence collection during filings, inspections, and KYC.

Document Request Statuses

StatusMeaningAction
PendingRequest sent; client has not yet respondedFollow up after 48 hours if no response
Uploaded — Under ReviewClient uploaded a document; internal review neededReview immediately — do not leave in this state for more than 24 hours
AcceptedDocument received, reviewed, and satisfactoryNone
RejectedDocument uploaded but not acceptable (wrong file, wrong period, corrupted)Reject with specific reason — client must re-upload
OverdueDue date passed, client has not uploadedEscalate to relationship manager — trigger Risk Alert

Creating a Document Request

1

Open the Project / Filing / Inspection record and click "+ Document Request"

Document Requests are always linked to a parent record. Never create a standalone request — always link it to the project, filing, or inspection it relates to.

2

Enter a precise request title

Be specific: "Audited Balance Sheet for FY 2024-25" is correct. "Financial documents" is not. The client sees this title in their portal. Vague titles lead to wrong uploads.

3

Add detailed notes and format requirements

Specify: the exact document, the period or date, the required format (PDF preferred; no scanned JPEGs unless specified), maximum file size, and who should sign/certify it if required.

4

Set due date and save

The due date appears in the client portal and on the Compliance Calendar. Allow at least 5 business days for standard documents. For fresh documents needing board approval or CA certification, allow 15 business days.

Expected ResultRequest appears in the client's portal under Documents. The client receives an email notification. When the client uploads, ZippCRM notifies the assigned team member for review.

Reviewing a Client Upload

1

Open the Document Request

When a client uploads, you receive a notification. Open the request from the notification, from the project, or from the Document Requests queue.

2

Preview the uploaded document

Click the uploaded file to preview it in the browser. Check: Is this the right document? Is the period correct? Is it legible? Is it signed/certified if required?

3

Accept or Reject

Accept: The document is stored in the client's Document Vault and the request is closed. The client sees "Accepted" in their portal. Reject: You must enter a rejection reason that is clear and actionable. The client sees the reason and must re-upload.

Chapter 13

Client Queries

The Client Queries module is the structured help-desk channel between clients and your team. All queries raised through the portal are tracked here with SLA timers. No query should be answered by email outside of ZippCRM — all responses must be recorded in the system for audit completeness.

Query Priority and SLA

PriorityResponse SLAResolution SLA
Urgent2 hoursSame business day
High4 hoursNext business day
Normal1 business day3 business days
Low2 business days5 business days

Responding to a Client Query

1

Click Client Queries in the Compliance Ops sidebar (or open from notification)

Queries are shown newest first. The SLA timer counts down in red when approaching breach. Queries at risk of SLA breach are also surfaced in Risk Alerts.

2

Open the query and read the full context

The query shows the client's message, the project or filing it is linked to (if specified), and any documents the client attached. Review all attached materials before drafting a response.

3

Type your response and attach documents if needed

Use clear, professional language. If the response includes regulated advice (e.g., penalty implications, regulatory strategy), add a disclaimer and flag for Partner review before sending.

4

Set status and submit

If the query is resolved, set status to Resolved. If you need internal clarification before responding, set status to In Progress — Internal Review. Do not leave queries in Open status without acknowledgement for more than the response SLA.

Chapter 14

Invoices & Billing

The Billing module tracks all fee invoices from creation to payment receipt. Invoices can be created manually or triggered automatically by a Billing on Milestone (BOM) event when a project stage advances. All invoices follow a draft → approved → dispatched → paid workflow.

Invoice Workflow

Draft
Approved
Dispatched
Paid
Overdue
Partially Paid

Creating a New Invoice

1

Click Retainers & Payments in the Compliance Ops sidebar → Invoices tab → "+ New Invoice"

Alternatively, open a Client record → Billing tab → Create Invoice. Creating from the client record pre-fills the client details.

2

Select Client and link to Project

Always link the invoice to the relevant project. This is mandatory — unlinked invoices cannot be approved. If the invoice covers multiple projects, select the primary project and add a note.

3

Add line items

Click + Add Line Item for each fee. Enter: Description, SAC Code (for GST), Quantity, Rate, and Discount (if applicable). The system calculates GST automatically based on the client's GST registration type (18% IGST for inter-state, 9%+9% CGST+SGST for intra-state).

4

Set due date and payment terms

Standard payment terms: Net-30. For retainer clients, link to the retainer agreement. Set the Due Date explicitly — this drives the overdue alert and Risk Alert generation.

5

Save as Draft and submit for approval

Invoices above ₹1 lakh require Maker-Checker approval before dispatch. Click Submit for Approval. The approver reviews the amounts, line items, and GST and either approves (invoice moves to Approved) or rejects with a reason.

6

Dispatch the approved invoice

Click Dispatch. ZippCRM sends the invoice PDF to the client's billing email (configured in the Client record). The client also sees it in their portal under Invoices. Status changes to Dispatched.

Recording a Payment

1

Open the invoice and click "Record Payment"

Enter: Payment Date, Amount Paid, Payment Method (NEFT/IMPS/Cheque/UPI), Transaction Reference, and Bank Account. If partial payment, enter only the amount received.

2

Upload payment proof

Attach the bank credit advice or payment screenshot. This is required for invoices above ₹50,000.

3

Confirm — status updates automatically

Full payment → status changes to Paid. Partial payment → status changes to Partially Paid and the outstanding balance is displayed.

Challan TrackingGovernment fee challans (MCA21, RBI portal, SEBI SCORES, etc.) are tracked as a separate line in the billing module under Challans. A Risk Alert fires when a client has 2 or more unpaid challans. Challans are not invoiced — they are tracked for compliance completeness only.

Overdue Invoice Automation (Added April 2026)

The daily background scheduler now automatically marks invoices overdue and sends reminder notifications — no manual follow-up needed.

Midnight daily run
Find: status=SENT & due_date < today
Set status = OVERDUE
Email client contact
+
Push alert to ops team

Client Invoice Ledger (Added April 2026)

A new unified client-level invoice ledger is now available — showing all invoices for a client across all their projects in one view. Access it from:

This view supports filtering by status (draft / sent / paid / overdue) and exports to CSV for accounts reconciliation.

Credit Notes (Added April 2026)

Credit notes correct errors on previously sent or paid invoices. They are linked to the original invoice and cannot be reversed once issued.

1

Open the invoice to be corrected → click "Issue Credit Note"

Available on invoices with status SENT, OVERDUE, or PAID.

2

Enter reason and credit amount

Reason text appears on the credit note document the client receives. Amount must be > 0 and ≤ original invoice amount. Staff role required.

3

Click Save — credit note is issued

Credit number is generated in format CN-YYYY-NNNNNN (e.g., CN-2026-000001). The client is notified. The credit note is permanently linked to the original invoice and visible in the client portal.

Credit notes are permanentOnce issued, a credit note cannot be cancelled or edited. If an error was made in the credit note itself, issue a second corrective credit note and document the reason clearly.

Billing API — New Endpoints (April 2026)

EndpointPurpose
GET /clients/{cid}/invoicesUnified client-level invoice ledger (all projects)
GET /invoices/overdueAll overdue invoices across all clients (staff only)
GET /invoices/{id}/credit-notesList credit notes for a specific invoice
POST /invoices/{id}/credit-noteIssue a new credit note (staff only, amount > 0)
Chapter 15

Retainers & Payments

Retainers are recurring fee agreements with clients. The Retainers module tracks each agreement, auto-generates monthly invoices, records installment payments, and alerts the billing team when payments are overdue.

Setting Up a New Retainer Agreement

1

Click Retainers & Payments in the Compliance Ops sidebar → "+ New Retainer"

Or open a Client record → Billing tab → Create Retainer Agreement.

2

Enter agreement details

Set: Client, Monthly Fee Amount, Currency (INR), Start Date, End Date (or "Ongoing"), Billing Day of Month (e.g., 1st or last day), Payment Terms (Net-15 or Net-30), and scope description. Upload the signed retainer agreement document.

3

Define the services covered

List the specific services included in the retainer. This is important — if the client asks for work outside scope, the team needs to identify it and raise a separate project invoice, not absorb it into the retainer.

4

Activate the retainer

Click Activate. ZippCRM will auto-generate the first invoice on the billing date. Subsequent invoices are generated automatically each month. The billing team receives a notification 3 days before each invoice is auto-generated for review.

Expected ResultRetainer appears in the active retainer list. Invoice auto-generation is scheduled. The client can see their retainer summary in the portal under Invoices.

Handling Retainer Renewals and Amendments

To amend a retainer (fee change, scope change), click Amend on the active retainer record. Enter the amendment effective date and new terms. ZippCRM creates a new version of the retainer — the old version is archived. All invoices generated before the amendment date remain linked to the old version. Amendments above a fee increase of 20% require Maker-Checker approval.

Retainer Health Dashboard

ZippCRM — Billing → Retainers
18
Active Retainers
₹14.2L
Monthly Retainer ARR
3
Payment Overdue
1
Expiring This Month
Apex Capital Ltd · ₹85,000/mo
Status
Active
Last Payment
01 Apr 2026 · ₹85,000 · NEFT · Ref: 2026040100112
Next Invoice
01 May 2026
Chapter 16

Penalty Register & Risk Engine

The Penalty Register is the definitive record of all regulatory penalties levied on or at risk for clients. It feeds the Risk Engine which computes each client's Penalty Risk Score — a composite metric used for client health scoring and internal risk flagging. Every confirmed penalty and every identified penalty risk must be recorded within 24 hours.

Penalty Record Statuses

StatusMeaning
At RiskViolation identified — penalty not yet levied but exposure exists
LeviedRegulator has issued a penalty order — amount confirmed
ContestedClient is appealing the penalty — appeal filed
Mitigation In ProgressWorking with regulator to reduce or compound the penalty
Compounded / SettledPenalty settled — payment made or compounding approved
Closed — ReversedPenalty reversed on appeal

Recording a New Penalty Entry

1

Click Penalty & Risk in the Compliance Ops sidebar → "+ New Entry"

Select: Client, Regulator, Penalty Type (Late Filing, Non-Compliance, Regulatory Breach, AML/KYC Violation), Severity (Minor, Major, Critical).

2

Enter penalty details

For At Risk entries: describe the violation, estimated exposure amount, and the section of the Act or regulation violated. For Levied entries: enter the exact penalty order amount, order reference number, and order date. Upload the penalty order document.

3

Set the response deadline

Enter the deadline for payment, appeal, or compounding application. This date appears on the Compliance Calendar and drives Risk Alerts if the deadline approaches without a status update.

4

Assign a Mitigation Owner

Assign a team member responsible for driving the mitigation strategy. They are accountable for all status updates and deadline compliance on this record.

Closing a Penalty Record

Closing a penalty record (marking it as Compounded/Settled or Closed—Reversed) is a Maker-Checker action. The Maker enters the closure details (payment reference, compounding order, or appeal order) and uploads the supporting document. A Compliance Manager or Partner must approve the closure. This ensures no penalty is silently written off without senior review.

Penalty Risk Score

Each client has a Penalty Risk Score displayed on their Client Overview tab and on the Dashboard. The score is computed by the Risk Engine based on:

FactorWeight
Number of open At Risk or Levied penalties40%
Total exposure amount (as % of last known revenue)25%
Number of overdue regulatory filings in last 12 months20%
Number of SCNs received in last 24 months15%
High Risk ThresholdA Penalty Risk Score above 75 triggers an automatic Risk Alert and flags the client as High Risk in the system. This impacts the client's Compliance Health Score visible in their portal. The client's relationship manager is notified immediately when this threshold is crossed.
Chapter 17

Analytics & MIS

The Analytics module gives Partners, Compliance Managers, and Admin users a real-time intelligence layer across the entire practice. It covers compliance health trends, team utilisation, revenue intelligence, SLA performance, and filing analytics.

Available Analytics Views

ViewWho Uses ItKey Metrics
Compliance Health OverviewCompliance Manager, PartnerOverall compliance score, overdue filings, at-risk clients, regulator breakdown
Filing PerformanceCompliance ManagerOn-time rate %, late filings by regulator/client/team, trend over 12 months
SLA DashboardTeam Leads, ManagerQuery response SLA breach rate, document request fulfillment time, maker-checker cycle time
Team UtilisationPartner, ManagerTasks open per team member, overdue tasks, hours logged (if timetracking enabled)
Revenue IntelligencePartner, AdminMonthly invoiced amount, collected vs. outstanding, retainer vs. project revenue split, top 10 clients by revenue
Risk HeatmapCompliance Manager, PartnerClient risk matrix (Penalty Risk Score vs. Compliance Score), high-risk cluster view
Penalty & Exposure TrackerCompliance Manager, PartnerTotal penalty exposure by client and regulator, YoY trend, contested vs. settled split

Generating an MIS Report

1

Click Analytics in the Compliance Ops sidebar → Reports tab → "+ New Report"

Choose a report template: Compliance Health Summary, Filing Status Report, Invoice Ageing, Retainer Health, Penalty Register Summary, or Team SLA Report.

2

Set parameters

Select date range, clients (all or specific), regulators, and team filter. For client-facing reports, enable the Client View toggle — this removes internal notes and team-level data from the report.

3

Preview and export

Click Preview to see a live render. Click Export PDF or Export Excel. PDF exports are formatted for client delivery. Excel exports include raw data for further analysis.

4

Schedule for auto-delivery (optional)

Click Schedule to set up recurring delivery. Set frequency (weekly/monthly), recipients, and format. Scheduled reports are delivered via the Ops Center on the configured schedule.

Partner-Level InsightThe Revenue Intelligence → Retainer vs. Project split is the most important metric for practice economics. Healthy practices run 60%+ retainer revenue. If this ratio drops below 40%, it indicates over-reliance on project work and under-monetisation of the compliance ops relationship.
Chapter 18

Automation Rules

Automation Rules allow Admin users to configure trigger-action workflows that execute automatically without manual intervention. They reduce repetitive operational tasks and ensure consistent responses to common events across clients.

Automation Rule Structure

Every automation rule consists of three parts: a Trigger (the event that starts the rule), optional Conditions (filters that determine if the rule applies), and one or more Actions (what happens when the rule fires).

Available Triggers

TriggerExample Use Case
Filing Status ChangedWhen a filing moves to "Overdue", create a Risk Alert and assign a follow-up task to the filing owner
Project Stage AdvancedWhen a project advances to "Compliance Review", create a standard checklist task set and assign to the compliance team
KYC Status ChangedWhen KYC status changes to "Renewal Due", send a document request to the client for fresh KYC documents
Invoice OverdueWhen an invoice passes due date, send the client a payment reminder email and notify the billing manager
Penalty Record CreatedWhen a new Levied penalty is recorded, notify the relationship manager and create an escalation task
Document Request OverdueWhen a document request passes its due date, send a reminder to the client portal and notify the project manager
Client Query — SLA At RiskWhen a query is 80% through its response SLA without a reply, reassign to the team lead automatically

Creating an Automation Rule

1

Click Automation Rules in the Compliance Ops sidebar → "+ New Rule"

Admin access required. Give the rule a clear, descriptive name: e.g., "Overdue Filing → Alert + Task" not "Rule 3".

2

Select the Trigger event

Choose from the trigger list. Set any trigger parameters (e.g., for "Filing Status Changed", specify which status to trigger on).

3

Add Conditions (optional but recommended)

Conditions narrow the rule's scope. Example: "Only fire if Regulator = RBI" or "Only fire if Client Risk Category = High". Without conditions, the rule fires for every event matching the trigger across all clients.

4

Add Actions

Click + Add Action for each action. Available actions: Create Task (with title, assignee, due date), Send Notification (in-app or email), Send Client Email, Create Document Request, Update Record Field, Trigger Risk Alert. Actions execute in sequence — top to bottom.

5

Test and Activate

Click Test Rule — select a sample record and simulate the trigger. ZippCRM shows you what actions would fire without actually executing them. Review the simulation output. If correct, click Activate.

Automation GovernanceAll automation rules must be reviewed and approved by a Partner or Compliance Manager before activation. Rules that send client-facing communications require Maker-Checker approval. An automation rule that sends incorrect information to a regulator or client can have serious consequences — test thoroughly before activating.
Views Section

BOM Tracker (Billing on Milestone)

Click BOM Tracker in the Views sidebar section. The BOM Tracker shows all billing events tied to project stage milestones. When a project advances past a stage configured with a BOM trigger, a billing event is created here for the billing team to convert into an invoice.

How BOM Works

A BOM (Billing on Milestone) is configured on a Project Type stage in Admin → Project Types. When any project of that type advances past that stage, the BOM Tracker automatically creates a pending billing event. The billing team reviews the event, confirms the amount, and clicks Raise Invoice to convert it directly into a draft invoice in Retainers & Payments.

BOM StatusMeaningAction
PendingStage reached, billing event created, invoice not yet raisedReview and raise invoice within SLA
Invoice RaisedDraft invoice created and sent to billing queueNone — track in Retainers & Payments
BilledInvoice dispatched to clientNone
On HoldBilling paused — client dispute or project on holdRisk Alert fires after 5 days. Resolve the hold and either raise or waive the billing event.
Risk Alert TriggerAny BOM event in On Hold status for more than 5 days generates a Risk Alert (⛔ BOM On Hold). The billing manager is notified and the event is escalated. Never leave a BOM event on hold without a documented reason.
Views Section

Kanban Board & Gantt / Timeline

Click Kanban Board or Gantt / Timeline in the Views sidebar section. These are alternative visual representations of your active projects — same data as the Projects list, displayed differently.

Kanban Board

Kanban organises projects as cards grouped by their current stage. Drag a card from one column to another to advance or revert a project stage — the same business rules apply as in the standard project view (mandatory evidence, maker-checker gates). Use Kanban during weekly team reviews to get a quick visual of where projects are bunched up (too many cards in one stage indicates a bottleneck).

Gantt / Timeline

Gantt shows projects on a horizontal timeline with their expected start and end dates. Use it for capacity planning and deadline collision detection — when multiple high-priority projects have overlapping end dates, the Gantt view makes the crunch visible before it becomes a crisis. Each bar is clickable — click to open the project detail.

When to Use WhichKanban is best for daily stand-ups and stage-flow reviews. Gantt is best for partner-level capacity reviews and deadline planning. The Projects list view is best for search, filtering, and individual project management.
Views Section

Inbound Emails

Click Inbound Emails in the Views sidebar section. This view shows all emails received into ZippCRM's monitored mailbox (configured in Admin → Email Config → Inbound). Emails from clients and regulators are captured here for linking and action.

Linking an Email to a Record

1

Open the email from the Inbound Emails list

Click the email row to expand the full email content and attachments.

2

Click "Link to Record"

Search for the relevant client, project, notice, or query. Select the record you want to link this email to.

3

Set the action (if required)

Optionally, convert the email into a Client Query, a Comm Thread entry, or a Task. This avoids having to manually re-enter the email content elsewhere.

NoteEmails are read-only in this view — you cannot reply from ZippCRM's Inbound Emails panel. Replies must be sent from your email client. If ZippCRM's outbound email is configured, use Client Queries for two-way communication with clients.
Views Section

Time Tracker

Click Time Tracker in the Views sidebar section. The Time Tracker logs hours spent on projects and tasks by team members. It feeds the Team Utilisation view in Analytics and supports milestone-based billing justification.

Logging Time

1

Click "+ Log Time" or start the live timer

The live timer (green dot in the sidebar) runs in the background. Click Start Timer when you begin work. Click Stop when done — the system records the duration automatically.

2

Link to a project and task

Every time entry must be linked to a project. Task linkage is optional but recommended for billing justification. Select the work category (Filing, Liaison, Review, Advisory, Admin).

3

Add notes and save

Brief notes describing the work done. These notes appear in the client-facing time summary if time reporting is enabled for the client.

Manager ViewPartners and managers can view all team members' time logs from Analytics → Team Utilisation. This shows hours logged per person, per project, and per week — useful for identifying overloaded team members before deadlines collide.
Quick Reference

Operations Quick Reference

Daily Operations Checklist

Check Compliance Calendar for filings due in the next 7 days
Review Maker-Checker queue — approve or reject all pending items
Check Risk Alerts — escalate any Critical items
Review Document Requests in "Uploaded — Under Review" — process within 24 hours
Check Client Queries for SLA-at-risk items
Scan Penalty Register for approaching response deadlines
Review eSign requests approaching expiry

Module → Navigation Path

ModuleNavigation PathMin. Role
Return Filings TrackerCompliance → Return FilingsAssociate
Compliance CalendarCompliance → CalendarAssociate
Regulatory NoticesCompliance → Regulatory NoticesAssociate
Comm ThreadsCompliance → Comm ThreadsAssociate
Inspection ManagementCompliance → InspectionsProject Manager
Maker-Checker QueueGovernance → Maker-CheckerProject Manager
Security ControlsGovernance → ControlsProject Manager
Audit TrailAdmin → Audit TrailAdmin
KYC RecordsClients → [Client] → KYC tabAssociate
DPDP Rights RequestsCompliance → DPDP → Rights RequestsCompliance Manager
DPDP Breach RegisterCompliance → DPDP → Data BreachesCompliance Manager
eSign RequestsCompliance → eSignAssociate
DSC RegisterCompliance → eSign → DSC RegisterAssociate
Document RequestsWithin Project / Filing / Inspection recordAssociate
Client QueriesService Desk → Client QueriesAssociate
InvoicesBilling → InvoicesBilling Ops / Manager
RetainersBilling → RetainersBilling Ops / Manager
Penalty RegisterCompliance → Penalty RegisterProject Manager
Analytics / MISAnalytics → [View]Project Manager+
Automation RulesAdmin → AutomationAdmin

Critical Regulatory Deadlines — Response Windows

EventResponse WindowConsequence of Miss
DPDP Data Principal Rights Request30 daysPenalty up to ₹10,000 per request
DPDP Data Breach → DPBI Notification72 hours from discoveryPenalty up to ₹250 crore
RBI Show Cause Notice responseAs stated in notice (typically 15–30 days)Enforcement action / compounding
Penalty Order — Appeal window30 days from order dateLoss of appeal right
Penalty Order — Compounding applicationAs stated in orderDefault to full penalty amount
Inspection query responseAs stated in inspection communicationAdverse inspection finding

Troubleshooting — Operations Module

ProblemSolution
Maker-Checker approve button is greyed outYou are the Maker for this item — you cannot approve your own submission. Ask a colleague with Checker-level role to review it.
eSign request not received by signatoryCheck the email address entered. Ask the signatory to check their spam folder. Cancel and re-create the request if the email was wrong.
Document upload rejected by system (file size error)Maximum file size is 10 MB per document. Compress the PDF using a PDF compressor before re-uploading.
Penalty Register closure requires approval but no Checker availableThe Maker-Checker requirement cannot be bypassed. Escalate to a Partner to perform the Checker role. If no Partner is available, contact Admin to temporarily grant Checker access to a senior manager.
DPDP breach timer not showingThe breach record may have been created without a discovery date/time. Open the breach record, enter the discovery date and time, and save — the timer will start from that point.
Analytics showing incorrect totalsCheck the date range filter and client filter. If still incorrect, run Refresh Analytics Cache from Admin → System → Cache Management.
Automation rule fired for wrong clientsReview the rule's Conditions. If conditions are missing or too broad, the rule fires for all records. Add client-specific or category-specific conditions and re-test.
Companion DocumentsFor step-by-step module training (Mission Control, Business Hub, Execution, Governance, Billing, Access & Identity, Technical Setup), refer to the ZippCRM Per-Module Training Manuals. For the full product architecture and workflow diagrams, refer to the Workflow Atlas. For API and technical integration, refer to the ZippCRM Technical Documentation.