⚖️ ZippCRM Workflow Atlas
End-to-end compliance workflow reference — project lifecycle, regulatory obligations, role responsibilities, and compliance gates.
RBI
SEBI
IRDAI
MCA
🏛 Core Compliance Principles
1
Block stage movement when compliance evidence is incompleteNo project advances to the next stage unless all mandatory checklist items are verified. Maker-Checker enforces 4-eyes approval on sensitive actions.
2
Surface expiring documents before the regulator doesDSC certificates, board resolutions, networth certificates, and licenses are tracked with 30/60/90-day expiry alerts. The system auto-escalates when documents are within the warning window.
3
Keep billing tied to verifiable regulatory milestonesInvoices and retainer releases are gated on actual stage completions, not calendar dates. This prevents billing disputes and aligns commercial incentives with compliance outcomes.
4
Every action leaves a traceable audit trailAll state changes, document uploads, approvals, and communications are written to the immutable audit log with timestamp, actor, and object reference.
🔄 Project Lifecycle — Stage State Machine
Standard Progression (forward flow)
Lead
Qualification
Prospect scoping & conflict check
›
Onboarding
KYC, AML, FATCA documentation
›
Document
Collection
MOA, AOA, NW certificate, board resolutions
›
Regulatory
Filing
Application to RBI / SEBI / IRDAI / MCA
›
Pending
Regulator
Awaiting acknowledgement & clarifications
›
Query
Response
Respond to regulator observations within SLA
›
Approval
Received
License / certificate issued
›
Post-Approval
Compliance
Ongoing periodic filings & returns
⚠️ Stage regression (e.g. Approval → Query Response) is permitted with mandatory audit note. Cancelled and On Hold are terminal states accessible from any active stage.
📋 License Types & Regulatory Authority Matrix
| License Type | Regulator | Key Requirements | Typical Timeline | Critical Filings |
|---|
| NBFC — Base Layer | RBI | Net worth ₹10 Cr+, CIBIL check, fit & proper directors | 12–18 months | Monthly returns (NBS-1, NBS-2), Annual report |
| NBFC — MFI | RBI | Min 85% qualifying assets, JLG model compliance | 12–18 months | Quarterly portfolio returns, Fair practices code |
| NBFC — P2P Lending | RBI | Net worth ₹2 Cr+, tech audit, escrow mechanism | 9–12 months | Monthly borrower/lender disclosures |
| NBFC — Account Aggregator | RBI | AA framework compliance, data security audit | 12–24 months | Quarterly tech & security reports |
| Stockbroker / Member | SEBI | SEBI registration, NSE/BSE membership, NCFM exams | 6–9 months | Monthly financial filings, Margin reporting |
| Investment Advisor (RIA) | SEBI | NISM certifications, ₹50 Cr AUM compliance | 3–6 months | Annual compliance report, Client disclosures |
| Portfolio Manager (PMS) | SEBI | Net worth ₹5 Cr, disclosures, 3-year track record | 6–9 months | Monthly report to clients, Annual PMS report |
| Direct Insurance Broker | IRDAI | ₹75 lakh net worth, PI cover, qualified staff | 6–12 months | Quarterly & annual compliance reports |
| Reinsurance Broker | IRDAI | ₹4 Cr net worth, specialized staff qualification | 9–15 months | Half-yearly returns, Claims disclosure |
| Company Incorporation | MCA | DIN, DSC, MOA/AOA drafting, registered office | 7–14 days | Annual ROC filings, DIR-3 KYC |
| Section 8 (NGO) | MCA | Charitable objectives, FCRA if foreign donations | 30–60 days | Annual return, IT compliance |
📅 Periodic Regulatory Filing Calendar
Q1 — January to March
Jan 15 — NBS-1 (RBI NBFC monthly)
Jan 31 — DIR-3 KYC (MCA)
Feb 15 — NBS-2 (RBI NBFC)
Mar 31 — SEBI Annual Compliance Report
Mar 31 — IRDAI Annual Return
Q2 — April to June
Apr 30 — Audited Annual Accounts (NBFCs)
May 15 — Quarterly RBI Returns
Jun 30 — Board Resolution renewal check
Jun 30 — SEBI PMS half-yearly report
Q3 — July to September
Jul 15 — NBS-1 / NBS-7 (NBFC)
Jul 31 — IT Returns deadline
Sep 30 — Networth certificate renewal
Sep 30 — IRDAI half-yearly compliance
Q4 — October to December
Oct 15 — RBI Quarterly returns
Nov 30 — DSC renewal check window
Dec 31 — SEBI annual disclosures
Dec 31 — Board meeting minutes filing
⚖️ NBFC M&A — Deal State Machine
Transaction stages (RBI-regulated acquisitions)
SLA
Signed
Engagement letter executed
›
Target
Identified
Target NBFC shortlisted
›
Due
Diligence
Legal, financial & regulatory DD
›
Premium
Filed
RBI application submitted
›
RBI
Pending
Awaiting RBI approval (90–180d)
›
Post-Approval
Share transfer & integration
›
Closed
Transaction complete
⚠️ RBI approval for NBFC acquisitions >26% stake is mandatory under Section 44A NBFC Directions. Timeline: 90–180 days from application. Risk alert triggers at day 60 (follow-up) and day 120 (critical escalation).
👥 Role Responsibility Matrix (RACI)
Responsible (Does the work)
Filing officer — prepares & submits returns
Compliance associate — document collection
KYC analyst — AML/KYC verification
Junior CA — financial statement prep
Accountable (Signs off)
Senior Manager — stage sign-off
Partner / Director — billing approval
Checker (Maker-Checker) — 4-eyes approval
Admin — user & permission management
Consulted (Expert input)
Legal counsel — regulatory interpretation
Senior CA — financial structuring
IT security — DSC & eSign setup
Client RM — client communication
Informed (Kept updated)
Client — via client portal
Finance team — invoice triggers
Top management — risk alerts
Auditor — audit trail access
📁 Document Taxonomy & Retention Policy
🏢 Entity Documents
Core constitutional & legal identity
- Certificate of Incorporation
- MOA / AOA
- PAN Card
- GST Registration
- Shop & Establishment
👤 KYC / Director Documents
Fit & proper verification
- DIN & PAN of all directors
- Aadhaar / passport
- CIBIL / credit report
- Declaration of no criminal record
- Net worth certificate (CA certified)
💰 Financial Documents
Financial health & compliance evidence
- Audited financials (3 years)
- Net worth computation
- Capital adequacy statement
- Bank statements (6 months)
- Source of funds declaration
📜 Regulatory Filings
Filed with regulators — retain 8 years
- RBI application & acknowledgement
- All periodic returns (NBS-1 to NBS-9)
- SEBI registration certificate
- Annual compliance reports
- Inspection reports & responses
✍️ Board & Meeting Records
Governance evidence
- Board meeting minutes
- Resolutions for key decisions
- Audit committee minutes
- Risk committee reports
- AGM records
🔐 Digital Assets
DSC & eSign — renew before expiry
- Class 3 DSC (2-year validity)
- Aadhaar eSign authorization
- TRACES login credentials
- MCA21 portal access
- SEBI SCORES portal credentials
🚨 Escalation & Alert Thresholds
| Trigger | Threshold | Severity | Action Required |
|---|
| Filing due date | 7 days before | HIGH | Email alert to filing officer & RM |
| Filing due date | 2 days before | CRITICAL | SMS + email to senior manager & partner |
| Overdue task in active project | Any overdue task | HIGH | Risk alert raised, appears on dashboard |
| Overdue tasks ≥ 3 OR no activity ≥ 7 days | Combined condition | CRITICAL | Escalation to partner-level; appears in Risk Alerts |
| Document expiry (DSC, networth certificate) | 30 days before expiry | HIGH | Auto-task created for renewal |
| RBI application pending | > 60 days | HIGH | Follow-up with RBI; log in M&A tracker |
| RBI application pending | > 120 days | CRITICAL | Escalate — check for objection letters |
| Pending challans ≥ 2 | Same client | MEDIUM | Finance alert; flag in billing tracker |
| BOM activity on hold | > 5 days | MEDIUM | Manager notification; reason required |
| Compliance rate | < 80% | CRITICAL | Portfolio review; identify stalled filings |
💼 Engagement & Recurring Cycle Model
1
One project per service engagementEach service engagement (RBI NBFC filing, SEBI broker registration, IRDAI insurance broker license) is a separate project. A client may have multiple concurrent projects across different services.
2
Recurring engagements track cycles with cycle_periodFor retainer-based services (monthly / quarterly / annual), the parent project links to cycle children via parent_project_id. Each cycle has its own workflow: "Apr 2025", "Q1 FY26", "FY 2025-26". Completing a cycle auto-creates the next one.
3
Scope amendments track task changes with audit trailAdd or remove tasks mid-cycle via project_scope_amendments. Each amendment records task_name, action (add|remove|na), reason, billing_delta, and who created it. Never delete scope — amend it.
4
Payment schedules decouple billing from workflow stagespayment_schedules tracks retainer dues, milestone invoices, and advances independently. Status: pending|paid|overdue|waived. Retainers are always due on the cycle due_date, regardless of workflow stage.
5
Client Engagement Dashboard rolls up all servicesShows one row per client, with columns for active projects, total retainer due, cycles completed this year, and next payment due. Drill into each service project for stage-level detail.
🔐 Admin Role & Maker-Checker
1
Admin role bypasses Maker-Checker entirelyStage transitions requested by admin users are auto-approved (no checker required). This is appropriate for system cleanup, data corrections, and exception cases after manual review offline.
2
Makers can void pending requestsA maker who submitted a stage transition request can void it if it's still pending (status=pending). Voided requests are logged but never executed. New requests can be submitted.
3
Admins can self-approve in exceptional casesWhen a regulator issues an urgent clarification or court order, admins may jump a project directly to a new stage without normal workflow. All self-approvals are flagged in the audit log with a mandatory note.