# Aayush Gupta — Risk, Controls & Compliance Leader (full site content) Source: https://aayush-gupta.com/ | Licence: content © 2026 Aayush Gupta; quote with attribution and link. --- # Aayush Gupta — Risk, Controls & Compliance Leader **Transforming Risk into Resilience through Human-Centric Design** Strategic risk, controls and compliance leadership — building trust and operational excellence in complex, high-growth environments. 16+ years across gaming, payments, digital lending, consulting and audit. ## Executive summary - 16+ years institutionalizing ERM, Product Risk, Regulatory Compliance, AML/CFT and Internal Audit. - Data-driven risk management for systems processing 1 Bn+ transactions a month. - Delivered programs across US, UK, Middle East, Africa, Europe and Asia. - Built & led multi-disciplinary risk teams of CAs, lawyers, cyber & data specialists. - Chartered Accountant · MSc IT · ISACA Cybersecurity Audit certified. ## Career progression - **EY & PwC** — Consultant to Manager – Risk Advisory (Nov 2011 – Sept 2017 · Tech, ITeS & GCC) - **Bain Capital** — AMEA Head – Risk Management (Oct 2017 – May 2019 · Centrient Pharmaceuticals) - **Paytm** — DGM Risk Management and CEO's Controls Office (May 2019 – Jun 2021 · Double promoted in 18 months) - **Dhani** — Head of Risk (Jul 2021 – Jun 2022 · Indiabulls Consumer Finance) - **Tata Neu** — Director – Fintech Product Risk (Trust & Safety) (Jul 2022 – Jul 2023) - **Flutter** — AVP & Head – Risk & Compliance (Aug 2023 – Present · Junglee Games · Promoted in 18 months) ## Geographies worked Indian Sub-continent, USA, United Kingdom, Middle East, Africa ## Governance setup across the three lines **Strategic Governance: Orchestrating Resilience Across Three Lines** Establishing robust, integrated governance across ERM, controls monitoring, internal audits, AML and ABC — for pre-IPO, public-listed and SEC-regulated entities. Key figures: 100% — ISO 27001; €550 Mn — Bain DD; AI — Governance Agent; $2.5 Bn — IPO Readiness ### Flutter Entertainment (Junglee Games) - Established governance framework comprising Product Controls & Compliance monitoring, ISO 31000 aligned ERM, Regulatory Compliance monitoring, Process Governance, Financial & Data controls, AML and ABC, integrating Junglee into the Group's enterprise controls environment. - Leading implementation of DPDP for product & functional streams and AI governance. Supervised the organisation-wide ISO 27001 certification. - Established the ethics framework comprising the Code of Conduct, Anti-Bribery & Corruption Policy and Whistleblower programme; led organisation-wide & Board-level training, and served as Ombudsman and Chief Investigator for whistleblower complaints. - Developed and deployed (with engineering team) a corporate governance AI agent which assimilates, analyses and responds with compliance status or compliance risk assessment based on organizational context. _Focus: SEC controls, ERM · ISO 31000, ISO 27001, AI Governance, DPDP · Data Privacy, AML & ABC_ ### Paytm (One97 Communications) - Selected by the Founder, Board and investors as part of a three-member transformation office to institutionalise corporate governance ahead of Paytm's ~$2.5Bn IPO to design and implement enterprise governance, risk and compliance frameworks across Payments, Lending, Wealth, Insurance, Consumer Internet and Gaming businesses. - Institutionalised and led Enterprise Risk Management, Risk based Internal Audit planning, Legal & Regulatory Compliance monitoring, Whistleblower, Anti-Bribery & Corruption, ISO 22301-aligned BCDR, and bi-annual forensic spend reviews. _Focus: Pre-IPO Governance, RBI PA/PPI, NPCI, ABC & Whistleblower, BCDR_ ### Tata Neu (Tata Digital) - Hands on experience institutionalizing compliance frameworks for RBI's PA, PPI, Digital Lending Guidelines and NPCI compliance requirements; led GRC tracks for Tata Payments' PA and PPI applications to RBI, securing regulatory approvals. _Focus: RBI PA/PPI, Digital Lending Guidelines, NPCI, Regulatory Approvals_ ### Bain Capital Portfolio — Centrient Pharmaceuticals - AMEA Risk Management anchor for Bain Capital's €550 Mn acquisition of Centrient. Implemented a class leading internal controls framework for commercial & financial processes while managing the transaction & transition risk during acquisition. Re-engineered the strategic risk monitoring and reporting framework, reducing gross risk exposure by 35% within 18 months. _Focus: M&A Due Diligence, Internal Controls, Sanctions, ISO 22301_ ## Product risk & compliance **Safeguarding Innovation at Scale: Product Risk & Compliance** Robust, scalable risk architectures and near-real-time controls that protect millions of users and billions in transactions — without compromising a frictionless experience. ### Flutter Entertainment (Junglee Games) - Led a cross functional team to implement real-time monitoring of product controls for ~500M monthly transactions, covering matchmaking, gameplay anti-fraud controls, geo-blocking, KYC, deposits, and withdrawals. - Setup automated assurance over ~₹1,000 Cr monthly funds management and transaction fees. Reducing effort from 7 man-days to a few hours. - Built an AI agent to automate marketing collateral reviews against regulatory guidelines, reducing review time from 2–3 hours to minutes. - Led the Safer Gaming charter for a 120M+ player base, building an integrated intervention framework that increased player protection tool adoption 15x while positively impacting revenue. _Focus: Controls Assurance, Funds Monitoring, AI Agents, Responsible Gaming_ ### Tata Neu (Tata Digital) - Designed the alternate data strategy for launch of digital lending and BNPL businesses, embedding product controls to accelerate credit approvals while preventing identity theft and account takeover. (40,000+ Loans; ₹400+ Crore disbursed). - Set up product & process controls for TATA Neu × HDFC co-brand credit card launch (1 Mn+ cards issued). Ensured compliance with RBI-guidelines and partner-bank requirements across customer onboarding journey and hand-off points, data-sharing controls, billing & reward-point reconciliations, redemption flows and fair-usage limits. - UPI & Gift Card Fraud Prevention: Designed a first-principles based fraud management framework that delivered enterprise-grade fraud controls without a dedicated fraud platform, combining customer communications, contextual product interventions, transactional rules and dynamic watchlists. _Focus: Trust & Safety, Co-brand Credit Card, UPI / Gift-card Fraud, First-principles Controls, RBI PA/PPI_ ### Dhani (Indiabulls Consumer Finance) - Conceptualised and institutionalised the Dhani Customer Trust Score (pre-AI era), an analytics-driven model using 10+ data sources to validate customer authenticity, doubling conversion rates with no increase in Day 90 DPD. - Built and led the Fraud Analytics function, redesigning risk analytics to evaluate signals in conjunction with business metrics and operational insights, reducing false positives in credit risk actions by 75%. - Co-developed, with the product team, an in-house sanctions screening product referencing 20+ sanctions / financial-crime lists — refreshing its inventory daily and matching new and existing customers each day, with reverse (delta) screening. _Focus: Credit Risk, Fraud Analytics Team, Contextual Reporting, Device Fingerprinting, Fraud Controls_ ### Paytm (One97 Communications) - Promoted to be the Head of Risk Strategy and Analytics for payments and consumer internet businesses spanning 20Mn+ merchants who accepted Paytm for more than 1 Billion transactions every month. Led the teams designing transaction monitoring rules and deploying these to the product with Paytm's proprietary AI powered platform to identify and mitigate ecosystem abusers - Redesigned transaction monitoring rules for the merchant payments business, doubling precision (true positives) and increasing recall (detection coverage) to ~80%, without additional operational headcount. _Focus: Transaction Monitoring, Machine Learning, Fraud Analytics_ ## Internal audit delivery & risk assessment **Audit Excellence: Scaling Assurance in High-Growth Environments** Comprehensive risk assessment, audit-committee leadership and Big-4-partnered internal audit delivery — across listed companies and start-ups, four continents, and a forensic lens. Key figures: 15,000+ — Hours Supervised; 16+ — Countries; 4 — Sectors; $300M+ — Analyzed ### Paytm (One97 Communications) - Delivered ~4% bottom-line improvement by identifying and implementing improvements to reduce revenue leakages and optimise costs across business, operations and corporate functions. ### Flutter Entertainment (Junglee Games) - Implemented a FATF aligned AML/CFT and Sanctions monitoring program in line with SEC requirements (as part of Flutter's globally integrated approach) and balancing the implementation from an Indian regulatory ask perspective. - Resilience through the post-ban pivot: Post PROGA (the law banning core real money gaming business), I moved from defence to design, executing a clean, evidence-grade wind-down with every money game and bonus disabled, no cash-game surface left live, and several million dollars of player balances reconciled and returned with zero defects. - Worked with the engineering team to build and productise an OSINT intelligence capability that continuously monitors the illegal offshore gambling ecosystem operating in India, fusing seven independent data streams of search demand, active websites, paid advertising and organic social, App Store / Play Store, APK inventories, and active UPI handles. ### Dhani (Indiabulls Consumer Finance) - Evaluated 10+ technology products for device fingerprinting tech and implemented a cutting edge tech product to establish device based borrower identity (supplementing the KYC'd one). Created the rules for use of fingerprinting tech which was rolled out to more than 2 Mn BNPL subscribers. ### Bain Capital Portfolio — Centrient Pharmaceuticals - Implemented an ISO 22301-aligned Business Continuity Programme, covering a manufacturing site with 7 plants and ₹600 Cr annual output — a first across the Royal DSM group's 40+ manufacturing sites. This was instrumental in mitigating the impact on manufacturing operations caused by floods (2019) and Covid-19. ### Premium Mineral Water Brand - Led an end-to-end discount rationalisation programme with the National Sales Head for India's leading premium mineral water brand, improving marginal contribution by 20% and making the business EBITDA-positive for the first time since launch. ### Beverage Company — Supply Chain - Led a supply chain optimisation programme with the Head of Supply Chain of a beverages company, redesigning the transportation model for its highest-selling product and reducing logistics costs by 50%. ### BFSI Operational Risk Management - Conceptualised and commercialised an Operational Risk Management service by adapting BFSI risk management principles for non-financial industries, enabling clients across technology, healthcare, and consumer goods to identify operational pain points, monitor KPIs, and improve service delivery across Finance, Customer Service, and IT functions. ### Global Beverages Leader - Led a process re-engineering programme for the India operations of a global beverages leader to optimise and automate field sales workforce management, underpinned by benchmarking, market assessment, and operational diagnostics. ### Event Risk Management - Led the Event Risk Management practice for North India with full P&L responsibility, providing independent assurance over the integrity and effectiveness of jury-based award programs and quiz shows. Grew the practice fourfold in 18 months. ### Global Credit Card Issuer - Led multiple financial, operational, and compliance audits for one of the world's largest credit card issuers, delivering engagements with stakeholder teams across APAC, Europe, and the US. ### Talent & Capability Build-out - Led the end-to-end hiring program, backfilling ~30% of the team's strength (30 hires) in two months by managing the recruitment lifecycle for 400+ candidates. ### Contract Management Solution: Launch & Delivery Lead - Part of the launch team for a Contract Management service offering for the technology sector, leading go-to-market initiatives through client proposals, solution collateral and delivery capability building for a 25+ member team. Established the contract management function for one of India's largest ITeS companies, leading a 10+ member team to digitise and analyse 200+ client contracts, creating a structured obligations framework for reporting, benchmarking and governance. ### Large Private-Sector Bank - Fraud risk analysis for one of India's largest private-sector banks' receivable-management process — assessing operational and system controls at the outsourced contact centre. ## AML & financial crime **AML & Financial Crime — built for scrutiny, across regimes** Designed and led end-to-end AML/CFT and sanctions programmes aligned with a US- and UK-listed group's global FATF standards and India's PMLA requirements, spanning customer, vendor and employee screening, transaction monitoring, and STR governance for a 120M+ user base. Key figures: 120 Mn+ — Subjects Screened; 3 — Regulatory Regimes ### Flutter Entertainment (Junglee Games) - Stood up a full AML/CFT program for a 120 Mn+ player base, extending due diligence to vendor and employee screening — integrated into Flutter's globally-integrated, SEC-aligned and FATF-based framework as part of a US- and UK-listed group. - Implemented the sanctions / watchlist screening tool and re-engineered platform-abuse rules to also capture AML typologies — structuring, layering, collusion and mule behaviour. - Implemented a FATF aligned AML/ CFT and Sanctions monitoring program in line with SEC requirements (as part of Flutter's globally integrated approach) and balancing the implementation from an Indian regulatory ask perspective. _Focus: FATF-aligned, SEC / LSE-listed group, OFAC · UN · EU · UK, PEP & Adverse Media, Vendor & Employee Screening_ ### Tata Neu (Tata Digital) - Architected a unified, enterprise-wide screening strategy across payments, insurance and broking — common input data rails and a single screening engine deployed once for the whole group. - Built the framework and policies to comply with the requirements stipulated by the RBI and FIU-IND viz. reporting-entity obligations, KYC and suspicious-transaction reporting. _Focus: RBI, FIU-IND, Enterprise Screening, Payments · Insurance · Broking_ ### Dhani (Indiabulls Consumer Finance) - Assessed PMLA applicability for a hybrid PPI-issuer-plus-lender business model and stood up the full AML program end-to-end, working in tandem with operations, business and legal. - Co-developed, with the product team, an in-house sanctions screening product referencing 20+ sanctions / financial-crime lists — refreshing its inventory daily and matching new and existing customers each day, with reverse (delta) screening. _Focus: PMLA, PPI + Lending, In-house Screening Product, 20+ Lists, Reverse / Perpetual Screening_ ## Contact - LinkedIn: https://www.linkedin.com/in/guptaaayush/ - Medium: https://medium.com/@ca.aayushgupta - Email: ca.aayushgupta@gmail.com - Based in New Delhi, India - Credentials: Chartered Accountant (2010), MSc IT, BCA, ISACA Cybersecurity Audit ## Selected case studies ### 01 Putting a ₹1,000-Crore Money Machine Under a Microscope — in Near Real Time _Context: Indian skill-gaming arm of a NYSE- and LSE-listed global gaming & entertainment group · ~120 million registered players · ~half a billion gameplay and payment transactions a month._ **The Challenge** — Every month, roughly ₹1,000 crore of player money moved through the platform; deposits, winnings, withdrawals, settlement, and the payment-aggregator/escrow leg. Assurance over that flow rested on manual, sample-based reconciliations that took about seven working days each month, performed well after the money had already moved. For a U.S.-listed group, a single unreconciled break or settlement leakage was both a financial and a regulatory exposure and an annual audit cadence was hopelessly slow for a system clearing money by the second. **The Approach** — Instead of adding auditors, I treated assurance as a data problem. Working with product and analytics engineers, I built an analytics-powered, near-real-time controls assurance system that ingests gameplay, payment, KYC and wallet events and continuously reconciles player-settlement funds and PA/escrow transaction fees against expected outcomes surfacing exceptions the same day rather than the next quarter. Periodic checklists became always-on telemetry. **The Impact** — Reconciliation effort on funds management collapsed from ~7 person-days a month to a few hours; assurance shifted from annual to daily; and the business gained continuous, evidence-grade visibility over a ₹1,000-crore monthly money flow precisely the escrow and settlement control a payments regulator expects to see. _Capabilities: Controls automation, Escrow & settlement assurance, Reg-tech, Three-lines operating model_ ### 02 When the Rules Changed Overnight: a Clean Wind-Down, Then a Blueprint to Come Back _Context: The Indian skill-gaming arm of a NYSE-/LSE-listed global gaming group · ~120 million users · in the immediate aftermath of India’s 2025 PROG Act, which banned real-money online gaming._ **The Challenge** — A new law abruptly outlawed the company’s core real-money business. Within a compressed window I had to wind it down cleanly — switch off every money game and bonus, ensure no cash-game surface stayed live anywhere on the platform, and return several million dollars of player balances accurately and verifiably — all under intense regulatory and reputational scrutiny. Then the harder question: was there a responsible, lawful way back? **The Approach** — I ran the shutdown as a controlled, evidence-grade programme, money games and bonuses disabled, open cash-game pages closed, and player funds reconciled and returned without defect. In parallel I shifted from defence to design. With the policy team, I became chief architect for a proposal of government-controlled regulatory sandbox to reopen skill-based gaming inside strict guardrails: a multi-ministry framework spanning technology, home affairs and finance, the central bank and the financial-intelligence unit, and national technical-standards bodies, with mandatory KYC and live selfie-matching, escrow-segregated player funds, deposit limits and irrevocable self-exclusion, a common national registry of vulnerable and debarred players, AML/CFT transaction monitoring, mule-account detection via the central bank’s AI, and AI-enabled advertising-compliance checks. I also built and then productised a capability to monitor illegal offshore gambling platforms operating in India: their acquisition tactics, payment rails (UPI handles, ‘mule-as-a-service’, side-loaded apps) and the crypto and tax-credit laundering routes through which money leaves the country, packaging the modus operandi and impact for multiple ministries to act on. **The Impact** — A legally fraught shutdown was executed with zero player-fund defects and no residual exposure; player money was returned in full. The sandbox blueprint gave government a concrete, controllable path to reclaim tax revenue and consumer protection from offshore operators, and the offshore-monitoring product turned scattered intelligence into an evidentiary tool for enforcement. Risk leadership at its most consequential — protecting consumers and the exchequer while keeping a lawful industry alive. _Capabilities: Crisis wind-down & player-fund return, AML/CFT & financial-crime intelligence, Multi-regulator engagement, Policy architecture, Productisation_ ### 03 Teaching a Billion-Transaction Payments Engine to Trust Its Own Alarms _Context: India’s largest digital payments platform · ~20 million merchants · 1 billion+ transactions a month · in the run-up to a ~$2.5 billion IPO._ **The Challenge** — The platform’s transaction-monitoring rules were noisy — too many false-positive alerts drowning genuine abuse, draining investigation capacity and degrading both fraud control and merchant experience. At a billion transactions a month, every percentage point of precision or recall was material, and an impending public listing raised the bar on the demonstrable quality of the AML and fraud-monitoring program. **The Approach** — I led a ground-up redesign of the transaction-monitoring rule set for the merchant-payments business, underpinning it with machine learning and behavioural analytics and configuring it directly into the platform’s proprietary, AI-powered monitoring engine. I also designed the AML monitoring process, product and operating model for the online-payments business. The objective was never ‘more alerts’ — it was sharper ones: rules that fire when they should and stay silent when they shouldn’t. **The Impact** — The redesigned rules delivered a 100% improvement in precision while pushing recall to ~80%, and halved false positives across the online-payments and card-acceptance (EDC) businesses, freeing investigators to focus on real threats and giving the business a monitoring program robust enough to withstand IPO-grade scrutiny. _Capabilities: Transaction monitoring & AML, ML & behavioural analytics, Payments fraud, IPO-grade controls_ ### 04 A Customer Trust Score, Built on Common Sense — Years Before the AI Boom _Context: A listed consumer-finance NBFC running one of India’s largest Buy-Now-Pay-Later books · ~6 million subscribers · ~$200 million loan book · ~$500 million annual disbursals._ **The Challenge** — BNPL growth was throttled by a brutal trade-off: tighten onboarding to stop identity theft and synthetic-identity fraud leading to genuine customers dropping out of the funnel; loosen it to grow conversion and expected credit loss (ECL) climbed. And this was before today’s generative-AI and managed-ML tooling - there was no off-the-shelf model to lean on. **The Approach** — I refused to accept the trade-off. Rather than a black box, I conceptualised and institutionalised a ‘Customer Trust Score’ - an analytics model, rooted in common sense, that drew demographic and behavioural signals from 10+ independent data sources to score the authenticity of a customer’s identity. The key shift was methodological: the team stopped reading each data trend in isolation and started analysing trends relative to one another, so the score reflected on-ground reality rather than any single noisy signal. To anchor identity to a device, not only a KYC document - I planned to roll out device fingerprinting technology as an additional layer of identity for which I evaluated 10+ device-fingerprinting technologies, selected one, authored the usage rules, and rolled it out to 2 million+ subscribers. **The Impact** — Conversion roughly doubled with no increase in ECL; the model lifted recall ~2x while improving funnel drop-offs ~3x. A genuinely hard fraud-versus-growth problem was solved with disciplined data engineering and judgement - not budget, and not hype. _Capabilities: Credit & fraud analytics, Alternate-data modelling, Device identity, Growth-with-control_ ### 05 Borrowing a Bank’s Discipline to Fix a Service Business - the Operational-Risk Reboot _Context: One of India’s largest third-party ITeS/BPM enterprises · ~$2.5 billion revenue · delivering F&A, customer service and IT services across 10+ countries (later extended to technology, healthcare and consumer-goods units)._ **The Challenge** — Operational risk in a people-heavy services business was being managed reactively. Pain points in service delivery showed up as client escalations and SLA misses, not as risks identified in advance. Conventional internal-audit checklists told leadership what had already gone wrong; they did little to anticipate failure or measure the health of the things that actually drove client outcomes. **The Approach** — I took the operational - risk discipline that BFSI institutions use to run their control environments and re-engineered it for a service-delivery world. The modified framework reframed each delivery process around its real failure modes, then instrumented them with KPIs management could monitor and report continuously - turning ‘operational risk’ from an audit artefact into a live service-quality dashboard. It was built to be portable: I deployed the same model across service delivery lines for Finance and Accounting, customer-service and IT services across technology, healthcare and consumer-goods clients. **The Impact** — Leadership gained an early-warning view of where delivery was likely to break, and a shared language and metric set to manage it. The framework became a repeatable product across business units and sectors - operational risk that paid for itself in fewer surprises. _Capabilities: Operational-risk framework design, KPI-driven continuous monitoring, Cross-sector portability, RCSA mindset_ ## Publications (Medium) ### Context, Not Control: When Audit Dropped Its Defences _Published: 16 Jun 2026_ In 2020, The Institute of Internal Auditors quietly deleted a single word: Defence. That edit is the whole story of how the people who seemed as a cost centre become the ones who own trust, growth, and yes, the funnel in digital native companies. Read: https://medium.com/@ca.aayushgupta/context-not-control-when-audit-dropped-its-defences-8a0a7d87be34 ### From Wobble to Wave _Published: 09 Jun 2026_ Your organs aren’t standalone systems — and neither are your risks. Why a rising alert queue, a 98%-healthy API, and a “winning” referral campaign were each an enterprise crisis in disguise. Read: https://medium.com/@ca.aayushgupta/from-wobble-to-wave-5efefcd378e6 Full profile & feed: https://medium.com/@ca.aayushgupta