THE CLIENT
ARKA Fincap
Arka Fincap is a systemically scaling NBFC with a diversified lending portfolio across retail, MSME, and corporate segments. As a regulated lender operating at the intersection of finance policy, compliance, and growth, Arka carries the governance burden of a mature financial institution while still moving at the pace of a scaling business.
The company operates across multiple branches, departments, and product lines, with a growing team, a widening vendor network, and transaction volumes that scale every quarter. Running a regulated NBFC means every user, every entry, and every approval has to sit inside a defensible control environment that stands up to internal audit, external SOC2 review, and regulator scrutiny.
Arka was already running on Zoho Books, Zoho Expense, and the broader Zoho Suite as the operating system for finance and internal operations. The platform had served the early years well, but the control environment needed to catch up with where the business was going.
What Was Broken?
The Zoho environment was not failing. It was simply too open for the scale Arka had grown into. Financial data was visible to users across departments with no segregation by branch or team. Approval rules were constrained and not mapped cleanly to Arka’s finance policy. Users could create accounts under the corporate domain on their own, self-manage MFA, and in some cases edit transactions even after payment had been released. There was no centralised identity layer, no structured vendor onboarding workflow, and no clean audit trail mapping departmental SLAs back to responsible owners.
The result: a governance gap that widened with every new hire, every new branch, and every new vendor. Leadership could not give an auditor, a regulator, or the board a clean answer in a single view. The stack needed to enforce policy, not just record transactions.
What BGA Delivered
BGA designed and implemented a comprehensive governance, identity, and access control framework on the Zoho Suite, architected specifically for Arka’s NBFC operating model. The work touched every layer from organisational identity down to transaction-level lockdowns, built inside the live environment without disrupting the operations team running the business day to day.
- Branch-Wise Access Control Framework
We redesigned how financial data is visible across the organisation. Users now see only the transactions that belong to their branch and their role. Accidental cross-team exposure has been closed by design, and data visibility is now a function of role, not default access.
- Multi-Tier Approval Architecture
Approval rules for bills, expenses, and vendor payments were rebuilt from the ground up to match Arka’s finance policy. The new architecture supports the volume and variation the business now handles, with clear routing by transaction type, department, and value.
- Transaction Lock-Down Controls
Paid and approved transactions are now protected from unauthorised edits by design. Users outside the admin circle cannot modify entries once they have cleared the approval chain, closing a significant control loophole in the earlier setup.
- Centralised Identity and Access Management
We deployed Zoho Directory to bring identity, access, and MFA under centralised administrator control. Individual users can no longer self-provision accounts, self-manage MFA, or close access on their own. Every identity event is now governed from a single point.
- Domain Identity Governance
We locked down the ability for users to create their own Zoho IDs under Arka’s corporate domain. Domain access is now administrator-controlled, removing a long-standing shadow IT risk and tightening the organisation’s identity perimeter.
- Vendor Onboarding Portal
We designed and built a custom Vendor Onboarding Portal on Zoho Creator, tied back into the core finance environment. The portal replaces ad-hoc onboarding by email and spreadsheet with a structured, approval-based workflow covering vendor registration, documentation, compliance checks, and activation, with an audit trail at every step.
- Audit Trail and Traceability Framework
Departmental workflows now carry a clean audit trail with clear ownership and SLA visibility. Leadership and audit teams can trace any transaction, approval, or user action back to the responsible owner and the exact point in the workflow.
- SOC2-Aligned Control Environment
The combined framework across access, approvals, identity, and audit trail was aligned to SOC2 expectations, giving Arka a control environment that is audit-ready and stands up to enterprise review.
BGA Approach
This was not a typical Zoho implementation. Arka already had Zoho running the business. They did not want to replatform. They wanted a control layer built into the existing environment, one that could enforce policy without slowing the operations team down.
BGA brought the right combination: deep understanding of NBFC governance and financial controls, Chartered Accountant discipline, and Zoho platform expertise at Advanced Partner level. We understood that in a regulated lending business, every user needs a defined scope, every transaction needs an approval trail, every identity needs centralised control, and every workflow needs to be defensible to an auditor. The work had to be done inside the live environment, with no disruption to the team running the business.
The result: a Zoho environment that enforces policy at the platform level, gives finance and audit a clean trail, keeps users inside their lane by design, and scales with Arka’s growth without scaling the governance risk.


