Fintech 2024 Comparisons

India is an established market for fintech innovation and investment. with the sector accounting for about 11% of the country’s GDP. It is projected to reach USD350 billion by 2026, or about 20% of the financial sector.

On the consumer side, there has been a significant increase in the adoption of digital payments in India over the past year. The Reserve Bank of India’s (RBI) digital payments index increased from 377.46 in September 2022 to 418.77 in September 2023. India’s 87% fintech adoption rate (leading ahead of the global average of 64%) is a clear indicator of the Government of India’s (GOI) focus on financial accessibility and technical infrastructure.

The Past 12 Months

Over the past 12 months, several key developments have contributed to significant growth in the fintech sector.

UPI global

India’s United Payments Interface (UPI) has enabled seamless, affordable digital payments throughout India, which has been revolutionary for the fintech sector. The RBI is also focusing on integrating the UPI platform with payment systems of foreign jurisdictions. For this international expansion, National Payments Corporation of India (NPCI) has set up a dedicated wholly-owned subsidiary – NPCI International Payments Limited (NIPL).

The UPI global collaborations can be divided into three categories:

• NIPL’s creation, for countries with developed payment systems or with large remittances to India, of bilateral linkages between UPI and the payment systems locally available to reduce the cost of remittances (eg, the UPI-PayNow linkage enabling P2P remittances with Singapore);
• QR code-enabled payments by Indian travellers to merchants abroad (eg, the UPI-Lankapay linkage enabling P2M payments in Sri Lanka, the NIPL-NETs linkage enabling P2M payments in Singapore, and the NIPL-Neopay linkage for P2M payments in UAE); and
• extending India’s UPI technology to nations without their own instant payment infrastructure (eg, NIPL has collaborated with Bhutan’s central bank).

The limits for cross-border payments through UPI global are the same as UPI’s domestic payment limits (ie, typically INR100,000). The NPCI has also issued an operational circular to all members of the UPI payments system directing them to enable the country and currency codes for 40 jurisdictions.

Payment aggregators – cross border

The RBI has issued a circular on “Regulation of Payment Aggregators – Cross Border” on 31 October 2023 (PA-CB Circular), bringing all entities facilitating cross-border payment transactions for import and export of goods and services (PA-CB) under the direct regulation of the RBI. Through the PA-CB Circular, the RBI has moved from a light-touch approach to a full approval regime for PA-CBs. All PA-CBs, except authorised dealer category-1 banks (AD Banks), will need to obtain prior approval from the RBI to facilitate payments involving the import and export of goods and services.

Further, PA-CBs need to comply with all obligations applicable to domestic payment aggregators (PAs). Further, every non-bank PA-CB must register with the Financial Intelligence Unit-India (FIU-IND) as a prerequisite to applying for the RBI’s approval. PA-CB activity is then further classified into three categories – “export only”, “import only“ and both “export and import”.

KYC norms for virtual asset service providers

GOI recently brought all virtual asset service providers under the ambit of the PMLA. The FIU-Ind subsequently published the “AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets” (the “FIU-Ind Guidelines”) which came into effect on 10 March 2023. Every virtual asset service provider operating in India needs to:

• register with the FIU-Ind;
• adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and
• comply with PMLA requirements (eg, maintaining transaction records, reporting suspicious transactions and specified transactions to the FIU-Ind).

The FIU-Ind has also enforced the FIU-Ind Guidelines quite aggressively – it has recently served show cause notices to several crypto-exchanges for failing to register, and directing GOI to block their URLs.

The Next 12 Months

Self-regulation for fintechs

Following the success of the self-regulation model for non-banking financial companies (NBFCs) – microfinance, the RBI issued a “Draft Framework for Self-Regulatory Organisations (SROs) in the FinTech Sector” on 15 January 2024 and has invited stakeholder feedback. By pivoting towards an SRO, the RBI is maintaining a delicate regulatory balance – it is permitting the fintech sector to proactively set and adhere to its own industry standards and best practices.

The RBI is expected to issue the fintech SRO framework this year and to also grant recognition to at least two fintech SROs, in line with the NBFC-microfinance model.

The rupee goes digital

The digital rupee (e₹) is India’s central bank digital currency (CBDC). It is legal tender to be issued in digital form by the RBI and holds a 1:1 exchange rate with physical currency. The current e₹ design framework contemplates both a retail (CBDC-R) and wholesale (CBDC-W) use case. The CBDC-R will power the growth of digital payments in India, while the CBDC-W is expected to significantly reduce inter-bank settlement costs and risk.

India launched the pilot for CBDC-W and CBDC-R last year and has been gradually scaling up its pilots. RBI is also exploring several functionalities during the pilots; eg, offline e₹ and specific end-use restrictions.

Regulation of personal data

GOI enacted the Digital Personal Data Protection Act (DPDP Act) on 11 August 2023. The DPDP Act is a technology- and sector-agnostic umbrella framework that governs the processing of all digital personal data. Unlike the Current Data Privacy Framework (see 2.2 Regulatory Regime), there are no tiered obligations for different categories of data.

The DPDP Act is individual consent-centric. The processing of all personal data (any data about an individual who is identifiable by or in relation to such data) of an individual can largely be undertaken based on consent of such individual or, in limited circumstances, for certain legitimate uses carved out under the DPDP Act. Note that a data fiduciary (ie, the entity determining the purpose and means of processing personal data) is responsible for ensuring compliance with obligations under the DPDP Act.

Note that while the DPDP Act has been enacted, it is not currently in force. We expect the DPDP Act to come into force in phases over the next few months with sector-specific regulations. Several financial players are in the process of aligning internal consent architecture frameworks and data protection systems and controls with the requirements of the DPDP Act.

Operational difficulties for PA-CBs

A PA-CB will be treated as a reporting entity and will be obligated to undertake client due diligence, maintain a record of specified transactions for the prescribed period and report specified transactions to the FIU-IND. The requirement of obtaining the RBI’s prior approval and registration with the FIU-IND could also prove to be operationally and practically challenging for PA-CBs. While such changes will encourage transparency and reporting for cross-border transactions, the recent regulatory framework will increase compliance and operational costs for PA-CBs and result in smaller players re-thinking their business model in India.

The various fintech business models or verticals that are currently predominant in India are, broadly:

• digital payments;
• digital lending; and
• a host of intermediary services such as payment aggregation, payment gateway services, credit analysis, post-disbursement services etc, that serve to create a seamless user experience.

Products pertaining to other significant aspects of fintech, such as insurtech, regtech and wealthtech are starting to scale in the Indian market.

Digital Payments

UPI payments

The UPI is a payments platform managed and operated by NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users (see 1.1 Evolution of the Fintech Market).

Prepaid payment instruments (PPIs)

PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. Under the revised Master Directions on Prepaid Payment Instruments issued by the RBI on 27 August 2021 (PPI Master Directions), PPIs may be issued under one of the following categories:

• closed-system PPIs, for purchase of goods or services offered only by the PPI issuer (they do not require prior approval from the RBI); or
• PPIs that require RBI approval/authorisation prior to issuance are classified under two types: small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchase of goods and services. Fund transfers or cash withdrawal from such PPIs are not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments. Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for purchase of goods and services, fund transfers or cash withdrawal.

Access to central payment systems

The RBI, as part of its drive to encourage digital payments, announced that all non-bank payment system providers like PPI issuers, white label ATM operators and card networks will also be granted access to central payment systems like NEFT and RTGS. This is to promote stability and minimise risk in the payment and settlement ecosystem.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium-sized enterprises (MSME) and retail clients.

Digital Lending is under the regulatory purview of the RBI – under the Digital Lending Guidelines of 2 September 2022 (the “DL Guidelines”), prescribing a regulatory framework for the digital lending ecosystem in India.

The DL Guidelines apply to both regulated entities (REs) and the lending service providers or digital lending platforms that enter into partnership arrangements with REs to provide digital lending products to consumers.

The DL Guidelines prescribe guardrails in connection with the kinds of customer data that can be accessed and stored by lending service providers, the consent architecture that must be in place for the collection and storage of such customer data and detailed disclosure requirements to protect customer interest and prevent mis-selling of credit products. DL Guidelines also provide for indirect regulation of lending service providers through regulated lending institutions.

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers – ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as an NBFC–P2P lending platform, subject to a few identified exceptions.

Payment Intermediaries

Payment aggregators

These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators receive payments from customers, and pool and transfer them to the merchants after a period of time. The RBI has recently brought cross-border payment service providers into its regulatory purview (see 1.1 Evolution of the Fintech Market).

Payment gateways

Payment gateways are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

Payment aggregators and payment gateways are governed by the RBI’s regulatory framework (PA/PG Guidelines) requiring payment aggregators to be licensed by the RBI, while prescribing recommended technical standards for payment gateways.

The regulatory framework governing key verticals (see 2.1 Predominant Business Models) and industry participants is fragmented and spread across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (PSS Act)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a payments system is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments, and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (the “PML Rules”). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and anti-money laundering verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

The RBI, as the principal financial regulator, periodically issues “master directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific master directions regulating:

• PPIs;
• NBFCs;
• P2P lending;
• payment aggregators and payment gateways (including PA-CBs);
• account aggregators; and
• other market participants and offerings.

The RBI Master Directions on KYC (dated 25 February 2016 and last amended on 4 January 2024) draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits REs such as NBFCs, payment systems operators/system participants to obtain authorisation to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the 2000 Information Technology Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Current Data Privacy Framework) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once effected, the DPDP Act will overhaul the existing data protection framework.

Separately, the RBI also issued a circular in April 2018 (Data Localisation Circular), which mandates that all payment data be stored on servers located in India. While such data can transferred outside of India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act (once brought into effect).

Compensation models across key product offerings typically take the following form:

• PPIs/debit cards/credit cards/UPI, all charge Merchant Discount Rate (MDR) – ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator. For cards, transaction interchange fee, interest and float income and card issuances act as additional income lines.
• Digital lenders charge loan processing fees and interest from their customers, which are usually linked to the volume and tenor of the loan. Digital lenders can also levy additional penal charges for defaults, in a manner that is reasonable and only for material non-compliance. Penal charges must not be used as a revenue enhancement tool.
• Payment aggregators/gateways charge the e-commerce marketplaces and merchants for their payment aggregation services and/or technological support provided. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

To promote indigenous payment instruments, GOI has mandated zero MDR for certain transactions. This could impact the cost competitiveness and revenue flows of foreign fintech players, in comparison with domestic fintech players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandates that:

• REs (such as banks and NBFCs) adopt a “fair practices code”, to be made available on their websites (in English as well as in the vernacular language), setting out the process for loan applications and the key terms and conditions associated with the lending product (including all charges, fees and interest rates);
• all lending institutions provide a “key fact statement” in a standardised format for loan processing, and such standardised format must specify the annualised percentage rate for the lending product (which is inclusive of all charges, fees and interest rates in connection with the credit product offered by them); and
• all REs (such as PPI Issuers, payment intermediaries, banks, and NBFCs) adopt suitable customer grievance redressal mechanisms and designate “nodal officers” to address customer complainants, so as to ensure fairness in operation of such products, including the compensation models employed by them.

Taking a holistic view of the regulatory framework (see 2.2 Regulatory Regime), it appears to treat both new fintech players and established players (like banks) impartially.

However, there is a significant discrepancy when it comes to banks' ability to conduct Aadhaar-based E-KYC checks for customer onboarding, a capability that is not extended to non-bank players (like NBFCs). This discrepancy imposes additional compliance costs on non-bank players. Nevertheless, the RBI has taken steps to address this issue by allowing non-bank players to obtain authorisations to conduct Aadhaar-based E-KYC authentication, enabling them to utilise the services provided by the Unique Identification Authority of India (UIDAI) for E-KYC purposes. Further, the RBI’s focus on enabling centralised KYC processes (which may be used by several kinds of regulated entities) may potentially bridge the cost disparity between banks and non-bank players.

RBI

Framework and eligibility

The RBI issued a Regulatory Sandbox Enabling Framework in August 2019 permitting eligible fintech companies to live-test their products in a controlled/modified regulatory environment, provided that such product is compliant with the designated theme for the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI to test their products in a sandbox:

• net worth of at least INR1 million;
• satisfactory credit score/history of promoters and directors;
• promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
• demonstrated ability to comply with personal data protection laws; and
• adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

The framework outlines the five stages of the sandbox process for a single cohort involving preliminary screening, finalising test designs, application assessment, closely monitored testing and lastly, assessment of the final output by the RBI. The end-to-end sandbox process practically takes more than 1.5 years for each cohort.

To date, the RBI has announced five cohorts – on retail payments (February 2021), cross-border payments (December 2020), micro, small, and medium-sized enterprise lending (October 2021), prevention and mitigation of financial frauds (June 2022) and a fifth “theme-neutral” cohort (October 2023). The successful exit of 15 applicants from the first three cohorts has led to innovations such as a purely digital cash flow-based credit underwriting process for MSMEs and a voice-based UPI payment solution that supports local languages and offline use.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed similar regulatory sandbox products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from the NPCI, the UIDAI, IRDAI and the SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

In India, the primary regulator for fintech is the RBI, which has shifted from a light-touch approach to a full-regulation model in recent years. The RBI is responsive to market changes and technological advances, and regulations have been promptly updated to account for such developments.

NPCI

The NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act and was established with a view to creating an innovative and robust payment and settlement infrastructure in India.

UIDAI

The UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. The UIDAI has been central to framing the rules governing the use of Aadhaar by fintech players as a means for customer onboarding and verification.

IRDAI

The IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, specifically for insurtech elements.

SEBI

The SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. It has jurisdiction over aspects of fintech related to robo-advisors, algorithmic trading and financial research platforms, although these areas are still nascent in India.

The permissibility of outsourcing regulated functions in the Indian fintech space is governed largely by the outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs. Broadly speaking, the core regulated activities cannot be outsourced to unregulated entities, under the extant regulatory framework. The RBI also issued Outsourcing Guidelines with respect to non-bank payment system operators on 3 August 2021 (collectively with the outsourcing guidelines applicable to banks and NBFCs, the “Outsourcing Guidelines”) in order to mitigate any risk in relation to the outsourcing of payments and settlement-related activities.

Outsourcing Guidelines

These guidelines require that banks, payment system operators and NBFCs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliance, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside of India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities.

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

• Banks, payment system operators and NBFCs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider.
• Payment aggregators are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards.
• Banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

In case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime) the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act, or the PSS Act.

The RBI has stepped up its enforcement actions against REs in the last three years. Enforcement actions typically take the form of monetary fines and penalties and, in exceptional cases, revocation of the authorisations and licences granted by the RBI to the REs. The RBI recently prohibited an RE from onboarding new customers and restricted any further deposits due to their failure to comply with KYC verification requirements. The RBI has also in the past revoked NBFC licenses of entities engaging in unfair lending practices, and aggressive recovery tactics or which did not fulfill the regulatory criteria.

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

• the Current Data Privacy Framework requires certain REs (including banks, NBFCs, and PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy (note that the Current Data Privacy Framework will be replaced by the DPDP Act upon effectiveness);
• the Data Localisation Circular (see 2.2 Regulatory Regime);
• the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
• the intermediary guidelines/rules under the 2000 Information Technology Act, require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe intellectual property, and does not violate any other prevailing laws.

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires REs to have in place several checks and balances that serve to review the functioning and operations of industry participants. By way of an indicative overview:

• Banks and NBFCs are subject to a detailed ongoing compliance framework that involves a review of their operations by external auditors/accountants.
• The RBI has set up designated ombudsman offices under its management and supervision, charged with receiving and considering complaints from customers relating to deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on REs.

These compliances represent strict regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.9 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While regulated products are offered by REs (such as banks, NBFCs and PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

Traditional credit information in India is collated by specialised REs called credit information companies (CICs). Access to traditional credit information through such CICs was originally restricted only to REs. Some non-bank entities, fulfilling the criteria prescribed by the RBI, have now been allowed to access information from CICs. However, this criterion is still quite strict (including a net worth of at least INR2 crores, Indian-owned and controlled status, at least three years of experience in data processing and a clean track record).

Due to such restricted access to traditional credit information, a market space for unregulated players to undertake non-traditional “behavioural scoring” has grown in India. These fintech entities typically utilise data that does not strictly constitute credit data and is therefore not currently subject to regulatory limitations. Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the consent requirements under the DPDP Act (once enforced) will also cover such data collection and processing.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers with a seamless customer experience.

The KYC Master Directions apply to REs (including banks, NBFCs, PPI issuers, and payment system providers). The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. REs must file reports of suspicious transactions, including transactions relating to terrorism, with the FIU-Ind. REs are also required to appoint a principal officer who is responsible for monitoring and reporting all transactions and sharing information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, payment system operators and NBFCs from outsourcing core functions such as KYC compliance.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage. While undertaking the business of investment advice requires registration with the SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. Several RE players have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach to incorporate robo-advisory services:

• acquisition or partnerships with players in the robo-advisory space; or
• development of in-house technology, using internal analytical information to provide robo-advisory, putting them in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve network creation and connectivity issues between the clients and robo-adviser platforms, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

The lending regulations in India are broadly borrower-agnostic. However, the extent of regulatory supervision differs depending on the category of lender. Both banks and NBFCs are required to comply with specific capital adequacy, asset quality and prudential norms. While banks are generally heavily regulated, NBFCs are subject to relatively less stringent regulation. Lending service providers or digital lending applications are front-end entities and are only indirectly governed by the DL Guidelines.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders – ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Furthermore, the Indian financial sector also often sees lending partnerships between banks and NBFCs, whereby the bank brings the advantage of capital, while the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

• credit score and credit reports from CICs;
• annual income and sources of income; and
• status of existing loan accounts, including any delayed repayments, defaults, etc.

Non-traditional behavioural data is increasingly being used for credit analysis (see 2.12 Conjunction of Unregulated and Regulated Products and Services). Technology platforms that already have access to some of this behavioural data have taken the lead in the development of these alternative credit scoring models.

The DL Guidelines mandate that REs undertake responsible lending by capturing the economic profile of the borrowing (including age, occupation, income, etc) to assess the borrower’s creditworthiness in an auditable way. To this end, the DL Guidelines permit collecting data that is required in connection with its operations, provided the digital service provider/regulated entity is able to demonstrate a tangible and direct link between the borrower data collected and economic profiling of the borrower enabling credit decision-making.

The RBI also dictates detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of onboarding.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end uses, such as:

• banks are prohibited from sanctioning loans against the security of its own shares;
• banks are prohibited from sanctioning such loans that are to be used for buy-back of securities; and
• banks are restricted from granting loans to their directors or their relatives, except where approved by the bank’s board of directors and subject to compliance with other specified restrictions.

NBFC

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings – ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI, which include maintenance of leverage ratio and capital adequacy norms.

The Bond Market

The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with the SEBI. In case of foreign portfolio investors, there are restrictions on end uses, in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to the issuing of debt securities, access to debt capital markets tends to be restricted to larger corporates, and these markets have not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods and end-use restrictions.

P2P Lending

The RBI also permits P2P lending via REs which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform is itself restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed for holding security for the benefit of the lending banks. The arrangement typically also involves the appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.

The RBI has mandated information sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, and establishing a system of exchange of information with respect to the borrower’s credit facilities between banks (upon obtaining appropriate consent from the borrower).

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the 1999 Foreign Exchange Management Act (FEMA) and the rules, regulations and circulars issued thereunder. FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inbound to India or outbound from India. Such transactions are undertaken by AD Banks, authorised under FEMA to deal in foreign exchange on behalf of their clients.

For personal remittances inbound to India, residents may use the facility to receive such payments through money transfer operators.

RBI-approved PA-CBs also facilitate cross-border payments in exchange for goods and services. Additionally, UPI global is the latest entrant in the cross-border payments space in India (see 1.1 Evolution of the Fintech Market).

Fund administrators/managers such as mutual funds, alternative investment funds and portfolio managers, are regulated by the SEBI. Depending on the nature and scope of their activities, entities engaged in providing investment services through mutual funds, alternative investment funds and portfolio management services, are required to obtain authorisation from the SEBI to undertake their business activities.

Fund administrators in India are directly regulated by the SEBI and are required to comply with the regulations specified by the SEBI from time to time, depending on the nature of their business. Requirements pertaining to assured performance and accuracy are primarily guided by the SEBI under regulations and not contractually between fund advisors and fund administrators.

Under Indian law, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which is registered with the SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts. Different asset classes are governed by varying regulations, depending on the nature of the asset (eg, equity-linked, debt-linked or pooled investment vehicle).

The principal regulators for stock exchanges are the SEBI, the Ministry of Finance and the RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, the RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by the RBI. Such electronic trading platforms must be registered with the RBI and must comply with minimum capital norms, technological standards and other safeguards.

See 7.1 Permissible Trading Platforms.

The RBI and GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. However, over the last year, their stance on cryptocurrency has softened from a “complete ban” to a “regulation” approach, in line with the global developments in the cryptocurrency space.

Indian regulators are therefore now focused on regulating crypto-intermediaries (including crypto-exchanges) with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements (see 1.1 Evolution of the Fintech Market). 

Additionally, advertisements dealing with cryptocurrency and/or virtual assets must contain adequate risk disclaimers and must not equate such products with regulated products, in accordance with the code issued by the Advertising Standards Council of India.

Listing standards and disclosure requirements are governed by the SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

As far as digital lending is concerned, currently there are 24 P2P lending platforms authorised by the RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

Given the extant regulatory framework and regulatory stance against cryptocurrency in India, P2P cryptocurrency trading platforms have very limited operations in India.

In 2010, the SEBI approved the smart order routing facility to improve the procedure for the execution of trades on the stock exchanges. The facility was introduced to enable brokers and trading engines to systemically choose the execution destination based on factors such as price, costs, speed, likelihood of execution and settlement, size, nature or other relevant considerations in connection with the execution of an order.

The SEBI prescribes procedural rules for processing payments for trades in listed securities. For example, in 2018, the SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee whether appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues (eg, timely reviews of the margining system).

SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

SEBI permitted institutional investors to use DMA through SEBI-registered investment managers.

In respect of algorithmic trading, SEBI issued the Broad Guidelines on Algorithmic Trading and subsequently issued additional guidelines pertaining to the same.

Additionally, SEBI issued the Measures to Strengthen Algorithmic Trading and Co-location/Proximity Hosting Framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and the free-of-charge tick-by-tick data feed (TBT Feed), order-to-trade ratio (OTR) penalties, unique identifiers for algorithms/tagging of algorithms and the testing requirements for software and algorithms. These obligations were targeted at stock exchanges (except for commodity derivatives exchanges) in the country. Recent trends of SEBI have been towards relaxing the OTR and orders per second (OPS) limits.

Recently, SEBI released a notification banning mis-selling of algorithmic strategies by making references to past performance or expected returns.

The circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers require market makers to register with the stock exchanges per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as a market maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing the trading algorithms and other electronic trading rules, lay down the following obligations on programmers:

• all algorithmic orders be tagged with a unique identifier provided by the stock exchange in order to establish an audit trail; and
• the testing procedures which are to be followed by market participants before deployment of software and algorithms.

While India has not yet enacted specific guidelines to regulate decentralised finance, GOI is proposing to enact a legislation governing cryptocurrencies, crypto-wallets as well as decentralised finance platforms. In the absence of specific guidelines, decentralised finance is currently governed under the extant regulations on payment systems, and payment and investment intermediaries.

The companies or individuals operating Financial Research Platforms may be required to be registered as a research analyst or research entity under the Securities and 2014 Exchange Board of India (Research Analysts) Regulations (the “Research Analyst Regulations”).

A Research Analyst requires registration if they are primarily responsible for:

• preparation or publication of the content of a research report;
• providing a research report;
• making “buy/sell/hold” recommendations;
• giving price targets; or
• offering opinions on a public offer with respect to securities that are listed or to be listed on a stock exchange.

A research entity is subject to registration if it is an intermediary registered with SEBI that is also engaged in merchant banking, investment banking, brokerage services or underwriting services and issues research reports or research analysis in its own name through the individuals employed by it as a research analyst and includes any other intermediary engaged in the issuance of research reports or research analysis.

The Research Analyst Regulations lay down the various checks and balances that ensure rigorous scrutiny of research reports and eliminate any unverified information. The Research Analyst Regulations also include obligations for acting with honesty and in good faith, conducting appropriate due diligence, and abiding by professional standards to ensure adherence to standards of conduct and procedures. Non-compliance with the prescribed code of conduct has legal repercussions under the Research Analyst Regulations.

The financial research platforms in India usually do not allow for readers to post on the platforms, but function rather as closed digital publications. However, if any unacceptable behaviour is observed, the financial research platforms usually reserve the right to modify and regulate the content being posted on their websites through their terms and conditions of use.

Additionally, liabilities for persons engaging in unacceptable behaviour such as pump and dump schemes, spreading of insider information, etc, are set out in specific regulations such as the 2015 SEBI (Prohibition of Insider Trading) Regulations, the 1860 Indian Penal Code, and the 2000 Information Technology Act.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with the IRDAI. The underwriting processes to be undertaken by insurers and insurance intermediaries are specified by the IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, and audit and reporting mechanisms.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance and vehicle insurance.

Most regtech providers in India are centered around providing KYC and related onboarding services. There is also a recent boost in regtech solutions focusing on end-to-end automation of securities and labour compliances.

There is no direct regulation governing regtech providers in India. Certain functionalities of regtechs may, however, be subject to regulatory oversight. For example, customer onboarding regtech providers in India are typically engaged as agents of the REs through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing the use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information and requirements on storage of Aadhaar, which are also relevant for regtech providers utilising the Aadhaar database for their services.

See 11.1 Regulation of Regtech Providers and 2.7 Outsourcing of Regulated Functions. Requirements pertaining to assured performance and accuracy for unregulated regtechs are contractually agreed. They usually contain a limitation of liability clause and an express “no warranty” clause as to their accuracy and completeness.

Traditional financial services players such as banks are developing interesting and effective applications for the use of blockchain in the financial services industry in India. India’s Bankchain consortium has recently launched a permission-based blockchain for integrated and shared KYC (Primechain KYC) and is exploring its use for processing letters of credit, tax invoices, and e-way bills, particularly for MSMEs.

Meanwhile, the Indian regulator is also currently exploring a blockchain-based pilot project for reducing loan frauds through its wholly-owned subsidiary.

On the private side, financial blockchain start-ups in India are primarily focused on cryptocurrency exchanges. However, there is a growing interest in newer applications for blockchain, such as supply chain financing and digital identity verification.

Unlike towards cryptocurrency, GOI and regulators have taken a positive stance towards blockchain technology. The RBI is playing an active part in collaborating with banks piloting blockchain applications and has also included applications of blockchain technologies to be tested in its sandbox.

GOI has developed a National Strategy on Blockchain to synergise stakeholder inputs and develop e-governance applications of blockchain. NITI Aayog, the policy think tank of GOI, published a report titled Blockchain: The India Strategy, highlighting the different use cases for blockchain.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as the 1860 Indian Penal Code, and the 2019 Consumer Protection Act.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges and 7.7 Issues Relating to Best Execution of Customer Trades.

The current regulatory framework does not contemplate blockchain assets. The funds investing in blockchain assets are therefore unregulated.

Owing to a lack of clarity on how to classify virtual currencies (they do not fall under securities, commodities, currency, payment or security tokens), they remain excluded from most regulations. However, after the 2022 budget speech, GOI declared virtual currencies to be taxed as a separate class called “virtual digital assets”.

All income from the transfer of virtual assets including cryptocurrencies is subject to 30% tax. GOI also announced a tax deducted at source (TDS) of 1% on all cryptocurrency-based transactions. A gift of virtual digital assets is also proposed to be taxed in the hands of the recipient.

The RBI and GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. India is currently piloting the e₹, which is anticipated as a replacement for all privately owned cryptocurrencies in India after its launch. See 1.1 Evolution of the Fintech Market.

DeFi has not been defined under any regulations in India, at present. There is a regulatory vacuum with regard to DeFi platforms. Moreover, India operates a centralised finance model, with the RBI acting as the chief financial regulator, and does not recognise a DeFi system or related activities.

The regulatory landscape surrounding NFTs is unclear. However, NFTs have been recently recognised as a subclass of virtual digital assets and subject to the same taxation regime.

India has adopted a distinctive approach to open banking. It has created several comprehensive public infrastructure and standards, collectively known as the “India Stack”. The India Stack acts as a platform which brings together traditional financial institutions and fintech firms, creating a common infrastructure.

The India Stack has been developed in layers over the past decade, with a proactive role played by regulators:

• Identity layer: the Aadhar digital identity system. It facilitates identity verification and tracing of individuals' particulars across various datasets. The RBI has mandated Aadhar-interlinked KYC practices for all REs through the 2016 Master Direction – KYC Direction.
• Payments layer: the UPI, Aadhaar-enabled Payment System, and Aadhar Payments Bridge. These create a fully interoperable payment system that is subject to the supervision of the NPCI.
• Documents layer: the “Digilocker” – a cloud-based platform which enables registered governmental authorities to issue, and citizens to access, authenticated identity documents and certificates.
• Data layer: the data empowerment and protection architecture. In the financial sector this equates to the Account Aggregator (AA) framework, which is currently under development.

AAs are regulated entities, which allow users to share their financial data securely and seamlessly, and have gained traction with both financial information users (FIUs) and financial information providers (FIPs). It is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from FIPs on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consented FIU. The RBI licenses the AAs and registers the data providers and users under the AA framework. However, in the long run AAs are expected to be self-regulated under the industry body Sahamati, with a lighter role for the RBI.

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator of fraud getting illegal access to card or other payment credentials (such as illegal tapping on unsecured internet networks, phishing attacks, spam and fraudulent calls to retrieve sensitive payment credentials like card numbers, PINs, OTPs and passwords) and then using them to make payment transactions. Financial regulators are quick to react and introduce regulatory measures to protect customers, for example, in light of increasing card fraud, the RBI has introduced guidelines on the storage of customer card data and a tokenisation framework to control such fraudulent transactions.

Indian regulators primarily focus on frauds affecting retail customers and the general public (such as card frauds, fraudulent loan recoveries, unauthorised transactions) as well as frauds that have larger system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc). The RBI is constantly engaged in monitoring emerging fraudulent techniques in order to protect retail consumers from such threats.