India is the third largest and the fastest growing fintech market globally. India’s fintech sector has a combined market capitalisation of ~USD120 billion.

On the consumer side, Indians are the most open to adopting fintech solutions as evidenced by a fintech adoption rate of 87%, which is significantly higher than the global average of 64%. India’s investments in digital public infrastructure (DPI) and favourable demographics are the key drivers behind the growth of the Indian fintech sector.

The Past 12 Months

Over the past 12 months, several key developments have contributed to significant growth in the fintech sector.

UPI-linked innovations

India’s United Payments Interface (UPI) has enabled seamless, affordable digital payments throughout India, which has been revolutionary for the fintech sector. Over the last year, several innovative payment products have been developed, building on top of the UPI DPI.

Rural Accessibility – UPI 123 Pay and Hello!UPI

National Payments Corporation of India (NPCI) has developed products focusing on financial inclusion and accessibility to rural and other underserved areas. These include UPI123Pay and Hello!UPI, which enable instant payments for users with feature phones, with limited or no internet connectivity or through voice-enabled payment instructions in a regional language.

Interoperability – PPI on UPI TPAPs

By way of a notification dated 27 December 2024, the Reserve Bank of India (RBI) enabled interoperability across prepaid payment instruments (PPIs) using UPI. The RBI permitted full-KYC PPIs (see 2.1 Predominant Business Models) to make and accept interoperable payments through third-party applications (TPAPs). Earlier, transactions with a PPI could only be conducted through the UPI functionality in the PPI issuer’s own app and the customer could not link their PPI wallet to a UPI handle through a TPAP.

UPI Global

Through NPCI International Payments Limited (NIPL), NPCI’s dedicated wholly-owned subsidiary, NPCI has entered into global collaborations to: (i) create bilateral linkages between UPI and the payment systems available locally in offshore jurisdictions; (ii) power QR-code enabled payments by Indians to merchants abroad; and (iii) extend India’s UPI technology to nations without their own instant payment infrastructure. The NPCI International Payments NIPL is expected to expand UPI Global to ~40 jurisdictions. The limits for cross-border payments through UPI Global are the same as UPI’s domestic payment limits (ie, typically INR100,000).

ULI

The Unified Lending Interface (ULI) is a technology platform developed by a subsidiary of the RBI – the RBI Innovation Hub (RBIH) – to streamline digital lending by enabling seamless access to authenticated data from multiple sources. ULI simplifies the integration process for lenders, eliminating the need for individual connections with diverse data sources such as government authorities, fintech and techfin players, account aggregators, credit bureaus, and digital identity systems.

Dubbed the “UPI of digital lending”, ULI facilitates frictionless credit delivery, reduces operational costs, and enhances efficiency. Since its pilot launch on 17 August 2023, ULI has facilitated disbursement of loans worth INR270 billion as of 6 December 2024, with 36 regulated entities (REs) onboarded.

Streamlined KYC processes

On 6 November 2024, the RBI introduced amendments to the Master Direction - Know Your Customer (KYC) Direction, 2016 (KYC Master Directions). The KYC Master Directions require REs to allot a unique customer identification code (UCIC) to each customer. Further, once a customer’s data is uploaded to the Central KYC Registry (CKYCR), they are allotted a KYC Identifier – a 14-digit unique identification code allocated by the CKYCR.

The amendments to the KYC Master Directions include two key changes. First, for undertaking the identity verification of a customer (whether at the first instance of establishing an account-based relationship, or at the update/periodic update stage), the RE must first seek the KYC Identifier from the customer or retrieve it from the CKYCR. They can then proceed to obtain the KYC records from the centralised registry. A customer will not be required to submit the same KYC records or any other additional identification documents, except in the limited circumstances prescribed (the information retrieved being incomplete/invalid, any change in customer’s details, etc).

The amendments to the KYC Master Directions have also added the concept of “updates”, encouraging REs to ensure the real-time accuracy of CDD documentation. Furthermore, any updated KYC information from a customer must be submitted to the CKYCR within seven days of receipt. The CKYCR will subsequently notify all REs that have interacted with the customer regarding such updates and require them to revise their records accordingly. 

By maintaining updated centralised records and encouraging REs to first utilise the information from the centralised records before asking customers for further documents, the amendments to the KYC Master Directions are making KYC data accessible across REs and reducing duplication/friction in the customer onboarding process.

The Next 12 Months

Regulation of personal data

In August 2023, the Government of India (GOI) passed the Digital Personal Data Protection Act (DPDP Act). The DPDP Act is a technology-agnostic, sector-agnostic umbrella framework which governs the processing of all digital personal data. While the DPDP Act has been enacted, it is not currently in force.

On 3 January 2025, the GOI released the draft Digital Personal Data Protection Rules, 2025 (Draft Rules), together with an explanatory note for comments from the public. After completion of the consultation process, the Draft Rules may be revised and finalised by the GOI. The DPDP Act will come into force when the GOI publishes notification(s) regarding commencement of the DPDP Act and the DPDP Rules in the official gazette.

The GOI will likely adopt a staggered approach to enforcement of the DPDP Act and the DPDP Rules. Upon effectiveness, the DPDP Act will replace the currently applicable statutory framework on data privacy and data protection in India (see 2.2 Regulatory Regime).

Development of regulations for AI

The Indian fintech sector (particularly payments and wealthtech) has rapidly adopted evolving technologies such as blockchain and artificial intelligence (AI). Both bank and non-bank entities in India rely on AI-based tools to improve customer experience, especially, in the areas of product identification and matching, background and credit verification checks and CGRM.

While there are currently no comprehensive regulations specifically addressing AI in India, the financial sector regulators and the GOI have initiated steps to address the adoption of AI.

The GOI issued an advisory dated 15 March 2024, setting out due diligence norms regarding AI and other generative software to all intermediaries and platforms under the 2000 Information Technology Act (IT Act). The advisory imposes several due diligence obligations on intermediaries to ensure responsible use of such technologies. These include: (i) ensuring that AI or other generative software does not facilitate the transmission of unlawful content; (ii) clearly labelling content produced by AI tools if it is unreliable or still undergoing testing; and (iii) adding a permanent unique metadata tag to outputs that could potentially spread misinformation or generate deepfakes, enabling identification of the content's originator.

The Report on AI Governance Guidelines Development dated 6 January 2025, released for public consultation by a sub-committee of the GOI, provides an insight on the future regulations/legislation governing AI in India. It suggests an activity-based regulations approach and that effective enforcement of existing legislations can assist in mitigation of most AI-associated risks (though specific legislations may be required in areas such as copyright laws).

In December 2024, the RBI also announced the formation of an eight-member committee to develop a Framework for Responsible and Ethical Enablement of AI to recommend a robust, comprehensive, and adaptable AI framework for the financial sector.

Stringent regulatory actions

Another key issue for the Indian fintech sector is the unprecedented increase in enforcement actions by the RBI against REs over the last year, primarily by way of monetary fines, penalties, and business restrictions. In exceptional cases, the RBI has also revoked authorisations and licences granted to the defaulting REs.

Recently, the RBI restricted an RE from onboarding new customers and from carrying on any further banking operations whatsoever (except customer withdrawals), due to their failure to comply with KYC/AML requirements. It also restricted four NBFCs from sanctioning or disbursing loans, for charging usurious interest rates from retail borrowers and other unfair lending practices.

Industry players have recently expressed concerns that the stringent regulatory actions taken by the RBI will dampen market sentiment and raise investor apprehensions.

The various fintech business models or verticals that are currently predominant in India are, broadly:

• digital payments;
• digital lending; and
• a host of intermediary services such as payment aggregation, payment gateway services, credit analysis, post-disbursement services etc, that serve to create a seamless user experience.

Products pertaining to other significant aspects of fintech, such as insurtech, regtech and wealthtech are starting to scale in the Indian market.

Digital Payments

UPI payments

UPI is a payments platform managed and operated by NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users (also see 1.1 Evolution of the Fintech Market).

Prepaid Payment Instruments (PPIs)

PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. Under the revised Master Directions on Prepaid Payment Instruments issued by the RBI on 27 August 2021 (PPI Master Directions), PPIs may be issued under one of the following categories:

• closed-system PPIs, for purchase of goods or services offered only by the PPI issuer (They do not require prior approval from the RBI); or
• PPIs that require RBI approval/authorisation prior to issuance are classified under two types: small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchasing goods and services. Fund transfers or cash withdrawals from such PPIs are not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments.

Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for the purchase of goods and services, fund transfers or cash withdrawals.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium-sized enterprises (MSME) and retail clients.

Digital lending is under the regulatory purview of the RBI. The Digital Lending Guidelines dated 2 September 2022 (DL Guidelines) prescribes the regulatory framework for the digital lending ecosystem in India.

The DL Guidelines apply to both REs and the lending service providers or digital lending platforms that enter into partnership arrangements with REs to provide digital lending products to consumers.

The DL Guidelines prescribe guardrails in connection with the kinds of customer data that can be accessed and stored by lending service providers, the consent architecture that must be in place for the collection and storage of such customer data and detailed disclosure requirements to protect customer interest and prevent mis-selling of credit products. DL Guidelines also provide for indirect regulation of lending service providers through regulated lending institutions.

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers – ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as an NBFC–P2P lending platform, subject to a few identified exceptions.

P2P Platforms also came under sharp regulatory scrutiny in the last year, with the RBI expressing concerns regarding some business models where P2P Platforms performed quasi-lending and banking functions instead of acting as an intermediary.

Payment Intermediaries

Payment aggregators

These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators (PAs) receive payments from customers, and pool and transfer them to the merchants after a period of time.

Payment gateways

Payment gateways (PGs) are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

PAs and PGs are governed by the RBI’s regulatory framework (PA/PG Guidelines) requiring PAs to be licensed by the RBI, while prescribing recommended technical standards for PGs.

Payment aggregators – cross-border

The RBI has brought all entities facilitating cross-border payment transactions for the import and export of goods and services (PA-CB) under its direct regulation. All PA-CBs, except authorised dealer category-1 banks (AD Banks), will need to take prior approval of the RBI for facilitating payments involving the import and export of goods and services. Further, PA-CBs need to comply with all obligations applicable to domestic PAs.

The regulatory framework governing the key verticals (see 2.1 Predominant Business Models) of the Indian fintech sector is fragmented across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (PSS Act)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a “payments system” is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments, and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (PML Rules). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and anti-money laundering verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

The RBI, as the principal financial regulator, periodically issues “master directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific master directions regulating:

• PPIs;
• NBFCs;
• P2P lending;
• PAs and PGs (including PA-CBs);
• account aggregators; and
• other market participants and offerings.

The KYC Master Directions draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits REs such as NBFCs, payment systems operators/system participants to obtain authorisation to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by the GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the IT Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Current Data Privacy Framework) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once effected, the DPDP Act will overhaul the existing data protection framework. (see 1.1 Evolution of the Fintech Market).

Separately, the RBI has also issued a circular in April 2018 (Data Localisation Circular), which mandates that all payment data be stored on servers located in India. While such data can be transferred outside of India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act.

Compensation models across key product offerings typically take the following form:

• PPIs/debit cards/credit cards/UPI, all charge Merchant Discount Rate (MDR) – ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator (PSO). For cards, transaction interchange fee, interest and float income and card issuances act as additional income lines.
• Digital lenders charge loan processing fees and interest from their customers, which are usually linked to the volume and tenor of the loan. Digital lenders can also levy additional penal charges for defaults, in a manner that is reasonable and only for material non-compliances. Penal charges must not be used as a revenue enhancement tool.
• PAs/PGs charge the e-commerce marketplaces and merchants for their payment aggregation services and/or technological support provided. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

To promote indigenous payment instruments, GOI has mandated zero MDR for certain transactions. This could impact the cost competitiveness and revenue flows of foreign fintech players, in comparison with domestic fintech players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandates that:

• REs (such as banks and NBFCs) adopt a “fair practices code”, to be made available on their websites (in English as well as in the vernacular language), setting out the process for loan applications and the key terms and conditions associated with the lending product (including all charges, fees and interest rates);
• all lending institutions are required provide a “key fact statement” in a standardised format for loan processing; such standardised format must specify the annualised percentage rate for the lending product (which is inclusive of all charges, fees and interest rates in connection with the credit product offered by them); and
• REs (such as PPI Issuers, payment intermediaries, banks, NBFCs) adopt a suitable CGRM and designate “nodal officers” to address customer complaints, so as to ensure fairness in operation of such products, including the compensation models employed by them.

Taking a holistic view of the regulatory framework (see 2.2 Regulatory Regime), it appears to treat both new fintech players and established players (like banks) impartially.

However, there is a significant discrepancy when it comes to banks' ability to conduct Aadhaar-based E-KYC checks for customer onboarding, a capability that is not extended to non-bank players (like NBFCs). This discrepancy imposes additional compliance costs on non-bank players. Nevertheless, the RBI has taken steps to address this issue by allowing non-bank players to obtain authorisations to conduct Aadhaar-based E-KYC authentication, enabling them to utilise the services provided by the Unique Identification Authority of India (UIDAI) for E-KYC purposes. Further, the RBI’s impetus on CKYCR may potentially reduce disparity in costs between bank and non-bank players.

Access to credit information is another area where there was a significant discrepancy between REs and certain “specified entities” (which fulfil the criteria prescribed by the RBI), as against other third-party entities. (see 2.13 Conjunction of Unregulated and Regulated Products and Services) However, the RBI’s recent Master Directions on Credit Information Reporting now expressly allow third-party entities to access the credit information of persons from CICs, as the authorised representative of such persons, with their consent. The RBI has coupled this access with robust security, due diligence and monitoring measures.

RBI

Framework and eligibility

The RBI issued a Regulatory Sandbox Enabling Framework in August 2019 permitting eligible fintech companies to live-test their products in a controlled/ modified regulatory environment, provided that such product is compliant with the designated theme for the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI for testing their products in a sandbox:

• net worth of at least INR1 million;
• satisfactory credit score/history of promoters and directors;
• promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
• demonstrated ability to comply with personal data protection laws; and
• adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

The framework outlines the five stages of the sandbox process for a single cohort involving preliminary screening, finalising test designs, application assessment, closely monitored testing and lastly, assessment of the final output by the RBI. The end-to-end sandbox process practically takes more than 1.5 years for each cohort.

To date, the RBI has announced five cohorts – on retail payments (February 2021), cross-border payments (December 2020), micro, small, and medium-sized enterprise lending (October 2021), prevention and mitigation of financial frauds (June 2022) and a fifth “theme-neutral” cohort (October 2023). Of these, the successful exit of 18 applicants from the first four cohorts has led to innovations such as a purely digital cash flow-based credit underwriting process for MSMEs and a voice-based UPI payment solution that supports local languages and offline use.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed similar regulatory sandbox products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from NPCI, UIDAI, IRDAI and SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

In India, the primary regulator for fintech is the RBI, which has shifted from a light-touch approach to a full-regulation model in recent years. The RBI is responsive to market changes and technological advances, and regulations have been promptly updated to account for such developments.

NPCI

NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act and was established with a view to creating an innovative and robust payment and settlement infrastructure in India.

UIDAI

UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. UIDAI has been central to framing the rules governing the use of Aadhaar by fintech players as a means for customer onboarding and verification.

IRDAI

IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, specifically for insurtech elements.

SEBI

SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. It has jurisdiction over aspects of fintech related to robo-advisors, algorithmic trading and financial research platforms, although these areas are still nascent in India.

Financial regulators in India have typically not issued no-action letters for the fintech sector.

The RBI does not issue no-action letters, although the fintech department of the RBI holds monthly virtual meetings with fintechs – “Finteract” and “Finquiry” sessions – which provide a platform to interact with the regulator and get verbal non-binding guidance. SEBI, however, issues no-action letters in the form of non-binding informal guidance letters under the SEBI (Informal Guidance) Scheme, 2003.

The permissibility of outsourcing regulated financial and IT functions in the Indian fintech space is governed largely by outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs and (separately) to PSOs. Broadly, the core regulated activities cannot be outsourced to unregulated entities. 

Outsourcing Guidelines

These guidelines require that banks, NBFCs and PSOs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliance, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside of India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities. The RBI also prescribes mandatory contractual terms for such outsourcing contracts.

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

• Banks, NBFCs and PSOs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider.
• PAs are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards.
• Banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

In the case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime), the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act, or the PSS Act.

The RBI has taken several stringent enforcement actions in the last year. (see 1.1 Evolution of the Fintech Market).

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

• the Current Data Privacy Framework requires certain REs (including banks, NBFCs, PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy;
• the Data Localisation Circular (see 2.2 Regulatory Regime);
• the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
• the intermediary guidelines/rules under the IT Act, require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe on intellectual property, and does not violate any other prevailing laws.

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires REs to have in place several checks and balances that serve to review the functioning and operations of industry participants. By way of an indicative overview:

• Banks and NBFCs are subject to a detailed ongoing compliance framework that involves a review of their operations by external auditors/accountants.
• The RBI has set up designated ombudsman offices under its management and supervision, charged with receiving and considering complaints from customers relating to the deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on REs.

These compliances represent strict regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.10 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While regulated products are offered by REs (such as banks, NBFCs and PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

Traditional credit information in India is collated by specialised, REs called credit information companies (CICs). Access to traditional credit information through such CICs was originally restricted only to REs. Some non-bank entities, fulfilling the criteria prescribed by the RBI, have now been allowed to access information from CICs. However, this criterion is still quite strict (including, inter alia, a net worth of at least INR20 million, Indian-owned and controlled status, at least three years of experience in data processing and a clean track record).

Due to such restricted access to traditional credit information, a market space for unregulated players to undertake non-traditional “behavioural scoring” has grown in India. These fintech entities typically utilise data that does not strictly constitute credit data and is therefore not currently subject to regulatory limitations. Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the consent requirements under the DPDP Act (once enforced) will also cover such data collection and processing.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers with a seamless customer experience.

The KYC Master Directions apply to REs (including banks, NBFCs, PPI issuers, and payment system providers). The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. REs must file reports of suspicious transactions, including transactions relating to terrorism, with the FIU-Ind. REs are also required to appoint a principal officer who is responsible for monitoring and reporting all transactions and sharing information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, NBFCs and PSOs from outsourcing core functions such as KYC compliance.

Indian anti-money laundering and sanction norms are generally aligned with the FATF standards.

India does not permit otherwise regulated products and services to be offered from another jurisdiction under a reverse solicitation scenario without triggering domestic regulations. Typically, any cross-border fintech offering, regardless of the solicitation’s origin, would necessitate conformity with Indian financial, exchange control, and data protection laws.

A fintech offering in India would typically need to comply with the regulatory framework for financial services (see 2.2 Regulatory Regime), as the regulations are activity-centric. Even otherwise, the Indian foreign exchange legislation (FEMA), which imposes strict controls on cross-border transactions, will typically be applicable to any offering of cross-border payment or investment products (see 5.2 Regulation of Cross-Border Payments and Remittances). Payment products, lending offerings or investments/wealthtech products may or may not require prior RBI approval (it could be a capital account transaction or be permissible under the liberalised remittance scheme), but in any case, will need to be FEMA compliant.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage. While undertaking the business of investment advice requires registration with SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. Several RE players have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach to incorporate robo-advisory services:

• acquisition or partnerships with players in the robo-advisory space; or
• development of in-house technology, using internal analytical information to provide robo-advisory, putting them in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve network creation and connectivity issues between the clients and robo-adviser platforms, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

The lending regulations in India are broadly borrower agnostic. However, the extent of regulatory supervision differs depending on the category of lender.

Both banks and NBFCs are required to comply with specific capital adequacy, asset quality and prudential norms. While banks are generally heavily regulated, NBFCs are subject to relatively less stringent regulation. Lending service providers or digital lending applications are front-end entities and are only indirectly governed by the DL Guidelines.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders – ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Furthermore, the Indian financial sector also often sees lending partnerships between banks and NBFCs, whereby the bank brings the advantage of capital, while the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

• credit score and credit reports from CICs;
• annual income and sources of income; and
• status of existing loan accounts, including any delayed repayments, defaults, etc.

Non-traditional behavioural data is increasingly being used for credit analysis (see 2.12 Conjunction of Unregulated and Regulated Products and Services). Technology platforms that already have access to some of this behavioural data have taken the lead in the development of these alternative credit scoring models.

The DL Guidelines mandate that REs undertake responsible lending by capturing the economic profile of the borrowing (including age, occupation, income, etc) to assess the borrower’s creditworthiness in an auditable way. To this end, the DL Guidelines permit collecting data that is required in connection with its operations, provided the digital service provider/RE is able to demonstrate a tangible and direct link between the borrower data collected and economic profiling of the borrower enabling credit decision-making.

The RBI also dictates detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of onboarding.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end uses, such as:

• banks are prohibited from sanctioning loans against the security of their own shares;
• banks are prohibited from sanctioning such loans that are to be used for buy-back of securities; and
• banks are restricted from granting loans to their directors or their relatives, except where approved by the bank’s board of directors and subject to compliance with other specified restrictions.

NBFC

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings – ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI, which include maintenance of leverage ratio and capital adequacy norms.

The Bond Market

The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with SEBI. In the case of foreign portfolio investors, there are restrictions on end uses, in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to the issuing of debt securities, access to debt capital markets tends to be restricted to larger corporates and has not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods and end use restrictions.

P2P Lending

The RBI also permits P2P lending via REs which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform itself is restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed to hold security for the benefit of the lending banks. The arrangement typically also involves the appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.

The RBI has mandated information-sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, and establishing a system of exchange of information with respect to the borrower’s credit facilities between banks (upon obtaining appropriate consent from the borrower).

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the 1999 Foreign Exchange Management Act (FEMA) and the rules, regulations and circulars issued thereunder. FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inbound to India or outbound from India. Such transactions are undertaken by AD Banks, authorised under FEMA to deal in foreign exchange on behalf of their clients.

For personal remittances inbound to India, residents may use the facility to receive such payments through money transfer operators.

RBI-approved PA-CBs also facilitate cross-border payments in exchange for goods and services. Additionally, UPI global is the latest entrant in the cross-border payments space in India. (see 1.1 Evolution of the Fintech Market).

Under Indian law, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which is registered with SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts. Different asset classes are governed by varying regulations, depending on the nature of the asset (eg, equity-linked, debt-linked or pooled investment vehicle).

The principal regulators for stock exchanges are SEBI, the Ministry of Finance and RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by RBI. Such electronic trading platforms must be registered with RBI and must comply with minimum capital norms, technological standards and other safeguards.

See 6.1 Permissible Trading Platforms.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. However, over the last year, their stance on cryptocurrency has softened from a “complete ban” to a “regulation” approach, in line with the global developments in the cryptocurrency space.

Indian regulators are therefore now focused on regulating crypto-intermediaries (including crypto-exchanges) with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements. The GOI recently brought all virtual asset service providers (VASPs, which include crypto-exchanges) under the ambit of PMLA.

The Financial Intelligence Unit of India (FIU-Ind) subsequently published the AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (FIU-Ind Guidelines), which came into effect from 10 March 2023. Every VASP operating in India needs to: (i) register with the FIU-Ind; (ii) adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and (iii) comply with PMLA requirements (for example, maintaining transaction records, reporting of suspicious transactions and specified transactions to the FIU-Ind). The FIU-Ind has, in the past, served show cause notices to several crypto-exchanges for failing to register and directing the GOI to block their URLs.

Additionally, advertisements dealing with cryptocurrency and/or virtual assets must contain adequate risk disclaimers and must not equate such products with regulated products – in accordance with the code issued by the Advertising Standards Council of India.

Listing standards and disclosure requirements are governed by SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

See 2.1 Predominant Business Models. As far as digital lending is concerned, currently there are 26 P2P lending platforms authorised by RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

SEBI prescribes procedural rules for processing payments for trades in listed securities. For example, in 2018, SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee whether appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues (for example, timely reviews of the margining system).

SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

SEBI permitted institutional investors to use DMA through SEBI-registered investment managers. In respect of algorithmic trading, SEBI issued the Broad Guidelines on Algorithmic Trading and subsequently issued additional guidelines pertaining to the same. Additionally, SEBI issued the Measures to Strengthen Algorithmic Trading and Co-location/Proximity Hosting Framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and the free-of-charge tick-by-tick data feed (TBT Feed), order-to-trade ratio (OTR) penalties, unique identifiers for algorithms/tagging of algorithms and the testing requirements for software and algorithms. SEBI has recently issued a circular on Safer Participation of Retail Investors in Algorithmic Trading (Retail Algo Circular) providing clear guidelines on application-based trading, recognising it as a legitimate practice and setting guardrails around actions taken by stock brokers. The Retail Algo Circular is effective from 1 August 2025. Under the Retail Algo Circular, an algorithmic trading strategy needs to be registered with the stock exchanges if the trading frequency is above the prescribed threshold. Algo providers need to register white box solutions with the stock exchanges, whereas the algo provider needs to obtain a research analyst licence from SEBI for offering black box solutions.

These obligations are targeted at stock exchanges (except for commodity derivatives exchanges) in the country. The recent Retail Algo Circular also places obligations on the stock brokers. Recent SEBI trends have been towards relaxing the OTR and orders per second (OPS) limits. SEBI also released a notification banning mis-selling of algorithmic strategies by making references to past performance or expected returns.

These circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers (Market Maker Guidelines) require market makers to register with the stock exchanges per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as market maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing the trading algorithms and other electronic trading rules lays down the following obligations on programmers:

• all algorithmic orders be tagged with a unique identifier provided by the stock exchange in order to establish an audit trail; and
• the testing procedures which are to be followed by market participants before deployment of software and algorithms.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with IRDAI. The underwriting processes to be undertaken by insurers and insurance intermediaries are specified by IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, and audit and reporting mechanisms.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance and vehicle insurance.

Most regtech providers in India are centred around providing KYC and related onboarding services. There is also a recent boost in regtech solutions focusing on end-to-end automation of securities and labour compliances.

There is no direct regulation governing regtech providers in India. Certain functionalities of regtechs may, however, be subject to regulatory oversight. For example, customer onboarding regtech providers in India are typically engaged as agents of the REs through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information and requirements on storage of Aadhaar, which are also relevant for regtech providers utilising the Aadhaar database for their services.

See 9.1 Regulation of Regtech Providers and 2.8 Outsourcing of Regulated Functions. Requirements pertaining to assured performance and accuracy for unregulated regtechs are contractually agreed. As an industry norm, they usually contain a limitation of liability clause and an express “no warranty” clause as to their accuracy and completeness.

Traditional financial services players such as banks are developing interesting and effective applications for the use of blockchain for the financial services industry in India. India’s Bankchain consortium has launched a permission-based blockchain for integrated and shared KYC (Primechain KYC) and is exploring its use for processing letters of credit, tax invoices, and e-way bills, particularly for MSMEs. Meanwhile, RBIH is also currently exploring a blockchain-based pilot project for reducing loan fraud.

On the private side, financial blockchain start-ups in India are primarily focused on cryptocurrency exchanges. However, there is a growing interest in newer applications for blockchain, such as supply chain financing and digital identity verification.

Unlike with cryptocurrency, the GOI and regulators have taken a positive stance towards blockchain technology. The RBI is playing an active part in collaborating with banks piloting blockchain applications and has also included applications of blockchain technologies to be tested in its sandbox.

The GOI has developed a National Strategy on Blockchain to synergise stakeholder inputs and develop e-governance applications of blockchain. The GOI recently launched the Vishvasya blockchain technology stack to offer blockchain-as-a-service (BaaS) through a geographically distributed infrastructure designed to support various permissioned blockchain-based applications. It has also announced the creation of a blockchain sandbox platform called NBFLite. Several state governments in India are also utilising blockchain technologies for supply chain management, land registry, and public record-keeping.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as the 1860 Indian Penal Code, and the 2019 Consumer Protection Act.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

Provision of staking and lending services relating to cryptocurrencies or offering of crypto-derivatives is not governed by any separate regulation in India, though such services may attract the KYC and reporting requirements applicable to VASPs (see 6.3 Impact of the Emergence of Cryptocurrency Exchanges). Any income from such services/offerings will have a tax implication (see 10.11 Virtual Currencies).

See 10.6 Staking.

See 10.6 Staking.

India has not yet enacted specific guidelines to regulate DeFi. In the absence of specific guidelines, DeFi is currently governed under the extant regulations on payment systems, payment and investment intermediaries.

The current regulatory framework does not contemplate blockchain assets. The funds investing in blockchain assets are therefore unregulated.

Owing to a lack of clarity on how to classify virtual currencies (they do not fall under securities, commodities, currency, payment or security tokens), they remain excluded from most regulations. However, after the 2022 budget speech, the GOI declared virtual currencies to be taxed as a separate class called “virtual digital assets” (VDAs).

All income from VDAs including cryptocurrencies is subject to 30% tax (plus cess) in India. The GOI also announced a tax deducted at source (TDS) of 1% on all cryptocurrency-based transactions. A gift of VDAs is also proposed to be taxed in the hands of the recipient.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. India is currently piloting the e₹, which is anticipated as a replacement for all privately owned cryptocurrencies in India after its launch.

The regulatory landscape surrounding NFTs is unclear. However, NFTs have been recently recognised as a subclass of virtual digital assets and subject to the same taxation regime.

India has adopted a distinctive approach to open banking. It has created a comprehensive DPI and associated standards, collectively known as the “India Stack”.

The India Stack has been developed in layers over the past decade, with a proactive role played by regulators:

Identity Layer

The Aadhar digital identity system facilitates identity verification and tracing of individuals’ particulars across various datasets. The RBI has mandated Aadhar-interlinked KYC practices for all REs through the KYC Master Direction.

Payments Layer

UPI, Aadhaar-enabled Payment System, and Aadhar Payments Bridge create a fully interoperable payment system that is subject to the supervision of the NPCI.

Documents Layer

“Digilocker” is a cloud-based platform which enables registered governmental authorities to issue and citizens to access authenticated identity documents and certificates.

Data Layer

An account aggregator (AA) is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from financial information providers on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consented financial information user.

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator of fraud getting illegal access to a card, UPI pins or other payment credentials (such as illegal tapping on unsecured internet networks, phishing attacks, spam and fraudulent calls to retrieve sensitive payment credentials like card numbers, PINs, OTPs and passwords) and then using them to make payment transactions.

Financial regulators are quick to react and introduce regulatory measures to protect customers. For example, in light of increasing card frauds, the RBI introduced guidelines on storage of customer card data and a tokenisation framework to control such fraudulent transactions.

Indian regulators primarily focus on fraud affecting retail customers and the general public (such as card fraud, UPI payment fraud, fraudulent loan recoveries, unauthorised transactions) as well as fraud that has larger, system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc).

The RBI’s constant endeavour is to monitor emerging fraudulent techniques with the objective of protecting retail consumers from the same. The RBI is working with banks and enforcement agencies to strengthen transaction monitoring systems and ensure sharing of best practices for control of mule accounts and prevention of digital frauds. RBIH is also piloting an AI/machine learning-based model, MuleHunter.AI, to address this concern.

RBI has issued directions that limit the liability of customers in cases of unauthorised electronic payment transactions involving banks and non-bank PPIs.

If the unauthorised transaction results from contributory fraud or negligence/deficiency on the part of the RE, the RE bears the full liability. If the loss occurs due to the negligence of the customer, the customer is responsible for the entire loss until the unauthorised transaction is reported to the RE. Once reported, any subsequent loss is borne by the RE. In cases where the loss is due to factors beyond the control of both the RE and the customer (eg, systemic issues), the customer’s liability remains zero if they report the unauthorised transaction within three working days. Thereafter, the customer’s liability increases the longer the reporting is delayed.

Typically, the RE will include contractual terms to recover such amounts from its service providers if the unauthorised transaction arises due to contributory fraud or negligence/deficiency on the part of its unregulated fintech service provider.