Fintech 2025

Last Updated March 25, 2025

India

Law and Practice

Authors



Shardul Amarchand Mangaldas & Co, founded on a century of legal achievements, is one of India’s leading full-service law firms. The firm’s mission is to enable business by providing solutions as trusted advisers through excellence, responsiveness, innovation, and collaboration. SAM & Co. is known globally for its exceptional practices in M&A, private equity, competition law, insolvency and bankruptcy, dispute resolution, international commercial arbitration, capital markets, banking and finance, tax, intellectual property, data protection and data privacy, white-collar crime, technology law and infrastructure, energy and project finance. The firm has a pan-India presence and has been at the helm of major headline transactions and litigations in all sectors, besides advising major multinational corporates on their entry into the Indian market and their business strategy. Currently, the firm has over 800 lawyers including 177 partners, offering legal services through its offices in New Delhi, Mumbai, Gurugram, Ahmedabad, Kolkata, Bengaluru, and Chennai.

India is the third largest and the fastest growing fintech market globally. India’s fintech sector has a combined market capitalisation of ~USD120 billion.

On the consumer side, Indians are the most open to adopting fintech solutions as evidenced by a fintech adoption rate of 87%, which is significantly higher than the global average of 64%. India’s investments in digital public infrastructure (DPI) and favourable demographics are the key drivers behind the growth of the Indian fintech sector.

The Past 12 Months

Over the past 12 months, several key developments have contributed to significant growth in the fintech sector.

UPI-linked innovations

India’s Unified Payments Interface (UPI) has enabled seamless, affordable digital payments throughout India, which has been revolutionary for the fintech sector. Over the last year, several innovative payment products have been developed, building on top of the UPI DPI.

Rural Accessibility – UPI 123 Pay and Hello!UPI

National Payments Corporation of India (NPCI) has developed products focusing on financial inclusion and accessibility to rural and other underserved areas. These include UPI123Pay and Hello!UPI, which enable instant payments for users with feature phones or with limited or no internet connectivity, or through voice-enabled payment instructions in a regional language.

Interoperability – PPI on UPI TPAPs

By way of a notification dated 27 December 2024, the Reserve Bank of India (RBI) enabled interoperability across prepaid payment instruments (PPIs) using UPI. The RBI permitted full-KYC PPIs (see 2.1 Predominant Business Models) to make and accept interoperable payments through third-party applications (TPAPs). Earlier, transactions with a PPI could only be conducted through the UPI functionality in the PPI issuer’s own app and the customer could not link their PPI wallet to a UPI handle through a TPAP.

UPI Global

Through NPCI International Payments Limited (NIPL), NPCI’s dedicated wholly-owned subsidiary, NPCI has entered into global collaborations to: (i) create bilateral linkages between UPI and the payment systems available locally in offshore jurisdictions; (ii) power QR-code enabled payments by Indians to merchants abroad; and (iii) extend India’s UPI technology to nations without their own instant payment infrastructure. NIPL is expected to expand UPI Global to ~40 jurisdictions. The limits for cross-border payments through UPI Global are the same as UPI’s domestic payment limits (ie, typically INR100,000).

ULI

The Unified Lending Interface (ULI) is a technology platform developed by a subsidiary of the RBI – the RBI Innovation Hub (RBIH) – to streamline digital lending by enabling seamless access to authenticated data from multiple sources. ULI simplifies the integration process for lenders, eliminating the need for individual connections with diverse data sources such as government authorities, fintech and techfin players, account aggregators, credit bureaus, and digital identity systems.

Dubbed the “UPI of digital lending”, ULI facilitates frictionless credit delivery, reduces operational costs, and enhances efficiency. Since its pilot launch on 17 August 2023, ULI has facilitated disbursement of loans worth INR270 billion as of 6 December 2024, with 36 regulated entities (REs) onboarded.

Streamlined KYC processes

On 6 November 2024, the RBI introduced amendments to the Master Direction - Know Your Customer (KYC) Direction, 2016 (KYC Master Directions). The KYC Master Directions require REs to allot a unique customer identification code (UCIC) to each customer. Further, once a customer’s data is uploaded to the Central KYC Registry (CKYCR), they are allotted a KYC Identifier – a 14-digit unique identification code allocated by the CKYCR.

The amendments to the KYC Master Directions include two key changes. First, for undertaking the identity verification of a customer (whether at the first instance of establishing an account-based relationship, or at the update/periodic update stage), the RE must first seek the KYC Identifier from the customer or retrieve it from the CKYCR. They can then proceed to obtain the KYC records from the centralised registry. A customer will not be required to submit the same KYC records or any other additional identification documents, except in the limited circumstances prescribed (the information retrieved being incomplete/invalid, any change in customer’s details, etc).

The amendments to the KYC Master Directions have also added the concept of “updates”, encouraging REs to ensure the real-time accuracy of CDD documentation. Furthermore, any updated KYC information from a customer must be submitted to the CKYCR within seven days of receipt. The CKYCR will subsequently notify all REs that have interacted with the customer regarding such updates and require them to revise their records accordingly. 

By maintaining updated centralised records and encouraging REs to first utilise the information from the centralised records before asking customers for further documents, the amendments to the KYC Master Directions are making KYC data accessible across REs and reducing duplication/friction in the customer onboarding process.

The Next 12 Months

Regulation of personal data

In August 2023, the Government of India (GOI) passed the Digital Personal Data Protection Act (DPDP Act). The DPDP Act is a technology-agnostic, sector-agnostic umbrella framework which governs the processing of all digital personal data. While the DPDP Act has been enacted, it is not currently in force.

On 3 January 2025, the GOI released the draft Digital Personal Data Protection Rules, 2025 (Draft Rules), together with an explanatory note for comments from the public. After completion of the consultation process, the Draft Rules may be revised and finalised by the GOI. The DPDP Act will come into force when the GOI publishes notification(s) regarding commencement of the DPDP Act and the DPDP Rules in the official gazette.

The GOI will likely adopt a staggered approach to enforcement of the DPDP Act and the DPDP Rules. Upon effectiveness, the DPDP Act will replace the currently applicable statutory framework on data privacy and data protection in India (see 2.2 Regulatory Regime).

Development of regulations for AI

The Indian fintech sector (particularly payments and wealthtech) has rapidly adopted evolving technologies such as blockchain and artificial intelligence (AI). Both bank and non-bank entities in India rely on AI-based tools to improve customer experience, especially in the areas of product identification and matching, background and credit verification checks and CGRM.

While there are currently no comprehensive regulations specifically addressing AI in India, the financial sector regulators and the GOI have initiated steps to address the adoption of AI.

The GOI issued an advisory dated 15 March 2024, setting out due diligence norms regarding AI and other generative software to all intermediaries and platforms under the 2000 Information Technology Act (IT Act). The advisory imposes several due diligence obligations on intermediaries to ensure responsible use of such technologies. These include: (i) ensuring that AI or other generative software does not facilitate the transmission of unlawful content; (ii) clearly labelling content produced by AI tools if it is unreliable or still undergoing testing; and (iii) adding a permanent unique metadata tag to outputs that could potentially spread misinformation or generate deepfakes, enabling identification of the content's originator.

The Report on AI Governance Guidelines Development dated 6 January 2025, released for public consultation by a sub-committee of the GOI, provides insight into the future regulations/legislation governing AI in India. It suggests an activity-based regulatory approach and that effective enforcement of existing legislation can assist in mitigating most AI-associated risks (though specific legislation may be required in areas such as copyright law).

In December 2024, the RBI also announced the formation of an eight-member committee to develop a Framework for Responsible and Ethical Enablement of AI to recommend a robust, comprehensive, and adaptable AI framework for the financial sector.

Stringent regulatory actions

Another key issue for the Indian fintech sector is the unprecedented increase in enforcement actions by the RBI against REs over the last year, primarily by way of monetary fines, penalties, and business restrictions. In exceptional cases, the RBI has also revoked authorisations and licences granted to the defaulting REs.

Recently, the RBI restricted an RE from onboarding new customers and from carrying on any further banking operations whatsoever (except customer withdrawals), due to its failure to comply with KYC/AML requirements. It also restricted four NBFCs from sanctioning or disbursing loans, for charging retail borrowers usurious interest rates and for other unfair lending practices.

Industry players have recently expressed concerns that the stringent regulatory actions taken by the RBI will dampen market sentiment and raise investor apprehensions.

The various fintech business models or verticals that are currently predominant in India are, broadly:

  • digital payments;
  • digital lending; and
  • a host of intermediary services such as payment aggregation, payment gateway services, credit analysis, post-disbursement services etc, that serve to create a seamless user experience.

Products pertaining to other significant aspects of fintech, such as insurtech, regtech and wealthtech are starting to scale in the Indian market.

Digital Payments

UPI payments

UPI is a payments platform managed and operated by NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users (also see 1.1 Evolution of the Fintech Market).

Prepaid Payment Instruments (PPIs)

PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. Under the revised Master Directions on Prepaid Payment Instruments issued by the RBI on 27 August 2021 (PPI Master Directions), PPIs may be issued under one of the following categories:

  • closed-system PPIs, for purchase of goods or services offered only by the PPI issuer (these do not require prior approval from the RBI); or
  • PPIs that require RBI approval/authorisation prior to issuance, which are classified under two types: small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchasing goods and services. Fund transfers or cash withdrawals from such PPIs are not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments.

Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for the purchase of goods and services, fund transfers or cash withdrawals.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium-sized enterprises (MSME) and retail clients.

Digital lending is under the regulatory purview of the RBI. The Digital Lending Guidelines dated 2 September 2022 (DL Guidelines) prescribe the regulatory framework for the digital lending ecosystem in India.

The DL Guidelines apply to both REs and the lending service providers or digital lending platforms that enter into partnership arrangements with REs to provide digital lending products to consumers.

The DL Guidelines prescribe guardrails in connection with the kinds of customer data that can be accessed and stored by lending service providers, the consent architecture that must be in place for the collection and storage of such customer data and detailed disclosure requirements to protect customer interest and prevent mis-selling of credit products. DL Guidelines also provide for indirect regulation of lending service providers through regulated lending institutions.

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers – ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as an NBFC–P2P lending platform, subject to a few identified exceptions.

P2P Platforms also came under sharp regulatory scrutiny in the last year, with the RBI expressing concerns regarding some business models where P2P Platforms performed quasi-lending and banking functions instead of acting as an intermediary.

Payment Intermediaries

Payment aggregators

These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators (PAs) receive payments from customers, and pool and transfer them to the merchants after a period of time.

Payment gateways

Payment gateways (PGs) are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

PAs and PGs are governed by the RBI’s regulatory framework (PA/PG Guidelines) requiring PAs to be licensed by the RBI, while prescribing recommended technical standards for PGs.

Payment aggregators – cross-border

The RBI has brought all entities facilitating cross-border payment transactions for the import and export of goods and services (PA-CB) under its direct regulation. All PA-CBs, except authorised dealer category-1 banks (AD Banks), will need to take prior approval of the RBI for facilitating payments involving the import and export of goods and services. Further, PA-CBs need to comply with all obligations applicable to domestic PAs.

The regulatory framework governing the key verticals (see 2.1 Predominant Business Models) of the Indian fintech sector is fragmented across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (PSS Act)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a “payments system” is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments, and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (PML Rules). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and anti-money laundering verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

The RBI, as the principal financial regulator, periodically issues “master directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific master directions regulating:

  • PPIs;
  • NBFCs;
  • P2P lending;
  • PAs and PGs (including PA-CBs);
  • account aggregators; and
  • other market participants and offerings.

The KYC Master Directions draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits REs such as NBFCs, payment systems operators/system participants to obtain authorisation to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by the GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the IT Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Current Data Privacy Framework) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once effected, the DPDP Act will overhaul the existing data protection framework (see 1.1 Evolution of the Fintech Market).

Separately, the RBI has also issued a circular in April 2018 (Data Localisation Circular), which mandates that all payment data be stored on servers located in India. While such data can be transferred outside of India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act.

Compensation models across key product offerings typically take the following form:

  • PPIs/debit cards/credit cards/UPI all charge Merchant Discount Rate (MDR) – ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator (PSO). For cards, transaction interchange fee, interest and float income and card issuances act as additional income lines.
  • Digital lenders charge their customers loan processing fees and interest, which are usually linked to the volume and tenor of the loan. Digital lenders can also levy additional penal charges for defaults, in a manner that is reasonable and only for material non-compliances. Penal charges must not be used as a revenue enhancement tool.
  • PAs/PGs charge the e-commerce marketplaces and merchants for their payment aggregation services and/or technological support provided. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

To promote indigenous payment instruments, GOI has mandated zero MDR for certain transactions. This could impact the cost competitiveness and revenue flows of foreign fintech players, in comparison with domestic fintech players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandates that:

  • REs (such as banks and NBFCs) adopt a “fair practices code”, to be made available on their websites (in English as well as in the vernacular language), setting out the process for loan applications and the key terms and conditions associated with the lending product (including all charges, fees and interest rates);
  • all lending institutions are required to provide a “key fact statement” in a standardised format for loan processing; such standardised format must specify the annualised percentage rate for the lending product (which is inclusive of all charges, fees and interest rates in connection with the credit product offered by them); and
  • REs (such as PPI Issuers, payment intermediaries, banks, NBFCs) adopt a suitable CGRM and designate “nodal officers” to address customer complaints, so as to ensure fairness in operation of such products, including the compensation models employed by them.

Taking a holistic view of the regulatory framework (see 2.2 Regulatory Regime), it appears to treat both new fintech players and established players (like banks) impartially.

However, there is a significant discrepancy when it comes to banks' ability to conduct Aadhaar-based E-KYC checks for customer onboarding, a capability that is not extended to non-bank players (like NBFCs). This discrepancy imposes additional compliance costs on non-bank players. Nevertheless, the RBI has taken steps to address this issue by allowing non-bank players to obtain authorisations to conduct Aadhaar-based E-KYC authentication, enabling them to utilise the services provided by the Unique Identification Authority of India (UIDAI) for E-KYC purposes. Further, the RBI’s impetus on CKYCR may potentially reduce disparity in costs between bank and non-bank players.

Access to credit information is another area where there was a significant discrepancy between REs and certain “specified entities” (which fulfil the criteria prescribed by the RBI), as against other third-party entities (see 2.13 Conjunction of Unregulated and Regulated Products and Services). However, the RBI’s recent Master Directions on Credit Information Reporting now expressly allow third-party entities to access the credit information of persons from CICs, as the authorised representative of such persons, with their consent. The RBI has coupled this access with robust security, due diligence and monitoring measures.

RBI

Framework and eligibility

The RBI issued a Regulatory Sandbox Enabling Framework in August 2019 permitting eligible fintech companies to live-test their products in a controlled/modified regulatory environment, provided that such product is compliant with the designated theme for the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI for testing their products in a sandbox:

  • net worth of at least INR1 million;
  • satisfactory credit score/history of promoters and directors;
  • promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
  • demonstrated ability to comply with personal data protection laws; and
  • adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

The framework outlines the five stages of the sandbox process for a single cohort involving preliminary screening, finalising test designs, application assessment, closely monitored testing and lastly, assessment of the final output by the RBI. The end-to-end sandbox process practically takes more than 1.5 years for each cohort.

To date, the RBI has announced five cohorts – on retail payments (February 2021), cross-border payments (December 2020), micro, small, and medium-sized enterprise lending (October 2021), prevention and mitigation of financial frauds (June 2022) and a fifth “theme-neutral” cohort (October 2023). Of these, the successful exit of 18 applicants from the first four cohorts has led to innovations such as a purely digital cash flow-based credit underwriting process for MSMEs and a voice-based UPI payment solution that supports local languages and offline use.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed regulatory sandbox products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from NPCI, UIDAI, IRDAI and SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

In India, the primary regulator for fintech is the RBI, which has shifted from a light-touch approach to a full-regulation model in recent years. The RBI is responsive to market changes and technological advances, and regulations have been promptly updated to account for such developments.

NPCI

NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act and was established with a view to creating an innovative and robust payment and settlement infrastructure in India.

UIDAI

UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. UIDAI has been central to framing the rules governing the use of Aadhaar by fintech players as a means for customer onboarding and verification.

IRDAI

IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, specifically for insurtech elements.

SEBI

SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. It has jurisdiction over aspects of fintech related to robo-advisors, algorithmic trading and financial research platforms, although these areas are still nascent in India.

Financial regulators in India have typically not issued no-action letters for the fintech sector.

The RBI does not issue no-action letters, although the fintech department of the RBI holds monthly virtual meetings with fintechs – “Finteract” and “Finquiry” sessions – which provide a platform to interact with the regulator and get verbal non-binding guidance. SEBI, however, issues no-action letters in the form of non-binding informal guidance letters under the SEBI (Informal Guidance) Scheme, 2003.

The permissibility of outsourcing regulated financial and IT functions in the Indian fintech space is governed largely by outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs and (separately) to PSOs. Broadly, the core regulated activities cannot be outsourced to unregulated entities. 

Outsourcing Guidelines

These guidelines require that banks, NBFCs and PSOs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliance, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside of India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities. The RBI also prescribes mandatory contractual terms for such outsourcing contracts.

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

  • Banks, NBFCs and PSOs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider.
  • PAs are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards.
  • Banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

In the case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime), the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act, or the PSS Act.

The RBI has taken several stringent enforcement actions in the last year (see 1.1 Evolution of the Fintech Market).

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

  • the Current Data Privacy Framework requires certain REs (including banks, NBFCs, PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy;
  • the Data Localisation Circular (see 2.2 Regulatory Regime);
  • the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
  • the intermediary guidelines/rules under the IT Act, which require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe on intellectual property, and does not violate any other prevailing laws.

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires REs to have in place several checks and balances that serve to review the functioning and operations of industry participants. By way of an indicative overview:

  • Banks and NBFCs are subject to a detailed ongoing compliance framework that involves a review of their operations by external auditors/accountants.
  • The RBI has set up designated ombudsman offices under its management and supervision, charged with receiving and considering complaints from customers relating to the deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on REs.

These compliances represent strict regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.10 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While regulated products are offered by REs (such as banks, NBFCs and PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

Traditional credit information in India is collated by specialised REs called credit information companies (CICs). Access to traditional credit information through such CICs was originally restricted only to REs. Some non-bank entities, fulfilling the criteria prescribed by the RBI, have now been allowed to access information from CICs. However, these criteria are still quite strict (including, inter alia, a net worth of at least INR20 million, Indian-owned and controlled status, at least three years of experience in data processing and a clean track record).

Due to such restricted access to traditional credit information, a market space for unregulated players to undertake non-traditional “behavioural scoring” has grown in India. These fintech entities typically utilise data that does not strictly constitute credit data and is therefore not currently subject to regulatory limitations. Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the consent requirements under the DPDP Act (once enforced) will also cover such data collection and processing.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers with a seamless customer experience.

The KYC Master Directions apply to REs (including banks, NBFCs, PPI issuers, and payment system providers). The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. REs must file reports of suspicious transactions, including transactions relating to terrorism, with the FIU-Ind. REs are also required to appoint a principal officer who is responsible for monitoring and reporting all transactions and sharing information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, NBFCs and PSOs from outsourcing core functions such as KYC compliance.

Indian anti-money laundering and sanction norms are generally aligned with the FATF standards.

India does not permit otherwise regulated products and services to be offered from another jurisdiction under a reverse solicitation scenario without triggering domestic regulations. Typically, any cross-border fintech offering, regardless of the solicitation’s origin, would necessitate conformity with Indian financial, exchange control, and data protection laws.

A fintech offering in India would typically need to comply with the regulatory framework for financial services (see 2.2 Regulatory Regime), as the regulations are activity-centric. Even otherwise, the Indian foreign exchange legislation (FEMA), which imposes strict controls on cross-border transactions, will typically be applicable to any offering of cross-border payment or investment products (see 5.2 Regulation of Cross-Border Payments and Remittances). Payment products, lending offerings or investments/wealthtech products may or may not require prior RBI approval (it could be a capital account transaction or be permissible under the liberalised remittance scheme), but in any case, will need to be FEMA compliant.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage. While undertaking the business of investment advice requires registration with SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. Several RE players have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach to incorporate robo-advisory services:

  • acquisition or partnerships with players in the robo-advisory space; or
  • development of in-house technology, using internal analytical information to provide robo-advisory, putting them in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve network creation and connectivity issues between the clients and robo-adviser platforms, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

The lending regulations in India are broadly borrower agnostic. However, the extent of regulatory supervision differs depending on the category of lender.

Both banks and NBFCs are required to comply with specific capital adequacy, asset quality and prudential norms. While banks are generally heavily regulated, NBFCs are subject to relatively less stringent regulation. Lending service providers or digital lending applications are front-end entities and are only indirectly governed by the DL Guidelines.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders – ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Furthermore, the Indian financial sector also often sees lending partnerships between banks and NBFCs, whereby the bank brings the advantage of capital, while the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

  • credit score and credit reports from CICs;
  • annual income and sources of income; and
  • status of existing loan accounts, including any delayed repayments, defaults, etc.

Non-traditional behavioural data is increasingly being used for credit analysis (see 2.12 Conjunction of Unregulated and Regulated Products and Services). Technology platforms that already have access to some of this behavioural data have taken the lead in the development of these alternative credit scoring models.

The DL Guidelines mandate that REs undertake responsible lending by capturing the economic profile of the borrower (including age, occupation, income, etc) to assess the borrower’s creditworthiness in an auditable way. To this end, the DL Guidelines permit collecting data that is required in connection with its operations, provided the digital service provider/RE is able to demonstrate a tangible and direct link between the borrower data collected and economic profiling of the borrower enabling credit decision-making.

The RBI also dictates detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of onboarding.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end uses, such as:

  • banks are prohibited from sanctioning loans against the security of their own shares;
  • banks are prohibited from sanctioning such loans that are to be used for buy-back of securities; and
  • banks are restricted from granting loans to their directors or their relatives, except where approved by the bank’s board of directors and subject to compliance with other specified restrictions.

NBFC

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings – ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI, which include maintenance of leverage ratio and capital adequacy norms.

The Bond Market

The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with SEBI. In the case of foreign portfolio investors, there are restrictions on end uses, in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to the issuing of debt securities, access to debt capital markets tends to be restricted to larger corporates and has not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods and end use restrictions.

P2P Lending

The RBI also permits P2P lending via REs which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform itself is restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed to hold security for the benefit of the lending banks. The arrangement typically also involves the appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.

The RBI has mandated information-sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, and establishing a system of exchange of information with respect to the borrower’s credit facilities between banks (upon obtaining appropriate consent from the borrower).

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the 1999 Foreign Exchange Management Act (FEMA) and the rules, regulations and circulars issued thereunder. FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inbound to India or outbound from India. Such transactions are undertaken by AD Banks, authorised under FEMA to deal in foreign exchange on behalf of their clients.

For personal remittances inbound to India, residents may use the facility to receive such payments through money transfer operators.

RBI-approved PA-CBs also facilitate cross-border payments in exchange for goods and services. Additionally, UPI global is the latest entrant in the cross-border payments space in India (see 1.1 Evolution of the Fintech Market).

Under Indian law, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which is registered with SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts. Different asset classes are governed by varying regulations, depending on the nature of the asset (eg, equity-linked, debt-linked or pooled investment vehicle).

The principal regulators for stock exchanges are SEBI, the Ministry of Finance and RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by RBI. Such electronic trading platforms must be registered with RBI and must comply with minimum capital norms, technological standards and other safeguards.

See 6.1 Permissible Trading Platforms.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. However, over the last year, their stance on cryptocurrency has softened from a “complete ban” to a “regulation” approach, in line with the global developments in the cryptocurrency space.

Indian regulators are therefore now focused on regulating crypto-intermediaries (including crypto-exchanges) with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements. The GOI recently brought all virtual asset service providers (VASPs, which include crypto-exchanges) under the ambit of PMLA.

The Financial Intelligence Unit of India (FIU-Ind) subsequently published the AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (FIU-Ind Guidelines), which came into effect from 10 March 2023. Every VASP operating in India needs to: (i) register with the FIU-Ind; (ii) adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and (iii) comply with PMLA requirements (for example, maintaining transaction records, reporting of suspicious transactions and specified transactions to the FIU-Ind). The FIU-Ind has, in the past, served show cause notices to several crypto-exchanges for failing to register and has directed the GOI to block their URLs.

Additionally, advertisements dealing with cryptocurrency and/or virtual assets must contain adequate risk disclaimers and must not equate such products with regulated products – in accordance with the code issued by the Advertising Standards Council of India.

Listing standards and disclosure requirements are governed by SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

See 2.1 Predominant Business Models. As far as digital lending is concerned, currently there are 26 P2P lending platforms authorised by RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

SEBI prescribes procedural rules for processing payments for trades in listed securities. For example, in 2018, SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee whether appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues (for example, timely reviews of the margining system).

SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

SEBI permitted institutional investors to use DMA through SEBI-registered investment managers. In respect of algorithmic trading, SEBI issued the Broad Guidelines on Algorithmic Trading and subsequently issued additional guidelines pertaining to the same. Additionally, SEBI issued the Measures to Strengthen Algorithmic Trading and Co-location/Proximity Hosting Framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and the free-of-charge tick-by-tick data feed (TBT Feed), order-to-trade ratio (OTR) penalties, unique identifiers for algorithms/tagging of algorithms and the testing requirements for software and algorithms. SEBI has recently issued a circular on Safer Participation of Retail Investors in Algorithmic Trading (Retail Algo Circular) providing clear guidelines on application-based trading, recognising it as a legitimate practice and setting guardrails around actions taken by stock brokers. The Retail Algo Circular is effective from 1 August 2025. Under the Retail Algo Circular, an algorithmic trading strategy needs to be registered with the stock exchanges if the trading frequency is above the prescribed threshold. Algo providers need to register white box solutions with the stock exchanges, whereas the algo provider needs to obtain a research analyst licence from SEBI for offering black box solutions.

These obligations are targeted at stock exchanges (except for commodity derivatives exchanges) in the country. The recent Retail Algo Circular also places obligations on the stock brokers. Recent SEBI trends have been towards relaxing the OTR and orders per second (OPS) limits. SEBI also released a notification banning mis-selling of algorithmic strategies by making references to past performance or expected returns.

These circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers (Market Maker Guidelines) require market makers to register with the stock exchanges per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as market maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing the trading algorithms and other electronic trading rules lays down the following obligations on programmers:

  • all algorithmic orders must be tagged with a unique identifier provided by the stock exchange in order to establish an audit trail; and
  • the testing procedures which are to be followed by market participants before deployment of software and algorithms.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with IRDAI. The underwriting processes to be undertaken by insurers and insurance intermediaries are specified by IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, and audit and reporting mechanisms.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance and vehicle insurance.

Most regtech providers in India are centred around providing KYC and related onboarding services. There is also a recent boost in regtech solutions focusing on end-to-end automation of securities and labour compliances.

There is no direct regulation governing regtech providers in India. Certain functionalities of regtechs may, however, be subject to regulatory oversight. For example, customer onboarding regtech providers in India are typically engaged as agents of the REs through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information and requirements on storage of Aadhaar, which are also relevant for regtech providers utilising the Aadhaar database for their services.

See 9.1 Regulation of Regtech Providers and 2.8 Outsourcing of Regulated Functions. Requirements pertaining to assured performance and accuracy for unregulated regtechs are contractually agreed. As an industry norm, they usually contain a limitation of liability clause and an express “no warranty” clause as to their accuracy and completeness.

Traditional financial services players such as banks are developing interesting and effective applications for the use of blockchain for the financial services industry in India. India’s Bankchain consortium has launched a permission-based blockchain for integrated and shared KYC (Primechain KYC) and is exploring its use for processing letters of credit, tax invoices, and e-way bills, particularly for MSMEs. Meanwhile, RBIH is also currently exploring a blockchain-based pilot project for reducing loan fraud.

On the private side, financial blockchain start-ups in India are primarily focused on cryptocurrency exchanges. However, there is a growing interest in newer applications for blockchain, such as supply chain financing and digital identity verification.

Unlike with cryptocurrency, the GOI and regulators have taken a positive stance towards blockchain technology. The RBI is playing an active part in collaborating with banks piloting blockchain applications and has also included applications of blockchain technologies to be tested in its sandbox.

The GOI has developed a National Strategy on Blockchain to synergise stakeholder inputs and develop e-governance applications of blockchain. The GOI recently launched the Vishvasya blockchain technology stack to offer blockchain-as-a-service (BaaS) through a geographically distributed infrastructure designed to support various permissioned blockchain-based applications. It has also announced the creation of a blockchain sandbox platform called NBFLite. Several state governments in India are also utilising blockchain technologies for supply chain management, land registry, and public record-keeping.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as the 1860 Indian Penal Code, and the 2019 Consumer Protection Act.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

Provision of staking and lending services relating to cryptocurrencies or offering of crypto-derivatives is not governed by any separate regulation in India, though such services may attract the KYC and reporting requirements applicable to VASPs (see 6.3 Impact of the Emergence of Cryptocurrency Exchanges). Any income from such services/offerings will have a tax implication (see 10.11 Virtual Currencies).

See 10.6 Staking.


India has not yet enacted specific guidelines to regulate DeFi. In the absence of specific guidelines, DeFi is currently governed under the extant regulations on payment systems, payment and investment intermediaries.

The current regulatory framework does not contemplate blockchain assets. The funds investing in blockchain assets are therefore unregulated.

Owing to a lack of clarity on how to classify virtual currencies (they do not fall under securities, commodities, currency, payment or security tokens), they remain excluded from most regulations. However, after the 2022 budget speech, the GOI declared virtual currencies to be taxed as a separate class called “virtual digital assets” (VDAs).

All income from VDAs including cryptocurrencies is subject to 30% tax (plus cess) in India. The GOI also announced a tax deducted at source (TDS) of 1% on all cryptocurrency-based transactions. A gift of VDAs is also proposed to be taxed in the hands of the recipient.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. India is currently piloting the e₹, which is anticipated as a replacement for all privately owned cryptocurrencies in India after its launch.

The regulatory landscape surrounding NFTs is unclear. However, NFTs have recently been recognised as a subclass of virtual digital assets and are subject to the same taxation regime.

India has adopted a distinctive approach to open banking. It has created a comprehensive DPI and associated standards, collectively known as the “India Stack”.

The India Stack has been developed in layers over the past decade, with a proactive role played by regulators:

Identity Layer

The Aadhaar digital identity system facilitates identity verification and tracing of individuals’ particulars across various datasets. The RBI has mandated Aadhaar-interlinked KYC practices for all REs through the KYC Master Direction.

Payments Layer

UPI, Aadhaar-enabled Payment System, and Aadhaar Payments Bridge create a fully interoperable payment system that is subject to the supervision of the NPCI.

Documents Layer

“Digilocker” is a cloud-based platform which enables registered governmental authorities to issue and citizens to access authenticated identity documents and certificates.

Data Layer

An account aggregator (AA) is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from financial information providers on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consented financial information user.

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator gaining illegal access to a card, UPI PINs or other payment credentials (for example, through illegal tapping on unsecured internet networks, phishing attacks, or spam and fraudulent calls made to retrieve sensitive payment credentials such as card numbers, PINs, OTPs and passwords) and then using them to make payment transactions.

Financial regulators are quick to react and introduce regulatory measures to protect customers. For example, in light of increasing card frauds, the RBI introduced guidelines on storage of customer card data and a tokenisation framework to control such fraudulent transactions.

Indian regulators primarily focus on fraud affecting retail customers and the general public (such as card fraud, UPI payment fraud, fraudulent loan recoveries, unauthorised transactions) as well as fraud that has larger, system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc).

The RBI’s constant endeavour is to monitor emerging fraudulent techniques with the objective of protecting retail consumers from the same. The RBI is working with banks and enforcement agencies to strengthen transaction monitoring systems and ensure sharing of best practices for control of mule accounts and prevention of digital frauds. RBIH is also piloting an AI/machine learning-based model, MuleHunter.AI, to address this concern.

RBI has issued directions that limit the liability of customers in cases of unauthorised electronic payment transactions involving banks and non-bank PPIs.

If the unauthorised transaction results from contributory fraud or negligence/deficiency on the part of the RE, the RE bears the full liability. If the loss occurs due to the negligence of the customer, the customer is responsible for the entire loss until the unauthorised transaction is reported to the RE. Once reported, any subsequent loss is borne by the RE. In cases where the loss is due to factors beyond the control of both the RE and the customer (eg, systemic issues), the customer’s liability remains zero if they report the unauthorised transaction within three working days. Thereafter, the customer’s liability increases the longer the reporting is delayed.

Typically, the RE will include contractual terms to recover such amounts from its service providers if the unauthorised transaction arises due to contributory fraud or negligence/deficiency on the part of its unregulated fintech service provider.

Shardul Amarchand Mangaldas & Co.

Amarchand Towers, 216
Okhla Phase III
Okhla Industrial Estate Phase III
New Delhi
Delhi 110020
India

+91 11 4060 6060

connect@amsshardul.com www.amsshardul.com

Trends and Developments



Introduction

Recent regulatory advancements in the Indian fintech sector have reshaped the landscape, addressing emerging challenges while fostering innovation. This article explores the pivotal areas that have come to dominate the fintech ecosystem, highlighting key regulatory updates and initiatives as well as industry shifts. These areas not only underscore the fintech sector’s evolution but also offer insights into the strategic direction of India’s financial technology domain.

Digital Payments

Increased adoption

The digital payments ecosystem in India has seen tremendous growth in recent years, fuelled by continuous product innovation and consumer-centric financial solutions offered by fintech service providers. These advancements have not only improved convenience but also incentivised higher consumer adoption of digital payment systems. Recognising the transformative role of digital payments in driving financial inclusion, the Reserve Bank of India (RBI) has introduced several regulatory measures over the past year. The key underlying themes fuelling regulatory intervention by the RBI over the past year have been enhancing accessibility, inclusivity and interoperability within the rapidly evolving fintech sector in India.

A notable development is the integration of FASTag and the National Common Mobility Card (NCMC) into the RBI’s e-mandate framework. This integration allows automatic replenishment of funds when balances fall below a threshold set by the user, streamlining the process for commuters.

Inclusivity has also been a focus, as seen in the Accessibility Standards and Guidelines for the Banking Sector issued by the Ministry of Finance in February 2024 (Accessibility Standards). The RBI observed that all sections of the population, including differently-abled individuals, are increasingly adopting digital payment systems. To ensure effective access to digital payments for differently-abled individuals, the RBI has urged banks and non-bank payment system providers to review and adapt their systems for increased accessibility and to incorporate applicable norms from the Accessibility Standards, while maintaining security standards.

In another significant move, the RBI increased transaction limits under the Unified Payments Interface (UPI) Lite framework, which facilitates small-value offline payments. The limit per transaction has been raised from INR500 to INR1,000, with the total limit (at any point in time) increased from INR2,000 to INR5,000, promoting wider usage of UPI Lite for everyday transactions. Additionally, in a move to further deepen interoperability in peer-to-peer payments, the RBI enabled UPI payment transactions (through linked PPI accounts) through third-party UPI applications.

These regulatory initiatives highlight the RBI’s commitment to fostering innovation, inclusivity and efficiency within the digital payments space. By addressing operational challenges and improving user experience, these measures are poised to further accelerate the adoption of digital payment systems across diverse segments of the Indian population.

Customer protection

With consumer protection being a cornerstone of its regulatory objectives, the RBI has implemented a series of measures aimed at enhancing transparency, promoting competition and safeguarding the interests of users of digital payment facilities – particularly credit and debit card users. These measures address a range of concerns related to card issuance, operational practices, data privacy and user convenience.

One of the key developments involves offering customers greater freedom in selecting their preferred card network for credit cards. Historically, the choice of a card network was determined by bilateral agreements between the card issuer and the card network(s), limiting consumer choice. Recognising the restrictive nature of these arrangements, the RBI has mandated that card issuers must not enter into agreements that prevent them from using the services of other card networks. Additionally, card issuers are now required to provide eligible customers with the option to choose from multiple card networks at the time of issuance. Existing cardholders will be given this choice during the next renewal of their credit cards. However, card issuers with fewer than 10 lakh active credit cards are exempted from the requirement to provide their customers with the option to choose from different card networks, and card issuers operating on their own authorised card network are exempt from all the said requirements.

Further, the RBI introduced several reforms to streamline the operations of business/corporate credit cards. Card issuers are now obligated to implement strict mechanisms to monitor the end use of funds associated with business credit cards. For business cards where liability rests entirely with the business entity, the timeframe for payment and/or adjustment can be mutually agreed upon by the issuer and the entity. Additionally, card issuers are now allowed to offer their cardholders the option to modify their billing cycles multiple times, but are mandated to provide such an option at least once. To enhance product diversity, card issuers can offer alternative form factors, such as wearables, alongside traditional plastic cards.

The RBI has further clarified the role of co-branding partners in co-branded card arrangements in relation to storage of, and access to, transaction data. While co-branding partners are not permitted to access transaction data, if the partner intends to display transaction-related information to the customer on the co-branding partner’s platform, the data must be encrypted to ensure that the co-branding partner does not have visibility or access to the actual transaction data. Moreover, card issuers are required to ensure compliance with the RBI’s guidelines for outsourcing of information technology services, ensuring that the cardholder’s data is shared with outsourcing partners only after obtaining explicit consent and that only data that is essential for performing outsourced functions is shared.

To protect cardholders from unfair financial practices, the RBI has stipulated that interest must only be levied on the outstanding amount, adjusted for payments, refunds or reversed transactions. Card issuers are now required to advise cardholders against making payments through unauthorised methods and to list authorised payment modes on their websites and billing statements.

Further, card issuers are required to establish board-approved standard operating procedures for blocking, deactivating or suspension of cards. In such cases, immediate notification must be sent to the cardholder with details of the reasons for the action.

Collectively, these measures underscore the RBI’s commitment to fostering a consumer-friendly, transparent and secure card payment ecosystem, addressing both operational inefficiencies and customer grievances.

UPI-enabled payments

UPI is a digital payment method that facilitates quick and convenient transfer of funds, from one bank account/wallet to another, via UPI applications on a mobile device. UPI transactions have witnessed remarkable growth in recent years, emerging as the leading mode of digital payments in India by transaction volume. This surge encompasses both customer-to-merchant payments and peer-to-peer transfers, driven by advancements in mobile technology, robust network infrastructure and a seamless onboarding process for users. In 2024, UPI facilitated over 172 billion transactions, amounting to a value exceeding INR246 lakh crore.

The Bharat Bill Payment System (BBPS) serves as a unified payment ecosystem for bill payments. It provides an interoperable platform that allows customers to pay various bills, including utility bills, mobile recharges, and subscription fees, through multiple channels such as internet banking, mobile applications, ATMs, bank branches, agents and business correspondents. In 2024, BBPS processed over 2.1 billion transactions, totalling more than INR7.6 lakh crore in value, underscoring its growing adoption and utility.

Digital Lending

Customer protection

The RBI has introduced measures aimed at harmonising Key Fact Statements (KFS) and ensuring uniform disclosure of the Annual Percentage Rate (APR) across all retail and MSME term loan products offered by regulated entities (REs). These measures seek to address information asymmetry in financial products, empowering borrowers to make more informed decisions. By standardising disclosures, the RBI intends to foster greater transparency and enable borrowers to better understand the cost of credit and terms associated with loans extended by different lenders.

Following this, the RBI took further steps to address unfair interest-charging practices observed among lenders. The regulator highlighted instances where REs charged interest unfairly, such as: (i) levying interest from the date of loan sanction or execution of the loan agreement, rather than from the actual date of disbursement of funds to the borrower; (ii) calculating interest for the entire month, even when the loan was outstanding for only a portion of the month; and (iii) collecting one or more instalments in advance, while continuing to charge interest on the full loan amount.

In response, the RBI directed all REs to review their lending practices and eliminate such non-standard practices, ensuring fair treatment of borrowers. These initiatives underscore the RBI’s commitment to enhancing the protection of borrowers’ interests in lending activities and promoting ethical conduct among lenders, thereby fostering a fair and transparent lending ecosystem.

Credit information

In light of the rapid turnaround time required for digital credit underwriting processes, the RBI has emphasised the critical importance of up-to-date credit information. Accurate and current credit information enables lenders to make informed credit decisions, a necessity in today’s fast-paced financial ecosystem. To address this, the RBI issued directives mandating credit information companies (CICs) and credit institutions (CIs) to ensure the timely updating of credit data.

Under these directions, CICs and CIs are required to update their credit information records on at least a fortnightly basis or at shorter intervals, as mutually agreed upon between them. Furthermore, CIs must submit their credit data to CICs within seven calendar days of the relevant reporting fortnight.

These measures aim to enhance the accuracy and reliability of credit reports, thereby fostering confidence among stakeholders and supporting the efficient functioning of the digital lending ecosystem. The RBI’s directive also reflects its broader goal of ensuring transparency and accountability in the credit ecosystem.

Peer-to-peer lending

The RBI has issued further instructions to address non-compliance with its directions governing the operation and functioning of non-banking financial company peer-to-peer lending platforms (P2P Platforms). These measures aim to enhance transparency, ensure regulatory adherence by the P2P Platforms and safeguard stakeholders’ interests.

The RBI has, inter alia, clarified that P2P Platforms must maintain at least two separate escrow accounts: one for funds received from lenders and awaiting disbursal (Lenders’ Escrow Account) and the other for collecting funds from borrowers (Borrowers’ Escrow Account). Transfers from lenders’ bank accounts must flow directly into the Lenders’ Escrow Account, with disbursements permitted solely to specific borrowers’ bank accounts. Similarly, borrowers must repay loans into the Borrowers’ Escrow Account, from which funds may only be transferred to respective lenders’ accounts. Cross-use of funds between these accounts is prohibited, and all transactions must occur through bank accounts, disallowing cash transactions entirely.

The RBI further clarified that P2P Platforms must not promote peer-to-peer lending as an investment product, including offering features such as assured minimum returns, tenure-linked benefits or liquidity options – thereby preventing misrepresentation of this facility.

Further, P2P Platforms must adopt a fee structure based on either a fixed amount or a fixed proportion of the loan principal amount, independent of the borrowers’ repayment performance, with all fees transparently disclosed to participants. The RBI also prohibited the practice of matching or mapping participants within closed user groups. These directives collectively aim to ensure the proper functioning of P2P Platforms, emphasising fair practices, operational integrity and the protection of stakeholders involved.

Industry Developments

Self-regulatory organisation(s) for the fintech sector

At the start of 2024, the RBI had issued a draft version of its proposed framework for recognising self-regulatory organisations for India’s fintech sector (SRO-FT), inviting comments from stakeholders. After considering the feedback, the regulator notified the finalised framework (SRO-FT Framework) in mid-2024, opening invitations for applications from entities that provide technological solutions for businesses and consumers to access financial products and services or that are subject to RBI regulatory and supervisory oversight, on account of partnerships with REs or otherwise.

Recognising that regulation of the fintech sector will be a delicate balancing act, given its dynamic and prevalent nature, the regulator has introduced the SRO-FT Framework in a bid to achieve such balance.

In addition to developing industry standards and best practices and encouraging compliance by its members, SRO-FTs are poised to act as an intermediary between participants in the fintech sector and the RBI. The RBI has since granted SRO-FT recognition to the Fintech Association for Consumer Empowerment and is in the process of reviewing applications from other entities as well.

Cryptocurrency and Blockchain

Cryptocurrency

Cryptocurrencies/virtual digital assets are not recognised as legal tender in India, but the country has shifted from an earlier stance of a complete ban to one that emphasises regulation. It has been reported that the Securities and Exchange Board of India (SEBI) has recommended that rather than having a single, centralised regulator for cryptocurrencies, several regulatory bodies should supervise activities related to cryptocurrencies that are under their purview. Reportedly, SEBI has expressed that it could regulate new offerings of cryptocurrencies, known as “initial coin offerings” and cryptocurrencies related to the equity market.

The Government of India has also previously issued a notification (commonly referred to as the VASP PMLA Circular) that classified virtual asset service providers (VASPs) as reporting entities under the Prevention of Money Laundering Act, 2002 (PMLA) and its associated rules. Subsequently, the Financial Intelligence Unit-India (FIU-Ind) released a set of guidelines titled AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets. These measures reflect India’s approach to creating a more structured and transparent regulatory framework for virtual digital assets while addressing concerns related to money laundering and financial crime.

Blockchain

The Indian blockchain landscape is experiencing rapid growth and diversification. Traditionally associated with cryptocurrencies and smart contracts, blockchain technology is now expanding into areas such as supply chain optimisation, governance initiatives, and specialised financial applications.

The National Blockchain Framework (NBF) was established by the Government of India in September 2024, to encourage research and the development of applications while facilitating modern, transparent, secure, and reliable digital service delivery to the populace. Blockchain-as-a-Service is provided via the NBF technology stack, which is designed with distributed infrastructure, core framework functions, smart contracts and API gateways, which are secure and interoperable.

The Ministry of Electronics and Information Technology (MeitY) stated that the NBF will be crucial in facilitating security, trust and transparency for a range of citizen-centric applications, as part of the Government of India’s commitment to delivering trusted digital services. Stakeholders have also been urged to use blockchain technology to establish India as a worldwide leader and to make the solutions they create available for use throughout the world, leveraging the technology to drive economic growth, social development and digital empowerment.

Further, the Indian government introduced the Vishvasya-Blockchain Technology Stack and several blockchain-focused facilities, such as NBFLite, Praamaanik and the National Blockchain Portal.

With its geographically dispersed infrastructure, the Vishvasya-Blockchain Technology Stack is intended to provide Blockchain-as-a-Service for a range of permissioned blockchain-based applications.

NBFLite – Lightweight Blockchain Platform is a blockchain sandbox platform, which has been developed under the aegis of MeitY. It was created specifically for academic institutions and entrepreneurs to carry out research and capacity building as well as rapid application prototyping.

Praamaanik is an inventive blockchain-enabled method for confirming the origin of mobile applications.

Data Protection and Privacy

Draft data protection rules

At the beginning of 2025, the Indian government made the draft Digital Personal Data Protection Rules, 2025 (Draft Rules) available for public comment. The Draft Rules are intended to operationalise the provisions under the Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent in August 2023.

The Draft Rules are an important step in the Indian government’s efforts to protect citizens’ rights and their personal data in an increasingly digital economy. The Draft Rules prioritise transparency and simplicity, in order to empower the public and build confidence in India’s flourishing digital ecosystem.

One key tenet of the Draft Rules is the requirement for “data fiduciaries” to give “data principals” comprehensive and transparent notices. In addition to providing procedures for withdrawing consent and resolving grievances, these notices must describe the kinds of personal data that are collected, the reasons for processing and any related services. This strengthens the idea of informed consent by guaranteeing that people can make knowledgeable decisions regarding their data.

“Consent managers” will be responsible for enabling the smooth administration of user consent via a transparent and secure platform, keeping records and protecting this data with strong security measures. These provisions significantly simplify consent management and aim to increase public trust in digital platforms.

The Draft Rules require strict safeguards, including encryption/masking, access controls, and breach detection systems to guarantee data protection. Additionally, in the event of a data breach, data fiduciaries are required to quickly notify the Data Protection Board and the individual(s) impacted, detailing the scope of the incident and the corrective measures implemented. This two-tiered notification approach pushes enterprises to take proactive steps to prevent future incidents and fosters responsibility.

The Draft Rules also establish particular guidelines for processing the data of minors and differently-abled individuals under lawful guardianships, requiring parental or guardian consent to be verified prior to data collection. Furthermore, in order to protect data sovereignty and facilitate global corporate operations, the Draft Rules address compliance standards for cross-border data transfers.

The Draft Rules represent an important change in India’s approach to digital governance. They add a further layer to the foundation for data privacy in India by giving people legal rights and placing explicit obligations on entities handling their data. As is the case with any new regulation, the Draft Rules may have some teething problems when they are first implemented, especially with regard to compliance costs and cross-border limits for small and medium-sized businesses. The successful implementation of the finalised rules will require stakeholders and legislators to work together to guarantee a safe, open and innovative digital future for India.
