India is the third largest and fastest growing fintech market globally. India’s fintech sector has a combined market capitalisation of about USD120 billion.

On the consumer side, Indians are the most open to adopting fintech solutions as evidenced by a fintech adoption rate of about 87%, which is significantly higher than the global average of 64%. India’s investments in digital public infrastructure (DPI) and favourable demographics are the key drivers behind the growth of the Indian fintech sector.

The Past 12 Months

Over the past 12 months, several key developments have contributed to significant growth in the fintech sector.

UPI Global

India’s United Payments Interface (UPI) has enabled seamless, affordable digital payments throughout India, which has been revolutionary for the fintech sector. UPI’s growth has been extraordinary, with the platform handling approximately 21.6 billion transactions (valued at INR27.96 lakh crore) in December 2025 alone.

Over the last year, NPCI has actively taken UPI offshore. Through NPCI International Payments Limited (NIPL), NPCI’s dedicated wholly owned subsidiary, NPCI has entered into global collaborations to:

• create bilateral linkages between UPI and the payment systems available locally in offshore jurisdictions;
• power QR-code enabled payments by Indians to merchants abroad; and
• extend India’s UPI technology to nations without their own instant payment infrastructure.

UPI QR payments are now active in close to eight countries including Singapore, the UAE, Bhutan, France and Sri Lanka. The Reserve Bank of India (RBI) has also collaborated with the Bank for International Settlements and central banks of four ASEAN countries under Project Nexus to enable retail cross-border payments, interlinking domestic payment systems of India with those of Malaysia, Philippines, Singapore and Thailand.

The limits for cross-border payments through UPI Global are the same as UPI’s domestic payment limits (ie, typically INR100,000).

RBI pilot for tokenisation of certificates of deposit

The RBI announced a pilot to tokenise certificates of deposit as part of its wholesale central bank digital currency (CBDC) initiative. This pilot builds on the RBI’s broader conceptualisation of the Unified Markets Interface (UMI), which will have the capability to tokenise financial assets and enable settlements using wholesale CBDC. The initiative aims to facilitate real-time settlement of interbank trades and demonstrates the RBI’s growing comfort with token-based instruments in the financial markets. Based on information available in the public domain, the RBI is also exploring the potential of tokenising other money market instruments, including commercial papers.

Certificates of deposit (CDs) provide an avenue for banks to raise short-term resources, and the pilot for tokenisation of CDs represents a significant step towards modernising India’s money market infrastructure by leveraging distributed ledger technology and wholesale CBDC for atomic settlement.

Self-regulatory organisations (SROs) for fintechs

The RBI has progressively granted recognition to SROs across multiple verticals in the fintech and financial services space pursuant to its March 2024 omnibus framework for recognising SROs for its regulated entities. In August 2024, the RBI granted SRO status to the Fintech Association for Consumer Empowerment (FACE) for the fintech sector. More recently, in October 2025, the Finance Industry Development Council (FIDC) was recognised as the SRO for non-banking financial companies (NBFCs), and in November 2025 the Self-Regulated PSO Association (SRPA) was recognised as the SRO for payment system operators. This reflects the RBI’s acceptance of industry-led self-regulation, with SROs expected to develop sectoral standards, promote compliance among members and serve as an intermediary between industry participants and the regulator.

Simplified regulations

Navigating the complicated regulatory directions was a significant roadblock for fintechs and for entities regulated by the RBI (REs) in India. In November 2025, the RBI undertook a fundamental reorganisation of its regulatory instructions. The RBI consolidated more than 9,000 existing circulars and guidelines into 244 function-wise Master Directions, specific to each category of regulated entity. Following this exercise, 5,673 circulars were repealed for being obsolete (the oldest dating back to 1944). This exercise is expected to enhance the accessibility of regulatory instructions, reduce the compliance burden for REs, and improve the ease of doing business for both REs and fintechs in India.

The Next 12 Months

Regulation of personal data

On 13 November 2025, the government of India (GOI) brought into effect the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”), which operationalise the Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

The DPDP Act is a technology-agnostic, sector-agnostic umbrella framework that governs the processing of all digital personal data. The DPDP Rules establish a comprehensive regulatory framework for data governance, prescribing:

• guidelines for notices by data fiduciaries to individuals;
• requirements for registration and responsibilities of consent managers;
• protocols for processing personal data for delivering government subsidies and services;
• adoption of reasonable security safeguards;
• data breach notification procedures (within 72 hours to the Data Protection Board of India); and
• processes for individuals to exercise their data rights.

The DPDP Rules adopt a phased implementation approach. The Data Protection Board of India was instituted immediately upon notification. The process for registration of consent managers will be implemented by November 2026.

The main compliance duties (including notice requirements, security protocols, breach notifications, and protecting the rights of data principals) will apply from May 2027, giving businesses an 18-month transition window.

Upon full implementation, the DPDP Act will replace the currently applicable statutory framework on data privacy and data protection in India (see 2.2 Regulatory Regime).

Development of regulations for AI

The Indian fintech sector (particularly payments and wealthtech) has rapidly adopted evolving technologies such as blockchain and artificial intelligence (AI). Both bank and non-bank entities in India rely on AI-based tools to improve customer experience, especially in the areas of product identification and matching, background and credit verification checks and customer grievance redressal.

While there are currently no comprehensive regulations specifically addressing AI in India, the financial sector regulators and the GOI have initiated steps to address the adoption of AI.

The GOI issued an advisory dated 15 March 2024, setting out due diligence norms regarding AI and other generative software to all intermediaries and platforms under the 2000 Information Technology Act (the “IT Act”). The advisory imposes several due diligence obligations on intermediaries to ensure responsible use of such technologies. These include:

• ensuring that AI or other generative software does not facilitate the transmission of unlawful content;
• clearly labelling content produced by AI tools if it is unreliable or still undergoing testing; and
• adding a permanent unique metadata tag to outputs that could potentially spread misinformation or generate deepfakes, enabling identification of the content’s originator.

The Report on AI Governance Guidelines Development dated 6 January 2025, released for public consultation by a sub-committee of the GOI, provides insight into the future regulations/legislation governing AI in India. It suggests an activity-based regulations approach and that effective enforcement of existing legislations can assist in mitigation of most AI-associated risks (though specific legislations may be required in areas such as copyright laws).

The RBI’s committee to develop a Framework for Responsible and Ethical Enablement of AI released its report on 13 August 2025, marking the RBI’s first comprehensive attempt to chart a roadmap for responsible AI adoption in finance. The FREE-AI Framework is built around seven guiding principles (termed “Sutras”):

• trust is the foundation;
• people first;
• innovation over restraint;
• fairness and equity;
• accountability;
• understandable by design; and
• safety, resilience and sustainability.

These principles anchor 26 actionable recommendations organised across six strategic pillars:

• infrastructure;
• policy;
• capacity;
• governance;
• protection; and
• assurance.

The first three pillars focus on enabling responsible innovation through sector-wide data infrastructure, AI innovation sandboxes, indigenous financial AI models and capacity building, while the latter three address risk mitigation through board-level governance, consumer protection mechanisms (including disclosures, explainability requirements and grievance redressal) and independent assurance through audits and impact assessments. The FREE-AI Framework also addresses the growing reliance on third-party AI providers, clarifying the application of the RBI’s outsourcing guidelines and recommending AI-specific contractual safeguards around bias, accountability and data use.

Significant steps are expected to be taken towards developing a regulatory framework for addressing AI usage in India over the next 12 months.

Regulation of stablecoins and crypto-assets

India’s stance on stablecoins and crypto-assets is expected to evolve over the next 12 months. The GOI’s 2025–2026 Economic Survey has indicated consideration of a stablecoin regulatory framework, signalling a shift from pure caution to calibrated engagement. If introduced, a domestic framework is likely to be comparable to counterparts in other countries and include licensing requirements for stablecoin issuers, reserve backing norms requiring full collateralisation in high-quality liquid assets, redemption rights at par, and know-your-customer (KYC) obligations aligned with existing AML requirements under the 2002 Prevention of Money Laundering Act (PMLA).  Private initiatives such as the proposed Asset Reserve Certificate (ARC), an INR-backed stablecoin developed by Polygon for cross-border remittances, are expected to progress, potentially offering a regulated alternative to dollar-denominated stablecoins while preserving domestic liquidity and monetary sovereignty. 

However, the RBI has consistently urged caution, advocating for Central Bank Digital Currency (CBDC) prioritisation over privately issued stablecoins to preserve monetary sovereignty and financial stability. The RBI Governor has noted that India’s robust digital payments infrastructure, including UPI, reduces the urgency to embrace stablecoins as a payment solution. Any regulatory framework is therefore likely to reflect this, permitting regulated stablecoin activity for specific use cases (such as cross-border payments and trade settlements) while continuing to develop and scale the digital rupee as the primary state-backed digital currency.

Broadly speaking, the various fintech business models or verticals that are currently predominant in India are:

• UPI-based services;
• payment aggregators and gateways;
• prepaid instruments, wallets and other stored value products;
• digital lending;
• cross-border payment solutions; and
• money remittance products.

Products pertaining to other significant aspects of fintech – such as insurtech, regtech and wealthtech – are scaling in the Indian market.

UPI Payments

UPI is a payments platform managed and operated by the NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users (see also 1.1 Evolution of the Fintech Market).

Payment Aggregators

Payment aggregators (PAs) facilitate sale and purchase transactions by enabling merchants to accept payments from customers through multiple payment channels, without requiring such merchants to create separate payment integration systems. PAs receive payments from customers, pool such funds in escrow accounts and subsequently settle them with the merchants in accordance with agreed timelines.

On 15 September 2025, the RBI issued the Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025 (the “PA/PG Guidelines”), which consolidate and supersede the earlier regulatory frameworks governing PAs.

The consolidated directions formally categorise and regulate three categories of PAs:

• PA-Online (PA-O), being PAs that facilitate transactions where the acceptance device and payment instrument are not present in close proximity (such as e-commerce transactions);
• PA-Physical (PA-P), being PAs that facilitate transactions where both the acceptance device and payment instrument are physically proximate (such as point-of-sale transactions); and
• PA-Cross Border (PA-CB), being PAs that facilitate aggregation of cross-border payments for permissible current account transactions under FEMA.

The inclusion of PA-P within the regulatory framework marks a significant expansion of the RBI’s supervisory remit, as physical payment aggregation was previously unregulated.

Non-bank PA-Ps are required to apply to the RBI for authorisation by 31 December 2025, and those that fail to do so must wind up their PA-P operations by 28 February 2026. The consolidated directions also introduce stricter merchant due diligence and KYC requirements, mandate registration with the Financial Intelligence Unit-India for all non-bank PAs, and prescribe detailed requirements for escrow account operations, settlement timelines and governance.

Payment Gateways

Payment gateways (PGs) are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

PAs and PGs are governed by the PA/PG Guidelines, requiring PAs to be licensed by the RBI, while prescribing recommended technical standards for PGs.

Prepaid Payment Instruments

Prepaid Payment Instruments (PPIs) are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. Under the revised Master Directions on Prepaid Payment Instruments issued by the RBI on 27 August 2021 (the “PPI Master Directions”), PPIs may be issued under one of the following categories:

• closed-system PPIs, for purchase of goods or services offered only by the PPI issuer (they do not require prior approval from the RBI); or
• PPIs that require RBI approval/authorisation prior to issuance, which are classified under two types – small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchasing goods and services. Fund transfers or cash withdrawals from such PPIs are not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments that have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments.

Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for the purchase of goods and services, fund transfers or cash withdrawals.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium-sized enterprises (MSMEs) and retail clients.

Digital lending is under the regulatory purview of the RBI. The RBI has embedded digital lending provisions within its credit facilities directions applicable to each category of regulated entity, establishing a comprehensive regulatory framework for India’s digital lending ecosystem (the “DL Guidelines”).

The DL Guidelines apply to both REs and the lending service providers or digital lending platforms that enter into partnership arrangements with REs to provide digital lending products to consumers.

The DL Guidelines prescribe guardrails in connection with the kinds of customer data that can be accessed and stored by lending service providers, the consent architecture that must be in place for the collection and storage of such customer data and detailed disclosure requirements to protect customer interest and prevent mis-selling of credit products. The DL Guidelines also provide for indirect regulation of lending service providers through regulated lending institutions.

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers – ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as an NBFC–P2P lending platform, subject to a few identified exceptions.

P2P platforms also came under sharp regulatory scrutiny in the last year, with the RBI expressing concerns regarding some business models where P2P platforms performed quasi-lending and banking functions instead of acting as an intermediary.

Cross-Border Payment Solutions and Money Remittance Products

Cross-border payment solutions and other remittance products are governed by the RBI, and are available through a variety of routes in India, including the PA–Cross-Border, Money Transfer Service Scheme and an authorised dealer bank Category II licence.

There is active development in this sector, with products being developed using stablecoins, and a growing number of entities using the PA–Cross-Border route to offer efficient cross-border payment solutions.

The regulatory framework governing the key verticals (see 2.1 Predominant Business Models) of the Indian fintech sector is fragmented across several pieces of legislation and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (the “PSS Act”)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a “payments system” is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. The PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (the “PML Rules”). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and AML verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

As the principal financial regulator, the RBI periodically issues “Master Directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific Master Directions regulating:

• PPIs;
• NBFCs;
• P2P lending;
• PAs and PGs (including PA-CBs);
• account aggregators;
• KYC for all REs; and
• other market participants and offerings.

The RBI’s directions on KYC (“KYC Master Directions”) draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

REs such as NBFCs and payment systems operators/system participants can obtain authorisation from the RBI to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by the GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the IT Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Current Data Privacy Framework”) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once fully implemented, the DPDP Act will overhaul the existing data protection framework (see 1.1 Evolution of the Fintech Market).

Separately, the RBI also issued a circular in April 2018 (the “Data Localisation Circular”), which mandates that all payment data be stored on servers located in India. While such data can be transferred outside India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act.

Compensation models across key product offerings typically take the following forms.

• PPIs/debit cards/credit cards/UPI all charge Merchant Discount Rate (MDR) – ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator (PSO). For cards, transaction interchange fee, interest and float income, and card issuances act as additional income lines.
• Digital lenders charge loan processing fees and interest from their customers, which are usually linked to the volume and tenor of the loan. Digital lenders can also levy additional penal charges for defaults, in a manner that is reasonable and only for material non-compliances. Penal charges must not be used as a revenue enhancement tool.
• PAs/PGs charge the e-commerce marketplaces and merchants for their payment aggregation services and/or technological support provided. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

To promote indigenous payment instruments, the GOI has mandated zero MDR for certain transactions. This could impact the cost competitiveness and revenue flows of foreign fintech players, in comparison with domestic fintech players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandates that:

• REs (such as banks and NBFCs) adopt a “fair practices code”, to be made available on their websites (in English as well as in the vernacular language), setting out the process for loan applications and the key terms and conditions associated with the lending product (including all charges, fees and interest rates);
• all lending institutions provide a “key fact statement” in a standardised format for loan processing – such standardised format must specify the annualised percentage rate for the lending product (which is inclusive of all charges, fees and interest rates in connection with the credit product offered by them); and
• REs (such as PPI issuers, payment intermediaries, banks, NBFCs) adopt a suitable CGRM and designate “nodal officers” to address customer complaints, so as to ensure fairness in operation of such products, including the compensation models employed by them.

Taking a holistic view of the regulatory framework (see 2.2 Regulatory Regime), it appears to treat both new fintech players and established players (such as banks) impartially.

However, there is a significant discrepancy when it comes to banks’ ability to conduct Aadhaar-based E-KYC checks for customer onboarding, a capability that is not extended to non-bank players (such as NBFCs). This discrepancy imposes additional compliance costs on non-bank players. Nevertheless, the RBI has taken steps to address this issue by allowing non-bank players to obtain authorisations to conduct Aadhaar-based E-KYC authentication, enabling them to utilise the services provided by the Unique Identification Authority of India (UIDAI) for E-KYC purposes. Further, the RBI’s impetus on CKYCR may potentially reduce disparity in costs between bank and non-bank players.

Access to credit information is another area where there was a significant discrepancy between REs and certain “specified entities” (which fulfil the criteria prescribed by the RBI), as against other third-party entities (see 2.13 Conjunction of Unregulated and Regulated Products and Services). However, the RBI now expressly allows third-party entities to access the credit information of persons from CICs, as the authorised representative of such persons, with their consent. The RBI has coupled this access with robust security, due diligence and monitoring measures.

RBI

Framework and eligibility

The RBI issued a Regulatory Sandbox Enabling Framework in August 2019 permitting eligible fintech companies to live-test their products in a controlled/modified regulatory environment, provided that such product is compliant with the designated theme for the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI for testing their products in a sandbox:

• net worth of at least INR1 million;
• satisfactory credit score/history of promoters and directors;
• promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
• demonstrated ability to comply with personal data protection laws; and
• adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

The framework outlines the five stages of the sandbox process for a single cohort involving preliminary screening, finalising test designs, application assessment, closely monitored testing and, lastly, assessment of the final output by the RBI. In practice, the end-to-end sandbox process takes more than one and a half years for each cohort.

To date, the RBI has announced five cohorts – on retail payments (February 2021), cross-border payments (December 2020), micro, small and medium-sized enterprise (MSME) lending (October 2021), prevention and mitigation of financial frauds (June 2022) and a fifth “theme-neutral” cohort (October 2023). Of these, the successful exit of 19 applicants from the five cohorts has led to innovations such as a purely digital cash flow-based credit underwriting process for MSMEs and a voice-based UPI payment solution that supports local languages and offline use.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed similar regulatory sandbox products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

Inter-operable Regulatory Sandbox

India’s financial regulators have established an Inter-operable Regulatory Sandbox (IoRS) to facilitate testing of innovative products or services that fall within the remit of more than one financial regulator. The IoRS framework has been operationalised by the Inter-Regulatory Technical Group on FinTech (“IRTG on FinTech”), which comprises representatives from the RBI, SEBI, IRDAI, the Pension Fund Regulatory and Development Authority (PFRDA) and the International Financial Services Centres Authority (IFSCA), and is chaired by the Chief General Manager of the FinTech Department, RBI. Under the IoRS framework, an applicant identifies the principal regulator based on the product’s dominant function, while associated regulators participate in a co-ordinated evaluation and testing process. This structure ensures regulatory interoperability and reduces duplicative oversight for fintech products spanning multiple regulatory domains. The principal regulator conducts detailed scrutiny of the application based on its own framework, and subsequently co-ordinates with associated regulators regarding features that fall under their respective remits. Any issues of alignment or divergence between regulators in determining appropriate regulatory treatment are deliberated on and resolved within the IRTG on FinTech prior to commencement of live testing.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from the NPCI, UIDAI, IRDAI and SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

In India, the primary regulator for fintech is the RBI, which has shifted from a light-touch approach to a full-regulation model in recent years. The RBI is responsive to market changes and technological advances, and regulations have been promptly updated to account for such developments.

NPCI

The NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act, and was established with a view to creating an innovative and robust payment and settlement infrastructure in India.

UIDAI

UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. UIDAI has been central to framing the rules governing the use of Aadhaar by fintech players as a means for customer onboarding and verification.

IRDAI

IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, specifically for insurtech elements.

SEBI

SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. It has jurisdiction over aspects of fintech related to robo-advisers, algorithmic trading and financial research platforms, although these areas are still nascent in India.

Financial regulators in India have typically not issued no-action letters for the fintech sector.

The RBI does not issue no-action letters, although the fintech department of the RBI holds monthly virtual meetings with fintechs – “Finteract” and “Finquiry” sessions – which provide a platform to interact with the regulator and obtain verbal non-binding guidance. SEBI, however, issues no-action letters in the form of non-binding informal guidance letters under the SEBI (Informal Guidance) Scheme, 2003.

The permissibility of outsourcing regulated financial and IT functions in the Indian fintech space is governed largely by outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs and (separately) to PSOs. Broadly, the core regulated activities cannot be outsourced to unregulated entities.

Outsourcing Guidelines

The RBI has introduced guidelines for outsourcing of activities by REs (the “Outsourcing Guidelines”). These guidelines require that banks, NBFCs and PSOs have a board-approved outsourcing policy and that they do not outsource “core management functions”, including internal audit, undertaking regulatory compliance, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities. The RBI also prescribes mandatory contractual terms for such outsourcing contracts.

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

• banks, NBFCs and PSOs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider;
• PAs are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards; and
• banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms, and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

In the case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime), the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act or the PSS Act.

The RBI has increased its regulatory scrutiny and corresponding enforcement actions against REs over the last three years, primarily by way of actions imposing monetary fines, penalties and business restrictions. In exceptional cases, the RBI has also revoked authorisations and licences granted to defaulting REs.

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

• the Current Data Privacy Framework requires certain REs (including banks, NBFCs, PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy;
• the Data Localisation Circular (see 2.2 Regulatory Regime);
• the Aadhaar framework (see 2.4 Variations Between the Regulation of Fintech and Legacy Players); and
• the intermediary guidelines/rules under the IT Act require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe on intellectual property, and does not violate any other prevailing laws.

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires REs to have in place several checks and balances that serve to review the functioning and operations of industry participants. By way of an indicative overview:

• banks and NBFCs are subject to a detailed ongoing compliance framework that involves a review of their operations by external auditors/accountants; and
• the RBI has set up designated ombudsman offices under its management and supervision, charged with receiving and considering complaints from customers relating to the deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on REs.

These compliances represent strict regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.10 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While regulated products are offered by REs (such as banks, NBFCs and PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

Traditional credit information in India is collated by specialised REs called credit information companies (CICs). Access to traditional credit information through such CICs was originally restricted only to REs. Some non-bank entities, fulfilling the criteria prescribed by the RBI, have now been allowed to access information from CICs. However, these criteria are still quite strict (including, inter alia, a net worth of at least INR20 million, Indian-owned and controlled status, at least three years of experience in data processing and a clean track record).

Owing to such restricted access to traditional credit information, a market space for unregulated players to undertake non-traditional “behavioural scoring” has grown in India. These fintech entities typically utilise data that does not strictly constitute credit data and is therefore not currently subject to regulatory limitations. Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the consent requirements under the DPDP Act (once enforced) will also cover such data collection and processing.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers with a seamless customer experience.

The KYC Master Directions apply to REs (including banks, NBFCs, PPI issuers, and payment system providers). The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. REs must file reports of suspicious transactions, including transactions relating to terrorism, with the FIU-Ind. REs are also required to appoint a principal officer who is responsible for monitoring and reporting all transactions and sharing information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, NBFCs and PSOs from outsourcing core functions such as KYC compliance.

Indian anti-money laundering and sanction norms are generally aligned with Financial Action Task Force (FATF) standards.

India does not permit otherwise regulated products and services to be offered from another jurisdiction under a reverse solicitation scenario without triggering domestic regulations. Typically, any cross-border fintech offering, regardless of the solicitation’s origin, would necessitate conformity with Indian financial, exchange control and data protection laws.

A fintech offering in India would typically need to comply with the regulatory framework for financial services (see 2.2 Regulatory Regime), as the regulations are activity-centric. Even in other cases, the Indian foreign exchange legislation (FEMA), which imposes strict controls on cross-border transactions, would typically be applicable to any offering of cross-border payment or investment products (see 5.2 Regulation of Cross-Border Payments and Remittances). Payment products, lending offerings or investments/wealthtech products may or may not require prior RBI approval (it could be a capital account transaction or be permissible under the liberalised remittance scheme), but in any case will need to be FEMA-compliant.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage. While undertaking the business of investment advice requires registration with SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India that focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. Several RE players have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach to incorporating robo-advisory services:

• acquisition or partnerships with players in the robo-advisory space; or
• development of in-house technology, using internal analytical information to provide robo-advisory, putting them in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve network creation and connectivity issues between the clients and robo-adviser platforms, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

The lending regulations in India are broadly borrower agnostic. However, the extent of regulatory supervision differs depending on the category of lender.

Both banks and NBFCs are required to comply with specific capital adequacy, asset quality and prudential norms. While banks are generally heavily regulated, NBFCs are subject to relatively less stringent regulation. Lending service providers or digital lending applications are front-end entities and are only indirectly governed by the DL Guidelines.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders – ie, entities that do not lend on their own books but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Furthermore, the Indian financial sector also often sees lending partnerships between banks and NBFCs, whereby the bank brings the advantage of capital, while the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

• credit score and credit reports from CICs;
• annual income and sources of income; and
• status of existing loan accounts, including any delayed repayments, defaults, etc.

Non-traditional behavioural data is increasingly being used for credit analysis (see 2.13 Conjunction of Unregulated and Regulated Products and Services). Technology platforms that already have access to some of this behavioural data have taken the lead in the development of these alternative credit scoring models.

The DL Guidelines mandate that REs undertake responsible lending by capturing the economic profile of the borrowing (including age, occupation, income, etc) to assess the borrower’s creditworthiness in an auditable way. To this end, the DL Guidelines permit collecting data that is required in connection with its operations, provided the digital service provider/RE is able to demonstrate a tangible and direct link between the borrower data collected and economic profiling of the borrower enabling credit decision-making.

The RBI also dictates detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of onboarding.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end uses, such as the following:

• banks are prohibited from sanctioning loans against the security of their own shares;
• banks are prohibited from sanctioning such loans that are to be used for buy-back of securities; and
• banks are restricted from granting loans to their directors or their relatives, except where approved by the bank’s board of directors and subject to compliance with other specified restrictions.

NBFCs

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings – ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI, which include maintenance of leverage ratio and capital adequacy norms.

The Bond Market

The bond market in India is growing and investors in corporate debt securities primarily include banks, mutual funds and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with SEBI. In the case of foreign portfolio investors, there are restrictions on end uses – in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to the issuing of debt securities, access to debt capital markets tends to be restricted to larger corporates and has not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods and end use restrictions.

P2P Lending

The RBI also permits P2P lending via REs which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform itself is restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure among a consortium of lending banks with a common security agent/trustee appointed to hold security for the benefit of the lending banks. The arrangement typically also involves the appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in the case of a default by the borrower and enforcement of security.

The RBI has mandated information-sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, and establishing a system of exchange of information with respect to the borrower’s credit facilities between banks (upon obtaining appropriate consent from the borrower).

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the 1999 Foreign Exchange Management Act (FEMA) and the rules, regulations and circulars issued thereunder. FEMA prescribes different regulations and compliance requirements, depending on the nature of the transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inbound to India or outbound from India. Such transactions are undertaken by AD Banks, authorised under FEMA to deal in foreign exchange on behalf of their clients.

For personal remittances inbound to India, residents may use the facility to receive such payments through money transfer operators.

RBI-approved PA-CBs also facilitate cross-border payments in exchange for goods and services. Additionally, UPI global is the latest entrant in the cross-border payments space in India (see 1.1 Evolution of the Fintech Market).

Under Indian law, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which is registered with SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts. Different asset classes are governed by varying regulations, depending on the nature of the asset (eg, equity-linked, debt-linked or pooled investment vehicle).

The principal regulators for stock exchanges are SEBI, the Ministry of Finance and the RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, the RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by the RBI. Such electronic trading platforms must be registered with the RBI and must comply with minimum capital norms, technological standards and other safeguards.

See 6.1 Permissible Trading Platforms.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. However, their stance on cryptocurrency has softened from a “complete ban” to a “regulation” approach, in line with the global developments in the cryptocurrency space.

Indian regulators are therefore now focused on regulating crypto-intermediaries (including crypto-exchanges) with rules centred around KYC requirements, consumer protection, disclosures and reporting requirements. The GOI recently brought all virtual asset service providers (VASPs, which include crypto-exchanges) under the ambit of the PMLA.

The Financial Intelligence Unit of India (FIU-Ind) subsequently published the AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (the “FIU-Ind Guidelines”), which came into effect from 10 March 2023. Every VASP operating in India needs to:

• register with the FIU-Ind;
• adopt the prescribed KYC verification processes to verify the identity of users at the time of onboarding; and
• comply with PMLA requirements (for example, maintaining transaction records, reporting of suspicious transactions and specified transactions to the FIU-Ind).

In the past, the FIU-Ind has served show cause notices to several crypto-exchanges for failing to register, and directed the GOI to block their URLs.

Additionally, advertisements dealing with cryptocurrency and/or virtual assets must contain adequate risk disclaimers and must not equate such products with regulated products – in accordance with the code issued by the Advertising Standards Council of India.

Listing standards and disclosure requirements are governed by SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

See 2.1 Predominant Business Models. As far as digital lending is concerned, currently there are about 30 P2P lending platforms authorised by the RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

SEBI prescribes procedural rules for processing payments for trades in listed securities. For example, in 2018, SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of debt securities must be routed through an escrow account or the bank account of Clearing Corporation of India Limited, and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee whether appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues (for example, timely reviews of the margining system).

By way of a circular dated 3 April 2008, SEBI introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

SEBI permitted institutional investors to use DMA through SEBI-registered investment managers. In respect of algorithmic trading, SEBI issued the Broad Guidelines on Algorithmic Trading and subsequently issued additional guidelines pertaining thereto. Additionally, SEBI issued the Measures to Strengthen Algorithmic Trading and Co-location/Proximity Hosting Framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and the free-of-charge tick-by-tick data feed (TBT Feed), order-to-trade ratio (OTR) penalties, unique identifiers for algorithms/tagging of algorithms and the testing requirements for software and algorithms.

SEBI has recently issued a circular on Safer Participation of Retail Investors in Algorithmic Trading (the “Retail Algo Circular”), providing clear guidelines on application-based trading, recognising it as a legitimate practice and setting guardrails around actions taken by stock brokers. The Retail Algo Circular came into effect on 1 August 2025. Under the Retail Algo Circular, an algorithmic trading strategy needs to be registered with the stock exchanges if the trading frequency is above the prescribed threshold. Algo providers need to register white box solutions with the stock exchanges, and need to obtain a research analyst licence from SEBI for offering black box solutions.

These obligations are targeted at stock exchanges (except for commodity derivatives exchanges) in the country. The recent Retail Algo Circular also places obligations on stock brokers. Recent SEBI trends have been towards relaxing the OTR and orders per second (OPS) limits. SEBI also released a notification banning mis-selling of algorithmic strategies by making references to past performance or expected returns.

These circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers require market makers to register with the stock exchanges per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as a market maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing trading algorithms and other electronic trading rules lays down the following obligations on programmers:

• that all algorithmic orders be tagged with a unique identifier provided by the stock exchange in order to establish an audit trail; and
• the testing procedures which are to be followed by market participants before deployment of software and algorithms.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with IRDAI. The underwriting processes to be undertaken by insurers and insurance intermediaries are specified by IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, and audit and reporting mechanisms.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly speaking, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance and vehicle insurance.

Most regtech providers in India are centred around providing KYC and related onboarding services. There is also a recent boost in regtech solutions focusing on end-to-end automation of securities and labour compliances.

There is no direct regulation governing regtech providers in India. Certain functionalities of regtechs may, however, be subject to regulatory oversight. For example, customer onboarding regtech providers in India are typically engaged as agents of the REs through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information and requirements on storage of Aadhaar, which are also relevant for regtech providers utilising the Aadhaar database for their services.

See 9.1 Regulation of Regtech Providers and 2.8 Outsourcing of Regulated Functions. Requirements pertaining to assured performance and accuracy for unregulated regtechs are contractually agreed. As an industry norm, they usually contain a limitation of liability clause and an express “no warranty” clause as to their accuracy and completeness.

Traditional financial services players such as banks are developing interesting and effective applications for the use of blockchain for the financial services industry in India. India’s Bankchain consortium has launched a permission-based blockchain for integrated and shared KYC (Primechain KYC) and is exploring its use for processing letters of credit, tax invoices and e-way bills, particularly for MSMEs. Meanwhile, the RBI Innovation Hub (RBIH) is also currently exploring a blockchain-based pilot project for reducing loan fraud.

On the private side, financial blockchain start-ups in India are primarily focused on cryptocurrency exchanges. However, there is a growing interest in newer applications for blockchain, such as supply chain financing and digital identity verification.

Unlike with cryptocurrency, the GOI and regulators have taken a positive stance towards blockchain technology. The RBI is playing an active part in collaborating with banks piloting blockchain applications and has also included applications of blockchain technologies to be tested in its sandbox.

The GOI has developed a National Strategy on Blockchain to synergise stakeholder inputs and develop e-governance applications of blockchain. The GOI recently launched the Vishvasya blockchain technology stack to offer blockchain-as-a-service (BaaS) through a geographically distributed infrastructure designed to support various permissioned blockchain-based applications. It has also announced the creation of a blockchain sandbox platform called NBFLite. Several state governments in India are also utilising blockchain technologies for supply chain management, land registry and public record-keeping.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislation such as the 1860 Indian Penal Code and the 2019 Consumer Protection Act.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

Provision of staking and lending services relating to cryptocurrencies or offering of crypto-derivatives is not governed by any separate regulation in India, though such services may attract the KYC and reporting requirements applicable to VASPs (see 6.3 Impact of the Emergence of Cryptocurrency Exchanges). Any income from such services/offerings will have a tax implication (see 10.11 Virtual Currencies).

See 10.6 Staking.

See 10.6 Staking.

India has not yet enacted specific guidelines to regulate DeFi. In the absence of specific guidelines, DeFi is currently governed under the extant regulations on payment systems, payment and investment intermediaries.

The current regulatory framework does not contemplate blockchain assets. Funds investing in blockchain assets are therefore unregulated.

Owing to a lack of clarity on how to classify virtual currencies (they do not fall under securities, commodities, currency, payment or security tokens), they remain excluded from most regulations. However, after the 2022 budget speech, the GOI declared virtual currencies to be taxed as a separate class called “virtual digital assets” (VDAs).

All income from VDAs including cryptocurrencies is subject to 30% tax (plus cess) in India. The GOI also announced a tax deducted at source (TDS) of 1% on all cryptocurrency-based transactions. A gift of VDAs is also proposed to be taxed in the hands of the recipient.

The RBI and the GOI exhibit a marked reluctance to acknowledge cryptocurrency as a legitimate form of currency in India. India is currently piloting the e₹, which is anticipated as a replacement for all privately owned cryptocurrencies in India after its launch.

The regulatory landscape surrounding NFTs is unclear. However, NFTs have recently been recognised as a subclass of VDAs and subject to the same taxation regime.

In India, there is no separate framework for stablecoins, and stablecoins are regulatorily treated as VDAs. See 10.11 Virtual Currencies.

While there are no regulatory norms that apply to stablecoins (eg, governing minimum asset backing or redemption rights), certain service providers dealing with stablecoins can be classified as VASPs and will be required to comply with PMLA and the FIU-Ind guidelines. See 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

India has adopted a distinctive approach to open banking. It has created a comprehensive DPI and associated standards, collectively known as the “India Stack”.

The India Stack has been developed in layers over the past decade, with a proactive role played by regulators.

Identity Layer

The Aadhar digital identity system facilitates identity verification and tracing of individuals’ particulars across various datasets. The RBI has mandated Aadhar-interlinked KYC practices for all REs through the KYC Master Direction.

Payments Layer

UPI, Aadhaar-enabled Payment System, and Aadhar Payments Bridge create a fully interoperable payment system that is subject to the supervision of the NPCI.

Documents Layer

“Digilocker” is a cloud-based platform that enables registered governmental authorities to issue and citizens to access authenticated identity documents and certificates.

Data Layer

An account aggregator (AA) is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from financial information providers on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consenting financial information user.

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator of fraud getting illegal access to a card, UPI pins or other payment credentials (such as illegal tapping on unsecured internet networks, phishing attacks, spam and fraudulent calls to retrieve sensitive payment credentials such as card numbers, PINs, OTPs and passwords) and then using them to make payment transactions.

Financial regulators are quick to react and introduce regulatory measures to protect customers. For example, in light of increasing card frauds, the RBI introduced guidelines on storage of customer card data and a tokenisation framework to control such fraudulent transactions.

Indian regulators primarily focus on fraud affecting retail customers and the general public (such as card fraud, UPI payment fraud, fraudulent loan recoveries, unauthorised transactions) as well as fraud that has larger, system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc).

The RBI’s constant endeavour is to monitor emerging fraudulent techniques with the objective of protecting retail consumers from them. The RBI is working with banks and enforcement agencies to strengthen transaction-monitoring systems and ensure sharing of best practices for control of mule accounts and prevention of digital frauds. The RBIH is also piloting an AI/machine learning-based model, MuleHunter.AI, to address this concern.

The RBI has issued directions that limit the liability of customers in cases of unauthorised electronic payment transactions involving banks and non-bank PPIs.

If the unauthorised transaction results from contributory fraud or negligence/deficiency on the part of the RE, the RE bears the full liability. If the loss occurs due to the negligence of the customer, the customer is responsible for the entire loss until the unauthorised transaction is reported to the RE. Once reported, any subsequent loss is borne by the RE. In cases where the loss is due to factors beyond the control of both the RE and the customer (eg, systemic issues), the customer’s liability remains zero if they report the unauthorised transaction within three working days. Thereafter, the customer’s liability increases the longer the reporting is delayed.

Typically, the RE will include contractual terms to recover such amounts from its service providers if the unauthorised transaction arises due to contributory fraud or negligence/deficiency on the part of its unregulated fintech service provider.