The Financial Technology Law Review: India


The fintech sector in India has boomed in the past decade, with increasing investments and smartphone penetration, falling data prices and supportive policy approach, and the objective of attaining a 'less-cash economy' and increased financial inclusion. Regulatory initiatives introduced to this end include market studies, regulatory sandboxes and innovation hubs, allowing stakeholders (such as regulators, incumbents and start-ups) to efficiently synergise with each other and experiment with new products, services and technology.

While developments in regulatory policies to facilitate innovation have been relatively slower in the securities and insurance markets, the Reserve Bank of India (RBI) (the central bank and regulator for banking and financial services) has been quick to accommodate and operationalise new technology-driven business models in financial services, such as in digital payments and settlement, online banking and digital lending. In fact, the RBI, recognising the immense potential for growth in this sector, has set up a fintech department to promote the fintech sector and address the challenges and opportunities associated therewith in a timely manner. Further, there has also been a shift in policy to promote customer-centric initiatives by making digital payments more affordable and accessible, strengthening grievance redressing mechanisms and easing the acceptance infrastructure for online payments across India.

At the same time, Indian regulators have been cautious and have been proactively monitoring any emerging risks in the changing fintech environment and plugging any gaps through regulatory intervention as and when needed. A growing cause for concern for regulators is that, unlike many advanced economies, a large part of the fintech sector in India operates at the edge of the regulatory regime, or entirely outside it, making it difficult to monitor and shape related activities.

Although there are no tax incentives specifically designed for fintech companies in India, start-ups that are registered under the 'Startup India' scheme of the Indian government can benefit from various incentives, such as income tax exemptions, self-certification under labour and environment laws, intellectual property rights benefits and access to government-backed fund support. The Indian government, in light of the distress caused to companies due to the covid-19 pandemic, has increased the period in which income-tax exemption can be sought by start-ups under the scheme.


i Licensing and marketing

There is no special fintech licence in India and the regulations governing offline banking and financial services are also applicable to fintech companies. These include the onerous licensing and operational guidelines applicable to banks and non-banking financial companies (NBFCs), and more generally, the domestic laws relating to contracts, information technology, data protection, intellectual property, consumer protection and anti-money laundering and counter-terrorism financing. With rising fintech penetration in financial services, specific regulations for different activities are now evolving, including for NBFCs, payment systems, online payment intermediaries, small-scale payment banks, peer-based lending platforms and account aggregators (discussed below).

The RBI is the primary regulator for most fintech activities in banking, payments and lending. The jurisdiction of other regulators may also get attracted, depending on the nature of the services being offered, including the Securities and Exchange Board of India (SEBI) when dealing in the securities market and the Insurance Regulatory and Development Authority of India for the insurance sector, as well as the Ministry of Electronics and Information Technology (MEITY) and the Ministry of Corporate Affairs, as may be applicable.

It is significant to note that a growing number of fintech entities in India operate as third-party enablers providing technology and ancillary services to licensed entities, which in turn provide the underlying regulated financial services. This gives fintech entities a distinct advantage of offering value-added services to plug any gaps in the offline ecosystem, while being at the periphery or outside the direct ambit of the regulatory framework applicable to banking and financial services. While these fintech entities are now increasingly being indirectly monitored through more onerous outsourcing guidelines, including for non-bank payment system operators, Indian regulators are at the same time studying different cases of the evolving technology and market practices to identify any emerging risks, especially with regard to unregulated fintech entities undertaking activities that ideally ought to be undertaken by regulated entities. Consequently, regulators are assessing whether a tweak in their approach is required for the increasing interplay between regulated and unregulated entities.

Rules for marketing

The field of advertising is generally subject to a multiplicity of laws and codes in India to achieve fair practices aligned with antitrust principles, prohibit misleading or inaccurate statements, and restrict obscene, immoral or objectionable content from being published in any advertisement or marketing collateral. The RBI has also issued specific guidelines on similar lines to protect the customers' right to transparency, fair and honest dealings by financial service providers (directly and under outsourcing arrangements). In addition, the RBI has recently cautioned against the levy of hidden and excessive rates of interests on digital lending platforms as well. Separately, advertisements for public offers or sale of stock market instruments must provide accurate, detailed and current information about the instruments, including the risks involved, without any exaggerated claims regarding profits. Similarly, advertisements for insurance products must contain accurate information about the coverage, exclusions and applicable premiums. Advertisements for both stock-market instruments and insurance products must also include specific disclaimers prescribed under law.

Digital advisory and asset management services

The traditional mutual funds industry in India (discussed in Section IV) is increasingly relying on fintech solutions for distributing its products, including online platforms to transact seamlessly. Further, many fintech start-ups are innovating in the financial advisory space through automated tools and algorithms for aiding in analytics and investment decisions (with reduced human intervention). Depending on the nature of services, investment advisers and asset management and mutual fund companies in India are required to comply with the securities regulations of the SEBI for investment advisers (the IA Regulations) and mutual funds (the MF Regulations), as amended periodically, and that apply uniformly to both traditional and automated service models. In fact, SEBI has clarified that investment advisers using automated tools cannot electronically acquire consent from their customers while entering into investment advisory agreements, as mandated by the IA Regulations. The SEBI has been in a consultative process of proposing to introduce special requirements for automated tools used in investment advisory services, to make these tools subject to audit and inspection, and with the ultimate responsibility being that of the investment advisers using the tools. Further, depending on the level of automation and customisation in providing stock-specific recommendations, advice or research reports could fall within the regulatory ambit of the SEBI (Research Analysts) Regulations as well.

Credit information services

The business of providing credit information services is regulated in India under the Credit Information Companies (Regulations) Act, which provides a framework to facilitate efficient distribution of credit, including a registration requirement for such companies.

ii Cross-border issues

India does not have a regulatory regime designed for foreign licences to be directly passported from another jurisdiction and used in India for providing financial services. Foreign licensed entities looking to provide similar regulated services in India need to separately seek the relevant authorisation under the applicable law in India for such activities. Although, practically, entities with an existing licence in some foreign jurisdictions may find it easier to seek the relevant authorisation in India. To this extent, the foreign direct investment (FDI) policy in India for financial services is broadly conducive, generally allowing for FDI of up to 100 per cent under the automatic route (i.e., without the approval of the Indian government) for most financial services that are regulated by the RBI and the SEBI and for activities of insurance intermediaries. This is subject to compliance with prescribed FDI-linked conditions and the sector-specific regulations.

Any restriction on offering fintech services or products from abroad without a physical presence or a local licence in India is largely dependent on whether and to what extent such activity is regulated in India. For instance, under the extant regulatory framework, many fintech services and products, such as payment wallets, peer-based lending platforms and investment advisory services, can only be provided by entities incorporated and registered in India. Similarly, foreign entities proposing to provide payment and settlement services in India need to obtain a prior authorisation from the RBI. Cross-border payments and transactions in India are strictly regulated, and only an RBI-authorised entity can deal in foreign exchange or in foreign securities as an authorised dealer, money changer or offshore banking unit. To this extent, the jurisdiction of the SEBI is limited to the Indian securities markets and services to Indian investors in relation to global markets may fall outside the SEBI's regulatory ambit.

An important cross-border issue for foreign entities providing fintech services in India is the requirement of localisation of financial data for various services on servers or hardware located in India, including by payment system providers, payment intermediaries and peer-based lending platforms. For cross-border payment transactions, financial data may temporarily be transferred abroad for the purpose of processing the transaction but would thereafter need to be deleted from the systems abroad and stored only in India. These requirements inevitably restrict the hosting of financial data on a cloud or server outside India.

A foreign company may also be required to comply with certain provisions of the Indian Companies Act where it has a 'place of business' in India (directly or through an agent), physically or through an electronic mode, and conducts any business activity in India. Further, the recently amended consumer protection regulation in India, namely the Consumer Protection Act 2019 and the Consumer Protection (E-Commerce) Rules 2020, includes specific provisions for 'e-commerce', defined broadly to include buying or selling of goods or services including digital products over digital or electronic networks. These regulations also apply to foreign-owned e-commerce entities that are not established in India, but 'systematically' offer goods or services to consumers in India, including in connection with banking, finance and insurance.

Digital identity and onboarding

India has the world's largest human digital identification number scheme. Known as 'Aadhaar', this digital identity is issued by the Indian government under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (the Aadhaar Act) through a centralised agency called the Unique Identification Authority of India (UIDAI). Aadhaar is a 12-digit random number issued by the UIDAI to duly verified Indian residents.

Any resident of India, upon submitting the requisite demographic and biometric information, is eligible for Aadhaar. Foreign nationals can obtain an Aadhaar identity after residing in India for a continuous period of 182 days. Aadhaar is used as a strategic policy tool for social and financial inclusion by linking it to several government initiatives.

The UIDAI has eased the process to satisfy know-your-customer (KYC) regulatory norms by launching the electronic KYC (e-KYC) process that allows banks, insurers and other regulated entities to digitally onboard customers. Instead of furnishing a multitude of documents to confirm demographic information, customers can now use their biometric details through Aadhaar to complete the KYC process. The RBI has also recently allowed regulated entities such as banks and NBFCs to undertake customer due diligence through a video-based customer identification process (V-CIP), which has been accorded the same recognition as face-to-face customer identification, for the purpose of onboarding new customers. Additionally, the UIDAI has recently introduced methods of offline verification of Aadhaar identity, which can also be undertaken to complete the KYC process for any individual. These methods are QR code verification, Aadhaar paperless offline e-KYC verification, e-Aadhaar verification and offline paper-based verification.

Financial service providers previously preferred using the e-KYC process historically permitted only for banks as a foundational KYC, allowing customers to open accounts with them through second-factor authentication over the phone using a one-off password. However, recently, the RBI permitted NBFCs, payment system providers and payment system participants to carry out authentication of clients' Aadhaar identities using the e-KYC facility provided by the UIDAI. This process is relatively simpler than the V-CIP process for KYC.

The SEBI set up the KYC Registration Agency (KRA) to maintain KYC records of investors centrally, where relevant investor information is shared with all registered intermediaries, as required, once an investor has undergone the KYC process with one registered intermediary. However, in-person verification is required through video. Further, broadening the scope from solely intermediaries, the government has placed the Central Registry of Securitisation Asset Reconstruction and Security Interest of India in charge of the Central KYC Record Registry that caters for data sharing between reporting entities of all major financial regulators, and has eased the process of financial transactions, in a similar manner to the KRA.

However, Aadhaar is accompanied by a host of challenges relating to data privacy, security, false identities and sale of pirated software in the black markets.

Digital markets, payment services and funding

i Collective investment vehicles

A 'mutual fund' is a highly regulated mechanism for pooling money from the public. The pooled fund is further invested into a diversified selection of asset classes and instruments in the capital market (including equity and debt securities) by a professional fund manager. Mutual funds (including agents and distributors) are strictly regulated and supervised by the SEBI under the MF Regulations and by the Association of Mutual Funds in India. The SEBI has relaxed the profit track record eligibility, paving the way for venture-backed fintech start-ups to sponsor and launch mutual funds as well,

An alternative investment fund (AIF) is a lightly regulated pooled investment vehicle of relatively significant financial commitments from sophisticated investors. AIFs are governed by the SEBI under its AIF Regulations, which prescribe general and specific set of investment restrictions for AIFs, including in relation to AIF managers. AIFs can be structured in the form of a trust, a limited liability partnership or a company, and under various defined categories depending on their investment criteria.

A residual category exists in India in the form of collective investment schemes (CIS), which are defined by the SEBI as arrangements managed by any company under which contributions by public investors are pooled and utilised for the purposes of the scheme with a view to receive profits, income, produce or property, and are strictly regulated by the SEBI under its CIS Regulations. To this extent, any pooling of funds under a scheme or arrangement involving a corpus size of approximately US$13.75 million or more, and that is not registered with the SEBI, is deemed to be a CIS. Cooperative societies, deposits by NBFCs, public deposits under the Indian Companies Act, contracts of insurance, pension schemes and mutual fund contributions do not qualify as CIS.

ii Crowdfunding and peer-to-peer lending

Alternative forms of capital raising, such as crowd-lending and crowdfunding activities, have recently gained prominence in India.

Crowd-lending platforms that facilitate peer-to-peer (P2P)-based lending activities are now regulated as NBFCs in India by the RBI under specific regulations (P2P Regulations). These regulations, which provide the registration and operational guidelines for P2P platforms, are less onerous than those applicable to other categories of NBFCs, given that P2P platforms are perceived to pose relatively less systemic risk. The role of P2P platforms is limited to acting as intermediaries or marketplace platforms that provide loan facilitation services between the participants. Several restrictions apply to these platforms, including prohibitions to:

  1. lend on their own;
  2. provide or arrange credit enhancement or guarantee;
  3. facilitate secured lending;
  4. hold funds received from the participants;
  5. permit international fund flow; or
  6. allow lending beyond the caps provided for the maturity period and exposure to a single borrower.

While crowdfunding initiatives based on rewards or donations are generally permitted in India with limited regulatory oversight, the legal position for equity-based crowdfunding is unclear. The SEBI is yet to formulate any law or its conclusive stance with respect to equity-based crowdfunding, but in the interim has issued a public statement to investors, cautioning them against online platforms facilitating fund raising. It has further stated that these digital platforms are neither authorised nor recognised under any law in India, and that dealings on these platforms would be in contravention with applicable securities law and the Indian Companies Act. Accordingly, in the absence of regulatory clarity and an enabling framework for equity-based crowdfunding, these activities remain in a regulatory grey space in India, erring on the side of being prohibited under law.

iii Payment services

Payment services (defined as clearing, payment or settlement services) are regulated in India by the RBI under the Payment and Settlement Systems Act (PSSA). Certain services of payment system operators, such as those providing prepaid payment instruments, ATM networks, clearing and settlement infrastructure, money transfers and card network operations, are required to obtain an authorisation under the PSSA and comply with the operational directions prescribed therein. However, as discussed above, a bulk of the fintech innovation in the payments space in India is taking place on the technology side, falling outside the direct regulatory ambit of the PSSA.

iv Trading in debt securities and assignment of debt

Public issue and listing of debt securities are regulated in India under the SEBI (Issue and Listing of Debt Securities) Regulations. Trading in debt securities in a secondary market is permitted after these securities are listed on one or more recognised stock exchanges and subject to compliance with the conditions prescribed in the relevant listing agreement and as specified periodically by the SEBI. Moreover, fintech companies accepting assignment of receivables, or facilitating lending against the security of receivables (barring banks and NBFCs providing debt against the security of receivables in the ordinary course of business), may trigger the Factoring Regulation Act, and may need to register as NBFC-factors.

v Data sharing

Financial institutions are generally required to adhere to the extant legal framework on information technology, cybersecurity and data confidentiality, including in outsourcing arrangements. To this extent, the RBI has issued specific restrictions with respect to sharing credit information of customers by banks and non-banking lenders to non-regulated entities (such as unregulated fintech companies), without seeking the explicit consent of customers. Under the Information Technology Act (the IT Act) and the rules issued according to this, there is also a general requirement to seek the consent of data subjects prior to collection and disclosure of their sensitive personal data.

With respect to mandatory data sharing, institutions in India are only obliged to share customer information where the disclosure is required pursuant to an order of the court, or a government body as prescribed under law. However, to balance data privacy concerns with the industry's increasing need for open data sharing, the RBI has recently operationalised a new category of NBFCs called 'account aggregators' (AAs). AAs are regulated data-access intermediaries that facilitate secure and consent-based sharing of financial data through an interoperable and technology-agnostic framework with entities providing financial services.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Currently, blockchain technologies and cryptocurrencies operate in a realm of legal uncertainty in India as there are no specific regulations governing them. In 2018, the RBI had issued a circular directing regulated entities not to deal in virtual currencies, nor provide services for facilitating, dealing with or settling virtual currencies, and to exit relationships where these services were already being provided. In 2020, the Supreme Court of India struck down this circular on the constitutional grounds of proportionality, observing that the RBI's consistent stand is that it has not banned virtual currencies, and the RBI has failed to show how regulated entities have suffered any loss on account of their interface with virtual currency exchanges. In its judgment, the Supreme Court did not give its own opinion on whether virtual currencies are or should be prohibited but deferred that to the regulators and the Parliament. Following this judgment, banks continued quoting the RBI's circular to caution customers against trading in virtual currencies. However, the RBI subsequently clarified that banks (along with payment system providers, NBFCs, etc.) can continue facilitating trade in virtual currencies, but must undertake customer due diligence measures under extant regulations and guidelines.

The Supreme Court, in its judgment, observed that although virtual currencies are not considered 'legal tender', they can perform most functions of real currency, and accordingly, certain virtual currencies can qualify as payment, securities or commodity. India's Ministry of Finance has published a report to address the lacunae in regulating virtual currencies, including tokens, where it notes that categorising tokens based on their characteristics is imperative from a regulatory standpoint. Accordingly, tokens can be grouped into utility tokens (used to grant access to a company's products) and security tokens (representations of investment in a company). Further, to determine whether tokens can be treated as securities, and thus fall within the purview of regulators, the report suggests employing the use of the Howey test. However, the report does not detail any proposed regulatory measures to govern the finer aspects, such as the linking of tokens to underlying assets or the nature of assets to which tokens can be linked. Recently, it has been reported that the central government intends to introduce a bill through which it seeks to regulate virtual digital assets in India. In fact, the Finance Minister of India, in the Budget Speech for 2022, has introduced a tax at a flat rate of 30 per cent on virtual digital assets (despite not commenting on the legitimacy of these assets), and the Finance Bill has introduced a broad definition of the term 'virtual digital assets', which also includes non-fungible tokens. Another announcement in the Budget Speech for 2022 related to the RBI launching a central bank-backed digital currency within the 2022–2023 financial year.

Cryptocurrencies have not yet been specifically addressed under the money laundering regulatory framework in India. Meanwhile, the cryptocurrency industry has formulated a code of conduct covering norms pertaining to anti-money laundering standards. The code is sought to be updated given the recent heightened scrutiny of the sector by regulators and law enforcement agencies due to suspected cases of money laundering. Regarding issues in cross-border cryptocurrency transactions, as the RBI has not notified this as official currency, ascertaining whether cryptocurrency will be a permitted capital account transaction, or current account transaction, will be difficult under applicable laws.

Other new business models

i Self-executing contracts

In India, several corporate entities are experimenting with the use of self-executing contracts for routine transactions; however, these contracts operate in a regulatory grey area. Self-executing contracts are governed by the pre-existing legal framework, particularly the Indian Contract Act, the IT Act and the Indian Evidence Act. While these contracts fulfil the basic requirements of being a consensual agreement entered into for consideration, a lacuna exists with regard to their authentication and admissibility. One such issue is that the IT Act only authorises digital signatures issued by entities certified by the government (and not self-generated digital signatures) and the Indian Evidence Act only allows the admission of those documents that are authorised by the IT Act.

Separately, the MEITY has released a report, while assessing the cases for blockchain technology underlying smart contracts, where it contemplates potential blockchain applications, which include using it for the transfer of land records and the e-Notary service, among others. In a recent update, the MEITY sought to improve the security of blockchain technology by creating a repository of known blockchain vulnerabilities, with one of these being the Smart Contract Weakness Classification and Test Cases registry. There is a push to undertake more research on interoperability, scalability and performance, consensus mechanisms, security and privacy, key management, secure smart contracts and detection of vulnerabilities in blockchain technology-based solutions. However, there is no tailor-made dispute resolution mechanism in India for disputes arising out of smart contracts.

ii Artificial intelligence in financial products

Currently, artificial intelligence (AI) is used for several financial services, including for credit scoring, risk management, wealth management, algorithmic trading and transactions. Further, third-party administrators in the health insurance arena employ the use of AI for automated risk assessment and claim adjudication, while technology service providers are developing smart contracts for health insurance settlements. However, there are no dedicated policies or governance structures regarding AI in India. To address this, consultation papers have been issued by regulators in the space of robotic financial advisers, consumer protection, data privacy and security. In this regard, it is pertinent to note that there are specific risks attracted when third-party websites carry out detailed comparisons and host advertisements of robo-advisers, in the domain of investment and trading advice, as this practice could potentially lead to the contravention of competition, consumer protection and intellectual property laws of India.

iii Other new business models

Fintech players see huge potential in the Indian market, owing to the large population and proliferation of cheap internet services. An untapped market for these players is that of the lower-income groups that require financial services but cannot avail these from traditional banks on account of poor credit scores or lack of access. This has given rise to new fintech models such as Toffee Insurance's bite-sized insurance cover for dengue or GramCover's insurance for farmers. These models are built around financial inclusion through the provision of flexible payment models. However, these ventures currently operate in a realm of legal uncertainty.

Neo-banks are a new category of banks that operate entirely online (i.e., without any physical branches). However, the RBI does not currently recognise online-only banks in India and insists on physical infrastructure. In the absence of virtual banking licences, neo-bank entities now offer various banking services by partnering with traditional banks and are thereby indirectly within the RBI's regulatory oversight. Recently, the RBI amended the regulatory framework governing prepaid wallets and even allowed non-banks to issue full-KYC wallets, which enable cash withdrawal (within a prescribed limit). Consequently, non-bank issuers (such as neo-banks and other fintech companies) can avail a licence and issue a full-KYC wallet that can support services such as cash withdrawal, which can boost the growth of neo-banks.

In the interest of financial inclusion, the RBI has permitted the operation of 'payments banks', which are small-scale banks that offer certain services such as accepting deposits and issuing ATM cards, but are prohibited from issuing credit cards or advancing loans. Previously, payments banks were restricted to holding a maximum balance of 100,000 rupees per individual customer at the end of the day, but this limit has now been revised by the RBI to 200,000 rupees per individual customer in light of furthering financial inclusion and the objective of giving more flexibility to payments banks.

The National Payments Corporation of India (NPCI) has issued regulatory and technical guidelines for each of its products (such as the Unified Payments Interface (UPI) and RuPay). The UPI is a payment system that powers multiple bank accounts into a single mobile application, thus merging several banking features. This payment system can be integrated with third-party applications such as Google Pay and WhatsApp Pay, for digital transactions. However, there have been concerns on misuse of data collected through UPI-based systems and representations have been filed in the Supreme Court of India, seeking directions from the apex court for use of such data in line with the applicable privacy and data protection norms.

Intellectual property and data protection

i Intellectual property

Intellectual property protection for software is mainly sought under copyright and patent laws in India. From a copyright perspective, fintech software solutions can be protected under the Copyright Act, as 'literary work', which includes computer programs and computer databases. Registration for copyright protection is not mandatory but is recommended from an enforcement point of view.

When it comes to copyright, the author of the work is considered as the first owner of the copyright. However, in the case of software or business models developed by the employee during the course of his or her employment under a contract of service, the employer of the establishment will be the first owner of the software in the absence of any agreement to the contrary. There is no separate compensation owed to the employee in this respect, as a general industry practice.

While 'business methods' and 'computer programs per se' are explicitly prohibited from being patented in accordance with Indian patent laws, there is slight leeway given to computer programs that are attached to inventions and are components of these inventions. Therefore, if a computer program is claimed in conjunction with a novel functionality, there is a high likelihood that it will be granted a patent. However, as compared to copyright laws, there is no corresponding provision under patent laws that provide employers the right to the inventions created by their employees during the course of employment.

Further, the government has provided myriad relaxations to technology start-ups in the intellectual property space. For instance, a start-up engaged in an eligible business, which includes innovation of new products, is entitled to tax exemptions under applicable laws, subject to fulfilment of certain criteria. The government has also launched the Support for International Patent Protection in Electronics & IT scheme to provide financial aid to technology start-ups to strengthen their competitiveness through innovation and its protection while also separately offering specific intellectual property benefits to start-ups that include fast tracking of patent applications and 80 per cent rebate in filing patents.

ii Data protection

The IT Act governs data protection and security practices in India, according to which 'sensitive personal information' is characterised as personal information relating to passwords, financial information and so on. Entities that collect, receive, possess or handle this sensitive personal information are required to provide a privacy policy, and while collecting or disclosing the information, consent will have to be obtained from the relevant user or data subject, which can be later withdrawn. Transferring this information to an entity or person within or outside India is allowed, subject to certain conditions.

Under the extant data protection and privacy framework, an entity is only required to obtain the active consent of a user in relation to the collection or usage of data, pursuant to which the entity may carry out digital profiling. However, the government has been working towards introducing a comprehensive data privacy legislation, to bring the data protection regime in India in line with more robust international standards, such as the European Union's General Data Protection Regulation. Recently, the Joint Parliamentary Committee released a report on proposed changes to the PDP Bill and has renamed it the Data Protection Bill 2021 (DPB), wherein the scope of the proposed legislation has been expanded to include non-personal data. A few other key changes to the DPB include the exclusion of non-digitised data from its scope and introducing greater restrictions on transfer of data by a data fiduciary. Once the DPB (subject to further changes) is finally enacted, fintech companies in India may be required to invest additional resources and time to be compliant with the new regime.

Year in review

Set out below are some of the key regulatory developments in the fintech sector over the past 18 months.

To address concentration risk with the NPCI dominating the growing digital payments space, the RBI has introduced a framework for authorisation of a 'new umbrella entity' (NUE). The NUE will primarily focus on new payment systems, methods and technologies (especially in the retail space), as an alternative to the NPCI. Although several stakeholders have applied for licences, which are still pending with the RBI, the very need for setting up the NUE framework has been called into question by a group of Indian and global unions and associations on grounds such as competition risk, the privatisation of digital payment infrastructural platforms, the potential for abuse of the data of users and the drawbacks of granting licences to multinational corporations and giants.

Recognising the crucial role of intermediaries in online payments (in particular, their involvement in handling funds in the transaction flow), the RBI has introduced a few changes to its guidelines regulating the activities of 'payment aggregators' in India, which are intermediaries that facilitate merchants to accept various payment instruments from their customers. These changes include restrictions on storage of card data, along with introducing new measures for tokenisation of card data.

Regulatory sandboxes have been operationalised for live testing of new products and services in a controlled regulatory environment in the financial, securities and insurance markets. The SEBI-regulated entities have been permitted to engage third-party fintech entities to experiment with fintech solutions on a limited set of real customers. The RBI's regulatory sandbox has also initiated with the first cohort of entities having started testing their mobile and offline payment solutions. Further, the second cohort of the RBI, dealing with cross-border payments and remittances, is currently in its testing phase, while the third cohort, on micro, small and medium enterprise lending, is in the application stage. Additionally, the theme of the fourth cohort has been recently announced by the RBI and is aimed at prevention and mitigation of financial fraud.

The Indian government has recently developed a regulatory framework for establishing international financial services centres (IFSCs) in India within the jurisdiction of a single regulator (i.e., the International Financial Services Centres Authority (IFSCA)), to bring India in line with global financial hubs and to attract overseas investors. IFSCs have been envisioned as special economic zones and financial centres located within India. The Gujarat International Finance Tec-City is the first and only IFSC currently operational in India. The IFSCA has, inter alia, recently notified regulations governing insurance and capital markets intermediaries, in line with its objective of offering seamless financial products services in India along with smoother conducting of cross-border business. The RBI has recently issued a framework that is applicable to non-bank payment system operators (PSOs) with respect to outsourcing of their payment and settlement-related activities. This new framework brings non-bank PSOs in line with banks and NBFCs that so far have been following similar outsourcing norms, and underpins the growing importance of non-bank PSOs in the payment ecosystem in India.

In the backdrop of increasing business conduct in the digital lending phase and to address customer protection concerns arising out of the surge in digital lending activities, the RBI published its working group report, wherein the focus has been on taking a holistic approach to the regulation of digital lending and enhancing customer protection. The key recommendations include prohibiting regulated entities from entering into arrangements involving synthetic structures, such as first loss default guarantees with unregulated entities, and treating new digital lending products such as buy now, pay later as part of lending if not in the nature of operational credit by merchants.

NBFCs in India have traditionally been subject to less rigorous regulations as compared to banks. However, in the backdrop of NBFCs' increased contribution and interconnectedness as a supplementary channel of credit intermediation, the RBI has proposed a reorientation of the regulatory framework for NBFCs with a new scale-based regulatory approach linked to their systemic risk contribution in the financial sector. Consequently, the RBI has introduced a new regulatory framework for NBFCs that classify them into four levels based on their size, activity and perceived risk.

Fintech entities in India have recently been subject to judicial scrutiny under writ and public interest litigation on issues such as violation of authorisation requirements, data localisation and data misuse. The petitions broadly seek judicial intervention to prohibit operations of fintech entities in India without a local presence and to direct regulators to develop a more comprehensive and stricter legal framework for technology and e-commerce companies operating in the financial sector in India.

Outlook and conclusions

Fintech innovation in India is now expanding beyond payments to cover other financial services, including banking, lending, insurance, broking and investment advisory. The growing strength of this sector is evident from the evolving collaborative relationship between traditional financial institutions and fintech entities, where the former is increasingly adopting technology-enabled products and delivery channels to expand market reach, gain operational efficiencies, strengthen data analytics and improve customer experience. The covid-19 pandemic accelerated trends that were already occurring in the sector, including increased fintech adoption among various stakeholders, such as consumers, small and medium businesses, government bodies, banks and other financial institutions, including first-time user cohorts that were previously resistant to fintech. In fact, there is a continuing optimism for the fintech sector in India, with an increased number of digital transactions (by volume), while it also becomes a forerunner in the country's financial inclusion campaign, resulting in fintech adoption rates surging far ahead of the global average.

In addition to the goal of a 'less-cash' economy, there is now an increased market and regulatory focus on other aspects such as business-to-business product offerings, contactless payments, offline transaction capabilities, interoperability in payment systems and development of cross-border digital payments infrastructure. Given India's large underbanked demographic with unmet financial needs, and recent changes in consumer behaviour towards e-commerce, online streaming, telemedicine and distance learning, the fintech sector presents further growth opportunities in India.


1 Avimukt Dar is a senior partner, Namita Viswanath and Shreya Suri are partners, and Shantanu Mukul, Aditya G, Nikhil Vijayanambi and Abhijit Chakrabarti are associates, at IndusLaw.

The Law Reviews content