Regulatory Framework for Fintech Companies

March 16, 2022

FinTech is a colloquial term that refers to technology-driven start-ups that are challenging traditional
banking techniques and established financial players. Despite the absence of a universally accepted
definition, the Financial Stability Board of the Bureau of Indian Standards (BIS) defined FinTech as
“technologically enabled financial innovation that could result in new business models, applications,
processes, or products with an associated material effect on financial markets and institutions and the
provision of financial services.” [1] In other words, Fintech can be seen as a marriage between new and
innovative technology and financial companies for the purpose of developing, augmenting, and
automating the delivery and use of financial services.

Initially, Fintech was considered as the computer technology that was used only in back-end systems of
financial institutions, trading firms, and banks. Currently, Fintech is primarily connected with
providing more solution-oriented services to consumers, such as chatbots and artificial intelligence
interfaces to assist clients with basic tasks, monitoring, minimizing fraud, and also maintaining low
operating and staffing expenses. Additionally, new technologies such as machine learning/artificial
intelligence, predictive behavioral analytics, and data-driven marketing are now being used to assist
consumers in making more informed financial decisions rather than depending on speculation.

FinTech has the potential to deliver large-scale benefits in terms of increased efficiency and cost
reduction, as well as to contribute to financial inclusion by altering how people view financial
services. FinTech innovation can be broadly classified into the following categories: (i) payment
clearing and settlement; (ii) deposit lending and capital raising; (iii) market provisioning; (iv)
investment management; and (v) data analytics and risk management. [2]

Fintech is a rising market in India, with the country being the new home to the third-largest
fintech-related ecosystem globally. [3] The country is considered one of the fastest-growing Fintech
markets in the world. At present, there are around 2100+ Fintech companies in the country, with over
67% of them being set up only in the past 5 years.[4] The market was valued at around $50-60 Bn in
the financial year 2020 and, at this rate, is expected to grow exponentially to an estimated
~$150 Bn by the year 2025. [5]

As technology advances, so does the burden of policing the products and services that Fintech
provides. Advancing technology also raises the number of financial crimes in the country, which
compounds the problem. This industry is mainly overseen by the Reserve Bank of India (RBI),
Securities Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India
(IRDAI), Ministry of Electronics and Information Technology (MEITY), and Ministry of Corporate
Affairs. These companies would be subject to regulation by the specific regulatory agency in
charge of that particular vertical’s products and services. However, RBI now regulates most
fintech enterprises that deal with account aggregation, peer-to-peer lending, cryptocurrencies,
payments, etc. [6]

In India, the FinTech regulatory landscape is very fragmented, and there is no unified set of
legislation or norms that regulate all FinTech products. Due to the absence of a consistent collection
of FinTech legislation, this landscape is challenging to navigate. Fragmented laws relating to Fintech
companies are as follows:

1. Payment and Settlement Systems Act, 2007
Indian payments are overseen under the Payments and Settlements Systems Act, 2007 (PSS Act).
According to the PSS Act, a “payment system” cannot be established or run without the prior
approval of the RBI. The PSS Act defines a “payment system” as “a system that allows payment to be
made from one person to another,” [7] but the definition excludes a stock exchange. [8] Payment
schemes include credit card operating systems, debit card operating systems, smart card operating
systems, money transfer operations, PPIs, and other types of payment. In order to commence or
operate a payment system, authorization issued by RBI is essential. [9]

Two regulations under this Act have been adopted by the Reserve Bank of India, namely:
– Board of Regulation and Supervision of Payment and Settlement Systems Regulations, 2008,
– Payment and Settlement Systems Regulations, 2008

2. Regulatory Sandbox
Live testing of new products and services in a controlled setting is referred to as Regulatory Sandbox
(RS). The RS allows field testing of novel financial innovations to acquire evidence of their risks and
benefits. On August 13, 2009, the Reserve Bank established an Enabling Framework for a Regulatory
Sandbox. [10]

It is solely available to financial institutions, start-ups, and FinTech enterprises. RS typically conducts
pre-launch testing of new products and services to discover any potential flaws.

The Regulatory Sandbox is designed to accomplish the following goals, according to the IRDA
statement made in 2019:
– A well-managed expansion of the insurance industry
– Promoting inventiveness
– The safeguarding of policyholders’ rights

3. Prepaid Payment Instruments Issuance and Operation Guideline
On October 11th, 2017, the RBI issued a Master Directive on the Issue and Operation of Prepaid
Payment Instruments (PPI Master Directions), which specifies the eligibility criteria for PPI issuers,
PPI appropriate debits, and PPI credits, as well as other operating guidelines to be followed by PPI
issuers when issuing prepaid payment instruments (PPIs) for Indian customers.[11]

4. Non-Banking Finance Companies (NBFCs)

The Reserve Bank of India Act of 1934 and a collection of master directions and circulars that govern
NBFC licensing and service in India are the primary regulatory instruments that apply to NBFCs.
Certain Fintechs are regulated by RBI by way of granting them NBFC licenses, or by indirectly
regulating them via banks and NBFCs associated with Fintech. As part of the RBI’s licensing process,
the organization must meet a series of requirements. There are a large number of NBFC-approved
digital lenders in India.

5. Guidelines Regulating P2P Lending Platforms
P2P Lending Platforms have emerged as one of the leading industries in the Fintech sector. Lender
liability requirements and aggregate borrowing limitations for the country’s P2P lending platforms are
prescribed in the Master Directions – NBFC – Peer to Peer Lending Platform (Reserve Bank)
Directions 2017, which primarily govern P2P lending platforms.[12]

6. Regulations for UPI Payments by the NPCI
The UPI Procedural Guidelines and the UPI Operational and Settlement Guidelines of the National
Payments Corporation of India (NPCI) mostly govern UPI transactions in India. Currently, only banks
can use the UPI network to provide money transfer services to their consumers, which is a limitation.
Under specific eligibility and prudential conditions established by the NPCI, banks can, nevertheless,
hire technology partners to develop and run mobile applications for UPI payment purposes.

7. Guidelines Governing Payment Aggregators/Intermediaries
Legal guidelines for the operation of payment intermediaries in India were laid forth in the 24
November 2009 circular on “Directions for opening and operating accounts and settling payments for
electronic payment transactions involving intermediaries” (Payment Intermediary Circular).[13]
According to the Circular for Payment Intermediary in India, payment intermediaries, such as
payment gateways, payment aggregators, etc., are expected to adhere to the operating guidelines.

8. RBI Guidelines on Payment Banks
Regulations issued by the Reserve Bank of India (RBI) in October 2016 and November 2014 govern
the licensing and operation of payment banks in the country. Rules for payment banking institutions
include, among other things, registration eligibility criteria, appropriate activities, and other
operational guidelines.

9. Regulations Preventing Money Laundering
The Prevention of Money Laundering Act 2002 (PMLA), the Prevention of Money Laundering Rules
2005, and the KYC Master Directions are the primary regulations that provide anti-money laundering
standards and operating guidelines for organizations that provide financial services in the country.
The above legislations impose obligations on banking companies, financial institutions, and
intermediaries to verify the identity of clients, maintain records and furnish information in a
prescribed form to the Financial Intelligence Unit – India (FIU-IND).

10. Data Privacy and Security

There has been a rise in the importance of consumer data privacy and data protection as FinTech
platforms acquire and store numerous sorts of user information, including personal financial and
behavioral data. Today, India does not have a solid data privacy system. However, there are two
primary laws controlling personal data security: the Information Technology Act of 2000 (IT Act) and
the Rules 2011 on IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information). Fintech companies are also obligated to obey the guidelines laid out in the IT Act.
Section 43A outlines the responsibility of corporate organizations to pay damages in the case of
negligence in maintaining reasonable security measures for the protection of their users’ sensitive
personal data.[14] Section 72A stipulates penalties for the disclosure of information in breach of a
lawful contract.[15]
Fintech companies rely on individuals’ personal data a lot. To prevent legal complications, it is vital to
meet the prescribed data security regulations.

11. Foreign Exchange Management Act, 1999
Additionally, developments in India’s FinTech area have resulted in the birth of various cross-border
payment products. Foreign currency transactions are regulated under the Foreign Exchange
Management Act, 1999, and the rules and regulations promulgated thereunder (“FEMA”). According
to the RBI’s guidelines issued under the FEMA, Authorised Dealer Category II Entities, i.e. money
changers, are permitted to issue foreign currency pre-paid cards in India to Indian persons in
conformity with the FEMA. Additionally, the PPI Master Directions allow for the issuance of PPIs for
cross-border transactions by qualifying organizations. Authorised Dealer Category I banks can issue
semi-closed and open-system PPIs for permissible current account transactions (including the
purchase of goods and services), provided that the PPIs are fully KYC compliant, the transactions
comply with the FEMA, and the transactions do not exceed INR 10,000 per transaction and INR
50,000 per month.
Additionally, permitted bank and non-bank PPI issuers (appointed as agents of an authorized overseas
principal) are permitted to receive inward remittances under the money transfer service scheme,
provided that the PPIs are fully KYC-compliant, reloadable, and issued in electronic form, and the
inward remittance does not exceed INR 50,000 per transaction.

12. Other general regulations
a) Consumer Protection Act, 2019: Fintech companies are service providers and therefore fall
within the purview of the Consumer Protection Act. “Disclosure of consumer’s
personal information given in confidence, unless required by law or in the public interest” is
considered an unfair trade practice as per Section 2(47)(ix) of the Act. This is on par with
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011, wherein a consumer’s personal information
cannot be disclosed without the individual’s prior consent unless required by law. Since
Fintech companies deal with sensitive personal data of their customers, they are required to
adhere to this regulation.
b) Companies Act, 2013: Like any company in India, even Fintech companies are required to
incorporate themselves under the Companies Act 2013 and adhere to the various rules and
regulations under the Act. Fintech companies such as Paytm, Bharatpe, etc. are incorporated
and registered under the Act.

c) Intellectual Property Rights: The emphasis on intellectual property protection pays off
when fintech startups seek investment or negotiate mergers. During the due diligence
process, prospective investors and buyers will carefully analyze the IP protection in place, as
these companies’ intellectual property assets are frequently their most valuable assets. Thus,
the intellectual property of a fintech company will have a significant impact on its market

i. The Copyright Act, 1957: Copyright is a critical tool for Fintech businesses to
safeguard their intellectual property, much more so when the proposed program
ensures high computing performance and utility. Copyright safeguards the program’s
source code, graphical user interface elements, audio and video instructions,
application programming interface (API), and related research and development
solutions. Companies in the Fintech sector should provide adequate protection for
programmers’ work, as they may mistakenly and without permission incorporate
third-party source codes into their work, jeopardizing the technology’s ownership and
the organization’s ability to operate.

ii. Trade Marks Act, 1999: The Act provides that every individual/owner/company
should have a trademark for the name/logo/brand. Fintech companies are strongly
advised to invest in their trademark’s reputation, as they ensure high-quality customer
service. A strong brand/name/logo enables fintech companies to differentiate their
product from their competitors’ products.

iii. The Patent Act, 1970: Any invention can be registered for acquiring a Patent. It is
essential for Fintech Companies to protect their technological innovations with a
Patent, not only to protect them from theft but also because a patented technology becomes a
valuable intangible asset for fintech companies during fundraising from investors.

Financial inclusion has been considerably aided by the deployment of modern technology to provide
financial services. However, ambiguous legislation, consumer mistrust, and a small customer base all
pose challenges for the Fintech sector, particularly in comparison to traditional financial institutions.
Regulation is necessitated by the emergence of innovation.
India is on the verge of a fintech revolution, aided by government policy initiatives and the growth of
the Indian Stack. The cutting-edge products are just the beginning. Numerous difficulties emerge from
a legal perspective. Thus, the appropriate balance must be struck between encouraging emerging
technology developments and the requirement to manage them appropriately.
Along with present legislation, potential legislation such as the “Personal Data Protection Bill” will
have a direct impact on the data-driven fintech industry. Data is a lifeline for FinTech start-ups.
Modern technologies require data in order to create new products and services. Current legislation’s
inconsistency has created a slew of operational challenges for fintech startups. Fintech firms that
provide a variety of services are also subject to a variety of restrictions and regulations from a variety
of regulators. Fintech businesses, along with other financial institutions, anticipate that the
government’s supportive stance will provide a level playing field for them. The expansion of fintech
companies will be facilitated by “Industry 4.0” and widespread financial inclusion.


[1] RBI, Report of the Working Group on FinTech and Digital Banking (Issued on November 2017),
[2] Id.
[3] India, Home of the 3rd Largest Fintech Ecosystem in the World, THE HANS INDIA (March 3, 2022),
[4] India-A global FinTech Superpower, INVEST INDIA (March 3, 2022),
[5] Id.

[6] Probir Roy Chowdhury & Vishnu Nair, India:FinTech Comparative Guide, MONDAQ (March 4, 2022),
[7] Payments and Settlements Systems Act 2007 § 2(I).
[8] Id.
[9] Payments and Settlements Systems Act 2007 § 4.
[10] Shashidhar K.J, Regulatory Sandboxes: Decoding India’s Attempt to Regulate Fintech Disruption, OBSERVER
[11] Master Directions on Prepaid Payment Instruments (PPIs), RESERVE BANK OF INDIA (March 4 2022),

[12] Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017, RESERVE BANK OF INDIA (March 4, 2022),
[13] Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, RESERVE BANK OF INDIA (March 4, 2022),

[14] Information Technology Act 2000 § 43A.
[15] Information Technology Act 2000 § 72A.

Author: Abhishek Gupta, Senior Associate.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at
