Fintech Regulation in India, A Practitioner's Guide

India is one of the largest, fastest-growing and most innovative fintech markets in the world, and one of the most carefully regulated. Operating here requires fluency with three regulators, dozens of master directions, and a steady stream of new circulars.

The regulatory landscape

Fintech regulation in India is not consolidated in a single statute. It is distributed across three principal regulators, each with its own authorising legislation:

• The Reserve Bank of India (RBI) regulates banking, payments, lending, non-banking financial companies, foreign exchange, prepaid payment instruments and most consumer-facing fintech activity. The relevant authorising statutes include the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the Payment and Settlement Systems Act, 2007 and the Foreign Exchange Management Act, 1999.
• The Securities and Exchange Board of India (SEBI) regulates capital markets, investment advisory, broking, alternative investment funds, portfolio management, mutual fund distribution, and increasingly, investment-tech and wealth-tech platforms.
• The International Financial Services Centres Authority (IFSCA) is the unified financial regulator for the GIFT International Financial Services Centre at Gandhinagar. IFSCA has its own framework for fintech entities operating from the IFSC, designed to position GIFT-IFSC as an offshore-onshore financial hub.

The Ministry of Electronics and Information Technology and the Ministry of Finance also play roles for specific activities, particularly in the context of intermediary liability, digital identity (Aadhaar), and tax treatment of virtual digital assets.

Digital lending

Lending in India is a regulated activity. It can be carried on only by Regulated Entities, principally banks, NBFCs (including Housing Finance Companies), co-operative banks and All-India Financial Institutions. A digital-first lender wishing to lend off its own balance sheet must hold an NBFC certificate of registration from the RBI.

The current framework for digital lending is the RBI (Digital Lending) Directions, 2025, issued on 8 May 2025. The 2025 Directions consolidated and repealed the earlier Guidelines on Digital Lending of September 2022 and the Guidelines on Default Loss Guarantee in Digital Lending of June 2023, along with associated FAQs and outsourcing instructions. Most provisions took effect immediately on 8 May 2025; the DLA reporting framework took effect on 15 June 2025 and the multi-lender LSP arrangement provisions took effect on 1 November 2025. The principal requirements include:

• All loan disbursals and repayments must flow directly between the bank account of the borrower and the bank account of the Regulated Entity. No pass-through pool accounts of Lending Service Providers (LSPs) are permitted.
• A digitally signed Key Fact Statement must be provided to the borrower in a standardised format before loan execution, capturing the Annual Percentage Rate inclusive of all charges.
• A cooling-off period of at least one day applies to every digital loan regardless of tenor, during which the borrower may exit penalty-free (subject to a disclosed one-time processing fee).
• Borrower personal data must be stored on servers in India. Where data is processed outside India, it must be deleted from foreign servers and returned to India within twenty-four hours.
• The Regulated Entity must report every Digital Lending App it deploys or joins, including those operated by its LSPs, on the RBI's Centralised Information Management System (CIMS) portal, certified by the Chief Compliance Officer.
• Where an LSP partners with multiple Regulated Entities, the LSP must present loan offers impartially and disclose the universe of available lenders to the borrower.
• Credit-limit increases require an affirmative borrower request, not mere prior consent. Automatic limit enhancements are prohibited.
• The Regulated Entity remains primarily liable for the conduct of its LSPs and for compliance with the Directions.

Payments and aggregators

Payment system operations in India are licensed under the Payment and Settlement Systems Act, 2007. On 15 September 2025, the RBI issued the RBI (Regulation of Payment Aggregators) Directions, 2025, which consolidated and superseded the 2020 and 2021 PA guidelines and the 2023 directions on Cross-Border Payment Aggregators. The 2025 Master Direction classifies Payment Aggregators into three categories:

• PA-Online (PA-O), aggregating online e-commerce payments.
• PA-Physical (PA-P), aggregating offline / point-of-sale acceptance.
• PA-Cross-Border (PA-CB), aggregating cross-border e-commerce inflows and outflows.

A Payment Aggregator facilitates merchants in accepting payments from customers and handles funds, requiring authorisation from the RBI. A Payment Gateway provides only technology infrastructure to route and authenticate payments without handling funds, and does not require an RBI licence (though it is subject to certain compliance obligations).

A non-bank entity seeking authorisation as a PA must have a minimum net worth of INR 15 crore at the time of submitting the application, and must attain a minimum net worth of INR 25 crore by the end of the third financial year from grant of authorisation. This INR 25 crore threshold must be maintained on an ongoing basis thereafter. PAs must maintain customer funds in an escrow account with a scheduled commercial bank, and meet detailed governance, KYC, merchant due-diligence, escrow operations and grievance-redressal standards. For PA-CB, the maximum value per inward or outward transaction is INR 25 lakh.

Banks operating as PAs do not require separate authorisation from the RBI. Existing PAs are required to migrate to the new framework on a phased basis, with PA-P authorisation applications due by 31 December 2025.

Prepaid Payment Instruments

Prepaid Payment Instruments (PPIs), closed wallets, semi-closed wallets and open-system wallets, are governed by the RBI's Master Directions on Prepaid Payment Instruments dated 27 August 2021, as amended from time to time. PPIs are categorised by KYC level. Full-KYC PPIs are permitted higher limits (up to INR 2 lakh balance) and broader use cases, including peer-to-peer transfers, ATM withdrawals via co-branded cards and mandatory interoperability with UPI and card networks. Small PPIs (with minimum KYC) are limited to merchant payments and subject to loading caps.

Two notable RBI developments in the PPI-UPI space have changed the operating landscape:

• Pre-sanctioned credit lines on UPI (September 2023). The RBI permitted scheduled commercial banks to make pre-sanctioned credit lines available for transactions through UPI, with prior individual customer consent. The terms of the credit line are set by the bank's board-approved policy.
• UPI access for PPIs through third-party apps (December 2024). The RBI enabled full-KYC PPI holders to make and receive UPI payments through third-party UPI applications, breaking the earlier limitation that confined PPI-based UPI use to the wallet issuer's own application.

The RBI has also taken supervisory action against several PPI issuers in recent years for KYC and onboarding lapses, reflecting heightened regulatory expectations around customer due diligence in this segment.

The Account Aggregator framework

The Account Aggregator (AA) framework is the RBI's consent-based financial-data-sharing architecture. AAs are NBFCs licensed by the RBI under the NBFC-AA category. The framework has three roles:

• Financial Information Providers (FIPs), entities that hold a customer's financial data (banks, NBFCs, insurers, asset management companies, pension funds).
• Financial Information Users (FIUs), entities that wish to use that data with the customer's consent (typically lenders, wealth managers, insurance underwriters).
• Account Aggregators, the consent-managing intermediary between the two.

The AA model has now been extended to GST data (through the GST Suvidha Providers' integration) and to digital health records. It is widely cited as the architectural template that informed the Consent Manager construct under the DPDP Act.

NBFC licensing

A fintech wishing to lend, invest, factor, or otherwise carry on the business of a financial institution must register with the RBI as a Non-Banking Financial Company (NBFC). The Scale-Based Regulation framework, in force since October 2022, classifies NBFCs into four layers (Base, Middle, Upper and Top) based on size, activity and risk profile. The principal NBFC categories relevant to fintech are:

• NBFC-Investment and Credit Company (NBFC-ICC), the default lending NBFC.
• NBFC-Account Aggregator (NBFC-AA), for the AA business.
• NBFC-Peer-to-Peer Lending Platform (NBFC-P2P), for P2P lending marketplaces.
• NBFC-Microfinance Institution (NBFC-MFI), for microfinance lending.

NBFC licensing involves a minimum Net Owned Fund (NOF) requirement, promoter and director fit-and-proper criteria, a viable business plan, and adequate IT, risk-management and compliance infrastructure. New NBFC registrations after October 2022 require INR 10 crore NOF ab initio for most categories. Existing NBFCs are subject to a glide path: INR 5 crore by 31 March 2025 and INR 10 crore by 31 March 2027. NBFC-MFI and NBFCs in the North-Eastern region have lower thresholds. The licensing process is rigorous and applications routinely take many months.

FLDG and co-lending

First Loss Default Guarantee (FLDG) arrangements were a grey-area structure for years before the RBI clarified the position in its Guidelines on Default Loss Guarantee in Digital Lending of June 2023. Those guidelines have since been consolidated into the RBI (Digital Lending) Directions, 2025, with the framework substantially preserved. The 2025 Directions permit an LSP (or another Regulated Entity acting as an LSP) to provide a Default Loss Guarantee, subject to conditions:

• The aggregate DLG cover is capped at 5% of the loan portfolio against which it is provided.
• The DLG must be backed by cash, lien-marked fixed deposit or bank guarantee. Corporate guarantees are not eligible.
• The Regulated Entity remains responsible for credit appraisal of each loan and for ongoing portfolio monitoring.
• NPA recognition continues borrower-by-borrower; the DLG cannot be netted off against bad loans.
• DLG arrangements are prohibited for revolving credit facilities offered through digital lending, for loans backed by credit guarantee schemes, and for loans extended through NBFC-P2P platforms.
• The DLG provider must be incorporated under the Companies Act, 2013, and the Regulated Entity must have a Board-approved policy governing DLG arrangements.

Co-lending arrangements between banks and NBFCs, under the RBI's revised co-lending framework, allow risk and reward sharing on jointly originated loans subject to defined parameters on NPA recognition, KYC responsibility, and customer protection.

Virtual digital assets

Cryptocurrency in India occupies an unusual space, neither banned nor blessed. Several threads of regulation now apply:

• Tax, The Finance Act, 2022 introduced Section 115BBH of the Income-tax Act, taxing income from transfer of virtual digital assets at a flat 30%, with no deduction other than cost of acquisition and no set-off of losses. Section 194S imposes 1% TDS on transfer of VDAs.
• Anti-money-laundering, Virtual Asset Service Providers (VASPs) operating in India are notified Reporting Entities under the Prevention of Money Laundering Act, 2002. They must register with the Financial Intelligence Unit-India and comply with KYC, transaction monitoring and suspicious-transaction reporting obligations.
• Advertising, The Advertising Standards Council of India guidelines on VDA advertising require prominent risk disclaimers.
• Banking-channel access, Following the Supreme Court's 2020 judgment striking down the RBI's 2018 banking-channel ban, banks may lawfully service VASPs, but many remain cautious in practice.

A comprehensive cryptocurrency statute remains under consideration but has not yet been enacted.

GIFT-IFSC and IFSCA

The International Financial Services Centres Authority is the unified regulator for the GIFT IFSC at Gandhinagar, Gujarat. IFSCA has issued progressive frameworks for fintech entities operating from the IFSC, including:

• The IFSCA (Fund Management) Regulations, 2022 for offshore fund managers.
• The IFSCA Fintech Entity Framework, which provides regulatory recognition and authorisation pathways for fintech start-ups and innovation hubs.
• The Banking Unit, Insurance and Capital Markets frameworks permitting offshore-onshore activity from the IFSC.

For fintech businesses targeting cross-border activity, GIFT-IFSC is an increasingly attractive route, offering a single-window regulator, tax incentives and a lighter regulatory perimeter than mainland India for certain activities.

Cross-border remittance

Cross-border payments in India are regulated under the Foreign Exchange Management Act, 1999 and the RBI's Liberalised Remittance Scheme. Key features of the current framework:

• The Payment Aggregator-Cross Border (PA-CB) regime, originally set out in the RBI's October 2023 directions and now consolidated into the RBI (Regulation of Payment Aggregators) Directions, 2025. PA-CB authorisation covers entities aggregating cross-border e-commerce payment flows, with a per-transaction cap of INR 25 lakh and segregated escrow accounts for inward and outward flows.
• The integration of UPI with international payment systems through NPCI International Payments Limited (NIPL), notably Singapore's PayNow (operational since February 2023, expanded in July 2025 to nineteen Indian banks), the UAE's Aani, and France through a partnership with Lyra Group. Bilateral merchant acceptance arrangements have also gone live in Nepal (Fonepay), Sri Lanka (LankaPay), Qatar, Mauritius and other markets. India is also a participant in BIS Project Nexus.
• The Master Direction, Foreign Investment in India, 2025, which clarifies that foreign investment may be made into an entity regulated by a financial sector regulator specifically to meet that regulator's minimum NOF requirement, removing an earlier bottleneck for NBFCs taking foreign capital for NOF compliance.
• The interplay between the LRS annual limit, the Tax Collection at Source obligations on certain outward remittances under Section 206C(1G) of the Income-tax Act, and reporting under the relevant FEMA Master Directions.