FINTECH IN INDIA: AN OVERVIEW OF THE CURRENT REGULATORY LANDSCAPE
I. Introduction
The financial technology (better known as ‘fintech’) landscape in India has been on an impressive growth trajectory over the past decade, spurred by a confluence of factors such as government initiatives championing digital payments, the rapid expansion and access to technology (including smartphone usage), and a surge in investment from both domestic and global backers. Recent forecasts suggest that the sector is set to maintain its momentum, and continue to grow at a compound annual growth rate of 30.55% (Thirty Point Five Five Percent), potentially reaching USD 550 billion by 2030.[1] India boasts a fintech adoption rate[2] of around 87% (Eighty Seven Percent) which is reportedly the highest worldwide, and is well clear of the global average which is estimated to be between 64% (Sixty Four Percent)[3] to 67% (Sixty Seven Percent)[4]. Coupled with the potential to leverage the world’s second highest digital population[5], fintech is poised for further growth and expansion in the coming years.
The dawn of Fintech can be traced back to innovations like ATMs and credit cards in the 1960s, electronic stock trading in the 1970s, and online banking in the 1990s. Today, the fintech ecosystem in India represents a convergence of multiple disciplines including, banking, software development, data analytics, regulatory technology, and user experience design. These innovations seek to address inefficiencies in the financial space, such as in domestic and cross-border payments, credit access, insurance distribution, wealth management, pension distribution and servicing, and so on.
India’s success in the fintech sector has been empowered by a robust digital public infrastructure and the increasing internet access and usage in India over the past decade. The Aadhaar biometric identification system alone has dramatically simplified customer onboarding for financial services, with over 1.3 billion enrolments[6]. India’s internet subscribers base has more than tripled in the past decade from 251.59 million subscribers in 2014 to 954.40 million subscribers in 2024.[7] Along with other agencies and initiatives such as the National Payments Corporation of India, Open Network for Digital Commerce, Open Credit Enablement Network and Ayushman Bharat Digital Mission, this has created a thriving ecosystem enabling businesses and startups to rapidly scale and serve diverse markets and customers across the country.
Investment in Indian Fintech
India’s fintech sector has benefitted from receiving significant financial backing from both domestic and foreign sources over the past decade with total investments from 2014 to 2023 amounting to approximately USD 30.9 billion across 3,257 funding rounds. It specifically peaked in the year 2021, during which it attracted approximately USD 8.3 billion in total funding.[8]
Foreign Direct Investment (“FDI”) especially has played a crucial role in the fintech growth story in India. Between 2016 and 2023, India's fintech sector has attracted approximately USD 25-30 billion in cumulative FDI, making India one of the most attractive investment destinations in the financial technology space globally.[9] Despite the global funding slowdown that began around late 2022, India's fintech sector managed to attract approximately USD 3 billion in foreign investments in 2023, underscoring sustained investor confidence and interest.[10] Notable foreign investors invested in fintech businesses having operations in India include Sequoia Capital (now Peak XV Partners), Tiger Global, Y Combinator, SoftBank, Ribbit Capital, Accel and many more.[11]
Payment companies and digital lending platforms have been the largest recipients of funding, accounting for nearly 55% (Fifty Five Percent) of all investments into fintech.[12] While payment companies traditionally dominated funding, attracting over USD 2.9 billion (~36% of total investments into fintech) in 2021, lending emerged as the preferred sector in 2022 with over USD 2.1 billion (~38.5% of total investments)[13] and accounted for more than USD 0.35 billion at the end of the first half of 2024 (~61.7% of total investments)[14]. Wealthtech and Insurtech businesses had also received approximately 4.86% (Four Point Eight Six Percent) and 1.9% (One Point Nine Percent) respectively at the end of the first half of 2024. Investments have also been received by businesses engaged in neo banking, blockchain enabled cryptocurrencies, digital assets businesses, and various other specialized segments.
This article aims to provide an overview of the regulatory landscape for fintech businesses in India, across three broad parts (1) an overview of the key regulators that oversee different segments of the fintech space in India ; (2) an analysis of the major fintech business models and the legal frameworks applicable; and (3) an outline on the major sector agnostic and cross-sectoral regulations such as outsourcing, know your customer (“KYC”) guidelines, consumer protection and data privacy governance that apply across the fintech ecosystem.
II. Key Regulators of Fintech Business in India
The fintech space in India is regulated by multiple authorities, and several areas of fintech involve an oversight of multiple regulators, creating a complex compliance landscape. This complex landscape often necessitates a comprehensive regulatory strategy that addresses requirements across multiple authorities based on the specific product offerings and business model. The principal regulators of fintech in India are:
Reserve Bank of India (“RBI”): The primary regulator for banking, digital payments, lending, and non-banking financial companies (“NBFC”). It regulates fintech companies involved in payments, lending, peer-to-peer lending platforms, digital wallets etc.
Securities and Exchange Board of India (“SEBI”): Regulates fintech companies dealing with financial instruments/securities, investment platforms, wealth management platforms, online mutual funds distributions, online bond platforms etc.
Insurance Regulatory and Development Authority of India (“IRDAI”): Regulates fintech startups in the insurance space, including digital insurance platforms, web- policy aggregators, and online insurance brokers.
Pension Fund Regulatory and Development Authority (“PFRDA”): Regulates the National Pension System and oversees fintech platforms that offer retirement and pension-related services.
Financial Intelligence Unit (FIU-IND): Monitors anti-money laundering compliance for fintech entities including virtual digital assets.
Apart from the above-mentioned key regulators, the National Payments Corporation of India (“NPCI”) operates and manages payments infrastructure in India, including Unified Payment Interface (“UPI”), Immediate Payment Service (IMPS), RuPay card network, Bharat Bill Payment System (BBPS), National Automated Clearing House (“NACH”), and other retail payment infrastructure.
In addition to the above, fintech entities are also required to comply with other generally applicable laws and authorities such as data security (Ministry of Electronics and Information Technology (MeitY), taxation laws (Central Board of Direct Taxes/Central Board of Indirect Taxes and Customs), anti-trust laws (Competition Commission of India), data protection and privacy (the to-be established Data Protection Board of India under the Digital Personal Data Protection Act, 2023), and foreign investment laws (RBI and the Department for Promotion of Industry and Internal Trade).
III. Major Fintech Business Models in India and Their Regulatory Framework
India’s fintech ecosystem is marked by diverse business models spanning payments, credit, wealth management, insurance, digital assets, intermediary/broking/advisory services, cryptocurrencies and more. Each of these models are subject to different regulatory regimes depending on the nature of the activity and the financial product or service involved. In this section, we look to provide an overview of the key fintech verticals and the corresponding regulatory frameworks applicable to them.
A. Payment Systems
Payment systems form the backbone of India’s digital financial ecosystem, facilitating the transfer of funds between individuals, businesses, and institutions. The regulatory framework governing payment systems in India is primarily administered by the RBI under the Payment and Settlement Systems Act, 2007 (“PSA”) and its allied rules, regulations, and guidelines. The key categories of payment systems beyond the traditional payment systems include:
Payment Aggregators and Payment Gateways
Payment Aggregators (“PA”)
Payment Aggregators are entities that provide payment solutions to merchants enabling them to accept various digital payment instruments. Importantly, PAs handle the actual flow of funds and settle transactions on behalf of the merchants. All non-bank entities operating as a PA are required to obtain specific authorization from the RBI to operate as such, as per the Guidelines on Regulation of Payment Aggregators and Payment Gateways[15][16] (“PA/PG Guidelines”).
The regulatory framework mandates non-bank entities to have certain minimum net worth requirements at the time of application, and an increased requirement to be met within three years. PAs must undertake due diligence while onboarding merchants, maintain a designated escrow account (for non-bank entities) for handling customer funds, and ensure timely settlement with merchants without any commingling of funds. They are also required to implement a robust grievance redressal mechanism, comply with stringent information technology and cybersecurity norms (including local data storage requirements), and submit periodic reports to the RBI. Importantly, PAs are prohibited from offering credit facilities or using customer funds for any purpose other than settlement.
On April 16, 2024, the RBI issued draft directions[17] to regulate offline PAs, specifically those facilitating face-to-face or proximity payments at physical points of sale which include PoS (as defined below) systems. The key amendments proposed include extending the applicability of PA guidelines to offline payment aggregators, establishing minimum net worth requirements for offline PAs, and introducing merchant onboarding standards for offline transactions. These draft directions aim to bring offline PAs under the regulatory framework previously applicable only to online PAs, ensuring a uniform standard across both online and offline payment aggregation activities. The RBI also published certain draft amendments to existing regulations for PAs. These draft guidelines are yet to be finalised or notified.
Payment Gateways (“PG”)
Payment Gateways[18] are technology service providers that offer back-end infrastructure for processing online payments. Unlike PAs, PGs do not handle funds directly. Their role is limited to the secure routing and encryption of payment information, ensuring transaction flow between the customer, the merchant, and the relevant financial institutions. While not directly regulated, PGs must adhere to certain data security and information technology governance standards and often operate in conjunction with licensed entities.
Prominent PGs in India include Razorpay, PayU, Cashfree Payments, CCAvenue, Instamojo, BillDesk, PhonePe, etc. Some of these PGs also operate as PAs.
b. Point of Sale (“PoS”) Systems
PoS systems facilitate in-store digital payments by enabling acceptance of card-based or QR-code-based payments at physical retail locations. These systems are often deployed by banks or PAs and must comply with guidelines around device certification, data security, and merchant onboarding. Over the years, PoS systems have evolved from traditional card-swiping machines to sophisticated devices supporting contactless payments, UPI QR codes, and biometric authentication.
c. Unified Payments Interface (“UPI”)
UPI is a real-time payment system developed by the NPCI that enables instant peer-to-peer and peer-to-merchant fund transfers using mobile devices, underpinned by an interoperable infrastructure regulated by the RBI.
UPI operates under a dual-layered regulatory structure, the RBI through the PSA provides overarching regulatory oversight, while NPCI manages the operational aspects, ensuring that UPI functions as a secure and efficient real-time payment system in India. Within the UPI ecosystem, several intermediaries play key roles, for example: Third-Party Application Providers (“TPAPs”) and Technology Service Providers (“TSPs”). TPAPs are fintech apps or platforms that offer the UPI interface to customers like Google Pay and PhonePe. TSPs are entities that support the backend connectivity between banks and TPAPs, ensuring reliable transaction processing, like JusPay, Setu, etc. Both TPAPs and TSPs must adhere to NPCI’s certification and compliance requirements, even though they may not be directly licensed by the RBI. Additionally, to foster an open and competitive ecosystem, the NPCI has implemented volume caps to ensure market concentration does not exceed 30% (Thirty Percent) for any single TPAP, which are required to be complied with latest by December 31, 2026.
In addition to domestic payment innovations, India has been actively expanding its UPI for cross-border transactions. These arrangements are governed under the Foreign Exchange Management Act, 1999 and its allied rules, regulations and guidelines (“FEMA”) and relevant RBI directions on cross-border remittances. Such linkages, like those with Singapore (PayNow), UAE, Bhutan, and Nepal, enable real-time, low-cost person-to-person and merchant payments while ensuring compliance with FEMA, KYC, and anti-money laundering (“AML”) requirements.
Separately, the NACH operated by the NPCI and regulated by the RBI under the PSA facilitates high-volume, recurring interbank transactions such as salary disbursements, government subsidies, EMIs, and utility payments. With its centralized clearing capability and uniform operating rules, NACH plays a key role in processing bulk transactions and furthering financial inclusion.
d. Prepaid Payment Instruments (“PPIs”)
PPIs are instruments that facilitate the purchase of goods and services, including financial services, remittance facilities, and fund transfers, against the value stored in them. PPIs in India are regulated by the RBI under the Master Directions on Prepaid Payment Instruments[19] (“MD-PPI”).
PPIs as per the MD PPI can be classified into the following categories:
(i) Full KYC PPIs: Issued post full KYC compliance of the PPI holder, these can hold up to INR 2,00,000 (Indian Rupees Two Lakhs), are reloadable, and can be used for purchases, funds transfers, and in some cases, cash withdrawals. Platforms like HDFC PayZapp, ICICI Pockets, Amazon Pay, and PhonePe are certain examples of the same.
(ii) Small PPIs: Issued after collecting minimum customer details, these are capped at INR 10,000 (Indian Rupees Ten Thousand) in outstanding value and monthly load limit and amount to be loaded during the financial year shall not exceed INR 1,20,000 (Indian Rupees One Lakh Twenty Thousand). They can only be used for purchases at identified merchant locations and must be converted into full-KYC PPIs within 24 (Twenty-Four) months of issuance. Small PPIs, such as branded gift cards and employer-issued meal cards, are issued with minimal KYC and have restricted usage and lower transaction limits.
(iii) Closed System PPIs: These can be used only for purchases from the issuing entity and are not permitted for third-party transactions or cash withdrawal. Since they are not classified as payment systems under the PSA, they are outside the direct regulatory purview of the RBI. Common examples include store value cards, gift cards restricted to a single merchant.
Among the above, Full KYC PPI and Small PPIs require the prior approval/authorisation from the RBI.
The MD-PPI also permits co-branding arrangements between PPI issuers and partners, subject to strict conditions. While the co-branding partner may facilitate customer acquisition or branding, the licensed PPI issuer remains fully responsible for regulatory compliance, including KYC, AML obligations, and customer grievance redressal. The co-branding partner's role is limited to marketing and distribution, with all financial aspects managed by the authorized PPI issuer. Co-branded prepaid cards, are generally issued in partnerships and offer targeted benefits like cashback, discounts, and expense tracking, such as ICICI Bank-Amazon Pay Card, Axis Bank-Flipkart Card, etc.
On May 20, 2025, the regulatory framework governing payment systems in India underwent a significant overhaul with the replacement of the Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008 by the Payments Regulatory Board Regulations, 2025[20]. This shift marks a strategic move towards strengthening oversight of the digital payments ecosystem. By institutionalising the Payments Regulatory Board (replacing the erstwhile Board for Regulation and Supervision of Payment and Settlement System) with assistance from the Department of Payment and Settlement Systems and by inviting persons with experience in the fields of payment and settlement systems, information technology, law, etc, the regulatory aim is to modernize the payments oversight structure, widen representation, and ensure a more agile and inclusive regulatory environment which is equipped to respond to rapid technological advancements in the financial sector.
B. Lending
Lending has emerged as one of the most dynamic verticals within India’s fintech ecosystem, offering fast, accessible, and data-driven credit products through web and mobile interfaces. These platforms leverage technology for credit assessment, onboarding, disbursal, and recovery, often targeting underserved or thin-file borrowers outside the traditional banking system. The RBI has progressively increased regulatory oversight over this space, especially in response to concerns around consumer protection, transparency, and regulatory arbitrage.
a. NBFC-Digital Lending Platforms (Direct Lenders): These platforms are licensed as Non-Banking Financial Companies (“NBFC”) by the RBI and conduct lending operations on their own balance sheet. They undertake credit risk, determine lending terms, and handle the full loan lifecycle.
NBFCs are currently regulated by the Master Direction on Non-Banking Financial Company – Scale Based Regulation Directions, 2023 (“MD-NBFC”)[21], which consolidates and harmonizes the regulatory framework for NBFCs. This directive introduces a four-tiered classification—Base Layer, Middle Layer, Upper Layer, and Top Layer—based on size, activity, and risk profile. It replaces the earlier system of categorizing NBFCs as systemically and non-systemically important. The Directions outline specific prudential norms, governance standards, and disclosure requirements for each layer, with stricter regulations for higher layers to mitigate systemic risks. Additionally, the directive mandates prior RBI approval for significant changes in shareholding and management, enhancing oversight and promoting financial stability in the NBFC sector.
b. LSP Model and BNPL Platforms
(i) LSP Model: Currently, most digital lending fintech platforms act as Lending Service Providers (“LSP”), offering technology, onboarding, and intermediary services to regulated lenders (banks or NBFCs). While they are not directly regulated, the Reserve Bank of India (Digital Lending) Directions, 2025[22] impose specific compliance obligations even on unregulated LSPs that partner with regulated entities.
Some of the key obligations under the DLG is to ensure that (a) lending must be done in the name of the regulated entity; (b) all disbursals and repayments must flow directly between the borrower and the regulated lender’s bank account without any pass-through account/ pool account of any third party; (c) mandatory disclosures on annualized interest rates, fees, and grievance redressal mechanisms; (d) LSPs cannot access borrower funds or hold funds in their own accounts; (d) cap on the default loss guarantee arrangement, which restricts default loss guarantee cover beyond five per cent of the total loan amount disbursed out of a loan portfolio at any given time by a non-regulated entity including LSP.
(ii) BNPL Platforms: Buy Now Pay Later (“BNPL”) platforms offer short-term consumer credit at the point of sale and allows consumers to buy goods and services and pay for them in instalments over a certain period. Many operate under LSP models, partnering with NBFCs or banks for credit issuance. Some BNPL players have also sought NBFC licenses. While currently operating under existing regulatory frameworks, BNPL services may eventually receive specific regulatory attention as the segment grows.
Some popular examples of LSP models and BNPL platforms are ZestMoney, LazyPay (by PayU), KreditBee, Jify.
c. Peer-to-Peer (“P2P”) Lending Platforms
These platforms match individual lenders with borrowers without using their own balance sheet. They must register as NBFC-P2P with the RBI and act purely as intermediaries. Unlike LSP models which assist regulated entities in underwriting, credit scoring, disbursement, and recovery, P2P platforms act as marketplaces that connect individual lenders with individual borrowers directly, without using their own balance sheets for lending.
P2P platforms are regulated by RBI under the Master Direction - Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017[23] (“MD P2P”). Some of the salient features of MD P2P are as follows: (a) There is an overall cap of INR 50,00,000 (Indian Rupees Fifty Lakh) per lender across platforms which should be consistent with their net worth; (b) Exposure limit of INR 50,000 (Indian Rupees Fifty Thousand) per borrower across all P2P platforms; (c) Platforms must maintain escrow accounts (managed by a bank trustee) for fund transfers.
Some examples of P2P platforms prevalent in India are Faircent, RupeeCircle, IndiaP2P, i2iFunding.
d. Invoice Discounting
Another prevalent model in the digital credit ecosystem is invoice discounting, where businesses (mostly micro, small and medium enterprises) raise short-term working capital by selling their unpaid invoices to investors or financiers at a discount. While this model resembles lending in economic substance, it is structured as a sale of receivables rather than a formal loan. As of now, invoice discounting is not governed by a dedicated regulatory framework in India. Platforms facilitating such transactions typically operate under bespoke contractual arrangements, including assignment agreements, trust structures, and escrow mechanisms to manage cash flows and mitigate risk.
e. Account Aggregators
Account Aggregators (“AA”) are RBI regulated entities that enable secure and consent-based sharing of financial data between users and financial institutions. Operating under the Master Direction Non-Banking Financial Company Account Aggregator (Reserve Bank) Directions, 2016[24], AAs act as data intermediaries and do not store or process the data themselves. Their primary role is to facilitate the transfer of financial information such as bank statements, tax data, pension details, and mutual fund holdings from financial information providers like banks to financial information users such as lenders, insurers, or investment advisors, upon the explicit consent of the user. This framework, built on data empowerment and privacy-by-design principles, is overseen by the RBI and supported by other financial sector regulators (SEBI, IRDAI, PFRDA) under the larger Financial Data Management Centre architecture. It aims to streamline digital lending, wealth management, and personal finance advisory services while ensuring user control and data security.
Ancillary Laws: In addition to the primary regulatory frameworks governing payment systems and digital lending, entities operating in this space must also comply with a range of ancillary laws issued by the RBI that address operational, technological, and customer-related risks. These include the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks[25], which lay down principles for risk assessment, confidentiality, and contractual safeguards in outsourcing arrangements. The Master Direction on Outsourcing of Information Technology Services governs the engagement of third-party Information technology service providers and emphasizes data security, business continuity, and audit access. Further, compliance with the Master Direction – Know Your Customer (KYC) Directions, 2016[26] is mandatory to ensure customer identity verification, AML compliance, and ongoing monitoring of transactions. These ancillary regulations play a critical role in safeguarding the integrity, security, and resilience of the payment ecosystem, particularly in a technology-intensive and customer-facing domain such as fintech.
c. Digital Assets
India’s regulatory approach to digital assets remains cautious but evolving. While there is currently no comprehensive legislation that regulates or prohibits the use of digital assets, the government has introduced a partial regulatory framework primarily focused on taxation and financial monitoring, while signalling plans for a more structured law in the future.
a. Current Regulatory Treatment
(i) Tax Compliance: Tax Framework under the Income-tax Act: The Finance Act, 2022 introduced a legal definition of Virtual Digital Assets (“VDA”) and imposed a flat 30% (Thirty Percent) tax on income from the transfer of VDAs along with 1% (One Percent) TDS (Tax Deducted at Source) on transactions for transfer of such VDAs exceeding specified thresholds under Section 115BBH and Section 194S of the Income Tax Act, 1961 (“IT Act”)
Under the IT Act, VDAs include (i) any information or code or number or token (not being Indian currency or foreign currency), generated through cryptographic means or otherwise, providing a digital representation of value exchanged (e.g., cryptocurrencies like Bitcoin, Ethereum etc), (ii) Non-Fungible Tokens, and (iii) Other digital assets as determined by the central government.
(ii) Anti-money laundering compliance: In March 2023, entities dealing in VDAs were brought under the Prevention of Money Laundering Act, 2002 (“PMLA”). This requires VDA service providers (exchanges, custodians, wallet providers) to follow KYC norms, maintain transaction records, follow reporting requirements and adhere to other obligations which also includes registration with the Financial Intelligence Unit.
b. Regulatory Plan
A comprehensive crypto regulation bill Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 was listed for introduction in the Indian Parliament, but is yet to be tabled or passed as a legislation. Since then, no formal draft has been discussed or released publicly, and the government has indicated that any future legislation may depend on development of a global regulatory consensus.
D. Investment and Wealth Management
India’s fintech ecosystem has seen rapid growth in digital platforms offering investment advisory, broking, portfolio management, and mutual fund distribution services. These entities operate as intermediaries between investors and capital markets, providing execution, research, and advisory functions through both direct-to-consumer apps and white-labelled business to business offerings. With the recent breakthroughs in artificial intelligence (AI), companies such as LotusDew and Capitalmind have already started offering AI leveraged/ automated stock analysis and portfolio creation; new services such as robo-advisory are also on the horizon. All such activities are regulated by the SEBI with strict registration, conduct, and disclosure requirements aimed at protecting investors and ensuring market integrity.
a. Registered Investment Advisers (“RIA”)
Platforms or individuals offering personalized investment advice for consideration must register as registered investment advisors under the SEBI (Investment Advisers) Regulations, 2013[27] (“RIA Regulations”). Investment advisers are individuals or entities that provide investment advice for a fee. The RIA Regulations govern registration, conduct, qualifications, and compliance requirements to ensure that investment advice is delivered in a fair, transparent, and client-centric manner.
Key requirements under the RIA Regulations include mandatory registration, strict segregation between advisory and distribution services at a group level, and prescribed qualifications and NISM certifications for individuals offering advice. RIAs must follow detailed client risk profiling and suitability assessments, adhere to fee caps and maintain transparent disclosures, especially around conflicts of interest. They are also required to keep comprehensive records for at least five years, appoint a compliance officer (in case of non-individuals), undergo regular audits, and offer grievance redressal through SEBI’s SCORES platform.
Some examples of digital RIA businesses in India are Kuvera, Scripbox, INDmoney.
b. Stockbrokers and Trading Platforms
Stockbrokers act as intermediaries between investors and the stock exchanges, facilitating transactions in listed securities, derivatives, and other market instruments. In India, they are regulated by the SEBI under the Securities and Exchange Board of India (Stock Brokers) Regulations, 1992[28], along with rules prescribed by the respective stock exchanges (e.g., National Stock Exchange, Bombay Stock Exchange).
While traditional stockbrokers typically operate through physical branches, relationship managers, and offline advisory services, digital stockbrokers rely on tech-enabled platforms to offer low-cost trading via mobile apps and web portals. Traditional brokers often cater to high-net-worth or institutional clients with personalized services, while digital brokers focus on scalability, ease of access, and low brokerage fees—appealing to a broad spectrum of retail and young and first-time investors. Despite the operational differences, both are regulated under the same SEBI framework and exchange norms, and must adhere to uniform compliance obligations around KYC, client fund segregation, disclosure, and cybersecurity. The regulatory emphasis remains consistent across both models: ensuring transparency, investor protection, and systemic stability.
Some examples of digital stockbrokers and trading platforms in India are Groww, Zerodha, Upstox.
c. Portfolio Managers
Portfolio Managers are entities that manage the investment portfolios of clients on a discretionary or non-discretionary basis, in line with the client’s objectives and risk profile. They are regulated by SEBI under the SEBI (Portfolio Managers) Regulations, 2020[29] (“PM Regulations”) that prescribes detailed eligibility, operational, and disclosure norms.
Key features of the PM Regulations include a minimum investment threshold of INR 50,00,000 (Indian Rupees Fifty Lakh) per client, a minimum net worth requirement of INR 5,00,00,000 (Indian Rupees Five Crore), mandatory registration with SEBI, and segregation of client assets through third-party custodians. Portfolio managers are required to provide quarterly performance and holding reports, disclose fee structures and conflicts of interest, and adhere to strict record-keeping and audit obligations. The regulations also distinguish between discretionary (where investment decisions are made by the manager) and non-discretionary (where the client directs decisions) services and impose robust fiduciary duties on the managers to act in the best interests of their clients.
d. Research Analysts (“RA”)
RAs are individuals or entities that prepare and publish investment research or provide recommendations concerning securities or public offers. They are regulated by the SEBI (Research Analysts) Regulations, 2014 (“RA Regulations”)[30], which aim to ensure transparency, independence, and integrity in securities research and to prevent conflicts of interest.
Under the RA Regulations, RA’s must register with SEBI before publishing or disseminating investment research or recommendations. They are required to meet prescribed qualification and certification standards (including NISM Series XV), maintain independence from business and investment banking functions, and disclose any conflicts of interest or financial interests in the securities they cover. RAs must adhere to a SEBI-mandated code of conduct, ensure fair and unbiased analysis, and are restricted from trading in covered securities within a specified time window. Further, they must maintain detailed records of their research, sources, and internal review procedures for a minimum of five years and, in the case of entities, appoint a compliance officer and undergo periodic audits.
Some examples of digital RAs in India are Stoxbox and Tijori Finance.
e. Mutual Fund Distributors
Mutual fund distributors play a crucial role in India’s investment ecosystem by facilitating the sale of mutual fund products to retail and institutional investors. Distribution may be carried out by individuals, banks, NBFCs, fintech platforms, or registered intermediaries.
Entities distributing mutual fund products either directly or through digital platforms shall be registered with the Association of Mutual Funds in India (“AMFI”), and are also required to pass the NISM V-A certification to receive an AMFI Registration Number (“ARN”). They are bound by AMFI’s Code of Conduct, requiring transparency in commissions, avoidance of mis-selling, and mandatory product suitability disclosures. All distributors must comply with grievance redressal norms and ensure clear and fair communication of investment risks and charges.
Some examples of mutual fund distribution in the fintech space include, Groww, Scripbox, Kuvera.
f. Execution Only Platforms and Online Bond Platforms
(i)Execution-Only Platforms (“EOP”) facilitate the buying and selling of mutual funds and other investment products without offering any investment advice or recommendations. These platforms operate under the SEBI framework. On June 13, 2023, SEBI introduced a regulatory framework for EOPs[31] facilitating transactions in direct plans of mutual fund schemes, classifying them into two categories: Category I EOPs, which act as agents of asset management companies and register with AMFI, and Category II EOPs, which act as agents of investors and must register as stockbrokers with SEBI. EOPs are restricted to direct plans and must not engage in distribution of regular plans. They may charge a flat fee payable by asset management companies (Category I) or investors (Category II)—subject to limits. The framework mandates strict investor-level segregation between advisory/distribution and execution services, prohibits scheme-specific advertising, and imposes KYC and cybersecurity compliance obligations. The goal is to ensure transparent, conflict-free, and technology-driven access to mutual fund investments for retail investors. Some examples of such platforms are Zerodha Coin and Kuvera.
(ii) Similarly, Online Bond Platforms (“OBP”) which facilitate the digital listing and execution of trades in listed debt securities, including non-convertible debentures and government bonds—are also regulated by SEBI. As per the SEBI circular dated November 14, 2022[32], all OBPs must register as stockbrokers (debt segment) and operate only through Online Bond Platform Providers (“OBPPs”) recognized by SEBI. These OBPPs must comply with requirements relating to investor risk disclosures, listing eligibility, transaction confirmation, and KYC norms. The regulatory framework is aimed at enhancing investor protection, improving transparency, and ensuring orderly development of digital fixed-income marketplaces. Some examples of such OBP are WintWealth and Grip invest.
g. Digital Gold
Digital gold refers to the online purchase, sale, and storage of gold through digital platforms, allowing users to invest in even fractional quantities of gold without taking physical delivery. It is typically offered by fintech platforms in partnership with entities such as MMTC-PAMP and Augmont which store the value of the equivalent physical gold in secure vaults. Currently, digital gold is not directly regulated by any financial sector regulator such as the RBI or SEBI. However, platforms offering digital gold are expected to comply with general consumer protection norms, and KYC requirements under the PMLA. SEBI has also recently warned and barred stockbrokers and RIAs from advising on or distributing digital gold, as it is not classified as a regulated financial product. The lack of formal regulation has prompted discussions around bringing digital gold under a unified regulatory framework, potentially overseen by SEBI or a dedicated commodities market authority in the future.
h. Insurance
Insurance sector has also seen a rapid growth in embracing technology. Insurtech refers to the use of technology and digital platforms to enhance the delivery, distribution, and servicing of insurance products. In India, the sector has seen significant growth through digital brokers, web aggregators, and embedded insurance offerings, with insurance companies now directly issuing e-insurance policies and undertaking digital sales of policies. These platforms are regulated primarily by IRDAI through a range of regulations depending on the business model—whether acting as brokers, agents, or web aggregators.
(i) Insurance Web Aggregators: Insurance Web Aggregators are digital platforms authorized to provide a comparative interface for insurance products offered by multiple insurers. Their role is limited to displaying standardized product information and connecting prospective customers with insurers. They do not underwrite policies or provide advice unless separately licensed. Web aggregators have become an integral part of India’s insurance ecosystem by enhancing transparency, competition, and customer access to a wide range of insurance offerings regulated under the IRDAI (Insurance Web Aggregators) Regulations, 2017 (“Web Aggregator Regulations”)[33].
Key features of the Web Aggregator Regulations include mandatory registration with IRDAI, a requirement to display product information in a neutral and unbiased format, and strict controls on lead sharing and solicitation. Web aggregators are prohibited from ranking or promoting products based on commissions and must follow a prescribed display architecture approved by the IRDAI. They can only solicit leads online and are not permitted to offer offline advisory services unless licensed under another category. Additionally, the regulations impose limits on remuneration, mandate quarterly reporting, and require the appointment of a principal officer and compliance personnel.
Some examples of insurance web aggregators are PolicyBazaar, Turtlemint, Quickinsure.
(ii) Corporate Agents: Corporate Agents are licensed by IRDAI under the IRDAI (Registration of Corporate Agents) Regulations, 2015 (“CA Regulations”)[34] to solicit and distribute insurance products on behalf of insurers. Corporate Agents that are institutional entities such as banks, NBFCs, fintech companies, or other corporate bodies typically operate as part of a larger business (e.g., a digital finance platform or a lending company) whose principal business is not related to insurance and serve as a distribution channel for insurance companies. Corporate agents play a key role in embedded insurance models, especially in lending, e-commerce, and consumer tech ecosystems.
Under the CA Regulations, corporate agents are permitted to tie up with a maximum of 9 (nine) insurers in each line of business, i.e., life, general and health. They must be registered with the IRDAI, appoint a Principal Officer, and fulfil minimum capital and net worth requirements. While corporate agents may distribute a range of products, they are restricted from providing comparative advice or advisory services unless separately licensed as brokers or investment advisers. This framework aims to promote reach and accessibility, while ensuring accountability and policyholder protection.
Some examples of Corporate Agents are PayTM, Scripbox and PhonePe.
i. Pension
In India, the pension sector is regulated by the PFRDA, which governs the National Pension System (“NPS”) and other pension schemes. To facilitate the distribution and servicing of NPS to the public, PFRDA authorizes entities known as Points of Presence (“POP”). These entities act as the first point of contact for individuals seeking to open, manage, or contribute to NPS accounts.
POPs include banks, NBFCs, insurance companies, mutual fund platforms, and fintech players. The POP framework plays a critical role in ensuring standardized service delivery, accountability and expanding NPS accessibility across India. POPs can operate (i) directly through their own branches or digital platforms, and (ii) through POP Sub-Entities (POP-SEs), which include entities such as fintechs, distributors, or wealth managers that act under the oversight of a registered POP to provide NPS related services.
Under the PFRDA (Point of Presence) Regulations, 2018[35], entities seeking to act as POPs must register with PFRDA, meet prescribed net worth and fit-and-proper criteria, and be authorized to facilitate NPS account opening, contribution processing, KYC compliance, and subscriber servicing. POPs must also adhere to transparent fee structures, maintain robust grievance redressal mechanisms, and ensure compliance with reporting, audit, and information technology system requirements prescribed by PFRDA.
Example of POP entities are CAMS and Zerodha.
E, Neo-Banks
Neobanks are digital-only financial service platforms that offer banking-like experiences through mobile apps or web interfaces—without operating as licensed banks themselves. They typically provide services such as digital savings accounts, payments, personal finance management, and small-ticket credit products.
Currently, there is no specific license or regulatory classification for neobanks under Indian law and the RBI has not yet formally recognized standalone digital banks. As a result, neobanks tend to operate in a partner-led model, where banking services (e.g., account issuance, UPI access, cards), lending products, and payment services are provided in partnership with regulated and licensed entities. regulated
While the RBI has acknowledged the innovation that neobanks bring to digital financial inclusion, it has maintained a cautious stance, preferring a model where full regulatory accountability remains with the regulated or licensed entities. There has been no formal indication of a licensing framework for full-fledged digital banks in India, although discussions around fintech licensing models, risk-sharing arrangements, and operational accountability continue to evolve.
IV. Other Key Laws and Regulations Critical in Fintech Business in India Today
In addition to sector-specific regulations issued by the above-mentioned regulators, fintech businesses in India are also subject to several foundational legal frameworks that cut across all financial sectors and business models. These key frameworks influence aspects of ownership, data governance, and customer protection, and must be factored into both structuring and day-to-day operations of fintech platforms.
FDI in India, including in any fintech businesses, is regulated under FEMA and the corresponding rules, regulations and policies (including the FDI policy released by the government from time to time). Accordingly, structuring of ownership, investments, and compliance with pricing and reporting norms are key considerations for fintechs receiving foreign capital. A snapshot of the relevant sectoral caps for FDI which fintech businesses traverse are as follows:
(i)Banking – Private sector: FDI investment up to 74% (Sevent Four Percent)[36] is permitted under FEMA. Out of this 74% (Sevent Four Percent), up to 49% (Forty Nine Percent) is permitted under the Automatic Route and the rest is permitted under the Government Route[37].
(ii) Insurance Sector: FDI investment up to 74% (Sevent Four Percent)[38] is permitted under the Automatic Route.
(iii) Insurance Intermediaries[39]: FDI investment up to 100% (One Hundred Percent) is permitted under the Automatic Route.
(iv) Pension Sector: FDI investment up to 49% (Forty Nine Percent) is permitted under the Automatic Route.
(v) Other Financial Services (which are regulated by any financial sector regulator)[40]: FDI investment up to 100% (One Hundred Percent) is permitted under the Automatic Route.
While the Digital Personal Data Protection Act, 2023 (“DPDP Act”) has been enacted, it is not yet in force as of date. Until its commencement and notification of subordinate rules, fintech companies remain governed by the Information Technology Act, 2000, specifically the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Under this framework, fintechs are required to implement reasonable security measures, obtain user consent for data collection, and disclose privacy policies, amongst others. Once the DPDP Act comes into force, it will introduce more granular obligations on fintechs as data fiduciaries or data processors, including consent-based processing, purpose limitation, data minimization, and enhanced grievance redressal mechanism, significantly reshaping data governance practices across the fintech sectors.
Lastly, fintech platforms must adhere to the Consumer Protection Act, 2019, particularly in relation to digital services, advertising standards, and unfair trade practices. The Central Consumer Protection Authority has oversight over deceptive marketing, hidden charges, and misleading claim, such areas particularly relevant to fintech platforms offering credit, insurance, or investment products online. Ensuring transparency in fee structures, disclaimers, and customer communication is therefore essential.
Collectively, these cross-cutting and sector-agnostic laws form the legal bedrock for responsible fintech innovation in India and are critical to long-term regulatory sustainability and consumer trust.
V. Conclusion
India’s fintech ecosystem is at a transformative juncture, characterized by rapid innovation and evolving regulatory frameworks. Regulators such as RBI, SEBI, PFRDA, and IRDAI have been largely proactive in their approach towards emerging business models and addressing risks and gaps.
The RBI’s recognition of the Fintech Association for Consumer Empowerment as a self-regulatory organization in August 2024 underscores a collaborative approach to governance, aiming to enhance transparency and compliance within the digital lending sector. RBI’s regulatory sandbox, launched in 2019, allows fintech firms to test innovative products and services in a controlled environment under regulator supervision, especially in areas like retail payments, digital KYC, cross-border payments, and cybersecurity. Similarly, SEBI’s regulatory sandbox, introduced in 2020, enables testing of capital markets-related innovations. These frameworks provide a structured path for responsible experimentation, bridging the gap between innovation and regulation.
India is currently home to around 24 fintech unicorns[41], third only behind USA and China in this regard, demonstrating robust growth and innovation within its digital payments and banking sectors.[42] Further, seven Indian companies featured in the CNBC’s list of top 200 fintech firms worldwide in 2023, and ten Indian companies featured in their top 250 list in 2024[43], showcasing the country's substantial role in the fintech sector.[44] As seen above, the fintech ecosystem covers a diverse range of products and services spanning from solutions for fundamental aspects of everyday commerce such as payments and lending, to specialized and niche segments such as embedded insurance products or earnings-linked credit solutions to gig workers and blue collar workers.
Fintech startups that are revolutionizing access to credit, insurance, and investment services are a testament to the philosophy, reflecting on the broader startup ecosystem, and the recent growing philosophy of the government to focus on more matured and innovative start-ups. This evolution signifies India’s commitment to nurturing a dynamic and inclusive digital financial landscape, poised to set global benchmarks in fintech innovation and regulation
As the fintech sector continues to evolve, there is a growing consensus on the need for a holistic regulatory framework that goes beyond traditional entity-based oversight. An activity-based regulatory approach, delineating clear guidelines based on the nature of financial services offered, could provide greater clarity and foster innovation while safeguarding consumer interests. Such a framework would enable fintech companies to navigate the regulatory landscape more effectively, aligning their operations with the national objectives of financial inclusion and building a robust digital economy.
Whether a start-up aiming to introduce innovative solutions or an established business seeking to leverage its goodwill to expand their range of fintech offerings, a common theme is emerging: both are likely to be subject to oversight by a multiplicity of regulators and compliance requirements. In light of this, it is essential for such businesses to proactively plan and structure their compliance strategies at every stage of their operations. Doing so will become critical to mitigating regulatory risk and ensuring that potential compliance challenges do not come in the way of an otherwise promising fintech offering.
Contributed by Anindya Ghosh, Ashwin Krishnan (Partners), Jaidrath Zaveri (Principal Associate) and Siddharth Malakar (Senior Associate).
[1] https://www.mordorintelligence.com/industry-reports/india-fintech-market
[2] ‘Fintech adoption rate’ refers to the percentage of individuals who are actively using one or more fintech solutions in addition to or in place of more conventional alternatives.
[3] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1759602
[4] https://www.npci.org.in/PDF/npci/chairman-speeches/2024/Special-Keynote-Address-delivered-by-Shri-Ajay-Kumar-Choudhary-Non-Executive-Chairman-and-Independent-Director.pdf
[5] https://www.statista.com/statistics/262966/number-of-internet-users-in-selected-countries/
[6] https://in.nec.com/en_IN/case/uidai/index.html
[7] https://pib.gov.in/PressReleasePage.aspx?PRID=2040566
[8] https://bfsi.economictimes.indiatimes.com/news/fintech/how-indian-fintech-funding-fared-in-last-10-years/106261047?utm_source=chatgpt.com
[9] https://www.pwc.in/assets/pdfs/investing-in-indias-fintech-disruption.pdf
[10] https://economictimes.indiatimes.com/tech/funding/india-ranks-3rd-globally-in-fintech-funding-despite-33-lower-infusion-in-2024-report/articleshow/117195060.cms?from=mdr;
https://www.statista.com/topics/5666/fintech-in-india/#topicOverview
[11] https://inc42.com/features/funding-fintech-indias-top-fintech-investors/
[12] https://www.pwc.in/assets/pdfs/investing-in-indias-fintech-disruption.pdf
[13] https://www.pwc.in/assets/pdfs/investing-in-indias-fintech-disruption.pdf
[14] https://www.ibef.org/news/india-ranks-third-in-global-fintech-funding-despite-33-drop-in-2024-report
[15] Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI dated March 17, 2020
[16] The PA/PG Guidelines define PAs as “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period”.
[17] Regulation of Payment Aggregators (PAs) – Draft Directions published by RBI dated April 16, 2024
[18] The PA/PG Guidelines define PGs as “entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds”
[19] Master Directions on Prepaid Payment Instruments (PPIs) issued by RBI on August 27, 2021
[20]https://egazette.gov.in/WriteReadData/2025/263277.pdf
[21] Master Direction on Non-Banking Financial Company – Scale Based Regulation Directions, 2023 issued by the RBI on October 19, 2023
[22] Reserve Bank of India (Digital Lending) Directions, 2025
[23] Master Direction - Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 issued by the RBI on October 04, 2017
[24] Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016
[25] Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks issued by RBI on November 03, 2006.
[26] Master Direction - Know Your Customer (KYC) Direction, 2016 issued by RBI on February 25, 2016.
[27] SEBI (Investment Advisers) Regulations, 2013 issued by SEBI on January 21, 2013
[28] SEBI (Stockbrokers) Regulations, 1992 issued by SEBI on October 23, 1992
[29] SEBI (Portfolio Managers) Regulations, 2020 issued by SEBI on January 16, 2020
[30] SEBI (Research Analysts) Regulations, 2014 issued by SEBI on September 01, 2014
[31] Regulatory framework for Execution Only Platforms for facilitating transactions in direct plans of schemes of Mutual Funds
[32] Registration and regulatory framework for Online Bond Platform Providers
[33] IRDAI (Insurance Web Aggregators) Regulations, 2017
[34] IRDAI (Registration of Corporate Agents) Regulations, 2015
[35] PFRDA (Point of Presence) Regulations, 2018
[36] Foreign banks regulated by the banking supervisory authority in the home country and meeting RBI’s licensing criteria will be allowed to hold 100% (One Hundred Percent) of the paid-up capital to enable them to set up a wholly-owned subsidiary in India.
[37] Under the FEMA and the FDI policy, the Automatic Route refers to FDI investment by foreign investors to invest in specified sectors without prior approval from the government, subject to sectoral caps and conditions. Whereas the Government Route requires prior approval from the concerned ministry or department before making an investment in such.
[38] In the Union Budget for 2025-26 presented on February 1, 2025, Finance Minister Nirmala Sitharaman announced a proposal to increase the FDI limit for insurance companies from 74% to 100% under the Automatic Route. At the time of writing, the implementation of this increased limit is yet to be notified.
[39] Intermediaries include ancillary participants in the insurance sector such as brokers, consultants, third party administrators etc.
[40] Financial services activities which are specifically regulated by a financial sector regulator such as RBI, SEBI, IRDAI, PFRDA, or any other financial sector regulator notified by the government would be covered under this sector. These would include activities of registered NBFCs, stockbrokers, payment aggregators, prepaid payment instruments, registered investment advisers, registered analysts, etc.
[41] https://fintechnews.sg/108940/fintech-india/the-complete-list-of-india-fintech-unicorns-2025/
[42] https://www.cnbc.com/2023/10/26/top-fintech-companies-2023-us-china-lead-on-most-valuable- firms.html
[43] https://www.cnbc.com/the-worlds-top-250-fintech-companies-2024/
[44] https://www.cnbc.com/2023/08/02/here-are-the-worlds-top-200-fintechs-cnbc-and-statista.html
06 June 2025
