COMPARATIVE GUIDE
14 May 2024

FinTech Comparative Guide

Contributor: G&W Legal

G&W Legal is a full-service business law firm in India helping companies establish, (re)structure and scale Indian operations, design compliance and commercial strategies, and resolve disputes. With multiple ranked practices, G&W is reputed for work in transactions; IP; anti-corruption; antitrust; regulatory; privacy; employment; franchising; foreign investment; TMT and emerging issues.

1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Several laws govern various aspects of the fintech industry in India, depending on the nature of the activities carried out by the relevant entity. The major sources of regulation of the fintech space in India include the following:

  • Payment and Settlement Systems Act, 2007: This is the principal statute governing 'payment systems', defined as systems that enable payments to be effected between payer and beneficiary. The definition:
    • specifically includes credit cards, debit cards, smart cards, money transfers and other similar operations; and
    • specifically excludes stock exchanges.
  • Under the Payment and Settlement Systems Act, all payment systems require the approval of the Reserve Bank of India (RBI), India's central bank and regulator. The Payment and Settlement Systems Act also imposes obligations on payment system providers and allows the RBI to frame additional directions and guidelines which payment systems are bound to comply with.
  • RBI Act, 1934: The RBI Act contains provisions on the governance of non-banking financial companies (NBFCs), defined as non-banks that carry out activities including providing loans and insurance and acquiring securities. NBFCs must:
    • register with the RBI;
    • maintain a net owned fund of at least INR 2.5 million or such amount as is prescribed by the RBI; and
    • maintain a reserve fund in which at least 20% of the profits of the NBFC are deposited on an annual basis.
  • The RBI, by way of notifications, has amended the net-owned fund requirement for NBFCs. Most categories of NBFCs must maintain a net owned fund of at least INR 100 million. Certain categories of NBFCs also have higher or lower net-owned fund requirements as prescribed by the RBI.
  • The RBI Act grants the RBI the power to issue directions/policies applicable to NBFCs regarding a number of specified topics.
  • Banking Regulation Act, 1949: This act governs aspects of running a banking business in India. It:
    • prescribes various requirements and obligations for entities wishing to open and operate a bank in India;
    • grants the RBI multifaceted powers for governance, including powers over managerial control and supersession of the boards of directors of banking companies; and
    • prescribes the procedures for the winding up of banking businesses.
  • Regulations/directions issued by the RBI:
    • Master Directions on Prepaid Payment Instruments (PPIs), 2022: The RBI issued these master directions in 2022 to replace the earlier master directions issued in 2017 to regulate PPIs (ie, payment instruments through which goods or services can be purchased against the value stored on the instrument) in India. The 2022 master directions classify PPIs into:
      • closed system PPIs;
      • small PPIs;
      • full know-your-customer PPIs; and
      • certain specific types of PPIs (eg, gift PPIs and PPIs for mass transit).
    • Different requirements apply in each case. The master directions also allow non-banks to seek authorisation to operate and provide a PPI.
  • RBI Payment Intermediary Guidelines on opening and operating accounts and settling payments for electronic payment transactions involving intermediaries: These guidelines were issued by the RBI in 2009 in response to the growing popularity of electronic/online payment methods. They impose obligations on 'intermediaries' (ie, entities that facilitate payments between payers and beneficiaries).
  • Guidelines on the Regulation of Payment Aggregators and Payment Gateways: These were issued by the RBI in 2020 pursuant to the RBI Payment Intermediary Guidelines. Among other things, they:
    • provide a regulatory framework for payment aggregators (ie, entities which facilitate e-commerce merchants to accept payments without creating a payment system of their own); and
    • set out technology recommendations which must be adopted by payment aggregators and serve as baseline recommendations for payment gateways (ie, entities that provide technology infrastructure for payment systems without being involved in the transfer of funds).
  • Among other things, the guidelines mandate minimum capital requirements and the maintenance of an escrow account for all payment aggregators.
  • Master Directions – Credit Card and Debit Card – Issuance and Conduct Directions, 2022: These apply to:
    • all banks that issue credit and debit cards; and
    • all NBFCs that issue credit cards.
  • They prescribe requirements for being permitted to issue credit and debit cards, and for associated compliance with the operation of both systems.
  • Tokenisation – Card Transactions Circular: As per the Guidelines on the Regulation of Payment Aggregators and Payment Gateways, payment aggregators are not permitted to store customer card details in their databases or on servers accessed by merchants. As a result, card payments (and recurring transactions) will be implemented through card tokenisation. This circular (together with additional directions issued by the RBI) prescribes the conditions and compliance obligations associated with offering card tokenisation services, such as requirements for:
    • explicit consent through additional factor authentication from the cardholder;
    • the secure storage of tokens; and
    • consumer dispute resolution.
  • Guidelines for the Licensing of Payments Banks: Payments banks offer financial services with the aim of promoting financial inclusion by providing small savings accounts and catering to disadvantaged sections of the population. The RBI issued these guidelines in 2014 to impose eligibility and compliance requirements on such payments banks. Additionally, the RBI has issued Operating Guidelines for Payments Banks, which specify the procedural mandates that payments banks must adhere to.
  • Circulars issued by the Securities and Exchange Board of India (SEBI): The Payment and Settlement Systems Act specifically excludes stock exchanges from its ambit. Regarding the regulation of securities and entities that provide related services to consumers, SEBI has issued several circulars covering various aspects of this space in the Indian fintech industry. These include master circulars on:
    • mutual funds;
    • stock exchanges and clearing corporations;
    • know-your-customer norms for the securities market; and
    • the surveillance of the securities market.
  • Guidelines on Insurance E-commerce, 2017: The Insurance Regulatory and Development Authority of India (IRDAI), the statutory body that governs the insurance industry, has issued these guidelines with a view to regulating the growing incidences of entities offering insurance services through e-commerce channels. The guidelines:
    • require entities to obtain authorisation from the IRDAI before setting up an insurance self-network platform (ie, a platform that offers insurance services through electronic media); and
    • impose requirements relating to, among other things:
      • internal monitoring of systems;
      • review of operations;
      • obligations towards policyholders; and
      • modes of operations.
  • Information Technology Act, 2000 and rules issued thereunder: This is the primary statute governing cybersecurity and data protection. It also affords legal validity to electronic documents and records. It sets out specific cybersecurity offences and the associated penalties (including imprisonment for certain offences), as well as the payment of compensation to affected parties in certain cases.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These govern the currently applicable personal data protection regime in India. They are slated to be replaced by a comprehensive data protection law, the Digital Personal Data Protection Act, 2023, which has been passed by the Indian legislature and will come into force upon notification by the Indian government to that effect. This is expected to happen sometime in 2024, although no official indications as to timelines have been provided by officials.
  • Indian Contract Act, 1872: This governs all contractual relationships in India, and as such its provisions also apply to any fintech entities offering goods/services for consideration. It:
    • prescribes the conditions for a valid contract;
    • specifies certain provisions which will be void if included in a contract (eg, a provision restricting one party from suing the other party if such right to sue is provided for under Indian law); and
    • sets out the consequences of a breach of contract and the options for redressal available to affected parties for breaches.

1.2 Do any special regimes apply to specific areas of the fintech space?

The laws and regulations outlined in question 1.1 apply to the relevant sectors of the fintech space in India and operate as a network of interrelated regulatory regimes.

While no Indian law categorically defines the term 'fintech', the RBI does have a special Fintech Division/Department that was set up in 2022 to focus on innovation in this sector. The regulator does not, however, follow a consistent formula in dealing with the unique and innovative regulatory issues presented by fintech. It has largely adopted a permissive approach towards fintech.

In October 2023, the RBI brought into effect directions on the outsourcing of IT services. Among other things, the directions made clear that a regulated entity engaging in outsourcing:

  • will remain primarily responsible;
  • must put in place a robust customer grievance redressal mechanism; and
  • may outsource only once it has put in place a comprehensive IT outsourcing policy approved by its board of directors.

The directions also cover:

  • due diligence requirements;
  • contractual requirements; and
  • items to be included within any IT outsourcing agreement.

In addition, India has implemented a digital cashless payment system called the Unified Payments Interface (UPI) which:

  • allows users to instantly transfer funds to vendors; and
  • facilitates peer-to-peer transfers of funds.

Since its introduction in 2016, the UPI has enjoyed widespread adoption across the country. Government reports suggest that UPI transactions accounted for 52% of all digital transactions in India in the financial year 2022-2023.

The National Payments Corporation of India has been incorporated as a not-for-profit company to act as an umbrella organisation for operating retail payments and settlement systems in India. It is also responsible for operating and running the UPI ecosystem (in addition to other responsibilities, including the RuPay card network).

In addition, the data protection and cybersecurity regimes of India (which also include provisions that apply specifically to parts of the fintech sector) are also relevant to the fintech industry (please see question 5).

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

India has several statutory bodies which regulate and govern various aspects of the country's fintech industry, as follows.

RBI: As the regulator of the Indian banking and payment systems, the RBI has been granted certain powers with regard to enforcement. Under the Payment and Settlement Systems Act, the RBI is empowered to impose penalties for specific contraventions, including the contravention of any regulations/orders/directions/conditions imposed by it. As such, contravention of the various directions of the RBI applicable to the fintech sector (as discussed in question 1.1) could see the imposition of:

  • a penalty by the RBI of up to INR 1 million or twice the value of a quantifiable contravention/default, whichever is greater; and
  • an additional penalty of up to INR 25,000 for each day on which the contravention continues.

Under the RBI Act, the RBI has also been granted specific powers relating to the enforcement of regulations imposed on NBFCs. The RBI is empowered to regulate or prohibit the issue of a prospectus or ad by an NBFC seeking deposits of money from the public. It may also issue an order to remove a director of an NBFC from office if it believes that such an order is necessary:

  • in the public interest; or
  • to prevent the affairs of the NBFC being conducted in a manner that is detrimental to the interests of depositors and creditors.

SEBI: SEBI regulates the capital markets in India and has been granted multifaceted powers of enforcement. The SEBI Act, 1992 empowers SEBI to conduct enquiries and issue directions to entities where it is satisfied that this is necessary:

  • for the interests of investors or the orderly development of the securities market; or
  • to secure the proper management of capital markets entities.

Directions for the disgorgement of an amount equal to a quantifiable wrongful gain may also be issued by SEBI.

In addition, SEBI has been granted adjudicatory power for contraventions of the other penal provisions of the SEBI Act, such as:

  • failure to furnish information or returns required under the law;
  • failure to redress investor grievances;
  • defaults in mutual funds;
  • insider trading; and
  • fraudulent and unfair trade practices.

These contraventions are punishable by monetary penalties, with the maximum amount being INR 2.5 million.

Criminal actions may also be initiated for contraventions of the SEBI Act exclusively through a complaint made by SEBI to a court of competent jurisdiction (the SEBI Act also provides for the establishment of special courts to adjudicate upon such actions).

IRDAI: The IRDAI is the regulatory authority for the insurance sector and has been granted adjudicatory powers relating to certain specified contraventions under the Insurance Act, 1938.

The IRDAI may suspend or cancel the registration of insurance service providers for violating any regulations issued under the auspices of the Insurance Act. Additionally, cognisance of any contraventions of the Insurance Act or regulations issued thereunder can be taken by a court only where a complaint is brought in that regard by the IRDAI.

1.4 What is the regulators' general approach to fintech?

Several aspects of the fintech space have been embraced by regulators and policy decisions have been made to promote these sectors – the most notable being the UPI ecosystem (see question 1.2). Conversely, there has also been significant pushback (both in the general approach and in policy decisions) in some sectors of the fintech industry, such as cryptocurrency.

Overall, the Indian regulators seem to recognise:

  • the significant value that the fintech industry brings to the Indian economy; and
  • the convenience that it offers to the public.

1.5 Are there any trade associations for the fintech sector?

Several independent bodies have been established to function as trade associations for the fintech sector in India. Notable names include the following:

  • The Fintech Association for Consumer Empowerment is focused on engaging with stakeholders and policymakers to ensure a high quality of consumer engagement and empowerment.
  • The Digital Lenders' Association of India aims to promote developments in the Indian digital lending market.
  • The Fintech Convergence Council represents entities in various sectors, including fintech, banking and financial services. It has set up various sub-committees to focus on policy recommendations in the fields of digital lending, insurtech, investment and peer-to-peer lending, among others.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

India has seen the widespread adoption of fintech services over the past few years. Consumer interest in efficient, easy-to-use financial services is clearly evidenced by the rapidly growing popularity of the Unified Payments Interface (UPI) ecosystem. Reports suggest that India's fintech industry is expected to reach $70 billion in annual revenue by 2030. An increase in the accessibility of mobile internet services has also likely contributed to this trend.

The UPI's success is due to factors such as:

  • negligible merchant discount fees;
  • immediate transaction settlement; and
  • the fact that point-of-sale machines can be done away with.

Payment aggregators and gateways have seen exponential growth in India as, due to the specialised requirements for acting as a payment system operator, e-commerce entities utilise these aggregators and gateways to receive money from consumers. In addition, loans (including peer-to-peer loans) and insurance policies are being offered on digital platforms. Although in its infancy, the roboadvice sector has also seen a few startups enter the market recently. However, due to a lack of regulatory oversight, this sector has not seen much growth as yet.

The cryptocurrency industry has also been growing, with several Indian crypto exchanges beginning operations in recent years. However, the government's stance on the crypto industry (as detailed in question 3.1(f)) has been a source of some apprehension.

2.2 What products and services are offered?

A large number of products and services are offered by fintechs, including:

  • payment services (eg, bill payments, quick-response code payments, payment aggregation services);
  • lending services (eg, personal loans, salary loans, gold loans, corporate loans, peer-to-peer lending, trade finance);
  • insurance services (eg, insurance comparison platforms, insurance education, digital insurers); and
  • wealth management services (eg, expense management tools and platforms, roboadvice, discount brokers, mutual fund investment platforms, research platforms, alternative investment platforms).

Other services include:

  • payment security services;
  • collection management services;
  • credit bureau services; and
  • claims management services.

2.3 How are fintech players generally structured?

Most fintech players are structured as limited liability companies under the Companies Act, 2013. In many cases, the law mandates that a fintech be set up as a limited liability company. Certain fintechs which are not mandated by law to set up as a company may also be incorporated as a limited liability partnership under the Limited Liability Partnership Act, 2008.

2.4 How are they generally financed?

Most fintechs are primarily financed by way of equity capital. Fintechs can also seek loans from shareholders and financial institutions.

2.5 How are they positioned within the broader financial services landscape?

In India, fintech now plays a critical role in the financial services landscape. Fintechs, enabled by the UPI, have made significant gains in the payments space. Digital payments have soared, with UPI monthly transactions reaching approximately $220 billion (as of December 2023). While payment service providers have established leading positions in the domestic payments space, emerging players in the areas of lending, wealthtech, insurtech and neo-banking are likely to dominate the fintech sector in India. According to a report published by Bain & Co, it is estimated that Indian fintechs currently contribute about $100 billion of enterprise value. India has seen a significant rise in fintech investment: in a recent report by Tracxn, India ranked third globally in 2023 in terms of fintech startup funding.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Many startups outsource back office or non-core activities to third-party service providers and India has a well-developed market for many outsourcing activities.

The Reserve Bank of India (RBI) has framed the Master Directions on Outsourcing of Information Technology Services, which apply to banks, non-banking financial companies and credit information companies. These regulations have been framed to protect regulated fintechs from the risks associated with outsourcing IT-enabled services to third parties. The regulations require fintechs, among other things, to:

  • put in place a comprehensive IT outsourcing policy, which must incorporate, among other things:
    • the roles and responsibilities of the board, committees of the board (if any) and senior management in respect of outsourcing of IT services; and
    • criteria for the selection of outsourcing activities as well as service providers;
  • include provisions in contracts with service providers under which the service provider undertakes to:
    • seek permission before subcontracting any outsourced work;
    • permit the RBI to carry out audits; and
    • implement a business continuity plan;
  • carry out appropriate due diligence on service providers; and
  • have in place a management structure to monitor and control its outsourced IT activities.

The regulations include specific provisions on the outsourcing of:

  • cloud computing services; and
  • security operations centres.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

The Guidelines on the Regulation of Payment Aggregators and Payment Gateways issued by the Reserve Bank of India (RBI) are tangentially relevant to the internet e-commerce industry in India, as most e-commerce providers utilise third-party payment aggregators and payment gateways to facilitate payments from consumers.

(b) Mobile (m-commerce)

No distinction is drawn in India between e-commerce and m-commerce, and most service providers offer e-commerce services simultaneously on computer and mobile platforms.

(c) Big data (mining)

The current legislative framework does not address data mining. The Digital Personal Data Protection Act 2023 specifically excludes any personal data which has been made publicly available by the data principal from its scope of application. However, the terms of service of most websites prohibit the automated scraping of the contents of websites. Additionally, the IT Act:

  • states that if a person accesses a computer network without the permission of the owner of that network, that person may be liable to pay damages; and
  • imposes penal provisions where such access is dishonest or fraudulent.

As such, data mining without the consent of the owner of the data may be regarded as a contravention of the IT Act; however, there is no judicial precedent in Indian courts supporting such an interpretation.

(d) Cloud computing

There is no specific legislative framework in India governing cloud computing. General provisions regarding personal data and cybersecurity (as detailed in question 5) will apply to such services.

(e) Artificial intelligence

India has no regulations governing artificial intelligence (AI) technologies, either generally or specifically in the fintech space. However, the need for such a regulatory framework has been recognised by the government in various reports published by regulatory bodies. The upcoming Digital India Act (discussed in question 10.1) will likely include provisions governing the implementation and use of AI technologies in India.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

In 2018, after issuing various notifications cautioning users about the risks involved in this space, the RBI issued a circular that prohibited any entities regulated by it from dealing in virtual currencies or facilitating persons in engaging in such dealings.

However, this circular was quashed by a judgment of the Indian Supreme Court in 2020, as the Supreme Court held that there was not enough evidence presented by the RBI to show that such virtual currencies and their trading presented a risk to the Indian banking system.

Currently, cryptocurrencies and their trading are unregulated in India. However, the government has indirectly acknowledged the impact of this industry in several ways. In the 2022 Budget, a tax of 30% was introduced on all gains realised through selling 'virtual digital assets' (including cryptocurrencies and non-fungible tokens). The RBI has also initiated a pilot project for the 'e-rupee' – a blockchain-backed digital currency regulated by the RBI at both the wholesale and the retail level. After publishing a concept note on the topic in October 2022, the pilot project was launched in four cities in December 2022.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

The Reserve Bank of India (RBI) has issued the Master Directions for Non-Banking Financial Companies engaging in Peer-to-Peer Lending Platforms, which regulate non-banking financial companies (NBFCs) that wish to establish such peer-to-peer (P2P) platforms.

The directions require that any NBFC wishing to engage in this business must:

  • obtain a certificate of registration from the RBI; and
  • maintain a net owned fund of at least INR 20 million.

The aggregate exposure of a lender across all P2P platforms has been capped at INR 5 million and the aggregate loans that a borrower may take across all platforms are capped at INR 1 million.

Additional issues are also covered in the regulations, including:

  • the scope of activities;
  • prudential norms;
  • declaration of dividends;
  • fund transfer mechanisms; and
  • transparency and disclosure requirements.

(b) Online lending and other forms of alternative finance

The Guidelines on Default Loss Guarantees in Digital Lending issued by the RBI in 2023 permit such arrangements as long as they meet the requirements set out in the guidelines. These include a requirement for a formal contractual arrangement that clarifies the amount of cover guaranteed and timelines. The guidelines also:

  • limit the quantum of the guarantee to 5% of the loan; and
  • cover:
    • disclosure requirements;
    • due diligence requirements; and
    • exceptions.

In 2022, the RBI also issued the Guidelines on Digital Lending to regulate digital lending – a field which has grown significantly in India over the past few years. The guidelines apply to all banks and NBFCs that provide consumers with digital lending services, defined as "remote and automated lending process[es]" that largely use digital technologies for "customer acquisition, credit assessment, loan approval, disbursement, recovery, and associated customer service[s]". The RBI has clarified that even if some physical interfacing with the consumer is involved in providing the lending services, an entity will still be regulated by the guidelines if the majority of the process utilises digital technologies.

The guidelines impose several compliance conditions on regulated entities. All disbursals and repayments are to be made directly between the bank accounts of the regulated entity and the consumer (with a few specified exceptions). A grievance redressal mechanism (including the appointment of a grievance officer) must be put in place by all regulated entities, as well as the lending service providers that they engage.

Regulated entities are also required to provide a cooling off/look-up period for all loans issued by them during which the consumer can exit the digital loan by paying back the principal and the proportionate annual percentage rate (to be provided as an all-inclusive cost of the loan to the consumer) without any penalty being levied. This period is to be determined by the board of the regulated entity and may not be:

  • less than three days for loans with a tenure of seven days or more; or
  • less than one day for loans with a tenure of under seven days.

Regulated entities must also make available a key fact statement to consumers in a prescribed format, including, among other things:

  • the annual percentage rate;
  • details of the grievance redressal mechanism;
  • the cooling off/look-up period; and
  • the recovery mechanism.

Additional obligations imposed by the Guidelines on Digital Lending include those relating to:

  • the assessment of creditworthiness;
  • the recovery mechanism;
  • due diligence of lending service providers;
  • the use and disclosure of data obtained by regulated entities, including specific restrictions on mobile apps accessing the phone's resources (eg, files and media, call logs, contacts);
  • restrictions on the storage of data (by regulated entities and their lending service providers); and
  • a requirement for regulated entities and their lending service providers to put in place a comprehensive privacy policy.

Compliance with the guidelines by lending service providers must be ensured by the regulated entities that engage them. Additionally, the guidelines issued by the RBI on outsourcing (as discussed in question 1.2) continue to apply to regulated entities regarding their engagement of a lending service provider.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb))

Most merchants involved in e-commerce utilise the services of payment aggregators and payment gateways to facilitate payments from consumers. Notable exceptions are Amazon and Google, which have been granted in-principle approval by the RBI to function as payment aggregators themselves.

(d) Forex

Forex trading in India is governed primarily through the Foreign Exchange Management Act, 1999 and various additional regulations issued by the RBI in this regard.

Specifically, the RBI has notified the Electronic Trading Platforms (Reserve Bank) Directions, 2018, under which electronic trading platforms (ETPs) must be authorised by the RBI before they can provide forex trading services to customers. The directions provide eligibility criteria for authorisation (including financial and technological criteria) and notably state that the ETP must be a company incorporated in India.

The regulations also mandate the operating framework for the platforms, and notably include testing and transparency requirements for algorithm-based systems. ETPs are also subject to certain reporting requirements to the RBI.

(e) Trading

This space is regulated by the Securities and Exchange Board of India (SEBI), in accordance with various circulars and directions as issued from time to time.

(f) Investment and asset management

The SEBI (Investment Advisors) Regulations, 2013 govern parties offering investment advice and investment/asset management services. The regulations require all investment advisers to obtain SEBI registration to conduct their business in India, with certain exemptions, including for:

  • general good-faith comments;
  • advisers governed by the Insurance Regulatory and Development Authority of India; and
  • advisers catering exclusively to clients based outside India.

Educational and professional qualification mandates as well as net worth requirements must also be met to be eligible for registration.

The regulations impose various obligations on investment advisers, including in relation to:

  • client risk profiling;
  • suitability;
  • disclosures to clients;
  • maintenance of records; and
  • grievance redressal mechanisms.

Additionally, the SEBI (Foreign Portfolio Investors) Regulations, 2014 provide the primary regulatory framework for trading in foreign portfolios in India.

(g) Risk management

No specific regulations regarding risk management services have been issued in India, as such services fall under the ambit of the SEBI (Investment Advisers) Regulations discussed in question 4.6.

(h) Roboadvice

There is no specific regulation governing roboadvice. However, in 2020, SEBI clarified that roboadvisers are classified as investment advisers and are therefore governed by the SEBI (Investment Advisers) Regulations, as discussed in question 4.6.

(i) Insurtech

No specific regulatory framework has been put in place for insurtech other than that discussed in question 1.1.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

The data protection regime in India is governed by the Information Technology Act, 2000 and the rules framed thereunder – specifically the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The rules provide for specific types of personal data – including financial information – to be classified as 'sensitive personal information'. All bodies corporate processing such sensitive personal information must obtain consent in writing from the data subject prior to such processing. The rules also require bodies corporate to:

  • allow data subjects to review and correct/update their personal information;
  • retain the information only for as long as is necessary for the purpose of processing or as required under applicable law;
  • appoint a grievance officer to address grievances of data subjects; and
  • adopt security safeguards (the IS/ISO/IEC 27001 Standard is highlighted in the rules as being compliant with "reasonable security practices and procedures").

In addition, the Indian Computer Emergency Response Team (CERT-In) set up by the Ministry of Electronics and Information Technology requires all entities to report specified cybersecurity incidents (including data breaches and data leaks) within six hours of becoming aware of the incident.

In August 2023, the Indian legislature passed the new Digital Personal Data Protection Act, 2023 (DPDP Act). The act has received presidential assent and has thus completed the legislative process, but it will come into force only on a future date to be notified by the Indian government.

The DPDP Act imposes the same standards and requirements on all categories of personal data, unlike the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. Personal data may be processed only under a lawful basis as provided in the DPDP Act and consent remains the primary lawful basis for processing data. Consent under the DPDP Act must meet specified conditions – it must:

  • be provided through a positive action by the data subject; and
  • be free, specific, informed, unconditional and unambiguous.

Data subjects (referred to as 'data principals' in the legislation) are also provided with enhanced rights, including:

  • the right to request a summary of the processing of their personal data and entities with which the personal data has been shared;
  • the right to access, review and correct their personal data;
  • the right to withdraw consent;
  • the right to request the deletion of their personal data; and
  • the right to a grievance redressal mechanism.

The DPDP Act distinguishes between data controllers (referred to as 'data fiduciaries') and data processors; all compliance obligations fall squarely on data fiduciaries. Data fiduciaries must ensure that the above rights are provided to data principals and comply with the other requirements (eg, a data breach notification requirement in addition to that put in place by CERT-In). Contraventions of the DPDP Act will be examined by the Data Protection Board of India (a regulatory body set up through the DPDP Act) and are punishable with fines of up to INR 2.5 billion.

Once notified, the DPDP Act will repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules and will be the primary statute governing the data protection regime in India.

Specific to the fintech sector, in 2018, the Reserve Bank of India (RBI) issued a circular that requires all payment system providers to store all data relating to the payment systems operated by them (including personal data) on systems located in India. The enactment of the DPDP Act will not render this requirement ineffective and it will remain in force along with the DPDP Act.

Additionally, the Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015 require that:

  • all insurers maintain records of their issued policies and claims; and
  • these records, whether maintained electronically or otherwise, be maintained in India only.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The Information Technology Act sets out the current cybersecurity regime in India. The Information Technology Act has extraterritorial jurisdiction and contravention by non-Indian entities will also theoretically be punishable under the act. However, enforcement of its provisions against non-Indian entities presents implementational challenges.

The Information Technology Act classifies the following acts done without permission of the owner as "damage to a computer or computer system", for which the contravening party will be liable to compensate the affected party by way of damages:

  • accessing a computer system, network or resource, or accessing/downloading/copying any data stored on such infrastructure;
  • introducing a computer virus or similar contaminant to the infrastructure;
  • causing damage or disruption to the infrastructure, or deleting/altering any data stored therein;
  • denying access to any person authorised to access the infrastructure;
  • charging services availed of by a person to another person's account by tampering with or manipulating the network; or
  • stealing, concealing or destroying any computer source code with the intention of causing damage.

If any of the above acts is done "dishonestly or fraudulently", it is additionally punishable by imprisonment of up to three years, a fine of up to INR 500,000 or both.

In June 2023, the RBI published the draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators for public consultation and feedback.

These draft directions are intended to apply to all payment system operators regulated by the RBI in India and impose various compliance requirements with a view to increasing cyber resilience. Among other things, these requirements relate to:

  • inventory management;
  • access management;
  • network security and testing;
  • vendor risk management;
  • data security;
  • incident response protocols; and
  • employee training.

Additionally, specific controls are proposed for various types of digital payments (ie, mobile, card and prepaid payment instrument payments). There has been no indication from the RBI as to:

  • a timeline for implementation; or
  • whether the directions (if and when implemented) will differ in any way from the draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators.

In July 2023, a Standing Committee constituted by the Ministry of Finance published a Report on Cyber Security and Rising Incidence of Cyber/White Collar Crimes, which highlighted the increasing number of cybercrimes constituting financial fraud over the past few years. The report made certain recommendations to address these issues and bolster the Indian cybersecurity regime with regard to the fintech space, including:

  • the enhancement of regulatory powers afforded to the RBI with regard to payment service providers;
  • the establishment of a new regulatory framework regarding cybersecurity, as the current regime is unsuited to tackle advancements in technology;
  • the institution of a centralised authority to implement and enforce cybersecurity policies in the country; and
  • a revamp of the compensation structure for persons affected by financial fraud.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

Regulated entities are subject to various obligations in this regard under:

  • India's chief anti-money laundering statute, the Prevention of Money Laundering Act, 2002 (PMLA) and rules made thereunder; and
  • master directions issued by the Reserve Bank of India (RBI).

The PMLA prohibits any entity from 'knowingly' enabling any party to use the proceeds of crime. The Prevention of Money Laundering (Maintenance of Records) Rules, 2005, made under the PMLA, require regulated entities (including most fintech companies) to follow prescribed customer identification procedures when opening accounts and as part of ongoing monitoring.

Under the RBI's master directions on know-your-customer requirements, regulated entities must undertake due diligence and adopt a risk-based approach for the periodic updating of customer information, with the aim of:

  • combating money laundering through 'mules'; and
  • preventing access to deposits of proceeds from criminal activity.

Regulated entities are accordingly required to report suspicious activity to a specific department of the Indian central government.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

At the moment, fintech is governed by the standard Indian competition law, the Competition Act, 2002. This covers ex-ante regulation of mergers and acquisitions and ex-post enforcement against abuse of dominance and anti-competitive agreements. There are no provisions specifically tailored to the fintech industry; however, fintech received its fair share of attention in Harshita Chawla v WhatsApp, in which the regulator found that WhatsApp's integration of a Unified Payments Interface payments app did not constitute an abuse of dominance. This may be explained by the fact that WhatsApp Payments has failed to capture significant market share in comparison to established players such as PhonePe, Google Pay and Paytm.

The competition regulator has also penalised Google, among other things, for requiring app developers listed on the Play Store to use its Google Play Billing System.

The Competition Commission of India is about to set up a Digital Markets Unit to assess conduct and practices in digital businesses (including fintechs). Ex-ante regulation of unique competition concerns created by big-tech in digital markets is also under consideration.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Conventionally, through intellectual property, as follows:

  • Trademarks, both as a common law right and as a statutory right (when registered), protect brands, names, logos and so on.
  • Copyright protects computer programs and source code. Generally, India does not recognise software patents.
  • Information and know-how leaks can be prevented through strong non-disclosure agreements.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Currently, there are no fiscal incentives available specifically for fintech players. However, the government is paying significant attention to the digital ecosystem, and efforts are being made to frame well-defined regulations that foster the development of fintech players and the digital economy.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Established employment regulations are largely industry-agnostic and do not differ for fintechs. The applicable employment law provisions are usually region-specific and depend on the location of the company's offices in India.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Generally speaking, no special provisions apply to fintech companies as distinct from any other industry in this regard.

India has an abundance of skilled workers and government policy is to prefer the employment of Indian nationals over foreign nationals. Employment visas risk being refused by the Indian government where qualified Indians are available for employment; decisions to grant/refuse visas fall exclusively within the government's domain.

The Foreigners Act and the Registration of Foreigners Act enable the government to control the flow of foreign nationals into India.

In order to be granted an employment visa, a foreign national must draw an annual salary in excess of $25,000 (except in the case of ethnic cooks, embassy staff and language teachers). Employment visas may be granted for a period of up to five years, depending on:

  • the specific tasks for which employment is foreseen; and
  • any bilateral agreements in place between India and the relevant foreign country.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

As detailed in question 5.1, the new Digital Personal Data Protection Act, 2023 (DPDP Act) is slated to replace the current regime and will then become the primary data protection statute in India. It will apply to all fintech entities, in addition to the specific data protection requirements imposed under other regulations. Delegated legislation under the DPDP Act is yet to be published and notified, and will establish many of the procedural and implementational requirements associated with the DPDP Act.

In addition, the new Digital India Act is being developed by the Indian legislature to overhaul and replace the current Information Technology Act. While no versions of the law have as yet been made available to the public, the government has expressed its intent to shape the Digital India Act to regulate the rapid developments in the technology industry in the 20-plus years since the Information Technology Act was instituted.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

The laws regulating fintech business are evolving and complex, and there are still regulatory uncertainties in specific areas as the laws are not yet well defined. Furthermore, there are several restrictions on cross-border transactions. Fintech players that wish to enter India must thoroughly analyse and understand the legal regime in connection with their proposed business.
