Fintechs in India – Regulation
R Kannan
The regulatory landscape for fintechs in India operates under
a sectoral approach rather than a single unified authority.
Here is the breakdown of how fintechs are regulated, the
current legislative standing, and the reality of Self-Regulatory Organisations
(SROs) in India.
Regulators of Fintechs
There is no single "Fintech Regulator." Instead,
fintech companies are regulated by existing statutory financial regulators
based on the nature of the financial service they provide.
- Reserve Bank of India (RBI): The primary regulator for the vast majority of
fintechs. It oversees digital payments, digital wallets, payment aggregators,
peer-to-peer (P2P) lending, digital banking units (DBUs), and Neo-banks or
Non-Banking Financial Companies (NBFCs) operating digitally.
- Securities and Exchange Board of India (SEBI): Regulates wealth-tech
platforms, robo-advisors, online bond platforms, and algorithmic trading
applications.
- Insurance Regulatory and Development Authority of India (IRDAI): Oversees
insurtech companies, online insurance brokers, and policy web-aggregators.
- Pension Fund Regulatory and Development Authority (PFRDA): Regulates digital
platforms distributing pension products like the National Pension System (NPS).
- International Financial Services Centres Authority (IFSCA): Acts as a unified
regulator specifically for fintech entities operating out of the GIFT City
International Financial Services Centre in Gujarat.
Legislation for Fintechs
There is no standalone "Fintech Act" or
comprehensive specific legislation.
Instead, fintechs must comply with a combination of
traditional financial laws, technology laws, and a continuous stream of master
directions, circulars, and guidelines issued by the respective regulators. Key
pieces of legislation that bind fintechs include:
- Payment and Settlement Systems Act, 2007 (PSS Act): Governs payment gateways,
aggregators, prepaid payment instruments (PPIs), and systems like UPI
(overseen operationally by the NPCI).
- Banking Regulation Act, 1949 & RBI Act, 1934: Governs digital lending,
co-lending arrangements, and NBFC fintechs.
- Information Technology Act, 2000 (and subsequent Data Protection rules):
Dictates cyber security, data localization, systems safety, and electronic
signatures.
- Prevention of Money Laundering Act, 2002 (PMLA): Applies strict Anti-Money
Laundering (AML) and Know Your Customer (KYC) compliance frameworks, notably
expanding recently to include Virtual Digital Asset (VDA) or crypto platforms.
Self-Regulatory Organisations (SROs)
The "proposal" phase has successfully transitioned
into practical implementation. The RBI formally introduced a structured
framework for recognizing Self-Regulatory Organisations in the FinTech Sector (SRO-FT).
Rather than acting as a direct statutory enforcement hand,
an SRO-FT functions as a two-way bridge between the industry and the central
bank, setting baseline industry standards, promoting ethical codes of conduct,
and monitoring market behaviour.
Current Implementation Status
The RBI has actively recognized specific industry bodies
under this framework to ensure decentralized compliance:
- FACE (Fintech Association for Consumer Empowerment): Formally recognized by
the RBI as an SRO-FT. It focuses heavily on establishing consumer protection
standards, transparency, and data privacy guidelines for digital lending
platforms.
- SRPA (Self-Regulated PSO Association): Recognized by the RBI as an SRO
specifically tailored for Payment System Operators.
Additional applications from other fintech industry
associations remain under evaluation or formatting changes by the RBI to
establish sector-specific self-regulation (such as wealth management or digital
assets) moving forward.
Operational Responsibilities: The SRO as a Frontline Watchdog
The SRO functions as a proactive supervisor, standardizing
industry health and addressing operational issues before they scale into
systemic crises. Its responsibilities span four core operational domains:
- Formulation of Code of Conduct and Standards: The SRO codifies binding,
industry-wide ethical benchmarks, creating uniform disclosure norms and fair
pricing models. It also standardizes technical interfaces and cybersecurity
protocols, ensuring interoperability across the digital ecosystem.
- Monitoring, Surveillance, and Early Warnings: Through regular compliance
audits and market monitoring, the SRO identifies predatory lending patterns,
digital fraud networks, and liquidity risks early. An early-warning desk
ensures that bad-faith actors or unlicensed applications are reported promptly
to law enforcement and the apex regulator.
- Dispute Resolution and Consumer Grievance Arbitration: The SRO offers a
low-cost framework for resolving business-to-business (B2B) disputes between
FinTech firms and partner financial institutions. It also operates a
fast-track consumer redressal tribunal, resolving customer complaints
regarding transaction issues or collection practices before they strain
public courts.
- Capacity Building, Training, and Regulatory Interface: The SRO runs mandatory
certification programs for executives, compliance officers, and field
agents regarding data privacy laws and consumer protection. It also
compiles market data and presents empirical findings to the government,
supporting evidence-based policymaking.
The Compliance Takeaway: Because India utilizes an activity-based regulatory
mechanism rather than an entity-based one, a single fintech conglomerate
offering payments, lending, and mutual funds must simultaneously adhere to
separate frameworks prescribed by the RBI, SEBI, and their respective SROs.