Technology

Fintech

What licences and registrations does a fintech company need in India?

The licences you need depend on what your product does. Payment aggregators require RBI authorisation under the Payment and Settlement Systems Act. Digital lenders must comply with the RBI’s Digital Lending Guidelines issued in September 2022. NBFCs require RBI registration. Payment banks and small finance banks have their own licensing requirements. Companies dealing in virtual digital assets must register with the FIU-IND. Insurance technology products may require IRDAI approvals. Account aggregators operate under the RBI’s Account Aggregator framework. We help fintech companies map their product to the applicable regulatory framework and obtain the necessary licences and registrations.

What are the RBI’s digital lending guidelines and how do they affect my business?

The RBI’s Digital Lending Guidelines, issued in September 2022, regulate digital lending activities by regulated entities (banks and NBFCs) and lending service providers (LSPs). Key requirements include mandatory disclosure of all fees and charges upfront, disbursement and repayment only through the borrower’s bank account (not through a third-party pass-through), explicit borrower consent for data collection, restrictions on accessing the borrower’s phone contacts, photos, and other data, a mandatory cooling-off period for borrowers, and a grievance redressal framework. If you operate as an LSP or a digital lending platform, these guidelines apply to you even if you do not hold an NBFC licence yourself.

Can a fintech startup accept deposits or lend money without an NBFC licence?

No. Accepting public deposits or lending money as a business requires RBI authorisation. Operating without it is an offence under the RBI Act. Peer-to-peer lending platforms require registration as NBFC-P2P. Some business models, such as buy-now-pay-later products, exist in a regulatory grey area and are increasingly subject to RBI scrutiny. The safest approach is to partner with a licensed NBFC or bank and operate as a technology or lending service provider within the digital lending framework. We advise startups on structuring their business model to be regulatorily compliant from the outset.

What data privacy rules apply specifically to fintech companies?

Fintech companies handle sensitive financial and personal data and are subject to both general data protection laws and sector-specific requirements. The DPDP Act applies to all personal data processing. The RBI’s data localisation directive requires payment system data to be stored in India. The digital lending guidelines restrict the collection of borrower data and require explicit consent. The Account Aggregator framework has its own data sharing and consent architecture. PCI DSS compliance is required for entities handling card data. We advise fintech companies on building a unified data compliance framework that addresses all applicable requirements without creating operational complexity.