India is one of the world's largest and most dynamic fintech markets. The UPI ecosystem, the proliferation of digital lending platforms, the growth of wealth management apps, and the emergence of account aggregators have created an industry that is simultaneously celebrated for its innovation and increasingly scrutinised for its compliance. For fintech companies, regulatory compliance is not a background function — it is core business infrastructure.
The RBI PA-PG Framework: The Licence That Defines Your Business
The Reserve Bank of India's March 2020 guidelines on payment aggregators (PAs) and payment gateways (PGs) are the foundational regulatory document for most fintech payment companies. The guidelines require entities facilitating online payment transactions between merchants and customers to obtain RBI authorisation as payment aggregators. The distinction between PA and PG is operationally important: PAs handle funds (and therefore must obtain authorisation), while PGs merely provide technology infrastructure without handling funds.
Key PA licence requirements include: net worth of ₹25 crore at the time of application (increasing to ₹100 crore by March 2023 for existing PAs); mandatory escrow accounts for merchant settlements; KYC/AML compliance for merchants; data storage requirements (all payment data to be stored in India); and a mandatory information security audit. Applications are submitted to the RBI's Department of Payment and Settlement Systems.
Digital Lending: FLDG, Onboarding, and the RBI's Framework
The RBI's September 2022 guidelines on digital lending significantly restructured how banks and NBFCs could partner with Lending Service Providers (LSPs) and Digital Lending Apps (DLAs). First Loss Default Guarantees (FLDGs) — previously used extensively by fintech companies as credit enhancement tools — are now permitted only up to 5% of the loan portfolio, and only from regulated entities. End-to-end disbursement and repayment must happen directly to/from the borrower's bank account, without routing through the DLA. The Annual Percentage Rate must be disclosed in a standardised key fact statement.
Account Aggregator Framework: Opportunity and Compliance Obligations
The Account Aggregator (AA) framework — established by the RBI under the Master Direction for Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 — creates a consent-based data sharing infrastructure that allows customers to share their financial data (bank statements, investment portfolios, insurance policies) with Financial Information Users (FIUs) for credit assessment, wealth management, and other purposes. AAs are regulated entities requiring RBI registration. FIUs — banks, NBFCs, mutual funds, insurance companies — need to become Technical Service Providers (TSPs) or build their own AA integrations.
DPDPA: The New Data Privacy Imperative
The Digital Personal Data Protection Act, 2023 imposes significant new compliance obligations on fintechs. Key requirements include: obtaining and maintaining clear, specific, and informed consent for processing personal data; implementing technical and organisational measures to protect data; notifying data principals and the Data Protection Board of personal data breaches; honouring data principal rights (access, correction, erasure, grievance redressal); and — for "significant data fiduciaries" designated by the government — appointing a Data Protection Officer, conducting data protection impact assessments, and submitting to periodic audits.
Fintech companies that process large volumes of sensitive financial data will almost certainly be designated as significant data fiduciaries. Building DPDPA compliance into product architecture from the outset is far less expensive than retrofitting it later.
FEMA and Cross-Border Fintech Operations
Fintech companies with cross-border operations — accepting payments from foreign customers, remitting to foreign accounts, or operating through overseas subsidiaries — must comply with the Foreign Exchange Management Act, 1999 (FEMA) and the Foreign Exchange Management (Mode of Payment and Reporting of Non-Debt Instruments) Rules, 2019. Foreign investment in fintech companies classified as NBFCs, payment system operators, or insurance intermediaries is subject to sector-specific caps and approval requirements. Cross-border data flows of financial data may require government approval under DPDPA once the relevant provisions come into force.
Our Fintech Practice
Satyam Dwivedi and DC Law Offices advise fintech companies, payment aggregators, digital lenders, and account aggregators on regulatory compliance, RBI licensing, SEBI regulations, and data protection. We have assisted fintechs with PA licence applications, RBI inspection responses, DPDPA readiness assessments, and commercial disputes with merchant clients. For a consultation, contact us here.