Fintech in India 2024

Fintech in India 2024

FINTECH 2024

INDIA

Probir Roy Chowdhury, Yajas Setlur, Kumarmanglam Vijay, Pratish Kumar, Nikhil George

(JSA)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

1. What is the general state of fintech innovation in your jurisdiction?

India is one of the fastest-growing fintech markets in the world with a wide range of constantly innovating and evolving sub-segments, including payments, cryptocurrency, digital banking, embedded finance, open banking, digital lending, personal finance management, and wealth, insurance and regulatory technology.

While some types of fintech are extensively regulated (such as those operating payment systems), others (such as those in the cryptocurrency space) operate in regulatory limbo.

Government and regulatory support

2. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

Programs

The Reserve Bank of India (RBI) has set up the Reserve Bank Innovation Hub (RBIH) to promote and facilitate an environment that accelerates innovation across the financial sector. The RBIH has also signed a memorandum of understanding (MoU) with certain entities to promote fintech innovation. Some notable partnerships include:

• an MoU with IIT Madras Incubation Cell to provide incubation support and nurture early-stage start-ups and empower them to transform India’s fintech landscape; and
• an MoU with the India Post Payments Bank for innovations in financial products and services.

RBI has also launched HaRBInger – a global hackathon – with a view to encourage and promote fintech innovation. The theme for the 2023 edition is inclusive digital services.

The National Payments Corporation of India also plays a pivotal role in fintech innovation through its txn-nxt platform.

Regulatory sandboxes

The RBI has introduced regulatory sandboxes for testing new innovations in a controlled environment. So far, these sandboxes have been on retail payments, cross-border payments and micro, small and medium enterprise (MSME) lending and prevention and mitigation of financial fraud. As part of the fifth cohort of regulatory sandboxes, the RBI maintained a neutral theme and invited applications for innovative products, services and technologies cutting across various functions in the RBI’s regulatory domain. Similarly, the Insurance Regulatory and Development Authority of India and the Securities and Exchange Board of India have also set up regulatory sandboxes for innovation in the insurance sector and the securities market ecosystem, respectively.

Incentives

The International Financial Services Centers Authority has announced its fintech incentive scheme through which monetary grants are proposed to be given to fintech companies to support their activities.

Arrangements with foreign regulators

The RBI is a member of the Global Financial Innovation Network, a network that will enable innovative firms to interact with regulators, helping them navigate between countries as they look to scale new ideas.

FINANCIAL REGULATION

Regulatory bodies

3. Which bodies regulate the provision of fintech products and services?

India does not have a single regulator for all fintech products and services. While most areas of fintech (such as payments, digital banking and digital lending) are regulated by the Reserve Bank of India (RBI), fintech products and services that relate to insurance and securities are regulated by the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI), respectively.

Notably, the Ministry of Electronics and Information Technology also acts as the nodal ministry to oversee all IT and internet-related products, services, developments and policies.

Regulated activities

4. Which activities trigger a licensing requirement in your jurisdiction?

Licensing requirements depend on the specific sectoral regulator’s regulations.

Under the SEBI, activities such as securities broking and investment advising trigger licensing requirements under the SEBI (Stock Brokers) Regulations 1992 and the SEBI (Investment Advisers) Regulations 2013 (the IA Regulations), respectively.

Under the IRDAI, insurance web aggregators, brokers and agents are required to be licensed under the IRDAI (Insurance Web Aggregators) Regulations 2017, the IRDAI (Insurance Brokers) Regulations 2018 and the IRDAI (Registration of Corporate Agents) Regulations 2015, respectively.

Under the RBI, all non-bank payment systems operators (PSOs) are required to seek authorization from the RBI under the Payment and Settlement Systems Act 2007 (PSSA) before commencing operations. Examples of PSOs include payment aggregators, prepaid payment instrument (PPI) issuers and card networks. These PSOs are subject to additional regulations, circulars and directions issued by the RBI under the PSSA. For instance, payment aggregators are governed by the Guidelines on Regulation of Payment Aggregators and Payment Gateways and PPI issuers are governed by the Master Directions on Prepaid Payment Instruments 2021.

The RBI also requires non-bank lenders and factors to seek authorization as non-banking financial companies (NBFCs).

Consumer lending

5. Is consumer lending regulated in your jurisdiction?

Yes. The main entities engaged in consumer lending are commercial banks and NBFCs. The RBI is the regulator with jurisdiction over these entities and their consumer lending businesses. Entities in this sector are broadly regulated under the Reserve Bank of India Act 1934 and the Banking Regulation Act 1949, as well as the various circulars, directions and regulations issued by the RBI under these laws. This body of law governs various aspects of consumer lending, including know-your-customer and anti-money laundering requirements, fair practices and procedures, and prudential norms applicable to lenders.

The RBI has also notified the Guidelines on Digital Lending (DL Guidelines) to specifically regulate digital lending, based on the report of a working group on digital lending.

The DL Guidelines apply to lending which largely uses digital technology. They primarily govern RBI-regulated entities such as banks and NBFCs. However, they also indirectly impose obligations on lending service providers (LSPs), who act as agents of regulated entities and perform some of the lender’s functions on their behalf, as well as digital lending applications (DLAs), which are mobile or web-based applications facilitating digital lending.

Some obligations imposed by the DL Guidelines include:

• Disclosure-related obligations: the DL Guidelines require regulated entities to disclose all loan-related details in a key fact statement. This statement should include information such as the annual percentage rate (the annual cost of the loan), the recovery mechanism, cooling-off period and other relevant details.
• Data-related obligations: the DL Guidelines specify that LSPs and DLAs can only store a minimal amount of personal data necessary to fulfil their obligations. This may include the customer’s name, contact details and address. However, regulated entities bear the ultimate responsibility for ensuring the privacy of such data.
• The guidelines also impose data localization requirements, meaning that all data collected as part of the digital lending process must be stored within India. Further, all regulated entities, DLAs and LSPs are required to have a comprehensive privacy policy in place, which aligns with the RBI guidelines and other legal requirements.
• Grievance redressal: the DL Guidelines mandate that every regulated entity and LSP interacting with customers must establish an effective grievance redressal mechanism to resolve customer disputes. They are also required to appoint grievance redressal officers and prominently display their contact details on their website and key fact statement.
• Fund flow: the DL Guidelines stipulate that all loan amounts (including repayments) must be directly disbursed from the regulated entity’s account to the borrower’s account. The involvement of any third-party pass-through account or pool account is expressly prohibited. That said, an exemption is granted in the case of advance salaries. In those cases, the employer is permitted to repay the loan by debiting the borrower’s bank account.

Overall, the DL Guidelines aim to regulate digital lending activities, ensuring transparency, privacy protection and fair practices for customers.

Secondary market loan trading

6. Are there restrictions on trading loans in the secondary market in your jurisdiction?

Assignment of loan exposures of a financial institution to another financial institution or for securitization is regulated by the RBI. All on-balance sheet exposures that are in the nature of loans and advances, and are standard (i.e, performing without default) – except specified prohibited exposures – are allowed to be assigned or securitized in accordance with the applicable guidelines. The sale of non-performing assets (which are in default) is regulated by the RBI.

Assignment of loan exposures is primarily governed by Master Direction – RBI (Transfer of Loan Exposures) Directions 2021. Securitization of standard assets in India is primarily governed by Master Direction – RBI (Securitization of Standard Assets) Directions 2021 (Securitization MD).

Notably, the securitization of non-performing loan assets is governed by the Master Direction – RBI (Securitization of Standard Assets) Directions 2021, in addition to:

• the Securitization and Reconstruction of Financial Assets and Enforcement of Security Interest Act 2002; and
• the Securitization Companies and Reconstruction Companies (Reserve Bank)Guidelines and Directions 2003.

Separately, the SEBI (Issue and Listing of Securitized Debt Instruments and Security Receipts) Regulations 2008 will apply if the securitization papers or instruments are listed.

In addition, the DL Guidelines clarify that for first loan default guarantee (a mechanism under which a third party takes up the risk exposure of the loan portfolio of the regulated lender), regulated entities must adhere to the Securitization MD.

Collective investment schemes

7. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Collective investment schemes in India are regulated by the SEBI under the SEBI (Collective Investment Scheme) Regulations 1999 and ordinarily require registration. For a scheme or arrangement to be considered a collective investment scheme, it must satisfy the following conditions:

• payments or contributions made by investors are pooled and utilized for the purpose of the scheme or arrangement;
• such contributions are made by the investors with a view to receive returns in the form of profits, income, produce or property from such a scheme;
• the property or contribution forming part of the scheme is managed on behalf of the investors; and
• the investors do not have day-to-day control over the management and operation of the scheme or arrangement.

Alternative investment funds

8. Are managers of alternative investment funds regulated?

Alternative investment funds (AIFs) are regulated by the SEBI. All AIFs are required to register with the SEBI under the SEBI (Alternative Investment Funds) Regulations 2012 (the AIF Regulations).

AIFs are broadly classified into three categories, depending on the nature of their investments. Category I AIFs invest in start-ups and early-stage ventures that are considered socially or economically desirable by the Indian government (and would include venture capital funds). Category II AIFs include funds that do not fall under Category I, but do not undertake leverage or borrowing (and would include private equity funds). Finally, Category III AIFs are funds that employ diverse or complex trading strategies and employ leverage through investment in derivatives (and would include hedge funds and private investment in public equity funds).

The AIF Regulations describe in detail the ongoing forms of compliance and requirements applicable to AIFs, including the minimum corpus for each AIF scheme, the minimum ticket size of an investor in the scheme and the minimum continuing interest or investment by the manager of the fund.

Peer-to-peer and marketplace lending

9. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Peer-to-peer (P2P) lending platforms can only be operated by NBFCs that have obtained specific authorization from the RBI (NBFC-P2Ps) under its Master Directions on Peer to Peer Lending Platforms 2017. The role of NBFC-P2Ps is restricted to that of an intermediary providing a platform to retail lenders and borrowers. They are also required to abide by prudential norms prescribed by the RBI and to put in place board-approved policies regarding the eligibility criteria of participants, operations, fair practice, IT frameworks, data security and business continuity.

The RBI requires fund transfers between lenders and borrowers to be facilitated only through escrow accounts operated by a bank-promoted trustee. No cash transactions are permitted.

Crowdfunding

10. Describe any specific regulation of crowdfunding in your jurisdiction.

Equity-based crowdfunding

Funds are raised by a business by offering a share in its equity in return for investments. There is presently no specific legal or regulatory framework governing equity-based crowdfunding. In response to notices issued by the SEBI, several popular crowdfunding platforms have applied to the regulator to register themselves as AIFs.

Reward-based crowdfunding

In consideration for their contributions, contributors receive an existing or a future tangible reward, such as early access to products or exclusive merchandise, among other things. Such crowdfunding is not prohibited or specifically regulated in India.

Donation crowdfunding

Here, funds are donated without any expectation of anything in return. Such donations could be for a social cause or artistic purposes, among others, and are not generally prohibited in India. However, foreign donations will need to comply with the provisions of the Foreign Contribution (Regulation) Act 2010.

Invoice trading

11. Describe any specific regulation of invoice trading in your jurisdiction.

In India, invoice trading (factoring) is undertaken by specified NBFCs and banks. To commence the factoring business, an NBFC has to obtain a certificate of registration from the RBI. With a view to simplifying discounting for trade receivables of micro, small and medium enterprises (MSMEs), the RBI has introduced the Trade Receivables Discounting System (TReDS) Scheme, which provides for the establishment of online platforms on which MSMEs can discount their invoices drawn on to banks and NBFC factors. There are three such platforms currently licensed to operate by the RBI:

• the Receivables Exchange of India;
• the M1xchange; and
• Invoicemart.

Regulations have also been issued by the International Financial Services Centers Authority, which regulates the Gujarat International Finance Tec-city in relation to online factoring platforms.

Payment services

12. Are payment services regulated in your jurisdiction?

Broadly, payment systems are regulated by the PSSA and the regulations made thereunder. Under the PSSA, no person can commence or operate a payment system in India without prior authorization from the RBI. The following payment systems are regulated by the RBI:

• electronic fund transfers;
• prepaid payment instruments;
• the centralized electronic clearing system;
• point of sale terminals and online transactions using credit, debit or prepaid cards issued by card payment networks;
• paper-based payment systems such as cheque truncation, cash payments, automated teller machines (ATMs) and white label ATMs;
• mobile banking services;
• the Bharat Bill Payment System;
• the TReDS Scheme; and
• payment aggregators and payment gateways.

The RBI has issued different directions and circulars to each of the above prescribing authorization requirements, minimum net worth and codes of conduct, among others.

Open banking

13. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

The RBI, through its Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions 2016, has come up with an open banking initiative by enabling intermediaries (account aggregators) to consolidate and share the financial information of a given customer held with different financial entities.

Account aggregators are NBFCs that have received authorization from the RBI to undertake account aggregation. They act as a bridge between financial information providers (such as banks, banking companies, NBFCs and asset management companies) and financial information users (entities registered with and regulated by any financial sector regulator). Information flow, in this case, takes place through appropriate APIs and is subject to the explicit consent of the customer to whom the information relates.

Robo-advice

14. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

Robo-advice is not specifically regulated by the SEBI. However, all investment advisers are required to be registered with the SEBI under the IA Regulations. In its consultation papers on the IA Regulations, the SEBI has clarified that the use of automated advice tools by registered investment advisers is not expressly prohibited. However, at present, the SEBI’s requirement for physical agreements between investment advisers and clients has made it difficult for investment advisers to provide robo-adviser services.

Notably, the SEBI has also discussed the possibility of amendments to the IA Regulations to require robo-advising investment advisers to comply with audit, disclosure and targeting requirements. However, no such amendment has taken place to date.

Insurance products

15. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Fintech companies engaged in the sale or marketing of insurance products are regulated by the IRDAI.

Fintech companies that operate websites to act as intermediaries between insurance companies and prospective policy buyers by collecting, compiling and comparing various policies are called web aggregators. Web aggregators must obtain a certificate of registration from the IRDAI and comply with the IRDAI (Insurance Web Aggregators) Regulations 2017.

Every insurer or insurance broker (also required to be licensed by the IRDAI) that markets insurance products must adopt fair, honest and transparent practices while issuing advertisements and avoid practices that tend to impair the confidence of the public. Such advertisements must prominently disclose the registered name of the entity.

Credit references

16. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

In India, credit information can be obtained from credit information companies (CICs), which are independent third-party agencies that collect the financial data of individuals pertaining to their loans, credit cards and other related information, and share it with their members. CICs are regulated by the RBI under the Credit Information Companies (Regulation) Act 2005 (the CIC Act), and the rules and regulations made thereunder.

CICs are permitted to reveal credit information only to specified users, which include credit institutions, certain entities regulated by the IRDAI and the SEBI, and telecom companies. Notably, credit information can also be provided to entities that process such information for the support or benefit of credit institutions, provided that they satisfy the following criteria:

• the entity should be a company incorporated in India;
• the memorandum of association of the entity should allow the business of processing of information for the benefit of credit institutions;
• the entity should have a net worth of not less than 20 million Indian rupees according to the latest balance sheet;
• the entity should be owned and controlled by India-resident citizens or a company owned and controlled by India-resident citizens;
• the ownership of the entity should be well-diversified;
• the entity should have at least three years of experience in running the business or activity of processing information for the support or benefit of credit institutions and should have a clean track record;
• the entity, or its promoters or directors, should not have been convicted of any offence involving moral turpitude or any economic offence; and
• the entity should have a certification from a Certified Information Systems Auditor that it has a robust and secure IT system in place for preserving and protecting the data related to credit information.

Apart from the exhaustive list of specified users provided under the CIC Act and regulations made thereunder, credit information cannot be disclosed to any other person. The CIC Act also expressly prohibits specified users who receive credit information from further disclosing such information to third parties.

CROSS-BORDER REGULATION

Passporting

17. Can regulated activities be passported into your jurisdiction?

No.

Requirement for a local presence

18. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

The Reserve Bank of India’s directions for most regulated fintech products and services (such as peer-to-peer lending platforms, prepaid payment instruments and payment aggregators) require financial service providers to be incorporated in India – that is, to establish a local presence. Notably, even foreign entities operating as online payment gateway service providers are required to open a liaison office in India before commencing operations.

However, unregulated financial services, such as crowdfunding platforms (except for equity crowdfunding), may be undertaken without a local presence. For example, Kickstarter offers its platform in India without a local presence.

SALES AND MARKETING

Restrictions

19. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

From a consumer protection perspective, advertisements must not be misleading, and sellers and marketers are prohibited from engaging in any fraudulent activities.

However, the sale and marketing of most financial products are specifically regulated as well. Notably, for investment-related products such as mutual funds or investment in securities, the following disclaimer has to be displayed in every advertisement accompanied by a voice-over reiteration: ‘Investment in securities or mutual funds market are subject to market risks, read all the related documents carefully before investing.’

Additionally, the Advertising Standards Council of India prohibits advertisements that invite the public to invest money from containing statements that may mislead consumers in respect of the securities offered and rates of return or terms of amortization. Where any of the foregoing elements are contingent upon any conditions or assumptions, such conditions or assumptions must be clearly indicated in the advertisement.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

20. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

Currently, distributed ledger technology is not regulated in India.

Cryptoassets

21. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

Currently, there are no specific laws in India that regulate the use of cryptoassets.

However, India’s income tax laws were recently amended to tax income earned from cryptoassets at a rate of 30 percent. Notably, no deductions are allowed while computing such income except the cost of acquiring such cryptoassets. Additionally, a 1 percent tax deducted at source (TDS) is also required to be charged on certain transactions involving cryptoassets. Further, non-payment of the above-mentioned TDS is also subject to a penalty that may be equal to the amount of unpaid TDS.

Regarding the promotion of cryptoassets, the Advertising Standards Council of India has issued Guidelines for Advertising and Promotion of Virtual Digital Assets and Services, which require all advertisements for cryptoassets to contain mandatory disclosures and disclaimers intended to prevent opaque and misleading advertisements.

Token issuance

22. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

The issuance of tokens is not regulated in India.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

23. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

While the use of artificial intelligence (AI) is not regulated, the Securities and Exchange Board of India (SEBI) has directed all registered mutual funds using applications or software based on AI or machine learning (ML) to report and make quarterly submissions to the Association of Mutual Funds in India who will, in turn, consolidate the information and submit it to the SEBI. The purpose behind this regulatory requirement is to help the SEBI understand AI and ML adoption by the Indian financial markets and formulate future policies.

CHANGE OF CONTROL

Notification and consent

24. Describe any rules relating to notification or consent requirements if a regulated business changes control.

The rules for notification or consent for change in control vary based on the kind of service provided.

For instance, non-banking financial companies (NBFCs), account aggregators and NBFC peer-to-peer (P2P) lending platforms (NBFC-P2Ps) must obtain prior written permission from the Reserve Bank of India (RBI) in the case of:

• a takeover or acquisition of control;
• a change in shareholding that would result in the acquisition of 26 percent or more of the paid-up equity capital;
• a change in management that would result in a change of more than 30 percent of the directors; or
• any change in shareholding that would give an acquirer the right to appoint a director.

The concerned NBFC, NBFC-P2P or account aggregator, along with the acquiring party, is also required to issue a public notice of any change in its control or management at least 30 days before effecting the sale or transfer of ownership or control.

Similarly, non-bank payment systems operators (PSOs) are required to seek RBI approval prior to:

• any takeover or acquisition of control; or
• a sale or transfer of their payment system businesses to an entity not authorized by the RBI to undertake a similar activity.

Following RBI approval, the non-bank PSO and acquiring entity are also required to issue a public notice 15 days before effecting the sale or transfer of ownership or control.

Notably, in cases where a non-bank PSO undergoes a change in management or directors, or is selling or transferring its payment system business to an entity authorized by the RBI to undertake a similar activity, the PSO is only required to notify the RBI of this after the fact (within 15 days).

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

25. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Bribery

Bribery in India is regulated by the Prevention of Corruption Act 1988. It expressly penalizes persons, including commercial organizations, for bribing or promising to bribe a public servant. Additionally, companies in India are obligated to provide a vigil mechanism and audit committee the scope of which, among other things, should include anti-bribery policies.

Money laundering

The primary legislation governing money laundering in India is the Prevention of Money Laundering Act 2002 (PMLA). The PMLA particularly imposes obligations on all banks, financial institutions (including payment systems operators) and regulated financial intermediaries as follows:

• to verify the identity of their clients using their Aadhaar or passport;
• to appoint designated directors and a principal officer to ensure overall compliance with the PMLA; and
• to maintain records of all transactions the value of which is over 1 million Indian rupees (or as prescribed by the rules under the PMLA) for a period of five years as of the date of the transaction and furnish such information to the director appointed by the central government.

Notably, in 2020, the Financial Intelligence Unit imposed a penalty of 9.6 million Indian rupees on PayPal (an online payment gateway service provider) for not complying with reporting obligations under the PMLA. This case is noteworthy because PayPal does not undertake directly regulated financial services under a license or authorization, but instead acts as a technology provider that collaborates with licensed or regulated institutions (namely, banks and payment system providers). PayPal has challenged this penalty before the Delhi High Court and the matter is ongoing.

Guidance

26. Is there regulatory or industry anti-financial crime guidance for fintech companies?

Each sectoral regulator has incorporated the provisions of the PMLA into directions for their regulated entities. Pursuant to the PMLA, the sectoral regulators have also incorporated the requirements under it into know-your-customer (KYC), anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations, including the Reserve Bank of India’s KYC Directions 2016, the Insurance Regulatory and Development Authority of India’s Master Circular on AML-CFT, and the Securities and Exchange Board of India’s Guidelines on AML Standards and CFT.

DATA PROTECTION AND CYBERSECURITY

Data protection

27. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

General law

Transfer and processing of data are primarily governed by the Information Technology Act 2000 and the rules made under it, particularly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the SPDI Rules). The SPDI Rules impose an obligation on corporates handling the sensitive personal data of an individual – such as their password, financial information and biometric information, among others – to maintain reasonable security practices and procedures such as IS/ISO/IEC 27001 or such other requirements as approved and notified by the central government.

Such data is permitted to be transferred within and outside India when necessary for lawful contracts and after obtaining consent from the data subject. However, when such a transfer takes place, the obligation to maintain reasonable security practices and procedures is also extended to the recipient of the data.

The Indian government has also published India’s proposed data protection regime – the Digital Personal Data Protection Bill (DPDP Bill). Once enacted, the DPDP Bill will replace the SPDI Rules. The DPDP Bill empowers the Indian government to notify territories to which data may be transferred and prescribe the terms and conditions subject to which such data can be transferred. Thus, additional terms and conditions may be imposed by the Indian government for the transfer of data to certain countries once the DPDP Bill is enacted.

Special law (sector-specific)

Notably, in relation to payment data, the Reserve Bank of India (RBI) requires all such data to be stored only in India. Only in the case of cross-border transactions is a copy of data permitted to be stored offshore (in addition to being stored in India). While the RBI directions do not prohibit the processing of payment system data abroad, such data is not allowed to be stored abroad and, after processing, it must be sent back to India and deleted from foreign servers.

Further, the Guidelines on Digital Lending also impose an obligation on the RBI-regulated entities who engage a lending service provider (LSP) or a DLA to provide loans to ensure that such LSP or DLA:

• only collect and store basic minimal data of the customer (namely, their name, contact details, address, etc); and
• store all data collected under such digital lending activity is only in servers located in India and in compliance with Indian laws.

The Insurance Regulatory and Development Authority of India (IRDAI) also requires all electronic maintenance of core business records to be hosted within India.

Cybersecurity

28. What cybersecurity regulations or standards apply to fintech businesses?

Entities regulated by the RBI, the Securities and Exchange Board of India (SEBI) and the IRDAI are required to comply with the regulators’ outsourcing frameworks, policies and guidelines, and put in place board-approved cybersecurity and cyber resilience policies to ensure that critical assets, business functions and processes are protected against compromise and are constantly monitored to detect threats. The policies must also assess vulnerabilities, and ensure quick response and recovery. Such entities are also required to report cybersecurity incidents in the manner specified by their applicable regulators.

Some of the cybersecurity regulations issued by the regulators include:

• the RBI’s Master Direction – Information Technology Framework for the NBFCSect or;
• the SEBI’s: Cyber Security & Cyber Resilience framework for Stock Brokers /Depository Participants and Cyber Security and Cyber Resilience framework for Mutual Funds / Asset Management Companies; and
• the IRDAI’s Information and Cyber Security Guidelines.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

29. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

Outsourcing by financial services companies is regulated by sectoral regulators.

The Reserve Bank of India (RBI) does not permit banks, non-banking financial companies and payment system operators to outsource their core management and decision-making functions. Similarly, the Securities and Exchange Board of India does not permit its intermediaries to outsource core business activities and compliance functions. The Insurance Regulatory and Development Authority of India also prohibits insurance intermediaries from outsourcing investment functions, fund management, and know-your-customer and anti-money laundering compliance.

While outsourcing of other activities is permitted, regulated entities continue to bear the ultimate responsibility for the acts and omissions of their outsourced service providers. They must also put in place board-approved outsourcing policies and include certain key provisions in their outsourcing agreements to ensure stringent confidentiality and security standards.

Where financial services companies outsource activities to offshore service providers, they need to also ensure that all original records are maintained in India, and the relevant offshore regulator or applicable law of the foreign jurisdiction will not prevent them from exercising appropriate control, supervision and compliance with Indian law.

Cloud computing

30. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

The regulatory guidelines issued by sectoral regulators on outsourcing and data protection apply to the use of cloud computing. Additionally, on 10 April 2023, the RBI notified the Master Direction on Outsourcing of Information Technology Services (IT MD), which provides that entities must adopt and demonstrate a well-established and documented cloud adoption policy. This policy should:

• identify the activities that can be moved to the cloud;
• enable and support the protection of various stakeholder interests; and
• ensure compliance with regulatory requirements on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification.

Such a policy must also provide for appropriate due diligence to manage and continually monitor the risks associated with cloud service providers (CSPs). The IT MD clarifies that cloud security is a shared responsibility between the outsourcing entity and the CSP.

Further, while adopting a CSP, entities must also undertake a comprehensive risk assessment of the CSP including an assessment of its cyber security capabilities.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

31. Which intellectual property rights are available to protect software, and how do you obtain those rights?

In India, computer code is included within the definition of a literary work and, therefore, may be protected under copyright law. Acquisition of copyright is automatic and does not require any formal procedure. However, obtaining a certificate of registration of copyright acts as prima facie evidence in disputes regarding ownership.

On the other hand, under the Patents Act 1970, a computer program is not patentable. Nevertheless, software can be patented if it is attached to an invention and if it is a component of such an invention. For an invention to be patentable, it must involve an inventive step (namely, it must be non-obvious, technically advanced or have economic significance, and must be capable of industrial application). To obtain a patent, the true and first inventor or their assignee must file an application with the Indian Controller of Patents along with the specifications of the invention.

IP developed by employees and contractors

32. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

When a copyrightable work is made during the course of the author’s employment under a contract of service, provided that there is no contract to the contrary, the employer will be the owner of the copyright. Thus, the ownership of the copyright belongs to the employer over anything produced or done by the employee in the course of employment.

As for patents, however, the inventor is regarded as the true and first owner of the patent, regardless of whether it was invented in the course of employment. The law does not provide for granting ownership rights to the employer. However, the employee may assign their invention to the employer and may be contractually obligated to do so under their employment agreement.

For IP developed by contractors or consultants, the ownership of such IP will remain with the consultant or contractor unless there is an agreement that states otherwise.

Joint ownership

33. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

For joint owners of patents, each co-owner’s consent is required for licensing and assigning (among other things) the patent.

Similarly, in relation to copyrights, the courts in India have laid down that a joint owner of a copyright cannot, without the consent of the other joint owner, grant a license or interest in the copyright to a third party.

Trade secrets

34. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

India does not have any special piece of legislation protecting trade secrets. However, they are protected through the law of contracts and other civil proceedings, such as breach of confidence. As there is no law governing its protection, when the trade secret is in itself the subject matter of the suit, for the court to be able to determine breach, the secret will have to be revealed to the court.

Branding

35. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

In India, branding is protected under the Trade Marks Act 1999. Every ‘mark’ (the definition of which includes brands) that can be represented graphically and that is capable of distinguishing the goods or services of one person from another can be trademarked.

To obtain a trademark, any person claiming to be the proprietor of the mark or who proposes to use a mark can apply to the Registrar of Trademarks for registration of the mark. In the application, the applicant must also specify the class or classes of goods or services under which an application is being made.

Upon acceptance of the application, the Registrar of Trademarks will place a public advertisement to invite any opposition from individuals who may claim to be owners of the mark or a similar mark. Once opposition proceedings, if any, are completed, the Registrar of Trademarks will grant or refuse to grant the trademark. A trademark, once granted, will be valid for a period of 10 years and can then be renewed periodically.

Fintech businesses (and others) can run a class-wise trademark search on the government of India’s public search of trademarks website to ensure that they do not infringe the rights of existing brands.

Remedies for infringement of IP

36. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

If a company’s or an individual’s IP rights are infringed, such a person may file a civil suit for infringement before the courts. When an IP right is infringed upon, the owner of the right can apply to the courts for an injunction (restraining the person from using the IP), an account of profits, damages and the destruction of goods.

Notably, the Copyright Act 1957 and the Trademarks Act 1999 also provide for criminal penalties. However, intention to infringe is an important factor considered by the courts when imposing such criminal penalties.

COMPETITION 

Sector-specific issues

37. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

The Competition Commission of India regulates competition and antitrust issues in India, including anti-competitive agreements, abuse of dominance and M&A. In the recent past, CCI has investigated several M&A deals in the fintech space and has given its nod to the biggest takeover in the fintech space. CCI has also been conducting probes into a major mobile app store’s payments and billing policies.

TAX

Incentives

38. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

Under the Indian income tax laws, a deduction of 100 percent of the total income derived by an eligible start-up from an eligible business is allowable for three consecutive assessment years out of 10 years as of the date the start-up is incorporated. An eligible start-up is a company or limited liability partnership:

• that was incorporated after 1 May 2016 and before 1 May 2023;
• the total turnover of which does not exceed 1 billion Indian rupees for the year the deduction is claimed; and
• that holds a certificate of eligible business from the Inter-Ministerial Board of Certification as notified by the Indian government.

The term ‘eligible business’ means a business carried out by an eligible start-up engaged in innovation, development or improvement of products, processes or services, or a scalable business model with a high potential for employment generation or wealth creation.

In addition to the above, some of the following benefits may be available if the fintech company is located in an international financial services center (IFSC):

• a deduction of 100 percent of the gross total income earned by a unit in an IFSC is allowed for 10 consecutive years out of 15 years subject to the satisfaction of certain conditions;
• a unit located in an IFSC can opt for payment of tax at a concessional tax rate of 17 percent in addition to claiming a benefit of a 100 percent deduction of the income derived from operations in an IFSC; and
• a concessional minimum alternate (tax on book profits) tax rate of 9 percent is applicable to a unit or company located in an IFSC that derives its income solely from convertible foreign exchange.

Increased tax burden

39. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

Equalization levy

A digital tax in the form of an equalization levy (EL) is levied on payments received by a non-resident service provider. EL is charged at 2 percent on the consideration received or receivable by an e-commerce operator without a permanent establishment in India from e-commerce supply or services made, provided or facilitated to:

• Indian residents;
• non-residents when the e-commerce supply or services made, provided or facilitated by the e-commerce operator is in the nature of:
• sale of advertisement, which targets a customer who is resident in India or a customer who accesses the advertisement through an internet protocol address located in India; or
• sale of data, collected from a person who is resident in India or from a person who uses an internet protocol address located in India; or
• a person (irrespective of being resident or non-resident in India) who buys such goods or services, or both, using an internet protocol address located in India.

EL shall not be applicable where:

• the e-commerce operator has a permanent establishment in India and such services are effectively connected with the permanent establishment; or
• the total consideration received by the e-commerce operator from the e-commerce supply or services made, provided or facilitated by it to persons is less than 20 million Indian rupees during the previous year.

Significant economic presence

A non-resident person is subject to tax in India in respect of income that accrues or arises in India, or is deemed to accrue or arise in India. Any income accruing or arising directly or indirectly, through or from a business connection in India, any asset or source of income in India, or transfer of capital situated in India is deemed to accrue or arise in India.

A non-resident in India is deemed to constitute a business connection in India through a significant economic presence (SEP) if:

• the non-resident carries out transactions in any goods, services or property with any Indian resident including the provision or download of data or software in India, if the value of the aggregate payments exceeds 20 million Indian rupees; or
• the non-resident engages in systematic and continuous soliciting of business, or is in interaction with a minimum of 300,000 users in India.

The income generated by a non-resident from such SEP will be taxable in India.

Note that SEP status will be constituted irrespective of whether the agreements are entered, or services are rendered, in India or outside India. The SEP-based nexus rule is not only limited to digital transactions and applies equally to cross-border transactions executed offline.

However, this is subject to the provisions of the tax treaty entered into between India and the foreign country where the non-resident with a SEP is a tax resident.

IMMIGRATION

Sector-specific schemes

40. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

No.

UPDATE AND TRENDS IN FINTECH IN INDIA

Current developments

41. Are there any other current developments or emerging trends to note?

One of the latest fintech trends in India is apps that provide access to multiple financial and other services, all in a single app. Big Tech companies that are tailoring their products in India to incorporate these innovations are following suit. One such example is WhatsApp, a messaging platform that is now also offering Unified Payments Interface (UPI) services.

Other notable trends include:

the rise of neo-banks, which offer all banking services efficiently, with no physical branches, using artificial intelligence;

• UPI Lite, an on-device wallet that will enable quick response code-based payments offline;
• credit cards linked to UPI;
• embedded lending; and
• the electronic version of the physical rupee (central bank digital currency) backed by blockchain technology.

However, maintaining a balance between the interests of fintech companies and traditional banks is proving to be tricky for the Reserve Bank of India, especially in relation to neo-banks and digital lending.

* The information in this chapter was accurate as of June 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

LEGAL CONSULTING SERVICES

090.252.4567

HÃY CLICK ĐỂ LẠI SĐT CHÚNG TÔI SẼ GỌI NGAY CHO BẠN MIỄN PHÍ

NT INTERNATIONAL LAW FIRM

• Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
• Phone: 090 252 4567
• Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam