INDIA Law and Practice Contributed by: Shilpa Mankar Ahluwalia, Purva Anand and Ansh Jain, Shardul Amarchand Mangaldas & Co
The Next 12 Months Regulation of personal data
ing the potential of tokenising other money market instruments, including commercial papers. Certificates of deposit (CDs) provide an avenue for banks to raise short-term resources, and the pilot for tokenisation of CDs represents a significant step towards modernising India’s money market infrastruc - ture by leveraging distributed ledger technology and wholesale CBDC for atomic settlement. Self-regulatory organisations (SROs) for fintechs The RBI has progressively granted recognition to SROs across multiple verticals in the fintech and financial services space pursuant to its March 2024 omnibus framework for recognising SROs for its regulated enti - ties. In August 2024, the RBI granted SRO status to the Fintech Association for Consumer Empowerment (FACE) for the fintech sector. More recently, in Octo - ber 2025, the Finance Industry Development Council (FIDC) was recognised as the SRO for non-banking financial companies (NBFCs), and in November 2025 the Self-Regulated PSO Association (SRPA) was rec - ognised as the SRO for payment system operators. This reflects the RBI’s acceptance of industry-led self- regulation, with SROs expected to develop sectoral standards, promote compliance among members and serve as an intermediary between industry par - ticipants and the regulator. Simplified regulations Navigating the complicated regulatory directions was a significant roadblock for fintechs and for enti - ties regulated by the RBI (REs) in India. In November 2025, the RBI undertook a fundamental reorganisation of its regulatory instructions. The RBI consolidated more than 9,000 existing circulars and guidelines into 244 function-wise Master Directions, specific to each category of regulated entity. Following this exercise, 5,673 circulars were repealed for being obsolete (the oldest dating back to 1944). This exercise is expected to enhance the accessibility of regulatory instructions, reduce the compliance burden for REs, and improve the ease of doing business for both REs and fintechs in India.
On 13 November 2025, the government of India (GOI) brought into effect the Digital Personal Data Protec - tion Rules, 2025 (the “DPDP Rules”), which operation - alise the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act is a technology-agnostic, sector- agnostic umbrella framework that governs the pro - cessing of all digital personal data. The DPDP Rules establish a comprehensive regulatory framework for data governance, prescribing: • guidelines for notices by data fiduciaries to indi - viduals; • requirements for registration and responsibilities of consent managers; • protocols for processing personal data for deliver - ing government subsidies and services; • adoption of reasonable security safeguards; • data breach notification procedures (within 72 hours to the Data Protection Board of India); and • processes for individuals to exercise their data rights. The DPDP Rules adopt a phased implementation approach. The Data Protection Board of India was instituted immediately upon notification. The process for registration of consent managers will be imple - mented by November 2026. The main compliance duties (including notice require - ments, security protocols, breach notifications, and protecting the rights of data principals) will apply from May 2027, giving businesses an 18-month transition window. Upon full implementation, the DPDP Act will replace the currently applicable statutory framework on data privacy and data protection in India (see 2.2 Regula- tory Regime ). Development of regulations for AI The Indian fintech sector (particularly payments and wealthtech) has rapidly adopted evolving technolo - gies such as blockchain and artificial intelligence (AI). Both bank and non-bank entities in India rely on AI-
357 CHAMBERS.COM
Powered by FlippingBook