Fintech 2025

INDIA Law and Practice Contributed by: Shilpa Mankar Ahluwalia, Himanshu Malhotra and Purva Anand, Shardul Amarchand Mangaldas & Co

and services. Further, PA-CBs need to comply with all obligations applicable to domestic PAs.

2.2 Regulatory Regime

The regulatory framework governing the key verticals (see 2.1 Predominant Business Models) of the Indian fintech sector is fragmented across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (PSS Act)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, “payments system” is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments, and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (PML Rules). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and anti-money laundering verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

The RBI, as the principal financial regulator, periodically issues “master directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific master directions regulating:

• PPIs;
• NBFCs;
• P2P lending;
• PAs and PGs (including PA-CBs);
• account aggregators; and
• other market participants and offerings.

The KYC Master Directions draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits REs such as NBFCs, payment systems operators/system participants to obtain authorisation to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by the GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the IT Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Current Data Privacy Framework) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once
