Fintech Startup Compliance in India: RBI Regulations You Must Follow

Dhanush Prabha

India's fintech sector is one of the most vibrant in the world, with over 10,000 fintech startups operating across payments, lending, insurance, wealth management, and banking infrastructure. It is also one of the most heavily regulated sectors in India, with the Reserve Bank of India (RBI) at the center of the regulatory framework. This guide covers the main RBI regulations and compliance requirements that fintech founders must understand before launching a startup in 2026.

Understanding the Fintech Regulatory Landscape

The regulatory framework for fintech in India is shaped by multiple regulators, with the RBI being the primary regulator for payments, lending, and banking-related activities. Understanding which regulator governs your specific fintech activity is the first step.

Regulators and Their Scope

Financial Sector Regulators Governing Fintech in India

Regulator | Scope | Fintech Activities Covered
RBI | Banking, payments, lending, NBFCs | Payment aggregators, wallets, digital lending, neobanking, P2P lending
SEBI | Securities, investment, mutual funds | Wealthtech, robo-advisory, investment platforms, stock broking apps
IRDAI | Insurance | Insurtech, insurance web aggregators, corporate agents
PFRDA | Pension | Pension distribution, NPS aggregation
NPCI (operator, under RBI oversight) | Retail payments infrastructure | UPI apps (TPAPs), RuPay, IMPS, BBPS
FIU-IND | Anti-money laundering | All financial service providers, for PMLA reporting

Key RBI Licenses for Fintech Startups

The type of RBI license or authorization your fintech needs depends entirely on the financial activity being performed. Here is a breakdown of the major license types:

Payment Aggregator (PA) License

The PA license is the most common RBI authorization sought by fintech startups that facilitate online payments.

  • Who needs it: Any entity that collects payments on behalf of merchants, pools funds, and settles them
  • Minimum net worth: Rs. 15 crore (Rs. 25 crore by March 2028)
  • Eligibility: Must be a company registered under the Companies Act, 2013
  • Key requirements: Escrow account with a scheduled commercial bank, robust technology infrastructure, KYC/AML framework, and Board-approved information security policy
  • Timeline: 12 to 24 months from application to final authorization

NBFC Registration

Required for fintech companies that lend from their own balance sheet or engage in financial asset acquisition.

  • Who needs it: Companies where financial activity (lending, investment) is the principal business
  • Minimum net worth: Rs. 10 crore for new NBFC applications
  • Types: NBFC-ICC (Investment and Credit), NBFC-P2P (Peer-to-Peer Lending), NBFC-AA (Account Aggregator), NBFC-MFI (Microfinance)
  • Key requirements: Fit and proper criteria for directors, CRAR maintenance, asset classification norms, fair practice code
  • Apply: Through NBFC registration services

PPI License

Required for issuing wallets, prepaid cards, and other stored-value instruments.

  • Who needs it: Companies issuing digital wallets, prepaid cards, meal vouchers, or gift cards (except closed-system PPIs)
  • Minimum net worth: Rs. 5 crore
  • Key requirements: KYC infrastructure, interoperability with other payment systems (mandatory for full-KYC PPIs), escrow account, and technology audit

Digital Lending Guidelines

The RBI's Digital Lending Guidelines (September 2022) brought transformative changes to the lending fintech ecosystem. Every fintech involved in lending, whether as a lender, platform, or service provider, must comply.

Key Requirements

Digital Lending Guidelines: Key Compliance Requirements

Requirement | Details | Impact
Direct Disbursement | Loan must go directly from the regulated entity to the borrower's bank account, with no pass-through or pool account of the LSP | Eliminates pass-through lending via apps
Key Fact Statement (KFS) | Must disclose APR, all fees, and total cost of borrowing before the loan is executed | Ensures pricing transparency for borrowers
Cooling-Off Period | Borrower can exit the loan within the stipulated period by repaying principal and proportionate APR, without penalty | Consumer protection against impulse borrowing
Lender Disclosure | Name and details of the regulated entity must be shown upfront, in the app and in the loan documents | No anonymous lending through apps
Data Minimization | Apps can access only the data needed for the loan, with explicit consent; no access to contacts, photos, files, or call logs (one-time camera, microphone, or location access for KYC is allowed) | Limits what a lending app can harvest from the device
Data Deletion | Borrower can withdraw consent and have collected data deleted; data must not be retained once the loan is repaid and the purpose is served | Limits data retention and misuse
Recovery Practices | No harassment, abusive language, or threats in collection | Customer dignity and fair treatment

Under the guidelines, fintech platforms that assist in lending are classified as Lending Service Providers (LSPs). They do not need a separate RBI license but must be engaged by a regulated entity (bank or NBFC) through a written agreement. LSPs must comply with all customer-facing requirements of the guidelines, including KFS disclosure and data minimization.

Registration Process for Fintech Companies

  1. Register as a Private Limited Company: Apply for company registration with an appropriate object clause covering fintech activities (10 to 15 working days)
  2. Obtain GST registration: Apply for GST registration to enable invoicing (3 to 7 working days)
  3. Open a company bank account: Choose a bank that understands fintech; you will need banking relationships for escrow accounts later
  4. Build compliance infrastructure: Set up KYC systems, AML monitoring, data localization, and CERT-In compliance before applying for licenses
  5. Apply for the required license: Based on your activity (PA, NBFC, PPI), submit the application to RBI with all required documentation
  6. Engage compliance professionals: Appoint a Chartered Accountant for audits, Company Secretary for ROC compliance, and legal advisor for regulatory matters
  7. Apply for Startup India: File for DPIIT recognition to access the 3-year tax holiday on business income
  8. Implement cybersecurity framework: Deploy security infrastructure as per RBI and CERT-In requirements before going live

Data Localization and Privacy

Data handling is one of the most scrutinized areas in fintech regulation. The RBI has taken a firm stance on data localization for payment and financial data.

Data Storage Requirements

  • Payment data: Must be stored exclusively within India. This includes transaction details, cardholder data, and payment credentials. RBI mandated this in 2018 and has strictly enforced it
  • Card-on-file tokenization: Merchants and PAs are prohibited from storing actual card details. Only card issuers and card networks (acting as token service providers, e.g. Visa, Mastercard) may hold the card number; everyone else stores the network token, and at most the last four digits and issuer name for reconciliation
  • NBFC/Lending data: Borrower data, loan records, and credit assessments must be stored on servers located in India
  • DPDPA 2023 compliance: Personal data of individuals in India must be processed under the DPDPA (notice, explicit consent, purpose limitation, deletion once the purpose is served). DPDPA itself does not mandate storage in India; the localization obligations above come from the RBI rules, not from the DPDPA
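The card-data prohibition above is easiest to enforce if you can show that nothing card-shaped is being persisted outside the token vault: support notes, logs and reconciliation exports are where full card numbers usually leak. The following Go program is an added example, not code from the original page or from IncorpX, that scans a stored record for Luhn-valid card numbers and reports them masked. The sample record, its field names and the tok_ token prefix are constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Candidate card numbers: 13 to 19 digits, optionally separated by single
// spaces or dashes, standing alone (no letters or underscores touching them).
// Deliberately broad; the Luhn check below removes order IDs and timestamps.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn (mod 10) check
// that card numbers issued on the payment networks satisfy.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// digitsOnly drops the separators a human may have typed into a card number.
func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// maskPAN keeps the first six (BIN) and last four digits, the most PCI DSS
// allows to be displayed, so a finding can be reported without re-leaking it.
func maskPAN(d string) string {
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// Finding is one probable raw card number found in a stored record.
type Finding struct {
	Field  string // field of the record that held it
	Masked string // masked form, safe to put in a report
}

// ScanRecord inspects every field of a stored record (a row dumped from an
// orders table, a parsed log line, a support ticket) and returns the
// Luhn-valid candidates sorted by field name. Any finding means card data is
// being persisted outside the issuer's or network's token vault.
func ScanRecord(record map[string]string) []Finding {
	var findings []Finding
	for field, value := range record {
		for _, m := range panCandidate.FindAllString(value, -1) {
			if d := digitsOnly(m); luhnValid(d) {
				findings = append(findings, Finding{Field: field, Masked: maskPAN(d)})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Field < findings[j].Field })
	return findings
}

func main() {
	// Constructed sample, not real data: a fake order row in which a support
	// note leaked a full card number while the token and last-four fields are fine.
	record := map[string]string{
		"order_id":   "ORD-20260114-000042",
		"card_token": "tok_c1f0a9e2",
		"last4":      "1111",
		"note":       "customer retried with card 4111 1111 1111 1111 after decline",
		"ref":        "4111111111111112", // digit run with a wrong check digit: not a card
	}
	for _, f := range ScanRecord(record) {
		fmt.Printf("raw card data in field %q: %s\n", f.Field, f.Masked)
	}
}
```

One caveat when running this over real data: network tokens issued by the card schemes are themselves 16 digits and Luhn-valid, so format alone cannot tell a token from a card number. Treat findings as candidates, confirm against the field's meaning (a value in a column that is supposed to hold only tokens is fine; the same value in a free-text note is not), and run the scan over database dumps and log archives as part of PCI DSS scoping rather than only over live rows.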

Cybersecurity Framework for Fintech

Cybersecurity is a core regulatory requirement for all fintech companies, especially those handling payment data or customer funds.

Mandatory Security Measures

  • Board-approved IS Policy: An Information Security Policy approved by the Board of Directors, reviewed annually
  • Vulnerability Assessment and Penetration Testing (VAPT): Conduct VAPT at least annually and after significant system changes
  • Multi-Factor Authentication (MFA): Mandatory for all financial transactions and admin access
  • Encryption: AES-256 for data at rest, in an authenticated mode such as AES-GCM rather than unauthenticated CBC or ECB; TLS 1.2 or higher for data in transit, with older protocol versions disabled
  • Incident Response Plan: Documented and tested plan for responding to security incidents, with CERT-In notification within 6 hours of noticing the incident
  • Business Continuity and Disaster Recovery (BCDR): Tested annually with defined recovery time and point objectives
  • PCI DSS compliance: Mandatory if handling card payment data
  • ISO 27001 certification: Strongly recommended through certification services
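The encryption bullet above states a requirement, not a recipe, and the two common ways to satisfy it on paper while failing it in practice are a TLS listener that still accepts 1.0/1.1 handshakes and AES used without authentication. The following Go program is an added example, not code from the original page, from IncorpX, or from any RBI document. It shows a deployment-time check that a tls.Config enforces TLS 1.2 as the floor, and AES-256-GCM for a stored field with the record identifier bound in as associated data. The function names, the in-memory key and the sample plaintext are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// checkTransitConfig enforces the "TLS 1.2+ in transit" control on a
// tls.Config before a listener or client uses it. An unset MinVersion is
// rejected as well: relying on the library default is not an explicit policy.
func checkTransitConfig(cfg *tls.Config) error {
	switch {
	case cfg.MinVersion == 0:
		return errors.New("MinVersion not set; set tls.VersionTLS12 or higher explicitly")
	case cfg.MinVersion < tls.VersionTLS12:
		return fmt.Errorf("MinVersion 0x%04x permits pre-1.2 handshakes", cfg.MinVersion)
	}
	return nil
}

// newGCM builds the AEAD and insists on a 256-bit key: aes.NewCipher would
// silently accept 16 or 24 bytes and give you AES-128 or AES-192 instead.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one stored field with AES-256-GCM. Output layout:
// 12-byte random nonce || ciphertext || 16-byte tag. The record's stable
// identifier is bound in as associated data, so a ciphertext copied into a
// different row fails to decrypt there.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce travels with the ciphertext.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any change to nonce, ciphertext, tag or
// record identifier makes gcm.Open return an error, so tampering is detected
// instead of yielding garbage plaintext.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

func main() {
	// Constructed demo key. In production the key comes from a KMS or HSM and
	// is never stored in source or in the same datastore as the ciphertext.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := sealRecord(key, "loan-000042", []byte("constructed borrower bank details"))
	if err != nil {
		panic(err)
	}
	// Same key, wrong record: the associated-data check fails.
	_, err = openRecord(key, "loan-000043", sealed)
	fmt.Println("decrypt under another record id:", err)

	fmt.Println("weak config:", checkTransitConfig(&tls.Config{MinVersion: tls.VersionTLS10}))
	fmt.Println("good config:", checkTransitConfig(&tls.Config{MinVersion: tls.VersionTLS12}))
}
```

Two design notes. GCM with random 96-bit nonces is only safe for a bounded number of messages per key (on the order of 2^32), so use a per-record or per-tenant data key wrapped by a master key in the KMS, and rotate. And the associated data is what turns "encrypted" into "encrypted for this row": without it, an insider with write access to the database can move a ciphertext between borrowers and it will still decrypt.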

Grievance Redressal Requirements

RBI mandates a structured grievance redressal framework for all regulated entities, which protects consumers and builds trust.

Three-Tier Grievance Framework

  1. Tier 1 (Internal): The fintech must resolve complaints within 15 to 30 days through its Nodal Officer. Contact details must be prominently displayed on the website, app, and all customer communications
  2. Tier 2 (RBI Ombudsman): If the complaint is not resolved at Tier 1, the customer can escalate to the RBI Integrated Ombudsman Scheme (RBIOS) through the CMS portal or at 14448
  3. Tier 3 (Appellate Authority): If unsatisfied with the Ombudsman's decision, the customer can appeal to the Appellate Authority at RBI

Annual Compliance Calendar

Key Compliance Deadlines for Fintech Pvt Ltd Companies

Compliance | Deadline/Frequency | Filing
Board Meetings | Minimum 4 per year (no more than 120 days between two meetings) | Board minutes
AGM | By September 30 | AGM minutes
Financial Statements (AOC-4) | Within 30 days of AGM | MCA portal
Annual Return (MGT-7A) | Within 60 days of AGM | MCA portal
Income Tax Return | October 31 | ITR-6
GST Returns | Monthly | GSTR-1, GSTR-3B
Director KYC | September 30 | DIR-3 KYC
RBI Returns (PA/NBFC/PPI) | Quarterly/Monthly (license-specific) | RBI portal
VAPT Audit | Annually and after major changes | Audit report to RBI
IS Audit | Annually | Information Systems audit report

Conclusion

Fintech is one of the most rewarding yet complex sectors to build in, primarily because of the regulatory depth required. The RBI's evolving framework, from the Payment Aggregator guidelines to Digital Lending rules, demonstrates a clear intent to foster innovation while protecting consumers and financial stability.

For fintech founders, the key takeaway is that compliance is not a barrier but a moat. Companies that invest in proper licensing, robust KYC infrastructure, data protection, and cybersecurity from day one are hard for competitors to follow and are positioned for institutional partnerships and funding. Cutting corners on compliance in fintech leads to penalties, platform shutdowns, and loss of banking relationships.

At IncorpX, we help fintech startups with company registration, NBFC applications, compliance management, GST filing, trademark protection, and ongoing regulatory support. Our team understands the intersection of technology and financial regulation, ensuring your fintech is built on a solid legal foundation.

Frequently Asked Questions

What is a fintech company and does it need special licensing in India?
A fintech company is a technology-driven business that provides financial services such as payments, lending, insurance distribution, wealth management, or banking infrastructure. Whether special licensing is needed depends on the activity: payment aggregators need RBI authorization, lending platforms must comply with digital lending guidelines, NBFCs need RBI registration, and insurance distribution needs IRDAI licensing. Some fintech models like financial SaaS, accounting tools, or comparison platforms do not need financial sector licenses but must still comply with data protection and general business laws.
What is a Payment Aggregator (PA) license and who needs it?
A Payment Aggregator (PA) license is an authorization from the RBI that allows a company to collect payments from customers on behalf of merchants and settle the funds to merchant accounts. You need a PA license if your platform handles, pools, or settles funds between buyers and sellers. Examples include e-commerce marketplaces, payment gateways, and subscription billing platforms. The PA license requires a minimum net worth of Rs. 15 crore (increasing to Rs. 25 crore by March 2028) and comprehensive KYC, AML, and technology infrastructure.
What is the difference between a Payment Aggregator and Payment Gateway?
A Payment Aggregator (PA) handles funds in the payment flow, collecting money from customers, holding it in an escrow account, and settling it to merchants. A Payment Gateway (PG) provides only the technology infrastructure for processing payments without handling the funds. PAs require RBI authorization; PGs do not need one and operate as technology service providers to a bank or an authorized PA, but the RBI's baseline technology recommendations for PAs and PGs still apply to them. If your fintech only provides technology for payment processing without touching the funds, you may operate as a PG without the PA license.
What are the RBI's Digital Lending Guidelines?
The RBI's Digital Lending Guidelines (September 2022) regulate all lending activities facilitated through digital platforms. Key requirements include: all loan disbursals must be made directly to the borrower's bank account (not through the app), Lending Service Providers (LSPs) must disclose the name of the regulated entity (bank/NBFC) providing the funds, Key Fact Statement (KFS) must be shared with borrowers showing the Annual Percentage Rate (APR) and all charges, a cooling-off period must be provided for loan cancellation, and all data must be stored in servers located in India.
Does my fintech startup need NBFC registration?
Your fintech needs NBFC registration from RBI if it engages in lending, investment, or asset financing as a principal business. If your platform facilitates loans by connecting borrowers with registered banks or NBFCs (acting as a Lending Service Provider or LSP), you do not need NBFC registration yourself, but you must comply with the Digital Lending Guidelines. Key indicators that you need NBFC registration: you lend from your own funds, you provide guarantees on loans, or you meet the RBI's principal business test (financial assets exceed 50% of total assets and income from financial assets exceeds 50% of gross income).
What is the minimum net worth requirement for different fintech licenses?
Net worth requirements vary by license type: Payment Aggregator: Rs. 15 crore (increasing to Rs. 25 crore by March 2028), NBFC: Rs. 2 crore minimum (Rs. 10 crore for new applications as per recent RBI guidelines), NBFC-P2P (Peer-to-Peer Lending): Rs. 2 crore, NBFC-Account Aggregator: Rs. 2 crore, Prepaid Payment Instrument (PPI) Issuer: Rs. 5 crore, Bharat Bill Payment Operating Unit (BBPOU): Rs. 100 crore. These requirements ensure that only financially stable entities operate in the financial services space.
What is the best business structure for a fintech startup?
A Private Limited Company is mandatory for most fintech activities requiring RBI licensing. The PA license, NBFC registration, and PPI issuance all require the applicant to be a company registered under the Companies Act. An LLP or proprietorship cannot obtain these licenses. For fintech SaaS companies that provide technology to financial institutions without directly handling finance, an LLP may work, but a Pvt Ltd is still recommended for VC fundraising and credibility. Register under Startup India for tax benefits.
What are the KYC requirements for fintech companies?
Fintech companies must implement tiered KYC based on the service: Full KYC (Aadhaar-based eKYC, video KYC, or in-person verification) for bank accounts, loans, and high-value wallets, Minimum KYC for small-value PPIs (name, mobile, self-declaration), and CKYC compliance (uploading KYC records to the Central KYC Registry). For digital lending, the LSP must verify borrower identity before loan disbursement. KYC records must be maintained for 5 years after the relationship ends under PMLA.
What data localization requirements apply to fintech companies?
RBI mandates that all payment system data must be stored exclusively in India (within Indian territory). This applies to end-to-end transaction data, customer data, payment credentials, and transaction logs. The data can be processed outside India if required for completing cross-border transactions, but it must be brought back to India within 24 hours and deleted from the systems abroad. For NBFC and lending data, the RBI requires server locations within India. The DPDPA 2023 adds further requirements for processing personal data of individuals in India.
How does UPI regulation affect fintech companies?
UPI (Unified Payments Interface) is regulated by NPCI (National Payments Corporation of India) under RBI oversight. Fintech companies can participate in UPI as: Third Party Application Providers (TPAPs) (like PhonePe, Google Pay) which requires NPCI approval and a sponsor bank, PSP banks (banks that provide UPI services), or merchants accepting UPI payments. TPAPs must comply with NPCI's market share cap of 30% of total UPI transaction volume, data storage requirements, and technology standards specified by NPCI.
What is a Regulatory Sandbox and how can fintech startups apply?
The RBI Regulatory Sandbox allows fintech startups to test innovative products in a controlled environment with relaxed regulatory requirements for a limited period. The sandbox operates in thematic cohorts (e.g., retail payments, cross-border payments, MSME lending). To apply, the startup must be a registered company in India, have a working prototype, demonstrate innovation, and show consumer benefit. The sandbox period is typically 6 months (extendable), after which successful products can apply for full regulatory approval.
What are Prepaid Payment Instruments (PPIs) and when is a license needed?
PPIs are instruments that store monetary value paid in advance (wallets, prepaid cards, gift cards). You need an RBI license to issue PPIs if you hold customer funds on your platform. PPIs are categorized as: Small PPIs (outstanding balance up to Rs. 10,000, minimum KYC), Full KYC PPIs (outstanding balance up to Rs. 2 lakh, whether issued as a wallet or a card), and Gift instruments (up to Rs. 10,000). Closed-system PPIs (usable only at the issuing entity, like store cards) do not require RBI approval, but open and semi-closed PPIs do.
What is an Account Aggregator and how does it work?
An Account Aggregator (AA) is an RBI-registered NBFC that enables consent-based sharing of financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs). AAs like CAMS Finserv and Finvu allow users to share their bank statements, tax records, and insurance data with lenders or wealth managers securely. To become an AA, you need NBFC-AA registration from RBI with a minimum net worth of Rs. 2 crore. AAs cannot store, process, or sell user data; they only facilitate consent and data transfer.
How are fintech companies regulated under the Consumer Protection Act?
Fintech companies must comply with the Consumer Protection Act, 2019 which provides strong protections for financial consumers: unfair trade practices (misleading interest rate advertisements, hidden charges) are prohibited, unfair contracts (one-sided terms that significantly disadvantage consumers) can be declared void, consumers can file complaints through the e-daakhil portal online, and the Central Consumer Protection Authority (CCPA) can suo motu investigate unfair practices. Fintech companies must also comply with the RBI's Fair Practices Code for lending and collection activities.
What compliance is needed for a fintech company offering insurance?
Fintech companies in the insurance space (insurtech) must comply with IRDAI (Insurance Regulatory and Development Authority) regulations: to sell insurance, you need licensing as a Corporate Agent, Insurance Broker, or Web Aggregator. IRDAI's sandbox framework allows testing innovative insurance products. Insurance Web Aggregators can compare and display insurance products online with IRDAI approval (minimum capital Rs. 25 lakh). All insurance advertisements, pricing, and product disclosures must comply with IRDAI guidelines.
What are the anti-money laundering obligations for fintech companies?
Fintech companies handling financial transactions must comply with PMLA (Prevention of Money Laundering Act) and RBI's KYC Master Direction: implement a robust Customer Due Diligence (CDD) program, conduct Enhanced Due Diligence (EDD) for high-risk customers and PEPs (Politically Exposed Persons), implement transaction monitoring systems to detect suspicious patterns, file Suspicious Transaction Reports (STRs) with FIU-IND, maintain transaction records for 5 years, and appoint a Principal Officer for PMLA compliance.
Can foreign companies operate fintech businesses in India?
Yes, foreign companies can operate fintech businesses in India. FDI up to 100% is permitted under the automatic route for most fintech activities including payment aggregation, lending technology, and insurance distribution. Foreign companies typically set up an Indian subsidiary (Pvt Ltd company with at least one resident director) for regulatory compliance. For the PA license, the RBI requires the applicant to be a company incorporated in India. Cross-border fintech operations must also comply with FEMA regulations for fund flows.
What is the RBI's framework for digital banking units?
The RBI has promoted Digital Banking Units (DBUs) as a step toward digital-first banking. While DBUs are currently operated by commercial banks (not fintech startups directly), fintechs can partner with banks to power DBU infrastructure. There is no separate "neobank" license in India: under the Banking Regulation Act, every customer-facing banking service, even one delivered through a fintech's app, must be provided by a licensed bank. Neobanks in India therefore operate as technology partners to licensed banks, not as independent banks.
How should a fintech startup handle grievance redressal?
RBI mandates that all regulated entities (including PAs and NBFCs) implement a robust grievance redressal mechanism: appoint a Nodal Officer whose contact details are displayed prominently, implement a complaint management system with ticketing and tracking, resolve complaints within 30 days (15 days for payment-related issues), if unresolved, the customer can escalate to the RBI Integrated Ombudsman Scheme (RBIOS), and maintain records of all complaints and resolutions for regulatory inspection. Non-compliance can result in penalties from RBI.
What cyber security framework must fintech companies follow?
Fintech companies must comply with multiple cybersecurity frameworks: the RBI's cyber security and IT governance requirements for banks, NBFCs and payment system operators (for PAs and PGs, the baseline technology-related recommendations in the PA guidelines), CERT-In directions (incident reporting within 6 hours), PCI DSS compliance (if handling card data), ISO 27001 certification (recommended through ISO certification services), multi-factor authentication for financial transactions, regular Vulnerability Assessment and Penetration Testing (VAPT), and a Board-approved Information Security Policy. RBI can inspect the IT systems of regulated entities.
What is the Lending Service Provider (LSP) framework?
Under the RBI's Digital Lending Guidelines, a Lending Service Provider (LSP) is an entity that performs lending functions (customer acquisition, underwriting, loan servicing) on behalf of a regulated lender (bank or NBFC). LSPs do not need a separate RBI license but must comply with the guidelines: disclose the identity of the lending institution, ensure all loan disbursements go directly to the borrower's bank account, not charge borrowers directly (fees must be paid by the regulated lender), provide a Key Fact Statement, and follow the prescribed cooling-off period.
What are the rules for fintech companies collecting customer data?
Fintech companies must follow strict data collection rules: collect only data that is necessary for the service (purpose limitation), obtain explicit consent before collecting biometric, financial, or health data, store data within Indian servers (data localization), delete data when the purpose is fulfilled or when requested by the user, not share data with third parties without consent, and comply with the DPDPA 2023 requirements. The RBI additionally requires that regulated entities not store full card data (card-on-file tokenization is mandatory).
How is revenue from fintech services taxed?
Fintech business income is taxed as regular corporate income at 25% (for companies with turnover up to Rs. 400 crore). Specific tax considerations: interest income from lending (NBFCs) is business income, commission/platform fees are taxable as service income, GST at 18% applies to financial services (with some exemptions for interest on loans), Startup India tax holiday (3 years under Section 80-IAC) is available for DPIIT-recognized startups. NBFCs must also comply with RBI's Income Recognition and Asset Classification (IRAC) norms. Maintain proper records with professional accounting services.
What is the process for applying for a Payment Aggregator license?
The PA license application process involves: Stage 1: Apply to RBI with the company's audited financials, net worth certificate (minimum Rs. 15 crore), business plan, technology architecture, KYC/AML framework, and information security policy. Stage 2: RBI conducts system audits (IT, Security, Process) and reviews the application over 6 to 12 months. Stage 3: If approved, RBI issues an in-principle authorization (6 months to operationalize). Stage 4: After compliance verification, RBI grants the final Certificate of Authorization. The process typically takes 12 to 24 months.
Can fintech startups use the RBI Regulatory Sandbox to test products?
Yes, RBI actively encourages fintech startups to participate in the Regulatory Sandbox. Benefits include: ability to test innovative products without full licensing during the sandbox period, regulatory guidance from RBI during testing, exemption from certain regulatory requirements (as decided by RBI for each cohort), and a clear path to full authorization if the product is successful. Eligibility: the company must be incorporated in India, have a minimum net worth of Rs. 25 lakh, demonstrate how the product is innovative and consumer-friendly, and have a working prototype.
What are the annual compliance requirements for fintech companies?
A fintech Pvt Ltd company must complete: ROC annual filing (AOC-4, MGT-7A) through professional services, income tax return, GST returns (monthly or quarterly), DIR-3 KYC for directors, statutory audit, board meetings (min 4/year) and AGM, RBI regulatory returns (specific to license type), PMLA reporting to FIU-IND, and CKYC uploads. NBFCs have additional requirements like NBS returns, CRILC reporting, and asset classification. Get comprehensive compliance management.
What is the future direction of fintech regulation in India?
Key regulatory trends for fintech in India include: Digital India Act expected to modernize the IT Act framework, Self-Regulatory Organization (SRO) for fintech announced by RBI to self-regulate the industry, stricter digital lending oversight with RBI expanding the scope of guidelines, CBDC (Digital Rupee) integration creating new opportunities for fintech platforms, Open Credit Enablement Network (OCEN) enabling new lending models, continued Account Aggregator adoption enabling consent-based data sharing, and cross-border payment innovation through UPI-like linkages globally.
What reporting is required for cross-border fintech transactions?
Cross-border fintech transactions require: Form 15CA/15CB for outward remittances exceeding specified thresholds, FEMA reporting (FC-GPR, FC-TRS) for foreign investment inflows, LRS (Liberalised Remittance Scheme) compliance for individual outward remittances, Authorized Dealer (AD) bank reporting for all forex transactions, transfer pricing documentation for related-party cross-border transactions, and withholding tax compliance under relevant DTAAs for payments to foreign entities. IEC registration is needed for receiving foreign remittances in certain cases.
How can fintech companies ensure regulatory compliance at scale?
Fintech companies scaling operations should implement: RegTech solutions (automated compliance monitoring, reporting, and KYC tools), compliance management systems with dashboards and alerts, regular internal audits (quarterly minimum), Board-level compliance committees, dedicated Chief Compliance Officer (CCO) role, employee training programs on regulatory changes, legal technology for contract management and regulatory tracking, and partnership with compliance advisory firms for ongoing regulatory guidance. Proactive compliance is cheaper than reactive penalty management.
What is the penalty for operating without required fintech licenses?
Penalties for operating without required authorizations: operating a payment system without RBI authorization is punishable under Section 26 of the PSS Act with imprisonment of up to 10 years and/or a fine of up to Rs. 1 crore, and RBI can separately impose a penalty of up to twice the amount involved (or Rs. 5 lakh, whichever is more) under Section 30; carrying on NBFC business without registration attracts imprisonment of up to 5 years and a fine under the RBI Act; PMLA non-compliance attracts a monetary penalty of up to Rs. 1 lakh for each failure under Section 13; FEMA violations attract a penalty of up to 3x the amount involved; and data protection violations attract penalties of up to Rs. 250 crore under the DPDPA 2023. RBI can also issue cease and desist orders and have access to platforms blocked.
What intellectual property should a fintech company protect?
Fintech companies should protect: Trademark (platform name, brand, logo, app icon), Copyright (source code, APIs, UI/UX design, content), Patents (novel algorithms for credit scoring, fraud detection, payment processing), and trade secrets (proprietary underwriting models, risk assessment frameworks). API specifications and SDK documentation should be protected through copyright and licensing terms. Employee agreements must include strong IP assignment and confidentiality clauses; note that post-employment non-compete clauses are generally unenforceable in India under Section 27 of the Indian Contract Act, so do not rely on them to protect trade secrets.
What insurance should fintech companies carry?
Fintech companies should consider: Cyber liability insurance (strongly advisable for regulated entities; covers data breaches, hacking, ransom), Professional Indemnity/E&O insurance (covers claims from software errors, incorrect financial advice), Directors and Officers (D&O) insurance (critical after VC funding), Fidelity/Crime insurance (covers employee fraud and theft), Business Interruption insurance (covers losses during system outages), and Key Person insurance. Adequate insurance coverage is also something the RBI looks for in the risk management framework of PAs and PPI issuers.
How should fintech companies handle outsourcing and third-party risks?
RBI's outsourcing guidelines for regulated entities require: Board-approved outsourcing policy, due diligence on all third-party service providers, contractual provisions for RBI audit rights over outsourced functions, business continuity plans for critical outsourced services, regular performance monitoring of service providers, data security requirements in vendor contracts, prohibition on outsourcing core management functions (decision-making, compliance, internal audit), and maintenance of an outsourcing register. Cloud service providers must have data centers in India for payment data.
Written by Dhanush Prabha

Dhanush Prabha is the Chief Technology Officer and Chief Marketing Officer at IncorpX, where he leads product engineering, platform architecture, and data-driven growth strategy. With over half a decade of experience in full-stack development, scalable systems design, and performance marketing, he oversees the technical infrastructure and digital acquisition channels that power IncorpX. Dhanush specializes in building high-performance web applications, SEO and AEO-optimized content frameworks, marketing automation pipelines, and conversion-focused user experiences. He has architected and deployed multiple SaaS platforms, API-first applications, and enterprise-grade systems from the ground up. His writing spans technology, business registration, startup strategy, and digital transformation - offering clear, research-backed insights drawn from hands-on engineering and growth leadership. He is passionate about helping founders and professionals make informed decisions through practical, real-world content.