Fintech Newsletter: recent legal developments and market updates from India - 3rd edition 2 July 2025

INTRODUCTION

The first quarter of 2025 witnessed dynamic and reformative regulatory activity with key financial sector regulators in India introducing significant frameworks aimed at enhancing investor protection, strengthening cybersecurity resilience, improving compliance frameworks, and streamlining operational procedures across various segments of the financial ecosystem.

Among the key highlights are the Reserve Bank of India’s (“RBI”) proposed security enhancements in the form of introducing Additional Factor of Authentication requirement for cross-border card-not-present transactions and extending the Unified Payment Interface (“UPI”) framework to include pre-sanctioned credit lines issued by small finance banks. The RBI also issued the Framework for Recognising Self-Regulatory Organisations for the Account Aggregator ecosystem, establishing a governance and compliance architecture intended to support responsible data sharing and innovation in financial information services. On the securities market front, the Securities and Exchange Board of India (“SEBI”) has introduced multiple regulatory measures targeting innovation and investor safety. These include the long-anticipated framework to enable retail participation in algorithmic trading and new obligations for the use of artificial intelligence and machine learning by regulated intermediaries.  

This edition of the newsletter highlights significant shifts in regulations, prevailing industry hurdles, and noteworthy market dynamics within the realm of the Indian FinTech sector, spanning the period from February 01, 2025, to March 31, 2025.

RECENT LEGAL & REGULATORY DEVELOPMENTS

RBI Issues Draft Additional Factor of Authentication for Cross-Border Card Not Present Transactions (Link)

RBI, through a draft circular issued under the Payment and Settlement Systems Act, 2007, has proposed to mandate the implementation of an Additional Factor of Authentication (“AFA”) for cross-border Card Not Present (“CNP”) transactions. This move aligns with the RBI’s Payments Vision 2025, which seeks to extend domestic-level security standards to international card-based transactions.

While AFA has been a mandatory requirement for domestic card transactions since 2009, including for domestic CNP transactions, cross-border CNP transactions have remained outside the purview of this mandate. The proposed framework aims to introduce a similar level of authentication to enhance security and reduce fraud in international e-commerce and digital payments involving Indian-issued cards.

Under the draft directions, card issuers will be required to: (a) register their Bank Identification Numbers with card networks to enable AFA validation; (b) validate AFA for non-recurring cross-border CNP transactions whenever a request for such authentication is initiated by the overseas merchant or acquirer; and (c) implement a risk-based framework to manage all cross-border CNP transactions, thereby allowing flexibility while maintaining robust risk controls.

Extension of the Scope of UPI for the Usage of Credit Lines Provided by Small Finance Banks (Link)

The RBI recently amended its circular dated September 04, 2023, to extend the facility of using the UPI for operating pre-sanctioned credit lines to also include those issued by small finance banks. Previously, this facility was limited to credit lines provided by scheduled commercial banks.[1]

The RBI has explained in its Statement on Developmental and Regulatory Policies,[2] that such a step is necessary to make low-ticket, low-tenor products to ‘new-to-credit’ customers and to allow small finance banks to leverage UPI to reach the last mile customer.  

SEBI Issues Framework for Safer Retail Participation in Algorithmic Trading (Link)

SEBI has issued a regulatory framework to facilitate safer participation of retail investors in algorithmic trading (“Algo Trading”), with brokers (“Brokers”) and stock exchanges (“Exchanges”) playing a central role in implementing safeguards and ensuring effective risk management.

Given the increasing interest in Algo Trading by retail investors, SEBI has now formalised a comprehensive set of measures aimed at protecting investor interests and preserving market integrity. The framework clearly delineates the rights and responsibilities of key stakeholders, namely, investors, Brokers, Exchanges, and fintech firms, vendors, or individuals that offer Algo Trading services using Application Programming Interface (“API”) access through Brokers (“Algo Providers”), to ensure safe and structured access to Algo Trading facilities.

The proposed framework, inter alia, outlines the following:

• Brokers providing Algo Trading facilities must act as principals, with any Algo Provider acting as their agent.
• All algo orders routed through Broker-provided APIs must carry a unique identifier issued by the Exchange to ensure traceability.
• Brokers are required to implement stringent controls, including static IP whitelisting, vendor-specific API keys, open Auth-based authentication, and two-factor authentication mechanisms.
• Brokers are expected to conduct due diligence before onboarding any empanelled Algo Provider and must ensure transparency in fee structures and commercial arrangements with such providers.
• Brokers are required to establish robust monitoring systems to identify and tag algo orders and must engage only with empanelled Algo Providers.
• All investor grievances related to algo trading must be handled by the Broker, who remains responsible for compliance with SEBI’s outsourcing guidelines.
• Brokers must seek prior approval from the Exchange for all algos and any subsequent modifications.
• While Algo Providers will not be directly regulated by SEBI, they must be empanelled with the Exchanges in accordance with criteria specified by the Exchanges.
• Retail investors developing their own algos using programming knowledge may continue to do so, subject to getting registered with the Exchange through their Broker if their usage crosses a specified threshold.  
• Exchanges will retain oversight of Algo Trading activity, including formulating Standard Operating Procedures for algo testing, maintaining surveillance and simulation capabilities, and retaining kill-switch functionality for dealing with malfunctioning algos.
• Algos will be classified into two categories: Execution or “White Box” algos, where the trading logic is disclosed and replicable; and “Black Box” algos, where the logic is not known to the user. For Black Box algos, the Algo Provider must register as a Research Analyst and maintain detailed research reports for each algo. Any modification to the logic will require a fresh registration and supporting documentation.

In line with the directions of this circular, National Stock Exchange of India Limited and Bombay Stock Exchange Limited have released implementation standards for algorithmic trading.[3] The provisions of this circular are proposed to take effect from August 1, 2025.

SEBI Introduces MITRA Platform to Trace Inactive and Unclaimed Mutual Fund Folios (Link)

By its circular dated February 12, 2025 (“SEBI Circular”), SEBI introduced the Mutual Fund Investment Tracing and Retrieval Assistant (“MITRA”), a centralised platform designed to assist investors in identifying and recovering inactive and unclaimed Mutual Fund folios. The platform has been jointly developed and will be hosted by the two Qualified Registrar and Transfer Agents (“QRTAs”), Computer Age Management Services Limited (“CAMS”) and KFin Technologies Limited, acting as agents of the Asset Management Companies (“AMCs”).

The initiative aims to address long-standing concerns around investors losing track of investments made with incomplete KYC, in physical form, or without valid contact details—often resulting in such folios remaining dormant and susceptible to fraudulent redemptions.

Under the SEBI Circular, a folio is classified as inactive where no investor-initiated transactions (financial or non-financial) have occurred in the last ten years, while units remain invested. The MITRA platform, made available through MF Central, the websites of AMCs, AMFI, SEBI, and the QRTAs, is inter alia intended to enable investors and rightful claimants to locate forgotten or overlooked investments, promote KYC compliance, reduce the quantum of unclaimed folios, and establish safeguards against potential misuse or fraud.

The QRTAs are jointly and severally responsible for ensuring regulatory compliance, including adherence to the SEBI Master Circular on Mutual Funds dated June 27, 2024, in respect of cyber security, system audits, and business continuity planning.

SEBI Introduces Framework on Use of Artificial Intelligence by Intermediaries (Link)

By way of the SEBI (Intermediaries) (Amendment) Regulations, 2025 (“Amendment Regulations”), SEBI has inserted a new Chapter IIIB under the SEBI (Intermediaries) Regulations, 2008 (“Intermediaries Regulations”), to introduce a regulatory framework governing the use of artificial intelligence (“AI”) and machine learning (“ML”) tools and techniques by SEBI-regulated intermediaries.

The Amendment Regulations place the onus of responsibility on the regulated intermediaries for any use of AI and ML tools in their business operations and investor servicing. This responsibility exists irrespective of whether the tools are developed in-house or sourced from third-party technology service providers. Regulated entities are required to ensure that investor and stakeholder data, especially data held in a fiduciary capacity, is handled with full regard for privacy, security, and integrity. These entities are also held accountable for the outputs generated by AI/ML tools and for ensuring that their use is in full compliance with applicable legal and regulatory requirements. SEBI has also retained the power to take appropriate enforcement action in cases of non-compliance.

A notable aspect of the Amendment Regulations is the expansive and inclusive definition given to AI and ML tools. The term “artificial intelligence and machine learning tools and techniques” includes any application, software program, executable system, or a combination thereof that is either used internally by the regulated entity for business purposes or offered to investors and stakeholders as part of their services. The scope of use is intentionally broad and encompasses tools deployed for facilitating investments or trading activities, disseminating investment strategies or advice, fulfilling compliance obligations, or supporting business operations such as risk management, client servicing, or internal decision-making. Importantly, this definition captures not only those tools that are directly visible to end users but also those functioning behind the scenes, such as AI-enabled surveillance systems, automated compliance tools, fraud detection mechanisms, and data analytics engines. The regulation is designed to include any AI/ML system portrayed as being part of the intermediary’s offering to the public or used in any operational or compliance capacity internally.

With these Amendment Regulations, SEBI aims to strike a balance between fostering technological innovation and ensuring market integrity and investor protection. The clear allocation of responsibility ensures that regulated intermediaries remain accountable for the use and impact of AI/ML in all aspects of their operations, reinforcing trust while enabling the growth of data-driven technologies in the securities market.

SEBI Issues MITCs for Investment Advisers and Research Analysts (Link)

In furtherance of the amendments made to the SEBI (Investment Advisers) Regulations, 2013 and the SEBI (Research Analysts) Regulations, 2014 in December, 2024[4] and the guidelines issued by SEBI for Investment Advisers (“IAs”)[5] and Research Analysts (“RAs”)[6] dated January 08, 2025, SEBI has issued the Most Important Terms and Conditions (“MITCs”) to be agreed between IAs/RAs and their clients.

The MITCs issued for IAs require IAs to incorporate terms with respect to (a) acceptance of payments only towards its fees for providing investment advisory services and non-acceptance of funds or securities on behalf of the client; (b) not guaranteeing assured/fixed returns, accuracy, or risk-free investments; (c) providing disclosures regarding any advice provided for non-securities products which are outside the purview of SEBI; (d) providing details of grievance redressal mechanism and escalation matrix; and (e) charging of fees within the limits prescribed by SEBI among others.

Similarly, the MITCs issued for RAs require RAs to incorporate terms with respect to (a) not allowing RAs to execute/carry out any trade on behalf of its clients; (b) charging of fees within the limits prescribed by SEBI; (c) not guaranteeing assured/fixed returns, accuracy, or risk-free investments; (d) making disclosures with respect to the risks involved in making investments based on the recommendations of the RA in research reports; and (e) providing details of grievance redressal mechanism among others.  

SEBI Updates Investor Charter for Stockbrokers (Link)

SEBI, through a circular dated February 21, 2025, has updated the investor charter for stockbrokers, which was issued in 2021,[7] for publication by stockbrokers on their websites. SEBI has stated that the investor charter has been updated to account for recent developments in the securities market including the introduction of the Online Dispute Resolution platform and SCORES 2.0 for grievance redressal. The investor charter so prescribed under the said circular summarises the services provided by stockbrokers to their clients, rights of investors, timelines prescribed on stockbrokers for completion of various processes such as KYC, client onboarding, order execution, grievance redressal, etc., Do’s and Don’ts for investors, among others.

Additionally, the aforesaid circular also requires that stockbrokers disclose the data on complaints received against them or against issues dealt with by them and redressal thereof on a monthly basis in the format prescribed therein.

SEBI Proposes Technology-Based Framework to Secure Trading and Demat Accounts (Link)

On February 18, 2025, SEBI released a consultation paper titled “Consultation Paper on Technology based Measures to Secure Trading Environment and to Prevent Unauthorised Transactions in Trading/Demat Account of Investors.” The consultation paper proposes key changes aimed at strengthening the security infrastructure of the trading and demat ecosystem and preventing unauthorised access and transactions.

The paper outlines a series of technology-driven measures in response to the rising instances of SIM spoofing, unauthorised trading, account modifications, and erroneous share transfers reported in recent times. SEBI noted that with increasing dependence on mobile and web-based trading applications, the absence of robust security protocols has rendered these platforms vulnerable to fraud, hacking, and identity theft.

To address these risks, SEBI constituted a working group to review the current framework and suggest improvements. Based on the recommendations received, the consultation paper proposes the implementation of several key measures aimed at fortifying the trading ecosystem through enhanced authentication protocols and better access controls.

One of the core proposals is the introduction of a SIM-binding mechanism that would link the Unique Client Code (“UCC”) of an investor with a specific mobile device and SIM card, similar to the model followed by UPI payment applications. Under this proposal, trading access would only be granted through a registered device recognised by the trading application based on a combination of UCC, SIM, and device information.

Further, the consultation paper suggests incorporating biometric authentication (such as fingerprint or facial recognition) for login, QR code-based proximity and time-sensitive login for access on desktops/laptops, and provisions to link multiple family member UCCs to a single device based on client authorisation.

In addition to login authentication, the paper proposes a range of access control mechanisms. These include allowing investors to place a temporary lock on their trading accounts, monitor and revoke sessions active on other devices, and set parameters such as volume or instrument restrictions.

To address operational concerns around call-and-trade and walk-in trading services, the consultation paper proposes allowing such trades only via centralised, dedicated communication channels of the broker, authenticated by OTPs or tamper-proof audio-visual systems.

With regard to demat accounts, SEBI has suggested measures to prevent erroneous or unintended transfers. These include mandatory verification of target account names prior to off-market transactions and two-step entry of beneficiary account numbers to validate details. For clients using basic phones, SEBI recommends Interactive Voice Response System-based OTP authentication.

The implementation of the proposed framework will be carried out in a phased manner. Initially, the top 10 (ten) qualified stockbrokers will be required to adopt the SIM-binding and related authentication mechanisms within 6 (six) months of the issuance of the circular. While the secure login protocol will be optional at first, SEBI proposes to make it mandatory over time. All other provisions of the framework will apply to all stockbrokers and depository participants.

IRDAI Issues Circular on Premium Payment via UPI One-Time Mandate for Bima-ASBA (Link)

The Insurance Regulatory and Development Authority (“IRDAI”), through a circular dated February 18, 2025 (“Bima-ASBA Circular”), introduced a framework to facilitate premium payments for life and health insurance policies using a UPI-based One-Time Mandate (“OTM”), referred to as Bima-ASBA. Under this framework, policyholders are permitted to block the premium amount in their bank accounts at the time of proposal submission, with the actual debit occurring only upon the issuance of the insurance policy. In instances where the policy is not issued, the blocked amount would need to be released back to the customer in full.

All distribution channels, including corporate agents and other intermediaries, are required to ensure that proposal forms—whether digital or physical—are updated to incorporate a standard declaration authorising the insurer to initiate the UPI-based mandate. Distributors must clearly communicate the nature of the Bima-ASBA arrangement to prospective policyholders, including the fact that the mandate only results in blocking, and not debiting of funds until the policy is accepted.

IFSCA Mandates FIU-IND Portal Registration (Link)

The International Financial Services Centres Authority (“IFSCA”), through a circular dated February 25, 2025 (“Registration Circular”), has reiterated and clarified the obligation of all regulated entities operating in GIFT-IFSC to register on the FIU-IND FINGate 2.0 portal for compliance with the IFSCA (Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022. This circular is in continuation of an earlier communication dated March 14, 2024, and aims to streamline the reporting and compliance framework under the Prevention of Money Laundering Act, 2002, by ensuring all regulated entities are onboarded to the designated financial intelligence portal maintained by the Financial Intelligence Unit - India (“FIU-IND”).

As per the Registration Circular, all regulated entities are required to complete their registration on the FIU-IND FINGate 2.0 portal prior to the commencement of business. In exceptional cases where business operations begin urgently, registration must be completed within 30 (thirty) days from the date of commencement.

The Registration Circular further clarifies that any changes or additions to a regulated entity’s line of business must also be updated on the FIU-IND portal within 30 (thirty) days of commencement of the new activity. If an entity is unable to register or update its information on the portal due to reasons beyond its control, it must still fulfil its reporting obligations under the Prevention of Money Laundering Act, 2002 by submitting the relevant filings via email. Notably, compliance with these requirements is deemed a condition of the entity’s registration, recognition, license, or authorisation under IFSCA regulations.

IFSCA Issues International Financial Services Centres Authority (Fund Management) Regulations, 2025 (Link)

The IFSCA, through a circular dated February 19, 2025, has notified the IFSCA (Fund Management) Regulations, 2025 (“FM Regulations 2025”), following a comprehensive review of the earlier 2022 framework.

Key reforms inter alia include a reduction in the minimum corpus for both retail and non-retail schemes from USD 5 (five) million to USD 3 (three) million, and an extension in the validity of the Private Placement Memorandum to 12 (twelve) months. For large fund management entities (“FMEs”) with assets under management exceeding USD 1 (one) billion (excluding fund-of-funds), an additional Key Managerial Personnel appointment is now required. Portfolio management services have also been liberalised with the minimum investment threshold halved to USD 75,000 (seventy-five thousand).

Additionally, FMEs have been permitted to establish offshore marketing offices without prior IFSCA approval, by only providing prior notice to IFSCA.

IRDAI Issues Directive on Cyber Security (Link)

The IRDAI on March 24, 2025, issued a directive to all regulated entities by the IRDAI with respect to cyber security (“IRDAI Directive”). The IRDAI, inter alia reiterated (a) the requirement of reporting cyber incidents to IRDAI in the prescribed format within 6 (six) hours of noticing or being brought to notice about such incidents; (b) maintaining and monitoring information and communications technology infrastructure infrastructure and application logs for a rolling period of 180 (one hundred and eighty) days; and (c) performance of forensic investigation for severe information security incidents, and that of Chief Information Security Officer to engage external certified and competent forensic experts.

The IRDAI additionally mandated all IRDAI-regulated entities to (a) establish well defined procedure/practice to ensure that forensic auditor(s) are empanelled in advance and can be onboarded to conduct forensics and root cause analysis of cyber incident(s) without any delay; (b) ensure that the vendor handling Security Operation Centre (SOC), attack surface monitoring, Red teaming, or conducting the annual assurance audit or any cyber security aspect of the IRDAI regulated entity is not engaged as the forensic auditor for the incident, in order to avoid a conflict of interest; and (c) demonstrate compliance to the aforementioned requirements to such entities’ board of directors in the ensuing board meeting and submit the minutes of such meeting to the IRDAI, for its records.

SEBI Issues Consultation Paper on Activities of Stock Brokers in GIFT-IFSC (Link)

On March 21, 2025, SEBI issued a consultation paper on ‘facilitation to SEBI registered Stock Brokers to undertake securities market related activities in Gujarat International Finance Tech-city – International Financial Services Centre (“GIFT-IFSC”) under a Separate Business Unit (“SBU”)’, and invited public comments on the same (“Consultation Paper”).

With an intent of ensuring ease of doing business, SEBI, vide the recommendations in the Consultation Paper, intends to do away with the requirements under the extant norms pertaining to the captioned subject. Extant norms require SEBI-registered stock brokers (“Stock Brokers”) to obtain approval from SEBI in the form of a no-objection certificate (NOC) to float subsidiaries or to enter into a joint venture to undertake securities market related activities in GIFT-IFSC. 

In furtherance of such recommendation, SEBI in the Consultation Paper has also issued a draft circular in this regard. The draft circular states that policy, eligibility criteria, risk management, investor grievances, inspection, enforcement, claims, etc., related matters for SBUs in GIFT-IFSC would be set out under a regulatory framework issued by a specific regulatory authority for this, and the SBUs' activities in GIFT-IFSC would be under the jurisdiction of such authority. Further, with the intent of demarcating regulatory obligations and ring-fencing the activities of the Stock Brokers in Indian securities market and that of SBUs in GIFT-IFSC, SEBI has proposed prescribing certain safeguards which inter alia include: (a) requirement of Stock Brokers to ensure that securities market related activities of the SBUs in GIFT-IFSC are segregated and ring-fenced from such Stock Broker’s Indian securities market related activities, and arms-length relationship is maintained between these activities; (b) ensuring that the SBU in  GIFT-IFSC is exclusively engaged in providing securities market related activities in GIFT-IFSC only; (c) maintaining a separate account for the SBU on arms-length basis, and keeping the net worth of the SBU segregated from the net worth of the Stock Broker in the Indian securities market. SEBI also noted that, given that the SBU will be governed by another regulatory authority, grievance redressal mechanism and the Investor Protection Fund (IPF) of stock exchanges and SCORES would not be available for investors availing services of the SBU. In the event Stock Brokers have already floated a subsidiary or entered into a joint venture to undertake securities market related activities in GIFT-IFSC after obtaining SEBI’s approval, SEBI has proposed that such Stock Brokers would be permitted to dismantle such subsidiary/joint venture and carry out services under an SBU of the stock broking entity.

SEBI Issues Advisory to Intermediaries on Advertisements (Link)

In light of increasing fraud in relation to the securities market on social media platforms such as YouTube, Facebook, Instagram, WhatsApp, etc. (“SMPs”), SEBI, on March 21, 2025, has issued an advisory to SEBI-registered intermediaries (“Advisory”). SEBI noted that SMPs are being used by perpetrators to entice victims in the name of providing online trading courses, seminars, giving misleading or deceptive testimonials, promising or guaranteeing of assured or risk-free return, etc. With a view to curb such fraudulent activities and enhancing transparency, SEBI, in consultation with providers of SMPs (“SMPPs”), has decided that all SEBI-registered intermediaries uploading/publishing advertisements on SMPPs like Google/Meta (to begin with), would mandatorily have to register on such SMP using their email IDs and mobile numbers registered on the SEBI intermediary portal. Consequent to this, such SMPPs would have to undertake advertiser verification of SEBI-registered intermediaries, on completion of which, such intermediaries would be allowed to upload/publish advertisements on these SMPPs. SEBI accordingly issued directions to registered intermediaries interested in engaging in such publication of advertisements to update their contact details in the intermediary database on the SEBI intermediary portal by April 30, 2025.

IFSCA Issues Guidelines on Cyber Security and Cyber Resilience (Link)

The International Financial Services Centres Authority (“IFSCA”) on March 10, 2025, issued the Guidelines on cyber security and cyber resilience for regulated entities in the International Financial Service Centres (“IFSC”) (“IFSCA Guidelines”), with an intent of laying down the broad cyber security and cyber resilience related expectations it has from such entities, that are licensed, recognised, registered or authorised by the IFSCA. The IFSCA Guidelines are intended to be implemented in accordance with the principle of proportionality, after considering (a) scale, complexity of operations, and nature of activity the entity engages in; and (b) interconnectedness of such entity with the financial and corresponding cyber risks the entity is exposed to.

In terms of governance, such regulated entities are required to have an oversight body, which shall be responsible for governance of the entities’ cyber risk management mechanism, and which shall include 1 (one) or more of the following: (a) a governing board,  or (b) senior management personnel (such as the Managing Director, Chief Executive Officer, Chief Technology Officer, Chief Information Security Officer (CISO), or  (c) committees involving or designated by such persons for technology or cyber risk management. There is also a requirement to appoint a CISO or designate a senior personnel, who shall be referred to as the ‘Designated Officer’ and would be responsible for assessing, identifying, reducing cyber risks, responding to incidents, and establishing appropriate controls.

Such entities are also required to maintain a cyber security and cyber resilience framework, which should inter alia (a) promotes the entities’  ability to anticipate, withstand, contain, and recover from cyber-attacks; (b) conduct a risk assessment to evaluate any potential cyber threats including third party risks;   (c) defines the entities’ cyber risk appetite and cyber resilience objectives; and (d) establishes roles and responsibilities of the ‘Oversight Body’, the ‘Designated Officer’, employees and other stakeholders. As a part of such framework, an information security (IS) policy should be formulated by the regulated entities which shall inter alia follow the principles of (a) maintaining a detailed inventory of the information technology assets and carrying out a risk assessment to classify such assets based on their sensitivity, criticality and potential impact on other systems, if compromised; (b) implementing appropriate security controls, aligned with international best practices and standards such as ISO 27000, and ensuring that such controls are proportionate to the entities’ threat landscape and risk appetite; (c) ensuring access to IT assets and systems are on a need-to-know basis, with robust authentication measures;  (d) ensuring adequate physical security of IT assets through taking steps to restrict access to data centres and server rooms, and securing location of critical data, and having recovery policies and procedures to limit losses in case of business disruptions, and to provide services on an ongoing basis; (e) conduct a vulnerability assessment and penetration testing (VAPT) for all critical systems, infrastructure components and other IT systems annually; and (f) ensuring an audit trail existed for its IT assets.

Entities have also been mandated to adopt a risk-based approach for the review of their third-party vendors and to carry out appropriate assessments. The risk assessments for third parties, which are required by the regulated entity for its core operations or to whom access has been granted to its critical applications, shall be done every 6 (six) months. There is also a requirement for entities to undertake internal audits annually by a CERT-in empanelled auditor, or independent auditors with certifications such as Certified Information Security Auditor or Certified Information Security Manager, or through an auditor with prior relevant experience. In cases of cyber security incidents, entities are required to report it to IFSCA within 6 (six) hours of detection of such incident, along with an interim report within 3 (three) days, and a root cause analysis within 30 (thirty) days, and with an obligation to take mitigation measures within 7 (seven) days.

The IFSCA has exempted the following from complying with the IFSCA Guidelines: (a)  regulated entities operating in the form of a branch of a regulated Indian or foreign entity; (b) regulated entities providing services to their group entities only; (c) regulated entities which have less than 10 (ten) employees; (d) foreign universities set up in IFSCs.
The exemptions are subject to the entities fulfilling conditions which include: (a) regulated entities adopting the ‘Cyber Security and Cyber Resilience framework’ and ‘IS
Policy of its parent entity; (b) CISO of the parent entity acting as the Designated Officer of such regulated entities; (c) parent entity (whether Indian or overseas) of such entities being regulated by a financial 
sector regulator in its home jurisdiction and such parent entity’s cyber security and cyber resilience framework, including the IFSC entity within its scope. The IFSCA Guidelines have come into effect since April 01, 2025.

NPCI Issues Additional Guidance for Implementation of Numeric UPI IDs (Link)

The National Payments Corporation of India (“NPCI”), on March 03, 2025, has issued additional guidance (“NPCI Circular”) on its July 2021 directive on Numeric UPI ID.^[8] Vide the July 2021 directive, the NPCI had introduced a Numeric UPI ID Mapper, which would map the UPI number against the respective UPI ID.

Vide this NPCI Circular, the NPCI has inter alia mandated that banks and payment systems providers (“PSPs”) map their databases against the mobile number revocation list (MNRL, which is published by the Telecom Regulatory Authority of India) and digital intelligence platform (DIP, developed by the Department of Telecommunications), on a weekly basis to ensure recycled and churned numbers are accurately recorded. The NPCI has also issued guidance on user consent and has stated that user-consent for seeding or porting a UPI number must be explicit and be provided by an opt-in mechanism. Further, such consent should not be obtained before or during a transaction, and any communication pertaining to seeing or porting should not contain any miscommunication. There is also a reporting obligation on PSPs and UPI apps, which from April 1, 2025, have been mandated to furnish reporting on a monthly basis to the NPCI, which should inter alia contain a total number of UPI number seedings, total UPI-based transactions, and deregistered UPI numbers. In addition, there is also a requirement to share raw transaction data with NPCI. The NPCI has issued instructions to ensure compliance with the NPCI Circular by March 31, 2025.

INDUSTRY DEVELOPMENTS

SEBI Releases Industry Standards Recognition Manual (Link)

SEBI has issued the Industry Standards Recognition Manual (“Manual”) to institutionalize a structured mechanism for setting industry implementation standards, aimed at improving regulatory compliance and consistency across market participants.

The Manual provides a comprehensive framework for recognizing and governing Industry Standards Forums (“ISFs”), which will be responsible for formulating standardized procedures to implement SEBI’s regulatory directions. This initiative builds on a pilot conducted during FY 2023-24 and is designed to facilitate easier, uniform adoption of SEBI’s regulations by entities such as Market Infrastructure Institutions (“MIIs”), intermediaries, mutual funds, stockbrokers, investment advisers, and listed companies.

Key features of the Manual include:

• Purpose of ISFs: ISFs are tasked with creating specific checklists, Standard Operating Procedures, and other tools aligned with SEBI’s regulatory intent to aid market participants in complying with regulatory requirements. ISFs, however, are not empowered to draft or amend regulations or circulars and are not considered as Self-Regulatory Organisations (“SROs”), but rather as committees.
• Recognition Criteria: For SEBI to recognize industry standards proposed by an ISF, such standards must be precise, unambiguous, aligned with regulatory intent, and accompanied by implementation steps and reporting formats. ISFs must also demonstrate adequate industry representation, especially from small and medium participants, and maintain a minimum proportion of practitioners among their members.
• Functioning and Reporting: ISFs must maintain detailed records (digitally preserved for eight years), consult SEBI at key stages of standard development, and complete their work within a reasonable period, generally not exceeding three months. Periodic reporting to SEBI is mandated to evidence compliance with recognition criteria.
• Publishing and Compliance: Recognized implementation standards must be published on the websites of the ISF, MIIs, and/or industry associations. Once in effect, these standards are mandatory for industry participants, and compliance with them is considered equivalent to compliance with the underlying SEBI regulation. It is important to note that SEBI retains the right to investigate fraudulent conduct regardless.
• Transition for Pilot ISFs: Existing pilot ISFs must align with the new Manual within six months of its publication. Until then, their recognized standards remain valid unless otherwise specified by SEBI.

The Manual marks a step toward collaborative regulatory implementation, ensuring that industry-specific knowledge is effectively leveraged while preserving SEBI’s supervisory authority.

RBI issues SRO-AA Framework (Link)

RBI, on March 12, 2025, issued the Framework for recognising SROs for the Account Aggregator (“AA”) Ecosystem (“SRO AA Framework”). The objective behind having an SRO for the AA ecosystem (“SRO-AA”) is to promote a culture of regulatory compliance within the ecosystem, and for such SRO to act as a collective voice for members in the ecosystem, and aid RBI in policymaking by collecting and sharing relevant information.

The RBI has inter alia prescribed that SROs should (a) be a true representative of the AA ecosystem, be inclusive, and represent all entities acting as NBFC-AAs, financial information provider (“FIP”), and financial information user (“FIU”) that are regulated by financial sector regulators; (b) prescribe professional, ethical and governance codes for participation in the AA ecosystem; (c) operate independently, devoid of any influence from its members, and ensure unbiased oversight over its members; (d) adopt a development focused approach contributing to the growth and evolution of the ecosystem; and (e) devise procedures for handling disputes among members.

Entities desirous of applying to qualify as an SRO-AA are inter alia required to (a) set up as a not-for-profit company registered under Section 8 of the Companies Act, 2013; (b) have or demonstrate that it can achieve a minimum net worth of INR 2,00,00,000 (Indian Rupees Two crores) within a period of 1 (one) year after recognition as an SRO-AA by the RBI, or before commencement of operations as an SRO-AA, whichever is earlier, and maintain such minimum net worth on an ongoing basis; (c) ensure that no entity holds 10% (ten per cent) or more of its paid-up share capital, either singly or acting in concert.

An SRO-AA is intended to be open for membership for all financial sector regulated entities participating in the AA ecosystem as NBFC-AAs, FIPs, and FIUs; such membership would be on a voluntary basis. Further, to ensure a fair representation, SRO-AA shall have at least 25 (twenty-five) unique entities from FIP and FIU as its members at all times. Failure to maintain such balanced representation would render the SRO-AA liable for revocation of the recognition that has been granted.

In terms of compliance, SRO-AAs, are inter alia required to ensure (a) it is professionally managed, with its articles of association / bye-laws, specifying its functions as one of its main objects; (b) directors fulfil the fit and proper criteria determined by its board on an ongoing basis, and have professional competence and general reputation of fairness and integrity to the satisfaction of the RBI; (c) each board-level committees constituted by the SRO-AA focussed on specific areas has an independent chairperson, to the extent feasible; and (d) that its members are compliant with all applicable RBI regulations as well as regulations issued by other financial sector regulators.

The RBI has also entrusted the SRO-AA with several functions and responsibilities which inter alia includes (a) framing codes of conduct for its members as well as their outsourced service providers, and frame standard formats for agreements (for specific use-cases) such as agreement between an FIU or FIP with an NBFC-AA, or with outsourced service providers; (b) ensuring strict confidentiality of personal data, complying with relevant data protection laws, collecting only such data that is necessary for development of the ecosystem; (c) developing best practices and assist AA ecosystem participants with adoption of technical specifications; (d) working in collaboration with the RBI to ensure members of the AA ecosystem responsibly use financial information; and (e) keeping RBI informed of developments in the AA ecosystem, and promptly intimating the RBI and other financial sector regulators of non-compliance by its members of applicable regulations, and submitting periodic reports and returns to the RBI and engaging in periodic interactions with the RBI.

In light of the foregoing, the RBI has invited applications to get recognised as an SRO-AA, which, along with the required documentation, must be submitted by June 15, 2025. The RBI would review the application, and once it deems that an applicant is suitable, it would grant a letter of recommendation (“LoR”) to such applicant. Such LoR would inter alia be subject to (a) information submitted by the SRO-AA being true, and not misleading in material aspects; (b) the SRO AA Framework being adhered to on an ongoing basis; (c) ensuring no activity which creates a conflict of interest with the main objectives of the SRO-AA is undertaken. If the SRO-AA is deemed to be functioning in a manner detrimental to public interest or other stakeholders, or if it is found to be operating in a manner non-compliant with its objectives, RBI reserves the right to revoke the LoR, after providing such SRO-AA an opportunity to be heard.

SEBI Cancels Certificates of Karvy Capital Alternative Investment Trust and KCAP Alternative Investment Fund (Link)

SEBI, on March 25, 2025, issued an order in the matter of Karvy Capital Alternative Investment Trust (“KCAIT”) and KCAP Alternative Investment Fund (“KCAP AIF”), which are Category II and Category III Alternative Investment Funds (“AIFs”) respectively, cancelling such AIFs' certification. This action was taken by SEBI due to the AIFs’ failure to meet the ‘fit and proper person’ criteria, which is a requirement for AIF registration that extends to those controlling the applicant/intermediary.

The said issue arose in light of SEBI’s action against Karvy Stock Broking Limited (“KSBL”), the parent company of Karvy Capital Limited (“KCL”), which is the manager/sponsor of the KCAIT and KCAP AIF. SEBI had barred KBSL from accessing the securities market for a period of 7 (seven) years vide order dated April 28, 2023,^[9] and had cancelled KSBL’s stockbroker certificate of registration vide an order dated May 31, 2023.^[10]

SEBI noted that as per Clause  3(b)(iii)  of  Schedule  II  of  SEBI (Intermediaries) Regulations, 2008 (“Intermediaries Regulations”), for the purpose of determining whether one is a ‘fit and proper person’, SEBI can take into consideration an order (which is in force) of restraint, prohibition or debarment that has been passed by SEBI or any other regulatory authority or enforcement agency against such person in matters relating to securities laws or financial markets.  Cancellation of the certificate of registration was interpreted by SEBI to be within the purview of the aforementioned provision.

SEBI noted that as per the Intermediaries Regulations and SEBI Alternative Investment Funds) Regulations, 2012 (“AIF Regulations”) ‘fit and proper person’ criteria must be maintained on a continuous basis, and promoters or persons holding controlling interest or persons exercising control over the intermediary must comply with the ‘fit and proper person’ criteria. Further, in case of an unlisted intermediary, any person holding 20% (twenty per cent) or more voting rights, would be required to fulfill the ‘fit and proper person’ criteria, and in case any such person fails to satisfy ‘fit and proper person’ criteria, the intermediary shall ensure that such person does not exercise any voting rights and that such person divests their holding within 6 (six) months from the date of such disqualification failing which the ‘fit and proper person’ criteria may be invoked against such intermediary.

In light of the foregoing, SEBI noted that KCAIT, KCAP AIF, and KCL are unlisted entities. In the given case, KSBL, which had more than 20% (twenty per cent) stake in KCL (thereby, had controlling interest), and was not a ‘fit and proper person’, was required to divest its holding within 6 (six) months from the date of its disqualification. SEBI noted that such action was not undertaken, and accordingly, KCAIT and KCAP AIF were not compliant with the ‘fit and proper person’ criteria codified in the SEBI AIF Regulations and Intermediaries Regulations. In light of the same, SEBI cancelled KCAIT’s and KCAP AIF’s certificate of registration.

MARKET UPDATES

SEBI Proposes Unique UPI Handles for Registered Market Intermediaries[11]

SEBI has proposed a framework for assigning unique UPI addresses to market intermediaries, aimed at enhancing investor confidence by ensuring payments are made only to legitimate, SEBI-registered entities. Under this proposal, each intermediary will have an alphanumeric username linked to their business segment, followed by a unique handle “@payright” combined with their bank name. For example, a broker’s complete UPI handle would appear as “abc.bkr@payrighthdfc.”

This initiative follows SEBI's efforts to combat unregistered entities misleading investors and misappropriating funds. It also builds upon SEBI’s 2019 move to introduce UPI as a payment method in the securities market, initially for initial public offering purchases. The proposed system is designed to authenticate registered intermediaries and provide a clear, trustworthy payment channel for investors.

SEBI Clarifies Provisions on Association with Persons Engaged in Prohibited Activities[12]

SEBI has expanded its regulatory ambit to further restrict the association of all persons regulated by the board, including market infrastructure institutions like stock exchanges, clearing corporations, and depositories, as well as their agents, with entities or individuals engaged in prohibited activities, including financial influencers (finfluencers).

SEBI has emphasized that regulated entities and their agents cannot associate with individuals or entities that provide unregistered advice or recommendations related to securities. Similarly, associations with those making claims about returns or performance related to securities, without SEBI approval, are also prohibited. Furthermore, SEBI restricts educators and influencers from using recent market price data to make or imply predictions about securities, even through indirect means like code names.

RBI Launches RBIDATA Mobile App[13]

The RBI has launched the RBIDATA mobile app, providing access to over 11,000 economic and financial data series related to the Indian economy. The app offers users an easy-to-use interface to view time series data, download reports, and explore visual charts and graphs.

Key features include access to popular reports, a search function for quick data retrieval, and a banking outlet locator to find nearby facilities. It also offers data on South Asian Association for Regional Cooperation (SAARC) countries and connects to the RBI's Database on the Indian Economy.

RBI lifts restrictions on Kotak Mahindra Bank’s digital onboarding and credit card issuance[14]

The RBI has lifted the supervisory restrictions imposed on Kotak Mahindra Bank in April 2024, which barred it from onboarding new customers via online and mobile banking and from issuing new credit cards. The move follows the bank’s remedial measures to address regulatory concerns, including the commissioning of an external audit with RBI approval. After reviewing the compliance submissions, the RBI found them satisfactory and has allowed the bank to resume these operations.

Easebuzz Receives RBI Authorisation as Payment Aggregator[15]

Easebuzz, a full-stack digital payments platform, has received final authorisation from the RBI to operate as a Payment Aggregator under the Payment and Settlement Systems Act, 2007.

The approval enables Easebuzz to continue facilitating digital transactions for businesses across sectors, including e-commerce, education, real estate, and travel. The company currently serves over 2 (two) lakh merchants, including SMEs and startups, and processes an annualised Gross Transaction Value of USD 30 (thirty) billion.

PhonePe to Exit Account Aggregator Business[16] 

PhonePe Group has decided to exit the Account Aggregator (“AA”) space and will surrender its NBFC-AA licence to the RBI. The company cited shifting priorities and plans to partner with existing AAs instead of running its own platform.

Launched in 2023 via its subsidiary PhonePe Technology Services, the AA service had onboarded nearly 5 (five) crore users. However, limited onboarding of financial data providers led to the decision to wind down operations.

PhonePe Launches Device Tokenisation for Cards[17]

PhonePe has introduced device tokenisation for credit and debit cards, allowing users to securely store and use card tokens for payments across various services like bill payments, recharges, and travel bookings via PhonePe’s Payment Gateway. The feature aims to enhance security, reduce fraud, and improve transaction speeds.

Visa cards will be the first to be supported, with plans for further expansion. Merchants will benefit from higher conversion rates and a smoother checkout process.

Univest Launches Discount Broking Platform[18]

Wealthtech startup Univest has launched ‘Univest Broking’, entering the discount broking space with features like free demat account opening, in-app trading, and automated trade tracking.

This move expands Univest from an AI-led advisory platform into a full-stack trading ecosystem.

RBI Imposes a Monetary Penalty on HDFC Bank Limited for Breach of KYC Directions^[19]

The RBI imposed a monetary penalty of INR 75,00,000 (Indian Rupees seventy-five lakhs) on HDFC Bank Limited for non-compliance with Know Your Customer (KYC) directions issued by the RBI.

The RBI conducted a Statutory Inspection for Supervisory Evaluation (ISE 2023) of the bank with reference to its financial position as on March 31, 2023. Based on its findings of non-compliance with RBI directions and related correspondence in that regard, the RBI issued a notice to the bank advising it to show cause as to why a penalty should not be imposed on it for its failure to comply with these directions.

After considering the bank’s reply to the notice and additional submissions made by it, the RBI found, inter alia, that the bank: (i) did not categorise certain customers into low, medium, or high risk categories based on its assessment and risk perception; and (ii) it allotted multiple customer identification codes to certain customers instead of a Unique Customer Identification Code (UCIC) for each customer. Accordingly, the RBI imposed a monetary penalty on the bank.

RBI Imposes a Monetary Penalty on Fintechs for Non-Compliance with the P2P Lending Directions

The RBI imposed a monetary penalty of INR 40,00,000 (Indian Rupees forty lakhs) on Fairassets Technologies India Private Limited, operating as ‘Faircent’, for non-compliance with certain provisions of the RBI Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (“P2P Lending Directions”).

A scrutiny of the company was conducted by the RBI in September 2023. Based on supervisory findings of non-compliance with RBI directions and related correspondence in that regard, a notice was issued to the company advising it to show cause as to why a penalty should not be imposed on it for its failure to comply with the said directions.

After considering the company’s reply to the notice and submissions made by it, the RBI found that Faircent: (i) disbursed loans without the specific approval of individual lenders; (ii) did not undertake and disclose credit assessment and risk profile of the borrowers to the prospective lenders; (iii) took partial credit risk by foregoing the management fee partially / fully, which was not provided under the ‘Scope of Activities’ for Banking Financial Company Peer-to-Peer companies; and (iv) did not comply with RBI’s directions on ‘Fund Transfer Mechanism’, when it allowed repayments to lenders from fresh funds provided by new / existing lenders or through repayments pooled from the borrowers, rather than from a specific borrower to a specific lender.

The RBI also imposed penalties on other financial technology companies, namely Bridge Fintech Solutions Private Limited, operating as ‘Finzy’,^[20] Visionary Financepeer Private Limited,^[21] and Rang De P2P Financial Services Limited,^[22] for violations of the P2P Lending Directions.

RBI Cancels Certificates of Registration of 13 NBFCs

3 (three) Non-Banking Financial Companies (“NBFCs”), namely Walton Street India Finance Private Limited, Panghat Finance Company Private Limited, and RV Techno Investments Private Limited, surrendered the Certificate of Registration (“CoR”) granted to them by the RBI due to their exit from the Non-Banking Financial Institution business. The RBI, in exercise of powers conferred on it under Section 45-IA(6) of the Reserve Bank of India Act, 1934, therefore cancelled their CoRs.^[23]

Exercising the same powers, the RBI also cancelled the CoRs of the following 10 (ten) NBFCs: ^[24]

• Doyen Vyapaar Private Limited;
• Gaja Fincorp Private Limited;
• Torrent Merchandise Private Limited;
• Lokpriya Trade and Agency Private Limited;
• Ranisati Merchandise Private Limited;
• Mahima Commercial Company Private Limited;
• Yoyoma Trading Private Limited;
• Veshnawy Vyapaar Private Limited;
• Easey Credit Private Limited; and
• Raikot Finance and Investment Private Limited.

RBI Observes the 5^th Digital Payments Awareness Week (DPAW)^[25]

The 5^th Digital Payments Awareness Week (“DPAW”) was observed from March 10 to 16, 2025. It is an initiative to highlight the impact and importance of digital payments and to create awareness about the safe usage of digital payment products. The RBI, along with payment system operators, banks, and other stakeholders, conducted nationwide awareness activities, including multimedia campaigns, on-ground educational programs, and social media-based outreach. Under the mission ‘Har Payment Digital’, the theme for the current year is ‘India Pays Digitally’. This theme reflects India’s transformative journey toward a digitally empowered citizenry, with the ubiquity and convenience of digital payments.

RBI Governor Shri Sanjay Malhotra commended the efforts made so far for increased adoption of digital payments and observed that there was still significant potential for expansion of digital payments in the country. He urged members of the payment industry, banks, media, and users to encourage the use of digital payments.

As part of the awareness initiative, the RBI also announced 2 (two) competitions, namely the Har Payment Digital Short Video Contest^[26] and the Har Payment Digital Comic Strip Contest,^[27] which are open for public participation and intend to encourage creative expressions while promoting awareness.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12532&Mode=0.

[2] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59245.

[3] https://nsearchives.nseindia.com/content/circulars/INVG67858.pdf; https://www.bseindia.com/markets/MarketInfo/DispNewNoticesCirculars.aspx?page=20250506-3.

[4] https://www.sebi.gov.in/legal/regulations/feb-2025/securities-and-exchange-board-of-india-investment-advisers-regulations-2013-last-amended-on-february-10-2025-_92319.html ; https://www.sebi.gov.in/legal/regulations/feb-2025/securities-and-exchange-board-of-india-research-analysts-regulations-2014-last-amended-on-february-10-2025-_92320.html.

[5] https://www.sebi.gov.in/legal/circulars/jan-2025/guidelines-for-investment-advisers_90632.html.

[6] https://www.sebi.gov.in/legal/circulars/jan-2025/guidelines-for-research-analysts_90634.html.

[7] https://www.sebi.gov.in/legal/circulars/dec-2021/publishing-investor-charter-and-disclosure-of-investor-complaints-by-stock-brokers-on-their-websites_54402.html .

[8] https://www.npci.org.in/PDF/npci/upi/circular/2021/NPCI-UPI-OC-115-Rollout%20of-Numeric-UPI-ID-Mapper-to-enable-UPI-Number.pdf.

[9] https://www.sebi.gov.in/enforcement/orders/apr-2023/final-order-in-the-matter-of-karvy-stock-broking-limited_70734.html.

[10] https://www.sebi.gov.in/enforcement/orders/may-2023/order-in-the-matter-of-karvy-stock-broking-ltd-_72054.html.

[11] https://www.sebi.gov.in/reports-and-statistics/reports/jan-2025/consultation-paper-on-draft-circular-for-safe-and-efficient-transfers-on-upi-_91432.html.

[12] https://www.sebi.gov.in/legal/circulars/jan-2025/details-clarifications-on-provisions-related-to-association-of-persons-regulated-by-the-board-miis-and-their-agents-with-persons-engaged-in-prohibited-activities_91356.html.

[13] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59791.

[14] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=59737.

[15] https://economictimes.indiatimes.com/industry/banking/finance/banking/easebuzz-gets-rbi-authorisation-to-operate-as-online-payment-aggregator/articleshow/118146378.cms?from=mdr.

[16] https://www.moneycontrol.com/news/business/startup/phonepe-to-exit-account-aggregator-business-will-partner-with-other-aas-12933808.html.

[17] https://inc42.com/buzz/phonepe-launches-device-tokenisation-for-users-to-pay-securely-via-cards/.

[18] https://inc42.com/buzz/wealthtech-startup-univest-forays-into-broking-segment/.

[19] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=60066.

[20] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59930.

[21] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59931.

[22] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59933.

[23] https://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=59990.

[24] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59991.

[25] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=59944.

[26] https://rbidocs.rbi.org.in/rdocs/content/pdfs/HarPayment10032025.pdf.

[27] https://rbidocs.rbi.org.in/rdocs/content/pdfs/HarPayment10032025.pdf.