INTRODUCTION
The first quarter of 2025 witnessed dynamic and reformative regulatory activity with key financial sector regulators in India introducing significant frameworks aimed at enhancing investor protection, strengthening cybersecurity resilience, improving compliance frameworks, and streamlining operational procedures across various segments of the financial ecosystem.
Among the key highlights are the Reserve Bank of India's ("RBI") proposed security enhancements in the form of introducing Additional Factor of Authentication requirement for cross-border card-not-present transactions and extending the Unified Payment Interface ("UPI") framework to include pre-sanctioned credit lines issued by small finance banks. The RBI also issued the Framework for Recognising Self-Regulatory Organisations for the Account Aggregator ecosystem, establishing a governance and compliance architecture intended to support responsible data sharing and innovation in financial information services. On the securities market front, the Securities and Exchange Board of India ("SEBI") has introduced multiple regulatory measures targeting innovation and investor safety. These include the long-anticipated framework to enable retail participation in algorithmic trading and new obligations for the use of artificial intelligence and machine learning by regulated intermediaries. This edition of the newsletter highlights significant shifts in regulations, prevailing industry hurdles, and noteworthy market dynamics within the realm of the Indian FinTech sector, spanning the period from February 01, 2025, to March 31, 2025.
RECENT LEGAL & REGULATORY DEVELOPMENTS
RBI Issues Draft Additional Factor of Authentication for Cross-Border Card Not Present Transactions
RBI, through a draft circular issued under the Payment and Settlement Systems Act, 2007, has proposed to mandate the implementation of an Additional Factor of Authentication ("AFA") for cross-border Card Not Present ("CNP") transactions. This move aligns with the RBI's Payments Vision 2025, which seeks to extend domestic-level security standards to international card-based transactions.
While AFA has been a mandatory requirement for domestic card transactions since 2009, including for domestic CNP transactions, cross-border CNP transactions have remained outside the purview of this mandate. The proposed framework aims to introduce a similar level of authentication to enhance security and reduce fraud in international e-commerce and digital payments involving Indian-issued cards.
Under the draft directions, card issuers will be required to: (a) register their Bank Identification Numbers with card networks to enable AFA validation; (b) validate AFA for non-recurring cross-border CNP transactions whenever a request for such authentication is initiated by the overseas merchant or acquirer; and (c) implement a risk-based framework to manage all cross-border CNP transactions, thereby allowing flexibility while maintaining robust risk controls.
Extension of the Scope of UPI for the Usage of Credit Lines Provided by Small Finance Banks
The RBI recently amended its circular dated September 04, 2023, to extend the facility of using the UPI for operating pre-sanctioned credit lines to also include those issued by small finance banks. Previously, this facility was limited to credit lines provided by scheduled commercial banks.
The RBI has explained in its Statement on Developmental and Regulatory Policies that such a step is necessary to make low-ticket, low-tenor products available to 'new-to-credit' customers and to allow small finance banks to leverage UPI to reach the last mile customer.
SEBI Issues Framework for Safer Retail Participation in Algorithmic Trading
SEBI has issued a regulatory framework to facilitate safer participation of retail investors in algorithmic trading ("Algo Trading"), with brokers ("Brokers") and stock exchanges ("Exchanges") playing a central role in implementing safeguards and ensuring effective risk management.
Given the increasing interest in Algo Trading by retail investors, SEBI has now formalised a comprehensive set of measures aimed at protecting investor interests and preserving market integrity. The framework clearly delineates the rights and responsibilities of key stakeholders, namely, investors, Brokers, Exchanges, and fintech firms, vendors, or individuals that offer Algo Trading services using Application Programming Interface ("API") access through Brokers ("Algo Providers"), to ensure safe and structured access to Algo Trading facilities.
The proposed framework, inter alia, outlines the following:
- Brokers providing Algo Trading facilities must act as principals, with any Algo Provider acting as their agent.
- All algo orders routed through Broker-provided APIs must carry a unique identifier issued by the Exchange to ensure traceability.
- Brokers are required to implement stringent controls, including static IP whitelisting, vendor-specific API keys, OAuth-based authentication, and two-factor authentication mechanisms.
- Brokers are expected to conduct due diligence before onboarding any empanelled Algo Provider and must ensure transparency in fee structures and commercial arrangements with such providers.
- Brokers are required to establish robust monitoring systems to identify and tag algo orders and must engage only with empanelled Algo Providers.
- All investor grievances related to algo trading must be handled by the Broker, who remains responsible for compliance with SEBI's outsourcing guidelines.
- Brokers must seek prior approval from the Exchanges for all algos and any subsequent modifications.
- While Algo Providers will not be directly regulated by SEBI, they must be empanelled with the Exchanges in accordance with criteria specified by the Exchanges.
- Retail investors developing their own algos using programming knowledge may continue to do so, subject to getting registered with the Exchange through their Broker if their usage crosses a specified threshold.
- Exchanges will retain oversight of Algo Trading activity, including formulating Standard Operating Procedures for algo testing, maintaining surveillance and simulation capabilities, and retaining kill-switch functionality for dealing with malfunctioning algos.
- Algos will be classified into two categories: Execution or "White Box" algos, where the trading logic is disclosed and replicable; and "Black Box" algos, where the logic is not known to the user. For Black Box algos, the Algo Provider must register as a Research Analyst and maintain detailed research reports for each algo. Any modification to the logic will require a fresh registration and supporting documentation.
In line with the directions of this circular, National Stock Exchange of India Limited and BSE Limited have released implementation standards for algorithmic trading. The provisions of this circular are proposed to take effect from August 1, 2025.
SEBI Introduces MITRA Platform to Trace Inactive and Unclaimed Mutual Fund Folios
By its circular dated February 12, 2025 ("SEBI Circular"), SEBI introduced the Mutual Fund Investment Tracing and Retrieval Assistant ("MITRA"), a centralised platform designed to assist investors in identifying and recovering inactive and unclaimed Mutual Fund folios. The platform has been jointly developed and will be hosted by the two Qualified Registrar and Transfer Agents ("QRTAs"), Computer Age Management Services Limited ("CAMS") and KFin Technologies Limited, acting as agents of the Asset Management Companies ("AMCs").
The initiative aims to address long-standing concerns around investors losing track of investments made with incomplete KYC, in physical form, or without valid contact details—often resulting in such folios remaining dormant and susceptible to fraudulent redemptions.
Under the SEBI Circular, a folio is classified as inactive where no investor-initiated transactions (financial or non-financial) have occurred in the last ten years, while units remain invested. The MITRA platform, made available through MF Central, the websites of AMCs, AMFI, SEBI, and the QRTAs, is inter alia intended to enable investors and rightful claimants to locate forgotten or overlooked investments, promote KYC compliance, reduce the quantum of unclaimed folios, and establish safeguards against potential misuse or fraud.
The QRTAs are jointly and severally responsible for ensuring regulatory compliance, including adherence to the SEBI Master Circular on Mutual Funds dated June 27, 2024, in respect of cyber security, system audits, and business continuity planning.
SEBI Introduces Framework on Use of Artificial Intelligence by Intermediaries
By way of the SEBI (Intermediaries) (Amendment) Regulations, 2025 ("Amendment Regulations"), SEBI has inserted a new Chapter IIIB under the SEBI (Intermediaries) Regulations, 2008 ("Intermediaries Regulations"), to introduce a regulatory framework governing the use of artificial intelligence ("AI") and machine learning ("ML") tools and techniques by SEBI-regulated intermediaries.
The Amendment Regulations place the onus of responsibility on the regulated intermediaries for any use of AI and ML tools in their business operations and investor servicing. This responsibility exists irrespective of whether the tools are developed in-house or sourced from third-party technology service providers. Regulated entities are required to ensure that investor and stakeholder data, especially data held in a fiduciary capacity, is handled with full regard for privacy, security, and integrity. These entities are also held accountable for the outputs generated by AI/ML tools and for ensuring that their use is in full compliance with applicable legal and regulatory requirements. SEBI has also retained the power to take appropriate enforcement action in cases of non-compliance.
A notable aspect of the Amendment Regulations is the expansive and inclusive definition given to AI and ML tools. The term "artificial intelligence and machine learning tools and techniques" includes any application, software program, executable system, or a combination thereof that is either used internally by the regulated entity for business purposes or offered to investors and stakeholders as part of their services. The scope of use is intentionally broad and encompasses tools deployed for facilitating investments or trading activities, disseminating investment strategies or advice, fulfilling compliance obligations, or supporting business operations such as risk management, client servicing, or internal decision-making. Importantly, this definition captures not only those tools that are directly visible to end users but also those functioning behind the scenes, such as AI-enabled surveillance systems, automated compliance tools, fraud detection mechanisms, and data analytics engines. The regulation is designed to include any AI/ML system portrayed as being part of the intermediary's offering to the public or used in any operational or compliance capacity internally.
With these Amendment Regulations, SEBI aims to strike a balance between fostering technological innovation and ensuring market integrity and investor protection. The clear allocation of responsibility ensures that regulated intermediaries remain accountable for the use and impact of AI/ML in all aspects of their operations, reinforcing trust while enabling the growth of data-driven technologies in the securities market.
SEBI Issues MITCs for Investment Advisers and Research Analysts
In furtherance of the amendments made to the SEBI (Investment Advisers) Regulations, 2013 and the SEBI (Research Analysts) Regulations, 2014 in December 2024 and the guidelines issued by SEBI for Investment Advisers ("IAs") and Research Analysts ("RAs") dated January 08, 2025, SEBI has issued the Most Important Terms and Conditions ("MITCs") to be agreed between IAs/RAs and their clients.
The MITCs issued for IAs require IAs to incorporate terms with respect to (a) acceptance of payments only towards its fees for providing investment advisory services and non-acceptance of funds or securities on behalf of the client; (b) not guaranteeing assured/fixed returns, accuracy, or risk-free investments; (c) providing disclosures regarding any advice provided for non-securities products which are outside the purview of SEBI; (d) providing details of grievance redressal mechanism and escalation matrix; and (e) charging of fees within the limits prescribed by SEBI, among others.
Similarly, the MITCs issued for RAs require RAs to incorporate terms with respect to (a) not allowing RAs to execute/carry out any trade on behalf of its clients; (b) charging of fees within the limits prescribed by SEBI; (c) not guaranteeing assured/fixed returns, accuracy, or risk-free investments; (d) making disclosures with respect to the risks involved in making investments based on the recommendations of the RA in research reports; and (e) providing details of grievance redressal mechanism, among others.
SEBI Updates Investor Charter for Stockbrokers
SEBI, through a circular dated February 21, 2025, has updated the investor charter for stockbrokers, which was issued in 2021, for publication by stockbrokers on their websites. SEBI has stated that the investor charter has been updated to account for recent developments in the securities market including the introduction of the Online Dispute Resolution platform and SCORES 2.0 for grievance redressal. The investor charter so prescribed under the said circular summarises the services provided by stockbrokers to their clients, rights of investors, timelines prescribed on stockbrokers for completion of various processes such as KYC, client onboarding, order execution, grievance redressal, etc., Do's and Don'ts for investors, among others.
Additionally, the aforesaid circular also requires that stockbrokers disclose the data on complaints received against them or against issues dealt with by them and redressal thereof on a monthly basis in the format prescribed therein.
SEBI Proposes Technology-Based Framework to Secure Trading and Demat Accounts
On February 18, 2025, SEBI released a consultation paper titled "Consultation Paper on Technology based Measures to Secure Trading Environment and to Prevent Unauthorised Transactions in Trading/Demat Account of Investors." The consultation paper proposes key changes aimed at strengthening the security infrastructure of the trading and demat ecosystem and preventing unauthorised access and transactions.
The paper outlines a series of technology-driven measures in response to the rising instances of SIM spoofing, unauthorised trading, account modifications, and erroneous share transfers reported in recent times. SEBI noted that with increasing dependence on mobile and web-based trading applications, the absence of robust security protocols has rendered these platforms vulnerable to fraud, hacking, and identity theft.
To address these risks, SEBI constituted a working group to review the current framework and suggest improvements. Based on the recommendations received, the consultation paper proposes the implementation of several key measures aimed at fortifying the trading ecosystem through enhanced authentication protocols and better access controls.
One of the core proposals is the introduction of a SIM-binding mechanism that would link the Unique Client Code ("UCC") of an investor with a specific mobile device and SIM card, similar to the model followed by UPI payment applications. Under this proposal, trading access would only be granted through a registered device recognised by the trading application based on a combination of UCC, SIM, and device information.
Further, the consultation paper suggests incorporating biometric authentication (such as fingerprint or facial recognition) for login, QR code-based proximity and time-sensitive login for access on desktops/laptops, and provisions to link multiple family member UCCs to a single device based on client authorisation.
In addition to login authentication, the paper proposes a range of access control mechanisms. These include allowing investors to place a temporary lock on their trading accounts, monitor and revoke sessions active on other devices, and set parameters such as volume or instrument restrictions.
To address operational concerns around call-and-trade and walk-in trading services, the consultation paper proposes allowing such trades only via centralised, dedicated communication channels of the broker, authenticated by OTPs or tamper-proof audio-visual systems.
With regard to demat accounts, SEBI has suggested measures to prevent erroneous or unintended transfers. These include mandatory verification of target account names prior to off-market transactions and two-step entry of beneficiary account numbers to validate details. For clients using basic phones, SEBI recommends Interactive Voice Response System-based OTP authentication.
The implementation of the proposed framework will be carried out in a phased manner. Initially, the top 10 (ten) qualified stockbrokers will be required to adopt the SIM-binding and related authentication mechanisms within 6 (six) months of the issuance of the circular. While the secure login protocol will be optional at first, SEBI proposes to make it mandatory over time. All other provisions of the framework will apply to all stockbrokers and depository participants.
IRDAI Issues Circular on Premium Payment via UPI One-Time Mandate for Bima-ASBA
The Insurance Regulatory and Development Authority ("IRDAI"), through a circular dated February 18, 2025 ("Bima-ASBA Circular"), introduced a framework to facilitate premium payments for life and health insurance policies using a UPI-based One-Time Mandate ("OTM"), referred to as Bima-ASBA. Under this framework, policyholders are permitted to block the premium amount in their bank accounts at the time of proposal submission, with the actual debit occurring only upon the issuance of the insurance policy. In instances where the policy is not issued, the blocked amount would need to be released back to the customer in full.
All distribution channels, including corporate agents and other intermediaries, are required to ensure that proposal forms—whether digital or physical—are updated to incorporate a standard declaration authorising the insurer to initiate the UPI-based mandate. Distributors must clearly communicate the nature of the Bima-ASBA arrangement to prospective policyholders, including the fact that the mandate only results in blocking, and not debiting of funds until the policy is accepted.
IFSCA Mandates FIU-IND Portal Registration
The International Financial Services Centres Authority ("IFSCA"), through a circular dated February 25, 2025 ("Registration Circular"), has reiterated and clarified the obligation of all regulated entities operating in GIFT-IFSC to register on the FIU-IND FINGate 2.0 portal for compliance with the IFSCA (Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022. This circular is in continuation of an earlier communication dated March 14, 2024, and aims to streamline the reporting and compliance framework under the Prevention of Money Laundering Act, 2002, by ensuring all regulated entities are onboarded to the designated financial intelligence portal maintained by the Financial Intelligence Unit - India ("FIU-IND").
As per the Registration Circular, all regulated entities are required to complete their registration on the FIU-IND FINGate 2.0 portal prior to the commencement of business. In exceptional cases where business operations begin urgently, registration must be completed within 30 (thirty) days from the date of commencement.
The Registration Circular further clarifies that any changes or additions to a regulated entity's line of business must also be updated on the FIU-IND portal within 30 (thirty) days of commencement of the new activity. If an entity is unable to register or update its information on the portal due to reasons beyond its control, it must still fulfil its reporting obligations under the Prevention of Money Laundering Act, 2002 by submitting the relevant filings via email. Notably, compliance with these requirements is deemed a condition of the entity's registration, recognition, license, or authorisation under IFSCA regulations.
IFSCA Issues International Financial Services Centres Authority (Fund Management) Regulations, 2025
The IFSCA, through a circular dated February 19, 2025, has notified the IFSCA (Fund Management) Regulations, 2025 ("FM Regulations 2025"), following a comprehensive review of the earlier 2022 framework.
Key reforms inter alia include a reduction in the minimum corpus for both retail and non-retail schemes from USD 5 (five) million to USD 3 (three) million, and an extension in the validity of the Private Placement Memorandum to 12 (twelve) months. For large fund management entities ("FMEs") with assets under management exceeding USD 1 (one) billion (excluding fund-of-funds), an additional Key Managerial Personnel appointment is now required. Portfolio management services have also been liberalised with the minimum investment threshold halved to USD 75,000 (seventy-five thousand).
Additionally, FMEs have been permitted to establish offshore marketing offices without prior IFSCA approval, by only providing prior notice to IFSCA.
IRDAI Issues Directive on Cyber Security
The IRDAI, on March 24, 2025, issued a directive on cyber security to all entities regulated by the IRDAI ("IRDAI Directive"). The IRDAI inter alia reiterated the requirements of (a) reporting cyber incidents to IRDAI in the prescribed format within 6 (six) hours of noticing or being brought to notice about such incidents; (b) maintaining and monitoring information and communications technology infrastructure and application logs for a rolling period of 180 (one hundred and eighty) days; and (c) performing forensic investigation for severe information security incidents, with the Chief Information Security Officer engaging external certified and competent forensic experts.
The IRDAI additionally mandated all IRDAI-regulated entities to (a) establish a well-defined procedure/practice to ensure that forensic auditor(s) are empanelled in advance and can be onboarded to conduct forensics and root cause analysis of cyber incident(s) without any delay; (b) ensure that the vendor handling the Security Operation Centre (SOC), attack surface monitoring, red teaming, or conducting the annual assurance audit or any cyber security aspect of the IRDAI-regulated entity is not engaged as the forensic auditor for the incident, in order to avoid a conflict of interest; and (c) demonstrate compliance with the aforementioned requirements to such entities' board of directors in the ensuing board meeting and submit the minutes of such meeting to the IRDAI, for its records.
SEBI Issues Consultation Paper on Activities of Stock Brokers in GIFT-IFSC
On March 21, 2025, SEBI issued a consultation paper on 'facilitation to SEBI registered Stock Brokers to undertake securities market related activities in Gujarat International Finance Tech-city – International Financial Services Centre ("GIFT-IFSC") under a Separate Business Unit ("SBU")', and invited public comments on the same ("Consultation Paper").
With an intent of ensuring ease of doing business, SEBI, vide the recommendations in the Consultation Paper, intends to do away with the requirements under the extant norms pertaining to the captioned subject. Extant norms require SEBI-registered stock brokers ("Stock Brokers") to obtain approval from SEBI in the form of a no-objection certificate (NOC) to float subsidiaries or to enter into a joint venture to undertake securities market related activities in GIFT-IFSC.
In furtherance of such recommendation, SEBI in the Consultation Paper has also issued a draft circular in this regard. The draft circular states that policy, eligibility criteria, risk management, investor grievances, inspection, enforcement, claims, etc., related matters for SBUs in GIFT-IFSC would be set out under a regulatory framework issued by a specific regulatory authority for this, and the SBUs' activities in GIFT-IFSC would be under the jurisdiction of such authority. Further, with the intent of demarcating regulatory obligations and ring-fencing the activities of the Stock Brokers in the Indian securities market and that of SBUs in GIFT-IFSC, SEBI has proposed prescribing certain safeguards which inter alia include: (a) requirement of Stock Brokers to ensure that securities market related activities of the SBUs in GIFT-IFSC are segregated and ring-fenced from such Stock Broker's Indian securities market related activities, and an arm's-length relationship is maintained between these activities; (b) ensuring that the SBU in GIFT-IFSC is exclusively engaged in providing securities market related activities in GIFT-IFSC only; (c) maintaining a separate account for the SBU on an arm's-length basis, and keeping the net worth of the SBU segregated from the net worth of the Stock Broker in the Indian securities market. SEBI also noted that, given that the SBU will be governed by another regulatory authority, the grievance redressal mechanism and the Investor Protection Fund (IPF) of stock exchanges and SCORES would not be available for investors availing services of the SBU. In the event Stock Brokers have already floated a subsidiary or entered into a joint venture to undertake securities market related activities in GIFT-IFSC after obtaining SEBI's approval, SEBI has proposed that such Stock Brokers would be permitted to dismantle such subsidiary/joint venture and carry out services under an SBU of the stock broking entity.