ARTICLE
16 July 2025

FinTech Newsletter: Recent Legal Developments And Market Updates From India - Fourth Edition 2025

I
IndusLaw

Contributor

IndusLaw logo
INDUSLAW is a multi-speciality Indian law firm, advising a wide range of international and domestic clients from Fortune 500 companies to start-ups, and government and regulatory bodies.
Explore Firm Details
April 2025 marked a regulatory-heavy month for India's fintech sector, with the Securities and Exchange Board of India ("SEBI") and the Reserve Bank of India ("RBI") driving pivotal reforms to fortify investor protection, operational resilience, and market credibility.
India Technology
Namita Viswanath,Nikhil Vijayanambi, and Sakshi Sharma
Your Author LinkedIn Connections

INTRODUCTION

April 2025 marked a regulatory-heavy month for India's fintech sector, with the Securities and Exchange Board of India ("SEBI") and the Reserve Bank of India ("RBI") driving pivotal reforms to fortify investor protection, operational resilience, and market credibility. These developments reflect the regulators' commitment to balancing innovation with robust governance in a fast- evolving digital financial landscape.

This is the fourth edition of the Fintech Newsletter for the year 2025, outlining key updates in the fintech sector for the month of April along with other regulatory and industry developments in the Indian fintech ecosystem.

RECENT LEGAL & REGULATORY DEVELOPMENTS

SEBI advises its regulated entities to use '1600' phone number series to prevent fraud and enhance investor protection

SEBI has advised all its regulated/registered entities ("RE(s)") to adopt the '1600' phone number series for service and transactional voice calls to their existing customers. This directive aligns with the guidelines issued by the Telecom Regulatory Authority of India ("TRAI"),1 with Department of Telecommunications allocating the 1600 (sixteen hundred) series numbers for any service/transactional calls and aims to strengthen investor protection and curb fraudulent practices in the securities market.

Under the notification, REs must exclusively use the '1600' (sixteen hundred) series when contacting existing customers. Investors are advised to treat such calls as legitimate and exercise caution when receiving calls from regular 10 (ten)-digit mobile numbers, which may be used by fraudsters. The objective of using this number series as allocated is to prevent fraudulent practices by creating a clear identifier for authentic communications.

SEBI operationalises the PaRRVA Framework for Verified Risk-Return Metrics

SEBI has announced the recognition and operationalisation of the Past Risk and Return Verification Agency ("PaRRVA"). This is in terms of the Regulations 16D and 16E under the SEBI (Intermediaries) Regulations, 20082, which provide for verification of risk and return metrics by PaRRVA.

As per the circular issued on April 4, 2025, PaRRVA will verify risk-return metrics used by investment advisers ("IAs"), research analysts ("RAs"), and algorithmic trading providers. This initiative is intended to curb misleading claims and enable investors to make informed decisions based on independently validated performance data.

The key aspects of the SEBI circular are:

  • A Credit Rating Agency ("CRA") with at least 15 (fifteen) years of existence, INR 100 (hundred) crore net worth, and a track record of rating 250 (two hundred and fifty)+ issuers can apply to become a PaRRVA. It must collaborate with a recognised Stock Exchange acting as the PaRRVA Data Centre ("PDC"), which hosts the verification system. The CRA holds principal responsibility for the verification process, while the PDC operates as its agent.
  • The recognition process involves two stages: in- principle approval, followed by final recognition after infrastructure and cybersecurity standards are met.
  • A 2 (two)-month pilot phase will precede full operationalisation, during which feedback from stakeholders will be collected and public access to verified metrics will be restricted.
  • The system will function through real-time and end- of-day data flows from intermediaries and market infrastructure institutions. Verified risk-return data will be publicly disseminated via PaRRVA's platform, with strict presentation and disclaimer guidelines to prevent selective or misleading use.
  • SEBI has amended relevant clauses in its Master Circulars for IAs,3 RAs,4 and Stock Brokers,5 now permitting them to reference past performance in advertisements only if verified by PaRRVA and presented as per SEBI's guidelines.
  • An oversight committee comprising directors, public interest representatives, and investor associations will monitor PaRRVA and PDC operations, ensure data integrity, resolve disputes, and recommend improvements.

The circular has come into effect immediately on its date of issue.

RBI issues the draft RBI (Non-Fund Based Credit Facilities) Directions, 2025

RBI had released the Draft RBI (Non-Fund Based Credit Facilities) Directions, 2025 ("NFBC Directions") to establish a comprehensive and uniform regulatory framework governing non-fund based ("NFB") credit exposures across REs. The draft was open for public and stakeholder comments until May 12, 2025.

The NFBC Directions apply to Commercial Banks, Regional Rural Banks ("RRBs"), Local Area Banks ("LABs"), Urban Co-operative Banks ("UCBs"), State and Central Co-operative Banks, All India Financial Institutions ("AIFIs"), Non-Banking Financial Companies ("NBFCs"), and Housing Finance Companies ("HFCs"). However, derivative exposures and assets already covered under the RBI's stressed asset resolution framework are excluded.

Key provisions include:

  • REs may issue NFB credit facilities only to customers with an existing business relationship. Board- approved credit policies must clearly outline the types of NFB facilities offered, limits granted, credit appraisal, controls, fraud prevention and overall monitoring mechanism etc. The credit assessment must match the rigour applied to funded credit facilities.
  • Guarantees are categorised as either financial or performance guarantees, with all guarantees required to be irrevocable, unconditional, and incontrovertible (i.e. invoked guarantees must be honoured promptly). A detailed board-approved policy must govern the type and nature of guarantee, credit appraisal, limits on exposure, and invocation-settlement mechanism, etc.
  • Only scheduled UCBs and NBFCs in the middle or upper regulatory layer may issue performance guarantees. For NBFCs, UCBs, RRBs and RCBs, the total volume of guarantee exposure to be capped at 5% (five percent) of total assets with a 25% (twenty- five percent) sub-cap for unsecured guarantees. The maximum tenor for the guarantees extended by these REs is 10 (ten) years.
  • REs are encouraged to adopt electronic guarantees, supported by strong process controls to ensure security and auditability.
  • Specified REs (including SCBs, AIFIs, NBFCs in Top, Upper and Middle Layers and HFCs) may offer Partial Credit Enhancements ("PCE") to bonds issued by corporates or Special Purpose Vehicles, including large NBFCs (asset size of more than INR 1,000 (one thousand) crore), to help improve credit ratings and enable better bond market access.
  • PCEs may be provided as irrevocable contingent credit lines for bond servicing purposes. The aggregate PCE exposure of an RE should not exceed 50% (fifty percent) of the bond issue size and is permitted only for bonds rated 'BBB' minus or above by two external credit rating agencies.
  • REs must publish standardised financial disclosures as of March 31 each year, detailing contingent liabilities and clearly distinguishing secured from unsecured guarantees.

RBI empowers NPCI to revise UPI Limits for P2M Transactions

The RBI has permitted the National Payments Corporation of India ("NPCI") to revise transaction limits for person-to- merchant ("P2M") payments through Unified Payments Interface ("UPI"). The move aims to accommodate higher-value transactions in select merchant categories. With this change, NPCI will be able to adjust transaction limits for P2M payments, in consultation with banks and other stakeholders. However, person-to-person ("P2P") transactions will continue to remain capped at INR 1 (one) lakh.

Currently, UPI transactions for both P2P and P2M are generally capped at INR 1 (one) lakh, with exceptions for specific merchant categories like education and healthcare, where the limits are higher, ranging from INR 2 (two) Lakh to INR 5 (five) Lakh. The RBI has stated that banks shall continue to have the discretion to decide their own internal limits within the limits announced by NPCI.

This move comes at a time when the government is deliberating on bringing back the merchant discount rate ("MDR") in the payment industry. The government withdrew MDR in the FY22 Budget to promote digital payments. Currently, no MDR is levied on UPI and RuPay debit card payments, which the payment industry feels should be reinstated for merchants with an annual turnover exceeding INR 40 (forty) Lakh.6

NPCI issues a circular on strengthening beneficiary name verification and display during UPI Transactions

NPCI has issued an addendum to its earlier directive7 mandating stricter display norms for beneficiary names during UPI transactions. The new norms outlined in the circular aim to reduce fraud through identification of the correct beneficiary and by improving customer trust during P2P and P2M transactions.

Key directives to be implemented:

  • Only the ultimate beneficiary's banking name fetched from the Validate Address API must be shown to the user as part of details in the pre-transaction phase, and in the transaction statement/history.
  • Names extracted from QR codes, or any user-defined names of the payee must not be displayed to the payer.
  • Users should not be allowed to modify the beneficiary's name in the app interface for any transaction purpose.
  • The circular shall become effective from June 30, 2025, and failure to adhere beyond the deadline will be treated as non-compliance.

IFSCA notifies regulations for KYC Registration Agencies in IFSC

The International Financial Services Centres Authority ("IFSCA") has notified the IFSCA (KYC Registration Agency) Regulations, 2025 on April 11, 2025, introducing a comprehensive framework for the registration, regulation, and functioning of KYC Registration Agencies ("KRAs") within International Financial Services Centres ("IFSCs"). These regulations aim to standardise KYC processes, ensure secure and interoperable storage of client data.

Key provisions of the regulations are:

  • Eligibility Criteria: Entities must be IFSC-based companies or branches/subsidiaries of SEBI- registered entities (set up to undertake activities similar to those of a KRA), with a minimum net worth of USD 1 (one) million at all times.
  • Human Resource Norms: KRAs must appoint a Principal Officer, and a separate Compliance Officer based out of IFSC.
  • Mandatory KYC Upload by Regulated Entities: All IFSCA-regulated entities are required to perform initial KYC/due diligence and upload client KYC data to KRAs within 3 (three) working days of completion of KYC process.
  • Functions of KRAs: KRAs will validate, store, safeguard, the KYC documents. They must establish interoperability with other KRAs, maintain secure transmission links, and enable regulated entities to access records only with client consent.
  • Compliance and Reporting: KRAs must maintain records for at least 8 (eight) years, implement mechanisms of cybersecurity and business continuity plans, and conduct annual audits and risk assessments.
  • Code of Conduct: KRAs are required to act in the best interests of clients, maintain confidentiality, avoid conflicts of interest, and follow fair market practices.
  • Data Protection: All KRAs must ensure compliance with applicable data protection laws and maintain audit trails for every upload, modification, or access of KYC records.

SEBI extends timeline for algorithmic trading implementation standards

SEBI has extended the timeline for finalising and implementing standards under its circular titled "Safer participation of retail investors in Algorithmic trading", originally issued on February 4, 2025 ("Original Circular"),8 which outlined the framework for algorithmic trading by persons using application programming interfaces extended by stock brokers.

The extension comes after requests from stock exchanges citing the need for further deliberation with the Brokers' Industry Standards Forum ("BISF"). The circular has been issued under powers granted by Section 11(1) of the SEBI Act, 1992, and Section 30 of the SEBI (Stock Brokers) Regulations, 1992.

Key updates in the circular include:

  • Implementation standards, to be formulated by the BISF under the aegis of stock exchanges in consultation with SEBI, had come into effect from May 1, 2025.
  • The broader provisions of the Original Circular will be applicable from August 1, 2025.

SEBI issues circular on clarifications to Cybersecurity and Cyber Resilience Framework

SEBI has issued a circular titled "Clarifications to Cybersecurity and Cyber Resilience Framework ("CSCRF") for SEBI-REs. The CSCRF, which was issued by SEBI vide circular dated August 20, 2024,9 established key obligations for SEBI-REs to enhance their cyber preparedness. It obliges REs to strengthen vendor contracts with clear cybersecurity obligations, audit rights, and defined liabilities; maintain a comprehensive inventory and classification of IT assets; conduct regular vulnerability assessments and penetration testing with strict timelines for remediation; carry out periodic cyber audits; submit cyber capability metrics and also sets strict requirements around data encryption.

The main objective of this circular issuing clarifications to the CSCRF is to provide clarity, revised thresholds, and categorisation norms for different SEBI-REs, and ensure that cybersecurity requirements are applied proportionately based on the size and nature of the entity.

Key provisions of the circular include:

  • REs are to be categorised at the beginning of the financial year based on previous year data and will remain in that category throughout the year.
  • Stock Brokers: Categorised into Qualified, Mid-size, Small-size, or Self-certification REs based on number of clients and annual trading volume, with brokers having fewer than 1,000 (one thousand) clients and INR 1,000 (one thousand) crore volume exempted from CSCRF.
  • Depository Participants ("DPs"): Classified based on their registration, with DPs also registered as stockbrokers following stockbroker norms, and those with fewer than 100 (one hundred) clients exempted from Security Operations Centers ("SOC") services or onboarding to market SOCs ("M-SOC").
  • IAs: Standalone IAs are exempted from CSCRF, while those registered in other capacities must follow the highest applicable category.
  • RAs: Follow the same exemption and classification approach as IAs, with BSE Ltd. designated as the reporting authority for both IAs and RAs for 5 (five) years from July 25, 2024.
  • KRAs: Reclassified from Market Infrastructure Institutions (MIIs) to Qualified REs.
  • Portfolio Managers: Categorised based on AUM, with those managing INR 3,000 (three thousand) crore or less and having fewer than 100 (one hundred) clients exempted from M-SOC requirements.
  • AIFs and VCFs: Categorisation is determined at the manager level based on total corpus, and managers with fewer than 100 (one hundred) clients under the self-certification category are exempted from M-SOC.
  • Merchant Bankers (MBs): Those handling issue management activities are classified as mid-size REs, while all others fall under the small-size RE category.
  • Registrar to an Issue and Share Transfer Agents ("RTAs"): RTAs with fewer than 100 (one hundred) clients are exempted from SOC or M-SOC obligations.
  • Multi-registered Entities: Entities registered in more than one category must comply with the highest applicable classification.

The deadline for adoption of the CSCRF by the REs remains June 30, 2025, which was extended via SEBI circular dated March 28, 2025,10 following industry representations seeking more time to align internal processes.11

To read this article in full, please click here.

Footnotes

1. https://www.trai.gov.in/sites/default/files/2025-02/Regulation_12022025.pdf

2. https://www.sebi.gov.in/legal/regulations/aug-2022/securities-and-exchange-board-of-india-intermediaries-regulations-2008-last-amended-on-august-1-2022-_61700.html

3. Please refer to Section 10.1 (c)(xii) of the SEBI – Master Circular for Investment Advisors, available here.

4. Please refer to Section 21 of the SEBI – Master Circular for Research Analysts, available here.

5. Please refer to Sections 59.13 and 59.14 of the SEBI – Master Circular for Stock Brokers, available here.

6. https://inc42.com/buzz/rbi-allows-npci-to-revise-upi-limits-for-p2m-transactions/

7. https://www.npci.org.in/PDF/npci/upi/circular/2021/Circular-Ultimate-Beneficiary.pdf

8. https://www.sebi.gov.in/legal/circulars/feb-2025/safer-participation-of-retail-investors-in-algorithmic-trading_91614.html?trk=public_post_comment-text

9. https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html

10. https://www.sebi.gov.in/legal/circulars/mar-2025/extension-towards-adoption-and-implementation-of-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93146.html

11. https://www.sebi.gov.in/legal/circulars/mar-2025/extension-towards-adoption-and-implementation-of-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93146.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Namita Viswanath
Namita Viswanath
Photo of Nikhil Vijayanambi
Nikhil Vijayanambi
Photo of Sakshi Sharma
Sakshi Sharma
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More