Introduction
The month of May saw a wave of regulatory activity and targeted reforms across key financial sector regulators, with both the Securities and Exchange Board of India ("SEBI") and the Reserve Bank of India ("RBI") releasing measures that reflect a continued emphasis on investor protection, ease of doing business and enhanced transparency, while also addressing emerging market practices.
There has also been a push towards greater accessibility and regulatory clarity, such as the clarifications issued by SEBI to the Cybersecurity and Cyber Resilience Framework ("CSCRF") which aim to streamline compliance by bringing more certainty to how SEBI regulated entities ("SEBI REs") are categorised, addressing operational concerns raised by REs, and the RBI's Digital Lending Directions, 2025 harmonising the framework applicable to digital lending. The Supreme Court's recognition of digital access as a fundamental right has also resulted in regulatory action from SEBI, moving towards greater inclusivity and accessibility in digital onboarding and Know-Your- Customer ("KYC") processes.
In this fifth edition of our fintech newsletter for the year 2025, we explore the key developments in the Indian fintech space from May 01, 2025, to May 31, 2025, highlighting the interplay between regulatory measures, compliance requirements, and industry developments in this space.
Recent Legal & Regulatory Developments
SEBI Introduces measures for ease of doing business for registered stockbrokers to undertake securities market related activities in GIFT-IFSC under a Separate Business Unit ("SBU")
SEBI removed the requirement for SEBI registered stockbrokers to obtain its specific approval to undertake securities market related activities in Gujarat International Finance Tech-city – International Financial Services Centre ("GIFT-IFSC"). SEBI registered stockbrokers proposing to undertake such activities in GIFT-IFSC may now do so under an SBU of the stockbroker, or if the branch qualifies as an SBU.
Stockbrokers may also continue using an existing subsidiary structure, and the manner of operating is up to their discretion. In this regard, to ringfence the activities of the stockbrokers in the Indian securities market and that of the SBU in GIFT-IFSC, SEBI has issued certain key safeguards which inter alia include:
- Ensuring arms-length relationship, segregation and ring-fencing between the securities market related activities of the SBU in GIFT-IFSC and the Indian securities market related activities.
- The SBU can only undertake securities market related activities as permitted by the IFSCA.
RBI issues the Digital Lending Directions, 2025
The RBI has issued the Reserve Bank of India (Digital Lending) Directions, 2025 ("DL Directions") marking a significant step in formalising and strengthening the regulatory framework for digital lending in India. The DL Directions consolidate earlier guidelines on digital lending and introduce new measures to address emerging risks in the digital lending ecosystem and enhance consumer protection. The DL Directions introduce new and enhanced measures with the overall goal of increasing transparency – such as streamlining arrangements involving Lending Service Providers ("LSPs") partnering with multiple RBI regulated entities ("RBI REs") for disbursing loans, the establishment of a public directory of digital lenders, etc. These measures require RBI REs to, amongst other things, ensure that:
- There is a formal contract between REs and LSPs, clearly outlining roles, rights, and obligations of each party, in line with the RBI's outsourcing guidelines.
- LSPs who have agreements with multiple RBI REs, must present a digital view of all matching loan offers through the Digital Lending Apps ("DLA"), clearly disclosing key terms such as the names of the RBI REs extending the loan offer, amount and tenor of loan, Annual Percentage Rate (APR), monthly repayment obligation and any penal charges so as to allow the borrower to make a fair comparison between multiple offers.
- The RBI RE and any LSP onboarded by it must respect the right to be forgotten that is exercisable by the data principal, including for instances where LSPs provide services to REs without the presence of a DLA.1
SEBI updates the Investor Charter for Registrars to an Issue and Share Transfer Agents ("RTA")
On May 14, 2025, SEBI updated the investor charter for RTAs, which was issued in 2021, with the view to enhance financial consumer protection along with enhanced financial inclusion and literacy. The changes inter alia include: (i) decrease in expected timeline for responding to the investor inquiries and grievance redressal from 30 (thirty) days to 21 (twenty one) days; (ii) inclusion of additional investor rights such as right to fair and equitable treatment, right to ask for and receive information about all the statutory and regulatory disclosures, right to sell/transfer securities with minimal documentation, right to get access to services in a suitable manner even if differently abled; and (iii) provided a new SMARTODR platform as a mode to file complaints for online dispute resolution. SEBI has made such updates in view of recent developments in the securities market including the introduction of the Online Dispute Resolution platform and SCORES 2.0 for grievance redressal. Registered RTAs have been directed to take necessary steps to bring the Investor Charter to the notice of existing and new shareholders, which includes disseminating this through email. The provisions of the circular are to come into force with immediate effect.
DEA, Ministry of Finance Amends Rule 8 of the Securities Contracts (Regulation) Rules
The Department of Economic Affairs, Ministry of Finance ("DEA") recently amended Rule 8 of the Security Contract (Regulation) Rules, 1957 ("SCRR"), clarifying when a member of a registered stock exchange can be construed as undertaking business activities that are prohibited for such members. Rule 8 of the SCRR sets out the qualification for a person to be elected as, and continue as, a member of a recognised stock exchange. As per the amendment, investments made by a member will not be considered as 'business' except when such investments involve client funds or client securities or relate to arrangements which create a financial liability on the stockbroker. This amendment was issued after taking notice of concerns raised by stakeholders regarding certain provisions in the SCRR and as part of the government's continued efforts towards enhancing ease of business in the financial sector.
NPCI issues guidelines on usage of UPI API
On May 21, 2025, the National Payments Corporation of India ("NPCI") issued additional guidelines on usage of UPI (Unified Payments Interface) API (Application programming interface) to be adhered by all UPI ecosystem members, which are in addition to the directions issued by the NPCI to PSP (Payment Service Provider) banks / acquiring banks to ensure that all API requests sent to UPI are monitored and moderated in terms of appropriate usage. These guidelines have been issued with the objective of improving UPI performance, and include the following requirements: (i) balance enquiry requests to check balance available through UPI applications must only be initiated by the customer, and UPI applications may limit or stop balance enquiry requests if required to reduce the load; (ii) requests by PSP to the NPCI for the list of public keys must be done only during non-peak hours (i.e. any time other than peak hours during the day when UPI financial transactions are the highest transactions per second, which is observed from 10 AM to 1 PM and from 5 PM to 9:30 PM); (iii) customer requests for list of accounts linked to their mobile number should only be initiated once the customer selects the issuer bank in the UPI application, and in the event the account is failed to be listed, every repeat attempt should be done only with customer consent; (iv) PSPs are to ensure that UPI autopay executions are initiated in non-peak hours and at moderated transactions per second; and (v) validation of UPI IDs or Virtual Payment Addresses before initiating a payment or transaction, must be done only when the customer intends to pay and the appropriate credentials of the initiator should be populated in payer details. NPCI also re-iterated that PSPs need to monitor usage of UPI APIs and that the stand-alone use of APIs for purposes other than intended is prohibited, unless approved specifically by NPCI.
RBI issues the KYC (Amendment) Directions, 2025
The RBI issued a draft circular on the updation / periodic updation of KYC, as contained under Paragraph 38 of the RBI Master Direction - Know Your Customer (KYC) Direction, 2016 ("RBI KYC Master Directions"), that requires REs to carry out periodic updation of KYC of customers based on their risk classification. The RBI had observed a large pendency in the periodic updation of KYC including in the accounts opened for Direct Benefit Transfer ("DBT") / Electronic Benefit Transfer ("EBT") under government schemes to facilitate credit of DBTs and / or scholarship amount (DBT / EBT/ scholarship beneficiaries) and accounts opened under the Pradhan Mantri Jan-Dhan Yojana. The RBI had also been receiving complaints regarding challenges faced by the customers in periodic updation of their KYC. To mitigate these issues and to ease the KYC process for customers, the RBI has decided to amend the RBI KYC Master Directions by issuing the RBI (Know Your Customer (KYC)) (Amendment) Directions, 2025, for which the RBI invited public comments that may be submitted until June 6, 2025. The proposed amendments include: (i) allowing all transactions undertaken by individual customers categorized as low risk and updating of KYC within one year of its falling due or up to June 30, 2026, whichever is later. Such customer accounts will also be regularly monitored by the REs; (ii) permitting banks to avail the services of bank authorised business correspondent for obtaining self-declaration from customers in case of no change in KYC information or change only in the address details; and (iii) mandating at least three advance intimations, including at least one intimation by letter, at appropriate intervals to customers through available communication options, for complying with the requirement of periodic updation of KYC. Subsequent to the due date, at least three reminders are to be given, including one by way of letter, for customers who still have not complied with the requirements despite advance intimations.
RBI issues revised Draft Directions on Investment by RBI REs in AIFs
On May 19, 2025, the RBI issued the Revised Draft Directions on Investment by RBI REs in Alternate Investment Funds ("AIFs") ("Revised Draft Directions"). Previously, the RBI had issued guidelines1 relating to investment by REs in AIFs on December 19, 2023, to address concerns relating to possible evergreening through this route, and had thereafter issued clarifications2 to the same on March 27, 2024. Further, SEBI has also issued guidelines requiring specific due diligence with respect to investors and investments of the AIFs. In light of the aforementioned developments, the RBI has issued the Revised Draft Directions. The key proposals of the Revised Draft Directions include: (i) capping of a single RE's contribution to any AIF scheme at 10% of its corpus; (ii) a ceiling of 15% for investment by all REs in an AIF scheme collectively; and (iii) investments by REs in an AIF scheme of up to 5% of the corpus without any restrictions and specific conditions in the event the investment goes beyond 5%. The Revised Draft Directions will be made applicable prospectively.
SEBI issues norms for internal audit mechanism and composition of the audit committee of Market Infrastructure Institutions ("MIIs").
SEBI issued a circular dated May 19, 2025, prescribing norms for internal audit mechanism and composition of audit committee of MIIs. With respect to the mechanism for internal audits, MIIs are required to (i) conduct an internal audit of all its functions and activities at least once in a financial year; (ii) have in place a policy for appointment of internal auditors (which is to be an independent audit firm(s)) approved by the Audit Committee and governing board of the MII, and such internal auditors are to report only to the audit committee of the MII; (iii) send the observations of the internal auditor to the respective heads of departments for their comments in a time bound manner, post which the internal auditor after incorporating the comments share the report with the Audit Committee in a timebound manner. In relation to the composition of the audit committee, the circular states inter alia that (a) the audit committee must not contain any executive director (including the managing director of the MII); and (b) the auditors of the MII and the key management personnel shall have the right to be heard in the meetings of the audit committee, when it considers the audit report, but shall not have the right to vote.
To view the full article please click here.
Footnote
1. For more detailed insights into the DL Directions, refer to our article, here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
