FinTech: RBI Licensing, NBFC, Regulatory Sandbox

Why India's Fintech Sector Attracts Record Foreign Investment

India's fintech ecosystem is the world's third-largest by funding volume and second-largest by number of startups. With over 2,100 active fintech firms, UPI processing more than 16 billion transactions monthly, and a digital payments market projected to exceed USD 10 trillion by 2027, the opportunity for foreign investors is enormous. The regulatory landscape, however, requires careful navigation through multiple licensing regimes administered by the Reserve Bank of India (RBI) and other financial regulators.

For foreign companies, the good news is that 100% FDI is permitted under the automatic route for fintech businesses categorized as "other financial services" — provided they are regulated by a recognized financial sector regulator. This means no prior government approval is needed, but the entity must secure the appropriate RBI license before commencing operations. This guide covers every licensing pathway, capital requirement, and compliance framework a foreign fintech investor needs to understand in 2025-2026.

The Indian government has actively promoted financial inclusion through initiatives like Jan Dhan Yojana (which brought over 500 million unbanked Indians into the formal financial system), Aadhaar-based eKYC, and the India Stack — a set of open APIs that enable digital identity verification, electronic document storage, and instant payment settlement. These infrastructure layers have created a fertile environment for fintech innovation, with the total addressable market for digital financial services estimated at USD 1.3 trillion by 2030.

FDI Framework for Fintech in India

Automatic Route Eligibility

Under the Consolidated FDI Policy (updated October 2020 and subsequent circulars), 100% FDI is permitted under the automatic route for activities categorized as "other financial services" — but only if the activity is regulated by a financial sector regulator such as the RBI, SEBI, IRDAI, or PFRDA. This covers NBFCs, payment aggregators, payment banks, and insurance-linked fintech platforms.

Foreign investors from countries sharing a land border with India (China, Pakistan, Bangladesh, Nepal, Myanmar, Bhutan, Afghanistan) must use the government approval route under Press Note 3 (2020), which requires prior approval from the Department for Promotion of Industry and Internal Trade (DPIIT). This restriction applies regardless of the beneficial ownership percentage.

Entity Structure Requirements

A fintech company seeking an RBI license must be incorporated as a Private Limited Company or Public Limited Company under the Companies Act, 2013. LLPs, sole proprietorships, and partnerships are not eligible for NBFC registration or payment aggregator authorization. The entity must have at least one resident director — an individual who has stayed in India for at least 182 days during the financial year.

For a wholly-owned subsidiary, the foreign parent subscribes to the entire share capital. The investment must be reported to the RBI via FC-GPR within 30 days of share allotment, and the company must file the annual FLA Return by July 15 each year.

NBFC Registration: The Core Fintech License

What Qualifies as an NBFC

A Non-Banking Financial Company (NBFC) is a company registered under the Companies Act that engages in lending, investment, acquisition of shares/stocks/bonds, or any financial activity. Any fintech company that lends from its own balance sheet, provides credit facilities, or conducts leasing or hire-purchase must hold an NBFC license from the RBI.

Net Owned Fund Requirements (2025-2026)

The minimum Net Owned Fund (NOF) requirement for a new NBFC registration is INR 10 crore (approximately USD 1.2 million). This was raised from INR 2 crore in a phased manner, with the final threshold of INR 10 crore applicable from April 2025 onward for all new registrations.

Scale-Based Regulation Framework

Since October 2022, the RBI has classified NBFCs into four layers under its Scale-Based Regulation (SBR) framework. This classification determines the intensity of regulatory supervision:

• Base Layer (NBFC-BL): Non-deposit-taking NBFCs with assets below INR 1,000 crore. These face the lightest regulatory requirements. Capital adequacy requirement is 15% CRAR.
• Middle Layer (NBFC-ML): All deposit-taking NBFCs, non-deposit-taking NBFCs with assets of INR 1,000 crore and above, and specific NBFC categories (NBFC-HFC, NBFC-IFC, CICs). CRAR of 15% with Tier-I at minimum 10%.
• Upper Layer (NBFC-UL): The top 10 NBFCs by asset size, plus any others identified by the RBI based on systemic risk parameters. Subject to enhanced governance norms, common equity Tier-1 of 9%, and listing requirements within 3 years.
• Top Layer: Intended to remain empty. NBFCs elevated here if the RBI perceives specific risk, subject to bank-like supervision.

2026 Amendment: Unregistered Type I NBFCs

In a significant regulatory shift, the RBI amended its NBFC Directions effective April 1, 2026, introducing the concept of "Unregistered Type I NBFCs." Companies that do not access public funds, have no customer interface, and hold assets below INR 1,000 crore may be exempt from NBFC registration. Existing registered NBFCs meeting these criteria have until September 30, 2026, to surrender their Certificate of Registration. This change is relevant for holding companies and captive finance entities but does not apply to customer-facing fintech companies.

NBFC Registration Process

1. Incorporate the company under the Companies Act, 2013 with "financial activity" as a principal business object in the Memorandum of Association.
2. Ensure minimum NOF of INR 10 crore is available. The capital must be fully paid up — not just authorized.
3. Submit online application via the RBI's COSMOS portal with Form A, business plan (5-year projections), director profiles, and audited financials.
4. Director due diligence: At least one-third of directors must have prior experience in the finance industry. The RBI conducts background checks on all directors and significant shareholders.
5. RBI inspection and approval: The RBI reviews the application, may seek additional information, and conducts a fit-and-proper assessment. Timeline: 3 to 6 months from complete submission.
6. Certificate of Registration (CoR): Once approved, the RBI issues a CoR specifying the NBFC category. The NBFC can commence business only after receiving this certificate.

Payment Aggregator Authorization

New Master Directions (September 2025)

On September 15, 2025, the RBI issued the consolidated Master Direction on Regulation of Payment Aggregators, superseding all previous circulars from 2020, 2021, and 2023. This framework now categorizes payment aggregators into three distinct types:

• PA-O (Online): Aggregators facilitating e-commerce and online payment transactions
• PA-P (Physical): Aggregators where both the payment device and instrument are physically co-located (POS terminals)
• PA-CB (Cross-Border): Aggregators handling international payment transactions

Capital Requirements for Payment Aggregators

Entities that failed to apply by December 31, 2025, were required to wind down PA operations by February 28, 2026. The net worth calculation follows Companies Act standards, excluding deferred tax assets but allowing compulsorily convertible preference shares.

Key Compliance Obligations

Payment aggregators must maintain an escrow account with a scheduled commercial bank, settle merchant payments within T+1 business day (for online PAs), implement two-factor authentication for all transactions, and submit monthly reports to the RBI. Annual net worth certification by a statutory auditor is mandatory with the application and ongoing.

Merchant Onboarding and Due Diligence

PAs are required to perform background checks on all merchants before onboarding them. This includes verifying the merchant's legal status, business model, financial standing, and compliance history. For high-risk merchants — such as those dealing in gambling, forex trading, or adult content — enhanced due diligence is required. PAs must also implement a merchant categorization and risk-scoring framework, de-board non-compliant merchants promptly, and maintain records of all merchant due diligence for a minimum of 10 years after the merchant relationship ends.

Information Security Requirements

Payment aggregators must undergo an annual information systems (IS) audit conducted by a CERT-In empaneled auditor. The audit covers network security, data protection, access controls, incident response procedures, business continuity planning, and vulnerability assessment. PAs must also comply with the Payment Card Industry Data Security Standard (PCI DSS) if they handle card data, maintain a Security Operations Centre (SOC) for real-time threat monitoring, and submit a compliance certificate to the RBI annually. For cross-border PAs (PA-CB), additional compliance with anti-money laundering (AML) and combating the financing of terrorism (CFT) guidelines is mandatory, including transaction monitoring, suspicious transaction reporting to the Financial Intelligence Unit (FIU), and sanctions screening.

RBI Regulatory Sandbox: Testing Innovation

Framework Overview

The RBI Regulatory Sandbox (RS) allows fintech companies to live-test innovative products in a controlled environment with relaxed regulatory requirements for a limited period. Launched in 2019, the sandbox has completed five themed cohorts covering retail payments, cross-border payments, MSME lending, prevention of financial fraud, and a theme-neutral cohort.

Shift to On-Tap, Theme-Neutral Model (2025)

In a landmark change, the RBI moved from cohort-based to an "On-Tap" application model in 2025. This means fintech companies can now apply to the sandbox at any time, without waiting for a specific cohort window. The sandbox is also now permanently theme-neutral — companies can test innovations across any regulated financial services domain.

Key parameters of the sandbox:

• Tenure: Up to 9 months (extended from the original 7 months)
• Customer cap: Maximum 10,000 customers during the test phase
• Transaction cap: INR 1 lakh per customer for individual transactions
• Exit options: If successful, transition to full regulatory compliance; if unsuccessful, orderly wind-down with customer protection

Who Can Apply

Companies incorporated in India, including wholly-owned subsidiaries of foreign companies, can apply. The entity must have a minimum net worth of INR 50 lakh. FinTech firms focused on blockchain (non-crypto), AI-based lending, RegTech, InsurTech, and open banking are prime candidates. Crypto assets, credit scoring without consent, and products violating existing laws are explicitly excluded.

DPDP Act Compliance

All sandbox entities must now comply with the Digital Personal Data Protection (DPDP) Act, 2023, as mandated by the RBI post-2025 framework revision. This includes obtaining explicit consent for data processing, implementing data minimization principles, and appointing a Data Protection Officer.

Digital Lending Compliance

Lending Service Provider (LSP) Model

Most fintech platforms in India operate as Lending Service Providers (LSPs) — technology intermediaries that partner with banks or NBFCs to originate and service loans. Under the RBI's Digital Lending Directions (2025 updated), LSPs must comply with several obligations even though they are not directly regulated entities:

• All loan disbursements and repayments must flow directly between the borrower and the regulated entity's bank account — LSPs cannot touch loan funds
• Key Fact Statements (KFS) must disclose the Annual Percentage Rate (APR), all fees, and the identity of the regulated lender
• Borrower data cannot be shared with third parties without explicit, granular consent
• No automatic access to borrower phone contacts, galleries, or other personal data
• Cooling-off period: Borrowers can exit digital loans without penalty within a specified window

First Loss Default Guarantee (FLDG)

The RBI permits FLDG arrangements where an LSP or fintech guarantees a portion of the loan portfolio against defaults. The guarantee cap is 5% of the total loan portfolio generated under the arrangement. The guarantee must be in the form of a cash deposit, fixed deposit, or bank guarantee — corporate guarantees or unencumbered assets are not acceptable.

Account Aggregator Framework

India's Account Aggregator (AA) framework is a consent-based data-sharing infrastructure that allows fintech companies to access financial data from banks, insurance companies, mutual funds, and tax authorities — with the customer's explicit consent. For foreign fintech companies, integrating with the AA ecosystem can significantly reduce customer acquisition costs and improve credit underwriting. To become an AA, a company must obtain a license from the RBI. AAs are registered as NBFCs (NBFC-AA category) with a minimum NOF of INR 2 crore, and they can only access and share data — they cannot store, process, or sell it. Financial Information Providers (banks, AMCs) and Financial Information Users (lenders, insurers) connect to the AA network via standardized APIs.

AML and KYC Requirements

All RBI-regulated fintech entities must implement comprehensive Anti-Money Laundering (AML) and Know Your Customer (KYC) frameworks in compliance with the Prevention of Money Laundering Act, 2002 (PMLA) and RBI's Master Direction on KYC. This includes Customer Due Diligence (CDD) at the time of account opening, ongoing transaction monitoring for suspicious activity, Enhanced Due Diligence (EDD) for high-risk customers including Politically Exposed Persons (PEPs), and periodic KYC updates. Video-based Customer Identification Process (V-CIP) is now permitted for remote onboarding, which is particularly useful for fintech platforms onboarding customers digitally. However, the V-CIP process must be conducted by trained officials of the regulated entity — not outsourced to the LSP or technology partner.

SEBI SWAGAT-FI Framework (2026)

For fintech companies that also interact with securities markets — robo-advisory platforms, WealthTech, or investment aggregation services — SEBI formally notified the SWAGAT-FI regulations on December 1, 2025, effective June 1, 2026. This creates a single-window digital gateway for foreign investor onboarding and compliance in Indian securities markets, significantly reducing the time and documentation required for cross-border fintech platforms dealing with portfolio investments.

Compliance Cost Breakdown

Tax Implications for Foreign-Owned Fintech Companies

Foreign-owned fintech companies operating in India are subject to corporate tax at an effective 25.17% (a 22% base plus surcharge and cess) where they opt for the concessional regime under Section 115BAA; the Section 115BAB rate of 17.16% (15% base) applies only to new manufacturing companies and is not available to fintech entities (the window to commence manufacturing under 115BAB closed on March 31, 2024). Additionally, transfer pricing regulations apply to all transactions between the Indian subsidiary and the foreign parent company — technology licensing fees, management service charges, and intercompany loans must be documented at arm's length prices under Section 92 of the Income Tax Act.

Dividend distributions to the foreign parent are subject to withholding tax at 20% (or the applicable DTAA rate, which can be as low as 5-10% for countries like Singapore, Netherlands, and the UK). Interest payments on ECBs from the parent are subject to withholding at 5% under Section 194LC for qualifying borrowings. The Indian subsidiary must issue Form 15CA/15CB for every cross-border remittance, certified by a chartered accountant confirming tax compliance and DTAA applicability.

Common Mistakes Foreign Fintech Investors Make

• Operating without a license: Running a lending platform as an LSP without ensuring the partner bank/NBFC has proper authorization. The RBI can shut down operations and impose penalties.
• Underestimating capital requirements: The INR 10 crore NOF for NBFCs and INR 15 crore for PAs are substantial. These must be fully paid-up equity, not committed capital.
• Ignoring FEMA reporting: Failing to file FC-GPR within 30 days of share allotment or missing the FLA Return deadline of July 15. Penalties compound quickly.
• Press Note 3 violations: Chinese or other land-border-country investors attempting automatic route investments without DPIIT approval. These transactions are void.
• Data localization non-compliance: RBI mandates that all payment data must be stored exclusively in India. Mirrors, backups, or processing of live data outside India are prohibited for payment system operators.

Insurance and WealthTech Regulatory Pathways

InsurTech Licensing

Fintech companies operating in the insurance distribution space — comparison platforms, policy aggregators, claims processing tools — must be registered as either an insurance broker (IRDAI license, minimum capital INR 5 crore) or an insurance web aggregator (IRDAI registration, minimum net worth INR 50 lakh). Insurance web aggregators can only display and compare insurance products from different insurers — they cannot advise, solicit, or process policies. The IRDAI Sandbox framework runs parallel to the RBI sandbox, allowing InsurTech companies to test innovative insurance products for up to 36 months.

WealthTech and Robo-Advisory

Fintech platforms offering investment advisory services must register with SEBI as Registered Investment Advisors (RIA) under SEBI (Investment Advisers) Regulations, 2013. The minimum net worth requirement is INR 50 lakh for individuals and INR 1 crore for non-individual entities. Robo-advisory platforms that provide algorithm-based investment recommendations must comply with all RIA regulations including suitability assessments, risk profiling of clients, and periodic portfolio reviews. SEBI has clarified that AI-driven advisory tools do not receive exemption from the RIA framework — the use of technology does not change the regulatory classification of the activity.

Step-by-Step: Launching a Fintech Company in India as a Foreign Investor

1. Define the business model: Determine whether you are building an NBFC (lending from own balance sheet), LSP (technology intermediary), payment aggregator, or a hybrid model.
2. Incorporate in India: Register a Private Limited Company via SPICe+ with financial services in the MOA objects clause.
3. Capitalize the entity: Remit the required capital (minimum INR 10 crore for NBFC, INR 15 crore for PA) via banking channels. File FC-GPR within 30 days.
4. Appoint compliant board: Ensure one-third of directors have finance industry experience. Appoint a resident director.
5. Apply for RBI license: Submit the application via COSMOS portal with business plan, director profiles, and audited financials.
6. Obtain ancillary registrations: GST registration, PAN, TAN, and professional tax registrations while the RBI application is being processed.
7. Build compliance infrastructure: Set up the IT security audit framework, data localization, AML/KYC systems, and grievance redressal mechanism.
8. Commence operations: Begin business only after receiving the Certificate of Registration from the RBI.

Key Takeaways

• 100% FDI is allowed under the automatic route for regulated fintech activities — but you must hold the appropriate RBI license before operating.
• NBFC registration requires INR 10 crore NOF; payment aggregator authorization requires INR 15 crore net worth (rising to INR 25 crore). Budget these capital requirements early.
• The RBI Regulatory Sandbox is now on-tap and theme-neutral — foreign-owned subsidiaries can apply anytime to test innovative products with up to 10,000 customers.
• Digital lending platforms operating as LSPs face comprehensive RBI compliance obligations even though they are not directly licensed entities.
• Data localization, DPDP Act compliance, and FEMA reporting (FC-GPR, FLA Return) are non-negotiable requirements that foreign investors frequently underestimate. Engage specialized FEMA and RBI compliance advisors early in the process.