India Sandbox Regulations: RBI, SEBI & IRDAI Sandboxes for Foreign Fintech

Why India's Regulatory Sandbox Landscape Matters for Foreign Fintech

India is the world's third-largest fintech ecosystem, with over 10,000 fintech companies and a digital payments infrastructure — UPI — that processed 16.6 billion transactions in a single month (December 2025). For foreign fintech companies, the opportunity is enormous but the regulatory complexity is equally formidable.

India does not have a single unified financial regulator. Instead, four separate regulators — the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and the International Financial Services Centres Authority (IFSCA) — each operate their own regulatory sandbox frameworks. Each sandbox has different eligibility criteria, application processes, testing durations, and rules about foreign entity participation.

Understanding which sandbox applies to your product, whether your foreign entity is eligible to apply, and how to navigate the application process is the first strategic decision any foreign fintech must make before entering the Indian market. Getting this wrong means wasted months and potentially building for a regulatory pathway that does not exist.

The Four Regulatory Sandboxes: A Comparative Overview

Before diving into each sandbox individually, here is a high-level comparison of India's four regulatory sandbox frameworks:

RBI Regulatory Sandbox: Banking and Payments

The Reserve Bank of India launched its Enabling Framework for Regulatory Sandbox in August 2019, making it India's first major financial regulatory sandbox. Over five cohorts, the RBI has tested innovations spanning retail payments, cross-border payments, MSME lending, financial fraud prevention, and theme-neutral solutions.

Cohort History and Themes

The Shift to On-Tap and Theme Neutral (2025-2026)

In a significant evolution announced in April 2025, the RBI declared that its Regulatory Sandbox would become permanently theme neutral and on-tap. This means:

• Fintech companies can apply at any time — no waiting for specific cohort windows
• Any innovation within the RBI's regulatory ambit qualifies — no restriction to pre-defined themes
• The application and testing process remains structured but the entry barrier has been substantially reduced

Eligibility for Foreign Fintech Companies

The RBI sandbox framework requires applicants to be incorporated or registered in India. A foreign fintech company cannot directly apply to the RBI sandbox — it must first establish an Indian entity. This typically means:

• Incorporating a private limited company in India as a wholly owned subsidiary
• Registering with the Department for Promotion of Industry and Internal Trade (DPIIT) as a startup (optional but beneficial)
• Obtaining necessary RBI registrations depending on the product category (e.g., payment aggregator licence, NBFC registration)

The Indian entity applies to the sandbox, with the foreign parent providing technology, capital, and expertise. Foreign Direct Investment in the Indian subsidiary must comply with applicable FDI sectoral caps — most fintech activities fall under the automatic route with 100% FDI permitted.

Application and Testing Process

1. Application Submission: Online application detailing the innovation, target market, testing parameters, and regulatory relaxations sought
2. Evaluation: RBI evaluates the application for genuineness of innovation, potential consumer benefit, and applicant readiness
3. Approval: Selected entities receive an in-principle approval with specific testing conditions and boundaries
4. Testing Phase: Live testing with real customers for up to 12 months, with mandatory reporting to RBI
5. Exit: At test completion, successful innovations may proceed to full regulatory approval; unsuccessful ones must wind down customer exposure

SEBI Sandbox: Securities and Capital Markets

SEBI operates two distinct testing frameworks — the Innovation Sandbox for offline testing and the Regulatory Sandbox for live market testing. Foreign fintech companies targeting India's capital markets need to understand both.

Innovation Sandbox (Offline Testing)

Launched in June 2020 and revised in 2021, the Innovation Sandbox provides access to market data and test environments for offline product development. Key features:

• Eligibility: Open to Indian citizens, entities registered in India, financial institutions, fintech firms, startups, and individuals — including entities not currently regulated by SEBI
• Access: SEBI provides historical market data and test infrastructure through designated exchanges and depositories
• No Live Customers: All testing is offline — products interact with simulated market conditions, not real investors or transactions
• Duration: Up to 12 months

Regulatory Sandbox (Live Testing)

The Regulatory Sandbox, revised in June 2021, permits live testing of innovations in the securities market with real participants. More stringent eligibility applies:

• Applicants must be registered with SEBI or be entities regulated under securities law
• Products must demonstrate genuine innovation — incremental improvements to existing services do not qualify
• Applicants need adequate technical and financial resources to conduct testing and protect participant interests

Foreign Entity Eligibility for SEBI Sandboxes

SEBI's frameworks generally require Indian registration or citizenship. A foreign fintech company must:

1. Incorporate an Indian subsidiary
2. Obtain relevant SEBI registrations (e.g., as a stockbroker, investment adviser, or research analyst) if applying for the Regulatory Sandbox
3. Apply through the Indian entity with demonstrated technology capabilities

The one exception is through the Inter-operable Regulatory Sandbox (IoRS), discussed below, where IFSCA acts as the principal regulator for cross-border innovations.

IRDAI Sandbox: Insurance Sector Innovation

The Insurance Regulatory and Development Authority of India notified the IRDAI (Regulatory Sandbox) Regulations, 2025 on January 3, 2025, with effect from the same date. These regulations replaced the older 2019 framework and represent a significant modernization of India's insurance innovation testing environment.

Key Features of the 2025 Framework

• Broader Scope: The new regulations expand the scope of innovations that can be tested — including new insurance products, distribution channels, underwriting models, and claims processes
• Inter-Regulatory Provision: An enabling provision allows filing of Inter-Regulatory Sandbox proposals that cut across multiple financial sectors — for example, an embedded insurance product distributed through a banking platform
• Policyholder Protection: Despite the sandbox's relaxed regulatory environment, core policyholder protection requirements remain in force
• DPDP Compliance: All sandbox participants must comply with India's Digital Personal Data Protection Act requirements
• Extended Testing: Testing periods of up to 36 months — significantly longer than the 12 months offered by RBI and SEBI sandboxes

Eligible Applicants

Eligible applicants include insurers, insurance intermediaries, and specified entities meeting criteria set by the IRDAI. The framework does not explicitly provide a separate pathway for foreign entities — participation requires an Indian-registered entity with appropriate insurance sector registrations or partnerships.

100% FDI in Insurance: The 2025 Game-Changer

The Sabka Bima Sabki Raksha (Amendment of Insurance Laws) Act, 2025, which received Presidential assent on December 20, 2025 and was brought into force from February 5, 2026, raised the FDI cap in insurance companies from 74% to 100% under the automatic route. This landmark change means foreign insurtechs can now establish wholly owned subsidiaries in India's insurance sector — a path previously blocked by the 74% FDI ceiling.

For foreign insurtechs, the combination of 100% FDI and the modernized IRDAI sandbox creates a clear entry pathway: incorporate a wholly owned subsidiary, apply for relevant IRDAI registrations, and submit a sandbox application for product testing.

IFSCA Sandbox: The Gateway for Foreign Fintech

The International Financial Services Centres Authority (IFSCA) operates what is arguably the most foreign-friendly sandbox framework in India. Established in October 2020 and updated through a comprehensive circular on March 16, 2026, the IFSCA sandbox is specifically designed to accommodate cross-border financial innovation.

Why IFSCA Is Different

Unlike RBI, SEBI, and IRDAI sandboxes — which require Indian entity registration — the IFSCA sandbox is explicitly open to foreign entities from FATF-compliant jurisdictions. This means a fintech company incorporated in the United States, United Kingdom, Singapore, or any other FATF member can apply directly without first establishing an Indian subsidiary.

March 2026 Framework Update

The updated framework provides access to multiple testing environments:

• Regulatory Sandbox: Live testing of innovations within IFSC jurisdiction
• Innovation Sandbox: Offline testing with simulated environments
• Inter-Operable Regulatory Sandbox (IoRS): For innovations that span multiple regulators — IFSCA acts as principal regulator for cross-border applications
• Overseas Regulatory Referral Mechanism: Pathway for foreign fintechs already sandbox-approved in their home jurisdiction to gain accelerated access to the Indian market

Application Process via SWIT

The IFSCA sandbox application is submitted through the Single Window IT System (SWIT). The process follows structured stages:

1. Application: Submit through SWIT with detailed product documentation, testing parameters, and risk mitigation framework
2. Evaluation: IFSCA evaluates the innovation's relevance, viability, and compliance readiness
3. In-Principle Approval: Approved applicants receive conditional authorization with specified testing boundaries
4. Limited Use Authorisation: Permission to test with controlled user groups for up to 12 months (extendable by 6 months)
5. Exit or Full Authorization: Successful innovations transition to full IFSCA authorization; unsuccessful ones wind down

GIFT City as the Operational Base

All IFSCA-regulated activities operate within the Gujarat International Finance Tec-City (GIFT City) — India's first International Financial Services Centre. Foreign fintechs accessing the IFSCA sandbox would operate from GIFT City, benefiting from:

• Competitive tax regime (10% corporate tax for IFSC units for 10 years out of 15)
• Exemption from GST on financial services
• Simplified FEMA compliance for foreign exchange transactions
• Single-window clearance through IFSCA

Inter-Operable Regulatory Sandbox (IoRS)

Recognizing that fintech innovations frequently span multiple regulatory domains — a payment-linked insurance product, for example, involves both RBI and IRDAI jurisdiction — India's financial regulators established the Inter-Operable Regulatory Sandbox in 2022.

How IoRS Works

When a fintech innovation falls under the purview of more than one financial regulator, the IoRS designates a principal regulator based on the dominant component of the innovation. The principal regulator leads the sandbox process, coordinating with other relevant regulators:

• A payment-linked lending product would have RBI as principal regulator, with SEBI consulted if securities market components exist
• An embedded insurance-banking product would have RBI or IRDAI as principal regulator depending on the dominant function
• Cross-border innovations with foreign entities would have IFSCA as the principal regulator

Foreign Entity Pathway Through IoRS

For foreign fintechs whose products span multiple regulatory domains, the IoRS through IFSCA provides the most accessible entry point. The foreign entity applies to IFSCA, which coordinates with domestic regulators as needed. This avoids the requirement to separately engage with RBI, SEBI, or IRDAI — each of which requires Indian entity registration for direct sandbox participation.

Practical Entry Strategy for Foreign Fintech

Based on the regulatory landscape, here is a decision framework for foreign fintech companies evaluating India market entry through the sandbox route:

Step 1: Identify Your Primary Regulator

• Payments, lending, deposits: RBI
• Securities trading, advisory, wealth management: SEBI
• Insurance products and distribution: IRDAI
• Cross-border financial services: IFSCA

Step 2: Choose Your Entry Structure

• If IFSCA is the primary regulator: Apply directly as a foreign entity from a FATF-compliant jurisdiction — no Indian subsidiary required initially
• If RBI, SEBI, or IRDAI is the primary regulator: Incorporate an Indian private limited company as a wholly-owned subsidiary, then apply through the Indian entity
• If the product spans multiple regulators: Consider the IoRS pathway through IFSCA

Step 3: Prepare for Compliance

Regardless of the sandbox pathway, prepare for these baseline compliance requirements:

• FDI compliance including FC-GPR filing within 30 days of share allotment
• Data localization requirements — RBI mandates that payment data be stored exclusively in India
• Digital Personal Data Protection Act compliance for all user data processing
• AML/KYC framework aligned with Indian regulatory requirements

Step 4: Budget Realistically

A realistic budget for sandbox participation through an Indian subsidiary includes:

For assistance with incorporating your Indian entity and navigating the regulatory sandbox application process, explore our company registration services and FDI advisory.

Common Pitfalls for Foreign Fintech Applicants

Based on publicly available information from completed sandbox cohorts and regulatory feedback, foreign fintech companies commonly encounter these obstacles when pursuing Indian sandbox participation:

Underestimating Incorporation Timelines

Incorporating an Indian private limited company takes 15-30 days when all documentation is in order. However, foreign directors need Digital Signature Certificates, Director Identification Numbers (DINs), and apostilled identity documents from their home country. The complete pre-incorporation process for a foreign-owned entity typically takes 45-60 days. Add another 30-60 days for bank account opening and regulatory registrations. Companies that begin sandbox applications without accounting for this timeline lose 3-4 months before they can even submit.

Data Localization Requirements

The RBI mandates that all payment system data must be stored exclusively within India. Foreign fintech companies accustomed to cloud architectures hosted outside India must establish India-based infrastructure before testing payment-related innovations. This includes not just transaction data but also metadata, audit trails, and backup data. Failure to comply with data localization during sandbox testing will result in immediate termination of the sandbox authorisation.

Overlooking State-Level Licensing

Depending on the product, state-level registrations may be required in addition to central regulatory approvals. Money lending activities, for example, may require state-specific money lender licences in addition to RBI authorisation. Insurance distribution may require IRDAI agent or broker registration alongside sandbox participation. Map all licensing requirements before committing to a sandbox application timeline.

Insufficient Consumer Protection Framework

All Indian sandbox frameworks require robust consumer or investor protection mechanisms. Applications that focus exclusively on the innovation without detailing grievance redressal, refund mechanisms, data privacy safeguards, and customer communication protocols are routinely rejected. Build the protection framework as an integral part of the sandbox application, not as an afterthought.

Key Takeaways

• Four separate sandboxes exist with different rules — RBI (banking/payments), SEBI (capital markets), IRDAI (insurance), and IFSCA (cross-border) each operate independently with distinct eligibility criteria and testing frameworks.
• IFSCA is the only direct-access sandbox for foreign entities — RBI, SEBI, and IRDAI all require Indian entity registration. Only IFSCA accepts applications from foreign companies in FATF-compliant jurisdictions without requiring an Indian subsidiary.
• RBI has shifted to on-tap, theme-neutral applications — foreign fintechs no longer need to wait for specific cohort windows. Applications can be submitted at any time for innovations in any area of RBI's regulatory domain.
• 100% FDI in insurance changes the game — the February 2026 implementation of 100% FDI in insurance means foreign insurtechs can now establish wholly owned subsidiaries and access the IRDAI sandbox directly.
• The IoRS provides a multi-regulator pathway — innovations spanning banking, securities, and insurance can use the Inter-Operable Regulatory Sandbox with IFSCA as the principal regulator for cross-border applications.