Skip to main content
Sector Licensing

RBI License for NBFC, Payment Aggregator & Fintech Operations

A comprehensive guide for foreign companies seeking RBI licenses to operate as NBFCs, payment aggregators, or other fintech entities in India, covering regulatory frameworks, capital requirements, FDI eligibility, and the 2025 Master Direction updates.

By Manu RaoMarch 20, 202610 min read
10 min readLast updated May 16, 2026

Why Foreign Fintechs Need RBI Licensing in India

India's fintech sector processed over USD 3 trillion in digital transactions in FY 2024-25, making it the world's fastest-growing digital payments market. For foreign companies looking to enter this space, the Reserve Bank of India (RBI) is the gatekeeper. Whether you plan to operate as a Non-Banking Financial Company (NBFC), a payment aggregator, a peer-to-peer lending platform, or an account aggregator, RBI licensing is mandatory before commencing operations.

The regulatory landscape has shifted significantly in 2025-2026. The RBI issued a new Master Direction on Regulation of Payment Aggregators on September 15, 2025, replacing all earlier guidelines from 2020, 2021, and 2023. Simultaneously, the NBFC regulatory framework has been overhauled through the Scale-Based Regulation (SBR) Amendment Directions 2025, effective November 28, 2025, and further amendments effective April 1, 2026. For foreign fintech companies, understanding which license applies and what the FDI implications are is essential before investing capital into an Indian entity.

This guide covers the three primary RBI-regulated fintech pathways: NBFC registration, payment aggregator authorisation, and specialised fintech licenses. Each comes with distinct capital requirements, compliance obligations, and foreign investment rules under FEMA.

Article illustration

NBFC Registration: The Foundation License for Fintech Lending

What Activities Require NBFC Registration

Any company that wants to engage in lending, investment, asset finance, factoring, or other financial activities as its principal business must register as an NBFC with the RBI. This includes foreign-owned Indian subsidiaries that plan to offer digital lending products, buy-now-pay-later (BNPL) services, invoice discounting, or micro-finance through technology platforms.

The RBI classifies NBFCs into several categories based on activity type:

  • NBFC-ICC (Investment and Credit Company): The most common category, combining lending, investment, and asset finance activities. Most fintech lenders fall here.
  • NBFC-MFI (Micro Finance Institution): For entities providing microloans to low-income borrowers without collateral.
  • NBFC-Factor: For companies engaged in factoring and invoice discounting.
  • NBFC-P2P (Peer-to-Peer Lending): Digital platforms connecting individual lenders with borrowers.
  • NBFC-AA (Account Aggregator): Entities that facilitate consent-based financial data sharing across institutions.
  • NBFC-IFC (Infrastructure Finance Company): Specialised in infrastructure lending.

Minimum Net Owned Fund (NOF) Requirements

The RBI has progressively increased NOF requirements under the Scale-Based Regulation framework:

NBFC CategoryNOF by March 31, 2025NOF by March 31, 2027
NBFC-ICC (new registration)INR 10 crore (ab initio)INR 10 crore
NBFC-ICC (existing)INR 5 croreINR 10 crore
NBFC-MFIINR 7 croreINR 10 crore
NBFC-MFI (North East)INR 5 croreINR 10 crore
NBFC-FactorINR 5 croreINR 10 crore
NBFC-P2PINR 2 croreINR 2 crore
NBFC-AAINR 2 croreINR 2 crore

For foreign companies planning a new NBFC, the minimum NOF is INR 10 crore from the date of registration. Non-compliance with NOF timelines can result in cancellation of the Certificate of Registration (CoR).

NBFC Registration Process

The process involves:

  1. Company incorporation: The NBFC must be incorporated as an Indian company under the Companies Act, 2013, either as a private limited company or public limited company. LLPs cannot be registered as NBFCs.
  2. Capital infusion: Bring in the required NOF through FDI. File FC-GPR within 30 days of share allotment.
  3. Online application: Submit the application on the RBI's COSMOS portal with company details, board composition, business plan, and financial projections.
  4. Document submission: Provide certificates of incorporation, MOA/AOA, board resolution, director details, auditor certificates for NOF, and a detailed business plan covering 5-year projections.
  5. RBI due diligence: The RBI conducts background checks on promoters and directors, verifies the business model's viability, and assesses the company's ability to meet ongoing compliance.
  6. In-principle approval: If satisfied, RBI issues an in-principle approval, after which the company must fulfil remaining conditions within 12 months.
  7. Certificate of Registration: Final CoR is issued once all conditions are met and verified.

The entire process typically takes 6-12 months from application to final CoR.

Scale-Based Regulation: The Four-Layer Framework

The RBI's SBR framework categorises all NBFCs into four layers based on asset size, systemic risk, and complexity:

  • Base Layer (BL): Non-deposit-taking NBFCs with assets below INR 1,000 crore. Includes NBFC-P2P and NBFC-AA platforms. Lightest regulatory burden.
  • Middle Layer (ML): Deposit-taking NBFCs and non-deposit NBFCs with assets above INR 1,000 crore. Higher governance and disclosure requirements.
  • Upper Layer (UL): NBFCs identified by RBI based on systemic importance and interconnectedness. Enhanced supervision, including stricter capital adequacy and large exposure norms.
  • Top Layer: Reserved for NBFCs posing extreme systemic risk. Currently empty; serves as a regulatory deterrent.

2026 Amendment: New Exemption Category

Effective April 1, 2026, the RBI has introduced a significant change: NBFCs that neither accept public funds nor have a customer interface, and have assets below INR 1,000 crore, are now exempt from mandatory registration. Existing registered NBFCs fitting this criteria have a one-time window until September 30, 2026 to surrender their Certificate of Registration. This is particularly relevant for captive finance subsidiaries of foreign companies that only provide intra-group funding.

Article illustration

Payment Aggregator (PA) Authorisation

Who Needs PA Authorisation

A payment aggregator is an entity that facilitates e-commerce transactions by aggregating payments from customers and settling them with merchants. If a foreign company wants to operate a payment gateway, checkout platform, or merchant payment solution in India, it needs PA authorisation from the RBI under the Payment and Settlement Systems Act, 2007.

The RBI's Master Direction on Regulation of Payment Aggregators, 2025 (issued September 15, 2025) classifies PAs into three categories:

  • PA-Online: Entities facilitating online digital payments between customers and merchants.
  • PA-Physical: Entities facilitating physical point-of-sale transactions through card machines, QR codes, or other physical means.
  • PA-Cross Border: Entities facilitating cross-border payment transactions involving Indian merchants and overseas customers, or vice versa.

Net Worth Requirements for Payment Aggregators

The capital requirements for PAs are significantly higher than many NBFC categories:

MilestoneNet Worth Requirement
At time of applicationINR 15 crore minimum
By end of 3rd financial year from authorisationINR 25 crore minimum

The net worth must be certified by the entity's statutory auditor, and the certificate must be submitted along with the application on the RBI's PRAVAAH portal.

PA Application Process

  1. Entity structure: The PA must be incorporated as an Indian company. Foreign companies must set up a wholly owned subsidiary or a joint venture in India.
  2. Net worth certification: Obtain a statutory auditor's certificate confirming net worth of at least INR 15 crore.
  3. PRAVAAH portal application: Submit the application on RBI's PRAVAAH portal with Form A, business plan, KYC documents, technology infrastructure details, and information security policies.
  4. Director declaration and KYC: All directors must submit declarations and KYC documents. The RBI publishes the application for public comments after initial acceptance.
  5. Technical assessment: The RBI evaluates the applicant's technology infrastructure, cybersecurity measures, data localisation compliance, and fraud prevention systems.
  6. Escrow account setup: Before authorisation, the PA must establish escrow accounts with Scheduled Commercial Banks. Merchant funds must be kept separate from operating funds. For cross-border PAs, separate Inward Collection Accounts (InCA) and Outward Collection Accounts (OCA) are required.
  7. Authorisation grant: Processing typically takes 4-6 months from application submission.

Critical Deadlines

Under the 2025 Master Direction, all non-bank entities operating as payment aggregators must have applied for fresh RBI approval by December 31, 2025. Entities that failed to apply by this date must wind down PA operations by February 28, 2026. This deadline applies even to entities that previously operated under older guidelines.

Ongoing Compliance for Payment Aggregators

Authorised PAs must maintain:

  • Annual cybersecurity and systems audits by CERT-IN empanelled auditors
  • Board-approved information security policies reviewed annually
  • Transaction monitoring and fraud prevention tools with real-time alert mechanisms
  • FIU-IND registration for Anti-Money Laundering (AML) reporting
  • Data localisation: All payment data must be stored within India
  • Merchant onboarding due diligence with KYC verification
  • Quarterly reporting to RBI on transaction volumes, settlement timelines, and fraud incidents
Article illustration

FDI Rules for Fintech Entities

Automatic Route Eligibility

FDI up to 100% is permitted under the automatic route for 18 specified NBFC activities, including lending, investment, asset finance, factoring, and financial consultancy. This means foreign companies do not need prior government approval to invest in an Indian NBFC, provided the activity falls within the permitted list.

For payment aggregators, FDI is also permitted under the automatic route, subject to compliance with FEMA regulations and the Consolidated FDI Policy.

Foreign Investment for NOF Compliance

A significant regulatory relief came in 2025 when the RBI amended the Master Directions on Foreign Investment. The amendment grants general permission for foreign investment into entities engaged in regulated financial activities, specifically for meeting Net Owned Fund (NOF) requirements. Previously, foreign companies faced administrative bottlenecks when trying to infuse capital into their Indian NBFC subsidiaries to meet escalating NOF thresholds. The 2025 amendment removes this friction, but with a condition: if the license or registration is not granted, the foreign investment must be repatriated.

FEMA Compliance Obligations

All fintech entities with foreign investment must comply with:

  • FC-GPR filing within 30 days of share allotment to foreign investors
  • FLA return filed annually by July 15 with the RBI
  • Transfer pricing documentation for all related-party transactions with the foreign parent
  • Downstream investment reporting if the Indian NBFC further invests in other Indian entities
  • Annual reporting to the AD bank on foreign investment utilisation
Article illustration

Specialised Fintech Licenses

NBFC-P2P (Peer-to-Peer Lending)

P2P lending platforms connect individual lenders directly with borrowers through a digital marketplace. The RBI regulates these as NBFC-P2P under the Master Direction on NBFC-Peer to Peer Lending Platform. Key requirements include:

  • Minimum NOF: INR 2 crore
  • Aggregate exposure of a lender across all P2P platforms: capped at INR 50 lakh
  • Single borrower exposure cap for a lender: INR 50,000 (may be higher for certain lender categories)
  • Mandatory fund escrow through a bank-operated escrow account
  • Prohibition on lending from the platform's own balance sheet
  • Prohibition on cross-selling or credit enhancement

NBFC-Account Aggregator

Account aggregators enable consent-based sharing of financial data across banks, insurance companies, mutual funds, and other financial institutions. The RBI's Account Aggregator framework requires:

  • Minimum NOF: INR 2 crore
  • The entity must only function as a data intermediary; it cannot access, store, or use the financial data
  • Explicit customer consent is required for every data-sharing instance
  • Technology infrastructure must meet RBI's data security standards
  • Annual technology audits by certified auditors

Prepaid Payment Instruments (PPI)

Companies issuing digital wallets, prepaid cards, or stored-value instruments need a PPI license from the RBI. Minimum net worth for non-bank PPI issuers is INR 5 crore, with an obligation to reach INR 15 crore within 3 years of authorisation. Foreign companies can enter this space through their Indian subsidiaries, subject to FDI compliance.

Digital Lending Platforms

The RBI issued comprehensive Digital Lending Guidelines in September 2022 (updated in 2024) that apply to all entities operating as digital lending platforms. Key requirements include: all loan disbursals and repayments must flow directly between the borrower's and the regulated entity's bank accounts (no pass-through wallets), first loss default guarantee (FLDG) arrangements between fintechs and regulated lenders are capped at 5% of the loan portfolio, and all digital lending agents must disclose the name of the NBFC or bank on whose behalf they are lending. Foreign fintechs that partner with Indian NBFCs or banks for a lending-as-a-service model must ensure the regulated Indian entity maintains full compliance with these digital lending norms.

Regulatory Sandbox Pathway

The RBI operates a Regulatory Sandbox (RS) framework that allows fintech companies to test innovative products in a controlled environment before seeking full licensing. The sandbox accepts applications in specified cohorts, including cross-border payments, MSME lending, and financial inclusion. Foreign fintechs can participate through their Indian entities. Successful sandbox testing can accelerate the subsequent license application process, as the RBI has already evaluated the product during the sandbox phase. Each cohort runs for approximately 6-12 months, with the possibility of extension. However, sandbox participation does not guarantee a license; it merely de-risks the regulatory approval process.

Article illustration

Common Mistakes Foreign Fintechs Make

Mistake 1: Starting Operations Before Licensing

Some foreign companies begin pilot operations or "beta testing" payment services in India before obtaining RBI authorisation. This is a direct violation of the Payment and Settlement Systems Act. The RBI has issued enforcement actions and fined entities operating without authorisation. Always secure the license first.

Mistake 2: Underestimating Capital Requirements

A foreign company planning a payment aggregator must commit at least INR 15 crore (approximately USD 1.8 million) upfront, increasing to INR 25 crore (approximately USD 3 million) within three years. For NBFCs, the minimum is INR 10 crore for new registrations. These are not just regulatory thresholds; the RBI expects the entity to have working capital beyond the minimum NOF.

Mistake 3: Ignoring Data Localisation

All payment system data must be stored exclusively in India. Foreign fintechs accustomed to centralised cloud infrastructure outside India must establish India-based data centres or use Indian cloud providers. The RBI conducts audits to verify data localisation compliance.

Mistake 4: Treating the Indian Entity as a Branch

The RBI expects the Indian NBFC or PA entity to have genuine operational independence, including a local management team, an independent board with at least one resident director, and local decision-making authority. Entities that function as mere pass-throughs for foreign parent companies face regulatory scrutiny during renewal and compliance reviews.

Mistake 5: Neglecting Ongoing Compliance Costs

Foreign fintechs often budget for the initial license acquisition but underestimate the ongoing compliance burden. NBFCs must maintain capital adequacy ratios (minimum 15% for most categories), file quarterly and annual returns with the RBI, conduct annual statutory audits, maintain asset classification and provisioning norms, and comply with fair practices codes for customer interactions. Payment aggregators face additional obligations including annual cybersecurity audits, quarterly reporting to the RBI, and mandatory merchant due diligence processes. Budget at least INR 10-30 lakh annually for compliance costs, separate from operational expenses.

Cost Breakdown for Foreign Fintech Entry

ItemNBFC (Lending)Payment AggregatorNBFC-P2P / NBFC-AA
Minimum capital (NOF)INR 10 croreINR 15-25 croreINR 2 crore
Company incorporationINR 15,000-25,000INR 15,000-25,000INR 15,000-25,000
RBI application feeINR 10,000-50,000As prescribed by RBIINR 10,000-50,000
Legal and compliance advisoryINR 5-15 lakhINR 10-25 lakhINR 3-8 lakh
Technology infrastructureINR 10-50 lakhINR 25 lakh-1 croreINR 15-50 lakh
Annual compliance costsINR 5-15 lakh/yearINR 10-30 lakh/yearINR 3-10 lakh/year
Timeline to license6-12 months4-6 months6-12 months

Key Takeaways

  • Foreign companies entering India's fintech sector need RBI licensing. The three primary pathways are NBFC registration (for lending and financial services), payment aggregator authorisation (for merchant payments), and specialised licenses like NBFC-P2P or NBFC-AA.
  • Capital requirements vary significantly: INR 10 crore for new NBFCs, INR 15-25 crore for payment aggregators, and INR 2 crore for P2P and account aggregator platforms. Plan your funding strategy before incorporating the Indian entity.
  • FDI up to 100% is allowed under the automatic route for most fintech activities. The 2025 FEMA amendments specifically ease foreign investment for meeting NOF requirements, removing previous bottlenecks.
  • The September 2025 Master Direction on Payment Aggregators introduced fresh application requirements and an absolute deadline of December 31, 2025 for existing operators. Post-February 28, 2026, unauthorised entities must cease operations.
  • Engage a professional FDI advisory and FEMA-RBI compliance team early. The licensing process involves regulatory filings, technology audits, and capital structuring that require specialised expertise in India's fintech regulations.
FAQ

Frequently Asked Questions

Can a foreign company directly apply for an NBFC license in India?

No. A foreign company must first incorporate an Indian subsidiary (private limited or public limited company) under the Companies Act, 2013. The Indian entity then applies for NBFC registration with the RBI. FDI up to 100% is permitted under the automatic route for 18 specified NBFC activities, including lending, investment, asset finance, and factoring. The foreign parent company's credentials and financial standing are scrutinised as part of the RBI's promoter due diligence process.

What is the minimum capital required to start a payment aggregator in India?

A payment aggregator must have a minimum net worth of INR 15 crore (approximately USD 1.8 million) at the time of application, increasing to INR 25 crore (approximately USD 3 million) by the end of the third financial year from the date of authorisation. This net worth must be certified by the entity's statutory auditor and submitted along with the application on the RBI's PRAVAAH portal. The requirement applies to all non-bank PAs, whether domestically or foreign-owned.

How long does it take to get an RBI NBFC license?

The NBFC registration process typically takes 6-12 months from application to final Certificate of Registration. This timeline includes company incorporation (if not already done), capital infusion, RBI application submission, due diligence on promoters and directors, in-principle approval, and final CoR issuance. Payment aggregator authorisation can be faster, typically 4-6 months, depending on documentation completeness and technology infrastructure readiness.

Is data localisation mandatory for fintech companies in India?

Yes. The RBI mandates that all payment system data must be stored exclusively within India. This applies to payment aggregators, NBFCs processing digital transactions, and all other entities operating under RBI's payment system regulations. Foreign fintechs accustomed to centralised cloud infrastructure outside India must establish India-based data centres or use Indian cloud regions. The RBI conducts periodic audits to verify compliance with data localisation norms.

What happens if an NBFC fails to meet the increased NOF requirement by the deadline?

The RBI can cancel the Certificate of Registration of NBFCs that fail to meet NOF deadlines. Under the phased implementation, existing NBFCs must reach INR 5 crore by March 31, 2025, and INR 10 crore by March 31, 2027. The 2025 FEMA amendment eases this by granting general permission for foreign investment specifically for meeting NOF requirements, allowing foreign parents to infuse capital without additional regulatory approvals.

Can a foreign fintech operate as a payment aggregator through a branch office in India?

No. Payment aggregator authorisation requires the entity to be incorporated as an Indian company under the Companies Act, 2013. A branch office or liaison office of a foreign company cannot obtain PA authorisation. The foreign company must establish a wholly owned subsidiary or a joint venture with an Indian partner. The Indian entity then applies for PA authorisation in its own name, subject to meeting all capital and compliance requirements.

What is the difference between NBFC-P2P and a regular NBFC lending license?

An NBFC-P2P only operates a digital platform connecting individual lenders with borrowers and is prohibited from lending from its own balance sheet. The minimum NOF is INR 2 crore, and aggregate lender exposure across all P2P platforms is capped at INR 50 lakh. A regular NBFC (NBFC-ICC) can lend directly from its balance sheet, requires a minimum NOF of INR 10 crore for new registrations, and has broader compliance obligations under the RBI's Scale-Based Regulation framework, including capital adequacy ratios and asset classification norms.

Topics
rbi licensenbfc registrationpayment aggregatorfintech indiafdi fintechscale based regulation
Related Reading

Fintech Company Setup with Foreign Investment: RBI & FEMA

A practical guide for foreign investors setting up a fintech company in India. Covers FDI routes, RBI licensing requirements for NBFCs, payment aggregators, and digital lending platforms, FEMA compliance obligations, capital requirements, and the regulatory approvals needed before you can operate.

6 Common Reasons RBI Rejects Foreign Investment Applications

The RBI rejects or returns foreign investment filings more often than most companies expect. This article breaks down the 6 most common rejection reasons — document mismatches, valuation errors, sectoral violations, Press Note 3 gaps, late filings, and pricing failures — with specific fixes for each.

Opening an Indian Bank Account as a Foreign Company: Process & Pitfalls

A practical guide for foreign companies navigating the process of opening a corporate bank account in India, covering entity prerequisites, documentation requirements, FEMA compliance, account types (current vs. SNRR), and the most common pitfalls that delay account activation.

Need Help With Your India Strategy?

Talk to us. No commitment, no generic sales pitch. We will walk you through the structure, timeline, and costs specific to your situation.

WhatsApp UsEmail Us