01
Digital Lending
Structuring lending and co-lending models against the RBI digital lending framework, including the role of lending service providers, the flow of funds and the borrower disclosure and consent requirements.
We advise lenders, payment companies, NBFCs and platforms across the financial-sector perimeter, the licence or registration the activity requires, the regulatory guidelines the product must satisfy, the outsourcing and partnership structures that the rules permit, and the data and consumer obligations that now travel with every digital financial service.
A FinTech mandate starts with a regulatory question, what is this activity, and who is allowed to do it. The answer fixes the licence, the structure, the partnership model and the compliance the product has to carry from day one.
Structuring lending and co-lending models against the RBI digital lending framework, including the role of lending service providers, the flow of funds and the borrower disclosure and consent requirements.
Payment aggregator and payment gateway authorisation, prepaid payment instrument licensing and the settlement, escrow and KYC obligations that attach to payment activity.
Registration and ongoing regulation of non-banking financial companies, the scale based regulatory framework and the conduct and prudential norms that apply.
Participation in the account aggregator framework, the consent architecture for financial data sharing and the agreements between the participants.
Data localisation for payment data, the obligations of the Digital Personal Data Protection Act as they apply to financial data, and fair practices in collection and recovery.
Bank and NBFC partnership structures, outsourcing of financial services within the RBI guidelines and the allocation of regulatory responsibility between partners.
Each stage answers a regulatory question before the next is built on it. The perimeter analysis fixes the licence, the licence fixes the structure, and the structure fixes the compliance the product carries to market.
Determine what the activity is in regulatory terms and which licence, registration or partnership it requires.
Design the entity, the flow of funds and the partnership model so the activity sits lawfully within the perimeter.
Prepare and pursue the application for authorisation or registration and respond to the regulator queries.
Build the customer terms, consent flows, disclosures and partner agreements the product needs to comply from launch.
Put in place the data, KYC, conduct and reporting framework the activity must maintain on a continuing basis.
Every FinTech product is read through three lenses at once. The activity has to be technically characterised against the regulatory perimeter, the model has to make commercial sense, and the structure has to be legally defensible before the regulator and the consumer.
We determine what the activity is in regulatory terms, lending, payments, deposit taking or data sharing, because the licence, the structure and the entire compliance burden follow from that characterisation under the RBI framework.
We design the funds flow, the partnership and the revenue model so the business works commercially while each participant stays within its licence, because a model that ignores the perimeter cannot scale.
We build the consent, disclosure, KYC and data architecture to satisfy the sectoral RBI guidelines and the Digital Personal Data Protection Act together, so the product launches compliant and stays that way as the rules evolve.
Most FinTech risk is not a feature risk. It is a characterisation risk. A product that is, in substance, lending or deposit taking or payment activity attracts the full regulatory perimeter for that activity, however it is described. We characterise the activity against the regulations first, because retrofitting compliance onto a launched product is the most expensive way to discover the perimeter.
The vocabulary that decides outcomes, set out precisely, not loosely.
The Reserve Bank of India 2022 directions governing lending through digital platforms, including disbursement and repayment flow and lending service provider conduct.
The standardised disclosure that a digital lender must give the borrower setting out the annual percentage rate, fees and cooling-off period.
An entity authorised under the Reserve Bank of India 2020 framework to onboard merchants and process payments without the funds settling in a merchant account.
An instrument that facilitates payment against value stored on it, issued and operated under the Reserve Bank of India PPI Master Directions.
The consent-based financial-data-sharing framework regulated by the Reserve Bank of India that lets customers share data between regulated entities.
Short, direct, on the record.
Lending in India is a regulated activity, and a digital lending product must sit on a regulated lender, typically a bank or a non-banking financial company, or be structured as a compliant partnership with one. The RBI digital lending framework governs how such arrangements are run, including that the flow of funds moves between the borrower and the regulated lender without passing through the pool account of an intermediary, and that key facts are disclosed to the borrower. A technology platform that originates or services loans without being the lender has a defined and limited role, and the structure has to respect it.
An entity that collects payments on behalf of merchants and routes the funds to them is a payment aggregator and requires authorisation from the Reserve Bank to operate. The framework imposes obligations on the handling of customer funds through an escrow arrangement, on merchant onboarding and KYC, on settlement timelines and on governance and security. A payment gateway that only provides technology and does not handle funds is treated differently. The first question for any payments business is therefore whether it handles funds, because that determines the licence it needs.
The account aggregator framework is a consent based system for sharing financial data. A licensed account aggregator acts as a consent manager, allowing a customer to share data held by one financial institution with another, for a defined purpose and period, on the customer explicit consent. The account aggregator itself does not see the data, it only moves it on instruction. Participation involves agreements with the framework and adherence to its technical and consent standards, and it interacts with the obligations of the Digital Personal Data Protection Act on the underlying personal data.
The Reserve Bank requires that data relating to payment systems be stored within India. For data that is processed abroad, the position has historically required that it be brought back and stored only in India within a defined period. This sits alongside the broader obligations of the Digital Personal Data Protection Act on the processing of personal data. For a payments or lending business, this means the architecture for storing and processing data has to be designed for the localisation requirement from the outset, because retrofitting data residency is difficult and disruptive.
The Digital Personal Data Protection Act applies to the personal data that financial services businesses collect in large volumes, identity, financial and transaction data. It requires a lawful basis for processing, generally consent, together with notice, purpose limitation, security safeguards and the handling of data principal rights and breaches. For a regulated financial entity, these obligations sit on top of the sectoral RBI requirements on data, KYC and outsourcing, so the data framework has to satisfy both the financial regulator and the data protection law at the same time.
Income tax, transfer pricing, withholding and treaty interpretation
Merger filings, dominance, cartels and CCI proceedings
Economic offences, PMLA, SEBI enforcement and internal investigations
The strongest outcomes are built into the strategy at the start, not recovered from disputes later.