India’s fintech companies are on high alert.
Over the last few years, the Reserve Bank of India (RBI) has conducted multiple high-profile investigations on, and handed out penalties to, India’s banks, fintechs, and non-banking financial institutions (NBFCs) for failing to comply with regulations around risk and fraud prevention, specifically in regards to Know Your Customer (KYC) and data protection processes.
These crackdowns came after an RBI report found that the number of reported frauds that total Rs100,000 (USD$1,205) each rose to more than 14,000 from April to September 2023, an increase of 68%. The RBI also found that the sharpest increase of fraud cases were tied to credit cards, online transactions, and deposits.
As a result, many companies have faced monetary penalties under RBI’s authority as defined by the Banking Regulation Act, 1949, and understanding how to navigate these regulatory pressures is crucial for fintech companies and financial institutions.
This post will explore recent actions by the RBI, discuss compliance requirements, and provide guidelines for navigating the regulatory landscape in India.
Background: The Reserve Bank of India & The Banking Regulation Act, 1949
Established in 1935 as a shareholders’ bank, the Reserve Bank of India (RBI) is India’s central bank and is responsible for controlling, issuing, and maintaining supply of the Indian rupee. The RBI was nationalized in 1949 and is now fully owned by the Government of India.
After nationalization, the government passed legislation to establish the Banking Regulation Act, 1949, which initially oversaw only banking companies. In 2020, the Act was amended to bring cooperative banks and other financial institutions under the oversight of the RBI. Today, the RBI has the power to:
- License banks
- Regulate shareholding and voting rights
- Supervise board and management appointments
- Oversee and regulate banking operations
- Direct audits, mergers, and liquidations
- Impose penalties
Business impacts of the RBI’s recent regulatory actions
To protect consumers from fraud, the RBI is looking to nip bad practices in the bud. In order to reduce the Indian financial industry’s compliance failures, the central bank has turned up regulatory pressure in the past few years and has recently taken actions against several major fintech and NBFC players in the country. It has also drafted a Framework on Alternative Authentication Mechanisms for Digital Payment Transactions, which requires banks, fintechs, and NBFCs to implement alternative authentication methods for digital payments.
Crackdown on Paytm
After several years of issuing warnings to Paytm Payments Bank, the RBI placed severe restrictions on the fintech giant in March 2022. The company was ordered to stop onboarding new customers and hire a third-party firm to audit its IT system.
In 2023, the RBI went further and fined Paytm Rs5.4 crore for failures in following established KYC guidelines. India’s Financial Intelligence Unit slapped on another Rs5.49 crore for non-compliance with anti-money laundering (AML) regulations.
In an interview with The Times of India, Ashok Harihara, CEO of IDfy, which provides client vetting services to banks and fintechs in India, “Most banks typically outsource the last mile of customer verification to third-party firms or so-called runners, and leakages occur at many points in that large paper process.”
As a result of these regulatory actions, Paytm is at risk of shutting down completely.
Other Notable Cases
- HDFC Bank was hit with a penalty of Rs10 million for failing to comply with KYC and AML regulations, and faced operational restrictions due to repeated outages in its digital services between 2020 and 2021. All restrictions were lifted in March 2022.
- In March 2024, IIFL Finance was ordered to immediately stop sanctioning or disbursing gold loans due to concerns tied to serious deviations in assaying and certifying the purity and net weight of its gold holdings, among other issues.
- Visa and Mastercard were asked to immediately stop card-based commercial payments that were routed through third-party fintech platforms, starting February 2024. The RBI did not provide a reason as to why it made that request.
This increasing regulatory scrutiny and penalties underscore why fintech companies need to ensure that their KYC and AML processes are up-to-date and compliant.
How fintechs can navigate India’s regulatory landscape
With expectations that India’s quickly growing fintech industry will reach USD$1.5 trillion by 2025, it’s vital that all companies in the industry are aware of key regulatory developments in order to avoid penalties and regulatory actions.
1. Strengthen KYC processes
Questionable Know Your Customer (KYC) systems have been a common issue among fintech companies. Ensuring robust KYC procedures is critical, as Paytm’s situation shows.
Fintechs should implement comprehensive KYC procedures to accurately verify customer identities. They should also ensure that any third-party companies used for KYC verification have data security processes in place that meet regulatory standards.
2. Invest in fraud prevention technologies like device intelligence
Deploying advanced fraud detection and prevention tools like device intelligence is essential to mitigate risks and protect consumers that use digital financial services, including digital lending, prepaid payment instruments, payment aggregation services, and more.
For example, a large Indian bank and a leading Indian digital payments solutions platform are using Fingerprint’s device intelligence to collect 100+ signals from user browsers, along with Android and Apple devices, to detect and prevent fraudulent activity — including account takeover attempts and payment fraud — in real time.
Why did they choose Fingerprint? Let’s take a quick look at account takeover attempts as an example.
Many companies implement multi-factor authentication (MFA) that requires a second form of verification in addition to a login password, which helps them comply with KYC regulations. The downside is that requiring additional authentication often causes friction and/or frustration for legitimate customers.
Fingerprint, on the other hand, helps prevent fraud by analyzing device and browser attributes to generate unique visitor identifiers with industry-leading accuracy, which enables companies to detect anomalies and identify fraudulent activities like account takeovers in real time.
For instance, when a user tries to log in, companies can use Fingerprint’s visitor ID to determine whether the login is coming from an unknown device. If the answer is yes, then they can require an additional authentication step, like MFA. But the extra authentication step can be skipped when legitimate users are identified, removing unnecessary friction and creating a better overall customer experience.
3. Ensure data security
Adhere to data protection requirements and ensure customers have more control over how their personal data is accessed, processed, and used, as outlined in the Personal Data Protection Bill (PDPB) 2022 and the Digital Personal Data Protection Act (DPDP Act).
4. Conduct regular compliance audits
Perform regular audits to ensure adherence to regulatory requirements and to proactively identify and rectify potential issues.
Key takeaways
Regulatory pressure is expected to continue increasing for banks, fintechs, and non-banking financial institutions in India as regulators step up efforts to keep pace with the rapid evolution of fintech offerings.
By staying informed on regulatory changes, investing in anti-fraud technology like Fingerprint’s device intelligence, and fostering a compliance-focused culture, companies in the digital financial solutions space can continue to grow while ensuring compliance.
For more insights and personalized guidance on navigating regulatory pressures and how Fingerprint can help, contact us for a free consultation.