Fintech and Digital Financial Services in India
India has no single fintech licence - it licenses activities. The activity-specific RBI, SEBI or IRDAI authorisation, not the FDI route, is the binding gate.
There is no single "fintech licence" in India - the country licenses activities, and the activity you perform sets the gate.
India does not issue a fintech licence. It licenses regulated activities, each under its own authorisation with its own entity form, capital floor and governance conditions - so the question to answer is which regulated act the business is performing, and what the regulator requires. Most fintech foreign investment is straightforward: a business that builds software for financial institutions takes 100% foreign ownership on the automatic route, like any software company. But the moment the business itself does the regulated act - taking customer money, issuing a wallet, lending, aggregating consent data, plugging a consumer app into UPI - it maps to a specific Reserve Bank of India authorisation (or a SEBI or IRDAI one), and that authorisation, rather than the FDI route, is the binding gate. The Reserve Bank determines fitness and grants or returns the application.
So settle which side of one line you are on: are you building software for financial institutions - a supplier that never touches customer funds, in which case the entry is easy - or are you yourself doing the regulated act (holding money, moving payments, lending, aggregating), in which case the page below maps your activity to its authorisation?
At a glance
- India issues no single "fintech licence" - it authorises activities (payment aggregation, wallets, lending, consent data, UPI access, insurance, securities), each under a different RBI, NPCI, SEBI or IRDAI regime with its own capital floor and conditions.
- Building software for financial institutions is an unregulated software business - 100% FDI on the automatic route, no financial authorisation. Doing the regulated act is the part that needs a licence.
- The regulated lanes take 100% FDI under "Other Financial Services," but subject to the regulator's fit-and-proper, minimum-capital and licensing conditions - the "automatic route" still has a gatekeeper, and the authorisation, rather than the FDI route, is the binding gate.
- Capital floors are real and the RBI returns applications: roughly Rs25 crore net worth for a payment aggregator (Rs15 crore at application), Rs15 crore for a non-bank prepaid-instrument issuer, Rs10 crore net owned funds for an NBFC lender - confirm against the current Directions.
- Payment data must be stored only in India (RBI directive, 6 April 2018) - a structural design constraint rather than a late compliance item.
- Press Note 3 applies regardless of sector: land-border-owned FDI needs prior government approval and an intermediate UAE or Singapore holding company does not cure it; Press Note 2 of 2026 eases this only for a non-controlling stake of up to 10% with no control. This is the onshore, rupee, RBI/NPCI domain; GIFT City / IFSC fintech is the separate offshore (IFSCA) one.
Why fintech in India
A foreign fintech enters a large, maturing market rather than an early one. India's fintech sector raised about US$2.4 billion in 2025, roughly 2% above 2024 and the third-highest globally behind the United States and the United Kingdom (Tracxn, January 2026) - below the 2021 peak, a market consolidating rather than inflating. The public rails are the draw: the account-aggregator framework alone had enabled some 2.61 billion accounts for about 252.9 million users by end-2025 (Sahamati, 31 December 2025), and UPI is the default consumer-payment layer. But the regulated lanes are narrow and gatekept - payment-aggregator authorisations are a limited, published cohort (check the current RBI Certificate of Authorisation list) rather than a market open to all comers, and the RBI returns applications routinely. The determinant of a viable entry is correct activity classification and clearing the authorisation that follows, rather than the size of the market.
Which kind of fintech are you?
Every fintech enquiry resolves to one question: which regulated act are you performing, and is it open to a directly-licensed, foreign-owned entity? The licence follows the function, and the FDI route is set by the underlying regulated activity, rather than by calling the business a fintech. The unregulated case - software supplied to financial institutions (B2B SaaS, core-banking, fraud or KYC tech) - is not in the table below: it needs no authorisation and takes 100% FDI on the automatic route. A "neobank" typically touches four of these lanes and holds none in its own name, operating over licensed partners.
Adjacent lanes map to other regulators: wealth-tech and broking to SEBI, and insurtech to IRDAI (where FDI follows insurance - intermediaries 100% since 2019, insurers now 100% under the Insurance Laws (Amendment) Act 2025, assented 20 December 2025). Crypto and virtual digital assets sit under a separate regime again - FIU-IND registration under the Prevention of Money-Laundering Act and a distinct tax treatment (a flat tax on gains plus a transaction-level TDS), rather than an RBI licensing lane. Where a business performs several functions it needs each authorisation, or a licensed partner that holds it. India issues no standalone "neobank" or "digital-bank" licence; banking itself is not the open part.
| Route / activity | Typical investor | Binding authorisation / key legal issue |
|---|---|---|
| Payment aggregator - online (PA-O) | Global PSP or checkout settling Indian online merchant payments | RBI authorisation under the PA Directions 2025; net worth Rs15 crore at application, Rs25 crore by the third financial year (confirm against the current Directions); escrow with a scheduled bank; FIU-IND; payment data localised |
| Payment aggregator - cross-border (PA-CB) | Foreign marketplace or PSP facilitating import/export collections | RBI authorisation (within the 2025 PA Directions); net worth to Rs25 crore by 31 March 2026; per-transaction cap Rs25 lakh; currency-segregated collection accounts. Distinct from GIFT City rails |
| Prepaid payment instruments (PPI) / wallets | Wallet, gift-card, prepaid or benefits issuer | RBI PPI Master Directions; non-bank issuer Rs5 crore, Rs15 crore by the third FY; KYC tiering; interoperability; data localisation (a draft 2026 PPI update is proposed, not in force) |
| NBFC - lending off own book (incl. NBFC-P2P) | Digital lender, BNPL, consumer-credit or P2P platform | RBI NBFC registration, minimum Rs10 crore net owned funds; RBI Digital Lending Directions; Press Note 3 acute for credit; DLG treatment is the deal term to price |
| Account aggregator (NBFC-AA) | Open-finance / consent-data platform | RBI registration; technical-only - cannot lend, hold funds or store data at rest; a niche category (check the current RBI register) |
| UPI via third-party app provider (TPAP) | Consumer payments super-app or global wallet | No direct NPCI membership - rides a sponsor bank's UPI handle; NPCI 30% volume cap (deadline 31 December 2026); data localisation; zero-MDR economics |
Do you need an authorisation - or only an Indian software entity?
The fastest way to scope an entry is to ask what the business actually does, in order - because the licence, rather than the FDI route, is the gate:
In every lane the FDI may be 100% automatic under Other Financial Services, but the regulator's fit-and-proper authorisation is the real gate - clear it before you form the company or hire the team.
- Only sell software to regulated institutions, never touching customer money, credit decisions, account data or regulated distribution? Usually no financial licence - an ordinary 100%-FDI software company.
- Take or move customer money, issue stored value, aggregate account data, or run a payment-system activity? An RBI authorisation (payment aggregator - online, cross-border or point-of-sale; PPI; account aggregator) is likely needed.
- Lend on your own book, or source loans and underwrite credit? An NBFC registration, or a regulated lending-service-provider model, with the default-loss-guarantee terms priced in.
- Put a consumer app on UPI? An NPCI third-party-app arrangement over a sponsor bank rather than a licence.
- Advise on investments, broker securities or distribute insurance? A separate SEBI or IRDAI lane - scope it on its own rather than as generic "fintech".
- Buying a licensed entity (an NBFC or a payment-aggregator applicant) rather than filing fresh? That is an acquisition route, and the gate is the change-in-control and fit-and-proper approval, the capital position, the customer data and the target's legacy compliance.
The RBI authorisation map - what 2025 changed
The table sets out the per-lane conditions; two structural points are where foreign entrants most often misread the map. The headline change of 2025 was the consolidation of the payment-aggregator regime. The RBI (Regulation of Payment Aggregators) Directions 2025, issued 15 September 2025, supersede the earlier 2020-21 and 2023 circulars and create three categories - online (PA-O), cross-border (PA-CB) and, newly, physical / point-of-sale (PA-P) - so a non-bank POS aggregator that previously sat outside authorisation must now obtain it on the same net-worth, escrow, merchant-KYC and FIU-IND terms. The licence is the gate, the net-worth floor is real, and the RBI returns applications - the authorised cohort is limited and published, so check the current RBI list rather than assume the door is open. The second point is the lending fork: a business that lends off its own book needs NBFC registration - there is no fintech shortcut - while one that does not want to hold the credit operates as a lending service provider to a licensed bank or NBFC under the RBI Digital Lending Directions, with funds flowing directly between borrower and regulated lender. Two further lanes are narrower than they look: the account aggregator is technical-only, and UPI is a third-party-app arrangement over a sponsor bank rather than a licence.
Digital lending and the default loss guarantee (DLG / FLDG)
Lending partnerships turn on one fast-moving term. A default loss guarantee - earlier FLDG - is an arrangement in which an unregulated partner guarantees the regulated lender against a capped slice of portfolio losses, aligning a fintech originator's incentives with a bank or NBFC balance sheet. The RBI codified it on 8 June 2023 with a 5% cap, then prohibited it on NBFC-P2P platforms (24 April 2024). The RBI (Digital Lending) Directions 2025 (8 May 2025) tightened provisioning, and - the point a foreign lending JV must get current on - default-loss-guarantee recognition was reinstated for NBFCs in October 2025. Price any lending partnership to the current DLG treatment confirmed at signing, because the position has moved several times and the structure of the JV depends on it. And for any consumer-facing model, conduct is now a design question as much as a compliance one: the RBI's digital-lending and consumer-protection rules treat the user interface, the consent flow, pricing disclosure, mis-selling and authentication as regulated surfaces - they belong in the product design rather than a late legal review.
Payment data localisation as a design constraint
Since the RBI's directive of 6 April 2018, the entire payment-data set relating to a payment system in India must be stored only in India; processing abroad is permitted, but the data must be brought back and the foreign copy deleted within the prescribed window. For a foreign fintech this is a structural design constraint rather than a late compliance item - it shapes the cloud architecture, the data-residency map and the group's global data flows from the first whiteboard. A payments business that designs a single global data lake assuming Indian data can sit in it will have to re-architect.
How a foreign company enters
The vehicle is almost always a wholly-owned Indian private limited company holding the relevant RBI, NPCI, SEBI or IRDAI authorisation, with FDI as equity under the automatic route ("Other Financial Services"). The equity permission and the authorisation are separate gates, and the regulated one governs: a licensed payment aggregator or NBFC adds the regulator's fit-and-proper assessment and change-in-control approval, so a later shift in its foreign shareholding can need the RBI's prior approval rather than just an FC-TRS filing. The working sequence is to classify the activity, confirm it is open to a directly-licensed foreign-owned entity, build to the authorisation's conditions - and run the Press Note 3 screen before any of it. Incorporation, FC-GPR and the FEMA mechanics sit on the India business-setup and FEMA pages.
Legal workstreams for a fintech entry
A fintech entry into India usually brings these workstreams together:
- classifying the activity - which regulated act is performed, and whether it is open to a directly-licensed foreign-owned entity or must run over a licensed partner;
- the specific authorisation application - payment aggregator, PPI, NBFC, account aggregator, or the SEBI / IRDAI licence - built to its capital floor, fit-and-proper and governance conditions;
- the sponsor-bank and partner agreements where the model rides a licensed entity (UPI TPAP, lending-service-provider, escrow), and the default-loss-guarantee terms on any lending partnership, priced to the current RBI position;
- where the entry is by acquisition of a licensed entity (an NBFC or payment aggregator), the change-in-control and fit-and-proper approval, the capital position, the customer-data transfer and the target's legacy compliance;
- payment-data-localisation architecture, FIU-IND registration, KYC / central-KYC obligations, the consumer-conduct and authentication design, and data-protection mapping under the Digital Personal Data Protection Act as its rules take effect;
- the FDI route, FC-GPR reporting and, for a licensed entity, the RBI change-in-control approval on any later shift in foreign shareholding; and
- the holding structure above India - often a UAE or Singapore vehicle, with its treaty and substance position - and the Press Note 3 screen wherever the ownership chain touches a land-border country.
The India-UAE corridor
A fintech group based in the Gulf, or weighing both markets, runs them as connected but separate regulatory decisions. The UAE answers the founder's residence, a regional licensing base and, through DIFC or ADGM, a recognised financial-services regime; India answers the domestic user base and the rupee rails - but an India onshore authorisation is granted by the RBI to an Indian entity and cannot be substituted by a UAE licence, just as a UAE permission does not reach Indian payment rails. A common pattern holds the group above India through a UAE vehicle - a treaty-and-substance decision that does not cure Press Note 3 if the beneficial ownership sits in a land-border country (Press Note 2 of 2026 easing it only for a non-controlling stake up to 10%).
Where this goes wrong
- Reading "100% automatic FDI" as the whole answer, when the activity-specific authorisation is the binding gate and the RBI returns applications.
- Designing a single global data architecture and assuming Indian payment data can sit in it, against the 2018 localisation mandate.
- Building a lending model off its own book without NBFC registration, or pricing a lending JV to a default-loss-guarantee position that has since changed.
- Assuming a foreign consumer app can join UPI directly, rather than riding a sponsor bank as a TPAP under the volume cap and zero-MDR economics.
- Treating an intermediate UAE or Singapore holding company as a cure for Press Note 3, when the test is beneficial ownership and the Press Note 2 of 2026 easing reaches only sub-10% non-controlling stakes; or confusing this onshore RBI/NPCI regime with the GIFT City / IFSC offshore one.
How ATB Corporate helps
ATB advises foreign fintech and digital-financial-services companies entering India, starting from the question that decides everything else: which regulated act the business performs, and whether it is open to a directly-licensed foreign-owned entity or must run over a licensed partner. We work the activity classification and the FDI route, the specific authorisation and its capital, fit-and-proper and governance conditions, the sponsor-bank and lending-partner agreements and default-loss-guarantee terms, the payment-data-localisation and consumer-conduct architecture, the acquisition route where a licensed entity is bought rather than built, and the holding structure above India, including the India-UAE corridor where a group runs both ends. We keep the regulated-versus-unregulated line explicit, so a software supplier is not over-engineered into a regulated entity and a regulated activity is not run without its licence. The Reserve Bank determines authorisation and fitness; our work is to align the entity, capital and governance with what it requires.
Fintech — Answered
Rs15 crore at application, rising to Rs25 crore by the third financial year on an ongoing basis under the RBI (Regulation of Payment Aggregators) Directions 2025; a cross-border payment aggregator must reach Rs25 crore by 31 March 2026. Confirm the figure against the current Directions, as the thresholds are periodically revised.
Completely. This page is the onshore, rupee, domestic regime (RBI, NPCI, SEBI, IRDAI); GIFT City / IFSC is the offshore, foreign-currency regime regulated by the IFSCA, covered on its own page. An authorisation in one does not permit the other's activity.
Only in India. Under the RBI directive of 6 April 2018, the full payment-data set relating to a payment system in India must be stored within India; processing abroad is allowed, but the data must be brought back and the foreign copy deleted within the prescribed window.
Only as a third-party app provider riding an Indian sponsor bank's payment handle through NPCI; it holds no direct NPCI membership. NPCI's 30% cap on any single app's share of UPI volume applies (deadline extended to 31 December 2026), and person-to-merchant UPI carries no interchange under the zero-MDR rule.
Lending off your own book requires NBFC registration. Otherwise you operate as a lending service provider to a licensed bank or NBFC under the RBI Digital Lending Directions, with funds flowing directly between borrower and regulated lender. A default loss guarantee is capped at 5% and was reinstated for NBFCs in October 2025; it is prohibited on NBFC-P2P platforms.
It follows insurance rather than generic fintech. Intermediaries have been open to 100% FDI since 2019, and insurers are now 100% under the Insurance Laws (Amendment) Act 2025, assented on 20 December 2025 (up from 74%), subject to IRDAI conditions including investing the premium in India. An insurtech does not automatically inherit this - the activity must sit in the right IRDAI category.
Acutely, especially for credit. FDI from, or beneficially owned in, a country sharing a land border with India needs prior government approval regardless of sector, and an intermediate jurisdiction such as the UAE or Singapore does not cure it because the test is beneficial ownership. Press Note 2 of 2026 (issued 15 March 2026) now lets a non-controlling stake of up to 10% with no control proceed on the automatic route with reporting; a controlling or larger stake still needs prior approval.
No. A business that supplies technology to financial institutions but never performs the regulated act - never holds customer funds, never lends, never aggregates - is an ordinary software business, 100% FDI on the automatic route with no authorisation. The licence attaches to doing the regulated act rather than to serving the sector.
India licenses activities, not fintechs: the regulated act you perform sets the authorisation, the capital floor and the data-localisation duty, and decides whether a foreign-owned entity can hold it at all.
Licensing, approvals and any tax treatment are decided by the authorities on the facts. Talk to our team when you are ready.
Get in touch