India is the third-largest fintech ecosystem in the world after the USA and China. V. Anantha Nageswaran, Chief Economic Advisor of India, Ministry of Finance, Government of India, reported that India’s fintech market size was $31 billion in 2021 and is expected to reach $1 trillion by 2030. 

However, with the increasing market size comes the increased responsibility of securing the data and information of Indian residents. A data breach can cost not only the organization but also the nation as a whole, which is why the Indian government is creating stronger regulations and asking fintech to adapt to transparent operations. 

However, due to the high number of different regulations governing the Indian fintech industry, there is often an overlap between two or more regulations, adding to the already complex system. 

The introduction of new regulations is not helping the case either. It is rumored that the growth rate might take a hit due to the bottlenecks created by the different fintech regulations, as organizations might spend more time on regulatory paperwork than the development of their core offerings.

Let’s take a look at these regulations to understand how they are affecting the Indian Fintech ecosystem. 

Regulations governing India’s fintech systems

The principal regulators in India’s fintech market are the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the Pension Fund Regulatory and Development Authority (PFRDA). 

These regulators oversee aspects of the fintech sector, like data privacy, online transactions, payment gateways and aggregators, lending, and collection of deposits, offering insurance products and services, and trading securities and derivatives. 

The regulations and laws applicable to the Indian fintech sector are as follows: 

Laws and regulations by RBI

The following are the regulations by RBI:

• Payment and Settlement Systems Act, 2007
• Directions for opening and operations of accounts and settlement for payments for electronic payment transactions involving intermediaries, 2009
• Guidance for licensing of payments banks, 2014 and operating guidance for payments bank, 2016
• Circular on tokenization, 2019
• Circular on the processing of e-mandate on cards for recurring transactions, 2019
• Guidelines on the regulation of payment aggregators and payment gateways, 2020
• Framework for recognition of self-regulatory organization for payment system operators, 2020
• Master directions on prepaid payment instruments (MD-PPIs), 2021
• Framework for scale-based regulation for non-banking financial companies (NBFCs), 2021

Laws and regulations by SEBI

• Circular on mutual funds, 2021

Laws and regulations by IRDAI

• Guidelines on insurance repositories and electronic issuance of insurance policies, 2015
• Insurance regulatory and development authority of India (issuance of e-insurance policies) Regulations, 2016
• Guidelines on insurance e-commerce, 2017

Laws and regulations by the National Payments Corporation of India (NPCI)

• Various circulars on UPI transactions

The regulatory powers of all these financial authorities is vested in The International Finance Service Centers Authority (IFSCA), which was established under the International Finance Service Center Act, 2019 by the government of India. The primary function of the IFSCA is to regulate financial institutions, financial products, and services aimed toward fintech development. 

Guidelines for the growing Indian fintech sector 

Today, there are 4827 fintech startups in India, and there are estimated to be $1.3 trillion in fintech market opportunities by 2025 (INC42). 

The rising digital economy begs for newer regulations to keep security with progress. Sometimes with the ballooning of the organization, compliance with the guidelines becomes more difficult. Moreover, not following the RBI guidelines will result in financial repercussions. Some of the more prominent data localization laws are given below as an example to accentuate the complexity of the compliance standards. 

Data localization laws

Data localization laws are the laws and regulations that are designed to protect the sensitive information of clients. The three main acts that govern data localization laws in Indian fintech are as follows:

• Section 94 of the Companies Act 2013, read with Sections 88 and 92, requires the company to store financial information at the registered office of the company.
• RBI’s Directive 2017-18/153, issued under the Payment and Settlement Systems Act, 2007, requires the organizations covered under it to store payment records in India.
• IRDAI requires covered organizations to store insurance data within India.

1. Systems audit report for data localization (SAR-DL)

The SAR and storage of payment system data is a mandatory compliance requirement by RBI  and NPCI guidelines to ensure appropriate security measures and data localization controls for storing payment-related information. The audit must be carried out by the Indian Computer Emergency Response Team (CERT-In) empanelled auditors who certify the completion of activities. 

The following are the factors that the auditor must report for the SAR-DL audit

• Payment Data Elements
• Transaction / Data Flow
• Application Architecture
• Network Diagram / Architecture
• Data Storage
• Transaction Processing
• Activities subsequent to Payment Processing
• Cross-Border Transactions
• Database Storage and Maintenance
• Data Backup & Restoration
• Data Security
• Access Management

The auditor will meticulously verify all the elements of the system vis-a-vis the RBI guidelines. In case of a lack of compliance in any section, the auditor will first inform the company management and offer solutions to ensure compliance. Once the issues are resolved, the auditor will supply the report to certify the reliability of the company’s information system.

2. SAR – Tokenization

The Reserve Bank of India has recently made tokenization mandatory for all credit and debit cards used for online transactions. Tokenization refers to replacing the credit card information with a code, known as a ‘token,’ which is a unique combination of the token requestor and the device. Tokenization of the card increases fintech security as the actual details of the card are not shared with the merchant. 

The cardholder sends the card details to the token requestor via their app, who will forward the request to the card network for payment. The card details are not shared with the vendor, so they are safe even if the vendor’s data is breached. Tokenization is completely free for the cardholder and is provided by the card issuer or authorized card network.

3. SAR – Payment aggregator (PAs) and Payment gateways (PGs)

RBI issued guidelines for PAs and PGs on March 31, 2021. These guidelines seek to regulate the activities of online PAs while providing basic technological recommendations for the PGs. The RBI has issued instructions on the security, fraud prevention, and risk management framework under these guidelines.

• The PA needs to follow the global security standards, including Payment Card Industry-Data Security Standard (PCI-DSS) or Payment Application-Data Security Standard (PA-DSS) as applicable to them. PCI-DSS is the security standard developed to improve the security of credit/debit card payments. PA-DSS applies to third-party applications that store, process, or transmit payment cardholders’ data. It is a standard against which payment applications are tested, validated, and assessed. 
• RBI disallows merchants to store payment data irrespective of their compliance with PCI-DSS. That said, the merchants are allowed to store limited data, in compliance with the security standards, for the purpose of payment tracking. 
• The PAs are also not allowed to store client credit card data except for the purpose of payment tracking.
• A standard system audit (SAR-PAPG), including a cybersecurity audit, must be carried out by a CERT-In empanelled auditor.

4. SAR – Prepaid payment instruments (PPI)

These guidelines by the RBI are designed to regulate prepaid payment instruments. The following are the security measures for PPI:

• PPI issuers must establish adequate data security infrastructure and systems to detect and prevent fraud.
• They must establish and implement a board-approved information security policy for the safety and security of its payment systems to mitigate identified risks. The PPI issuer must review the policy at least once a year, after a security breach or before/after major policy changes.
• PPI issuers must establish a security framework to address security concerns for risk mitigation and fraud prevention. 
• They should ensure that the authorized agents follow the same policies, if any.
• PPI issuers must establish a system to monitor, handle, and respond to cybersecurity incidents. The same must be reported to DPSS, CO, RBI, Mumbai, and CERT-In immediately.   
• They must also follow the relevant circulars as required.

Current security challenges that Indian fintech organizations face

While the RBI and other regulators are very clear on their requirements from the fintech organizations for data protection policies, it is not an easy task for them to follow. 

Let’s take a look at the current security challenges faced by fintech organizations and how they’re impacting overall growth. 

1. Mapping policies against a vast cloud infrastructure: Several fintech organizations have a vast cloud infrastructure which makes it difficult for them to monitor and identify vulnerabilities. Following the security standards for the whole organization becomes difficult if it is handled in-house.

2. The audit trail: With a vast cloud environment comes the need for a huge evidence repository. There are too many evidence artifacts for the management and the auditor to collect, review, and manage, making the process of auditing hectic and time-consuming. 

3. Security consistency: Ensuring that security is not a one-time activity but an ongoing process is often difficult. Keeping the information actually secure and not just for the sake of compliance must be understood.

4. Customer trust: Securing information can improve customer trust, and a security breach can ruin the same trust quite easily. Organizations today are spending too much time on complying with industry frameworks rather than following a holistic approach to infosec.

But despite these challenges, security is a top priority for organizations across the fintech industry, and they are taking solid steps to strike a balance between compliance and growth. How? By finding modern GRC solutions. 

Future Outlook for Information Security in Fintech

As mentioned earlier, keeping the organization secure is not a one-time activity; it involves continuous monitoring. 

The extensive efforts required for governance, risk, and compliance (GRC) call for a dedicated team – something not all organizations can deploy without affecting everyday operations. Hence, several fintech organizations are turning towards a modern approach to compliance, and rightfully so. 

A modern GRC platform can automate the strategic structure of the organization and can also help you with compliance audits by CERT-In empanelled auditors. It can keep your organization on track and keep you informed about the progress or issues with the organization’s compliance posture. 

Such platforms can help you keep track of the compliance that is relevant to your organization and educate you and your employees about the correct practices. At the same time, it streamlines and automates tasks such as evidence collection, policy creation, and employee awareness.

FAQs