Traditional vs. Digital Banking Regulation: Navigating the Legal Crossroads in the Fintech Era

Author: Sangini Mehta, NMIMS School of Law, Bengaluru


To the Point
The global banking sector is undergoing a transformative shift driven by fintech innovation. Neobanks, digital payment apps, AI-driven lending, and blockchain-based currencies are disrupting the traditional financial ecosystem. In India, this disruption exposes the limitations of legacy banking laws, which were designed for brick-and-mortar institutions rather than API-driven mobile platforms.
This article critically examines whether the existing regulatory and legal frameworks in India—principally the Banking Regulation Act, 1949—are sufficient to govern emerging fintech institutions, or whether a radical overhaul is necessary. It also explores the judiciary’s response, regulatory sandbox initiatives, and comparative global practices, while advocating a harmonized yet innovation-friendly approach.


Use of Legal Jargon
The interplay between prudential regulation, regulatory arbitrage, non-banking financial companies (NBFCs), e-wallet service providers, sandbox regimes, compliance architecture, and cross-border capital flows dominates the legal discourse in this area. Terms such as digital KYC, data fiduciary, cybersecurity resilience, algorithmic lending, and decentralized finance (DeFi) are becoming critical in regulatory debates.


The Proof
1. Banking Regulation Act, 1949
This foundational legislation governs the regulation and supervision of commercial banks in India. However, it is silent on purely digital banks, app-based lenders, and cross-border fintech entities. It does not define or regulate concepts such as “virtual banking licenses” or “digital-only institutions.”
2. RBI Master Directions and Guidelines
Master Direction on Digital Payment Security Controls (2021): Introduced technical security standards for digital payment operators but does not substitute for a full-fledged law.
RBI’s Regulatory Sandbox Framework (2019): Provides a controlled environment for fintech firms to test new technologies under regulatory oversight, but its scope is limited and experimental.
3. Information Technology Act, 2000
Recognizes electronic contracts, signatures, and cybercrimes but lacks provisions specific to crypto-assets, AI-powered financial tools, or open banking APIs.
4. Prevention of Money Laundering Act (PMLA), 2002
Fintech platforms offering lending or payment services fall within the scope of reporting entities, but regulatory enforcement varies widely, particularly among peer-to-peer (P2P) platforms and blockchain operators.


Abstract
This article explores the tension between traditional banking laws and the rapidly evolving fintech landscape. It highlights regulatory gaps, examines international comparisons, and analyzes Indian case law to assess how prepared our legal system is for neobanks, digital lenders, and cryptocurrencies. While the RBI has made efforts through guidelines and sandbox frameworks, these stop short of providing legal certainty. There is a growing need for codified laws that can regulate digital financial institutions without stifling innovation.


Case Laws
1. Internet and Mobile Association of India v. Reserve Bank of India (2020)
The Supreme Court invalidated RBI’s 2018 circular that banned cryptocurrencies, holding it to be a disproportionate restriction under Article 19(1)(g) of the Constitution. The case underscores the judiciary’s role in curbing arbitrary regulatory practices in the absence of comprehensive digital finance laws.
2. Shreya Singhal v. Union of India (2015)
Although primarily a free speech case, it emphasized the dangers of vague legislation in digital contexts. It supports the argument that fintech regulation must be precise, clear, and predictable.
3. State of Maharashtra v. Dr. Praful Desai (2003)
Recognized the validity of video conferencing for recording evidence, setting a precedent for tech-enabled legal processes in financial adjudication.
4. K.S. Puttaswamy v. Union of India (2017)
The landmark judgment on privacy has significant implications for fintech firms dealing with sensitive user data. The Court mandated that data handling must comply with privacy safeguards, something most digital banks are now compelled to address.
5. Delhi Transport Corporation v. DTC Mazdoor Congress (1991)
Established the principle that legislation must evolve with changing socio-economic conditions. It supports the case for legislative overhaul in banking laws to keep pace with fintech.
6. B.N. Srikrishna Committee Report (2018)
Although not a judicial decision, this report is highly influential. It laid the foundation for India’s Data Protection Bill, which will significantly impact how digital financial institutions collect, store, and use personal data.


Conclusion
India’s banking laws were designed in an analog era and are increasingly misaligned with the realities of a digital economy. While the RBI’s sandbox frameworks and directional circulars are useful stopgaps, they cannot replace the certainty, enforceability, and coherence of comprehensive fintech legislation.
Without codified rules governing digital-only banks, cryptocurrencies, and automated investment platforms, the system risks lapses in consumer protection, data misuse, and financial fraud. The legal vacuum could also lead to regulatory arbitrage, where entities operate in loopholes or gray areas.
The way forward includes:
Enacting a Fintech Regulatory Code that defines neobanks, digital currencies, and fintech aggregators.
Updating the Banking Regulation Act and the RBI Act to account for tech-driven banking models.
Ensuring fintech companies are covered under robust data protection legislation.
Introducing licensing frameworks for virtual banks and API-driven financial entities.
Standardizing audit trails, AI explainability, and cyber-resilience protocols across fintech operations.
As India aims to lead in digital banking innovation, balancing innovation with regulation is not just important; it is constitutionally essential.


FAQs
Q1: How are neobanks regulated in India?
Neobanks in India currently operate in partnership with licensed traditional banks. They are not recognized as “banks” under the Banking Regulation Act, 1949 and thus cannot accept deposits independently. Their operations are indirectly governed by RBI through their banking partners and applicable IT laws.
Q2: Are fintech companies considered Non-Banking Financial Companies (NBFCs)?
Not all fintech companies are NBFCs. Only those involved in financial activities like lending or asset management may fall under RBI’s NBFC framework. However, many operate as technology service providers or payment aggregators, requiring separate registration under the Payment and Settlement Systems Act, 2007.
Q3: Is data protection law applicable to fintech firms?
Currently, fintech firms must comply with the IT Act, 2000 and relevant RBI guidelines on data security. However, once the Digital Personal Data Protection Act (DPDP Act) comes into force, fintech companies will be classified as data fiduciaries and will be subject to more stringent obligations, including user consent and data minimization.
Q4: Can digital banks be sued under consumer protection law?
Yes. Digital banks and fintech platforms offering financial services fall within the definition of service providers under the Consumer Protection Act, 2019. Any deficiency in service or data breach can result in legal liability.
Q5: How does India regulate payment gateways like Razorpay or Paytm?
Such platforms are regulated by the RBI’s Payment Aggregator and Payment Gateway Guidelines (2020). They must comply with KYC norms, data localization requirements, and periodic audits. However, gaps remain in areas such as grievance redressal and real-time fraud monitoring.
