The multi-regulator world of fintech in India

A fintech sits at the intersection of five authorities (RBI, SEBI, IRDAI, NPCI, FIU-IND); none owns the integrated perimeter, and the architecture has remained fragmented. The RBI's discipline runs on two rhythms: rule-making from circular to Master Direction, and supervisory action from observation to cancellation under Section 22(4). The decade's record from Yes Bank to PPBL, with Jane Street as SEBI's parallel, maps the same statutory grammar to different failure modes. What does this architecture reveal, what does the pattern show about what the regulator actually learned each time, and how should a company read both rhythms?

The Indian fintech sector does not have a dedicated regulator. It has never had one. Every scaled fintech proposition of the last decade, payments, lending, wealth, insurance distribution, neobank-style stacking, has emerged at the intersection of statutes written for other purposes: the Banking Regulation Act 1949, the RBI Act 1934, the Payment and Settlement Systems Act 2007, FEMA 1999, the Prevention of Money Laundering Act 2002, the SEBI Act 1992, the IRDA Act 1999, and now the Digital Personal Data Protection Act 2023. None was drafted with a fintech in mind; the companies that became large composed themselves across the statutory gaps, and the Reserve Bank of India (RBI), as custodian of the payments and non-bank perimeters, became the regulator-of-last-resort for most of what happened in that composition. Reading that posture correctly is the foundation for reading everything that follows.

The posture has been consistent across ten years: regulate what you understand, watch what you do not, and formalise only when the sector has demonstrated what the actual risk is. It is written in no Master Direction, but it is legible in the sequence of corrections. The Peer-to-Peer lending Master Directions of October 2017 arrived after platforms had operated for three to four years, and the ₹10 lakh aggregate-exposure cap reset the largest revenue models in a single notification. The 2022 Digital Lending Guidelines arrived after the Chinese-app lending crisis and sustained Parliamentary Standing Committee attention. The First Loss Default Guarantee (FLDG) arrangement was prohibited in September 2022, then walked back in June 2023 at a 5% cap after the sector argued prohibition destroyed co-lending economics. The Payment Aggregator-Cross Border circular of October 2023 replaced the OPGSP framework that had governed cross-border flows since 2010, and the September 2025 Payment Aggregator Master Direction unified the whole aggregation architecture. This is not sluggishness; it is a deliberate position closer to wait-and-watch than to Singapore's sandbox-first or the European harmonised-licensing approach, and its trade-off is specific. The advantage is that the formal architecture, when it arrives, is calibrated to demonstrated rather than hypothetical risk. The cost is that the sector builds at scale on rails that are about to be reshaped: the P2P platform absorbing a cap redesign it could not have priced, the lender re-papering every co-lending contract in a quarter, the aggregator licensing under PA-CB with fresh due-diligence obligations retrofitted to a decade-old merchant base. The posture transfers timing risk to the sector, and companies that did not read it carried that risk unhedged.

The instrument through which the RBI formalises what it has learned deserves separate attention. The RBI issues circulars, observes how the sector operationalises them, notes the workarounds through its own supervision, and consolidates into a Master Direction that reads as the final architecture. The Master Direction is the moment at which the RBI has made up its mind; circulars before it are provisional. The September 2025 Payment Aggregator Directions are the RBI's conclusion on aggregation and cross-border flows after watching the 2020-24 circulars play out; the May 2025 Digital Lending Directions are its conclusion on the Lending Service Provider architecture; the 2024 KYC Master Direction update closes seven years of incremental amendment. Companies that treated each intervening circular as the final position misread the rhythm; companies that read circulars as direction and the Master Direction as destination timed their compliance investment correctly.

Alongside the rule-making rhythm runs a supervisory rhythm, graduated, statute-anchored, and best read through the decade's case record, because each case is a rung. At the system level, macroprudential adjustment: the November 2023 increase in risk weights on unsecured personal loans to 125% slowed the book across the system without naming an entity. At the conduct level, the Digital Lending Guidelines and the 5% FLDG cap closed the partner-bank-bears-no-risk arrangement that BNPL was built on. At the entity level, business restriction calibrated to the offending line: HDFC Bank's digital embargo of December 2020 to March 2022 after repeated outages, lifted in stages against external audit; Kotak Mahindra's April 2024 repeat of the same template; Bajaj Finance's eCOM and Insta EMI suspension for Digital Lending non-compliance; IIFL Finance's gold-loan stop on loan-to-value and cash-disbursement findings; JM Financial's bar on share and IPO financing, each surgically targeted, each remediated in six to nine months. At the structural level, reconstruction under Section 45 of the Banking Regulation Act for capital and governance failure: Yes Bank's March 2020 reconstruction with SBI as anchor and AT-1 bonds written down; Lakshmi Vilas Bank's amalgamation with DBS within a fortnight; PMC Bank's variant where no anchor existed and depositors waited behind withdrawal limits until the 2022 merger into Unity Small Finance Bank. Above all of these sits cancellation.

Paytm Payments Bank is the case that demonstrates that highest rung. Three formal interventions across an eight-year supervisory engagement that began with KYC and AML observations in 2018: the March 2022 onboarding ban, the January 2024 prohibition on fresh deposits and top-ups, and the April 2026 cancellation of the licence under Section 22(4), the first cancellation of an operating payments bank in India. The escalation timeline reflects the regulator's preference for remediation; the cancellation reflects its conclusion that ringfencing the bank from its parent could not be achieved within the existing ownership structure. ₹1,395 crore in customer deposits is being repaid in full from the bank's own liquidity. What the case establishes is that the full statutory toolkit is live, and that the longest remediation timeline does not preclude the highest rung when the governance failure is structurally embedded.

The same grammar runs on the SEBI side, with parallel levers: interim directions under Sections 11(4) and 11B(1), disgorgement, settlement, cancellation, prosecution. The Jane Street order of July 2024 is SEBI's equivalent in significance: ₹4,843 crore in disgorgement and a market bar, on a finding of coordinated cross-segment manipulation across 18 BANKNIFTY expiry days, long the constituents in the morning to lift the index, short the options, reverse in the afternoon for settlement. The order extends the regulator's reach from entity conduct to algorithmic strategy design and to foreign desks operating through Indian-licensed brokers, and its institutional energy flowed directly into the exchange position-limit tightening and the November 2024 derivatives reform.

Recoverability is the variable that decides which rung the regulator climbs. Reconstruction for capital failures where systemic exposure makes wind-up disruptive; growth restriction for operational lapses where the entity is viable and the function severable; business freeze for remediable conduct; cancellation only when governance is structurally embedded in the failure mode; disgorgement when the gain is quantifiable and the conduct manipulative. The choice of rung is the diagnosis. Companies that read each supervisory action as a discrete event, rather than as a placement on the rung structure, miss the grammar through which the regulator is communicating.

The RBI is not the only authority whose rulebook applies, and the second layer is the most misread. The National Payments Corporation of India (NPCI) is not a statutory regulator; it is a Section 8 company operating under RBI oversight. Yet for a payments fintech its circulars carry operational consequence equal to or greater than any RBI direction: the 30% TPAP volume cap on UPI market share, currently in force to December 2026; the zero-MDR pricing architecture on UPI merchant payments; the autopay and authentication rule changes. The correct reading is that the RBI's payments department and NPCI operate as a single regulatory layer with two issuing authorities and two tempos, and a company that surveils only one has read half its rulebook.

The third layer is the Self-Regulatory Organisation for Fintech. FACE was recognised as the SRO-FT in August 2024, FIDC as the NBFC SRO in 2025. The RBI's Omnibus SRO Framework deliberately designed the SRO as neither regulator nor trade association: its function is to be the interlocutor through which the sector's position is filtered before the RBI acts, and the RBI treats the SRO's collective position as the sector's considered view. A company inside the SRO-FT can shape the collective submission, which then becomes the document the RBI reads as "industry view"; a company outside it is making bilateral representations that the RBI reads in a different register. The distance between treating membership as optional and treating it as the pre-regulatory signalling channel is where companies gain or lose months of policy traction.

SEBI, IRDAI, FIU-IND and the Data Protection Board each attach to product lines rather than to the entity: SEBI to wealth and broking products, IRDAI to insurance distribution, FIU-IND to every reporting entity under the money-laundering statute, the DPBI as the residual data regime after the RBI's 2018 payment-data localisation and IRDAI's information-security rules are satisfied first. The December 2025 insurance amendment raised FDI to 100% and gave IRDAI disgorgement powers, but withheld composite licensing; even in a full overhaul, the state preserved the life and general separation, so insurance-distribution fintechs continue to carry product segmentation rather than a unified intermediary pathway.

For a neobank-style stack, the practical consequence is at least six regulators, four licences and three data regimes, and the standard adviser's regulator-matrix is the wrong way to engage them, because the licences depend on each other in a specific order. Corporate structure must be frozen before the RBI application, since it determines NBFC classification and where foreign ownership sits; the classification determines permissible co-lending and FLDG arrangements; the payment aggregator entity decision must be taken before the first filing; the SEBI and IRDAI registrations trigger cross-holding and conflict architecture on the same entity; the data architecture must satisfy the sectoral localisation rules before DPDP becomes the residual constraint. The sequence the RBI expects to see is the sequence in which it reviews. A fintech that sequences by regulator priority, which is the default because it mirrors the organisation chart, ends up back at the RBI for resubmission.

The broader institutional observation is that the RBI's non-creation of a fintech regulator is not an absence of policy; it is the policy. The state has chosen to distribute authority across six custodians rather than define the sector, write a statute, and build a new supervisory architecture, preserving its own flexibility at the cost of the integration burden the distribution imposes on the company. The burden is not a cost of regulation; it is the design. A multinational entering Indian fintech cannot resolve it through a single regulatory relationship; it has to build an operating model that reads six rulebooks at once, surveils both the circular-to-Master-Direction rhythm and the supervisory rhythm, participates inside the SRO rather than around it, and sequences its applications in the order the RBI processes them. The companies that have done this are the ones that absorbed the 2025 Directions without disruption; the ones that did not are those whose business models have been reshaped, repeatedly, by corrections they could have read coming.