FinTechFinTech Startups – Regulatory Impediments and the Road Ahead

June 10, 20220


Financial Technology (hereinafter referred to as “FinTech“) has been in the news for quite some time now. FinTech is used to describe all such technology used for augmenting, streamlining, digitizing and shifting from traditional financial services.

Compared to the conventional financial services, FinTech focuses on customer outcomes by providing tailor made actionable advice to investors with greater ease of access and at an affordable cost.

In recent times, FinTech Startups have grown considerably in India. The introduction of digital payments by the Indian Government and an increase in the number of mobile users within the country have been conducive to its growth. While, FinTech Startups have taken rapid strides in India, various legal and compliance issues surround this emerging sector.

In this article, we attempt to discuss about the legal and compliance challenges faced by FinTech Startups and what is the road ahead for them.


a. Data breach is one of the common legal issues faced by FinTech Startups.

Privacy is an important aspect of a person. The Supreme Court in the case of K.S.Puttaswamy v. Union of India, (2017) 10 SCC 1 has declared the Right to Privacy as being a fundamental right of a person and is protected under Article 21 of the Indian Constitution.

The nature of the work of the FinTech Startups majorly deals with sensitive information about companies and individuals. They gather vast volumes of customer data to gain insights. Personal financial information is included in some of the data.

The technical dependencies existing in the FinTech ecosystem make these startups more susceptible to security breaches and cyber criminals. Common security breaches include money theft, application breaches, data leaks, and malware attacks.

Data confidentiality is how one can protect data against unintentional, unlawful or unauthorized access or theft. Humans are susceptible to error, and even a slightest loophole within the system can open the entire system open for the invitation of data thieves. In other cases, weak encryptions in the system can also lead to a data breach which is why data breaches and cyber security are significant setbacks for FinTech Startups and is something that needs to be addressed by introducing stringent data privacy legislations targeted to this sector.

b. There is no special FinTech regulation in India. The regulations governing offline banking and financial services are also applicable to fintech companies, which becomes a crucial issue that needs to be addressed.

The Reserve Bank of India (hereinafter referred to as “RBI”) is the primary regulator for most of the fintech companies in India. At times, based on the nature of services, the Securities and Exchange Board of India (hereinafter referred to as “SEBI”) when dealing in the securities market and the Insurance Regulatory and Development Authority of India (hereinafter referred to as “IRDAI”) for the insurance sector, as well as the Ministry of Electronics and Information Technology (hereinatre referred to as “MEITY”) and the Ministry of Corporate Affairs, may be applicable.

The existing laws inevitably end up slowing down FinTech Startups in the Indian Financial Markets by prescribing a slew of compliances. These are are not only tough to comply with, but they also make it difficult for fintech companies to enter the Indian market.

The choice of business organization of the FinTech Startups should be carefully decided,yet the stringent regulations limit their operations to a certain extent.

It is to be noted that FinTech Startups are clearly different from offline banking and financial services and the both operate differently from each other; a common set of rules and regulations can thus never be applied to these sectors.  This highlights the need for an independent regulation made exclusively for governing the FinTech Startups which exclusively works through the use of technology.

c. In any setup, Intellectual property (hereinafter referred to as “IP”) plays an important role. Similarly, software and technology innovation is the most crucial aspect of a FinTech startup.

One issue in such a case is that patent protection can be elusive for FinTechs, given the stringent requirement that the product should be novel, inventive, and have an Industrial application as laid down under Section 2(j) of the Indian Patents Act, 1970..

Determining when to register and enforce intellectual property rights can be tricky. It is thus imperative to protect the technological innovation, and startups must balance the competing demands of wanting to encourage industry-wide adoption while at the same time making sure their innovation is safe.

It should timely review the IP policies and ensure that innovation occurs at all levels of the organization and that it is captured, preserved, and managed with the future game plan in mind.

d. Another pertinent issue for a FinTech Startup is the problem of acquiring adequate funding for smooth functioning.

Raising capital for a FinTech startup can be tedious since investors want a risk-free return, and it is a known fact that startups can be pretty risky.

At the early growth stage, most startups fail either due to poor management or flaws in their business models and operational performance, which is integral to their overall vision and goals. Each business type comes with its own set of legal requirements and regulations, and hence a knowledge of the legal requirements and compliance is necessary before incorporating a particular business.

A lot of FinTech Startups lack a basic understanding of the complexities of the markets they are venturing into. The Fintech industry is a fast-evolving sector with innovations introduced every other day, and thus a lot of times, investors are sceptic about investing in such a startup.

In such a scenario, it becomes necessary for the FinTech Startups to not go for the rat race and establish a sound business model which can pave the way for growth. Secondly, the choice of acquiring capital should be as per the business needs. One can go for bootstrapping or external investments by venture capitalists or angel investors, which are governed by the rules and regulations of SEBI. As for investors, they need to focus on the problem that the FinTech startup is trying to solve and how it adds value to the customers.


a. Know your customer (KYC) is an important compliance carried out by the FinTech Startups. Although essential, it poses various issues for FinTech Startups.

  • As the name suggests, KYC is a mechanism to verify the customer’s true identity at the ‘time of’ or ‘before’ entering a financial platform to avail of financial services. It is a crucial regulatory requirement for fintech companies and other institutions with financial responsibilities (like banks, credit institutions and insurance providers). It has been introduced to protect these startups from financial frauds and mitigate the risk of security breaches.
  • The RBI has directed each financial entity to conduct KYC of each customer vide Master Direction – Know Your Customer (KYC) Direction, 2016 [RBI/DBR/2015-16/18] as per Section 35A of Banking Regulation Act, 1949 (hereinafter referred to as “Banking Regulation Act”), along with Rule 9(14) of Prevention of Money-Laundering (Maintenance of Records) Rules, 2005.
  • Although it is a crucial compliance for FinTech Startups, it is a complex procedure requiring the customer data to be monitored and screened continuingly to assess the risks that require an integrated computer network and a specialized team.
  • KYC is also a costly affair owing to the massive increase in the volume of the KYC data that needs to be collected, stored, processed and monitored due to the rapid digital transformation.
  • For a FinTech startup, investing a huge chunk of its expenditure on KYC can be unfavorable for them and can severely impact the business.

b. FinTech Startups operate over the internet and rely on individuals’ personal data, which necessitates them to comply with the Information Technology  Act of 2000.

  • Section 43A of the Information Technology Act (hereinafter referred to as “IT Act”) provides for damages to be paid by an organization in case of negligence in maintaining security measures for protecting the user’s confidential personal data.
  • The Information Technology Rules, 2011 (hereinafter referred to as “IT Rules”) further govern how personal data storage, use, and processing is to be carried out.
  • The startups must maintain security control structures and information security protocols, including IS, ISO, and IEC 27001 certifications.
  • Despite the fact that enterprises are responsible for the compliance, the IT Act itself poses obstacles. It is silent on cyber-attack from external sources. India has been a victim of cyber attacks, but no regulatory mechanism has been put in place.
  • Similarly, there is no mechanism for protecting data when using Internet Banking and the issue of identity theft. The inherent insistency in the laws can pose a challenge to the growth of FinTech Startups.

c. FinTech Startups also face issues with complying with the taxation rules set out under various legislations.

  • Taxation can be divided into two parts- Direct and Indirect Tax. With regards to Direct Tax, within the FinTech industry, many entities register themselves as a company and are required to pay corporate income tax under the Income Tax Act either as Domestic under Section 2(22) of the Income Tax Act (hereinafter referred to as “ITA”) or Foreign Companies under Section 2(23) of the ITA.
  • Also, FinTech Startups serving as a digital payment intermediary between an Indian buyer and a non-resident seller are liable to withhold an equalization levy from the amount payable to a foreign merchant.
  • With regards to Indirect Tax, FinTech Startups are covered under Section 65(12) of the Finance Act, 1994 as ‘Other Financial and related services and is subject to Goods and Service Tax (hereinafter referred to as “GST”) at the rate of 18%.
  • Further, Section 13 of the Central Goods and Services Tax (“CGST”) Act stipulates that the liability to pay GST on services arises at the time of service supply. The place of supply is thus essential to be determined.
  • The issue here is that determining the actual supply place for FinTech Startups becomes challenging since they are digital platforms, and another FinTech Company or other entities may operate one payment platform. The lack of specific provisions laying down the implications of tax on the FinTech sector is a significant issue which hampers the compliance of the taxation rules as prescribed.


In light of the changing landscape of data privacy in the country, it is essential for the FinTech startups to be abreast of the new data privacy laws. Recently, the MeitY has proposed a draft amendment to the Information Technology Rules, 2021 wherein stricter compliance have been introduced for the intermediaries. Very recently the tussle between WhatsApp and the Government on the issue of privacy again highlights the fact that data privacy laws is going to be more stringent than ever.

FinTech Startups should be particularly aware of the data they are collecting and should be thorough with the various laws that exist and the compliances that needs to be done. They should undertaking frequent audits and reviews of their privacy policies to better visualise the sorts of data they gather, the movement of that data within the firm.

The growth of Non-Fungible Tokens (hereinafter referred to as “NFT”) within the FinTech sector can mean a whole new addition of IP  compliances. NFTs comprise of two elements: the token itself and the IP rights to the underlying material attached with the token. Before minting and selling NFTs, the IP holders should double-check that all associated rights are in order.

The majority of startups are uninformed about intellectual property protection, such as patent filing, trademark registration, and copyright protection. They should also carry out a due diligence to check that there is no unlicensed use of IP- for both NFT and otherwise. A clear demarcation of what is allowed and what is not in respect to Intellectual Property rights should be maintained at all times.

To avoid further complications, legal professionals should be approached who are experts in this field and can help these startups with the necessary filings and carrying out due diligence.

Startups must also be aware of introduction of new tax legislations, new taxes, their liabilities, and the possible implications for their business. Further, all the necessary contracts like- employment contracts, non-disclosure agreements, shareholder agreements should be accurately curated and drafted to avoid any chance of pitfall. Outsourcing such work to the experts can prove to be very useful. Not only will it help in saving their time, it will also help these startups to avoid backlashes.

Thus, the issues surrounding FinTech Startups are manifold and can sometimes feel like a grey area to the startups since they are new to the market. It is therefore always better to communicate with legal professionals and industry experts and seek their help in order to understand the necessary compliances and due diligence that needs to be done. Consulting the industry experts can aid the startups in mitigating the many business risks while also paving way for a more informed and advantageous decision despite there being a number of constrains and limitations.


As evident, FinTech has the potential to reshape the financial services and financial inclusion landscape in India in fundamental ways. It can lower costs while also improving access and quality of financial services. Establishing an equilibrium between properly utilizing FinTech while minimizing its systemic implications is necessary.

RegTech can be pretty valuable for these startups in this regard because it makes rules and compliance simple and trustworthy, preventing them from making poor financial choices. It saves time and money in the form of security fraud reparations. It promotes innovation, lowers risk, and develops collaborative initiatives while automating various compliances like KYC.

A relatively new concept known as Embedded Banking can revolutionize the FinTech sector. It refers to the integration of various financial services in a business platform or app through the use of Application Programming Interfaces which can easily integrate to import functionalities and services quickly using a mobile or an app leading to better customer experience.

There is a gamut of legal regulations within the bounds of which a business has to operate. These regulations have been laid by legislation and are enshrined in different acts such as the Indian Contract Act, Companies act (and amendments), Consumer Protection Act, Industrial Disputes Act, Information Technology Act, Payment of Gratuity Act, Standards of Weights & Measures Act, Foreign Trade (Development and Regulation) Act, Foreign Exchange Management Act, and many other acts.

It is impossible to not infringe upon any one of them without the help of a lawyer who will ensure that the business abides by all these laws. There is also a complicated Income Tax regime in India that regulates the rules pertaining to corporate tax.

All startups need tax lawyers, or there is a genuine possibility that they may go out of business after an audit

– Team AMLEGALS, assisted by Ms. Pritha Lahiri (intern) 

For any query or feedback, please feel free to connect with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.