Fintech Law

Fintech Law Practice

Our fintech law practice at S.S. Rana & Co. combines three specialist teams — Corporate & Commercial Advisory, Data Protection & Cyber Laws, and Patents — to advise fintech businesses across the regulatory, IP, and data law dimensions of their work simultaneously. Fintech businesses in India are simultaneously a regulated financial entity and a technology company whose core value lies in proprietary software, algorithms, and data infrastructure.

  • RBI regulates activities, not companies. We begin every fintech engagement by assessing regulatory classification — NBFC, payment aggregator, account aggregator, or technology service provider — before advising on any other matter.
  • RBI’s Digital Lending Guidelines, 2022 restructured the compliance obligations of lending fintechs and their NBFC partners. We assess every pre-2022 fintech partnership arrangement for conformity with the current requirements.
  • Our Patents practice, ranked by IAM Patent 1000, drafts patent applications for computer-implemented inventions consistent with the Section 3(k) and 3(m) exclusions under the Patents Act, 1970.
  • DPDP Act, 2023 compliance is a product design exercise, not a legal drafting one. We engage at the architecture stage alongside engineering teams — not retrospectively after a product is live.
  • Under Indian regulatory law, the regulated entity bears ultimate accountability to the regulator regardless of what the fintech partnership agreement provides. We advise on indemnity, step-in rights, and audit rights.
  1. RBI Regulatory Framework — How We Classify Fintech Businesses

    We begin every fintech engagement with a regulatory classification assessment. NBFCs lending from their own balance sheet require registration under Section 45-IA of the RBI Act, 1934 and are subject to the Scale Based Regulation framework. Payment aggregators require authorisation under the Payment and Settlement Systems Act, 2007. Account aggregators require a separate NBFC-AA licence under RBI’s Master Directions. Prepaid instrument issuers require PPI authorisation.

  2. Digital Lending Guidelines — Our Compliance Advisory

    RBI’s Digital Lending Guidelines, 2022 require: loan disbursals and repayments flowing directly between the borrower and the regulated entity; all-inclusive APR disclosure; Key Fact Statements; regulated treatment of first loan default guarantees; and board-approved digital lending policies. For fintech-NBFC partnerships structured before the Guidelines, we conduct compliance reviews and advise on restructuring where existing arrangements do not conform to the current requirements.

    “The Digital Lending Guidelines have narrowed the definition of a technology service provider to the point where many pre-2022 fintech arrangements now sit within the regulated perimeter. We assess this as a standard step in every fintech partnership engagement.”
  3. Fintech Partnership Structures — Liability Allocation

    We structure and document fintech-bank and fintech-NBFC partnerships, advising on: who bears the risk of borrower default beyond the agreed credit guarantee structure; who is responsible for the customer’s experience and conduct standards; what happens when the fintech’s technology fails; and how regulatory liability is allocated if the partnership is subject to an RBI inquiry. The regulated entity bears ultimate accountability to the regulator regardless of what the partnership agreement provides.

  4. IP Strategy for Fintech — Patents, Trademarks, Trade Secrets

    Our Patents practice advises fintech businesses on patentability under Sections 3(k) and 3(m) of the Patents Act, 1970, drafting patent applications for computer-implemented inventions that establish a specific technical effect beyond a mere algorithm or business method. Our IP strategy for fintech clients spans patent protection, trade secret protection, and trademark protection for brand names and UI elements across India and 130+ countries.

  5. Data Protection — Our DPDP Act Advisory

    Our Data Protection, IT & Cyber Laws practice implements consent management frameworks, data retention policies, security safeguards, data principal rights workflows, and breach notification procedures under the Digital Personal Data Protection Act, 2023. For fintech companies that are also regulated entities, we advise on RBI’s cybersecurity framework as a separate and additional obligation alongside the DPDP Act. Our fintech practice operates across 13 partners and 220+ professionals in New Delhi, Mumbai, Chennai, Hyderabad, and Bangalore.

Frequently Asked Questions

fintech-laws-practice-faq

The licence or authorisation required depends on the regulated activity. Payment aggregators require authorisation from RBI under the Payment and Settlement Systems Act, 2007. Digital lenders from their own balance sheet typically require NBFC registration under Section 45-IA of the RBI Act, 1934. Account aggregators require an NBFC-AA licence. Each model has a distinct regulatory pathway and the correct classification must be assessed at the outset.

Software is patentable in India only where it produces a specific technical effect beyond a mere algorithm or business method — the exclusions in Sections 3(k) and 3(m) of the Patents Act, 1970 apply. Claim drafting strategy is critical: claims framed as a computer-implemented method establishing a specific technical effect are more likely to survive examination than abstract algorithm or business method claims.

RBI’s Digital Lending Guidelines, 2022 require loan disbursals and repayments to flow directly between borrowers and regulated entities — not through LSP accounts. APR disclosure, Key Fact Statements, regulated treatment of first loss default guarantees, and board-approved digital lending policies for regulated entities are all required. For fintech-NBFC partnerships structured before 2022, a compliance review against the current requirements is necessary.

Fintech companies as data fiduciaries must obtain valid consent for processing personal data, observe purpose limitation and data minimisation, implement security safeguards, respond to data principal rights requests, and notify breaches. Fintechs processing financial data of consumers at scale are likely to be designated as significant data fiduciaries with additional obligations. Product architecture decisions must be made at the design stage, not retrospectively.

Under Indian regulatory law, the licensed entity (the bank or NBFC) bears ultimate accountability to the regulator regardless of what the partnership agreement provides as between the parties. Fintechs and their regulated entity partners therefore negotiate indemnity, step-in rights, and audit rights — not regulatory liability allocation — as the primary commercial protection mechanisms.

For more information please contact us at : info@ssrana.com