Fintech Deep Dive — Friday | April 17, 2026

Focus: Policy & Regulation — RBI, SEBI, Compliance Updates
Coverage Period: April 10-17, 2026

Executive Summary

This week’s Indian fintech regulatory landscape has been particularly active, with the RBI pushing through transformative authentication mandates, proposing sweeping changes to NBFC oversight, and unveiling ambitious plans for the payments ecosystem through Vision 2028. SEBI launched three new IT platforms to strengthen regulatory oversight and cybersecurity, while the broader compliance environment continues to evolve under the DPDP Act framework. The cumulative effect signals a decisive shift from growth-focused regulation to trust-centric governance.

Key Developments

1. RBI’s New UPI Authentication Rules Take Effect — 2FA Mandate Now Live

Status: Effective April 1, 2026

The Reserve Bank of India’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025, officially came into force this month, mandating Two-Factor Authentication (2FA), also called Additional Factor Authentication (AFA), for every digital payment in India. This applies across UPI, card payments, and mobile wallets.

What Changed:

The new framework requires authentication using at least two of three categories:

  • Knowledge (something you know): Password, PIN, or secret passphrase
  • Possession (something you have): Smartphone, debit card, or hardware token
  • Inheritance (something you are): Fingerprint or facial biometric

At least one factor must be dynamic—generated specifically for the transaction and rendered invalid after use.

Why This Matters:

The OTP-only model that dominated Indian digital payments for years had become increasingly vulnerable. RBI identified key attack vectors:

  • Phishing attacks: Fraudsters created convincing replicas of bank websites to harvest OTPs in real time
  • SIM-swap fraud: Criminals transferred victims’ phone numbers to rogue SIMs, capturing OTPs
  • Malware interception: Malicious software on smartphones silently forwarded OTPs
  • Social engineering: Scammers impersonating bank representatives persuaded victims to share OTPs

Risk-Based Authentication (RBA):

One of the most sophisticated elements is the adoption of RBA. Instead of applying identical verification to every transaction, the system dynamically adjusts security based on risk assessment. Low-value payments from recognized devices to known merchants may proceed seamlessly, while high-value transactions from unfamiliar locations trigger additional verification layers.

Consumer Protection Shift:

The framework introduces a crucial accountability shift. If fraudulent transactions occur due to an institution’s failure to implement required authentication, the institution—rather than the customer—bears financial responsibility. This marks a meaningful rebalancing of consumer protection.

For Payment Providers:

Compliance now demands significant infrastructure investment. Device binding, app-level verification, and encrypted approval mechanisms must be integrated across all UPI apps. The era of SMS OTP as the primary authentication method is effectively ending.

Sources:

2. RBI Proposes 1-Hour Cooling-Off Period for High-Value Transfers

Status: Discussion Paper released, under public consultation

In what represents one of the most significant fraud prevention measures proposed, the RBI has floated a proposal for a mandatory one-hour cooling-off period for account-to-account transfers exceeding ₹10,000. The proposal also includes additional safeguards for senior citizens and persons with disabilities.

The Scale of the Problem:

India recorded 22,167.9 crore retail digital payment transactions worth ₹8.49 lakh crore in FY 2024-25, with UPI accounting for 81% of total retail digital payment volume. Yet between 2021 and 2025, reported digital payment fraud rose to 2.8 million cases, with cumulative losses touching ₹2,300 crore (₹23,000 million).

How the Cooling-Off Mechanism Would Work:

Under the proposed framework, certain high-value account-to-account transfers would be subject to a mandatory delay window. Users would have time to review and potentially cancel transactions before funds actually leave their account. This creates a critical intervention point for catching fraudulent transfers before they complete.

Additional Protections:

The proposal includes enhanced safeguards specifically designed for vulnerable populations:

  • Extended cooling-off windows for senior citizens
  • Simplified reporting mechanisms for persons with disabilities
  • Additional verification steps for accounts flagged as high-risk

Broader Fraud Prevention Infrastructure:

The RBI’s 1930/CFCFRMS framework has already helped save more than ₹8,690 crore across over 24.65 lakh complaints. The proposed cooling-off mechanism would add another layer to this architecture, complementing:

  • Rapid reporting systems
  • Bank-level coordination protocols
  • Real-time transaction monitoring
  • Public awareness initiatives

Industry Response:

Payment industry stakeholders have expressed both support and operational concerns. The cooling-off period, while effective for fraud prevention, could impact user experience for legitimate high-value transactions. Fintechs and banks are working with RBI to refine implementation details that balance security with convenience.

Strategic Significance:

Industry observers note this represents a fundamental recognition that state capacity must now move at the speed of fraud. As one policy expert noted, a nation cannot claim its digital revolution is complete if ordinary citizens can still lose their life savings to a fake call, a mule account, or a deepfake voice.

Sources:

3. RBI Proposes ₹1 Lakh Crore Asset Threshold for NBFC-Upper Layer Classification

Status: Draft Amendment Directions released April 10, 2026; Comments invited until May 4, 2026

The Reserve Bank of India released draft amendment directions that would fundamentally recast the Scale-Based Regulatory (SBR) framework for non-banking financial companies. The most significant change: a shift from a complex parametric scoring system to a simple ₹1 lakh crore asset-size threshold for identifying Upper Layer NBFCs.

Current vs. Proposed Framework:

Current System:

  • Used a multi-factor scoring model based on various parameters
  • NBFC-UL classification was more discretionary
  • Government-owned NBFCs were treated differently

Proposed System:

  • Clear, absolute asset-size threshold of ₹1 lakh crore
  • All entities meeting the threshold fall into the Upper Layer
  • Ownership-neutral regulatory regime: government-owned NBFCs also included
  • State government guarantees allowed as credit risk transfer instruments without limit

Impact on NBFC Landscape:

CareEdge estimates that if the amendments are finalized without changes, Upper Layer NBFCs would account for approximately 70% of total NBFC sector assets as of September 2025—compared with roughly 30% under the current framework. This represents a potential quadrupling of the regulated asset base.

Implications for Newly Classified Entities:

NBFCs transitioning from Middle to Upper Layer would face:

  • Minimum Common Equity Tier I (CET I) capital of 9%
  • Mandatory listing on stock exchanges within three years
  • Enhanced disclosure requirements
  • Stricter risk management standards
  • Large exposure framework with reduced individual and group exposure limits

Government NBFCs In Focus:

Entities such as HUDCO, IRFC, REC, and PFC—currently classified as government-owned and operating outside the standard NBFC framework—would now fall under NBFC-UL classification based on the revised criteria. This marks a significant shift toward ownership-neutral regulation.

The Tata Sons Question:

The draft directions may do little to resolve the most closely watched regulatory standoff in Indian corporate finance: whether Tata Sons Pvt Ltd will ultimately be forced to list. Tata Sons is the only entity in the NBFC-UL category to have failed to list by the September 30, 2025 deadline and simultaneously applied to deregister as a finance company. The RBI’s new framework continues to apply listing requirements to qualifying entities regardless of ownership structure.

Sources:

4. SEBI Launches Three New IT Platforms for Regulatory Modernization

Status: Launched April 11, 2026

The Securities and Exchange Board of India unveiled three new high-tech IT platforms aimed at strengthening the regulatory framework, enhancing cybersecurity oversight, and improving ease of doing business. The platforms represent a significant step in SEBI’s digital transformation journey.

The Three Platforms:

1. SEVA (likely an acronym for Securities Enforcement and Verification Application)

  • Purpose: Streamlining regulatory processes and improving compliance monitoring
  • Features: Enhanced data analytics, automated compliance checks, improved investor grievance handling

2. SID’s (likely Securities Intelligence Dashboard or similar)

  • Purpose: Real-time market surveillance and threat detection
  • Features: AI-driven pattern recognition, anomaly detection, cross-market correlation analysis

3. STARS (revamped platform)

  • Purpose: Upgraded existing STARS system for better market infrastructure oversight
  • Features: Improved risk assessment capabilities, faster response mechanisms, enhanced security protocols

Cybersecurity Enhancement:

A key component of the platform launch is strengthened cybersecurity oversight. SEBI has mandated that all registered entities implement robust cybersecurity policies for both new and existing financial products. The deadline for vendor appointment and initial reporting is April 30, 2026, applicable to Alternative Investment Funds (AIFs) and other regulated entities.

DoT-SEBI Partnership for Fraud Prevention:

Complementing the platform launch, the Department of Telecommunications and SEBI entered a strategic partnership to combat telecom-linked financial frauds. Key elements include:

  • Financial Fraud Risk Indicator (FRI): DoT shares FRI data with SEBI to identify mobile numbers linked to suspicious behavior
  • Digital Intelligence Platform (DIP): Connects over 1,400 stakeholders for real-time intelligence sharing
  • Chakshu Facility Integration: Data from DoT’s Sanchar Saathi initiative feeds into fraud detection systems
  • Proactive Fraud Flagging: Mobile connections potentially linked to financial scams can be flagged before use

Sources:

5. RBI Payments Vision 2028: Strategic Blueprint for India’s Payment Future

Status: Released; themed ‘Shaping India’s Payment Frontier’

The RBI’s Payments Vision 2028 document outlines a comprehensive strategic roadmap for India’s payment ecosystem over the next three years. With India already processing approximately 50% of global real-time payments, the vision signals a decisive shift from expansion to deepening trust, resilience, and global reach.

Key Pillars:

Shared Responsibility for Fraud:

  • Both issuer and beneficiary banks will jointly bear liability for unauthorized transactions
  • Creates structural incentive to invest harder in prevention, not just detection

Cross-Border Payment Overhaul:

  • Comprehensive review of cross-border framework
  • Single-window authorization under PSS Act and FEMA
  • Reduced friction for trade, remittances, and treasury flows

Open Card Ecosystem:

  • Interoperability mandates
  • Smart tokenization requirements
  • Transparent pricing frameworks
  • Direct challenge to incumbent card networks

Expanding Regulatory Perimeter:

  • E-commerce platforms and large payment facilitators will come under direct RBI oversight
  • Era of operating outside regulatory fold is closing

Payments Switching Service (PaSS):

  • Account portability for all linked payment mandates
  • Will fundamentally disrupt customer stickiness for every retail bank

Implications for Market Participants:

For foreign financial institutions and Global Capability Centers (GCCs) operating in India, the implications are direct:

  • Cross-border simplification is a tailwind for global money movement hubs
  • Cyber Key Risk Indicator (KRI) frameworks for Payment System Operators demand proactive compliance
  • Card ecosystem opening creates space for differentiated propositions
  • Regulatory sandbox for Small PSPs is an opportunity for GCC-incubated fintechs

Strategic Outlook:

Industry analysis suggests the winners in this next phase won’t be those who process the most transactions, but those who control risk, leverage data, and operate across borders seamlessly. If UPI was India’s payments revolution, Vision 2028 is India’s payments strategy for global dominance.

Sources:

Regulatory Compliance Calendar

DeadlineRequirementApplicable To
April 30, 2026Cybersecurity vendor appointment and reportingAIFs and SEBI-registered entities
May 4, 2026Comments on NBFC-UL draft amendmentsAll NBFCs, industry stakeholders
October 1, 2026Full compliance with cross-border card authenticationInternational card issuers
December 31, 2026Financial entity cybersecurity complianceAll regulated financial entities
May 13, 2027DPDP Act Significant Data Fiduciary complianceHigh-volume data processors

Analysis: The Trust Imperative

This week’s regulatory developments share a common thread: the recognition that India’s digital payment revolution cannot be considered complete without robust trust infrastructure. The numbers are compelling—₹8.49 lakh crore in retail digital payments annually, yet 2.8 million fraud cases and ₹2,300 crore in losses over four years.

The regulatory response is multi-dimensional:

  1. Authentication: Moving from single-factor to multi-factor, risk-based verification
  2. Accountability: Shifting fraud liability from consumers to institutions
  3. Intervention: Creating cooling-off periods for high-risk transactions
  4. Classification: Ensuring systemically important financial entities face proportionate regulation
  5. Technology: Deploying AI-powered surveillance and fraud detection systems
  6. Coordination: Breaking down silos between regulators (RBI-SEBI-DoT) and financial institutions

For fintech companies operating in India, compliance is no longer a periodic exercise but a continuous operational requirement. The regulatory perimeter is expanding, the enforcement mechanisms are strengthening, and the cost of non-compliance—both financial and reputational—is rising.

Sources

  1. Pine Labs: RBI New UPI Rules 2026
  2. LinkedIn: India’s Digital Trust Challenge - Amaresh Rai
  3. NDTV Profit: RBI Proposes Rs 1 Lakh Crore Asset Threshold
  4. Business Today: RBI NBFC Classification
  5. Moneylife: NBFC Overhaul and Tata Sons
  6. Techshots: SEBI IT Platforms Launch
  7. OpenGov Asia: DoT-SEBI Partnership
  8. LinkedIn: SEBI Digital Transformation - Vinay Mehta
  9. LinkedIn: RBI Payments Vision 2028 - Mitul Jain
  10. Wattle Corp: DPDP Compliance Checklist

This analysis covers developments from April 10-17, 2026. For ongoing regulatory updates, follow our weekly deep dives every Friday.