Fintech Deep Dive — Friday | June 26, 2026

Theme: Policy & Regulation (RBI, SEBI, Compliance)

This has been an extraordinarily active week for Indian fintech regulation. The RBI released two landmark frameworks — one governing AI and model risk across the entire financial sector, another overhauling digital fraud compensation for consumers. SEBI, meanwhile, dropped a consultation paper that could fundamentally reshape how financial products are advertised online, including classifying AI avatars as “celebrities.” Add to this mounting concerns over foreign data sovereignty after the Meta-CRED deal, and the regulatory landscape has shifted dramatically in just seven days. Here are the five most significant developments.

1. RBI’s Draft Model Risk Management Guidance: India’s First AI Rulebook for Finance

On June 24, the RBI released its draft “Guidance on Regulatory Principles for Model Risk Management, 2026” — a 64-principle, six-chapter framework that, for the first time, puts every model used by India’s banks, NBFCs, and financial institutions under a single Board-owned governance umbrella. ¹

The scope is breathtaking. The framework applies to all eleven categories of RBI-regulated entities — from commercial banks to cooperative banks, all four layers of NBFCs, all-India financial institutions, ARCs, and credit information companies. And it covers every model: internally built, third-party sourced, or hybrid — from credit-scoring algorithms to fraud detection systems to AI chatbots. The definition of “model” explicitly catches spreadsheets and rule-based decision tools if they have “a material impact on decision-making, irrespective of whether such tools are recognised as models by the regulated entity.” That last clause is the regulatory equivalent of saying: you can’t dodge this by calling your model something else.

The AI Chapter: Explainability, Kill Switches, and Hallucination Controls

The heart of the draft is Chapter V.B — fifteen dense paragraphs of the most detailed AI/ML expectations the RBI has ever articulated. Regulated entities must:

• Set explainability and transparency thresholds for all AI models, with higher thresholds for those driving material customer decisions
• Control for hallucinations, bias, overfitting, spurious correlations, and output variability
• Conduct red-teaming exercises against adversarial manipulation
• Install kill-switch mechanisms — the ability to immediately disable a model producing harmful outputs
• Provide mandatory human oversight and the option for consumers to access human assistance when interacting with AI interfaces
• Disclose to customers when they are interacting with an AI system

Crucially, the RBI does not ban opaque models outright. Where full explainability “is not achievable” — a nod to large language models and frontier AI — the model must be wrapped in enhanced controls: more intensive validation, output corroboration, restricted usage scope, and continuous monitoring.

Third-Party Models: Accountability Stays Home

The message on vendor models is blunt: “A regulated entity acquiring, using or relying upon third-party models at any stage of the model lifecycle is accountable for its outcomes.” Vendor certification is not a substitute for independent validation. The draft further requires contractual provisions for audit rights (including for the supervisor), minimum documentation access, and exit arrangements — a tall order when negotiating with large global AI providers.

What This Means for Fintech

For India’s fintech lenders, credit-scoring startups, and AI-first financial products, this draft signals a paradigm shift. The era of deploying machine learning models with light governance is ending. Every entity will need a Board-approved Model Risk Management Framework (MRMF), a complete model inventory, risk-based tiering, and independent validation — not as aspirational best practice, but as regulatory compliance.

The consultation is open until July 24, 2026. Once finalised, the guidance will supersede the model-risk portion of the RBI’s 2002 Credit Risk note — retiring a standard that predates the machine-learning era entirely.

2. RBI Finalises Digital Fraud Protection Rules: Shadow Reversal and Compensation Framework

On June 23, the RBI issued final directions on limiting customer liability in unauthorised digital banking transactions, introducing a landmark “shadow reversal” mechanism and a first-of-its-kind compensation pool for small-value fraud victims. The rules take effect on January 1, 2027 — a six-month deferral from the originally planned July 1, 2026 date. ^{2 3}

How the Compensation Works

Victims of digital payment fraud involving losses up to ₹50,000 can receive compensation of up to ₹25,000 — once in their lifetime. The compensation is funded through a shared liability model:

For cross-border transactions with no Indian beneficiary bank, the RBI bears 65% and the customer’s bank bears 35%. Eligibility requires victims to report the fraud to both the National Cyber Crime Reporting Portal (or helpline 1930) and their bank within five calendar days of the incident.

The Shadow Reversal Innovation

The most significant operational change is the “shadow reversal” mechanism. For disputed credit card transactions, banks must provisionally reverse the amount within five days of receiving a customer complaint, providing immediate relief while investigations continue. This addresses one of the most persistent consumer complaints: being left financially exposed while banks investigate fraud over weeks or months.

Extended to Sole Proprietors

The framework extends certain protections to sole proprietors, recognising that individuals running small businesses are particularly vulnerable to digital fraud and often lack the resources to navigate complex dispute resolution. Previously, many sole proprietorship accounts fell into a grey zone between retail and commercial banking protections.

Why the Deferral?

The RBI cited the need for banks and payment system participants to build the operational infrastructure — systems for shadow reversal, reporting mechanisms, and compensation processing — as the reason for the six-month delay. For fintech companies processing UPI payments, this means the window for compliance preparation has been extended but the framework itself is now final and non-negotiable.

3. SEBI’s Draft Common Advertisement Code: AI Avatars as Celebrities, Finfluencers in the Crosshairs

On June 23, SEBI released a consultation paper proposing a Common Advertisement Code (CAC) to replace the seven separate advertising rulebooks currently governing different market intermediaries. ⁴ The draft is sweeping, but two provisions have generated the most attention.

5 Lakh Followers = Celebrity

The proposed code defines a “celebrity” for advertising purposes as anyone with more than 5 lakh (500,000) followers on any social media platform. This means India’s most prominent “finfluencers” — financial content creators who review stocks, recommend mutual funds, and discuss market strategies — would be subject to the same endorsement liability standards as film stars and cricketers. If they promote a broker, a stock, or a fund, they would bear responsibility for the claims made.

This is a direct escalation of SEBI’s ongoing crackdown on unregulated financial influencers. The regulator has reportedly taken down more than 15,000 “content sites” by unregulated finfluencers and is using AI and web-scraping tools to monitor platforms including X, Instagram, and YouTube.

AI Avatars Get the Celebrity Treatment

In a forward-looking provision, SEBI proposes that virtual characters and AI-generated avatars used in financial advertising should be treated the same as human celebrities. If a brokerage creates an AI influencer to promote its platform, the entity behind it would bear full liability for the AI’s endorsements — regardless of whether the avatar is a photorealistic deepfake or a cartoon mascot.

From Prior Approval to 24-Hour Reporting

The draft replaces the current system of mandatory prior approval for most financial advertisements with a post-publication reporting requirement. Entities would upload ads to a central portal within 24 hours of running them, and stock exchanges, depositories, and AMFI would then flag violations. This shifts the compliance burden from a pre-publication gate to a post-publication audit — faster for advertisers but requiring stronger surveillance capacity from regulators.

Dark Patterns Banned

The code explicitly bans “dark patterns” in financial advertising — deceptive design practices that manipulate users into actions they didn’t intend. This covers misleading urgency claims (“only 2 spots left!”), fake social proof, and hidden fee disclosures in investment ads.

4. SEBI Overhauls Stock Exchange Technology Rules: DMA for All, Unified SOR Portal

On June 22, SEBI released a separate consultation paper on “Trading Software and Technology at Stock Exchanges” — a comprehensive overhaul of the technology infrastructure rules governing India’s equity and derivatives markets. ⁵

Direct Market Access Opened Up

The most significant proposal: opening Direct Market Access (DMA) to all categories of investors, not just institutional participants. Currently, DMA — the ability to place orders directly into exchange matching engines without broker intermediation — is largely restricted to institutional players. Broadening access could democratise high-speed trading infrastructure and has implications for fintech platforms building algorithmic and systematic trading tools for retail investors.

Single-Window SOR Approval

Smart Order Routing (SOR), which allows brokers to route client orders to the exchange offering the best price, currently requires separate approval from each stock exchange. SEBI proposes replacing this with a unified common portal — a single application listing all exchanges where a broker intends to offer SOR, with one exchange responsible for processing the entire approval. This could significantly reduce the time-to-market for brokers and fintech trading platforms.

Expanded Cybersecurity and Algorithmic Trading Requirements

The paper also proposes updated cybersecurity standards, disaster recovery requirements, and enhanced governance for algorithmic trading systems. Together with the Model Risk Management guidance from the RBI, this signals that both of India’s primary financial regulators are moving to tighten technology governance simultaneously.

5. Meta’s $900 Million CRED Investment Triggers Data Sovereignty Debate

While not a regulatory action per se, the June 22 announcement of Meta’s $900 million investment in CRED at a $4.5 billion valuation — coupled with the appointment of CRED founder Kunal Shah as WhatsApp’s global head — has triggered a significant policy debate about foreign control of Indian financial data and digital infrastructure. ^{6 7}

The GTRI Warning

The Global Trade Research Initiative (GTRI) released a report raising alarms about the concentration of foreign technology ownership in India’s fintech sector. The logic: Walmart controls approximately 72% of PhonePe, Google owns Google Pay, and Meta operates WhatsApp Pay. The proposed CRED investment — giving Meta an estimated 20% stake — would further deepen this foreign presence in a sector built largely on India’s public digital infrastructure: Aadhaar, UPI, and India Stack.

CRED processes more than 40% of India’s credit card bill payments, giving it what may be the richest repository of consumer financial-behaviour data in the country. The GTRI report argues that Indian fintech startups appear “increasingly focused on eventual acquisition by foreign firms rather than building long-term Indian-owned digital champions.”

WhatsApp Pay’s Regulatory Context

The deal also highlights the regulatory tension in India’s UPI ecosystem. Despite more than 500 million Indian users, WhatsApp Pay held just 0.65% of UPI transactions as of May 2026 — while PhonePe and Google Pay together command nearly 80%. NPCI’s 30% market-share cap is designed to prevent any single player from dominating, but Meta has been unable to reach even that threshold. The CRED investment and Shah’s appointment represent Meta’s most aggressive attempt yet to change that trajectory.

Regulatory Implications

For the RBI and the government’s data sovereignty agenda, the Meta-CRED deal crystallises a tension that has been building for years: India’s DPI创造了世界上最大的一些数字支付量，而其所有权结构却主要由外国科技公司控制。随着RBI最终确定其数字欺诈规则并起草AI治理，这些数据主权问题可能促使更严格的监管行动，特别是关于支付数据本地化和对外资收购印度金融数据公司的限制。

This Week’s Regulatory Scorecard

Looking Ahead

• July 24: Deadline for comments on the RBI Model Risk Management draft — expect significant industry pushback on third-party audit requirements and AI explainability thresholds.
• June 30: Digital lending compliance deadline for fintech lenders — boards must have their act together.
• January 1, 2027: Digital fraud protection rules go live — banks and payment platforms need the next six months to build compensation and shadow reversal infrastructure.

India’s financial regulators are moving at a pace that matches the technology they’re trying to govern. This week alone, the RBI has drafted its first AI rulebook, finalised a consumer fraud compensation framework, and reformed NBFC classification. SEBI has proposed redefining celebrity endorsement for the AI age. The signal is clear: the regulatory framework for Indian fintech is being rebuilt in real time, and companies that treat these as distant compliance exercises rather than immediate strategic imperatives will find themselves scrambling.