Chapter 4

REGULATION OF FINTECH IN INDIA

4.1 Introduction

FinTech has been in the spotlight for the last few decades. However, many of the

challenges associated with FinTech development have to do with its emerging and

developmental state. For example, there is a lack of consensus regarding the

definition of even basic concepts and the regulatory framework. It is still not

unambiguously clear which companies fall within the domain of FinTech and,

therefore, should be regulated accordingly.

FinTech development has to be believed that the growing dependence on

regulation is a potential risk for their development. The responses show that

regulation is still one of the most pressing issues for the FinTech ecosystem, even

though it is not necessarily regulation per se that causes concerns but the lack of a

regulatory framework that would be suitable for the particular situation of the

FinTech sector.

However, regulation is now regarded as less problematic for the effective

development of the ecosystem when the government and its relative agencies can

react to the most pressing issue. Moreover, the FinTech industry anticipates better

support from the regulator, such as more realistic sandbox approaches and a

willingness to consider new business models.

In the wake of global development challenges, we need to precisely regulate

FinTech in different aspects, which has various advantages and disadvantages.

139
New forms of crimes have emerged simultaneously with the development and

adoption of a new generation of financial transaction systems and their

transactional duration speed.

The modus operandi of a technically advanced offender departing from traditional

crime is completely different, so the requirement to deal with such an entirely

technical offence, as well as e-cheating and e-fraud, is to be required to change

how to deal with such new technically based offences. Thus, it is necessary to

close the gaps in the current statutory provision on technically mild offences.

In order to create a secure environment for the FinTech ecosystem in India, it is

pertinent to address some issues under the garb of existing and in-pipeline

regulations.

(Figure No .11)

140
4.2 Data Privacy

Data security and privacy are significant issues that FinTech companies must

deal with. They manage many private customer data, including transactions

and personal information. FinTech companies must put strong security

measures in place to safeguard data from unauthorised access, security

breaches, and cyber threats. Privacy issues arise when FinTech companies

gather, store, and use people's personal information.

To address these issues and keep customers' trust, it's crucial to use data

anonymisation techniques, be transparent, and ensure proper consent. The

regulatory environment in which FinTech companies operate is complicated;

they must understand and abide by all the laws enforced for the time being,

along with the Digital Personal Data Protection Act 2023, in India.

Implementing appropriate organisational and technical safeguards, performing

data protection impact analyses, and ensuring the lawful processing of personal

data are all components of compliance. Significant fines and reputational harm

may result from noncompliance.

FinTech companies must prioritise data security and privacy by using strong

encryption, access controls, and data governance frameworks to address these

issues. They must invest in compliance programs to stay current with changing

regulations and modify their practices accordingly. Collaborations with legal

authorities, data protection regulators, and business associations can also offer

direction and the best methods for overcoming these difficulties.

141
The Information Technology Act 2000, The IT Rules of 2011 and The Digital

Personal Data Protection Act 2023 oversee data protection in the FinTech

industry. Private law seeks to solve several issues, one of which is the

protection of the privacy of individuals. FinTech acknowledges the significant

role that data, and more specifically Big Data, play in the operation of the

digital economy.

4.2.1 Legal Position

With regards to data privacy, the legal framework comprises the following

enactments:

4.2.1.1 The Reserve Bank of India Act, 1934

RBI was established under the RBI Act 1934 for the supervision of banks

both within the country and overseas with the ultimate goal of protecting

the rights of banking customers as a whole, as well as for the regulation of

the issue of bank notes and the maintenance of reserves to secure and

operate the credit system in the nation. Concerning data privacy, the said

act covers the following points:

i. Under The RBI Act 1934, Chapter III-A, titled ―Collection and

Furnishing of Credit Information‖, deals with non-disclosure of

confidential information.97 The said chapter provides that certain

information shall be treated as confidential. In this regard, some

important provisions are mentioned as under:-

97
The Reserve Bank of India Act ,1934(2 of 1934) s. 45NB.

142
 a. Under Section 45E, RBI may at any time direct any banking

company to submit to it such statements relating to credit

information in such form and within time as may be specified

from time to time.;

b. Under Section 45 NB, any information relating to a non-banking

financial company contained in any statement or return submitted

by such company, obtained through audit or inspection, or

otherwise by the Bank shall be treated as confidential and shall

not, except otherwise provided in this section, be disclosed.

c. Under Section 45 NB, information may be published by the RBI if

it considers it necessary in the public interest. It should be done in

such consolidated form as it may think fit without disclosing the

name of any non-banking financial company or its borrowers;

d. Under Section 45 NB, information may be published under the

practices and usages customary or permitted by any other law.

e. Bank and NBCF shall not be compelled by a court, tribunal, or

other body to produce or examine any statement furnished under

the provision of this chapter.

The Reserve Bank of India has provided guidelines for the disclosure of

confidential credit information primarily through its Master Circulars and

other regulatory notifications. These guidelines are aimed at ensuring the

confidentiality, accuracy, and responsible use of credit information by

banks and financial institutions.

143
 4.2.1.2 The Public Financial Institutions (Obligation as To

Fidelity and Secrecy) Act, 1983

Another enactment for maintaining secrecy provides the responsibility to

preserve fidelity and secrecy in banking or NBFC institutions, except

otherwise offered within the show or any other law for the time being in

force.

i. Financial institutions are required by law to maintain the

confidentiality of all customer information under normal

circumstances, and these organisations are held accountable for

failing to do so.98

ii. For conducting efficient business, public financial institutions need

to collect and provide information to:-

a. Central Government

b. Certain banking institutions permitted by corresponding Acts.

c. As per need, any other public financial institutions.99

iii. All members of financial institutions shall oblige to declarations of

maintenance of secrecy.100

98
The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 ( Act 48 of
1983) s.3(1).
99
The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 ( Act 48 of
1983) s.3(2).
100
The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 ( Act 48 of
1983) s.4.

144
 4.2.1.3 The Information Technology Act, 2000

As a result of the United Nations Commission on International Trade

legislation's approval of model legislation on electronic commerce on 30

January 1997, this act has been implemented to make the necessary

adjustments to the current law.

i. Any person who, with malice or reckless disregard for the privacy

of another, photographs, publishes, or transmits an image of another

person's private area without the consent of that person and under

circumstances that violate that person's privacy shall be punished by

imprisonment for a term not to exceed three years, a fine not to

exceed two lakh rupees or both.101

ii. Except as otherwise provided in this Act or any other law in force, if

any person who, in pursuance of any of the powers conferred under

this Act, rules or regulations made thereunder, has secured access to

any electronic record, book, register, correspondence, information,

document or other material without the consent of the person

concerned discloses such electronic form, text, register, post, data,

paper or other material to any other person, such disclosure shall be

void.102

iii. If a corporation has, deals with, or handles sensitive personal data

or information in a computer resource that it owns, controls, or

operates and is careless about putting in place and keeping up with

101
The Information Technology Act, 2000 (Act 21 of 2000) s.66E.
102
The Information Technology Act, 2000 (Act 21 of 2000) s.72.

145
 reasonable security practices and procedures, and this causes

someone to lose or gain something they shouldn't have, the

corporation will have to pay damages to the person who was hurt.103

4.2.1.4 The Digital Personal Data Protection Act 2023104

This legislation aims to establish a framework for handling digital

personal data that acknowledges the importance of individuals' right to

safeguard their personal information while recognising the necessity of

processing such data for authorised purposes and related topics.

Data Fiduciary105 means any person alone or in conjunction with others

determines the purpose and means of processing personal data.‖ Which is

required to:

i. Destroy personal data by the general obligations of the data

fiduciary unless retention is required for compliance with any law

currently in effect. When the indicated purpose is no longer being

served, or as soon as it is reasonably presumed that it is no longer

being served, whichever comes first,106 and

ii. Instruct its Data Processor to delete any personal data provided to

the Data Processor by the Data Fiduciary for processing.107

103
The Information Technology Act, 20000 (Act 21 of 2000) s.43A.
104
Yet Not notified;
105
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) s. 2(i).
106
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) s.8(7)(a).
107
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) s.8(7)(b).

146
4.2.2 Policy Framework

Creating a robust policy framework for data privacy in the context of

FinTech is essential to protect sensitive financial and personal information

while fostering innovation. Here's an outline of a comprehensive policy

framework for data privacy in FinTech. The policy framework pertaining to

data privacy is specified as follows:

4.2.2.1 The Information Technology (Reasonable and Practices

and Procedures and Sensitive Personal Data or

Information) Rules, 2011

Here are the terms and expressions often used in the digital sphere, and

by extension, the means through which the Personal Data/Information

will be released and to what extent.

Sensitive personal data or Information of a person means such personal

information which consists of information relating to:

i. Password;

ii. financial information such as Bank account, credit card,

debit card, or other payment instrument details;

iii. physical, physiological and mental health conditions;

iv. sexual orientation;

v. medical records and history;

vi. Biometric information;

147
 vii. any detail relating to the above clauses as provided to the

body corporate for providing service; and

viii. any of the information received under the above provisions

by the body corporate for processing, stored or processed

under lawful contract or otherwise:108

For the guidelines mentioned above, private information does not include

data that is already publicly known or accessible, such as information

provided under the Right to Information Act, 2005 or any other

legislation currently in effect

4.2.2.2 RBI Master Direction –Know Your Customers (KYC)

Directions, 2016, updated as of May 10, 2021

The RBI exercises its power under the RBI Act and other enactments to

provide master circulars and different directions for the time being.

Regulated Entities (REs) are those agencies licensed under Section 22 of

the Banking Regulation Act of 1949.

They are required to identify customers, either through the establishment

of an account-based relationship or otherwise and monitor their

transactions in accordance with the provisions of the Prevention of

Money-Laundering Act, 2002 and the Prevention of Money-Laundering

(Maintenance of Records) Rules, 2005, as amended from time to time by

the Government of India as notified by the Government of India.

108
The Information Technology (Reasonable and Practices and Procedures and Sensitive Personal
Data or Information) Rules ,2011 Rule 3.

148
Legislation empowering the Reserve Bank in this respect, the Reserve

Bank of India, having determined that issuing the Directions mentioned

below is necessary and reasonable in the public interest, does so.

i. Secrecy Obligations and Sharing of Information:

a. Banks shall maintain secrecy regarding the customer

information arising from the contractual relationship between

the banker and the customer.

b. Information collected from customers to open an account shall

be treated as confidential, and details thereof shall not be

divulged for cross-selling or any other purpose without the

customer's express permission.

c. While considering the requests for data/information from the

Government and other agencies, banks shall satisfy themselves

that the information being sought is not of such a nature as will

violate the provisions of the laws relating to secrecy in the

banking transaction

d. The exceptions to the said rule shall be as follows:

e. Where disclosure is under compulsion of law

f. Where there is a duty to the public to disclose, the interest of the

bank requires disclosure and where the disclosure is made with

the express or implied consent of the customer.

149
 g. NBFCs shall maintain the confidentiality of information as

provided in Section 45NB of RBI Act 1934.109

ii. CDD Procedure and sharing KYC information with the Central

KYC Records Registry (CKYCR)110

a. The Government of India has authorised the Central Registry of

Securitisation Asset Reconstruction and Security Interest of

India (CERSAI) to act as and perform the CKYCR functions

vide Gazette Notification No. S.O. 3183(E) dated November 26,

2015.

b. Regarding the provision of Rule 9(1A) of PML Rules, the REs

shall capture the customer‘s KYC records and upload them onto

CKYCR within ten days of the commencement of an account-

based relationship with the customer.

c. CERSAI has released Operational Guidelines for uploading the

KYC data.

d. REs shall capture the KYC information for sharing with the

CKYCR in the manner mentioned in the Rules, as per the KYC

templates prepared for ‗Individuals‘ and ‗Legal Entities‘ (LEs),

as the case may be. The templates may be revised from time to

time, as may be required and released by CERSAI.

109
RBI/DBR/2015-16/18 Master Direction DBR.AML.BC.No.81/14.01.001/2015-16; regulation
no. 55.
110
RBI/DBR/2015-16/18 Master Direction DBR.AML.BC.No.81/14.01.001/2015-16; regulation
no. 9 and 10.

150
e. The ‗live run‘ of the CKYCR started on July 15, 2016, in a

phased manner beginning with new ‗individual accounts.

Accordingly, Scheduled Commercial Banks (SCBs) must

invariably upload the KYC data pertaining to all new personal

accounts opened on or after January 1, 2017, with CKYCR.

SCBs were initially allowed time up to February 1, 2017, for

uploading data in respect of accounts opened during January

2017.REs other than SCBs were required to start uploading the

KYC data about all new individual accounts opened on or after

April 1, 2017, with CKYCR regarding the provisions of the

Rules

f. REs shall upload KYC records pertaining to accounts of LEs

opened on or after April 1, 2021, with CKYCR in terms of the

provisions of the Rules ibid. The KYC records have to be

uploaded as per the LE Template released by CERSAI.

g. Once CKYCR generates a KYC Identifier, REs shall ensure that

the same is communicated to the individual/LE as the case may

be.

h. In order to ensure that all KYC records are incrementally

uploaded to CKYCR, REs shall upload/update the KYC data

about accounts of individual customers and LEs opened before

the dates mentioned above as per (e) and (f), respectively at the

time of periodic updation as specified in Section 38 of this

151
 Master Direction, or earlier, when the updated KYC information

is obtained/received from the customer.

i. REs shall ensure that during periodic updation, the customers

are migrated to the current CDD standard.

j. Where a customer, to establish an account-based relationship,

submits a KYC Identifier to a RE, with explicit consent to

download records from CKYCR, then such RE shall retrieve the

KYC records online from the CKYCR using the KYC Identifier,

and the customer shall not be required to submit the duplicate

KYC records or information or any other additional

identification documents or details, unless –

 There is a change in the information of the customer as

existing in the records of CKYCR;

 The current address of the customer is required to be

verified.

 The RE considers it necessary to verify the customer's

identity or address, perform enhanced due diligence, or

build an appropriate client risk profile.111

111
RBI/DBR/2015-16/18 Master Direction DBR.AML.BC.No.81/14.01.001/2015-16;regulation no.
56.

152
 4.2.2.3 Master Circular on Credit Card, Debit Card and Rupee

Denominated Co-Branded Pre-paid Card Operations of

Banks and Credit Card issuing NBFCs112

A set of rules, regulations, standards, and procedures has been developed

to guarantee that the banks and NBFCs that issue credit, debit, and

prepaid cards follow industry best practices. Banks should follow certain

principles and precautions to keep their card operations secure and user-

friendly.

i. Customer Confidentiality -:

a. The card issuing bank/NBFC should not reveal any information

relating to customers obtained at the time of opening the account

or giving the credit card to any other person or organisation

without obtaining their specific consent as regards the purpose/s

for which the information will be used and the organisations with

whom the information will be shared. The application form for a

credit card must explicitly provide for consent the same. Further,

in cases where the customer gives his support for the bank to share

the information with other agencies,

b. Banks should explicitly state and explain to the customer the

whole meaning/ implications of the disclosure clause. The

information being sought from customers should not be of such

nature as will violate the provisions of the laws relating to secrecy

112
RBI/2015-16/31 DBR.No.FSD.BC.18/24.01.009/2015-16.

153
 in the transactions. Banks/NBFCs would be solely responsible for

the correctness or otherwise of the data provided.113

ii. The disclosure to the DSAs/recovery agents should also be limited

to the extent that will enable them to discharge their duties.

Personal information provided by the cardholder but not required

for recovery purposes should not be released by the card issuing

bank/NBFC. The card issuing bank/NBFCs should ensure that the

DSAs/DMAs do not transfer or misuse any customer information

while marketing credit card products.114

4.2.2.4 Code of Bank’s Commitment to Customers January

2018115

To ensure safe and fair customer dealing in the event of banking in a

digital environment; to foster an honest and cordial relationship between

you and your bank; to encourage market forces, through competition, to

achieve higher operating standards; to increase transparency so you can

have a better understanding of what you can reasonably expect from us;

to promote good and fair banking practices by setting minimum standards

in our dealings with you.

The bank is required to handle any information that pertains to the clients

by the following rules and principles:

113
RBI/2015-16/31 DBR.No.FSD.BC.18/24.01.009/2015-16 regulation no. 9.1.
114
RBI/2015-16/31 DBR.No.FSD.BC.18/24.01.009/2015-16 regulation no. 9.2.
115
https://karnatakagraminbank.com/download-files/Code-of-Banks-Commitment-to-Customers-
January-2018.pdf (last visited on April 22, 2023).

154
 i. We will not reveal information or data relating to your accounts,

whether provided by you or otherwise, to anyone, including other

companies/entities in our group, other than in the following

exceptional cases:

Providing information to the Credit Information Companies (CICs) as

per the Credit Information Companies (Regulation) Act (CICA) about

loans, unsecured loans, credit cards, etc.

a. Giving the information required by law or by the banking

regulator.

b. Fulfilling a duty towards the public to reveal the information.

c. Our interests require us to give the information (for example,

to prevent fraud). Still, we will not use this as a reason for

giving information about you or your accounts (including

your name and address) to anyone else, including other

companies in our group, for marketing purposes.

d. You authorise us to reveal the information.

e. When required to give a banker's reference about you, we

will need, unless provided earlier, your written permission

before we give it.

ii. We will not use your personal information for marketing purposes

by anyone, including ourselves unless you authorise us to do so.

155
 iii. If we collect any information from you other than the KYC

requirement, we will order it separately and not as a part of the

account opening form. If we collect any additional information,

we will explain the purpose for which we collect this information

and take your specific consent.116

4.2.2.5 Master Circular on Customer Service in Banks117

This circular is made for notable changes in the delivery of the different

types of financial services by banks in India.

The scope of the secrecy law in India has generally followed the

common law principles based on implied contracts. The bankers'

obligation to maintain secrecy arises from the contractual relationship

between the banker and the customer. As such, no information should be

divulged to third parties except under well-defined circumstances. The

following exceptions to the said rule are typically accepted

i. Where disclosure is under compulsion of law

ii. Where there is the duty to the public to disclose

iii. Where the interest of the bank requires disclosure and

iv. Where the disclosure is made with the express or implied

consent of the customer.118

116
Chapter No. 5 Privacy and Confidentiality https://karnatakagraminbank.com/download-
files/Code-of-Banks-Commitment-to-Customers-January-2018.pdf (last visited on April 22,
2023).
117
RBI/2015-16/59 DBR No.Leg.BC. 21/09.07.006/2015-16.

156
 At the time of opening of accounts of the customers, banks collect certain

information. While complying with the above requirements, banks also

collect additional personal information.

In this connection, the Committee on Procedures and Performances Audit

on Public Services (CPPAPS) observed that the information collected

from the customer was being used for cross-selling services of various

products by banks, their subsidiaries and affiliates. Sometimes, such

information was also provided to other agencies. As banks are aware, the

information provided by the customer for KYC compliance while

opening an account is confidential and divulging any details thereof for

cross-selling or any other purpose would breach customer confidentiality

obligations.

Banks should treat the information collected from the customer for the

account opening as confidential and not divulge any details for cross-

selling or other purposes. Banks may, therefore, ensure that information

sought from the customer is relevant to the perceived risk, is not

intrusive, and conforms with the guidelines issued in this regard.

Wherever banks desire to collect information about the customer for a

purpose other than KYC requirements, it should not form part of the

account opening form. Such information may be ordered separately,

purely voluntarily, after explaining the objectives to the customer and

taking his express approval for the specific uses for such information.

118
Customer Confidentiality Obligations, available at RBI/2015-16/59 DBR No.Leg.BC.
21/09.07.006/2015-16 regulation no.25.

157
 Banks should, therefore, strictly instruct all branches to ensure

compliance with their obligations to the customer.119

Data protection is essential to expanding and developing the FinTech sector

worldwide, including India. To protect people's privacy, foster trust, and

reduce risks, the growing reliance of FinTech operations on data calls is a high

demand for solid data protection measures with respect to the FinTech

ecosystem.

4.3 Online Fraud

Fraud deliberately misrepresents facts to persuade someone to give up their

legal rights. This may involve telling a lie or withholding information.

Deception aims to mislead and persuade someone to act against their legal

interests.

When fraud is performed digitally with misrepresentation and other

components of fraud with technology, or when a person meets a fraudster

through technology.

The term has been defined/described as ―Fraud" means and includes any of the

following acts committed by a party to a contract, or with his connivance, or

by his agent, with intent to deceive another party to it of his agent or to induce

him to enter the contract: —

i. The suggestion, as a fact, of that which is not confirmed by one who

does not believe it to be accurate;

119
Regulation no. 25.1 Collecting Information from customers for cross-selling purposes, available
at RBI/2015-16/59 DBR No.Leg.BC. 21/09.07.006/2015-16.

158
 ii. The active concealment of a fact by one having knowledge or belief

of the fact;

iii. a promise made without any intention of performing it;

iv. any other act fitted to deceive;

v. any such act or omission as the law declares fraudulent.120

Explanation. —Mere silence as to facts likely to affect the willingness of a

person to enter into a contract is not fraud unless the circumstances of the

case are such that, regard being had to them, it is the duty of the person

keeping silence to speak 2, or unless his silence is, in itself, equivalent to

speech.

Fraud is deliberate misrepresentation or deceit to gain a financial or personal

advantage. To deceive, the act entails falsifying data, methods, or facts.

Financial, identity, insurance, credit card, investment, and pyramid scams are

all types of fraud.

Fraudulent actions include document forgery, misrepresentation, false

statements, money theft, and financial document manipulation. Fraudulent acts

aim to deceive others into accepting incorrect information, resulting in money

loss, reputation damage, or other harm. People, groups, or organisations may

commit fraud to defraud people, businesses, or governments.

To a similar extent, the term "Online Fraud" is a comprehensive label

encompassing both the fraudulent acquisition of financial resources and the

theft of personal identity when the same has been done with means of using

120
The Indian Contract Act, 1872 ( Act 9 of 1872) s. 17.

159
technology, or we can also say when there is misrepresentation conclusively

done by any medium of financial inclusion with the virtue of technological

interference.

The way we can protect ourselves from these trappers is, first and foremost,

our vigilance and not responding unnecessarily to any financial illusion of

earning more in a short period.

In the present technological financial inclusion, few scammers have been

marked. These are covered under the following heads:-

i. Phishing: Fraudsters pose as trustworthy entities through emails,

texts, or websites to get sensitive information, including

passwords, credit card numbers, and personal identity.

ii. Malware and Ransomware: Malware infiltrates and damages

computers. Ransomware encrypts data and demands payment to

decrypt it. Both use weaknesses to extract money.121

iii. Online Scams include auction, shopping, and advance fee fraud.

These entail misleading people into paying for fake goods or

services or misrepresenting products or investments to get

money or sensitive information.

iv. Identity theft happens when someone illegally uses another

person's personal information, such as their Social Security

121
Imtihal A. Saeed, Ali Selamat and Ali M.A. Abhugoub ―A Survey on Malware and Malware
Detection System‖ International Journal of Computer Application ( 2013).

160
 number, credit card data, or bank account information, to make

unauthorised transactions or access financial accounts.

v. Data breaches: Inadequate security measures allow unauthorised

access or disclosure of sensitive data. This data may be used for

identity theft, financial fraud, and other crimes.

vi. Social Engineering: Fraudsters use social engineering to access

systems or sensitive data. Deception may entail impersonation,

manipulation, or psychological manipulation. Firewalls,

encryption, strong authentication, and user awareness training

prevent and fight technological fraud. Organisations and people

should also update software, avoid dubious communications,

and be careful when providing personal information online.122

4.3.1 Legal Position

Fortunately, the legislation is positioned to secure FinTech industries from

the offenders they find new tempting ways to mislead and deceive the

person; some sought actions are available in the Penal Code and other

Information of Technology Act of 2000 and different prevalent sections in

other specific laws for the time being enforced. This researcher explained

FinTech's legal results, which do not directly affect FinTech but provide a

legal foundation for FinTech organisations to handle many criminal

behaviours and offences. For example, many laws prohibit online fraud.

122
Nayan Joshi , E-Crimes & Fraud (Kamal Publishers,New Delhi, 1st edn., 2019).

161
 4.3.1.1 The Indian Penal Code-1860

The Indian Penal Code 'IPC' does not have a very effective impression

on the office related to financial fraud, but it can be used for fraudulent

online activity. These rules can be implemented to prevent or punish

fraudulent behaviour.

When prosecuting cases involving fraudulent actions that are carried out

online, just one of these components may be used as evidence. It is also

possible that all of these components could be used as evidence. These

sections of the code address offences such as cheating, forgery, and

impersonation, among other similar transgressions.

i. "Cheating" occurs when a person fraudulently or dishonestly

induces another person to deliver the property to them, consent to

their retention of property, or do or omit something they would

not do or skip if not deceived, which damages or harms them in

body, mind, reputation, or property.123

ii. A person is said to be cheated by personation if he pretends to be

someone else, willfully substitutes one person for another, or

represents that he or another is someone else. Whether the person

impersonated is real or fictional, the offence is committed.124

iii. Forgery occurs when a person makes any false document or

electronic record or part of it or in electronic form with the intent

123
Indian Penal Code,1860,(Act 45 of 1860),s. 415.
124
Indian Penal Code,1860,(Act 45 of 1860),s. 416.

162
 to damage or injure the public or any person, support any claim or

title, drive any person to part with property, enter into any express

or implied contract, or commit fraud or that fraud may be

executed.125

iv. When someone signs, seals, executes, modifies, or attaches their

electronic signature to a document or electronic record with the

knowledge that it will lead others to believe that the paper, part of

the document, or electronic signature was made, signed, sealed,

executed, transmitted, or affixed by or with the authority of the

author of the paper, that person is said to have acted dishonestly or

fraudulently. or126

v. a person who makes changes to a document or electronic record in

any significant way after it has been made, executed, or affixed

with an electronic signature by another person, whether that other

person is alive or not at the time of the change, without legal

authority, dishonestly, fraudulently, or in any different manner;127

vi. a person who dishonestly or fraudulently causes any person to

sign, seal, execute or alter a document or an electronic record or to

affix his electronic signature on any electronic form knowing that

such person, because of unsoundness of mind or intoxication,

cannot, or that because of deception practised upon him, he does

125
Indian Penal Code,1860,(Act 45 of 1860),s.463.
126
Indian Penal Code,1860, (Act 45 of 1860),s. 464(I).
127
Indian Penal Code,1860, (Act 45 of 1860),s. 464 (II).

163
 not know the contents of the document or electronic record or the

nature of the alteration.128

vii. a person who dishonestly or fraudulently induces another person to

sign, seal, execute, or change a document or electronic record or

to attach his electronic signature to a paper or electronic form,

knowing that the other person is unable to do so due to

incapacitation or intoxication, or is unaware of the contents of the

document or electronic record due to deception practised on

him.129

viii. A person who intentionally forges a document or electronic record

intending to use it to cheat is punishable by imprisonment for a

period that may last up to seven years and a fine.130

The above-discussed provision of India's penal code is too concluded to

deal with physical fraud with limited access to electronic records, which

may have been effective earlier. Still, with the expansion of its services to

the Internet of Things, a significant distance needs to be covered by the

penal system.

4.3.1.2 The Securities and Exchange Board of India Act, 1992

After the Harshad Mehta Scam, the Government of India acknowledged

the loops in the security markets among various stock exchange

agencies. It enacted a board to safeguard investors' interests, advance the

128
Indian Penal Code,1860, (Act 45 of 1860),s. 464 (III).
129
Indian Penal Code,1860,(Act 45 of 1860),s. 467.
130
Indian Penal Code,1860,(Act 45 of 1860),s.468.

164
 growth of the securities market, oversee its regulation, and handle any

issues that may arise in connection with or incident to those goals.

The Board's responsibility is to safeguard the interests of investors in

securities, advance market development, and regulate the securities

industry using whatever means it deems appropriate. 131

i. Regulate the business in the stock market and other securities

in the market.

ii. To Register and regulate the stock broker sub-broker and

their working thereof

iii. To prohibit fraudulently, unfair trade practices in the

securities market and insider trading

iv. Regulating the substantial trading of shares 132

v. Calling information and relevant documents and examining

the same.

vi. Conducting the initiative to develop the security market.

With prejudice, boards have also been empowered to suspend any stock

exchanger that prohibited the sale and purchase of specific stocks and

others in enlightening the provision of the act of 1992.

Board to regulate or prohibit prospectus, offer document, or

advertisement seeking securities funds.

 For investor protection, the Board may: specify, by regulations,

131
The Securities and Exchange Board of India Act,1992 (Act of 15 of 1992) s.11.
132
The Securities and Exchange Board of India Act,1992 (Act of 15 of 1992) s.12A.

165
 a. the matters relating to the issue of capital, transfer of

securities, and other matters incidental to it; and

b. how the companies shall disclose such matters shall be

disclosed by the companies;

c. Prohibit any company from issuing a prospectus, offer

document, or advertisement soliciting money from the public

for the issue of securities, and specify the conditions under

which the companies shall disclose such matters. The Board

may define listing and transfer requirements and other related

things.133

Moreover, the board has noted that there has been no implementation of

a collective investment scheme or any corresponding arrangements that

conform to the provisions of this act.134

4.3.1.3 The Insurance Regulatory and Development Authority

Act, 1999

The Authority shall regulate, promote and ensure the orderly growth of

the insurance and reinsurance businesses. The powers and functions of

the Authority shall include —

i. issue to the applicant a certificate of registration, renew, modify,

withdraw, suspend or cancel such registration;

ii. protection of the interests of the policy-holders in matters

concerning assigning of policy, nomination by policy-holders,

133
The Securities and Exchange Board of India Act,1992 (Act of 15 of 1992) s.11A.
134
The Securities and Exchange Board of India Act,1992 (Act of 15 of 1992) s.11A.A.

166
 insurable interest, settlement of insurance claim, surrender value

of the policy and other terms and conditions of contracts of

insurance;

iii. specifying requisite qualifications, code of conduct and practical

training for intermediary or insurance intermediaries and agents;

iv. specifying the code of conduct for surveyors and loss assessors;

v. promoting efficiency in the conduct of the insurance business;

vi. promoting and regulating professional organisations connected

with the insurance and re-insurance business;

vii. levying fees and other charges for carrying out the purposes of

this Act;

viii. calling for information from, undertaking inspection of,

conducting enquiries and investigations including audit of the

insurers, intermediaries, insurance intermediaries and other

organisations connected with the insurance business;

ix. Control and regulation of the rates, advantages, terms and

conditions that insurers may offer in respect of general insurance

business not so controlled and regulated by the Tariff Advisory

Committee under section 64U of the Insurance Act, 1938 (4 of

1938);

x. specifying the form and manner in which books of account shall

be maintained and statement of accounts shall be rendered by

insurers and other insurance intermediaries;

xi. regulating investment of funds by insurance companies;

167
 xii. regulating the maintenance of the margin of solvency;

xiii. adjudication of disputes between insurers and intermediaries or

insurance intermediaries;

xiv. supervising the functioning of the Tariff Advisory Committee;

xv. specifying the percentage of premium income of the insurer to

finance schemes for promoting and regulating professional

organisations referred to in clause (f);

xvi. specifying the percentage of life insurance business and general

insurance business to be undertaken by the insurer in the rural or

social sector; and

xvii. exercising such other powers as may be prescribed.135

4.3.1.4 The Information Technology Act, 2000

The shifting phenomena of payment mechanisms have been reached to

digitally based gadgets, and to the same degree, unlawful access to this

financial information has been allowed. It encompasses hacking,

decrypting passwords, gaining illegal access to data, and inserting

malicious software into computer systems. 136

The Information Technology Act targets several kinds of fraud that may

occur online, including unauthorised access, identity theft, phishing, and

other fraudulent actions carried out electronically.

135
The Insurance Regulatory and Development Authority Act, 1999 (Act 41 of 1999) s.14.
136
The Information Technology Act (Act 21 of 2000) s.43.

168
 i. This pertains to the coverage of computer-related transgressions,

encompassing acts such as hacking, identity theft, and electronic

fraud.137

ii. When a person fraudulently or dishonestly uses another person's

electronic signature, password, or other unique identification

feature, they are subject to imprisonment of either description for

a term that may not exceed three years and a fine that may not

exceed one lakh rupees.138

iii. When a person or group defrauds by impersonating using a

communication device or computer resource, they are subject to

imprisonment of either type for up to three years and a fine of up

to one lakh rupees.139

The Amendment Act of 2009 was passed into law to minimise the

frequency of improper uses of information technology and attract

attention to such usage. Some sections were substituted, and more clarity

was made regarding the offence and their punishment. Both objectives

were intended to support the prosecution system in dealing with it.

4.3.1.5 Payment and Settlement Act, 2007

This act provides for the regulation and supervision of payment systems

in India. It designates the Reserve Bank of India as the authority for that

purpose and for issues connected with or incidental to the above-

137
The Information Technology Act (Act 21 of 2000) s.66.
138
The Information Technology Act (Act 21 of 2000) s.66C.
139
The Information Technology Act (Act 21 of 2000) s.66D.

169
 mentioned act and other purposes associated with or incidental to the

show as mentioned above.

i. Electronic funds transfer refers to transferring funds electronically,

whereby an individual initiates the transfer by providing

instructions, authorisation, or an order to a bank to debit or credit an

account maintained with that bank. This type of transfer

encompasses a variety of transactions, including point-of-sale

transfers, automated teller machine transactions, direct deposits or

withdrawals of funds, and transfers initiated through telephone,

Internet, and card payment methods. 140

ii. A person who issues a legal entity identifier or other unique

identification by whatever designation specified by the Reserve

Bank from time to time.141

iii. Legal entity identifier means a unique identity code assigned to a

person by an issuer for identification purposes in such derivatives or

financial transactions as may be specified by the Reserve Bank from

time to time.142

iv. Payment institution means any instrument, authorisation or order in

any form, including electronic means, to affect a payment.

A. From a person to a system participant

140
Payment of Settlement Act ,(Act 51 of 2007) S.2(c).
141
Payment of Settlement Act ,(Act 51 of 2007) S.2(da.)
142
Payment of Settlement Act,(Act 51 of 2007) S.2(db).

170
 B. From a system participant to another system participant.143

v. The Reserve Bank is also empowered to make directions for

payment shape and size; its timing to maintain by the payment

system, Banks' paper, electronic, or other money transfers. Such

additional standards to comply with the payment systems generally

also provide suggestions for improving performance.144

vi. A bank or system provider may not, directly or indirectly, levy a

fee on a person making or receiving a payment using electronic

modes of payment as specified in section 269SU of the Act,145

The said section of the Income Tax Act informs that every business

owner must prepare to adopt electronic payment methods outlined

in the regulations. In addition to the facility for any other electronic

mode of payment that this individual has previously provided to

consumers, these particular modes of income would also be

accessible. It is true even if the individual has already provided

consumers with one or more electronic payment options.146

vii. A system provider shall not disclose the existence or contents of any

document or part thereof or other information given to him by a

system participant, except as required by this Act, with the express

or implied consent of the system participant.147

143
Payment of Settlement Act ,(Act 51 of 2007) S.2(h).
144
Payment of Settlement Act, (Act 51 of 2007) S.10.
145
Income-Tax Act,1961(Act 43 of 1961) s.269 SU.
146
The Finance (No. 2) Act, (Act 2 of 2019), s.60.
147
Payment of Settlement Act, (Act 51 of 2007) s.12.

171
 viii. The act's design also guarantees the privacy of system providers,

who are forbidden from disclosing to third parties the existence or

contents of any document or portion of a document or any other

information provided to them by a system participant unless

specifically required to do so by the provisions of this Act, with the

express or implied consent of the system participant in question.148

ix. To prevent the operations of such a designated payment system

from being detrimental to the interests of its customers, the Reserve

Bank of India requires the system provider to maintain liquid assets

in the manner and form that it may specify from time to time in an

amount equal to such percentage of the amounts collected by the

system provider; deposit and keep deposited in a separate account or

accounts held in a scheduled commercial bank.149

x. The act further provides arbitration for the details within the system,

provides for settlement of disputes, and, along with residuary power

lies on the Reserve Bank, also provides a situation where the

Reserve Bank itself in disputes the central government come into o

picture to settle the disputes150

xi. The structure of Act also made the use the enforced the provision of

itself or the guideline and direction given by Reserve Bank under

this act or otherwise should be implanted whereby for such

148
Payment of Settlement Act, (Act 51 of 2007) s.22.
149
Payment of Settlement Act, (Act 51 of 2007) s.23A.
150
Payment of Settlement Act ,(Act 51 of 2007) s.24.

172
 complete assurance of same act also provided the penal provision

for its violators151

4.3.2 Policy Framework

Creating a robust policy framework for online fraud in the context of

FinTech is essential to be aware of while using financial credentials online.

Here's an outline of a comprehensive policy framework for combating online

fraud in FinTech. The policy framework pertaining to the same is specified

as follows:

4.3.2.1 Prepaid Payment Instrument152

Subsequently, in 2007, RBI supported digital payments to reduce cash use.

RBI promotes debit cards, credit cards, net banking, and prepaid payment

instruments. Prepaid Payment Instruments (PPIs) can be used to acquire

products and services. These devices hold cash, debit, or credit card

payments.

Prepaid cards include smart, magnetic strips, mobile, and paper vouchers.

Each has unique traits and words. Nature decides. PPI categories.

i. Closed-system payments: Corporate organisations issue these for

internal usage or with a contracted service provider. Cards cannot

be reloaded or cashed. Merchant gift certificates, calling cards, etc.

Even if they can be used for value-added services from the same

151
Payment of Settlement Act ,(Act 51 of 2007) Chapter.VII.
152
RBI/DPSS/2021-22/82 CO.DPSS.POLC.No.S-479/02.14.006/2021-22.

173
 provider, mobile pre-paid value or talk time may be closed-system

prepaid payment instruments.

ii. Semi-Closed System Payment Instruments: Issuer-contracted

merchants accept them. Third-party service providers offer these.

Any card-accepting merchant receives Semi-Open System Payment

Instruments. Reloadable but non-cashable. Reputable card issuers

issue bank gift cards.

iii. Open System Payment Instruments: ATMs and card-accepting

retailers. Recognised card issuers can manage bank-issued travel

cards.

4.3.2.2 Aadhar-based Payment System

Aadhar's crucial significance in the payment system The Unique

Identification Authority of India (UIDAI) issues the Aadhaar card, which

enables FinTech services in India. Aadhaar card facilitates FinTech.

FinTech organisations can remotely verify consumers' identities using

Aadhaar-based e-KYC processes—Streamlines user onboarding, making

opening financial accounts and using FinTech services easy.

AEPS uses Aadhaar authentication to enable financial transactions for

those without bank accounts. It lets people utilise their Aadhaar number

and biometric authentication (fingerprint or iris scan) to make cash

withdrawals, balance enquiries, and fund transfers at micro-ATMs or

Business Correspondent terminals.

174
 FinTech companies can integrate AEPS into their platforms to increase

financial inclusion and target disadvantaged groups. Welfare and subsidy

programmes are tied to Aadhaar.

FinTech companies can use Aadhaar authentication to directly transmit

benefits to individuals, eliminating intermediaries and lowering system

leakages. Through FinTech platforms, government subsidies, pensions, and

other welfare payments may be distributed efficiently and transparently.

The Unified Payments Interface (UPI) allows digital payments with

Aadhaar. Users can link their Aadhaar number to their bank accounts and

use it as a payment address for peer-to-peer or commercial payments.

Aadhaar-enabled payments are a straightforward and secure way to make

digital transactions, especially for those without smartphones or traditional

banking credentials.153

With the rapid advancements in technology, while technology has made

things faster and more accessible, it has also created new challenges or

vulnerabilities in the form of financial loss due to the increasing use of

technology in financial activities. Protecting and ensuring individuals' and

organizations‘ privacy, security, and legal rights in the rapidly evolving

FinTech landscape has become more challenging. FinTech has made

financial services more accessible and has brought about new risks and

complexities in ensuring the security and freedoms of individuals and

businesses in this digital financial world.

153
Aadhaar (Targeted delivery of Financial and other subsidies, benefits and Services) Act,2016
(Act 18 of 2016).

175
4.4 Digital Contract

This Indian Contract Act154 outlines the general principles that must be adhered

to for a contract to be valid and enforceable by law. Digital agreements save

money and help the environment by eliminating printing, transporting, and

keeping paper documents.

Digital contracts are utilised in numerous circumstances, including business,

employment, lease, sales, and many more; the legality and enforceability of

digital contracts may vary by country and local laws and regulations.

4.4.1 Legal Position

A digital contract plays an effective role in FinTech innovation. In this

regard comprehensive legislation is as follows

4.4.1.1 India Contract Act, 1872

When the formation of a contract involves the communication of

proposals, the acceptance of bids, the revocation of submissions and

acceptances, as the case may be, being expressed in electronic form or

utilising an electronic record, that contract shall not be deemed to be

unenforceable solely on the ground that such electronic form or means

was used to bring about the formation of the contract. Instead, the contract

will be found to be unenforceable on the sole basis of the fact that such an

154
The Indian Contract Act, 1872,(Act 9 of 1872).

176
 electronic form or method was employed to carry out the activity in

question.155

Electronic contracts allow entering into legally binding agreements for

business dealings conducted online. E-contracts serve as the foundation

for specifying the rights and obligations of the parties involved in any

transaction that takes place online, including purchasing goods or services,

subscribing to a digital service, and participating in an online auction.

The IT Act provides for the use of digital signatures to authenticate

electronic records and contracts. Digital signatures are regulated by the

Controller of Certifying Authorities (CCA) in India; for a digital contract

to be legally binding, there must be a clear offer and acceptance.

4.4.1.2 Indian Evidence Act, 1872

The Indian Evidence Act of 1872 played a pivotal role in the Indian legal

system by defining the rules and principles governing the presentation and

evaluation of evidence in court. Its significance lies in its contribution to

the fair and effective administration of justice in India.

The provisions of Section 65B of the Evidence Act delineate the specific

requirements and procedures for generating and preserving evidence in

electronic form. The section additionally outlines the criteria for

determining the acceptability of electronic records, including eSignatures

and digital documents, as evidentiary material in court proceedings.

155
The Information Technology Act (Act 21 of 2000) s.10A.

177
 This part also allows for the utilisation of electronic signatures admissible

as evidentiary material in a court of law. Electronic evidence encompasses

all information created, saved, and transmitted using electronic devices

with the aforementioned functionalities. Any data stored in a digital

format is regarded as a document.

A document is defined as information that is saved, copied, or recorded

electronically, on magnetic or optical media, or in printed form on paper.

All documents above are admissible as evidence without the requirement

of supplementary substantiation.

4.4.1.3 The Insurance Regulatory and Development Authority

of India, 1999

The authoritative entity tasked with regulating and governing the

insurance sector in India. However, the primary legislation does not

directly discuss digital contracts. The IRDAI has taken strong measures to

promote the adoption of digital technology within the insurance business.

The organisation has implemented measures to foster the adoption of

electronic paperwork and online transactions, encompassing the utilisation

of digital contracts. Furthermore, it enables insurers to provide

policyholders with electronic insurance policies, sometimes called e-

policies.156 The legal validity of these digital policies is equivalent to that

of traditional paper policies.

156
IRDAI, "Information and Cyber Security Guideline", April 2023.

178
In addition, The IRDAI has officially acknowledged using digital

signatures as a valid method for verifying the authenticity of digital

insurance contracts. This acknowledgement facilitates the implementation

of secure and legally enforceable digital transactions between insurance

companies and policyholders.

The regulatory body grants permission to insurance providers to distribute

insurance policies via online platforms and aggregators, facilitating the

ease of digital insurance purchases for customers. Digital contracts play a

crucial role in promoting the online distribution process.

While the Act does not explicitly address digital contracts, regulatory

bodies have responded to the demands of the digital era by providing

guidelines and regulations that facilitate electronic transactions, such as

digital insurance contracts.

The objective of these measures is to enhance the accessibility and

convenience of insurance services for consumers while simultaneously

safeguarding the rights and interests of policyholders within the digital

domain. To protect the interests of customers in digital insurance

transactions. These encompass regulations about the divulgence of policy

terms, the clarity of price information, and the establishment of channels

for addressing grievances. The IRDAI has made it compulsory for

insurance companies and intermediaries to adopt robust cybersecurity

protocols to safeguard digital contracts and client data against potential

cyber risks.

179
4.4.1.4 Information and Technology Act, 2000

The IT Act recognises electronic records and digital signatures as legally

valid. Section 4 of the IT Act states that where any law requires

information to be in writing or in the form of a document, such

requirement is deemed satisfied if such information is rendered or made

available in an electronic format.

Through the use of e-commerce, businesses can transcend geographical

borders and connect with clients all over the world. This worldwide reach

is made conceivable using electronic contracts, which provide a digital

foundation for conducting business with consumers residing in various

nations and legal systems.

After going through the other provisions of digital contracts, the

researcher has discovered that E-commerce and electronic contracts are

inextricably linked since electronic contracts are frequently relied upon

by e-commerce transactions to make online business activities more

efficient.

They contribute to establishing the legal terms and conditions that

regulate the sale of goods and services across international borders via

the Internet. In e-commerce, electronic contracts make it possible to

automate certain operations. Contracts can be automatically generated,

presented, and accepted through electronic systems, and this process can

be driven by either predetermined criteria or user interactions. Because of

180
 this automation, the transaction process is streamlined, which enables

sales to be completed more quickly and efficiently.

4.4.1.5 Consumer Protection Act, 2019

Given emerging facts and the circumstances in the digital era,

parliamentarians were supposed to amend the Consumer Protection Act

of 1986 as per the requirement of the present time; they enforced the

Consumer Protection Act of 2019 and then its rules, namely the

Consumer Protection Rules (E-Commerce) of 2020 where in acted.

Further, E-commerce platforms frequently include terms and conditions

that govern the use of their services. These terms and conditions may

consist of the rights and obligations of users, privacy policies, refund

policies, dispute resolution methods, and other rules and procedures.

Formerly, consumers engage in online transactions; they must read and

accept the terms and conditions often offered in electronic contracts.

4.4.2 Policy Framework

Creating a robust policy framework for digital contracts in the context of

FinTech, with more collaborative and accurately to in a manner. The policy

framework pertaining to the same is specified as follows:

Liability of a Customer

In light of the recent increase in the number of customer complaints

regarding unauthorised transactions that resulted in debits to their accounts

or cards, as well as the increased emphasis that is being placed on IT-

181
 enabled financial inclusion and related customer protection issues, the

criteria that are used to determine the customer's liability in these kinds of

situations have been reviewed. 157

The review was carried out in light of the increased emphasis that is being

placed on IT-enabled financial inclusion and related customer protection

issues. Customers who keep their cell phone numbers private from the bank

run the risk of the bank being unable to give the capability of conducting

electronic transactions in any form other than cash withdrawals at ATMs.

This risk is incurred because customers who keep their cell phone numbers

private run the risk of the bank being unable to provide the capability of

conducting electronic transactions. As soon as a customer reports an

unauthorised transaction, the bank is expected to take quick action to

prevent any other unauthorised transactions from occurring in the customer's

account. This obligation begins as soon as the customer reports the

unauthorised transaction. This is done to protect the customer from suffering

any monetary loss.

Zero Liability of a Customer 158

157
RBI/2017-18/109 DCBR.BPD. (PCB/RCB).Cir.No.06/12.05.001/2017-18.
158
RBI/2017-18/109 DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18;Rule 6.

182
 When an unauthorised transaction takes place as a result of any of the

following events, the customer has the right to have their obligation reduced

to zero:

Contributory fraud, negligence, or shortcomings on the part of the bank

(regardless of whether or not the customer reported the transaction).

Third-party breach refers to a situation in which the shortcoming does not

rest with the bank nor with the customer but exists somewhere in the

system, and the client tells the bank of the breach within three business days

of receiving notice from the bank regarding an illegal transaction.

Limited Liability of a Customer 159

In the following circumstances, one is responsible for the loss that occurs as

a result of transactions that were not authorised:

In situations where the loss was caused by negligence on the part of a

customer, such as when the customer shared the payment credentials, the

client is responsible for bearing the entirety of the loss until the consumer

notifies the bank of the unauthorised transaction. The bank is responsible for

covering any losses arising from the unapproved transaction after it has been

reported.

In situations where neither the bank nor the customer is responsible for an

unauthorised electronic banking transaction, the responsibility lies

elsewhere in the system. The customer notifies the bank of such a

159
RBI/2017-18/109 DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18;Rule 7.

183
 transaction within four to seven working days of receiving a communication

of the transaction; the customer's per-transaction liability shall be limited to

the value of the transaction, provided that the customer notifies the bank of

such a transaction within those time frames.

It was seen that whether it was fraud or transaction failure, only ones used

their vigilance to secure their money and otherwise.

The ultimate object of the digital Contract is to provide the formation of a

contract within a shorter period between two parties sitting at two different

places. Now, FinTech applies at a global level, so they both are

complimentary to each other in the legal paradigm.

4.5 Money Laundering.

Money laundering involves legalising unlawful funds. Black money isn't taxed

because it's unaccounted for. Money laundering conceals illicit funds.

"Money laundering" is attributed to Al Capone. Capone used launderettes

across the city to hide his illegal wine sales during Prohibition. Indians call

"money laundering" Hawala transactions. Money laundering involves

legalising unlawful funds. Money laundering conceals illicit funds.

Money laundering involves investing money such that even investigators

cannot find its origins. The "launderer" manipulates this money. The legitimate

money holder receives the black money invested in capital markets or other

activities.

184
Recognising that money laundering from illicit trafficking in narcotic drugs

and psychotropic substances, as well as other serious crimes, has expanded

internationally to become a global threat to the integrity, reliability, and

stability of financial and trade systems and even government structures, the

international community must take countermeasures to deny criminals and

their illicit proceeds safe-havens.

Recognising the need to promote and create effective ways for pursuing,

freezing, seizing, and confiscating illicitly obtained property to deter criminal.

Recognising that only international collaboration and the construction of

bilateral and multilateral information networks like the Egmont Group, which

allow States to exchange information between competent authorities, will

successfully combat money laundering.

Highlighting many States' efforts to create and implement money-laundering

laws.

Realising that all States must make progress in complying with the relevant

recommendations and actively participate in international and regional actions

to establish and strengthen effective money-laundering measures.

All States must apply the following constitutional principles to implement the

money-laundering provisions of the 1988 UN Convention against Illicit

Trafficking in Narcotic Drugs and Psychotropic Substances and other relevant

international instruments. Criminalising the laundering of money from serious

offences to prevent, detect, investigate, and prosecute money laundering

through, among other things:

185
 i. Criminal proceeds identification, freezing, seizure, and

confiscation;

ii. International money-laundering cooperation and legal aid;

iii. Including money laundering in mutual legal aid agreements for

investigations, court cases, and judicial proceedings;

iv. Establishing an effective financial and regulatory regime to deny

criminals and their illicit funds access to national and international

economic systems, safeguarding financial system integrity and

ensuring money-laundering rules and regulations through:

v. "Know your customer" regulations to furnish responsible

authorities with client identities and financial transactions

vi. Financial records;

vii. Mandatory suspicious activity reporting;

viii. Removing bank secrecy hurdles to money-laundering prevention,

investigation, and punishment;

ix. Similar measurements;

x. Law enforcement to enable:

xi. Money-laundering detection, investigation, prosecution, and

conviction;

xii. Extradition

xiii. Information-sharing systems.

186
 4.5.1 Legal Position

Combating money laundering is an essential element for the economic

growth of any country in this manner legislature enactment plays a vital

role, In this regard comprehensive legislation is as follows

The Prevention of Money Laundering Act, 2002

With part of the declaration, our country also enacted the purview of the

same, wherefore the act of 2002 has come into existence, whereby The

Enforcement Directorate (ED) has been established to implement and

combat money laundering and illegitimate transactions of money. ED is in

a similar want of supply chain of money and has also recognised to combat

and accept the flow of advancement of technology in the finance system.

Thus, as technology advances and finance are handled digitally, it was

never intended that money laundering could be possible digitally.

4.5.2 Policy Framework

Money laundering policies are substantive to back the enactment of the

legislature In this regard policies are as follows

Directions for opening and operation of Accounts and settlement of

payments for electronic payment transactions involving

intermediaries160

The Reserve Bank of India has been issued this direction for considering

the country increasingly uses electronic/online payment methods to pay

160
RBI/2009-10/231 DPSS.CO.PD.No.1102 /02.14.08/ 2009-10; dated 24th November 2009.

187
 merchants for goods and services, such as bill payments and online

shopping. Aggregators and payment gateway service providers help banks

and prepaid payment instrument issuers facilitate clients' electronic

payments to retailers. E-commerce and m-commerce platforms have also

become facilitators for such payments.

Most existing arrangements involving intermediaries credit customer

payments for e-commerce/m-commerce/bill payment transactions to their

accounts before transferring the funds to merchant accounts to settle

customer obligations. Any delay in intermediaries transferring funds to

merchant accounts harms customers, merchants, and the payment system.

To protect customers' interests and ensure that their payments are

adequately accounted for by intermediaries and remitted to merchants who

deliver products and services without delay.

All FinTech operations revolve around money transactions, so there is a

high probability of transactions of illegitimate proceeds through FinTech.

In this situation, it is highly imperative to adopt certain filter legal

mechanisms which be able to prevent of transaction funds.

4.6 New Emerging Facets of FinTech

There are now around 7300 startups operating in the financial technology

sector in India, making it the third largest industry in the world after the United

States and the United Kingdom. The Indian FinTech ecosystem is present with

challenges amid exemplary success. These challenges include data security and

188
privacy threats, a scarcity of financial literacy, underperformance of initial

public offerings (IPOs), global geopolitical and macroeconomic events, and

the pace at which regulations change.

However, several assessments suggest that the enormous benefits presented by

FinTech significantly outweigh the obstacles in their scope.

The government and its relevant regulators, with their supportive actions and

expansion of the financial technology sector in India, can be attributed to

several factors.

4.6.1 Proposed Changes in Law Related to FinTech161

The Payment and Settlement Act 2007 was the first law designed to regulate

and supervise India's payment systems. It granted the Reserve Bank of India

the authority to establish a Board to handle the payments sector. It also found

the legal basis for the fundamental characteristics of a payment system

framework, namely netting and settlement finality.

FinTech's expansion has enabled non-banks to play an essential role in

payments. This, coupled with the government's initiative to promote the

development of digital payments, led to a comprehensive review of the

payments sector's vision to encourage access and competition in the

payments industry.

161
Government of India ,Report on Inter-Ministerial Committee for Finalisation of Amendments of
the PSS Act, 2007(Ministry of Finance, August 2018).

189
 A committee composed of Government and Reserve Bank officials assessed

the recommendations of the Committee on Digital Payments in the context of

the PSS Act and drafted a new bill to replace the existing statute.

The revised Bill aims to promote competition, consumer protection, systemic

stability, and resilience in the payment sector, establish an independent

Payment Regulatory Board (PRB) to regulate the payment sector, including

non-banks as significant players in the payments ecosystem, and consolidate

and amend the payment law.

4.6.1.1 The Payment and Settlement System Bill, 2018

The payment system has been updated to account for the fact that we are in

the age of a technologically advanced era, and the new bill of 2018 being

considered for passage has been designed and drafted accordingly. The bill

has 12 chapters divided into 12 parts, totalling 13 chapters, including two

schedules.

It has a separate controlling agency, the Payment Regulatory Board 162, for

the paramount consideration of the object and work conferred in the

proposed bill.

The bill provides regulation for the payments industry through the

Payments Regulatory Board. The Payments Regulatory Board shall balance

162
Payment and Settlement System Bill, 2018,s.3.

190
 the following goals163 when issuing regulations and instructions under said

Bill.

i. protect consumer payment safety and confidence;

ii. systemic resilience and risk control;

iii. Competition and innovation should be enabled with participants

among the payment systems;

iv. Interoperability among system participants and payment systems;

payments systems and payment services to be developed and

operated in a way that promotes ease of use

v. Improve the quality, efficiency, and economy of payment systems

and payment services.

The draft of the proposed bill was prepared with careful consideration and

the influential role of PRB in mind, and it also extends to the change of the

existing law.

4.6.1.2 Prepaid Payment Instrument 164

The foremost objectives behind framing these directions are understood as

follows: -

The authorisation, regulation, and oversight of businesses that issue and

operate PPIs within the country. This will be accomplished by establishing

a framework. This direction aims to promote healthy competition and

163
Payment and Settlement System Bill, 2018 ,s.4.
164
RBI/DPSS/2021-22/82 CO.DPSS.POLC.No.S-479/02.14.006/2021-22.

191
inventiveness in this industry cautiously, considering the safety and

security of systems and transactions, as well as the protection of customers

and the convenience of their experience. This initiative aims to promote

healthy competition and inventiveness in this industry. To achieve a unified

strategy for PPIs and to ensure that these strategies are compatible with one

another.

PPIs for international outward transactions Full-KYC PPIs issued by banks

with AD-I licences may be used in cross-border outbound transactions

(only for permissible current account transactions under FEMA, such as

purchasing goods and services) if they comply with current regulations.

PPIs are not used for outbound fund transfers or Liberalised Remittances

Scheme (LRS) payments. Prefunding of online merchant's accounts shall

not be permitted using such Rupee-denominated PPIs. PPI issuer shall

enable the facility of cross-border outward transactions only on explicit

request of PPI holders and shall apply a per transaction limit not exceeding

Rs.10,000/-, while per month limit shall not exceed Rs.50,000/- for such

cross-border transactions; if such PPIs are issued in card form, they shall be

EMV Chip and PIN compliant.

Bank and non-bank PPI issuers, appointed as Indian agents of authorised

overseas principals, shall be permitted to issue full-KYC PPIs to

beneficiaries of inward remittances under RBI's Money Transfer Services

Scheme (MTSS) by the MTSS Guidelines issued by RBI's Foreign

Exchange Department (FED); Loading or reloading full-KYC PPIs given

to beneficiaries is limited to Rs.50,000 from individual inward MTSS

192
 remittances. The beneficiary's bank account would receive amounts over

Rs.50,000. PPI issuers' obligations and responsibilities are distinct from

those of Indian Agents under MTSS, and such PPIs cannot be issued as a

separate category of PPI.

This Master Direction does not apply to entities permitted under FEMA to

issue foreign exchange-denominated PPIs. Those entities are exempt from

the requirements of this Master Direction.

Interoperability is the technical compatibility that enables a payment

system to be used with other payment systems.165

PPI issuers must follow NPCI and card network technical specifications,

norms, and requirements to make their products compatible with the

Unified Payments Interface (UPI) and other payment systems. PPI issuers

must additionally make their products UPI-compatible. PPI issuers should

find it easier to join UPI and card networks since the NPCI and card

networks handle this.

PPI issuers must take on the responsibilities of Payment System Providers

(PSP) under the Unified Payments Interface. The NPCI must award a

handle to the PPI issuer in compliance with its regulations and standards

while also considering any relevant risk management factors. Since the

*99# USSD is incorporated into the UPI, non-bank PPI issuers can also

participate in the transaction.166

165
RBI/DPSS/2021-22/82 CO.DPSS.POLC.No.S-479/02.14.006/2021-22;Rule 11.1.
166
RBI/DPSS/2021-22/82 CO.DPSS.POLC.No.S-479/02.14.006/2021-22;Rule 11.4.

193
 PPI policyholders are only entitled to enlist in UPI if their individual PPI

issuers opt to do so on their behalf. However, policyholders can enrol if

their issuers register them on their behalf. PPI issuers can only link

customer wallets to the handle issued as the sole acceptable method. It is

against the law for PPI issuers to function in the capacity of PSPs and

accept customers from any banks or other PPI issuers.

This conduct is illegal since PPI issuers cannot legally act as PSPs. The

individual who possesses the PPI is the one who is responsible for

confirming oneself by making use of the credentials that have previously

been established for their wallet.

This responsibility falls on the individual who owns the PPI. In other

words, a transaction will be pre-approved before it is sent to the UPI to be

processed once it has been sent for processing.

4.7 Judicial Approach towards FinTech Evolution

India's judicial approach to FinTech is evolving, with Hon‘ble Courts

addressing various legal and regulatory issues arising from the rapidly growing

FinTech sector. Courts have been keen on ensuring FinTech companies adhere

to existing financial regulations and licensing requirements. They have uprise

the importance of various issues pertaining to FinTech for activities like

payments, lending, fraud, and money laundering.

194
The growth of digital payment platforms in India has led to various legal

issues, including transactions, fraud, and cybersecurity disputes. Courts have

played a role in resolving such disputes and ensuring consumer protection.

The enforcement of contracts related to FinTech services, including digital

lending and payment agreements, has been a critical area of judicial review.

Courts have to seek a balance between the rights and responsibilities of both

parties in these contracts.

1. Internet And Mobile Association of India Case167

Background

Since 2016, the Reserve Bank of India (RBI) has issued numerous warnings

about dealing with any form of transactions in cryptocurrencies, the most

recent being on February 1, 2017. In response to this news, the Government of

India's Ministry of Finance established an Interdisciplinary Committee in April

2017 with the Special Secretary for Economic Affairs and representatives from

the Departments of Economic Affairs, Financial Services, Revenue, Home

Affairs, Electronics and Information Technology, the Reserve Bank of India,

the National Institution for Transforming India (NITI Aayog).168

On April 5, 2018, in the exercise of its powers under Sections 35A read with

Section 36(1) and Section 56 of the Banking Regulation Act, 1949, Sections

45J and 45L of the Reserve Bank of India Act, 1934, and Sections 10(2) read

167
Writ Petition (Civil) No.528 of 2018.
168
Paridhi Sharma & Harsha Bhalse, Notes on Banking Law, (Amar Law Publication, Indore, 1st
edn.,2023).

195
with Section 18 of the Payment and Settlement System Act, 169 the Reserve

Bank of India took the following action: revokes the license of two banks for

failing to comply with the provisions of the Banking Regulation Act, 1949.

RBI issued a circular instructing the entities regulated by RBI to (i) strengthen

regulation and supervision, (ii) build and deepen financial markets, (ii) broaden

and deepen financial markets, (iii) improve currency management, (iv)

promote financial inclusion and literacy and (v) facilitating data management

not to deal in virtual currencies nor to provide services for facilitating any such

dealing.

Facts of the Case

The Central Bank of India issued a Statement on Growth and Regulation

Policy in April 2018. Which Ordered the RBI-authorized entities (1) not to

deal with or offer services to any individual or business entity dealing with or

settling virtual currency and (2) to terminate any existing relationship with

such individuals/business entities.

The petitioner170 in the first writ petition is a specialised industry body known

as ‗The Internet and Mobile Association of India‘, which represents the

interests of the online and digital services industry, challenges the said circular

where it was challenged that RBI lacks the authority to prohibit the trading of

virtual currencies on VC exchanges for the following reasons:

169
The Payment and Settlement Systems Act, 2007 (Act 31 of 2007).
170
Writ Petition (Civil) No.528 of 2018.

196
 i. Virtual currencies are commodities/digital products, not legal

tender.

ii. RBI can use the Preamble to the RBI Act of 1934 to administer the

country's currency and credit system to its benefit because virtual

currencies are not part of the credit system.

iii. Section 45JA's171power to regulate the country's financial system to

its advantage and Section 45L's172 power to regulate its credit

system, exercisable in the public interest and upon satisfaction, need

to be more elastic to include goods outside the financial and credit

systems.

iv. Section 35A(1)(a) of the Banking Regulation Act, 1949 grants the

power to make directions "in the public interest," and Section 36(1)

grants the ability to caution or prohibit banking organisations from

entering a transaction.

 do not apply blanket directions that would deny virtual

currency exchanges access to the country's banking services,

as the term "public interest" does not include the denial of

such access.

v. The Reserve Bank of India's authority under Section 10(2) of the

Payment and Settlement Systems Act, 2007, to issue guidelines for

the proper and efficient management of payment systems and under

171
The Reserve Bank of India Act 1934 (Act 2 of 1934).
172
The Reserve Bank of India Act,1934 (Act 2 of 1934).

197
 Section 18 of the same Act to lay down policies relating to payment

system regulation and to issue directions about payment system

business, exercisable in the public interest when satisfied, does not

apply to virtual currency.

RBI Stand

With the reply to the argument, RBI conferred the status and criteria to

acknowledge a currency. It may be used for illegal activities and further

countered the Virtual Currency Exchange by obeying much lower KYC

standards than other payment and monetary system players.

KYC standards fail because VC anonymity remains.VC trade's cross-border

character and lack of accountability could affect RBI's regulated payments

system. A significant part of the VC industry is not a member of the Petitioner

Association or accountable for its actions, but it drives the industry.

RBI or any other government agency cannot limit, regulate, or control VC

formation or transactions, leading to ongoing financial concerns.

Analysis by Hon’ble Supreme Court

From analysing the advance argument and affirmation of parties, the Hon‘ble

Supreme Court explores the provisions of The Reserve Bank of India Act,1934

and the Banking Regulation Act, 1949, along with the Payment Settlement

Act, 2007.

198
Thus, the RBI Act 1934, the Banking Regulation Act 1949 and the Payment

and Settlement Systems Act 2007 cumulatively recognise and confer vast

powers upon RBI

i. to operate the currency and credit system of the country to its

advantage.

ii. to take over the management of the currency from the central

government

iii. to have the sole right to make and issue bank notes that would

constitute legal tender at any place in India

iv. regulate the financial system of the country to its advantage

v. to have a say in the determination of inflation targets in terms of the

consumer price index

vi. to have complete control over banking companies

vii. to regulate and supervise the payment systems.

viii. to prescribe standards and guidelines for the proper and efficient

management of the payment systems

ix. to issue directions to a payment system or a system participant who,

in RBI‘s opinion, is engaging in any act that is likely to result in

systemic risk being inadequately controlled or is expected to affect

the payment system, the monetary policy or the credit policy of the

country and

x. to issue directions to system providers, system participants, or any

other person generally, to regulate the payment systems or in the

199
 interest of management or operation of any payment systems or the

public interest.‖

Having noted the role of RBI as a central bank in the country's economy, the

functions entrusted to them and the powers conferred upon them under various

statutes, let us undertake the exercise of fixing the identity of virtual

currencies.

Hon’ble Supreme Court Observation

From the observation mentioned above made by the Hon‘ble Supreme Court, it

was seen that RBI, being the monetary control and regulator, must be done in

the provision of the above-discussed enactment; however, to a similar extent,

the Hon‘ble Court left to provide observation over the payment system, which

is also another relevant issue in the present time.

The same case extended in the case of the Indian Hotel and Restaurant

Associations 173
Supreme Court also observed that ―there must have been at

least some empirical data about the degree of harm suffered by the regulated

entities (after establishing that they were harmed). It is not the case of RBI that

any of the entities regulated by it has suffered because of the provision of

banking services to the online platforms running VC exchanges.‖

The Reserve Bank of India (RBI) has extensive authority due to its unique

position in the Indian economy and the statutory scheme of the three acts listed

above. Preventative and restorative measures are both within the scope of these

173
State of Maharashtra v. Indian Hotel and Restaurants Association (2013) 8 SCC 519.

200
abilities. Yet, the potential for power to be exercised in each situation differs

from its actual availability.

2. Dr. R Pavithra's Case174

Background

In this case, the Hon‘ble Madras High Court had discussed another aspect of

FinTech, i.e. Fraud with the misuse of FinTech operating payment company,

and the victim was, in this case, Dr R Pavithra,175 In a writ petition filed

praying to issue an interim direction directing the City Union Bank to

immediately credit a sum of Rs. 3 lakhs, being the sum unlawfully and

authorised siphoned off from the account of the petitioner using Paytm. R.N.

Manjula, J. said that the petitioner did no fraudulent actions. Still, the third

parties did the violations, and Paytm failed to resolve the dispute within 90

days and has yet to come up with any concrete structure regarding how the loss

suffered will be compensated. Further, it needed to prove how the customer

was liable. Thus, the Court held that Paytm is responsible for making out the

loss suffered by the petitioner.

Facts of the Case

The petitioner was a resident doctor at a Medical College. She was being paid

a stipend of Rs. 25,000/- per month by the Medical College, and the amount

was credited to her bank account with the City Union Bank (‗Bank‘). Out of

the said earnings, she had saved a sum of Rs. 3,20,000/- and was planning to

174
WP ( Cri) 6789 of 2021.
175
Dr R Pavithra v. Police Commissioner and oOrs. ,WP( Cri) 6789 of 2021.

201
utilise the same to meet her final year fees. On 09-02-2021, an attempt was

made by some miscreant to hack into her savings account, bearing with the

Bank. The said fact was known to her through an SMS alert. She noticed the

said message only on 11-02-2021.

She immediately sent a message to the Bank asking them to block the account.

She was under the impression that the report had been barred the further

unauthorised transactions in her account under her request. Once again, on 13-

02-2021, she received another SMS informing her of an attempt to break into

her savings account.

The petitioner sent another message to the bank along with her registered

mobile number, requesting the bank to block her account.

On 15-02-2021, she received an SMS informing her that someone had hacked

into her account. Within a few minutes, there was an unauthorised debit from

her performance at different intervals of 3 lakhs by making successive

transactions using the Paytm application. The miscreants had hacked into her

account and stolen her money.

The petitioner called the bank and asked them to block her account. However,

her money had been illegally siphoned off; no OTP for withdrawal had been

received on her mobile phone, and she had yet to share her bank details or

personal details with anyone. She received the information from the Bank that

her money had been transferred fraudulently to the Paytm account.

Immediately, she called Paytm and registered a complaint.

202
The RBI had issued a circular dated 04-01-2019, which applies to all

authorised non-bank payment transactions through Prepaid Payment

Instruments (‗PPIs‘) issuers for customer protection/limiting the liability of

customers in unauthorised electronic PPI issued by authorised non-bank.

Paragraph 6(b) of the said circular states the customer‘s limited liability in

cases of a third-party breach where the deficiency lies neither with the PPI

issuer nor with the customer but elsewhere in the system and the customer

notifies the PPI issuer or the Bank regarding the unauthorised payment

transaction.

In the same circular, it is stated that the burden of proving customer liability in

cases of unauthorised electronic payment transactions shall lie on the PPI

issuer. Further, RBI issued another circular dated 06-07-2017 bearing

No.RBI/2017-18/15, applicable to all Scheduled Commercial Banks (including

RPBs), all Small Finance Banks and Payments for Customer Protection/

Limiting Liability of Customers in unauthorised electronic banking

transactions. Under paragraphs Nos. 6 and 7 of the above circulars, the bank is

liable in cases where the responsibility for unauthorised electronic banking

transactions lies neither with the bank nor the customer but elsewhere in the

system. According to Paragraph No. 12 of the circular, the burden of proving

the customer‘s liability in case of unauthorised electronic banking transactions

shall lie with the bank.

203
Analysis of Hon’ble High Court

The Hon‘ble Court said that even though the public is encouraged to use

payment banks such as Paytm, Google Pay, Amazon Pay, etc., the customer is

made to run from pillar to post if affected due to any third-party violations or

fraudulent intervention.

The Court was surprised that even when the RBI has issued detailed master

directions for both banks and Prepaid Payment Instruments (‗PPI‘), every

institution blames the other. No one has come up with a concrete idea as to

who has to bear the loss suffered by the petitioner for none of her mistakes.

The Court noted that some miscreants attempted to access the petitioner‘s

account with the City Union Bank through the Paytm app from 09-02-2021.

The City Union Bank had alerted the petitioner by sending an SMS that

someone accessed her account. The petitioner noticed the message on 11-02-

2021, and she sent an SMS to block her account. But it was unsuccessful. The

fraudulent attempts continued, and things went beyond the control of the

petitioners and the banker.

The Bank contended that their liability ends with alerting the customer, and

they could not block her account because the SMS was not sent correctly. The

petitioner omitted to call the branch directly to see that her performance was

blocked. The Court said that given the various online mechanisms provided by

the banks for almost all banking services, no one goes to the branch physically

to make any complaint.

204
So, it is not a surprise that the petitioner did not make any direct contact with

the bank and that she followed scrupulously how she was instructed in the alert

SMS. The Court noted that the status report stated that the fraudsters have

managed to access the app by being in some other states, like Bihar.

Further, the petitioner had not revealed the details of her PIN Number or

additional information to the fraudsters knowingly or unknowingly. It also

noted that as per the records, it is clear that the access was done through a

payment bank named Paytm. The Court found the counter affidavit of the RBI

diplomatic to the extent that the RBI did not pinpoint either the Bank or Paytm

to be liable to compensate the petitioner.

The RBI guidelines are customer-friendly, and if the customer reports

fraudulent transactions within three days of the occurrence, as per the

guidelines, there is ‗zero liability‘ fixed on the customer. The above position is

similar for banks and Prepaid Payment Instruments, except they were through

different circulars. Since the transaction was not done through net banking

sites but through a payment bank application named ‗Paytm‘, it has to be seen

whether the banker or the payment banker is liable.

The Court noted that the customer's liability is fixed at Rs. 10,000/- per

transaction if the complaint has been made within 4 to 7 days, and if beyond

seven days, it is as per the policy of the prepaid payment instrument issuer. In

this case, the petitioner had given her complaint to her banker immediately

after the transaction.

205
It cannot be claimed by Paytm that the petitioner ought to have given her

complaint to Paytm instead of the Bank, as she did not know how the fraud

was committed. Further, the Bank has communicated with Paytm about the

fraudsters‘ activity.

So, it cannot be said that Paytm was unaware of the fraud because the

customer complained directly to her bank. Further, the Court rejected Paytm‘s

contention that the payment bank is a private corporation and not a government

institution; hence, it cannot be subjected to the jurisdiction of this Court.

Observation of the Hon’ble Court

The Court said the liability is on Paytm, not the Bank. However, as it cannot

give a straightaway direction against a private body like Paytm, the Court

moulded the relief and advised the RBI to act against Paytm for violating its

guidelines.

The Court further said that per the RBI guidelines, the non-bank PPI issuers

should ensure that a complaint is resolved and the customer's liability is

established within the stated time, not exceeding 90 days. But Paytm has not

come forward to take cognisance of the grievances suffered by the petitioner,

who used Paytm banking services.

Further, suppose the PPI issuer is unable to resolve the complaint and

determine the customer‘s liability within 90 days. In that case, the amount as

prescribed under RBI guidelines shall be paid to the customer irrespective of

whether the negligence is on the part of the customer or otherwise. Thus, the

206
Court directed RBI to issue directions to Paytm to compensate for the loss

suffered by the petitioner.

3. M/s Inditrade Fincorp Limited Case 176

Background

In another case of M/s Inditrade Fincorp Limited,177 the High Court of

Telangana observes the seriousness of instant online loan apps and explores

the contravention of online loan applications with China‘s back investment and

how this application trapped the individuals with tamping views and offers,

many of them get indulged in it and has to refund around 150 to 450 percents

over the principal amount.

The Facts of the Case

A series of FIR has been logged in online loan applications for fraud and

mental harassment and abuse to informants and their relatives and family

members in panic states.

In the first FIR of one M.Suman Kumar lodged a complaint on 18.12.2020 to

3rd respondent-the Cyber Crime Police, Hyderabad. The complainant stated

that he is a businessman. He has availed a loan of Rs.70,000/- from Instant

Loan Apps and repaid some of the amounts to them through online payment.

Due to the lockdown imposed due to the COVID-19 pandemic situation, he

could not repay the loan in time.

176
W. P. No.25172 OF 2022 (GM – RES).
177
M/S. Inditrade Fincorp Ltd. v. Union of India and Ors.,W. P. No.25172 OF 2022 (GM – RES).

207
For the last two days, he has received several calls from Mobile Nos to his

mobile number, demanding amounts and abusing him in the filthiest language.

They are putting his family members and relatives in a panic situation by using

abusive language and threatening them.

He has also stated that he has seen a news article covering one person who

committed suicide due to harassment in a similar situation. Hence, he

requested the police to act against those who harassed him in the above-said

manner.

Considering the above, the FIR has been lodged u/s 506 of IPC and 67 of the

IT Act.

Similarly, the second FIR, one M.Theophila Neerikshana, complained on

05.12.2020 to the Cyber Crimes Police, Hyderabad, stating that on 01.12.2020,

she and her brother got anonymous calls from unknown persons to their mobile

numbers from different numbers abusing them for repayment of the loan for no

loan taken. They have taken a loan from ‗1 Credit and rupee plus App‘ and

paid Rs.10500/- through the said App. After one week, one person called her

and asked her to repay the loan, which they unknowingly credited.

She questioned the act of granting a loan to her without applying, for which the

caller stated that by mistake, he called her and would not call again like that.

She paid the amount credited to her account without applying through the Loan

App from 23.11.2020 to 01.01.2020.

She stated that again, she was credited an amount of Rs.30,000/- to her Andhra

Bank savings Account Number without being applied by her. After one week,

208
they continuously get calls using abusive language, creating WhatsApp groups,

and sending her photos and messages. They also took her mobile data, contact

number and all personal pictures from her phone gallery.

They further stated that they are representing from Small Vault, Money Click,

Rupee Lakshini, Dnhanicash, Krazy Bean, Act loan each full bubble loan, big

shock, paise loan I Credit, Cash seeds, Rupee factory, cash accessible cash

applications. They continuously call from nearly 100 different numbers and

abuse them in filthy language, blackmailing and threatening them. They also

demanded to pay more amount, or they would send messages to all contacts

with ‗photos with defaulter tag‘.

She also mentioned details of the mobile numbers from which she received

calls and registered the complaint as a case crime number for the offences

under Section 354-D, 506 and 509 of IPC and Section 67 of the Information

Technology Act, 2018

Third FIR, another instance where M. Anuradha complained on 21.12.2020,

police stating that her family was in financial trouble. Her mother sought help

with online loans from certain Apps. First, she took Rs.5000/- from three

different Apps on 30% interest, which is high. They asked her to fill in the

basic details such as ‗PAN‘ and ‗AADHAR‘.

They did not know that all their mobile data would be accessed and used

against them. After the deadline of a week to pay the amount, they started

making calls and sending abusive messages from different numbers under the

guise of repayment.

209
As their mother did not have money then, she took a loan from another app to

clear the due amount from the previous App and started a number of ways to

harass her mother and create panic about the situation in their home.

The complainant also mentioned the particulars of almost 38 Apps involved in

the fraud and registered the complaint in a specific case crime number for the

offences under Section 354-D, 506, 509 and 420 of IPC.

During the investigation, the police sent a notice to all payment gateways

requesting to furnish the details of all the loan apps involved in the above-said

cases. Also, they obtained the beneficiary account holders for the transactions

involved in the said cases. After knowing that several accounts have been

affected in the above-said crimes, they sent notices dated 02.03.2021,

05.03.2021, 05.03.2021 and 20.04.2021 to the concerned banks to freeze the

account.

The petitioner submitted its defence and affirmed that they had made the

business expansion diversification via digital mode and made itself cost-

effective, enter into service Agreements with FinTech Services providers, hire

a few FinTech institutions/ companies/organisations and provide services of

technical marketing support and loan collection by and enter into various

service agreements to discharge certain functions in disbursement,

documentation and display of loans and further also executed payout/ payment

solution agreement with payment gateway companies like M/s Cashfree

Payments India Private Limited, M/s Razorpay Software Private Limited and

210
others for integrating the same with the digital platform offering loan to

individuals.

Conversely, the prosecution informed the Hon‘ble High Court that the

allegations were severe; it was a loan app fraud. Many Chinese companies and

fraud companies in India cheat innocent people, and due to said harassment,

hundreds of innocent victims commit suicide. The Police have registered

several cases in the entire State of Telangana about the same loan app issues

and harassment.

The Investigating Officer has to collect evidence, investigate the allegations

and analyse the bank statements of the suspected companies, including the

petitioner company, to conclude that the amount was transferred into the

accounts of the companies that had committed offences.

During the investigation, the Investigating Officer seized the documents and

property from the possession of the petitioner in the said crimes since those are

suspect accounts and directed the banks and gateway service provider to freeze

the account activity of the petitioner.

The Finding of the Hon’ble Court

The above-stated submissions would reveal that there are allegations that some

unknown people are providing loans to the complainants through Loan Apps,

and in some instances, they are providing even without applying for loans and

later under the guise of repayment, calling them from different mobile numbers

211
threatening and blackmailing them, saying that they will keep their pictures in

the contact numbers that on the complaints lodged by the complainants,

According to E.D., it is a money laundering and cheating case. He has

registered the above crimes for the above offences. During the investigation,

police addressed letters to payment gateway providers and banks of the

petitioner, as detailed above, to freeze the accounts of the petitioner, which are,

according to police, suspect reports.

A perusal of the material would also reveal that the Police have received

several complaints stating that they have obtained loans from Mobile Apps,

they are unable to repay the same, they are also charging heavy interest, i.e., at

the rate of 150% to 450% interest and harassing the loanees/innocents due to

unbearable torture and harassment, several innocents have committed suicide

in entire states.

During the investigation of all loan App fraud cases, it was found that many

loan applications are being uploaded by Chinese nationals, keeping Indians as

Directors for their companies to escape the clutches of law.

Chinese follow the strategy because when the debtor fails to pay back the

money, they start harassing/threatening/ blackmailing the victims. Further,

they would inform their friends and relatives that they are cheaters.

Additionally, they make continuous calls to the debtors and would use abusive

language.

Notices were sent to all the FinTech companies connected to loan Apps,

including the petitioner company, to verify the genuineness of the financial

212
transactions, including the petitioner who received notices and submitted

information/ documents as sought by the Investigating officer. On verification

of the same, the Investigating Officer has issued necessary instructions to the

banks to freeze the accounts.

Suppose the petitioner's bank accounts, as he prayed, are de-frozen at this

stage. In that case, there is every likelihood of diverting funds to China through

various means like Cryptocurrency. Police have to investigate, specifically, the

role played by the petitioner in the commission of offences.

On completion of an investigation, if the Investigating Officer concludes that

the amounts were not transferred to the accounts of the petitioner and that the

petitioner company has nothing to do with the allegations in all the above-said

crimes, he will take a decision concerning the issuance of necessary

instructions to banks to de-freeze the accounts of the petitioner. The accounts

of the petitioner are only suspect accounts in the above-said crime.

With the above observation, the Hon‘ble High Court has given the liberty to

the petitioner to file an appropriate application before the court below.

4. PayPal Case 178

Background

PayPal Payments Private Limited, the petitioner, impugns the order dated 17

December 2020 passed by the first respondent, the Financial Intelligence Unit

India, holding it to be a reporting entity under the Prevention of Money

178
Paypal Payments Private Limited v. Financial Intelligence Unit India, Anr. W.P.(C) B138/2021.

213
Laundering Act 20023 and consequently proceeding to impose monetary

penalties for it having failed to comply with the reporting obligations as placed

under the Prevention of Money Laundering (Maintenance of Records) Rules

2005,

PayPal asserts that it is not a payment system operator as defined under the

PMLA, and consequently, it would be erroneous for FIU-IND to hold it as a

Reporting Entity. This is asserted because it does not render services relating

to clearing, payment or provision of settlement between a payer and a

beneficiary.

It essentially avers that it merely provides a technological interface enabling

export-related transactions that an Indian exporter and an overseas buyer may

undertake. It is its categorical case that in the chain of transactions which

ensues between the Indian exporter and an overseas buyer, PayPal is at no

stage engaged in the actual handling of funds.

Facts of the Case

PayPal also relies upon the stand as struck by the Reserve Bank of India,

which in separate proceedings had averred on an affidavit that it is not a

payment system operator.

The petitioner seeks to derive advantage from the stand so taken by RBI in

those proceedings since the definition of a ―Payment system under the

Payments and Settlements System Act 2007 is identical to the provision

embodied in the PMLA.

214
It would be apposite to notice the following essential facts to evaluate the

challenge that stands raised. As per the disclosures made in the writ petition,

the petitioner's officials are stated to have participated in a meeting with the

Additional Director of the FIU-IND, where they had been invited to explain

the scope and content of their business operations in India.

The petitioner asserts that it was willing to cooperate with the FIU-IND in that

meeting and remains bound by that obligation even today. On 16 March 2018,

FIU-IND issued a communication directing PayPal to register as a reporting

entity under the PMLA. FIU-IND further asserted that the business model of

PayPal established that it would fall within the definition of a reporting entity

as embodied in Section 2(1)(wa) of the PMLA.

FIU-IND alleged that despite the detailed clarifications that PayPal had

submitted, it was convinced that it was liable to register itself by the statutory

obligations placed by the PMLA. Acknowledging receipt of that letter,

On 23 July 2019, FIU-IND issued a Show Cause Notice purporting to be under

Section 13 of the PMLA addressed to PayPal and its six officers alleging non-

compliance with Section 12 of the PMLA and Rule 7 of the 2005 Rules.

PayPal was, in terms of the aforesaid notice, called upon to show cause why

suitable directions were not issued against them, including the imposition of

penalties. Responding to the aforesaid show cause notice, PayPal on 08

August.

215
Hon’ble Court Observation

Hon‘ble High Court of Delhi, on its judgment dated 09 th May 2023, holds that

PayPal is liable to be viewed as a "payment system operator" and consequently

obliged to comply with reporting entity obligations placed under the PMLA 179.

However, the imposition of penalty regarding the impugned order dated 17

December 2020 is quashed for reasons aforenoted.

The impugned order shall stand set aside to the extent above,‖ the court also

said observed that all elements of the transaction comprised or connected with

a payment being effected between two parties would appear to fall within the

scope of the expression ―payment system‖ as defined under Section 2(1)(rb) of

the PMLA.

Any system which enables the transfer of money between two ends would thus

appear to fall within the ambit of the expression "payment system". The Court,

therefore, finds no justification to restrict the application of the term "payment

system" only to those entities which may be directly or undeviatingly engaged

in the handling or transferring of funds. Any interpretation contrary to what

has been noted above would not only scuttle and impede the measures to be

deployed but also obstruct and hamper data collection and analysis,

constituting critical elements of AML measures.

179
Prevention of Money Laundering Act, 2002 ( Act 15 of 2003).

216
5. Google Pay Case 180

Background

The present petition has been filed like Public Interest Litigations for the

issuance of appropriate writs, orders or directions directing the Respondent

authorities to direct Google Pay India Services Private Limited to cease their

operations in India for violation of regulatory and privacy norms.

The Petitioner contends that Google Pay has violated privacy norms by gaining

access to and using consumers‘ data such as Aadhar details, which is in

contravention of Section 29, 38(g) and 38(i) of the Aaadhar Act, 2016 and the

Payments and Settlement Systems Act, 2007 and Banking Regulation Act,

1949.

Further, it is stated that the storage and use of sensitive and personal banking

information would be tantamount to an offence by a company as per Section

43 of the Aadhar Act, 2016.

The main grouse of the Petitioner is that operations of Google Pay in India as a

payment system provider are unauthorised for want of obtaining necessary

permissions, and hence Google Pay storing sensitive information of Indian

citizens would be tantamount to violations under the Aadhar Act, 2016;

Payments and Settlement Systems Act, 2007; and the Banking Regulation Act,

1949.

180
Abhijit Mishra v. RBI and Anr. W.P. 3693/2019.

217
It is further submitted that upon a perusal of the terms and conditions of

Google Pay, it emerges that the Google Pay application, which operates on the

UPI platform, has been performing the role of facilitator of transactions.

Therefore, Google Pay has been performing the role of a Payments System

Provider (PSP) without obtaining valid authorisation from the RBI as per

Sections 4 and 7 of the Payments and Settlement Systems Act, 2007.

Therefore, this constitutes an offence by a company under Section 26 of the

PSS Act.

The Petitioner places reliance on a reply to an RTI applications filed by the

Petitioner before the RBI and UIDAI, seeking the information as to whether

Google Pay was authorised to operate as a payment system provider and if the

UIDAI had granted permission to access and store customer data while

processing payments.

RBI stand

The Payment and Settlement System Act 2007 regulates and supervises Indian

payment systems, and RBI is the designated authority. Entities must seek RBI

authorisation under the Payment and Settlement System Act, 2007, to start or

operate as payment systems.

The RBI has authorised the NCPI, an RBI entity, to operate retail payments

and settlement systems in India under section 7 of the Payment and Settlement

System Act, 2007.

218
Under the Payment and Settlement System Act, 2007, NPCI is the network

operator, service provider, and coordinator of the Unified Payments Interface

(UPI), a real-time instant payment system for inter-bank transactions.

According to NPCI procedural norms, NPCI can handle client complaints.

The NPCI also regulates domestic payment systems. Google Pay is an

application that provides services on UPI, which is operated and governed by

NPCI. It is not a Payment Systems Provider. Payment Service Providers

provide clients with front-end applications. PSPs offer end-to-end services.

The NPCI's multi-bank architecture allows Third-Party App Providers

(TPAPs) to participate in UPI through PSP banks. Google Pay is considered a

TPAP under this arrangement, and stated that NPCI has permitted four banks

to partner with UPI under the multi-bank method.

Every PSP bank in the UPI system gives consumers Virtual Payment

Addresses (VPA) for P2P or P2M transactions. This sophisticated setup

protects bank details and private data by routing all transactions through

clients' VPAs. Google Pay is a TPAP that connects banks/systems to a vast

consumer base.

The RBI responded to the Petitioner's worries over BHIM AADHAR Pay

storing sensitive financial information like AADHAR data by contrasting it to

UPI. Both services are NPCI products, although Google Pay is a third-party

UPI-enabled app unrelated to BHIM-AADHAR.

RBI further claims that the RBI Ombudsman Scheme for Digital Transactions,

2019, best handles customer concerns about digital transactions. Chapter IV of

219
the Scheme outlines how individuals can file complaints with the RBI to

resolve their issues. The RBI has highlighted the difference between BHIM

AADHAR Pay and UPI in response to the Petitioner‘s concerns regarding

storing sensitive banking information of customers, such as AADHAR details,

etc. While both services are products offered and operated by the NPCI,

Google Pay is only a third-party UPI-enabled app that is not connected to

BHIM-AADHAR.

RBI further submits that the appropriate mechanism to address complaints

regarding digital transactions undertaken by customers of system participants

is squarely covered by the RBI Ombudsman Scheme for Digital Transactions,

2019. Chapter IV of the Scheme provides the procedure for redressal of

grievances faced by individuals through the channels of filing a complaint

before the RBI.

Hon’ble Cout Observation

With the view withdrawn from the counter affidavit filed by the RBI, the court

made it clear that Goole Pay is a mere third-party app provider for which no

authorisation from RBI is required under the provisions of the Act.181

4.8 Conclusion

New challenges have emerged simultaneously with the development and adoption

of a new generation of financial transaction systems. In this scenario, it has

become pertinent to have precise regulation with regard to FinTech in order to

181
Payment and Settlement System Act, 2007 ( Act 51 of 2007).

220
deal with issues like data privacy, online fraud, digital contracts and money

laundering.

The government and the regulatory bodies have recognized the changes that are

taking place in the FinTech space and have constantly kept pace within the rapidly

changing environment in terms of technology and customer expectation.

The evolution of FinTech is not without any pitfalls and challenges. Therefore, the

focus of the government and the regulatory bodies has been to make relevant

regulations & future-ready policy framework and create an ecosystem to harness

innovation in this field.

In the said chapter, the researcher has also made an effort to analyze the effective

role of judiciary in regulating the FinTech operations.

221