After China concluded its years-long efforts to overhaul the tech sector in 2023, the spotlight has shifted to India, where another regulatory crackdown, this time targeting the financial sector, is underway.

Rising cases of online fraud and cyberattacks have triggered widespread disruption of banking services, prompting the Reserve Bank of India (RBI) to tighten regulation enforcement and impose a new set of standards aimed at enhancing the security practices and processes of financial service providers, including fintech start-ups and traditional players.

In the fiscal year ending April 2024, the monetary authorities imposed 281 penalties across a range of banks and non-banking financial companies, resulting in fines amounting to 861.1 million rupees (US$10.26 million), double the amount imposed in the previous year. Specifically, the RBI tightened its reins on know-your-customer (KYC) and anti-money laundering practices, as well as cybersecurity and information technology (IT).

The increased oversight was in response to the surge in cyberattacks in the sector. In FY 2024, the RBI recorded a total of 36,075 online financial fraud cases, triple the number of cases in the previous year.  Reported fraud cases involving digital payments reached 29,082, a sevenfold increase from two years ago, resulting in losses of 14.57 billion rupees, up 4x from the previous year.

Ransonware attack

The security systems of many financial institutions proved inadequate to withstand these attacks, which led to large-scale operational disruptions and massive financial losses. In early August, a ransomware attack forced the temporary shutdown of payment services across nearly 300 small banks in the countryside. Two weeks earlier, Nainital Bank, a private financial institution, was reported to have lost 167 million rupees to hackers.

With such cases rising to crisis levels, the RBI scaled up its supervision of a once loosely regulated industry. It has issued a spate of warnings to the financial sector, paired with tightened rules and tougher penalties. In April, Kotak Mahindra Bank, one of the country’s largest private financial institutions, was called out for being “deficient in its IT risk and information security governance” between 2022 and 2023, and as a consequence, it was barred from onboarding new customers through online channels as well as issuing new credit cards.

The punishment represents a huge barrier to the bank’s digitally reliant business expansion. During the fiscal year 2023-24, 98% of Kotak Mahindra Bank’s personal loans, 72% of new saving accounts and more than half of other products including credit cards, unsecured loans and insurance policies were processed online through its platform Kotak811. In the trading week after the regulatory order was unveiled, the bank’s share price sank to its lowest for the year.

Meanwhile, fintech firms and payment aggregators were also caught in the widening clampdown. Mobile payment service provider Paytm, once the darling of fintech investors, terminated its deposit and credit services after the RBI said external auditors revealed “persistent non-compliances and continued material supervisory concerns”. These, according to reports, included the discovery of accounts of spurious ownership, which could have been used for money laundering and other illicit transactions.

Amid the crackdown, Paytm saw its revenue decline 36% year-on-year to US$179.5 million in April-June 2024, while its net loss widened by 134%. Since the RBI announcement, its share price has declined by 30% even falling by as much as 58%.

The fintech clampdown has affected not only local players but global companies as well. In July, the RBI slapped a fine of 24.75 million rupees on payments leader Visa Worldwide for unauthorized authentication processes on card transactions. Two local payment service providers were also penalized in the case for substandard KYC regime.

Next target

Despite the heightened regulatory actions, concerns remain over the rapacity of cybercriminals. Rapyder, a cloud service provider based in Bangaluru, has voiced fears that the cloud network, where massive amounts of personal data are stored, could be the next target.

“Cybercriminals frequently exploit weak encryption methods, poor access restrictions, and misconfigured cloud storage services to gain access to valuable data,” PricewaterhouseCoopers says in a recent report on cyber threats to fintechs. “Only a tailored and carefully designed cybersecurity strategy that exclusively caters to the nature of the operating models of fintechs will efficiently address the unique challenges posed by various vectors such as cloud vulnerabilities.”

In addition to addressing cybersecurity loopholes, the RBI regularly reviews and upgrades regulatory standards to ensure the sustainable development of the financial services sector. It reminds remitting banks, for example, to secure the personal information of payout recipients, such as their names and addresses, and implement an additional layer of identity authentication.

For payment aggregators, the RBI has imposed a more rigorous and lengthier KYC process for business transactions, as well as other requirements such as asking them to establish physical support centres and set up an escrow account to store the funds until a transaction is completed.

Industry concerns

As expected, industry players have not been exactly thrilled with the stringent regulations, which have increased the hurdles for business expansion. Local law firm Amlegals has enumerated three concerns over the regulatory clampdown: eroded interest from multinational corporations, huge financial burden for small companies, and disincentive to the shift towards virtual payments.

“The strict KYC criteria and compliance regulations, while intended to improve consumer protection and ensure fair market practices, provide difficulties for both current participants and future entrants, potentially affecting the convenience of doing business, especially for small and medium-sized merchants,” Amlegals asserts.

“It is critical to strike a careful balance between encouraging innovation and maintaining regulatory monitoring. The efficacy of these principles depends upon their capacity to enhance stability in the context of a culture that encourages inclusiveness, growth, and technological innovation.”