FEMA & RBI · NBFC & Financial Services Licensing
Peer-to-Peer Lending & Account Aggregator Licensing
Peer-to-Peer lending platforms and Account Aggregators are not ordinary fintech startups — they are Non-Banking Financial Companies regulated directly by the Reserve Bank of India, and both carry a Certificate of Registration requirement before a single rupee of customer money or a single byte of financial data can move through the platform.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Peer-to-Peer lending platforms and Account Aggregators are not ordinary fintech startups — they are Non-Banking Financial Companies regulated directly by the Reserve Bank of India, and both carry a Certificate of Registration requirement before a single rupee of customer money or a single byte of financial data can move through the platform. Getting the entity structure, Net Owned Fund, fit-and-proper promoter profile, and technology architecture wrong at the application stage does not just delay launch — it can mean outright rejection and a fresh application cycle. PNPC Global has advised NBFC and fintech promoters across India and the UAE since 1986 on RBI licensing, and we stay engaged from the pre-application structuring conversation through the annual compliance cycle that follows registration — not just the day the Certificate of Registration is issued.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
An NBFC-Peer to Peer Lending Platform (NBFC-P2P) is a non-banking financial company that operates an online platform to bring individual and institutional lenders and borrowers together for unsecured personal loans, without the platform itself lending from its own books. It is regulated under the RBI Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (as amended from time to time), issued under Sections 45-IA and 45JA of the Reserve Bank of India Act, 1934. A P2P platform acts purely as an intermediary or marketplace: it matches lenders with borrowers, facilitates loan agreements, handles disbursement and repayment through escrow-style nodal/trust accounts, and earns fee-based revenue — it does not raise deposits, does not hold funds on its own balance sheet as a lender, and does not guarantee returns or provide credit enhancement to participants. Operating a P2P lending business without RBI registration is a contravention of Section 45-IA of the RBI Act, and RBI has periodically flagged unregistered digital lending apps operating disguised P2P or lending models.
An Account Aggregator (NBFC-AA) is a distinct category of non-banking financial company regulated under the RBI Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (as amended). An Account Aggregator does not lend, does not hold customer funds, and does not access, view, or store the substance of a customer's financial data — its sole regulated function is to operate a consent-based technology architecture that securely retrieves a customer's financial information from Financial Information Providers (FIPs — banks, NBFCs, insurers, mutual funds, pension funds, tax authorities and other RBI-notified categories) and transmits it, only with explicit customer consent captured through the Account Aggregator's consent artefact, to Financial Information Users (FIUs — typically lenders, wealth managers, or other regulated entities requesting the data for a specific, time-bound, revocable purpose). The Account Aggregator framework operates on the same-language, interoperable technology stack commonly referred to as the account aggregator ecosystem or the data-sharing layer of the India Stack, and every licensed Account Aggregator must be a member of, and technologically compliant with, the common technical specifications maintained by the Account Aggregator ecosystem's central registry framework.
Both categories require the operating entity to first be incorporated as a company under the Companies Act, 2013 — typically a Private Limited or Public Limited Company — and then apply to RBI for a Certificate of Registration (CoR) under Section 45-IA of the RBI Act before commencing the regulated activity. Both are subject to a prescribed minimum Net Owned Fund (NOF) requirement, a fit-and-proper assessment of promoters and directors, detailed technology and data-security architecture review, and — once registered — an ongoing compliance regime covering periodic RBI returns, statutory audit, fair practices code, grievance redressal, and information-security standards. Neither an NBFC-P2P nor an NBFC-AA can accept public deposits, and both are prohibited from cross-holding or diversifying into unrelated regulated activities without separate RBI approval — an NBFC-P2P cannot also function as an NBFC-AA (or vice versa) under the same corporate entity without RBI's explicit permission, since each licence is activity-specific under the RBI's principle of one regulated activity per NBFC licence in most cases.
The strategic reason founders pursue these licences despite the regulatory overhead is straightforward: an unregistered platform cannot legally operate the core business model at all, cannot open the escrow/nodal bank accounts that regulated P2P disbursement requires, cannot integrate with the Account Aggregator ecosystem's central registry as a live participant, and cannot represent to lenders, borrowers, banks, or FIU/FIP counterparties that it is RBI-regulated — a threshold credibility requirement in a sector where every serious counterparty (banks, NBFCs, institutional lenders) checks the RBI list of registered NBFCs before onboarding a fintech partner. PNPC's role begins well before the application is drafted: assessing whether P2P or AA (or neither) is the correct regulatory characterisation for the proposed business model, structuring the promoter and shareholding profile to clear the fit-and-proper bar, and building the NOF and capital-raise plan around RBI's current registration thresholds.
When P2P or Account Aggregator registration applies to you
You are building a digital platform that matches individual or institutional lenders with individual borrowers for unsecured personal loans, and the platform itself will not lend from its own balance sheet — this is the NBFC-P2P activity requiring RBI CoR before launch
You are building a consent-based data-sharing platform intended to pull financial information (bank statements, GST returns, tax data, insurance, investment holdings) from regulated Financial Information Providers and deliver it to lenders or other regulated Financial Information Users — this is the NBFC-AA activity, a distinct RBI licence from P2P
You are a fintech, lending, or wealthtech company evaluating whether to integrate as a Financial Information User (FIU) with an already-licensed Account Aggregator, and need advisory on the participation agreement, consent-flow compliance, and data-usage restrictions rather than a fresh AA licence yourself
You are a bank, NBFC, insurer, mutual fund, or pension fund considering onboarding as a Financial Information Provider (FIP) on the Account Aggregator network and need regulatory and technology-compliance advisory on that participation
Your existing NBFC or fintech licence does not cover the P2P or AA activity you now intend to add, and you need advisory on whether a fresh entity and fresh CoR is required, or whether an amendment/expansion of an existing licence is possible
You have promoters, directors, or a shareholding structure with foreign investment (FDI) involved in a proposed P2P or AA entity and need the FEMA/FDI sectoral-cap position clarified alongside the RBI licensing track
You are already RBI-registered as an NBFC-P2P or NBFC-AA and need ongoing compliance support — periodic RBI returns, fair practices code implementation, statutory audit coordination, or representation in an RBI inspection or query
When this is not the right licence
You are building a traditional lending business that lends from your own balance sheet (on-book lending) rather than merely matching third-party lenders and borrowers — this requires a standard NBFC-Investment and Credit Company (NBFC-ICC) registration, a different Master Direction and NOF threshold, not the P2P framework
You are a digital lending app that partners with a bank or NBFC to originate and service loans on the regulated entity's books (the loan service provider / lending service provider model) — this is governed by RBI's Digital Lending Guidelines, not the P2P Master Direction, since the platform is not itself matching P2P lenders and borrowers
You want to build a personal finance or budgeting app that only displays a user's own data back to them, with no data transmission to a third-party FIU for lending, underwriting, or wealth-advisory purposes — this may not require an AA licence at all if no regulated data-sharing to a third party is involved; a narrower data-privacy and technology advisory may be the correct engagement
You are simply looking to integrate your NBFC/bank/lending business as a consumer of Account Aggregator data (an FIU) — you do not need to become a licensed Account Aggregator yourself; you need an AA participation and consent-architecture advisory instead
Your platform is a marketplace or comparison aggregator for loan products (matching borrowers to multiple bank/NBFC loan offers, earning referral commission) without actually structuring or facilitating peer-to-peer lending agreements — this is typically a referral/DSA (Direct Selling Agent) arrangement, not a P2P NBFC activity
You do not yet have a clear, committed promoter group able to meet the fit-and-proper and Net Owned Fund thresholds RBI expects at application stage — in this scenario, a pre-application readiness assessment is the right first engagement, not a full licence application
NBFC-P2P vs NBFC-Account Aggregator vs adjacent digital-lending/fintech models
| Feature | NBFC-P2P | NBFC-Account Aggregator | Standard NBFC (ICC/on-book lending) | Digital Lending App (LSP/DLA model) |
|---|---|---|---|---|
| Governing framework | RBI Master Directions – NBFC-P2P Lending Platform (Reserve Bank) Directions, 2017 (as amended) | RBI Master Direction – NBFC-Account Aggregator (Reserve Bank) Directions, 2016 (as amended) | RBI Master Direction – Non-Banking Financial Company (NBFC) Scale Based Regulation, 2023 | RBI Digital Lending Guidelines (2022, as amended) — layered on the regulated entity's own NBFC/bank licence |
| Core regulated activity | Matching lenders and borrowers on an online platform for unsecured personal loans; no on-book lending by the platform | Consent-based retrieval and transmission of financial data between FIPs and FIUs; no lending, no data storage of financial information content | Lending and investment from the company's own balance sheet | Loan sourcing/servicing on behalf of a regulated lender; the app itself is not usually separately RBI-licensed unless it is itself an NBFC |
| Certificate of Registration required | Yes — mandatory CoR from RBI under Section 45-IA before commencing business | Yes — mandatory CoR from RBI under Section 45-IA before commencing business | Yes — mandatory CoR under Section 45-IA | Not separately, if operating purely as an outsourced agent of a regulated lender; but the underlying lender must be RBI-regulated |
| Holds/lends own funds | No — funds move directly between lender and borrower participants via escrow/nodal accounts; platform cannot lend from its own books | No — never handles customer funds at all; the licence is purely data-flow, not funds-flow | Yes — lends from its own balance sheet, funded by owned funds and permitted borrowings | Depends on structure — typically the partner bank/NBFC lends; the app/LSP does not lend on its own book unless separately licensed |
| Deposit acceptance | Prohibited | Prohibited (not applicable — no funds handling at all) | Prohibited for most NBFC categories unless specifically permitted as a Deposit-taking NBFC (NBFC-D) | Not applicable to the LSP; governed by the underlying lender's own deposit status |
| Escrow / nodal account requirement | Mandatory — separate escrow accounts for lender funds pending disbursal and for borrower repayments, maintained with a bank distinct from the platform's own operating account, per RBI's prescribed structure | Not applicable — no funds ever pass through an Account Aggregator | Not typically applicable in the same escrow sense; governed by standard banking arrangements | Escrow arrangements may apply per Digital Lending Guidelines for loan disbursal and repayment flows through the regulated entity |
| Exposure/lending caps on participants | Prescribed caps apply per lender and per borrower across all P2P platforms combined, and an aggregate exposure limit for a single lender across the platform, as specified in the current P2P Master Direction | Not applicable — no lending activity | Governed by the NBFC's own prudential exposure norms under Scale Based Regulation | Governed by the underlying regulated lender's own prudential norms |
| Data-handling role | Standard NBFC KYC/data obligations for onboarded lenders and borrowers | Core regulated function — consent architecture, data-minimisation, purpose-limitation, and non-storage of the substance of financial information transmitted | Standard NBFC KYC/credit-data obligations | Governed by Digital Lending Guidelines' data-minimisation, app-permission, and disclosure norms |
| Can combine with other NBFC activity | Generally restricted to the P2P activity alone under the same CoR; diversification needs RBI approval | Generally restricted to the AA activity alone under the same CoR; an AA cannot undertake any other business | May combine permitted activities within its classified NBFC layer under Scale Based Regulation, subject to RBI norms | The lender/NBFC side may combine other permitted NBFC activities; the LSP/app itself is typically not separately regulated |
| Foreign investment (FDI) | Permitted under the automatic route for NBFC activities per the FDI Policy and FEMA Non-Debt Instruments Rules, subject to conditions and minimum capitalisation norms applicable to NBFC-FDI where relevant | Permitted under the automatic route subject to FDI Policy conditions applicable to NBFC/financial-services activity | Permitted under automatic route subject to FDI Policy conditions for the NBFC sector | Governed by the FDI position of the underlying regulated lending entity |
| Primary risk if unregistered | Section 45-IA contravention; RBI can direct discontinuation, and unregistered lending-adjacent apps have been the subject of RBI public cautionary notices and enforcement action | Section 45-IA contravention; cannot legally participate in the Account Aggregator ecosystem's central registry as a live FIP/FIU counterparty without a licensed AA in the flow | Section 45-IA contravention; RBI can direct winding down of unauthorised lending business | Non-compliance with Digital Lending Guidelines can result in RBI action against the regulated lending partner, indirectly shutting down the app's business model |
This table is directional guidance only. The precise Net Owned Fund threshold, exposure caps, and permitted activity boundaries applicable to NBFC-P2P and NBFC-AA registrations are set out in RBI's Master Directions as amended from time to time, and RBI periodically revises these thresholds and caps. A pre-application regulatory consultation confirming the RBI norms current as of your filing date is essential before structuring capital, shareholding, or business model commitments.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Business Model & Regulatory Characterisation — Confirming P2P vs AA vs neither | Before any application is drafted, we map the actual data flow and funds flow of your business model against RBI's Master Directions. Many fintech ideas sit in a grey zone — a lending marketplace that also wants to display aggregated financial data, or a data platform that later wants to add a lending layer. We identify which licence (or licences, requiring separate entities) the model actually needs, and flag where a proposed feature would require RBI approval to add later. | Week 1–2 |
| 2 | Entity Structuring & Promoter Fit-and-Proper Assessment | RBI's fit-and-proper criteria examine the promoters' and proposed directors' financial soundness, integrity, and track record — including a declaration of no conviction, no history of financial default, no adverse regulatory or criminal proceedings, and demonstrable financial capacity to bring in the Net Owned Fund. We run this assessment before the application is filed, not after RBI raises a query, because a promoter-profile problem discovered mid-application is far costlier to resolve than one identified at structuring stage. | Week 1–3, run in parallel with characterisation |
| 3 | Company Incorporation or Existing-Entity Readiness Review | If starting fresh, we incorporate the Private Limited Company with MoA objects clauses specifically drafted to support the P2P or AA activity (a generic 'fintech services' object clause is often queried by RBI as insufficiently specific). If an existing company is being repurposed, we conduct a compliance and financial-history review of that entity, since RBI evaluates the applicant company's own track record, not just its promoters. | Week 2–4 for fresh incorporation; 1–2 weeks for existing-entity review |
| 4 | Net Owned Fund Planning & Capitalisation | RBI prescribes a minimum Net Owned Fund threshold for both NBFC-P2P and NBFC-AA applicants under their respective Master Directions, computed per Section 45-IA's NOF definition (paid-up capital plus free reserves, less accumulated losses and specified intangible/deferred items). We plan the capital infusion schedule, the supporting net-worth certificate from a practising Chartered Accountant, and the source-of-funds documentation RBI expects for each contributing promoter — including FEMA compliance where any promoter or investor is a non-resident. | Week 3–6, dependent on capital-infusion timeline |
| 5 | Technology Architecture & Information-Security Documentation | Both P2P and AA applications require a detailed description of the technology platform: for P2P, the loan-matching engine, escrow/nodal account integration with the partner bank, and credit-assessment methodology disclosed to lenders; for AA, the consent-architecture implementation, API integration readiness with the Account Aggregator ecosystem's central registry technical specifications, data-encryption-in-transit and non-storage compliance, and business-continuity/disaster-recovery framework. RBI's application scrutiny on the technology and data-security dimension is materially more detailed for these two categories than for a standard NBFC-ICC application. | Week 4–8, run in parallel with capitalisation — this is frequently the longest workstream |
| 6 | Application Drafting & Board/Shareholder Documentation | We prepare the complete CoR application — corporate documents, business plan, projected financials for the initial years of operation, policy documents (fair practices code, IT policy, outsourcing policy, grievance redressal policy, KYC/AML policy), and the Board resolutions authorising the application and confirming the Board's oversight responsibility for the regulated activity. Every policy document is drafted specific to the P2P or AA business model — generic boilerplate policies are a common cause of RBI query rounds. | Week 6–9 |
| 7 | Application Filing with RBI | The application is filed with the Regional Office of RBI having jurisdiction over the registered office of the applicant company, along with the prescribed application fee and the complete document set. We coordinate the physical and digital submission requirements as prescribed by the relevant Regional Office, which can have minor procedural variations. | Week 9–10 for filing; RBI's own processing timeline thereafter is outside PNPC's control and depends on RBI's current caseload and query cycles |
| 8 | RBI Query Handling & Clarification Rounds | RBI's licensing process for both P2P and AA categories typically involves one or more rounds of written queries or clarification requests — on promoter background, capital source, technology readiness, or business-model specifics. We draft and coordinate every response, and where RBI requests a meeting or presentation on the technology architecture (common for AA applications given the ecosystem's technical interoperability requirements), we prepare the applicant team for that engagement. | Varies significantly by case — RBI's query and review timeline is not fixed and should not be assumed to follow a standard duration |
| 9 | Certificate of Registration (CoR) Issuance | On RBI's satisfaction with the application, the Certificate of Registration is issued, permitting the entity to commence the regulated P2P or AA activity. The CoR often carries specific conditions — for example, a requirement to commence operations within a stipulated period, or conditions on the initial scale of operations — which we review carefully with the client before go-live. | On RBI's approval — total time from initial engagement to CoR varies considerably by case and is not a fixed, guaranteed timeline |
| 10 | Escrow/Nodal Account Setup (P2P) or Central Registry Onboarding (AA) | For P2P: we coordinate the escrow and nodal account arrangement with a scheduled commercial bank per RBI's prescribed structure, ensuring lender-pending-disbursal funds and borrower-repayment funds are segregated as required. For AA: we coordinate the technical onboarding to the Account Aggregator ecosystem's central registry and the execution of participation agreements with FIPs and FIUs the platform intends to work with at launch. | Week 1–4 post-CoR |
| 11 | Pre-Launch Compliance Readiness — Policies live, systems tested, first cohort onboarding | Before go-live, we confirm the fair practices code is displayed to users as required, the grievance redressal mechanism is operational with a designated Grievance Redressal Officer, the KYC/AML programme is functioning for onboarding lenders and borrowers (P2P) or FIU/FIP participants (AA), and the RBI-prescribed disclosures are built into the user interface and onboarding flow. | Week 2–6 post-CoR, run in parallel with account/registry setup |
| 12 | Ongoing RBI Reporting & First Compliance Cycle | Once operational, the entity moves into RBI's periodic reporting regime — including returns specific to the P2P or AA category, along with the general NBFC returns applicable under the Scale Based Regulation framework where relevant. We set up the reporting calendar from Day 1 of operations rather than waiting for the first due date to arrive. | Ongoing from go-live |
| 13 | Statutory Audit & Annual Compliance Certification | RBI requires the statutory auditor of a registered NBFC-P2P or NBFC-AA to report specifically on compliance with the applicable Master Direction as part of the annual audit, in addition to standard Companies Act audit requirements. We coordinate this dual-scope audit and the certifications RBI expects to be filed alongside the audited financials. | Annually, aligned to the company's financial year |
| 14 | Growth-Stage & Structural Change Advisory | Change in shareholding beyond prescribed thresholds, change in control, change in directors, or any proposed diversification of activity by a registered NBFC-P2P or NBFC-AA typically requires prior RBI intimation or approval. We advise at every such inflection point — funding rounds, promoter exits, geographic expansion, or a proposed pivot in business model — so structural changes are RBI-compliant before they are executed, not after. | As needed through the life of the licence |
Realistic end-to-end timeline: RBI's own review and approval timeline for NBFC-P2P and NBFC-AA Certificate of Registration applications is not fixed by regulation and varies materially by case complexity, promoter profile, and RBI's current processing queue — it has historically run to several months or longer from a complete filing, and should not be assumed to follow a guaranteed duration. Pre-filing structuring, capitalisation, and technology-readiness work (Stages 1–8 above) realistically takes 3–4 months for a well-prepared applicant before the application is even filed.
Certificate of Incorporation and latest Memorandum & Articles of Association, with MoA objects clause specifically covering the P2P or Account Aggregator activity
Certified copy of the Board resolution approving the application for NBFC-P2P or NBFC-AA Certificate of Registration and authorising a signatory
Shareholding pattern of the applicant company with full details of every shareholder holding shares above the threshold RBI treats as requiring fit-and-proper disclosure
Details of group companies, if any, and their business activities — RBI evaluates the promoter group's overall financial standing and regulatory history, not just the applicant entity
Audited financial statements of the applicant company for the preceding financial years (where the entity is not newly incorporated), or opening/provisional financials for a fresh incorporation
Personal net-worth statement of each promoter and director, certified by a practising Chartered Accountant
Income-tax returns of promoters and directors for the preceding financial years
Declaration of no conviction, no pending criminal proceedings, and no history of default with any bank/financial institution, in the format prescribed by RBI
Professional background, qualifications, and prior experience of the proposed directors and key management personnel — particularly relevant for the Principal Officer/Grievance Redressal Officer roles that RBI expects to be named at application stage
Credit report / CIBIL or equivalent credit bureau report of promoters and directors where requested
Source-of-funds documentation for each promoter's contribution to the Net Owned Fund, including bank statements evidencing the capital infusion
Net Owned Fund certificate from a practising Chartered Accountant, computed per Section 45-IA of the RBI Act as of the date specified in the application
Bank statements and share application/allotment documents evidencing that the paid-up capital has actually been received and is unencumbered
Auditor's certificate confirming no diminution in the value of investments or assets that would affect the NOF computation
For foreign shareholders contributing to capital — FDI-compliant share subscription documentation, FC-GPR filing status, and FEMA sectoral-cap confirmation for the NBFC activity
Detailed business plan describing the proposed P2P lending model or Account Aggregator data-flow model, target customer segments, and revenue model
Projected financial statements (balance sheet, profit and loss, cash flow) for the initial years of operation post-registration
Description of the risk-management framework — for P2P, the borrower credit-assessment methodology disclosed to lenders and default-handling process; for AA, the consent-revocation and data-breach response process
Organisational structure chart showing key roles — Principal Officer, Compliance Officer, Grievance Redressal Officer, and the technology/information-security ownership within the organisation
Technical architecture document — for P2P, the loan-matching platform, escrow/nodal account integration, and system uptime/business-continuity plan; for AA, the consent-artefact implementation and API compliance with the Account Aggregator ecosystem's central registry technical specifications
Information security policy covering data encryption in transit and at rest, access controls, and incident-response procedures
For AA applicants specifically — evidence of technical readiness to integrate with the Account Aggregator ecosystem, including any sandbox testing or certification already undertaken with empanelled technology service providers
Business continuity and disaster recovery plan, and details of data centre location and hosting arrangement (India-based hosting is generally expected for regulated financial data)
Cyber-security audit report or a commitment to conduct one, where the applicant has an operational platform already in pilot/testing
Fair Practices Code — covering disclosure to lenders and borrowers (P2P) or to FIPs/FIUs and customers (AA), transparent fee structure, and non-discriminatory practices
KYC / Anti-Money Laundering (AML) policy for onboarding lenders, borrowers, or FIU/FIP counterparties, aligned to RBI's KYC Master Direction
Grievance Redressal policy naming a designated Grievance Redressal Officer and the escalation and turnaround-time framework for customer complaints
Outsourcing policy, where any technology, customer-service, or collections function is proposed to be outsourced to a third-party vendor
IT and data-governance policy specific to the P2P or AA activity, addressing data retention, data-minimisation (particularly critical for AA, which is prohibited from storing the substance of financial information transmitted), and third-party data-sharing restrictions
Escrow and nodal account agreement with the designated bank, evidencing segregation of lender and borrower funds (P2P only)
Participation agreements with Financial Information Providers and Financial Information Users, and evidence of live integration with the Account Aggregator ecosystem's central registry (AA only)
Periodic RBI returns applicable to the registered category, filed per the reporting calendar prescribed in the relevant Master Direction
Annual statutory audit report with the auditor's specific certification on compliance with the applicable NBFC-P2P or NBFC-AA Master Direction
Board-approved annual review of the fair practices code, IT policy, and grievance redressal mechanism, evidencing ongoing governance oversight of the regulated activity
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Application Structuring | Decision to build a P2P or AA fintech business | Regulatory characterisation of the business model, promoter fit-and-proper pre-assessment, entity structuring, and Net Owned Fund capitalisation planning — all before a form is drafted. | Filing an application against the wrong regulatory characterisation, or with a promoter profile that does not clear fit-and-proper scrutiny, results in query rounds or outright rejection and a costly re-application cycle. |
| Application & RBI Review | Complete document set ready | Application drafting, policy-document preparation specific to the activity, technology architecture documentation, and management of RBI's query and clarification rounds through to Certificate of Registration. | Generic or boilerplate policy documents and vague technology descriptions are the most common cause of extended RBI query cycles and delayed or refused registration. |
| Certificate of Registration Issued | RBI approval | Review of any conditions attached to the CoR, escrow/nodal account setup (P2P) or central registry onboarding (AA), and pre-launch readiness confirmation across policies, systems, and grievance mechanisms. | Commencing operations before escrow arrangements or technical onboarding are actually live, or missing a condition attached to the CoR, exposes the entity to RBI supervisory action even after registration. |
| First Year of Operations | Go-live | Reporting calendar set up from Day 1, statutory audit scope confirmed to include the applicable Master Direction certification, fair practices code and grievance mechanism operational and monitored, and KYC/AML programme functioning for every onboarded participant. | Missed periodic RBI returns, an audit that omits the required regulatory certification, or a non-functioning grievance mechanism are exactly the gaps RBI supervisory inspections are designed to find. |
| Annual Compliance Cycle | Financial year end | Statutory audit with the Master-Direction-specific auditor certification, Net Owned Fund reconfirmation, Board review of policies, and filing of all periodic and annual RBI returns applicable to the registered category. | NOF erosion below the prescribed threshold, or a lapsed annual return, can trigger RBI scrutiny of the entity's continued eligibility to hold the Certificate of Registration. |
| Funding Round or Shareholding Change | Investor interest, promoter exit, or capital raise | Advisory on whether the proposed change in shareholding or control requires prior RBI intimation or approval, fit-and-proper assessment of any new promoter/director, and FEMA/FDI compliance where a foreign investor is involved. | Executing a change in control or a material shareholding change without the required RBI intimation/approval can itself constitute a licence-condition breach, independent of how sound the underlying commercial transaction is. |
| Business Model Expansion or Pivot | Proposed new feature or adjacent activity | Assessment of whether a proposed new feature (for example, a P2P platform wanting to add data-aggregation features, or an AA wanting to add any lending-adjacent function) falls within the existing CoR's permitted activity, or requires a fresh application, a new entity, or RBI's prior approval. | Both P2P and AA licences are activity-specific; operating an unapproved adjacent activity under an existing CoR is treated as operating outside the terms of the licence and can attract RBI action against the entire registration, not just the new feature. |
| RBI Inspection or Supervisory Query | Routine supervision or specific complaint-driven review | Preparation of the entity's records, representation in correspondence and meetings with RBI's supervisory department, and remediation planning for any observations raised. | An unprepared or poorly documented response to an RBI supervisory query can escalate a minor observation into a formal show-cause process or, in serious cases, cancellation of the Certificate of Registration. |
What exactly is the difference between an NBFC-P2P and an NBFC-Account Aggregator?
They are two entirely separate RBI-regulated activities governed by two different Master Directions. An NBFC-P2P operates a marketplace that matches individual lenders with individual borrowers for unsecured personal loans — money moves between the participants through escrow accounts, and the platform earns a fee without lending from its own books. An NBFC-Account Aggregator never handles money at all — it operates a consent-based technology layer that retrieves a customer's financial data from banks, NBFCs, insurers, and other Financial Information Providers, and transmits it to a lender or other Financial Information User only with the customer's explicit, revocable consent. One is a lending marketplace; the other is a regulated data pipe. Neither can be operated under the same Certificate of Registration as the other.
Do I need RBI registration before I can even build and test the platform?
You can build and internally test the technology. What you cannot do is operate the regulated activity commercially — onboard real lenders and borrowers to facilitate actual P2P loans, or go live with real customer consent flows moving actual financial data to a Financial Information User — before the Certificate of Registration is issued. Operating the commercial activity without RBI registration is a contravention of Section 45-IA of the RBI Act.
What is the Net Owned Fund requirement for a P2P or Account Aggregator licence?
RBI prescribes a minimum Net Owned Fund threshold for both categories under their respective Master Directions, computed per the Section 45-IA definition of NOF — broadly, paid-up equity capital and free reserves, reduced by accumulated losses, deferred revenue expenditure, and certain specified intangible assets and investments in group companies. Because RBI periodically revises these thresholds, we confirm the exact figure applicable as of your specific filing date during the pre-application consultation rather than quoting a number that may already be superseded.
Can an existing NBFC simply add P2P or AA as an additional activity to its current licence?
Generally, no. Both NBFC-P2P and NBFC-AA are activity-specific registrations under RBI's regulatory architecture — an entity registered for one NBFC category is not automatically permitted to conduct P2P or AA activity under the same Certificate of Registration. In most cases a separate application, and often a separate corporate entity, is required. There are limited scenarios where RBI has permitted structural adjustments, but this should never be assumed without a specific regulatory consultation on the exact existing licence and the proposed new activity.
How long does the RBI approval process actually take?
There is no fixed statutory timeline that RBI guarantees for NBFC-P2P or NBFC-AA Certificate of Registration approval. In practice, the process runs through one or more rounds of RBI queries on the promoter profile, capital structure, business plan, and — particularly for these two categories — the technology and data-security architecture. The overall timeline depends heavily on how complete and well-prepared the initial application is, and on RBI's own processing queue at the time of filing.
Who are Financial Information Providers (FIPs) and Financial Information Users (FIUs) in the Account Aggregator ecosystem?
A Financial Information Provider is an entity that holds a customer's financial data and is willing to share it through the Account Aggregator framework when the customer consents — typically banks, NBFCs, insurance companies, mutual funds, pension funds, and certain tax and other RBI/regulator-notified data sources. A Financial Information User is the entity requesting that data for a specific, disclosed purpose — typically a lender assessing a loan application, or a wealth manager building a consolidated view of a client's holdings, with the customer's explicit and revocable consent captured through the AA's consent artefact. The Account Aggregator itself sits in the middle as a consent-management and data-transmission conduit — it is never a FIP or FIU itself.
Can an Account Aggregator see or store the actual financial data it transmits?
No. This is the central regulatory design principle of the AA framework. An Account Aggregator is expressly prohibited from using, retaining, or storing the substance of the financial information it transmits between an FIP and an FIU beyond what is operationally necessary for the technical transmission itself, and it cannot use the data for any purpose other than the specific consented transmission. The AA's business model is built entirely around being a data-blind conduit — its revenue comes from facilitating the consented data flow, not from having any commercial use of the data itself.
What are the escrow / nodal account requirements for a P2P platform?
An NBFC-P2P platform is required to route lender funds pending disbursal, and borrower repayments, through escrow accounts opened with a bank and structured such that the platform itself does not have unrestricted access to co-mingle or use these funds for its own purposes. This structure exists specifically so a P2P platform's own financial distress cannot put participant funds at risk, since the platform is a facilitator, not a custodian in the ordinary lending sense.
Are there caps on how much an individual lender can lend through a P2P platform, or how much a borrower can borrow?
Yes. RBI's P2P Master Direction prescribes exposure limits — a cap on the amount a single lender can lend to a single borrower, and an aggregate cap on a single lender's total P2P lending exposure across all platforms combined, along with a maximum tenure for P2P loans. Because RBI periodically reviews and can revise these figures, we confirm the exact caps in force at the relevant time as part of platform design and lender/borrower disclosure documentation, rather than treating any previously quoted figure as permanently fixed.
Can foreign investors or NRIs be promoters or shareholders in an NBFC-P2P or NBFC-AA?
Foreign investment in NBFC activities, including P2P and AA categories, is generally permitted under the automatic route under India's FDI Policy and the FEMA (Non-Debt Instruments) Rules, 2019, subject to the conditions applicable to NBFC/financial-services FDI. Where foreign shareholders are involved, the standard FEMA reporting obligations — FC-GPR on the RBI FIRMS portal within the prescribed window of allotment — apply in addition to, and independently of, the NBFC licensing process itself. Foreign promoters and directors are also subject to the same fit-and-proper scrutiny as resident promoters.
What happens if RBI rejects the application?
RBI is not obligated to disclose detailed reasons for rejection in the way a court judgment would, though the query rounds preceding a decision typically surface the specific concerns RBI has with the application. A rejected applicant can, after addressing the underlying concerns — whether promoter profile, capital adequacy, or business-model clarity — submit a fresh application, but this means restarting substantially the entire process, including fresh fees and documentation. There is no fast-track re-application process specific to a previously rejected NBFC-P2P or NBFC-AA application.
Does a registered NBFC-P2P or NBFC-AA need a separate statutory audit process from a normal company?
Both remain subject to the standard Companies Act 2013 statutory audit requirement applicable to every company. In addition, RBI requires the statutory auditor of a registered NBFC-P2P or NBFC-AA to specifically report on the entity's compliance with the applicable Master Direction — covering matters like Net Owned Fund maintenance, adherence to prescribed exposure caps (for P2P) or data-handling restrictions (for AA), and compliance with the fair practices code and grievance redressal framework — as an addition to the standard financial-statement audit opinion.
What ongoing returns does RBI require from a registered NBFC-P2P or NBFC-AA?
Registered NBFC-P2P and NBFC-AA entities are subject to periodic reporting obligations to RBI specific to their category, in addition to general returns applicable to NBFCs more broadly under the Scale Based Regulation framework where relevant to their classification. The exact return formats, frequency, and filing portal are prescribed in the respective Master Directions and RBI circulars issued from time to time. We set up the applicable reporting calendar as part of the post-registration engagement, confirmed against the current RBI reporting requirements at that time.
Is there a limit on how many P2P platforms a single lender can use, or is it per-platform?
The RBI-prescribed aggregate exposure cap for an individual P2P lender applies across all P2P platforms combined, not per platform in isolation — the intent is to prevent a lender from circumventing the individual exposure cap simply by spreading lending across multiple registered P2P platforms. This is enforced in part through mandatory reporting by registered P2P platforms, and lenders are expected to make accurate disclosures of their existing P2P exposure when onboarding to a new platform.
Can a P2P platform guarantee returns to lenders or offer any form of credit guarantee?
No. An NBFC-P2P platform is expressly prohibited from providing or arranging any credit enhancement, credit guarantee, or assured minimum return to lenders on the platform. The entire regulatory design treats the P2P platform as a facilitator of a direct lender-borrower relationship, with the credit risk sitting with the lender, not the platform. Any marketing or product feature that implies a guaranteed return or a platform-backed safety net for lenders is a direct violation of this core restriction.
What is the Principal Officer or Grievance Redressal Officer role RBI expects to be named?
RBI expects a registered NBFC-P2P or NBFC-AA to designate specific accountable individuals within the organisation — typically a Principal Officer responsible for regulatory and AML/KYC compliance oversight, and a Grievance Redressal Officer responsible for handling and escalating customer complaints within a defined turnaround time, whose contact details must be disclosed to customers. These are not honorary titles — RBI expects these roles to be functionally staffed and accountable, and their existence and effectiveness can be examined during a supervisory review.
How does an Account Aggregator make money if it cannot hold or use the data it transmits?
An Account Aggregator's revenue model is typically fee-based, charging FIUs (and in some arrangements, FIPs) a transaction or subscription-based fee for facilitating each consented data-transmission event through its platform — analogous to a toll on a data pipe rather than a business built on monetising the underlying data itself. Because the AA cannot use, sell, or repurpose the data it transmits, the entire commercial model has to be built around the volume and reliability of consented data-flow transactions, not data monetisation.
What is the difference between a P2P platform and a Direct Selling Agent (DSA) or loan marketplace?
A DSA or loan-comparison marketplace refers borrowers to banks or NBFCs and earns a referral or origination commission — the loan itself is originated and held on the referring bank's or NBFC's own books, and the marketplace is not itself a party structuring a lender-borrower relationship. A P2P platform is fundamentally different: it structures and facilitates an actual lending relationship between an individual lender (who could be another retail customer) and a borrower, with the platform itself as the regulated intermediary for that specific transaction. This distinction is exactly why a loan-comparison website does not need P2P registration, while a platform that actually matches individual lenders to borrowers does.
Does PNPC handle both the RBI licensing and the ongoing FEMA compliance if my P2P or AA platform has foreign shareholders?
Yes. PNPC's FEMA & RBI practice covers both tracks as a coordinated engagement rather than two separate workstreams handed to different specialists — the RBI Certificate of Registration process for the P2P or AA activity itself, and the FEMA/FDI compliance (FC-GPR filing, sectoral cap confirmation, downstream investment mapping if relevant) for any foreign capital in the structure. Structuring both together from Day 1 avoids a scenario where the NBFC application and the FEMA filing timeline are misaligned.
Can an NBFC-P2P or NBFC-AA operate across India, or is it state-specific?
Once RBI issues the Certificate of Registration, the entity is authorised to operate the regulated activity across India — there is no state-specific licensing layer for the core NBFC-P2P or NBFC-AA activity itself, since RBI regulation operates at the central/national level. Other unrelated state-level registrations a company needs regardless of its NBFC status (GST registration in states of operation, professional tax, shops and establishment registration for physical offices) apply independently, in the same way they would for any company.
What happens to customer funds or data if a licensed P2P or AA company shuts down or is deregistered?
For a P2P platform, the escrow-account structure exists specifically to protect participant funds independent of the platform's own solvency — funds in transit are held with the escrow bank per the prescribed structure, not on the platform's own balance sheet, which is intended to limit (though not necessarily eliminate) the operational disruption to lenders and borrowers if the platform itself winds down. For an AA, since it never holds or stores the substance of financial data by design, a shutdown does not create a data-retention exposure in the way it would for a data-storing business — the AA's core architecture is built to avoid exactly this risk. In both cases, an orderly wind-down still requires RBI intimation and a formal closure process, and existing participant relationships (outstanding P2P loans, active AA consent artefacts) need a documented transition plan.
How much does it cost to get an NBFC-P2P or NBFC-AA licence, including RBI fees and professional fees?
RBI charges a prescribed application fee for the Certificate of Registration process, which is a modest component compared to the overall cost of getting licence-ready — the larger costs are the Net Owned Fund capitalisation itself, technology-platform build cost, and professional fees for structuring, documentation, and RBI liaison through the query-and-approval process. Because the capitalisation requirement and RBI's fee schedule are both subject to periodic revision, and because professional fees depend on the complexity of the specific promoter structure and business model, we provide a written, case-specific fee proposal after the initial discovery conversation rather than quoting a generic figure that would not reflect your actual situation.
Why should I engage a CA firm rather than a legal firm or a specialised fintech-licensing consultant for this?
NBFC-P2P and NBFC-AA applications sit precisely at the intersection of company law, RBI regulatory practice, FEMA/FDI compliance (where foreign capital is involved), Net Owned Fund certification (which specifically requires a practising Chartered Accountant's certificate), and ongoing statutory audit with Master-Direction-specific certification. A firm that only handles the legal drafting or only handles the technology documentation leaves the financial certification, capital-structuring, and post-registration compliance pieces to be coordinated separately — often across multiple advisors who are not talking to each other. PNPC's CA practice covers the full lifecycle: NOF certification, FEMA/FDI compliance, the RBI application process, and the annual statutory audit and compliance cycle after registration, as one coordinated engagement.
Can a single company hold both a P2P Certificate of Registration and an Account Aggregator Certificate of Registration?
This is not the standard structure RBI's licensing framework contemplates — each Certificate of Registration is issued for a specific NBFC activity category, and P2P and AA are distinct categories with different Master Directions, different technology and risk profiles, and different core prohibitions (an AA cannot lend or hold funds; a P2P platform's whole purpose is facilitating a lending relationship). A promoter group wanting to operate both business lines would typically need to structure them as separate corporate entities, each separately registered, rather than seeking a combined registration under one company.
What is the role of the Reserve Bank's 'account aggregator ecosystem' central registry, and does every AA have to join it?
The Account Aggregator ecosystem operates on a common, interoperable technology framework, with a central registry maintaining the list of live, technically-compliant Account Aggregators, Financial Information Providers, and Financial Information Users participating in the network. A licensed NBFC-AA is expected to achieve live technical integration with this common framework as part of becoming operationally functional — holding the Certificate of Registration alone does not make an AA operationally useful to FIUs and FIPs; the technical onboarding to the interoperable ecosystem is what actually enables it to route consented data flows in practice.
Are there restrictions on who can be a lender on a P2P platform — can any individual lend?
RBI's P2P Master Direction sets eligibility conditions for participants — both lenders and borrowers must meet KYC requirements, and there are exposure and category restrictions on who can participate and to what extent (for instance, restrictions distinguishing individual lenders from institutional participants, and caps on total exposure per lender). The platform is responsible for verifying eligibility and enforcing exposure caps at onboarding and on an ongoing basis, not merely at the point of first registration.
What is the tenure limit for a P2P loan, and can it be extended or restructured?
RBI's P2P Master Direction prescribes a maximum tenure for loans facilitated through a P2P platform. Because this figure, like the exposure caps, is subject to periodic RBI revision, we confirm the tenure limit in force at the relevant time as part of platform design rather than relying on a figure that may have been superseded. Loan restructuring or extension on a P2P platform also needs to be handled within the platform's disclosed terms and RBI's applicable framework — it is not simply a bilateral matter between lender and borrower outside the platform's oversight.
Does PNPC only advise Indian-incorporated entities, or can a UAE-based promoter structure a P2P/AA business through PNPC?
PNPC has operating offices in Chennai, Bangalore, Hyderabad, and Dubai. For a UAE-based promoter or NRI wanting to set up an Indian NBFC-P2P or NBFC-AA entity, we coordinate the India-side incorporation, RBI licensing, and FEMA/FDI compliance from our Chennai/Bangalore/Hyderabad teams while managing the UAE-side promoter relationship and any UAE entity considerations through our Dubai office — as a single coordinated engagement rather than requiring the client to separately brief two disconnected firms.
What is a 'fit-and-proper' assessment and how strict is RBI about it in practice?
The fit-and-proper assessment is RBI's evaluation of whether the promoters, directors, and key managerial personnel of an applicant have the integrity, financial soundness, and professional competence to responsibly operate a regulated financial entity. In practice, RBI takes this assessment seriously for both P2P and AA categories given the sensitivity of the activities involved — unsecured lending intermediation and financial-data handling respectively — and a promoter with an undisclosed adverse credit history, a prior regulatory action, or unclear source of funds for their capital contribution can cause significant delay or outright rejection, even if every other part of the application is strong.
Can an NBFC-P2P platform also offer insurance, investment products, or other cross-sell financial products to its lenders and borrowers?
Cross-selling unrelated financial products on a P2P platform raises regulatory questions about whether the platform is operating within the specific, narrow scope of its P2P Certificate of Registration or has effectively expanded into other regulated activities without approval. Any cross-sell arrangement needs to be structured carefully — often through a properly disclosed, arm's-length referral relationship with a separately licensed insurance or investment entity, rather than the P2P entity itself directly offering the additional product — and reviewed against the specific conditions of the entity's CoR.
What ongoing role does PNPC play after the Certificate of Registration is issued — does the engagement end at licensing?
No. PNPC's engagement model for NBFC-P2P and NBFC-AA clients is structured as a continuing relationship, not a one-time licensing project. Post-registration, we support the statutory audit and Master-Direction-specific certification, the periodic RBI reporting calendar, policy reviews, advisory on structural changes (funding rounds, promoter changes, business-model expansion), and representation in any RBI supervisory correspondence — because a Certificate of Registration is the start of an ongoing regulated relationship with RBI, not the end of the compliance journey.
PNPC Global vs typical fintech-licensing consultants and legal-only firms
| Dimension | PNPC Global | Legal-Only Firm | Generic Licensing Consultant |
|---|---|---|---|
| Net Owned Fund certification | In-house practising CA certification, integrated with the application | Outsourced to a third-party CA, coordinated separately | Often outsourced or generic, not integrated with capital planning |
| FEMA / FDI compliance for foreign promoters | Handled as one coordinated engagement alongside the RBI licensing track | Typically handled by a separate FEMA specialist, if at all | Frequently not covered — treated as the client's separate problem |
| Post-registration statutory audit with Master Direction certification | Provided as an ongoing annual engagement by the same firm | Not typically offered — legal firms do not conduct statutory audits | Not offered — outside a licensing consultant's scope |
| Technology & policy document drafting specific to P2P/AA | Drafted specific to the actual business model, not templated | Often templated, requiring client rework before RBI submission | Varies widely by consultant experience level |
| Presence in India and UAE | Chennai, Bangalore, Hyderabad, and Dubai offices under one firm | Typically India-only, requiring a separate UAE advisor | Typically India-only |
| Engagement horizon | Pre-application through annual compliance for the life of the licence | Often ends once the CoR is issued | Almost always ends once the CoR is issued |
| Track record since | 1986 — established CA practice, not a fintech-era-only consultancy | Varies | Typically a newer entrant focused on the licensing niche alone |
What the PNPC package includes
- 01
Pre-application regulatory characterisation — confirming whether your business model requires P2P registration, AA registration, both as separate entities, or neither
- 02
Promoter and director fit-and-proper pre-assessment, run before the application is filed
- 03
Entity incorporation or existing-entity readiness review, with MoA objects drafted specific to the regulated activity
- 04
Net Owned Fund planning and Chartered Accountant certification, coordinated with the capital-infusion schedule
- 05
FEMA/FDI compliance for any foreign promoter or investor, run in parallel with the RBI application track
- 06
Complete application drafting — business plan, financial projections, and every RBI-required policy document drafted specific to your business model, not templated
- 07
Technology and information-security documentation support, coordinated with your technical team
- 08
RBI query and clarification-round management through to Certificate of Registration
- 09
Escrow/nodal account coordination (P2P) or Account Aggregator ecosystem technical onboarding support (AA)
- 10
Post-registration statutory audit with the applicable Master Direction certification, and the ongoing RBI reporting calendar, year after year
If you are building a P2P lending platform or an Account Aggregator, the licensing decision you get right — or wrong — in the first month shapes every year of regulatory standing that follows. Talk to PNPC before you draft the application, not after RBI's first query arrives.