HomeServicesFEMA & RBIPeer-to-Peer Lending & Account Aggregator Licensing

FEMA & RBI · NBFC & Financial Services Licensing

Peer-to-Peer Lending & Account Aggregator Licensing

Peer-to-Peer lending platforms and Account Aggregators are not ordinary fintech startups — they are Non-Banking Financial Companies regulated directly by the Reserve Bank of India, and both carry a Certificate of Registration requirement before a single rupee of customer money or a single byte of financial data can move through the platform.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Peer-to-Peer lending platforms and Account Aggregators are not ordinary fintech startups — they are Non-Banking Financial Companies regulated directly by the Reserve Bank of India, and both carry a Certificate of Registration requirement before a single rupee of customer money or a single byte of financial data can move through the platform. Getting the entity structure, Net Owned Fund, fit-and-proper promoter profile, and technology architecture wrong at the application stage does not just delay launch — it can mean outright rejection and a fresh application cycle. PNPC Global has advised NBFC and fintech promoters across India and the UAE since 1986 on RBI licensing, and we stay engaged from the pre-application structuring conversation through the annual compliance cycle that follows registration — not just the day the Certificate of Registration is issued.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Peer-to-Peer Lending & Account Aggregator Licensing is

An NBFC-Peer to Peer Lending Platform (NBFC-P2P) is a non-banking financial company that operates an online platform to bring individual and institutional lenders and borrowers together for unsecured personal loans, without the platform itself lending from its own books. It is regulated under the RBI Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (as amended from time to time), issued under Sections 45-IA and 45JA of the Reserve Bank of India Act, 1934. A P2P platform acts purely as an intermediary or marketplace: it matches lenders with borrowers, facilitates loan agreements, handles disbursement and repayment through escrow-style nodal/trust accounts, and earns fee-based revenue — it does not raise deposits, does not hold funds on its own balance sheet as a lender, and does not guarantee returns or provide credit enhancement to participants. Operating a P2P lending business without RBI registration is a contravention of Section 45-IA of the RBI Act, and RBI has periodically flagged unregistered digital lending apps operating disguised P2P or lending models.

An Account Aggregator (NBFC-AA) is a distinct category of non-banking financial company regulated under the RBI Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (as amended). An Account Aggregator does not lend, does not hold customer funds, and does not access, view, or store the substance of a customer's financial data — its sole regulated function is to operate a consent-based technology architecture that securely retrieves a customer's financial information from Financial Information Providers (FIPs — banks, NBFCs, insurers, mutual funds, pension funds, tax authorities and other RBI-notified categories) and transmits it, only with explicit customer consent captured through the Account Aggregator's consent artefact, to Financial Information Users (FIUs — typically lenders, wealth managers, or other regulated entities requesting the data for a specific, time-bound, revocable purpose). The Account Aggregator framework operates on the same-language, interoperable technology stack commonly referred to as the account aggregator ecosystem or the data-sharing layer of the India Stack, and every licensed Account Aggregator must be a member of, and technologically compliant with, the common technical specifications maintained by the Account Aggregator ecosystem's central registry framework.

Both categories require the operating entity to first be incorporated as a company under the Companies Act, 2013 — typically a Private Limited or Public Limited Company — and then apply to RBI for a Certificate of Registration (CoR) under Section 45-IA of the RBI Act before commencing the regulated activity. Both are subject to a prescribed minimum Net Owned Fund (NOF) requirement, a fit-and-proper assessment of promoters and directors, detailed technology and data-security architecture review, and — once registered — an ongoing compliance regime covering periodic RBI returns, statutory audit, fair practices code, grievance redressal, and information-security standards. Neither an NBFC-P2P nor an NBFC-AA can accept public deposits, and both are prohibited from cross-holding or diversifying into unrelated regulated activities without separate RBI approval — an NBFC-P2P cannot also function as an NBFC-AA (or vice versa) under the same corporate entity without RBI's explicit permission, since each licence is activity-specific under the RBI's principle of one regulated activity per NBFC licence in most cases.

The strategic reason founders pursue these licences despite the regulatory overhead is straightforward: an unregistered platform cannot legally operate the core business model at all, cannot open the escrow/nodal bank accounts that regulated P2P disbursement requires, cannot integrate with the Account Aggregator ecosystem's central registry as a live participant, and cannot represent to lenders, borrowers, banks, or FIU/FIP counterparties that it is RBI-regulated — a threshold credibility requirement in a sector where every serious counterparty (banks, NBFCs, institutional lenders) checks the RBI list of registered NBFCs before onboarding a fintech partner. PNPC's role begins well before the application is drafted: assessing whether P2P or AA (or neither) is the correct regulatory characterisation for the proposed business model, structuring the promoter and shareholding profile to clear the fit-and-proper bar, and building the NOF and capital-raise plan around RBI's current registration thresholds.

When P2P or Account Aggregator registration applies to you

You are building a digital platform that matches individual or institutional lenders with individual borrowers for unsecured personal loans, and the platform itself will not lend from its own balance sheet — this is the NBFC-P2P activity requiring RBI CoR before launch

You are building a consent-based data-sharing platform intended to pull financial information (bank statements, GST returns, tax data, insurance, investment holdings) from regulated Financial Information Providers and deliver it to lenders or other regulated Financial Information Users — this is the NBFC-AA activity, a distinct RBI licence from P2P

You are a fintech, lending, or wealthtech company evaluating whether to integrate as a Financial Information User (FIU) with an already-licensed Account Aggregator, and need advisory on the participation agreement, consent-flow compliance, and data-usage restrictions rather than a fresh AA licence yourself

You are a bank, NBFC, insurer, mutual fund, or pension fund considering onboarding as a Financial Information Provider (FIP) on the Account Aggregator network and need regulatory and technology-compliance advisory on that participation

Your existing NBFC or fintech licence does not cover the P2P or AA activity you now intend to add, and you need advisory on whether a fresh entity and fresh CoR is required, or whether an amendment/expansion of an existing licence is possible

You have promoters, directors, or a shareholding structure with foreign investment (FDI) involved in a proposed P2P or AA entity and need the FEMA/FDI sectoral-cap position clarified alongside the RBI licensing track

You are already RBI-registered as an NBFC-P2P or NBFC-AA and need ongoing compliance support — periodic RBI returns, fair practices code implementation, statutory audit coordination, or representation in an RBI inspection or query

When this is not the right licence

You are building a traditional lending business that lends from your own balance sheet (on-book lending) rather than merely matching third-party lenders and borrowers — this requires a standard NBFC-Investment and Credit Company (NBFC-ICC) registration, a different Master Direction and NOF threshold, not the P2P framework

You are a digital lending app that partners with a bank or NBFC to originate and service loans on the regulated entity's books (the loan service provider / lending service provider model) — this is governed by RBI's Digital Lending Guidelines, not the P2P Master Direction, since the platform is not itself matching P2P lenders and borrowers

You want to build a personal finance or budgeting app that only displays a user's own data back to them, with no data transmission to a third-party FIU for lending, underwriting, or wealth-advisory purposes — this may not require an AA licence at all if no regulated data-sharing to a third party is involved; a narrower data-privacy and technology advisory may be the correct engagement

You are simply looking to integrate your NBFC/bank/lending business as a consumer of Account Aggregator data (an FIU) — you do not need to become a licensed Account Aggregator yourself; you need an AA participation and consent-architecture advisory instead

Your platform is a marketplace or comparison aggregator for loan products (matching borrowers to multiple bank/NBFC loan offers, earning referral commission) without actually structuring or facilitating peer-to-peer lending agreements — this is typically a referral/DSA (Direct Selling Agent) arrangement, not a P2P NBFC activity

You do not yet have a clear, committed promoter group able to meet the fit-and-proper and Net Owned Fund thresholds RBI expects at application stage — in this scenario, a pre-application readiness assessment is the right first engagement, not a full licence application

Structure Comparison

NBFC-P2P vs NBFC-Account Aggregator vs adjacent digital-lending/fintech models

FeatureNBFC-P2PNBFC-Account AggregatorStandard NBFC (ICC/on-book lending)Digital Lending App (LSP/DLA model)
Governing frameworkRBI Master Directions – NBFC-P2P Lending Platform (Reserve Bank) Directions, 2017 (as amended)RBI Master Direction – NBFC-Account Aggregator (Reserve Bank) Directions, 2016 (as amended)RBI Master Direction – Non-Banking Financial Company (NBFC) Scale Based Regulation, 2023RBI Digital Lending Guidelines (2022, as amended) — layered on the regulated entity's own NBFC/bank licence
Core regulated activityMatching lenders and borrowers on an online platform for unsecured personal loans; no on-book lending by the platformConsent-based retrieval and transmission of financial data between FIPs and FIUs; no lending, no data storage of financial information contentLending and investment from the company's own balance sheetLoan sourcing/servicing on behalf of a regulated lender; the app itself is not usually separately RBI-licensed unless it is itself an NBFC
Certificate of Registration requiredYes — mandatory CoR from RBI under Section 45-IA before commencing businessYes — mandatory CoR from RBI under Section 45-IA before commencing businessYes — mandatory CoR under Section 45-IANot separately, if operating purely as an outsourced agent of a regulated lender; but the underlying lender must be RBI-regulated
Holds/lends own fundsNo — funds move directly between lender and borrower participants via escrow/nodal accounts; platform cannot lend from its own booksNo — never handles customer funds at all; the licence is purely data-flow, not funds-flowYes — lends from its own balance sheet, funded by owned funds and permitted borrowingsDepends on structure — typically the partner bank/NBFC lends; the app/LSP does not lend on its own book unless separately licensed
Deposit acceptanceProhibitedProhibited (not applicable — no funds handling at all)Prohibited for most NBFC categories unless specifically permitted as a Deposit-taking NBFC (NBFC-D)Not applicable to the LSP; governed by the underlying lender's own deposit status
Escrow / nodal account requirementMandatory — separate escrow accounts for lender funds pending disbursal and for borrower repayments, maintained with a bank distinct from the platform's own operating account, per RBI's prescribed structureNot applicable — no funds ever pass through an Account AggregatorNot typically applicable in the same escrow sense; governed by standard banking arrangementsEscrow arrangements may apply per Digital Lending Guidelines for loan disbursal and repayment flows through the regulated entity
Exposure/lending caps on participantsPrescribed caps apply per lender and per borrower across all P2P platforms combined, and an aggregate exposure limit for a single lender across the platform, as specified in the current P2P Master DirectionNot applicable — no lending activityGoverned by the NBFC's own prudential exposure norms under Scale Based RegulationGoverned by the underlying regulated lender's own prudential norms
Data-handling roleStandard NBFC KYC/data obligations for onboarded lenders and borrowersCore regulated function — consent architecture, data-minimisation, purpose-limitation, and non-storage of the substance of financial information transmittedStandard NBFC KYC/credit-data obligationsGoverned by Digital Lending Guidelines' data-minimisation, app-permission, and disclosure norms
Can combine with other NBFC activityGenerally restricted to the P2P activity alone under the same CoR; diversification needs RBI approvalGenerally restricted to the AA activity alone under the same CoR; an AA cannot undertake any other businessMay combine permitted activities within its classified NBFC layer under Scale Based Regulation, subject to RBI normsThe lender/NBFC side may combine other permitted NBFC activities; the LSP/app itself is typically not separately regulated
Foreign investment (FDI)Permitted under the automatic route for NBFC activities per the FDI Policy and FEMA Non-Debt Instruments Rules, subject to conditions and minimum capitalisation norms applicable to NBFC-FDI where relevantPermitted under the automatic route subject to FDI Policy conditions applicable to NBFC/financial-services activityPermitted under automatic route subject to FDI Policy conditions for the NBFC sectorGoverned by the FDI position of the underlying regulated lending entity
Primary risk if unregisteredSection 45-IA contravention; RBI can direct discontinuation, and unregistered lending-adjacent apps have been the subject of RBI public cautionary notices and enforcement actionSection 45-IA contravention; cannot legally participate in the Account Aggregator ecosystem's central registry as a live FIP/FIU counterparty without a licensed AA in the flowSection 45-IA contravention; RBI can direct winding down of unauthorised lending businessNon-compliance with Digital Lending Guidelines can result in RBI action against the regulated lending partner, indirectly shutting down the app's business model

This table is directional guidance only. The precise Net Owned Fund threshold, exposure caps, and permitted activity boundaries applicable to NBFC-P2P and NBFC-AA registrations are set out in RBI's Master Directions as amended from time to time, and RBI periodically revises these thresholds and caps. A pre-application regulatory consultation confirming the RBI norms current as of your filing date is essential before structuring capital, shareholding, or business model commitments.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Business Model & Regulatory Characterisation — Confirming P2P vs AA vs neitherBefore any application is drafted, we map the actual data flow and funds flow of your business model against RBI's Master Directions. Many fintech ideas sit in a grey zone — a lending marketplace that also wants to display aggregated financial data, or a data platform that later wants to add a lending layer. We identify which licence (or licences, requiring separate entities) the model actually needs, and flag where a proposed feature would require RBI approval to add later.Week 1–2
2Entity Structuring & Promoter Fit-and-Proper AssessmentRBI's fit-and-proper criteria examine the promoters' and proposed directors' financial soundness, integrity, and track record — including a declaration of no conviction, no history of financial default, no adverse regulatory or criminal proceedings, and demonstrable financial capacity to bring in the Net Owned Fund. We run this assessment before the application is filed, not after RBI raises a query, because a promoter-profile problem discovered mid-application is far costlier to resolve than one identified at structuring stage.Week 1–3, run in parallel with characterisation
3Company Incorporation or Existing-Entity Readiness ReviewIf starting fresh, we incorporate the Private Limited Company with MoA objects clauses specifically drafted to support the P2P or AA activity (a generic 'fintech services' object clause is often queried by RBI as insufficiently specific). If an existing company is being repurposed, we conduct a compliance and financial-history review of that entity, since RBI evaluates the applicant company's own track record, not just its promoters.Week 2–4 for fresh incorporation; 1–2 weeks for existing-entity review
4Net Owned Fund Planning & CapitalisationRBI prescribes a minimum Net Owned Fund threshold for both NBFC-P2P and NBFC-AA applicants under their respective Master Directions, computed per Section 45-IA's NOF definition (paid-up capital plus free reserves, less accumulated losses and specified intangible/deferred items). We plan the capital infusion schedule, the supporting net-worth certificate from a practising Chartered Accountant, and the source-of-funds documentation RBI expects for each contributing promoter — including FEMA compliance where any promoter or investor is a non-resident.Week 3–6, dependent on capital-infusion timeline
5Technology Architecture & Information-Security DocumentationBoth P2P and AA applications require a detailed description of the technology platform: for P2P, the loan-matching engine, escrow/nodal account integration with the partner bank, and credit-assessment methodology disclosed to lenders; for AA, the consent-architecture implementation, API integration readiness with the Account Aggregator ecosystem's central registry technical specifications, data-encryption-in-transit and non-storage compliance, and business-continuity/disaster-recovery framework. RBI's application scrutiny on the technology and data-security dimension is materially more detailed for these two categories than for a standard NBFC-ICC application.Week 4–8, run in parallel with capitalisation — this is frequently the longest workstream
6Application Drafting & Board/Shareholder DocumentationWe prepare the complete CoR application — corporate documents, business plan, projected financials for the initial years of operation, policy documents (fair practices code, IT policy, outsourcing policy, grievance redressal policy, KYC/AML policy), and the Board resolutions authorising the application and confirming the Board's oversight responsibility for the regulated activity. Every policy document is drafted specific to the P2P or AA business model — generic boilerplate policies are a common cause of RBI query rounds.Week 6–9
7Application Filing with RBIThe application is filed with the Regional Office of RBI having jurisdiction over the registered office of the applicant company, along with the prescribed application fee and the complete document set. We coordinate the physical and digital submission requirements as prescribed by the relevant Regional Office, which can have minor procedural variations.Week 9–10 for filing; RBI's own processing timeline thereafter is outside PNPC's control and depends on RBI's current caseload and query cycles
8RBI Query Handling & Clarification RoundsRBI's licensing process for both P2P and AA categories typically involves one or more rounds of written queries or clarification requests — on promoter background, capital source, technology readiness, or business-model specifics. We draft and coordinate every response, and where RBI requests a meeting or presentation on the technology architecture (common for AA applications given the ecosystem's technical interoperability requirements), we prepare the applicant team for that engagement.Varies significantly by case — RBI's query and review timeline is not fixed and should not be assumed to follow a standard duration
9Certificate of Registration (CoR) IssuanceOn RBI's satisfaction with the application, the Certificate of Registration is issued, permitting the entity to commence the regulated P2P or AA activity. The CoR often carries specific conditions — for example, a requirement to commence operations within a stipulated period, or conditions on the initial scale of operations — which we review carefully with the client before go-live.On RBI's approval — total time from initial engagement to CoR varies considerably by case and is not a fixed, guaranteed timeline
10Escrow/Nodal Account Setup (P2P) or Central Registry Onboarding (AA)For P2P: we coordinate the escrow and nodal account arrangement with a scheduled commercial bank per RBI's prescribed structure, ensuring lender-pending-disbursal funds and borrower-repayment funds are segregated as required. For AA: we coordinate the technical onboarding to the Account Aggregator ecosystem's central registry and the execution of participation agreements with FIPs and FIUs the platform intends to work with at launch.Week 1–4 post-CoR
11Pre-Launch Compliance Readiness — Policies live, systems tested, first cohort onboardingBefore go-live, we confirm the fair practices code is displayed to users as required, the grievance redressal mechanism is operational with a designated Grievance Redressal Officer, the KYC/AML programme is functioning for onboarding lenders and borrowers (P2P) or FIU/FIP participants (AA), and the RBI-prescribed disclosures are built into the user interface and onboarding flow.Week 2–6 post-CoR, run in parallel with account/registry setup
12Ongoing RBI Reporting & First Compliance CycleOnce operational, the entity moves into RBI's periodic reporting regime — including returns specific to the P2P or AA category, along with the general NBFC returns applicable under the Scale Based Regulation framework where relevant. We set up the reporting calendar from Day 1 of operations rather than waiting for the first due date to arrive.Ongoing from go-live
13Statutory Audit & Annual Compliance CertificationRBI requires the statutory auditor of a registered NBFC-P2P or NBFC-AA to report specifically on compliance with the applicable Master Direction as part of the annual audit, in addition to standard Companies Act audit requirements. We coordinate this dual-scope audit and the certifications RBI expects to be filed alongside the audited financials.Annually, aligned to the company's financial year
14Growth-Stage & Structural Change AdvisoryChange in shareholding beyond prescribed thresholds, change in control, change in directors, or any proposed diversification of activity by a registered NBFC-P2P or NBFC-AA typically requires prior RBI intimation or approval. We advise at every such inflection point — funding rounds, promoter exits, geographic expansion, or a proposed pivot in business model — so structural changes are RBI-compliant before they are executed, not after.As needed through the life of the licence

Realistic end-to-end timeline: RBI's own review and approval timeline for NBFC-P2P and NBFC-AA Certificate of Registration applications is not fixed by regulation and varies materially by case complexity, promoter profile, and RBI's current processing queue — it has historically run to several months or longer from a complete filing, and should not be assumed to follow a guaranteed duration. Pre-filing structuring, capitalisation, and technology-readiness work (Stages 1–8 above) realistically takes 3–4 months for a well-prepared applicant before the application is even filed.

Document Checklist
Corporate & Entity Documents

Certificate of Incorporation and latest Memorandum & Articles of Association, with MoA objects clause specifically covering the P2P or Account Aggregator activity

Certified copy of the Board resolution approving the application for NBFC-P2P or NBFC-AA Certificate of Registration and authorising a signatory

Shareholding pattern of the applicant company with full details of every shareholder holding shares above the threshold RBI treats as requiring fit-and-proper disclosure

Details of group companies, if any, and their business activities — RBI evaluates the promoter group's overall financial standing and regulatory history, not just the applicant entity

Audited financial statements of the applicant company for the preceding financial years (where the entity is not newly incorporated), or opening/provisional financials for a fresh incorporation

Promoter & Director Fit-and-Proper Documentation

Personal net-worth statement of each promoter and director, certified by a practising Chartered Accountant

Income-tax returns of promoters and directors for the preceding financial years

Declaration of no conviction, no pending criminal proceedings, and no history of default with any bank/financial institution, in the format prescribed by RBI

Professional background, qualifications, and prior experience of the proposed directors and key management personnel — particularly relevant for the Principal Officer/Grievance Redressal Officer roles that RBI expects to be named at application stage

Credit report / CIBIL or equivalent credit bureau report of promoters and directors where requested

Source-of-funds documentation for each promoter's contribution to the Net Owned Fund, including bank statements evidencing the capital infusion

Capital & Net Owned Fund Evidence

Net Owned Fund certificate from a practising Chartered Accountant, computed per Section 45-IA of the RBI Act as of the date specified in the application

Bank statements and share application/allotment documents evidencing that the paid-up capital has actually been received and is unencumbered

Auditor's certificate confirming no diminution in the value of investments or assets that would affect the NOF computation

For foreign shareholders contributing to capital — FDI-compliant share subscription documentation, FC-GPR filing status, and FEMA sectoral-cap confirmation for the NBFC activity

Business Plan & Financial Projections

Detailed business plan describing the proposed P2P lending model or Account Aggregator data-flow model, target customer segments, and revenue model

Projected financial statements (balance sheet, profit and loss, cash flow) for the initial years of operation post-registration

Description of the risk-management framework — for P2P, the borrower credit-assessment methodology disclosed to lenders and default-handling process; for AA, the consent-revocation and data-breach response process

Organisational structure chart showing key roles — Principal Officer, Compliance Officer, Grievance Redressal Officer, and the technology/information-security ownership within the organisation

Technology & Information Security Documentation

Technical architecture document — for P2P, the loan-matching platform, escrow/nodal account integration, and system uptime/business-continuity plan; for AA, the consent-artefact implementation and API compliance with the Account Aggregator ecosystem's central registry technical specifications

Information security policy covering data encryption in transit and at rest, access controls, and incident-response procedures

For AA applicants specifically — evidence of technical readiness to integrate with the Account Aggregator ecosystem, including any sandbox testing or certification already undertaken with empanelled technology service providers

Business continuity and disaster recovery plan, and details of data centre location and hosting arrangement (India-based hosting is generally expected for regulated financial data)

Cyber-security audit report or a commitment to conduct one, where the applicant has an operational platform already in pilot/testing

Policy Documents (Drafted Specific to the Regulated Activity)

Fair Practices Code — covering disclosure to lenders and borrowers (P2P) or to FIPs/FIUs and customers (AA), transparent fee structure, and non-discriminatory practices

KYC / Anti-Money Laundering (AML) policy for onboarding lenders, borrowers, or FIU/FIP counterparties, aligned to RBI's KYC Master Direction

Grievance Redressal policy naming a designated Grievance Redressal Officer and the escalation and turnaround-time framework for customer complaints

Outsourcing policy, where any technology, customer-service, or collections function is proposed to be outsourced to a third-party vendor

IT and data-governance policy specific to the P2P or AA activity, addressing data retention, data-minimisation (particularly critical for AA, which is prohibited from storing the substance of financial information transmitted), and third-party data-sharing restrictions

Post-Registration / Ongoing Compliance Documents

Escrow and nodal account agreement with the designated bank, evidencing segregation of lender and borrower funds (P2P only)

Participation agreements with Financial Information Providers and Financial Information Users, and evidence of live integration with the Account Aggregator ecosystem's central registry (AA only)

Periodic RBI returns applicable to the registered category, filed per the reporting calendar prescribed in the relevant Master Direction

Annual statutory audit report with the auditor's specific certification on compliance with the applicable NBFC-P2P or NBFC-AA Master Direction

Board-approved annual review of the fair practices code, IT policy, and grievance redressal mechanism, evidencing ongoing governance oversight of the regulated activity

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Pre-Application StructuringDecision to build a P2P or AA fintech businessRegulatory characterisation of the business model, promoter fit-and-proper pre-assessment, entity structuring, and Net Owned Fund capitalisation planning — all before a form is drafted.Filing an application against the wrong regulatory characterisation, or with a promoter profile that does not clear fit-and-proper scrutiny, results in query rounds or outright rejection and a costly re-application cycle.
Application & RBI ReviewComplete document set readyApplication drafting, policy-document preparation specific to the activity, technology architecture documentation, and management of RBI's query and clarification rounds through to Certificate of Registration.Generic or boilerplate policy documents and vague technology descriptions are the most common cause of extended RBI query cycles and delayed or refused registration.
Certificate of Registration IssuedRBI approvalReview of any conditions attached to the CoR, escrow/nodal account setup (P2P) or central registry onboarding (AA), and pre-launch readiness confirmation across policies, systems, and grievance mechanisms.Commencing operations before escrow arrangements or technical onboarding are actually live, or missing a condition attached to the CoR, exposes the entity to RBI supervisory action even after registration.
First Year of OperationsGo-liveReporting calendar set up from Day 1, statutory audit scope confirmed to include the applicable Master Direction certification, fair practices code and grievance mechanism operational and monitored, and KYC/AML programme functioning for every onboarded participant.Missed periodic RBI returns, an audit that omits the required regulatory certification, or a non-functioning grievance mechanism are exactly the gaps RBI supervisory inspections are designed to find.
Annual Compliance CycleFinancial year endStatutory audit with the Master-Direction-specific auditor certification, Net Owned Fund reconfirmation, Board review of policies, and filing of all periodic and annual RBI returns applicable to the registered category.NOF erosion below the prescribed threshold, or a lapsed annual return, can trigger RBI scrutiny of the entity's continued eligibility to hold the Certificate of Registration.
Funding Round or Shareholding ChangeInvestor interest, promoter exit, or capital raiseAdvisory on whether the proposed change in shareholding or control requires prior RBI intimation or approval, fit-and-proper assessment of any new promoter/director, and FEMA/FDI compliance where a foreign investor is involved.Executing a change in control or a material shareholding change without the required RBI intimation/approval can itself constitute a licence-condition breach, independent of how sound the underlying commercial transaction is.
Business Model Expansion or PivotProposed new feature or adjacent activityAssessment of whether a proposed new feature (for example, a P2P platform wanting to add data-aggregation features, or an AA wanting to add any lending-adjacent function) falls within the existing CoR's permitted activity, or requires a fresh application, a new entity, or RBI's prior approval.Both P2P and AA licences are activity-specific; operating an unapproved adjacent activity under an existing CoR is treated as operating outside the terms of the licence and can attract RBI action against the entire registration, not just the new feature.
RBI Inspection or Supervisory QueryRoutine supervision or specific complaint-driven reviewPreparation of the entity's records, representation in correspondence and meetings with RBI's supervisory department, and remediation planning for any observations raised.An unprepared or poorly documented response to an RBI supervisory query can escalate a minor observation into a formal show-cause process or, in serious cases, cancellation of the Certificate of Registration.
Frequently asked
What exactly is the difference between an NBFC-P2P and an NBFC-Account Aggregator?

They are two entirely separate RBI-regulated activities governed by two different Master Directions. An NBFC-P2P operates a marketplace that matches individual lenders with individual borrowers for unsecured personal loans — money moves between the participants through escrow accounts, and the platform earns a fee without lending from its own books. An NBFC-Account Aggregator never handles money at all — it operates a consent-based technology layer that retrieves a customer's financial data from banks, NBFCs, insurers, and other Financial Information Providers, and transmits it to a lender or other Financial Information User only with the customer's explicit, revocable consent. One is a lending marketplace; the other is a regulated data pipe. Neither can be operated under the same Certificate of Registration as the other.

Practitioner noteWe regularly meet founders who describe a business plan that blends both — a lending app that also wants to pull bank statements directly from the borrower. That is two separate regulated activities. Either you become licensed for both (as two entities, since combining them under one CoR is not how RBI structures these licences), or you build the AA-dependent data flow by integrating with an already-licensed third-party Account Aggregator as an FIU, which is a far lighter compliance lift than becoming an AA yourself.
Do I need RBI registration before I can even build and test the platform?

You can build and internally test the technology. What you cannot do is operate the regulated activity commercially — onboard real lenders and borrowers to facilitate actual P2P loans, or go live with real customer consent flows moving actual financial data to a Financial Information User — before the Certificate of Registration is issued. Operating the commercial activity without RBI registration is a contravention of Section 45-IA of the RBI Act.

Practitioner noteA pilot with a small closed group of test users, disclosed clearly as a non-commercial pilot with no real money movement, is a materially different risk position from a soft-launch that quietly onboards paying customers before the CoR arrives. We advise clients precisely on where that line sits for their specific plan.
What is the Net Owned Fund requirement for a P2P or Account Aggregator licence?

RBI prescribes a minimum Net Owned Fund threshold for both categories under their respective Master Directions, computed per the Section 45-IA definition of NOF — broadly, paid-up equity capital and free reserves, reduced by accumulated losses, deferred revenue expenditure, and certain specified intangible assets and investments in group companies. Because RBI periodically revises these thresholds, we confirm the exact figure applicable as of your specific filing date during the pre-application consultation rather than quoting a number that may already be superseded.

Practitioner noteWe deliberately do not quote a fixed rupee figure here because RBI's prescribed NOF thresholds for NBFC categories are revised from time to time, and quoting a stale number is worse than not quoting one. Ask us for the figure current as of your engagement date — it is one of the first things we confirm.
Can an existing NBFC simply add P2P or AA as an additional activity to its current licence?

Generally, no. Both NBFC-P2P and NBFC-AA are activity-specific registrations under RBI's regulatory architecture — an entity registered for one NBFC category is not automatically permitted to conduct P2P or AA activity under the same Certificate of Registration. In most cases a separate application, and often a separate corporate entity, is required. There are limited scenarios where RBI has permitted structural adjustments, but this should never be assumed without a specific regulatory consultation on the exact existing licence and the proposed new activity.

Practitioner noteWe have seen founders assume that because they already hold an NBFC-ICC licence, adding a P2P marketplace feature is a minor product update. It is not — from RBI's perspective it is an entirely new regulated activity requiring its own registration pathway. We flag this distinction at the very first conversation.
How long does the RBI approval process actually take?

There is no fixed statutory timeline that RBI guarantees for NBFC-P2P or NBFC-AA Certificate of Registration approval. In practice, the process runs through one or more rounds of RBI queries on the promoter profile, capital structure, business plan, and — particularly for these two categories — the technology and data-security architecture. The overall timeline depends heavily on how complete and well-prepared the initial application is, and on RBI's own processing queue at the time of filing.

Practitioner noteWe tell clients plainly: the biggest lever they control is the quality and completeness of the application at first filing. A well-prepared application with specific (not generic) policy documents and a clear technology architecture description materially reduces the number of query rounds, which is the single biggest driver of how long the overall process takes.
Who are Financial Information Providers (FIPs) and Financial Information Users (FIUs) in the Account Aggregator ecosystem?

A Financial Information Provider is an entity that holds a customer's financial data and is willing to share it through the Account Aggregator framework when the customer consents — typically banks, NBFCs, insurance companies, mutual funds, pension funds, and certain tax and other RBI/regulator-notified data sources. A Financial Information User is the entity requesting that data for a specific, disclosed purpose — typically a lender assessing a loan application, or a wealth manager building a consolidated view of a client's holdings, with the customer's explicit and revocable consent captured through the AA's consent artefact. The Account Aggregator itself sits in the middle as a consent-management and data-transmission conduit — it is never a FIP or FIU itself.

Practitioner noteA very common question from founders is whether they need to become a licensed AA to simply consume Account Aggregator data as a lender. They do not — becoming an FIU on an existing licensed AA's network is a participation agreement and technical integration exercise, not a fresh RBI licence. We help clients work out which side of that line their business actually needs.
Can an Account Aggregator see or store the actual financial data it transmits?

No. This is the central regulatory design principle of the AA framework. An Account Aggregator is expressly prohibited from using, retaining, or storing the substance of the financial information it transmits between an FIP and an FIU beyond what is operationally necessary for the technical transmission itself, and it cannot use the data for any purpose other than the specific consented transmission. The AA's business model is built entirely around being a data-blind conduit — its revenue comes from facilitating the consented data flow, not from having any commercial use of the data itself.

Practitioner noteThis single restriction shapes almost every architecture decision an AA applicant makes — from database design to log-retention policy. We review technology documentation specifically for language that inadvertently implies data storage or secondary use, since that is one of the fastest ways to draw a detailed RBI query on an AA application.
What are the escrow / nodal account requirements for a P2P platform?

An NBFC-P2P platform is required to route lender funds pending disbursal, and borrower repayments, through escrow accounts opened with a bank and structured such that the platform itself does not have unrestricted access to co-mingle or use these funds for its own purposes. This structure exists specifically so a P2P platform's own financial distress cannot put participant funds at risk, since the platform is a facilitator, not a custodian in the ordinary lending sense.

Practitioner noteSetting up a compliant escrow arrangement with a bank willing to service a newly-licensed NBFC-P2P is its own workstream — not every bank has a ready-made product for this, and the account structure has to match RBI's prescribed segregation requirements precisely. We coordinate this as part of the post-CoR engagement rather than leaving clients to negotiate this alone with a bank's corporate banking team.
Are there caps on how much an individual lender can lend through a P2P platform, or how much a borrower can borrow?

Yes. RBI's P2P Master Direction prescribes exposure limits — a cap on the amount a single lender can lend to a single borrower, and an aggregate cap on a single lender's total P2P lending exposure across all platforms combined, along with a maximum tenure for P2P loans. Because RBI periodically reviews and can revise these figures, we confirm the exact caps in force at the relevant time as part of platform design and lender/borrower disclosure documentation, rather than treating any previously quoted figure as permanently fixed.

Practitioner noteThese caps directly shape your platform's underwriting logic and user-facing disclosures. Building the lending limits into your technology stack based on outdated figures is a compliance gap that is expensive to retrofit — we confirm current caps before, not after, the platform's credit-limit logic is finalised.
Can foreign investors or NRIs be promoters or shareholders in an NBFC-P2P or NBFC-AA?

Foreign investment in NBFC activities, including P2P and AA categories, is generally permitted under the automatic route under India's FDI Policy and the FEMA (Non-Debt Instruments) Rules, 2019, subject to the conditions applicable to NBFC/financial-services FDI. Where foreign shareholders are involved, the standard FEMA reporting obligations — FC-GPR on the RBI FIRMS portal within the prescribed window of allotment — apply in addition to, and independently of, the NBFC licensing process itself. Foreign promoters and directors are also subject to the same fit-and-proper scrutiny as resident promoters.

Practitioner noteWe frequently structure P2P and AA applications where the founding team includes an NRI or foreign-resident co-founder, particularly given PNPC's Dubai office and UAE client base. The FEMA/FDI compliance runs on a parallel track to the RBI licensing track, and both need to be planned together from Day 1 — not sequenced as an afterthought once the CoR process is already underway.
What happens if RBI rejects the application?

RBI is not obligated to disclose detailed reasons for rejection in the way a court judgment would, though the query rounds preceding a decision typically surface the specific concerns RBI has with the application. A rejected applicant can, after addressing the underlying concerns — whether promoter profile, capital adequacy, or business-model clarity — submit a fresh application, but this means restarting substantially the entire process, including fresh fees and documentation. There is no fast-track re-application process specific to a previously rejected NBFC-P2P or NBFC-AA application.

Practitioner noteThis is exactly why we push clients to treat the pre-application fit-and-proper and technology-readiness assessment as seriously as the application itself. A rejection is not just a delay — it is months of lost time and a fresh capitalisation and documentation cycle. Getting it right the first time is materially cheaper than a second attempt.
Does a registered NBFC-P2P or NBFC-AA need a separate statutory audit process from a normal company?

Both remain subject to the standard Companies Act 2013 statutory audit requirement applicable to every company. In addition, RBI requires the statutory auditor of a registered NBFC-P2P or NBFC-AA to specifically report on the entity's compliance with the applicable Master Direction — covering matters like Net Owned Fund maintenance, adherence to prescribed exposure caps (for P2P) or data-handling restrictions (for AA), and compliance with the fair practices code and grievance redressal framework — as an addition to the standard financial-statement audit opinion.

Practitioner noteThis dual-scope audit requires an auditor genuinely familiar with the specific NBFC-P2P or NBFC-AA Master Direction, not just a general statutory auditor. We coordinate this specifically, since a generic audit opinion that omits the required Master-Direction-specific certification is itself a compliance gap that RBI can flag.
What ongoing returns does RBI require from a registered NBFC-P2P or NBFC-AA?

Registered NBFC-P2P and NBFC-AA entities are subject to periodic reporting obligations to RBI specific to their category, in addition to general returns applicable to NBFCs more broadly under the Scale Based Regulation framework where relevant to their classification. The exact return formats, frequency, and filing portal are prescribed in the respective Master Directions and RBI circulars issued from time to time. We set up the applicable reporting calendar as part of the post-registration engagement, confirmed against the current RBI reporting requirements at that time.

Practitioner noteReporting requirements for newer NBFC categories like P2P and AA have evolved as RBI has gained supervisory experience with the sector — the return formats and frequency in force today should not be assumed to be identical to what applied when the framework first launched. We keep this current for every client on retainer.
Is there a limit on how many P2P platforms a single lender can use, or is it per-platform?

The RBI-prescribed aggregate exposure cap for an individual P2P lender applies across all P2P platforms combined, not per platform in isolation — the intent is to prevent a lender from circumventing the individual exposure cap simply by spreading lending across multiple registered P2P platforms. This is enforced in part through mandatory reporting by registered P2P platforms, and lenders are expected to make accurate disclosures of their existing P2P exposure when onboarding to a new platform.

Practitioner noteThis cross-platform aggregation requirement has real implications for how a P2P platform's onboarding and disclosure flow should be designed — a lender's self-declaration of existing exposure elsewhere is a compliance control point, not a formality. We build this into the onboarding-flow advisory for P2P clients.
Can a P2P platform guarantee returns to lenders or offer any form of credit guarantee?

No. An NBFC-P2P platform is expressly prohibited from providing or arranging any credit enhancement, credit guarantee, or assured minimum return to lenders on the platform. The entire regulatory design treats the P2P platform as a facilitator of a direct lender-borrower relationship, with the credit risk sitting with the lender, not the platform. Any marketing or product feature that implies a guaranteed return or a platform-backed safety net for lenders is a direct violation of this core restriction.

Practitioner noteWe review marketing language and product-feature descriptions specifically for this issue during the pre-launch compliance readiness review — phrases like 'protected principal' or 'guaranteed returns,' even used loosely by a marketing team with no bad intent, are a serious regulatory red flag for a P2P platform.
What is the Principal Officer or Grievance Redressal Officer role RBI expects to be named?

RBI expects a registered NBFC-P2P or NBFC-AA to designate specific accountable individuals within the organisation — typically a Principal Officer responsible for regulatory and AML/KYC compliance oversight, and a Grievance Redressal Officer responsible for handling and escalating customer complaints within a defined turnaround time, whose contact details must be disclosed to customers. These are not honorary titles — RBI expects these roles to be functionally staffed and accountable, and their existence and effectiveness can be examined during a supervisory review.

Practitioner noteIn an early-stage fintech team, it is common for a founder to wear this hat informally without a documented policy backing it. We insist on this being a properly Board-approved, documented role from the pre-launch stage — not something assembled reactively when RBI or a customer complaint calls for it.
How does an Account Aggregator make money if it cannot hold or use the data it transmits?

An Account Aggregator's revenue model is typically fee-based, charging FIUs (and in some arrangements, FIPs) a transaction or subscription-based fee for facilitating each consented data-transmission event through its platform — analogous to a toll on a data pipe rather than a business built on monetising the underlying data itself. Because the AA cannot use, sell, or repurpose the data it transmits, the entire commercial model has to be built around the volume and reliability of consented data-flow transactions, not data monetisation.

Practitioner noteFounders sometimes come to an AA business plan with assumptions borrowed from data-monetisation models in unregulated sectors. We spend real time in the structuring conversation resetting this expectation early — an AA that tries to build a secondary revenue line around the data it sees is building a licence violation into its own business model.
What is the difference between a P2P platform and a Direct Selling Agent (DSA) or loan marketplace?

A DSA or loan-comparison marketplace refers borrowers to banks or NBFCs and earns a referral or origination commission — the loan itself is originated and held on the referring bank's or NBFC's own books, and the marketplace is not itself a party structuring a lender-borrower relationship. A P2P platform is fundamentally different: it structures and facilitates an actual lending relationship between an individual lender (who could be another retail customer) and a borrower, with the platform itself as the regulated intermediary for that specific transaction. This distinction is exactly why a loan-comparison website does not need P2P registration, while a platform that actually matches individual lenders to borrowers does.

Practitioner noteWe are asked this distinction often enough that it is one of the first questions we ask in a discovery call. Founders sometimes describe a DSA-style referral model using P2P terminology informally, and clarifying the actual regulated characterisation early avoids building toward the wrong licence entirely.
Does PNPC handle both the RBI licensing and the ongoing FEMA compliance if my P2P or AA platform has foreign shareholders?

Yes. PNPC's FEMA & RBI practice covers both tracks as a coordinated engagement rather than two separate workstreams handed to different specialists — the RBI Certificate of Registration process for the P2P or AA activity itself, and the FEMA/FDI compliance (FC-GPR filing, sectoral cap confirmation, downstream investment mapping if relevant) for any foreign capital in the structure. Structuring both together from Day 1 avoids a scenario where the NBFC application and the FEMA filing timeline are misaligned.

Practitioner noteWe have seen cases where a founder's FEMA filing for a funding round proceeded independently of, and out of step with, their pending NBFC licence application — creating a mismatch RBI later queried. Running both tracks under one coordinated engagement avoids this entirely.
Can an NBFC-P2P or NBFC-AA operate across India, or is it state-specific?

Once RBI issues the Certificate of Registration, the entity is authorised to operate the regulated activity across India — there is no state-specific licensing layer for the core NBFC-P2P or NBFC-AA activity itself, since RBI regulation operates at the central/national level. Other unrelated state-level registrations a company needs regardless of its NBFC status (GST registration in states of operation, professional tax, shops and establishment registration for physical offices) apply independently, in the same way they would for any company.

Practitioner noteThis national-scope feature is one of the genuine advantages of the RBI-regulated NBFC model compared to some state-licensed financial activities — a properly registered P2P or AA platform is not required to seek separate approval in each state it operates in.
What happens to customer funds or data if a licensed P2P or AA company shuts down or is deregistered?

For a P2P platform, the escrow-account structure exists specifically to protect participant funds independent of the platform's own solvency — funds in transit are held with the escrow bank per the prescribed structure, not on the platform's own balance sheet, which is intended to limit (though not necessarily eliminate) the operational disruption to lenders and borrowers if the platform itself winds down. For an AA, since it never holds or stores the substance of financial data by design, a shutdown does not create a data-retention exposure in the way it would for a data-storing business — the AA's core architecture is built to avoid exactly this risk. In both cases, an orderly wind-down still requires RBI intimation and a formal closure process, and existing participant relationships (outstanding P2P loans, active AA consent artefacts) need a documented transition plan.

Practitioner noteWe advise on wind-down planning as seriously as we advise on launch planning — an NBFC-P2P or NBFC-AA cannot simply stop operating one day without formally closing out its regulatory position with RBI, informing participants, and managing outstanding obligations in an orderly way.
How much does it cost to get an NBFC-P2P or NBFC-AA licence, including RBI fees and professional fees?

RBI charges a prescribed application fee for the Certificate of Registration process, which is a modest component compared to the overall cost of getting licence-ready — the larger costs are the Net Owned Fund capitalisation itself, technology-platform build cost, and professional fees for structuring, documentation, and RBI liaison through the query-and-approval process. Because the capitalisation requirement and RBI's fee schedule are both subject to periodic revision, and because professional fees depend on the complexity of the specific promoter structure and business model, we provide a written, case-specific fee proposal after the initial discovery conversation rather than quoting a generic figure that would not reflect your actual situation.

Practitioner noteWe deliberately avoid quoting a blanket 'this is what it costs' figure for NBFC licensing on our website, because the honest answer varies enormously by case — a straightforward domestic-promoter P2P application and a complex multi-jurisdictional AA application with foreign shareholders are simply not comparable engagements. Ask us for a written scope and fee letter; we provide one before any work begins.
Why should I engage a CA firm rather than a legal firm or a specialised fintech-licensing consultant for this?

NBFC-P2P and NBFC-AA applications sit precisely at the intersection of company law, RBI regulatory practice, FEMA/FDI compliance (where foreign capital is involved), Net Owned Fund certification (which specifically requires a practising Chartered Accountant's certificate), and ongoing statutory audit with Master-Direction-specific certification. A firm that only handles the legal drafting or only handles the technology documentation leaves the financial certification, capital-structuring, and post-registration compliance pieces to be coordinated separately — often across multiple advisors who are not talking to each other. PNPC's CA practice covers the full lifecycle: NOF certification, FEMA/FDI compliance, the RBI application process, and the annual statutory audit and compliance cycle after registration, as one coordinated engagement.

Practitioner noteWe are regularly brought in specifically for the Net Owned Fund certification and audit-certification pieces on applications that started with a legal firm handling the RBI filing itself. Coordinating this from the outset, rather than stitching two advisors together mid-process, consistently produces a cleaner application and a smoother annual compliance cycle afterward.
Can a single company hold both a P2P Certificate of Registration and an Account Aggregator Certificate of Registration?

This is not the standard structure RBI's licensing framework contemplates — each Certificate of Registration is issued for a specific NBFC activity category, and P2P and AA are distinct categories with different Master Directions, different technology and risk profiles, and different core prohibitions (an AA cannot lend or hold funds; a P2P platform's whole purpose is facilitating a lending relationship). A promoter group wanting to operate both business lines would typically need to structure them as separate corporate entities, each separately registered, rather than seeking a combined registration under one company.

Practitioner noteWe advise promoter groups with ambitions to eventually operate both a lending marketplace and a data-aggregation business to plan the corporate group structure — parent holding company with two separately regulated operating subsidiaries — from the outset, rather than trying to retrofit a single-entity structure into a dual-licence model later.
What is the role of the Reserve Bank's 'account aggregator ecosystem' central registry, and does every AA have to join it?

The Account Aggregator ecosystem operates on a common, interoperable technology framework, with a central registry maintaining the list of live, technically-compliant Account Aggregators, Financial Information Providers, and Financial Information Users participating in the network. A licensed NBFC-AA is expected to achieve live technical integration with this common framework as part of becoming operationally functional — holding the Certificate of Registration alone does not make an AA operationally useful to FIUs and FIPs; the technical onboarding to the interoperable ecosystem is what actually enables it to route consented data flows in practice.

Practitioner noteWe have seen licensed entities sit on a CoR for months without genuine commercial traction because the technical integration and onboarding to FIP/FIU counterparties was treated as an afterthought rather than a parallel workstream during the licensing process itself. We push clients to start FIP/FIU relationship-building and technical sandbox testing well before the CoR is even issued.
Are there restrictions on who can be a lender on a P2P platform — can any individual lend?

RBI's P2P Master Direction sets eligibility conditions for participants — both lenders and borrowers must meet KYC requirements, and there are exposure and category restrictions on who can participate and to what extent (for instance, restrictions distinguishing individual lenders from institutional participants, and caps on total exposure per lender). The platform is responsible for verifying eligibility and enforcing exposure caps at onboarding and on an ongoing basis, not merely at the point of first registration.

Practitioner noteThis is an area where the platform's own onboarding technology has to actively enforce compliance, not just disclose the rules to users. We review this specifically as part of the pre-launch technology and policy readiness check — a platform that discloses the caps in its terms and conditions but does not technically enforce them is not actually compliant.
What is the tenure limit for a P2P loan, and can it be extended or restructured?

RBI's P2P Master Direction prescribes a maximum tenure for loans facilitated through a P2P platform. Because this figure, like the exposure caps, is subject to periodic RBI revision, we confirm the tenure limit in force at the relevant time as part of platform design rather than relying on a figure that may have been superseded. Loan restructuring or extension on a P2P platform also needs to be handled within the platform's disclosed terms and RBI's applicable framework — it is not simply a bilateral matter between lender and borrower outside the platform's oversight.

Practitioner noteWe advise clients to build tenure and restructuring logic directly into the platform's loan-agreement templates and system rules, confirmed against current RBI norms, rather than leaving it to manual case-by-case handling — manual handling at scale is where compliance gaps quietly accumulate.
Does PNPC only advise Indian-incorporated entities, or can a UAE-based promoter structure a P2P/AA business through PNPC?

PNPC has operating offices in Chennai, Bangalore, Hyderabad, and Dubai. For a UAE-based promoter or NRI wanting to set up an Indian NBFC-P2P or NBFC-AA entity, we coordinate the India-side incorporation, RBI licensing, and FEMA/FDI compliance from our Chennai/Bangalore/Hyderabad teams while managing the UAE-side promoter relationship and any UAE entity considerations through our Dubai office — as a single coordinated engagement rather than requiring the client to separately brief two disconnected firms.

Practitioner noteEvery NBFC-P2P or NBFC-AA licence has to be held by an Indian-incorporated entity regulated by RBI — there is no route to operate this specific regulated activity through a UAE entity alone. Where we get asked this, it is usually a founder based in Dubai building for the Indian market, and the answer is: yes, the operating entity must be Indian, but we make the cross-border coordination seamless.
What is a 'fit-and-proper' assessment and how strict is RBI about it in practice?

The fit-and-proper assessment is RBI's evaluation of whether the promoters, directors, and key managerial personnel of an applicant have the integrity, financial soundness, and professional competence to responsibly operate a regulated financial entity. In practice, RBI takes this assessment seriously for both P2P and AA categories given the sensitivity of the activities involved — unsecured lending intermediation and financial-data handling respectively — and a promoter with an undisclosed adverse credit history, a prior regulatory action, or unclear source of funds for their capital contribution can cause significant delay or outright rejection, even if every other part of the application is strong.

Practitioner noteWe run an honest, sometimes uncomfortable, pre-application conversation with every promoter group about anything in their background that could surface during RBI's fit-and-proper review. Disclosing a past issue proactively, with context, in the application is a materially better position than having RBI discover it independently during its own checks.
Can an NBFC-P2P platform also offer insurance, investment products, or other cross-sell financial products to its lenders and borrowers?

Cross-selling unrelated financial products on a P2P platform raises regulatory questions about whether the platform is operating within the specific, narrow scope of its P2P Certificate of Registration or has effectively expanded into other regulated activities without approval. Any cross-sell arrangement needs to be structured carefully — often through a properly disclosed, arm's-length referral relationship with a separately licensed insurance or investment entity, rather than the P2P entity itself directly offering the additional product — and reviewed against the specific conditions of the entity's CoR.

Practitioner noteCross-sell is one of the more common 'can we just add this feature' questions we get from growing P2P clients, and it is rarely a simple yes. We review every proposed cross-sell arrangement against the entity's specific licence conditions before it is built, not after it has already launched.
What ongoing role does PNPC play after the Certificate of Registration is issued — does the engagement end at licensing?

No. PNPC's engagement model for NBFC-P2P and NBFC-AA clients is structured as a continuing relationship, not a one-time licensing project. Post-registration, we support the statutory audit and Master-Direction-specific certification, the periodic RBI reporting calendar, policy reviews, advisory on structural changes (funding rounds, promoter changes, business-model expansion), and representation in any RBI supervisory correspondence — because a Certificate of Registration is the start of an ongoing regulated relationship with RBI, not the end of the compliance journey.

Practitioner noteWe tell every NBFC client this directly at the outset: the licence is the easy part to explain and the hard part to get right; staying compliant every year after is the part that actually protects the business long-term. Clients who treat the CoR as a finish line are the ones who end up needing crisis-mode help a few years later.
Why PNPC Global

PNPC Global vs typical fintech-licensing consultants and legal-only firms

DimensionPNPC GlobalLegal-Only FirmGeneric Licensing Consultant
Net Owned Fund certificationIn-house practising CA certification, integrated with the applicationOutsourced to a third-party CA, coordinated separatelyOften outsourced or generic, not integrated with capital planning
FEMA / FDI compliance for foreign promotersHandled as one coordinated engagement alongside the RBI licensing trackTypically handled by a separate FEMA specialist, if at allFrequently not covered — treated as the client's separate problem
Post-registration statutory audit with Master Direction certificationProvided as an ongoing annual engagement by the same firmNot typically offered — legal firms do not conduct statutory auditsNot offered — outside a licensing consultant's scope
Technology & policy document drafting specific to P2P/AADrafted specific to the actual business model, not templatedOften templated, requiring client rework before RBI submissionVaries widely by consultant experience level
Presence in India and UAEChennai, Bangalore, Hyderabad, and Dubai offices under one firmTypically India-only, requiring a separate UAE advisorTypically India-only
Engagement horizonPre-application through annual compliance for the life of the licenceOften ends once the CoR is issuedAlmost always ends once the CoR is issued
Track record since1986 — established CA practice, not a fintech-era-only consultancyVariesTypically a newer entrant focused on the licensing niche alone

What the PNPC package includes

  1. 01

    Pre-application regulatory characterisation — confirming whether your business model requires P2P registration, AA registration, both as separate entities, or neither

  2. 02

    Promoter and director fit-and-proper pre-assessment, run before the application is filed

  3. 03

    Entity incorporation or existing-entity readiness review, with MoA objects drafted specific to the regulated activity

  4. 04

    Net Owned Fund planning and Chartered Accountant certification, coordinated with the capital-infusion schedule

  5. 05

    FEMA/FDI compliance for any foreign promoter or investor, run in parallel with the RBI application track

  6. 06

    Complete application drafting — business plan, financial projections, and every RBI-required policy document drafted specific to your business model, not templated

  7. 07

    Technology and information-security documentation support, coordinated with your technical team

  8. 08

    RBI query and clarification-round management through to Certificate of Registration

  9. 09

    Escrow/nodal account coordination (P2P) or Account Aggregator ecosystem technical onboarding support (AA)

  10. 10

    Post-registration statutory audit with the applicable Master Direction certification, and the ongoing RBI reporting calendar, year after year

If you are building a P2P lending platform or an Account Aggregator, the licensing decision you get right — or wrong — in the first month shapes every year of regulatory standing that follows. Talk to PNPC before you draft the application, not after RBI's first query arrives.

← Back to FEMA & RBI
Talk to a CA