Every Business is a Data Business: Applicability of DPDP Act to Non-Financial Entities

/0 Comments/in , , , , /by

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

  1. Clear and accessible privacy notices at all customer touchpoints
  2. Consent for marketing communications and behavioural profiling
  3. Data minimisation—avoiding excessive or persistent tracking
  4. Right to withdrawal and grievance redressal mechanisms
  5. Deploy consent banners for digital marketing
  6. Maintain opt-out mechanisms
  7. Train sales agents on data minimisation
  8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

  1. Obtain explicit consent for collection of identity documents and contact details
  2. Provide detailed notices explaining the purpose of collection of each category of data
  3. Securely store documentation, especially digital scans of IDs
  4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
  5. Obtain consent before collecting identity proofs
  6. Encrypt storage of buyer documentation
  7. Delete lead data after reasonable time if unconverted
  8. Update customer agreements with DPDPA disclosures
  9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

  1. Implement the highest level of security safeguards mandated under the Rules
  2. Minimise collection of data not directly required for treatment
  3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
  4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

  1. inform its representatives of the purposes for which their data will be processed,
  2. provide them with the Data Fiduciary’s privacy notice, and
  3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources:

Multi-lender LSPs – Compliance & Considerations 

/0 Comments/in , , /by

– Aditya Iyer, Manager (Legal) (finserv@vinodkothari.com)

  1. The illusion of choice – a consumer’s woe

Consider this: you’re out shopping on a Saturday afternoon for a perfect pair of jeans. You stop by a store that retails multiple brands and boasts the best variety. With a salesperson to guide you, you make your pick after careful diligence and comparison, and finally check out.  Hours later, however, you discover that certain brands were selling better trousers at a lower price point, in the very same store, but these were deliberately obscured from your vision. Now, you feel duped, hurt and confused.

It’s still the same product. However, what has changed is your ability to make an informed choice. What’s worse, indeed, is that you were made to believe that you had an informed choice. 

A sincere consumer, shopping for trousers from a multi-brand store. 

  1. Multi-lender LSPs (MLLs)

Drawing parallels from the above, in the lending space, a similar tale unfolds. There is an emerging class of platforms that operate as Multi-lender LSPs (MLLs). These MLLs undertake the sourcing function for multiple lenders against a given product. For instance, Partner ‘A’ may act as a sourcing agent via its platform for unsecured personal loans offered by Lenders X, Y, and Z. 

In this case, the consumer may be onboarded onto the platform and be under the impression that they are making an informed choice, and receiving an impartial display of all options for the given loan product. If this is indeed the case, then there is no issue. However, it is possible that due to factors including (a) certain Lender-LSP Arrangements, and (b) differences in the commission received from various lenders, the loan product of a particular lender may be pushed to the borrower. The borrower may also be influenced towards making a particular selection through the use of deceptive design practices designed to subvert their decision-making process (Dark Patterns – for more, see our resource here)

Here, the lack of choice and transparency, and insufficient disclosure in the sourcing process would be an unfair lending practice. And unlike a simple pair of trousers, here the consumer’s hard-earned money and personal finances are at stake. 

A similar tale unfolds on a multi-lender platform. 

  1. Requirements for REs under the Digital Lending Directions, 2025 
  • Para 6 of the DL Directions

In order to protect the borrower and their right to choose, the RBI vide the Digital Lending Directions, 2025 (‘DL Directions’) has prescribed additional requirements upon REs contracting with such MLLs (refer to our article on the DL Directions here). 

These requirements under Para 6 of the DL Directions are applicable upon “RE-LSP arrangements involving multiple lenders”, and pertain to: 

  • The borrower being provided a digital view of all the loan offers which meet the borrower’s requirements. 
  • A view of the unmatched lenders as well.
  • The digital view would have to include the KFS, APR, and penal charges if any of all the lenders, to display terms in a comparable manner. 
  • The content displayed should be unbiased and objective, free from the influence of any dark patterns or deceptive design practices designed to favour a given product. 

The RBI’s annual report for FY 2024-2025 also reveals that the rationale behind these additions was to mitigate risks arising out of LSPs that display the loan offers in a discretionary way, and “which seldom display all available loan offers to the borrower for making an informed choice”. These requirements were, of course, first published via the Draft Guidelines on ‘Digital Lending – Transparency in Aggregation of Loan Products for Multiple Lenders’ (our team’s views on the same may be found here).

  • Multi-lender LSP v. LSP working for multiple lenders – Is there a difference? 

Although this may not be immediately apparent from the language, the “RE-LSP arrangements involving multiple lenders” being contemplated here (in our view) are not RE-LSP arrangements where a single LSP is contracting with multiple REs, each for a separate product, but rather the MLLs described above.

For example, consider a scenario where the LSP works with Lender ‘A’ for vehicle loans, Lender ‘B’ for personal loans, Lender ‘C’ for gold loans and so on. Would this then be considered a Multi-lender LSP requiring compliance under Para 6 of the DL Directions? In our view, no. 

Here, because each borrower has only a single lender for a particular product, there is no question of their ability to choose being prejudiced, or there being a need to draw a comparison between the terms offered by multiple lenders. Hence, the requirements under Para 6 of the DL Directions would not be applicable upon REs contracting with such LSPs. 

Such requirements would only become relevant in the case where the LSP is undertaking sourcing for multiple lenders against a particular product. In such a case, because the borrower is under the impression that they have a choice, it becomes crucial to protect the borrower’s ability to make that choice (in an informed, transparent, and non-discriminatory manner). 

  1. Consumer Protection Act, 2019 

Additionally, with reference to the above scenario, under Section 2(9) of the Consumer Protection Act, the following (amongst others) have been recognised as consumer rights (upon violation of which the consumer can seek redressal): 

  • Right to be informed: “the right to be informed about the quality, quantity, potency, purity, standard and price of goods, products or services, as the case may be, so as to protect the consumer against unfair trade practices”
  • Access to competitive prices: “the right to be assured, wherever possible, access to a variety of goods, products or services at competitive prices”. 

In our view, with respect to MLLs, this may be interpreted to mean that the borrower has a right to be informed of the comparable options and to receive an impartial, unbiased, and competitive display of the terms to enable their decision-making.

Finally, it is to be noted that such MLLs, would also qualify as “E-Commerce Entities” under the Consumer Protection (E-Commerce) Rules, and the said rules inter alia cast a duty upon such entities to ensure that they do not adopt any unfair trade practice, whether in course of business on its platform, or otherwise [Rule (4)(2)]. Under the E-commerce Rules, a “marketplace e-commerce entity” is an e-commerce entity providing an information technology platform to facilitate transactions between buyers and sellers. Marketplace e-commerce entities are required to ensure that: 

  • All the details about the sellers necessary to help the buyer make an informed decision at the pre-purchase stage are “displayed prominently in an appropriate place on its platform” 

To the extent MLLs would meet this definition, they would also need to ensure the same. 

Tokenisation of Real World Assets – The Way Ahead for Creating Securities

/0 Comments/in , , , , , /by

-Subhojit Shome (subhojit@vinodkothari.com)

Introduction

The tokenisation of real-world assets (RWA) using cryptographic technology is rapidly emerging as a transformative innovation in the financial ecosystem. Note here that the term RWA refers to all traditional assets including both real assets as well as traditional financial assets that exist in the physical world. By leveraging blockchain technology, tokenisation enables the representation of tangible assets, such as real estate, commodities, and artwork, or intangible assets like intellectual property, as digital tokens on a distributed ledger. This development is reshaping the way assets are managed, traded, and accessed, creating new opportunities and challenges.

RWA tokenisation has garnered attention due to several converging factors. Blockchain technology offers a streamlined alternative to traditional systems by reducing intermediaries, lowering transaction costs, and ensuring faster settlement times. Fractional ownership of high-value assets makes them accessible to a broader range of investors, enhancing market liquidity. Blockchain’s immutable nature provides a transparent record of transactions and ownership, reducing fraud and enhancing trust. Additionally, tokenised assets are borderless, enabling seamless cross-border trading and investment opportunities.

According to market reports, the capital locked in tokenised RWA is expected to touch $50 billion by the end of 2025 surpassing all previous records. In 2024, the ecosystem had achieved a 32% annual growth rate.

In this article, we look at the impetus behind this technology, its status of adoption in India and critical issues that act as roadblocks in its development. 

Development

The tokenisation market has witnessed significant advancements in a number of areas. Real estate tokenisation has enabled properties to be tokenised for fractional ownership, reducing entry barriers for smaller investors. Similarly, commodities like gold and other precious metals have been tokenised, providing an efficient means of trading and ownership. High-value artworks and collectibles are being tokenised to allow multiple investors to own shares in masterpieces. Tokenisation has also extended into private equity and debt markets, enabling innovative funding mechanisms and the development of secondary market opportunities. Moreover, the emergence of regulated tokenisation platforms in certain developed economies (e.g. the UK) underscores the growing maturity of this market.

Figure 1: Benefits of Tokenisation of Real-World Assets using Blockchain

Fractional ownership creates liquidity in traditionally illiquid assets. It also democratises investment by enabling wider participation through reduced minimum investment thresholds. Here the emphasis is not on reduction of any regulatory investment threshold but rather, being represented in the digital world, RWA tokenisation allows infinitesimally fractional parts of an asset to be bought and sold. Cost efficiency is achieved by reducing reliance on intermediaries, which lowers transaction and administrative costs. Blockchain’s transparency increases trust and reduces fraud risks. Furthermore, smart contracts enable automation of compliance, dividend distribution, and other processes.

Process

The process of RWA tokenisation broadly involves the following steps –

Figure 2: Process of RWA tokenisation

In the tokenisation process one may note that the custody of the underlying asset is separated from the ownership of the asset. While the ownership is represented by use of tokens, the underlying asset may need to be held with a custodian ‘off-chain’ (i.e. in the physical world). 

Issues

However, tokenisation is not without challenges. Regulatory uncertainty remains a significant hurdle due to inconsistent global regulatory frameworks. Technology risks, such as cybersecurity concerns and vulnerabilities in smart contracts, could undermine trust. Market volatility is another concern, as tokens may experience higher price fluctuations compared to their underlying assets. Some tokenised assets may face illiquidity risks if the secondary markets lack sufficient depth. Additionally, legal ambiguity regarding ownership rights and the enforceability of tokenised claims persists in many jurisdictions.

Several key regulatory considerations must be addressed. Asset classification is crucial for defining whether tokenised assets are securities, commodities, payment instruments or another category altogether.

In India, regulatory uncertainty remains the key issue in the implementation of RWA tokenisation. Say, for instance, there is tokenisation of real estate in which the management of the property is overseen by the issuer or by a manager appointed by such issuer and fractional ownership units are offered for sale to retail investors. Such a transaction starts to take on the colour of a collective investment scheme and SEBI may intervene and mandate the issuer to register as such with the regulator. In the case of real estate these schemes can also be viewed as having a structure akin to a REIT especially SM REIT

The SEBI is yet to notify any regulatory prescription specifically for the purposes of regulating crypto-assets and or token offerings to the retail public and it has been reported in the press1 that the securities market regulator has informed the Parliamentary Standing Committee on Finance that regulation of crypto-assets would be difficult given the nature of technology that sustains them. In the matter of, An RTI enquiry, as referenced in the matter of Appeal No. 4532 of 2021 filed by Rohith Methayil Rajagopal, was raised with the SEBI’s CPIO as to the stand of Regulator with regard to “digital trading and possession of Cryptocurrencies by the Indian Citizens” and if SEBI had any “legal document and its date that permits digital trading of Bitcoin / Cryptocurrencies in India”. The response of the CPIO, as affirmed by the appellate authority, was that it did not have the knowledge of either matter. Based on this one can conclude that the Regulator has not, yet, formalised its stance over dealings in crypto assets. Recently, however, the Regulator has expressed an openness to a multi-regulator based oversight framework for crypto-assets.2

There have been interest shown by mutual fund houses to invest in ETFs or indices on blockchain-based projects and crypto-assets and draft scheme information documents were filed with the Regulator. SEBI, however, has expressed its reservations3 on approving such funds/ fund of funds. Highlighting high degree of regulatory uncertainty when it comes to crypto-assets which is not an ideal situation either for business houses looking to raise funds using crypto-assets or for investors who have invested in such assets.

Another major inhibitor is the tax treatment of such tokenised assets. This is because given the construct of such token it will get classified as virtual digital asset  under section 2(47A)4 of the Income Tax Act, 1961. The implication of this is that income on sale of such assets will get taxed at a flat rate of 30%. Other than the cost of acquisition, any other expenses incurred with respect to such assets are not allowed to be deducted while computing the income. Further, any loss from the transfer of such assets are also not allowed to be set-off against such income or under income computed under any provision of the act. Accordingly, such losses are also not allowed to be carried forward to any succeeding assessment years.

GIFT City

Recently, however, there has been some headway in asset tokenisation in Gujarat International Finance Tec-City (GIFT City) which may be poised to host India’s inaugural regulated platform for the tokenization of real estate and infrastructure assets. This initiative aims to democratize investment opportunities by enabling fractional ownership through digital tokens, leveraging blockchain technology to enhance liquidity and transparency in the sector. To this extent the IFSCA has constituted an ‘Expert Committee on Asset Tokenization’; the terms of reference of this committee are as follows –

  • Develop regulations and policy guidelines for tokenization of real and physical assets
  • Examine the legal validity of Smart Contracts
  • Develop a risk management framework for digital tokens
  • Examine the role of Digital Custodians in the asset tokenization model and develop operational policy measures

Conclusion

Tokenisation is a transformative technology that has the capability to change the very nature of real world assets in the way they are managed and traded. The flow of capital into this sector is an indication of the potential of this sector in contributing to the economic growth of a country. In the formation of the working group on crypto-assets to reform US digit asset regulations, the US has taken stock of this development in the market and the need to make such technologies mainstream. It is encouraging to see India’s intention to move ahead with such innovation in the GIFT City. It is now time to wait and watch whether tokenisation will find acceptance in the economic mainstream and for this to happen a clear regulatory architecture has to emerge in India.

  1. Why has the market watchdog said it is difficult to regulate such currencies? What is the status of the bill? – Article in The Hindu, June 12, 2022 ↩︎
  2. SEBI considers regulatory role in crypto trading, diverging from RBI’s approach. Here’s what experts think – Article in the Economic Times, May 17, 2024 ↩︎
  3.  Sebi says no to mutual funds for cryptos. What are your alternatives? – Article in the Economic Times, December 30, 2021 ↩︎
  4. Virtual crypto-assets as defined under Section 2(47A) of the Act means—
     any information or code or number or token (not being Indian currency or foreign currency), generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration, with the promise or representation of having inherent value, or functions as a store of value or a unit of account including its use in any financial transaction or investment, but not limited to investment scheme; and can be transferred, stored or traded electronically; a non-fungible token or any other token of similar nature, by whatever name called;
    any other crypto-asset, as the Central Government may, by notification in the Official Gazette specify. 
    However, the Central Government is empowered to exclude any crypto-asset from the definition of virtual crypto-asset by a notification in the official gazette on this behalf.
    ↩︎

Workshop on Co-lending and Loan Partnering

/0 Comments/in , , , , , /by

For registration click here: https://forms.gle/bq18tHgQb618jAcb9

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [334.23 KB]

Survival at Stake? The impact of RBI’s Norms on P2P Lending Platforms 

/0 Comments/in , , /by

Dayita Kanodia and Manisha Ghosh l finserv@vinodkothari.com

Introduction

RBI on August 16, 2024 has issued a notification for the review and modification of Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (‘Directions’) for platforms acting as intermediaries and providing an online marketplace for lending between peers. 

The review has been carried out pursuant to observations that some of these platforms have adopted certain practices which are violative of the said Directions. These practices include, among others, violation of the prescribed funds transfer mechanism, promoting peer to peer lending as an investment product with features like tenure linked assured minimum returns, providing liquidity options and at times acting like deposit takers and lenders instead of being a platform. 

Read more

Offline Payment aggregators to be under regulatory scheme: RBI proposes amendments to PA regime

/0 Comments/in , , , /by

Archisman Bhattacharjee and Manisha Ghosh I finserv@vinodkothari.com

Introduction

On April 16, 2024, the Reserve Bank of India (RBI) issued Draft Directions on the Regulation of Payment Aggregators (PAs) (‘Draft PA Directions’) serving two primary purposes:

  1. Regulating Offline PAs i.e. PAs operating at physical points of sale, an area previously not covered by existing regulations.
  2.  Amendments to the current guidelines concerning Payment Aggregators, primarily intended to extend the scope of the extant regulations to offline PAs; however, having several additionalities such as PA’s due diligence on the merchants, ongoing merchant monitoring based on business profile, disallowing payment to any other account on specific directions from the merchant etc.
Read more

Introducing Financial Services on ONDC: Opportunities & Challenges for Digital Lenders

/0 Comments/in , /by

– Shreshtha Barman | finserv@vinodkothari.com

Read more

Snippet on Regulation of Payment Aggregator – Cross Border

/0 Comments/in , , /by

Shreshtha Barman and Tejasvi Thakkar| finserv@vinodkothari.com

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [86.02 KB]

Our Resources on the topic :

  1. Understanding regulatory intricacies of Payment Aggregator business
  2. RBI to regulate operation of payment intermediaries
  3. Payment and Settlement Systems: A Primer

Digital Personal Data Protection Bill 2023:  Analysing the Impact on Digital Lenders

/0 Comments/in , , , /by

– Subhojit Shome, Assistant Manager | subhojit@vinodkothari.com

Click here to view our: Consultancy and advisory services on Digital Personal Data Protection Act, 2023 

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [1.44 MB]

Watch our Shastrartha on Digital Personal Data Protection Bill, 2023 – Analysing the impact on financial sector lender