"Grey zones aren’t no-go areas—they’re opportunities to shape future regulation through responsible experimentation. In grey zones, the worst approach is inaction. Take calculated risks, but always have an exit plan."

    You’ve built legal systems for NBFCs and digital lenders. What’s the core difference in leading legal strategy for fintech versus traditional finance?

    FinTech’s legal strategy differs fundamentally from traditional finance. The core difference lies in speed, scalability, and regulatory ambiguity.

    FinTechs operate in a dynamic environment where legal frameworks often lag behind innovation. The legal strategy must be proactive—anticipating regulatory shifts (e.g., RBI’s digital lending guidelines) while enabling rapid product iteration.

    Traditional finance relies on established precedents and slower, risk-averse compliance cycles. For FinTechs, legal teams must embed flexibility into contracts, partnerships, and tech stacks to adapt to new rules without stifling growth.

    To elaborate more, in traditional finance, legal frameworks are well-defined, with decades of case law and RBI guidelines providing clarity. Compliance is structured, slow-moving, and risk-averse. In FinTech, regulations often lag behind innovation. Companies launch products first, and regulators respond later.

    When BNPL (Buy Now, Pay Later) exploded in India, regulators initially lacked a clear stance. Later, a ban was imposed on loading PPIs via credit lines. The RBI’s digital lending guidelines were introduced to provide rules around digital lending, which include data privacy, money flow, data accessibility, and loss-sharing arrangements in case of default.

    As the head of the Legal Department, I can say we act as business partners, not gatekeepers. It’s about enabling growth while staying compliant. We don’t just say ‘no,’ we show ‘how.’

    In FinTech, with evolving rules like the DPDP Act, how do you build compliance systems that stay ahead of regulations yet fuel business growth?

    Regulatory shifts are inevitable. If you design systems with flexibility, new regulations become easier to adopt. India’s Digital Personal Data Protection (DPDP) Act introduces strict rules on consent, data storage, and breach reporting.

    A key strategy for compliance systems, particularly with laws like the DPDP Act, is principle-based design, focusing on core principles (like data minimization and consent) rather than rigid rules, which ensures adaptability.

    Well, we build systems around core principles (e.g., data minimization, consent) rather than rigid rules, ensuring adaptability. Instead of waiting for DPDP’s exact consent mechanisms, we implemented granular, user-friendly consent flows early and built consent management into the workflows. We automated data mapping and retention policies, and used AI-powered tools to detect and report breaches in real time. I worked with product teams early to embed compliance into UX (e.g., clear disclosures for RBI’s KYC norms).

    When designing compliance models especially in fintech, how do you approach ‘grey zones’ where regulation hasn’t yet caught up to innovation?

    Grey zones aren’t no-go areas—they’re opportunities to shape future regulation through responsible experimentation. In grey zones, the worst approach is inaction. Take calculated risks, but always have an exit plan.

    FinTech often operates where laws are untested or ambiguous, such as AI-based lending, crypto-assets, and cross-border data flows.

    Navigating grey zones requires a structured framework. My approach was to classify grey areas into high (e.g., cross-border data flows), medium (e.g., AI-driven credit scoring), and low risk (e.g., UI/UX tweaks) and to prioritize conservative stances in domains where the penalties for non-compliance are severe. Then, I proactively sought informal regulatory guidance, such as the RBI’s sandbox consultations and document interpretations, to mitigate enforcement risks. Wherever possible, I sought non-binding feedback or informal guidance from the regulator to avoid future clashes. On the contractual side, I drafted contracts with renegotiation triggers tied to regulatory changes (e.g., digital lending terms adjusted to new lending laws). Usually these are called fallback clauses: they include “regulatory renegotiation” triggers in contracts, allowing terms to be adjusted automatically if the laws change.

    When navigating regulatory sandboxes, how do you draw the line between innovation and premature regulatory exposure?

    Sandboxes are like flight simulators—they let you crash safely while learning what flies with regulators. Using sandboxes requires careful management and insulation. It’s important to have a predefined exit strategy with metrics for success or failure (e.g., customer complaints <1%), and to phase out experiments that attract undue scrutiny.

    Activities within the sandbox should be insulated legally by using separate contracts and limited user pools to prevent risks from spreading to the main business.

    Regulatory sandboxes (like RBI’s) allow testing innovations in a controlled environment. Use it to validate core assumptions while limiting scale to avoid reputational harm.

    Navigating cross-border regulations is critical for FinTech growth. How do you structure the same to balance compliance with global expansion goals?

    Global compliance isn’t about uniformity – it’s about maintaining core principles while respecting local nuances. Different countries have conflicting regulations—GDPR (EU) vs. DPDP (India), varying AML norms.

    Strategies include a hub-and-spoke model that centralises functions while localising critical requirements. That is, have centralised compliance functions (e.g., AML policies) but localised critical requirements (e.g., data storage under the EU’s GDPR vs. India’s DPDP). Collaborate with local regulators and fintech associations (e.g., Singapore’s MAS) to align with regional expectations. To reduce duplication where possible, use regulatory reciprocity, e.g., RBI’s MoUs with Gulf Cooperation Council (GCC) nations in areas like cross-border transactions and fintech collaboration.

    With AI and blockchain transforming FinTech, how do you see these technologies reshaping compliance, particularly data privacy, in the coming years?

    AI and blockchain will reshape compliance, moving towards automation. In five years, compliance will be fully automated—but human oversight will remain crucial for making ethical judgments.

    With the help of AI and blockchain, it is possible to monitor compliance in real-time. AI flags emerging risks (e.g., new money laundering patterns or regulatory breaches, such as unfair lending practices under the RBI’s FLDG guidelines). With the help of blockchain, immutable ledgers can automate reporting (e.g., loan disbursals recorded on-chain for RBI inspections) for audit.

    Through smart contracts and decentralised identity systems, blockchain enables automated, trustless enforcement of rules and user-controlled data sharing.

    Yet, the inherent immutability of blockchain clashes with data privacy requirements such as the “right to be forgotten”, and public blockchains raise concerns over default transparency.

    Together, AI and blockchain are driving a new wave of RegTech, offering real-time regulatory reporting, dynamic risk assessments, and verifiable consent management. Emerging technologies such as zero-knowledge proofs, federated learning, and homomorphic encryption will likely become essential in balancing compliance with privacy. As these technologies mature, regulatory bodies will increasingly demand transparent, auditable AI systems and interoperable blockchain frameworks to meet evolving global compliance standards.

    About Keshav Lahoti: 

    Keshav Lahoti is the Director – Head of Legal, Secretarial & Compliance at Indifi, a pioneering FinTech platform revolutionizing MSME lending in India. With over a decade of experience across FinTech, NBFCs, and manufacturing sectors, Keshav excels in building robust compliance frameworks and navigating complex regulatory landscapes.

    His regulatory expertise spans RBI guidelines, SEBI LODR, FEMA, FDI, KYC/AML, and the DPDP Act. He has led significant capital market initiatives, including managing an IPO and private placement fund, executing multiple funding rounds totaling ₹2,000 Crore, and overseeing debt issuances exceeding ₹1,500 Crore, including NCDs and structured instruments.

    At Indifi, Keshav has been instrumental in driving compliance automation, significantly enhancing operational efficiency. He played a pivotal role in the successful completion of an RBI audit and secured key regulatory approvals, including the RBI factoring license and the IRDA Corporate Agent license.

    Keshav has worked closely with private equity investors, Tier-1 law firms, Big 4 audit and consulting firms, government authorities, and consortium bankers, demonstrating his ability to lead high-stakes negotiations and regulatory engagements.

    A recipient of the Indifi Value Championship Leadership Award and the Legal Eagle Award, Keshav is also a respected mentor and thought leader. He actively shapes discussions around corporate governance, data privacy, and strategic legal alignment, ensuring legal strategy remains tightly integrated with business objectives and growth.
