{"id":159,"date":"2026-04-28T11:16:37","date_gmt":"2026-04-28T11:16:37","guid":{"rendered":"https:\/\/blog.osto.one\/?p=159"},"modified":"2026-05-05T10:13:03","modified_gmt":"2026-05-05T10:13:03","slug":"the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you","status":"publish","type":"post","link":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/","title":{"rendered":"The Indian Fintech Compliance Map: What’s Mandatory, What Kills Your License, and What Your Lawyer Won’t Tell You"},"content":{"rendered":"

Building a fintech in India means operating under more security and compliance obligations than almost any startup category in the world. RBI, SEBI, IRDAI, NPCI, CERT-In. Each has published cybersecurity frameworks that apply to different types of financial entities.<\/p>\n

Some are legally mandatory. Some become mandatory the moment something goes wrong. Some are effectively mandatory the moment you try to partner with a bank or raise institutional capital.<\/p>\n

<\/p>\n

\n

Nobody hands you this map at the start. You usually find out what’s required the hard way \u2014 during your first RBI interaction, when a sponsor bank questionnaire arrives, or when CERT-In issues a notice about an incident you didn’t know you had to report.<\/p>\n<\/div>\n

What’s mandatory today and has real teeth<\/h2>\n

<\/p>\n

\n
CERT-In Mandatory Directions \u00b7 Active since 2023<\/div>\n

Applies to every organisation operating in India with an IT infrastructure. No exceptions for size, funding stage, or registration status.<\/p>\n<\/div>\n

\n
\n 6 HRS<\/span>
\n Incident reporting window.<\/strong> Data breach, ransomware, unauthorised account access, phishing, supply chain compromise \u2014 all must be reported to CERT-In within six hours of detection. Not six hours after containment. Six hours after you first know something happened. Most companies are not ready for this.<\/span>\n <\/div>\n
\n 180 DAYS<\/span>
\n Log retention.<\/strong> All system logs \u2014 servers, applications, network devices \u2014 must be maintained for 180 days and be available within India or accessible to CERT-In on request.<\/span>\n <\/div>\n<\/div>\n

Meeting the six-hour window requires automated alerting so you know within minutes, a pre-written report template, and a named person who can file it. Companies that find out about a breach from a customer complaint on a Monday morning have already missed the window.<\/p>\n

<\/p>\n

\n\n\n\n\n\n\n
RBI Master Direction<\/th>\nWho it applies to<\/th>\nCore requirement<\/th>\n<\/tr>\n<\/thead>\n
IT Governance<\/td>\nNBFCs, payment aggregators, payment gateways, account aggregators, PPI issuers<\/td>\nBoard-approved ISP, named security officer, annual VAPT, IR plan, BCP\/DR tested annually<\/td>\n<\/tr>\n
PCI DSS<\/td>\nAny product that touches payment card data<\/td>\nAnnual penetration test \u2014 overlaps with RBI VAPT if scoped correctly<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

What’s commercially mandatory \u2014 banks will block you otherwise<\/h2>\n

There’s a category of requirements that aren’t legally mandated but become prerequisites the moment you pursue the partnerships you need to operate.<\/p>\n

Every serious sponsor bank in India \u2014 IDFC First, RBL, SBM India, Axis \u2014 has a vendor risk management programme. Before they approve you as a technology partner, they send a security questionnaire asking for: SOC 2 or ISO 27001 attestation, penetration test history and scope, data encryption standards, access control policies, and incident response procedures.<\/p>\n

<\/p>\n

\n

SOC 2 is not required by Indian law.<\/p>\n

It is commercially required by the bank you need to operate. This distinction matters because it tells you when to prioritise it \u2014 not immediately, but before your first serious bank partnership conversation starts, because the process takes nine to twelve months.<\/p>\n<\/div>\n

Some banks will accept a VAPT report plus written policies for early-stage partners, with a committed SOC 2 timeline. Get this in writing if you go that route.<\/p>\n

The DPDPA deadline that changes everything<\/h2>\n

<\/p>\n

\n
\n
\u20b9250 Cr<\/div>\n
max penalty<\/div>\n<\/p><\/div>\n
DPDPA full enforcement expected around May 2027. For a seed-stage fintech, \u20b9250 crore is an existential number.<\/div>\n<\/div>\n

For fintechs specifically, the financial data you process \u2014 bank account details, transaction histories, credit records, income information \u2014 is classified as sensitive personal data under the act, with stricter treatment than general personal data.<\/p>\n

The obligations that require building infrastructure, not just policy: mandatory security safeguards proportionate to the risk, 72-hour breach notification to the Data Protection Board, explicit consent for non-transactional data processing, and erasure rights for users.<\/p>\n

The good news: the security infrastructure that satisfies RBI’s requirements \u2014 WAF, endpoint protection, continuous monitoring, access controls \u2014 substantially overlaps with DPDPA’s security safeguard standard. One well-run security programme serves both. The new piece DPDPA adds is consent management and data rights infrastructure, which RBI compliance doesn’t address.<\/p>\n

The practical priority order<\/h2>\n

If you’re a seed-stage Indian fintech figuring out where to start, this sequence minimises existential risk while building toward the complete picture.<\/p>\n

<\/p>\n

\n
\n 1<\/span><\/p>\n
\n
Make CERT-In reporting operational first<\/div>\n
Automated alerting, a template, a named person. This eliminates a live legal exposure that costs almost nothing to address.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n 2<\/span><\/p>\n
\n
Commission a VAPT before production launch<\/div>\n
Satisfies RBI Master Direction, part of PCI DSS, and becomes your primary evidence for sponsor bank vendor reviews.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n 3<\/span><\/p>\n
\n
Document your security policies<\/div>\n
Information Security Policy, Incident Response Plan, BCP\/DR Plan. Board-approved. Three documents. Current. Reflecting reality.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n 4<\/span><\/p>\n
\n
Start your SOC 2 process when the first bank partnership conversation becomes serious<\/div>\n
Give yourself nine to twelve months.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n 5<\/span><\/p>\n
\n
Map your DPDPA obligations now<\/div>\n
What data do you collect? Where does it go? What third parties touch it? Four to six weeks of work. The foundation of everything DPDPA-related that follows.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

<\/p>\n

\n

The overlap between RBI requirements, CERT-In directions, PCI DSS, SOC 2, and DPDPA is significant. One comprehensive security programme satisfies the majority of all five simultaneously. You don’t need five separate compliance workstreams. You need one programme comprehensive enough to evidence across all five.<\/p>\n<\/blockquote>\n

<\/p>\n

This is exactly the problem Osto<\/a> is built for \u2014 one platform that runs the security infrastructure and generates the evidence across RBI, CERT-In, PCI DSS, and SOC 2 simultaneously, so Indian fintech teams aren’t managing five separate workstreams.<\/p>\n","protected":false},"excerpt":{"rendered":"

Building a fintech in India means operating under more security and compliance obligations than almost any startup category in the\u2026<\/p>\n","protected":false},"author":5,"featured_media":239,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,40],"tags":[],"class_list":["post-159","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-fintech"],"yoast_head":"\nIndian Fintech Compliance: RBI, CERT-In & DPDPA Guide<\/title>\n<meta name=\"description\" content=\"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Indian Fintech Compliance: RBI, CERT-In & DPDPA Guide\" \/>\n<meta property=\"og:description\" content=\"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\" \/>\n<meta property=\"og:site_name\" content=\"Osto\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-28T11:16:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-05T10:13:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ansh Satwani\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ansh Satwani\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\"},\"author\":{\"name\":\"Ansh Satwani\",\"@id\":\"https:\/\/www.osto.one\/resources\/#\/schema\/person\/4e82cd35cf60206ad1232e7d2d255144\"},\"headline\":\"The Indian Fintech Compliance Map: What’s Mandatory, What Kills Your License, and What Your Lawyer Won’t Tell You\",\"datePublished\":\"2026-04-28T11:16:37+00:00\",\"dateModified\":\"2026-05-05T10:13:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\"},\"wordCount\":862,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.osto.one\/resources\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png\",\"articleSection\":[\"Blog\",\"Fintech\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\",\"url\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\",\"name\":\"Indian Fintech Compliance: RBI, CERT-In & DPDPA Guide\",\"isPartOf\":{\"@id\":\"https:\/\/www.osto.one\/resources\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png\",\"datePublished\":\"2026-04-28T11:16:37+00:00\",\"dateModified\":\"2026-05-05T10:13:03+00:00\",\"description\":\"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage\",\"url\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png\",\"contentUrl\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.osto.one\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Indian Fintech Compliance Map: What’s Mandatory, What Kills Your License, and What Your Lawyer Won’t Tell You\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.osto.one\/resources\/#website\",\"url\":\"https:\/\/www.osto.one\/resources\/\",\"name\":\"Osto\",\"description\":\"Osto secures apps, networks, and endpoints with an integrated platform built for modern teams.\",\"publisher\":{\"@id\":\"https:\/\/www.osto.one\/resources\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.osto.one\/resources\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.osto.one\/resources\/#organization\",\"name\":\"Osto\",\"url\":\"https:\/\/www.osto.one\/resources\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.osto.one\/resources\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/01\/cropped-osto-blue-21-edited.png\",\"contentUrl\":\"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/01\/cropped-osto-blue-21-edited.png\",\"width\":1144,\"height\":428,\"caption\":\"Osto\"},\"image\":{\"@id\":\"https:\/\/www.osto.one\/resources\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.osto.one\/resources\/#\/schema\/person\/4e82cd35cf60206ad1232e7d2d255144\",\"name\":\"Ansh Satwani\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.osto.one\/resources\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/febb3eb0d31b99257e1d641255c28ad967bb930f531f6f2997f0bea21fd977c9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/febb3eb0d31b99257e1d641255c28ad967bb930f531f6f2997f0bea21fd977c9?s=96&d=mm&r=g\",\"caption\":\"Ansh Satwani\"},\"url\":\"https:\/\/www.osto.one\/resources\/author\/ansh\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Indian Fintech Compliance: RBI, CERT-In & DPDPA Guide","description":"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/","og_locale":"en_US","og_type":"article","og_title":"Indian Fintech Compliance: RBI, CERT-In & DPDPA Guide","og_description":"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.","og_url":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/","og_site_name":"Osto","article_published_time":"2026-04-28T11:16:37+00:00","article_modified_time":"2026-05-05T10:13:03+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png","type":"image\/png"}],"author":"Ansh Satwani","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ansh Satwani","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#article","isPartOf":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/"},"author":{"name":"Ansh Satwani","@id":"https:\/\/www.osto.one\/resources\/#\/schema\/person\/4e82cd35cf60206ad1232e7d2d255144"},"headline":"The Indian Fintech Compliance Map: What’s Mandatory, What Kills Your License, and What Your Lawyer Won’t Tell You","datePublished":"2026-04-28T11:16:37+00:00","dateModified":"2026-05-05T10:13:03+00:00","mainEntityOfPage":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/"},"wordCount":862,"commentCount":0,"publisher":{"@id":"https:\/\/www.osto.one\/resources\/#organization"},"image":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage"},"thumbnailUrl":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png","articleSection":["Blog","Fintech"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/","url":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/","name":"Indian Fintech Compliance: RBI, CERT-In & DPDPA Guide","isPartOf":{"@id":"https:\/\/www.osto.one\/resources\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage"},"image":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage"},"thumbnailUrl":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png","datePublished":"2026-04-28T11:16:37+00:00","dateModified":"2026-05-05T10:13:03+00:00","description":"Navigate India's fintech compliance landscape \u2014 RBI, SEBI, IRDAI, CERT-In, PCI DSS, and DPDPA requirements explained. Know what's legally mandatory before your first RBI interaction.","breadcrumb":{"@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#primaryimage","url":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png","contentUrl":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-May-1-2026-11_14_18-AM.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/www.osto.one\/resources\/blog\/the-indian-fintech-compliance-map-whats-mandatory-what-kills-your-license-and-what-your-lawyer-wont-tell-you\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.osto.one\/resources\/"},{"@type":"ListItem","position":2,"name":"The Indian Fintech Compliance Map: What’s Mandatory, What Kills Your License, and What Your Lawyer Won’t Tell You"}]},{"@type":"WebSite","@id":"https:\/\/www.osto.one\/resources\/#website","url":"https:\/\/www.osto.one\/resources\/","name":"Osto","description":"Osto secures apps, networks, and endpoints with an integrated platform built for modern teams.","publisher":{"@id":"https:\/\/www.osto.one\/resources\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.osto.one\/resources\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.osto.one\/resources\/#organization","name":"Osto","url":"https:\/\/www.osto.one\/resources\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.osto.one\/resources\/#\/schema\/logo\/image\/","url":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/01\/cropped-osto-blue-21-edited.png","contentUrl":"https:\/\/www.osto.one\/resources\/wp-content\/uploads\/2026\/01\/cropped-osto-blue-21-edited.png","width":1144,"height":428,"caption":"Osto"},"image":{"@id":"https:\/\/www.osto.one\/resources\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.osto.one\/resources\/#\/schema\/person\/4e82cd35cf60206ad1232e7d2d255144","name":"Ansh Satwani","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.osto.one\/resources\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/febb3eb0d31b99257e1d641255c28ad967bb930f531f6f2997f0bea21fd977c9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/febb3eb0d31b99257e1d641255c28ad967bb930f531f6f2997f0bea21fd977c9?s=96&d=mm&r=g","caption":"Ansh Satwani"},"url":"https:\/\/www.osto.one\/resources\/author\/ansh\/"}]}},"_links":{"self":[{"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/comments?post=159"}],"version-history":[{"count":1,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/posts\/159\/revisions"}],"predecessor-version":[{"id":160,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/posts\/159\/revisions\/160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/media\/239"}],"wp:attachment":[{"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/media?parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/categories?post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.osto.one\/resources\/wp-json\/wp\/v2\/tags?post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}