On February 27, 2026, Rishi Gupta, the MD and CEO of Fino Payments Bank Limited (“Fino”), a listed, payments bank regulated by the Reserve Bank of India (“RBI”), was arrested by the Directorate General of GST Intelligence (“DGGI). The arrest was effected under Section 132 of the Central Goods and Services Tax Act, 2017 and Section 132 of the State Goods and Services Tax Act, 2017, which render it a cognizable and non-bailable offence to supply goods or services without issuing a tax invoice.

The DGGI's case is that Mr. Rishi Gupta personally selected and approved three programme managers. These entities acted as intermediaries and onboarded merchants onto Fino’s payment aggregator system. All 36 of these merchant entities were found to be non-functional shell entities during the DGGI investigation. These entities allegedly processed online gaming and betting transactions without issuing GST invoices, suppressing taxable turnover on a significant scale.

Fino has maintained that the investigation concerns its independent programme managers, not the bank's own compliance. It has been argued that there is no credible evidence linking Mr. Gupta personally to the alleged fraud. On March 23, 2026, the Telangana High Court dismissed a writ petition filed by Mr. Gupta, seeking a declaration that his arrest was illegal, holding that the petitioners failed to make out any grounds for interference. The Telangana High Court noted that sufficient material had been placed on record to justify the arrest. Notably, the RBI recently approved Mr. Gupta's appointment as the MD and CEO, acting as a reminder that a clean bill of health from one regulator is no protection against the jurisdiction of another.

Fino provided the infrastructure through which transactions were processed. Within the regulated framework, the programme managers acted as merchant-facing intermediaries and were responsible for onboarding clients and managing entities. We understand that the DGGI investigation into Fino was triggered by a separate investigation into a technology service provider (“TSP”) in connection with allegations of fund diversion and tax evasion linked to illegal online gaming transactions. As investigators traced the money trail from the TSP network, Fino’s payment aggregator infrastructure was identified as the conduit through which proceeds from illegal online gaming platforms had been routed.

The investigation alleges that the merchants onboarded through this system were able to route transactions through an RBI-licensed bank without issuing invoices, filing returns, or discharging applicable tax liabilities as required under the GST Act. For Fino, these transactions appeared to be in the ordinary course of business.

The DGGI's allegation is that Fino's senior management knew, or ought to have known, that the programme managers it approved were shell entities, that the merchants onboarded behind them were not conducting genuine business, and that the transactions being processed were not accompanied by any corresponding tax compliance.

India's financial regulatory architecture distributes oversight across several independent agencies. The RBI governs banking operations, digital payments, and non-banking financial companies. The Securities and Exchange Board of India regulates listed companies and securities intermediaries, including stockbrokers and investment advisers. The Ministry of Electronics and Information Technology administers the cybersecurity and data governance framework. The Financial Intelligence Unit India (“FIU-IND”) receives and analyses suspicious and cash transaction reports under the Prevention of Money Laundering Act, 2002 (“PMLA”). The DGGI enforces indirect tax law under the CGST Act, 2017. Each agency operates pursuant to its own statutory mandate, with no formal obligation to share investigative intelligence with co-regulators in real time.

However, there are consequences of this fragmented architecture. A regulated entity may maintain a fully compliant record across multiple regulators and still face action. The RBI’s approval of Mr. Gupta's re-appointment for a three-year term was granted while the DGGI investigation was ongoing, is an illustration of this anomaly. For investors conducting diligence on fintech targets, the implication is direct: regulatory clearance from the primary sector regulator will no longer suffice. It will have to be accompanied by a revised scope of due diligence as set out below, along with appropriate protections in the transaction documents. There is no consolidated compliance window in India's financial services architecture, and legislative or regulatory intervention to create one is not imminent.

Further, technology service providers occupy a structural gap in the regulatory architecture. These TSPs are not licensed by the RBI and access regulated infrastructure contractually, through API arrangements with licensed entities. The Fino episode is centered around the conduct of programme managers and a failure to audit and monitor them. However, it also highlights a broader structural vulnerability. Where a TSP facilitates access to regulated infrastructure, it does so entirely outside the regulatory perimeter. If such a TSP been subject to the same compliance and reporting obligations as a licensed entity, the conduct it allegedly facilitated may have been visible to regulators at an earlier stage. Currently, the entire regulatory burden falls on the licensed entity.

The RBI’s (Payments Banks - Managing Risks in Outsourcing) Directions, 2025 (“Outsourcing MD”) require the regulated entity to undertake due diligence on the entities before entering into outsourcing arrangements with them. However, this diligence too, suffers from certain limitations. Most importantly, diligence exercises tend to focus primarily on the IT systems, cybersecurity, and operational resilience and may not always look at indirect tax compliance. The gap between what the Outsourcing MD require and what the Fino Bank episode demonstrates is precisely the space where the fraud was alleged to have operated.

Standard legal due diligence concentrates on the regulated entity. It typically focusses on a review of the licenses held, the regulatory correspondence, internal compliance records, and the material contracts executed by the regulated entity. While this framework is adequate for capturing risks that are visible at the level of the regulated entity, it may not adequately capture risks within the entity’s commercial ecosystem. This includes risks in the conduct of technology service providers, programme managers, and the downstream merchants those intermediaries onboard. The Fino episode makes this inadequacy concrete.

An investor relying on a clean RBI track record, a satisfactory disclosure history, and well-drafted outsourcing agreements would have found nothing in the target's regulatory file to suggest the exposure that the DGGI subsequently uncovered.

Diligence on fintech entities must now extend beyond the licensed entity to encompass the commercial ecosystem. Diligence teams must now undertake a complete review of all technology service providers, API partners, programme managers, and business correspondent relationships, along with a review of the underlying contractual arrangements. Beyond reviewing the contractual arrangements, the financial and tax diligence will also require a targeted review of the GST and indirect tax compliance of all material business partners, including registration status, invoice issuance practices, and the legitimacy of any input tax credit positions taken. All correspondence received from the DGGI, Central GST, and State GST authorities in relation to both the target and, to the extent obtainable, its principal business partners must be reviewed. An assessment of the target's FIU-IND compliance posture, including whether suspicious transaction reports and cash transaction reports are being correctly filed and whether any directions or inquiries are outstanding, is equally necessary. These are not standard components of an Indian fintech diligence exercise and will have to be included in the scope going forward.

The gap between risk identification and allocation must be bridged by the transaction documents. Representations and warranties should be expressly extended to cover the GST and indirect tax compliance of all material business partners and technology service providers, to the target's knowledge following reasonable and documented inquiry. A knowledge qualifier in this context must be understood to require that the target has genuinely investigated the position rather than merely certifying the absence of information it never sought. Warranties that do not meet this inquiry standard will not provide the investor with any meaningful protection.

Risk allocation must be reinforced through specific indemnities covering pre-closing regulatory exposure arising from third-party use of the target’s infrastructure. This must extend to GST enforcement, proceedings under the PMLA, or regulatory action triggered by a business partner’s conduct. In situations where the diligence exercise has revealed active enforcement inquiries or anomalous transaction concentrations in the partner ecosystem, deferred consideration structures or escrow arrangements linked to regulatory outcomes become essential.

Post-closing, investors will need continued visibility into this commercial ecosystem. Information rights requiring prompt notification of regulatory correspondence connected to any business partner relationship, and consent rights over the onboarding of new material technology service providers or programme managers, provide investors with a critical tool to monitor and manage a risk profile that cannot be fully assessed at the time of closing.

About the authors: Majid Afsar Siddiqi is a Partner and Anushka Shah is a Senior Associate at Lex Consult.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.