RBI PPI and KYC penalties in May 2026 show why fintech founders need stronger onboarding, risk review and compliance evidence.
What happened
On 15 May 2026, reports based on RBI action said Appnit Technologies was penalised Rs. 5.8 lakh for non-compliance relating to Know Your Customer norms and Prepaid Payment Instruments. The reported issues were PPI accounts opened through Aadhaar OTP-based e-KYC continuing beyond the allowed period without the required customer identification, and the lack of systems for periodic risk review of accounts.
For fintech founders, the amount of the penalty is less important than the signal: KYC is not a one-time onboarding screen. It is an operating control that must remain live throughout the customer relationship.
Founder risk map
| Area | What can go wrong | Founder control |
|---|---|---|
| Onboarding | Customers are moved into higher-KYC products without complete verification. | Map each product journey to its required KYC tier and block unsupported upgrades. |
| Aadhaar OTP e-KYC | Limited KYC accounts stay active longer than permitted. | Build expiry triggers, alerts and forced re-KYC workflows. |
| Risk categorisation | No periodic review of customer risk levels. | Document low, medium and high-risk criteria and review cadence. |
| Evidence | Compliance exists in chat/email, not in audit-ready records. | Keep board minutes, policy approvals, logs and exception registers. |
FinTech compliance checklist for 2026
- Maintain a product-wise compliance matrix for wallet, payment, lending, card, aggregator or PPI flows.
- Record which entity is regulated, which entity is the technology provider, and which licence or partner covers the product.
- Keep KYC policy, AML policy, PMLA controls, risk categorisation and periodic review evidence updated.
- Run sample checks before investor diligence, bank partnership reviews and regulatory inspections.
- Escalate KYC exceptions to a named compliance owner, not only to the product team.
FAQs
What triggered the May 2026 fintech compliance discussion?
Recent RBI penalties against regulated financial entities, including Appnit Technologies for KYC and PPI compliance lapses, highlight the need for stronger customer identification and periodic risk-review controls.
Does an RBI monetary penalty invalidate customer transactions?
RBI penalty announcements commonly clarify that the action relates to regulatory compliance deficiencies and does not automatically question the validity of customer transactions or agreements.
