Introduction

India is no stranger to developing and incorporating technology within its economic framework. For instance, the country’s role in pioneering the development of key Digital Public Infrastructure (‘DPI’) technology, a common example being the Unified Payments Interface (‘UPI’), has deeply penetrated into everyday transactions bringing ease of access and financial inclusion. Now, in the age of Artificial Intelligence (‘AI’) India’s proactive, innovation-focused, yet measured stance towards AI, combined with an industry-specific regulatory approach reveals a careful legislative design based on institutional readiness keeping in mind consumer protection. This contrasts with the standalone centralised omnibus law adopted by the European Union and countries like South Korea.

Reports suggest that accelerated adoption of AI could contribute up to 500 billion USD to India’s economy by 2030. AI is well positioned to transform service delivery in the financial services sector owing to inherently data-heavy and customer-facing operations. However, the increased adoption of AI could expose risks relating to cybersecurity, data protection and algorithmic bias. For India, this translates to a requirement for a clear, comprehensive, and inclusive AI framework that outlines risk-assessment, liability allocation, and ensures adherence to high performance standards. This is especially critical for a crucial sector like financial services where safety of public funds, access to credit, and market volatility may be affected with unchecked widespread adoption of AI leading to financial stability concerns. 

This piece will first broadly examine the responses by relevant stakeholders across the financial sector to regulate the use and deployment of AI. It will then narrow its focus to an ongoing AI collaboration in India’s payments and fintech space, analysing whether the current framework is equipped to regulate ‘Agentic Commerce’. Finally, the piece proposes a two-way solution to address these fault lines: targeted regulatory amendments and stronger institutional coordination to streamline the regulation of AI within the financial services industry.

A sectoral response: RBI and SEBI

Spending on AI is set to double this year in India’s financial sectors as more institutions take the automated route. The Economic Survey 2025-26 notes a nascent but gradual transition towards AI adoption by Indian banks and financial institutions as around 21% make the shift. The RBI’s FREE-AI Committee Report introduced in late 2025 reflects this very stance of an innovation-centric approach to incorporating AI systems in the financial sector. The Report presents a relatively forward-looking stance to deal with the risks emanating from AI adoption in the financial sector while emphasising the benefits and opportunities made available with such adoption. Benefits include efficiency enhancement, increased formal finance access through non-traditional creditworthiness assessment, decrease in fraud, and improving customer experience.

Risk factors cannot be overstated, with threat to financial stability being one of the most significant concerns. This is caused by high technological penetration where more and more segments of the industry adopt AI, and through supplier concentration where a majority of banks and Fintechs adopt the same set of AI systems which amplifies any errors prevailing in these systems resulting in a systemic-level risk. The result would be ‘herding effect’, demand-supply fluctuations, and distorted asset prices. Data privacy risks arising from third-party AI partnerships raise direct concerns under the Digital Personal Data Protection Act 2023 (‘DPDP Act’), which mandates informed consent before processing personal data.

The FREE-AI Committee Report attempts to answer and safeguard against most of these risks. Reflecting a technology-agnostic stance, the Report recommends amendments to seven existing RBI Master Directions to account for AI adoption. To protect against risks like herding, the report recommends the building and integration of DPI for AI adoption and piloting through an AI innovation sandbox. In terms of liability allocation, the Regulated Entities (‘REs’) classified by the RBI remain responsible for any losses suffered by customers, but this is hedged by a new graded liability framework where first-time wrongs are waived off taking into consideration whether the RE adhered to risk-mitigation strategies like AI auditing, red-teaming, and incident-reporting. This is a meaningful step forward in allocating liability particularly when AI systems shift to a more agentic role unlike deterministic systems. The Report also stresses on the necessity of keeping a human in the loop for final decision-making functions even when adopting more advanced Agentic AI models.

SEBI’s recent circular on Algo Trading by Retail Investors (‘RIs’) creates a principal-agent relationship with stockbrokers as principals and algo providers as agents. It keeps human liability intact by virtue of this relationship where brokers will be liable when things go wrong. It also carves out a distinction on white-box and black-box algos, with the latter being opaque AI driven trading systems requiring the algo provider to maintain traceable research records. This mirrors the RBI Report on human intervention and explainability, albeit arrived independently by SEBI. While the industry-specific regulatory model has helped identify specific risks, coordination among regulators remains scattered and weak, resulting in fragmented oversight affecting both government agencies and companies. This siloed approach increases regulatory burden and uncertainty for tech businesses operating across multiple industries. For instance, a Fintech operating as both a Payment Aggregator (‘PA’) and a trading platform is simultaneously under RBI and SEBI’s governance radar. Although both regulators require explainability and maintain human accountability for AI-driven decisions, there is no streamlined compliance standard. Further, differing interpretations, thresholds, and timelines make compliance difficult and inconsistent. 

In an attempt to address this regulatory uncertainty, the Ministry of Electronics and Information Technology of India (‘MeitY’) has come up with India AI Governance Guidelines (‘AI Guidelines’) which seeks to horizontalize the sectoral findings by emulating the seven principles under RBI’s report addressing sectoral fragmentation. The AI Guidelines also address a concern touched upon before, that of rapidly evolving Agentic AI systems where self-directed autonomous systems may require rethinking current governance approaches. However, doubts remain on whether these principles are equipped to handle what is already being commercially deployed.

Pine Labs Collaboration with OpenAI: are we equipped to regulate?

Beyond banking and securities markets, the payments infrastructure space where UPI alone processed over 241 billion transactions in FY 25-26, presents an equally critical frontier for Agentic AI regulation. Yet, Payment Aggregators (“PAs“) remain outside the scope of existing AI governance efforts, including the FREE-AI Committee Report. 

India’s Fintech space is valued at USD 1.5 trillion, and banks and fintechs are shifting from software buyers to software builders. Agentic AI is rethinking workflows and fundamentally disrupts how teams work and think. Navigation-heavy mobile apps may give way for voice-based agentic services embedded in the backend workflows. In this backdrop, Pine Labs, one of India’s largest Fintech companies providing payment infrastructure is the clearest contemporary example of this regulatory gap in action. Having already deployed AI internally to autonomously handle settlement workflows that previously required manual human oversight, Pine Labs has now collaborated with OpenAI, using its API models to move beyond traditional automation to build ‘Agentic Commerce’. 

What differentiates Agentic Commerce is that it does not deal with if/then deterministic structures on which traditional Fintech systems have been built upon but adds an additional reasoning layer which changes AI functions from simple searches to delegating entire financial lifecycles within a single prompt. This enables agents to autonomously navigate complex tasks including self-negotiating supplier terms, optimising cross-border settlement cycles, and managing recurring bill payments. This intelligence is supported by Pine Labs’ security features and compliance architecture prioritising aspects of data protection, encryption, and having a human supervisor to meet stringent financial regulatory requirements.

The Pine Labs collaboration raises immediate questions about regulatory fit under the PA Master Directions. However, as per the CEO of Pine Labs, the rollout of autonomous agentic systems will move faster in overseas markets with more inclusive regulatory regimes before being adopted in the Indian market. This reveals a practical regulatory arbitrage already emerging around Agentic AI deployment.

Pine Labs, being a Fintech platform facilitating aggregation of digital payments infrastructure among other things, will be classified as a ‘Payment Aggregator’ under the 2025 RBI Master Directions Regulation of Payment Aggregator (PA Master Directions). A crucial shortcoming of the PA Master Directions is that it was developed keeping in mind traditional Fintech structures and does not accommodate the deployment of Agentic AI systems by PAs. The FREE-AI Committee Report does not include the PA Master Directions in its suggested amendments.

Under the PA Master Directions, merchant onboarding, KYC, and fund aggregation all depend on the PA’s contractual relationship with the merchant. But when Agentic Commerce takes over this function and enters into supplier agreements and executes transactions autonomously, the very notion of the contract entered into by the Agentic AI gets questioned. Contractual law requires offer, acceptance, and consideration by a human agent and AI systems fulfil none of these requirements. Under the Indian Contract Act 1872 (‘ICA’), consent must be given by a person competent to contract, which is a threshold Agentic AI cannot meet. Further, under Section 184 of the ICA, an agent must be someone of majority and of sound mind. These characteristics relating to legal personhood are not extendable to Agentic AI systems and such contracts would be liable to be scrutinised by the courts. This raises the question of whether transactions autonomously executed by Pine Labs’ agentic system constitute legally binding contracts at all. And if they do not, the liability question becomes equally challenging: is it the PA who deployed the system, the merchant who contracted with the PA, or the AI developer who built it? 

Legal commentators in common law jurisdictions have explored treating Agentic AI as a ‘constructive agent’, meaning not a legal person, but one whose actions are attributed to the human deployer for the limited purposes of contract formation and accountability. Applying this to the Indian context, which shares the same common law foundations, would place the liability on the PA as the deploying principal. But without express recognition under Indian law, this remains an open question.

The PA Master Directions themselves offer a starting point. Regulation 7 places governance responsibility squarely on the promoters and directors of the PA. Due Diligence (‘DD’) obligations under Regulation 13 make the PAs responsible for merchant onboarding, background checks, monitoring, and even FIU-IND registration for Non-bank PAs. Regulation 15 provides for limited agent-performed KYC/DD functions for Non-bank PAs with ultimate responsibility on the PA to verify and conduct DD on the agents, aligning with the RBI Report’s graded liability framework. This provision is the closest to the deployment of Agentic Commerce operations by Fintechs, as it contemplates delegated functions performed by third-party agents with accountability retained by the PA, although no direct reference to AI systems is provided. The PA Master Directions predate the FREE-AI Committee Report and were drafted keeping in mind human intermediaries as agents. This calls for a timely amendment to the PA Master Directions which the FREE-AI Committee Report misses out on. Recognition of Agentic AI under Regulation 15 and adhering to the human in the loop principle shall be the first step forward.

Regulation 9(a) of the PA Master Directions sets the baseline security standard, requiring compliance with global security standards like PCI-DSS and PCI-SSF. But this reliance is now under question as the PCI Security Standards Council has acknowledged that AI introduces risk vectors outside existing PCI-DSS controls and is developing AI-specific guidance, meaning the very standard the Directions rely on is already being outpaced by AI. Simultaneously, when an autonomous AI system processes sensitive transaction data across hundreds of thousands of merchants without discrete human decisions at each step, it becomes unclear how the DPDP Act’s consent and purpose limitation framework would be applicable to such scenarios. 

Way Forward

The Pine Labs and OpenAI collaboration is not a future scenario but a present reality that India’s regulatory architecture was not designed to handle. The immediate priority is targeted amendments to the PA Master Directions including recognising Agentic AI systems under Regulation 15, clarifying AI assisted transaction monitoring under Regulation 13(h), and explicitly addressing the consent and purpose limitation gap that the DPDP Act leaves open when autonomous systems process merchant data without discrete human decisions at each step. The FREE-AI Committee Report’s accountability and explainability principles provide the right foundation and the gap lies in their application to payment infrastructure specifically.

Beyond technical amendments, the deeper challenge is institutional. Sectoral regulators have independently arrived at similar principles including human oversight, explainability, and graded liability, but without coordination these principles will be applied inconsistently across the very workflows that Agentic AI makes seamless. The AI Governance Guidelines’ recommendation to constitute an apex inter-ministerial coordination body has been given formal effect by the recent formation of the AI Governance and Economic Group (AIGEG). A dedicated working group on Agentic AI in financial services, operating under the AIGEG framework and bringing together regulators like RBI, SEBI, IRDAI, would be a meaningful structural response to this fragmentation.

Apart from reactionary measures, a disruptive innovation like AI requires consistent monitoring and regulatory awareness, making anticipatory governance essential. Any amendments to the PA Master Directions should include sunset clauses with periodic review triggers, ensuring the framework self-updates rather than falling behind the pace of AI deployment. Additionally, requiring PAs to proactively disclose the decision boundaries and escalation protocols of deployed agentic systems to RBI before deployment embeds accountability into the architecture itself, rather than imposing it after harm occurs.

India built UPI ahead of global demand and it became a template for inclusive digital finance. The opportunity with Agentic AI governance is the same, to build frameworks that anticipate rather than lag behind deployment. Anticipatory AI governance in financial services is the next frontier.

The author is a 4th Year B.A.LLB. (Hons.) student at Gujarat National Law University, Gandhinagar.