Authentication Technology Shifts and Fintech IPO Readiness

By: Archana Balasubramanian

Payment platforms and fintech companies are transitioning from password-based authentication to passkeys, biometrics, and other device-based verification methods. This shift improves security and user experience, but it creates a specific challenge for companies preparing for public listings: existing fraud liability frameworks don’t account for the new authentication architecture.

SEBI’s scrutiny of fintech IPOs now includes detailed questions about operational risk management, fraud-loss frameworks, and customer fund protection mechanisms. The authentication technology shift affects all three areas.

Why This Matters for Public Listings

When fintech companies file draft offer documents with SEBI, they’re required to disclose material risks in their “risk factors” section. Fraud risk and operational risk qualify as material for payment platforms, digital lending businesses, and similar fintech models.

SEBI and merchant bankers evaluate these risks through specific questions:

How does the platform allocate fraud losses between itself, customers, and financial institution partners? The allocation framework determines who absorbs losses when unauthorized transactions occur.

What operational controls exist to detect and prevent fraud? This includes authentication systems, transaction monitoring, and customer verification processes.

What’s the historical fraud-loss profile, and how is it trending? Past fraud losses inform financial projections and provisioning requirements.

The authentication technology shift affects the answers to all three questions. Passkeys and biometric authentication change what “unauthorized transaction” means and who bears liability when authentication fails.

The Authentication Liability Question

Under password-based authentication, the liability framework is relatively established. If a transaction occurs using correct password credentials, there’s a rebuttable presumption that the account holder authorized it. The account holder can contest this by proving credential compromise, but the burden generally sits with the user to demonstrate unauthorized access.

Passkeys and biometric authentication shift this framework. The authentication factor is no longer “something you know” (password) but “something you are” (fingerprint, face scan) or “something you have” (device-bound cryptographic keys).

When a transaction is authenticated using biometrics, can the customer later claim it was unauthorized? What evidence would support that claim? If the biometric authentication itself fails, for example through a false-positive match, who bears the loss?

Most fintech contracts in use today don’t specifically address these scenarios. The terms were written for password-based authentication and haven’t been updated for the passkey transition.

What’s Actually in Current Contracts

Standard fintech user agreements typically allocate fraud liability through language like: “You are responsible for maintaining the confidentiality of your password” or “Transactions authenticated with your credentials are deemed authorized by you.”

This language works for password-based systems. It doesn’t clearly address biometric authentication because there’s no “confidentiality” concept for a fingerprint: it is physically inseparable from you.

Similarly, payment platform agreements with banking partners often allocate fraud losses based on where the authentication failure occurred. If the authentication process succeeded correctly but the transaction was still fraudulent, one allocation applies. If the authentication process itself was compromised, a different allocation might apply.

Passkeys and biometrics blur these lines. The authentication process might “succeed” from a technical standpoint (correct biometric match) but still represent an unauthorized transaction (if the device or biometric capture was compromised).

The contractual ambiguity creates uncertainty about loss allocation. During IPO diligence, uncertainty translates into conservative financial modeling.

The DPDP Act Layer

The Digital Personal Data Protection Act adds a regulatory dimension. Biometric data qualifies as personal data under the Act, and collecting or processing it requires specific consent and security measures.

For fintech platforms implementing biometric authentication, this creates compliance obligations:

Clear consent for biometric data collection: Users need to be informed specifically about biometric data collection and provide explicit consent. The standard “I agree to terms and conditions” checkbox might not satisfy DPDP requirements for biometric data processing, particularly where sensitive identifiers such as fingerprints or facial templates are involved.

Purpose limitation: Biometric data collected for authentication can’t be repurposed for other uses (like analytics or marketing) without separate consent. The system design and contractual architecture should reflect this limitation clearly.

Security obligations: Platforms have heightened security responsibilities for biometric data. This includes secure storage architecture, encryption at rest and in transit, strict access controls, audit trails, and incident response mechanisms. A data breach involving biometric information carries different regulatory and reputational consequences than a breach of password databases, given that biometric identifiers cannot be reset in the same way as credentials.

Data storage and retention controls: Storing biometric data requires clear retention policies, deletion protocols, and safeguards against indefinite or unnecessary storage. Companies need robust internal systems, governance frameworks, and documented technical controls to demonstrate that biometric data is stored lawfully, proportionately, and securely.

Cross-border processing: If biometric authentication happens on infrastructure outside India, there are specific data localization and transfer considerations. Contracts with cloud and authentication vendors must address regulatory expectations, transfer mechanisms, and supervisory access rights where applicable.

During IPO diligence, SEBI and merchant bankers will review DPDP compliance generally. For fintech companies, biometric authentication compliance specifically gets attention because it affects operational risk, internal control robustness, and the credibility of the company’s data governance framework.

The Account Freeze Complication

A related operational risk that’s receiving increased scrutiny is account freezes by law enforcement. The Enforcement Directorate and police cyber cells have been freezing accounts more frequently in connection with fraud investigations.

When an account is frozen, customer funds become inaccessible. For fintech platforms, this creates two specific problems:

Operational disruption: If the platform itself holds customer funds (like wallet balances), a freeze affects the platform’s ability to serve all customers, not just the investigation target. In cases where release or clarification is not secured in a timely manner, the business impact can be existential. Companies can effectively fold if access to funds or critical accounts remains blocked, particularly where liquidity cycles are tight.

Customer protection questions: How does the platform protect unrelated customer funds when enforcement action targets specific accounts? Where customers include banks or large NBFCs, even the hint of regulatory or enforcement exposure at the vendor level can trigger contractual exit rights, suspension of integrations, or heightened scrutiny. Regulated counterparties are often risk-averse; a single operational red flag can lead them to distance themselves quickly.

SEBI’s IPO scrutiny includes questions about customer fund protection mechanisms. Platforms need documented procedures for handling account freezes, segregating customer funds, and managing de-freeze processes efficiently. The ability to demonstrate ring-fencing structures, audit trails, and board-level oversight becomes critical in due diligence.

The authentication technology shift affects this indirectly. As fraud detection improves through better authentication, the profile of fraud cases changes. Law enforcement actions might increasingly target authentication compromise rather than simple credential theft. This shifts the operational risk profile that needs to be disclosed, contractually allocated, and managed within the company’s broader governance and regulatory framework.

A Practical Framework for IPO Readiness

Fintech companies can address these diligence concerns through updated contract structures and operational documentation. The goal is creating clarity about risk allocation and compliance frameworks.

Update user terms for biometric authentication: Specifically address how biometric-authenticated transactions are treated, what constitutes unauthorized use in a biometric context, and what dispute resolution process applies. This doesn’t need to shift liability entirely to users or to the platform, but it needs to make the framework clear.

Revise banking partner agreements: Update fraud-loss allocation provisions to account for authentication technology changes. Define specifically what happens when biometric authentication succeeds technically but the transaction is contested as unauthorized.

Document DPDP compliance for biometric data: Create clear consent mechanisms, security protocols, and processing documentation specific to biometric authentication. This isn’t just regulatory compliance; it’s evidence of operational maturity that diligence teams look for.

Build account freeze protocols: Document specific procedures for handling law enforcement actions, customer fund segregation, and de-freeze processes. This demonstrates that the platform has thought through operational risks rather than responding reactively.

Update fraud-loss provisioning: The authentication technology shift might change fraud-loss profiles over time. Financial projections should reflect realistic scenarios under the new authentication architecture, not just extrapolate historical data from password-based systems. The added complication of KYC obligations under the Aadhaar framework further affects loss modelling, since authentication failures, KYC disputes, or regulatory non-compliance can trigger account restrictions, reversals, penalties, or customer remediation costs that were not present in legacy credential-based environments.

The Disclosure Question

When fintech companies file draft offer documents, they need to decide what level of detail to provide about authentication technology and fraud risk.

Too little disclosure creates regulatory risk. If material operational changes aren’t discussed, SEBI might request additional information or flag incomplete disclosures.

Too much disclosure can create unnecessary investor concern, especially if the language is technical rather than commercially focused.

The right approach is describing the authentication technology transition matter-of-factly, explaining the risk allocation framework clearly, and demonstrating that operational controls and contractual structures address the identified risks. It is also relevant to consider whether infrastructure investment in authentication, security architecture, and fraud mitigation systems can be articulated as a specific object of the IPO, or whether it would need to be subsumed within a broader “general corporate purposes” bucket. The framing of use-of-proceeds disclosures may influence how comfortably these technology investments sit within the offer structure.

This works better when the underlying contracts and compliance frameworks are actually in place. Describing how fraud risk is managed is straightforward if the management framework exists. It becomes difficult if the framework is still aspirational.

Timing Considerations

For fintech companies planning IPOs in the next 12-18 months, the authentication technology transition is happening now. Most platforms are implementing or have recently implemented passkey or biometric authentication options.

The contract updates and compliance frameworks can be built in parallel with the authentication rollout. This keeps the implementation moving forward while addressing the capital markets readiness dimension.

For companies already in the IPO preparation process with draft offer documents being prepared, there’s less flexibility. The authentication framework needs to be documented as-is, even if it’s not optimal. Post-IPO updates are possible but create more complexity.

The simpler path is addressing these frameworks before the IPO process begins.

What Investors and Regulators Actually Care About

Neither SEBI nor institutional investors expect perfect fraud prevention or zero operational risk. Fintech businesses inherently involve fraud risk and operational complexity.

What they’re evaluating is whether the company has thought through the risks systematically and created frameworks to manage them. The authentication technology transition is an opportunity to demonstrate that systematic thinking.

Fintech companies that update their contractual structures, compliance frameworks, and operational protocols in parallel with the authentication rollout show operational maturity. Those that implement the technology first and address the contractual and compliance dimensions later create diligence friction.

For companies building toward public listings, the authentication shift isn’t an obstacle. It’s an opportunity to strengthen the operational foundation that SEBI and investors will evaluate.
