Technology, Telecommunications, and Fintech Quarterly Milestones (April-June 2025)

Partner: Jyotsna Jayaram, Senior Associate: Prabal De, Associate: Anushka Gupta

Key Developments

Securities and Exchange Board of India issues consultation paper on responsible usage of AI and machine learning in Indian securities markets

The Securities and Exchange Board of India (SEBI) has on 20 June 2025 released a consultation paper proposing guiding principles for the responsible integration of Artificial Intelligence (AI) and Machine Learning (ML) applications and models within the Indian securities market.

This consultation paper comes against the backdrop of various actions by SEBI to govern the use of AI and ML by regulated entities. In December 2024, SEBI had issued amendments to regulations governing investment advisors, requiring them to disclose the extent of their use of AI and ML to their clients. More recently, in 2025, through amendments to various regulations, SEBI had stated that the various regulated entities will be solely responsible for their use of AI and ML tools.

This consultation paper aims to set out a larger framework in relation to the use of these technologies to optimise their benefits while minimising potential risks, thereby safeguarding investor protection, market integrity, and financial stability. Key recommendations include establishing skilled internal teams for model oversight, maintaining auditability and explainability, implementing robust risk controls, and managing third-party vendor relationships. Market participants must define data governance norms and subject AI/ML systems to independent audits. SEBI has also emphasised the need for transparency, suggesting that market participants using AI/ML for customer-facing operations make certain disclosures (e.g., product features, purpose, risks) and maintain comprehensive documentation of models and input/output data for at least five years.

SEBI also highlighted the importance of fairness, mandating that AI/ML models do not discriminate and that market participants ensure high data quality, implement bias detection and removal processes, and train staff on potential data biases. Strong policies for data security, cybersecurity, and data privacy are also discussed, with investor personal data processing adhering to applicable laws. Any technical glitches or data breaches must be reported to SEBI.

SEBI had invited comments from all stakeholders on these guiding principles and the proposed tiered approach and is considering them before finalising the framework.

The consultation paper can be accessed here.

National e-Governance Division outlines non-binding business requirements for consent management system under the Digital Personal Data Protection Act, 2023

The Ministry of Electronics and Information Technology’s National e-Governance Division has, in April 2025, released the Business Requirement Document for a Consent Management System (Document). This Document acts as a guide on functional and technical requirements and considerations for entities intending to act as consent managers. These requirements are not mandatory but can serve as an important tool for organisations aiming to align their consent management systems with the Digital Personal Data Protection Act, 2023 (DPDP Act).

The Document aims to facilitate the full lifecycle of consent, including collection, validation, modification, renewal, and withdrawal, in line with the DPDP Act. It describes a user-centric platform for individuals to view, manage, and control their consent preferences and exercise their data rights, while adhering strictly to the DPDP Act’s principles, including purpose limitation, data minimisation, and secure processing of personal data.

The consent management lifecycle contemplated under the Document covers the entire process from explicit, purpose-specific consent collection (with granular options, multi-language support, and metadata logging), through real-time consent validation (checking for existence, activity, and scope alignment), to enable data principals to modify, renew, or withdraw their consent easily and with immediate effect. Other aspects include a user dashboard for managing consent history, multi-channel support (email, SMS, in-app messages, APIs) for information on consent-related activities, a grievance redressal mechanism for submitting complaints, and comprehensive immutable audit logs.

The Document is available here.

Department of Telecommunications clarifies the requirement of end-user KYC for internet telephony providers operating under the ‘Business Connection’ category

On 16 June 2025, the Department of Telecommunications (DoT) issued a clarificatory letter in respect of Know Your Customer (KYC) compliances in relation to the provision of internet telephony services. The DoT clarifies the applicability of an earlier addendum dated 31 August 2023 (Addendum, available here) issued by it, which required that all licensees providing bulk mobile numbering series for cellular mobile to enterprise customers must conduct KYC for each individual end user/end customer.

There was ambiguity regarding whether the Addendum applied only to licensees providing bulk mobile connections over the public network (such as through PSTN or PMLN lines). Through this clarificatory letter, the DoT has affirmed that this requirement also applies to licensees providing internet telephony services through bulk mobile connections. Accordingly, all licensees providing mobile connections, irrespective of whether these classify as internet-based calling, will be required to conduct the KYC of each end user.

Any breach of these instructions will be treated as a breach of the terms and conditions of the Unified License (under which these licensees are able to issue mobile numbering series) and may attract penal consequences. Entities are required to comply with these instructions within 90 days of issuance of the clarification.

The letter can be accessed here.

Supreme Court issues landmark judgment on accessibility of digital KYC for persons with disabilities

In April 2025, the Supreme Court of India delivered a judgment in Pragya Prasun & Ors. v Union of India & Ors. addressing systemic barriers in India’s digital KYC framework that impede access to essential services for persons with disabilities, including acid attack survivors and individuals with visual impairments (PwD).

The petitioners, who included acid attack survivors and blind individuals, highlighted that “liveness” checks (e.g., blinking eyes, facial recognition, reading text on screen) were inaccessible. Further, despite regulatory flexibilities (such as offline verification provisions), certain entities mandatorily enforced such digital-only inaccessible methods of KYC, effectively denying them access to various banking, telecom, insurance, pension, and investment services.

Analysing such concerns, the Supreme Court emphasised that under the Rights of Persons with Disabilities Act, 2016 (RPWD Act) and Article 21 of the Indian Constitution, it is the duty of the State and its instrumentalities to ensure that reasonable accommodations are made to uphold dignity and provide equal access to digital services for PwDs. Accordingly, the Supreme Court issued various directives – including that regulators must direct regulated entities (public or private) to follow prescribed accessibility standards and undergo periodical accessibility audits. Particularly in respect of the Reserve Bank of India, the judgement directed the issuance of guidelines applicable to all its regulated entities, requiring the adoption of alternative modes for verifying “liveness” as part of their KYC processes – beyond blinking of eyes.

The text of the judgement can be accessed here.

If you require any further information about the material contained in this newsletter, please get in touch with your Trilegal relationship partner or send an email to alerts@trilegal.com. The contents of this newsletter are intended for informational purposes only and are not in the nature of a legal opinion. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein.