At a glance
A financial advisor’s client file is deeper than a bank’s: risk profiles, goals, family circumstances, the complete net-worth picture a suitability assessment requires. Under India’s DPDP Act, an advisory or distribution practice is a Data Fiduciary with the full duties — and the profession’s specific tension is that suitability rules require deep collection while the Act demands it stay purpose-bound: gathered for advice, used for advice, not recycled into product pushes. Regulator-mandated records keep their statutory periods; the rest of the file follows purpose and erasure.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to financial advisors, investment advisers and mutual-fund distributors; it is not formal legal advice.
The situation
Good advice runs on disclosure: to recommend well, you need the client’s income, assets, debts, dependants, health contingencies, risk appetite and goals — a fuller picture than any single institution holds. Clients give it because the relationship is personal; that’s the profession’s strength and its data problem. The file that makes you a good advisor makes you a rich target and a heavy fiduciary — and in a practice built on trust and referrals, one leaked net-worth profile costs more than any regulator’s fine. The DPDP Act mostly asks this profession to formalise what its ethics already imply.
Does DPDP apply to an advisory practice?
Yes — registered investment adviser, mutual-fund distributor, or informal one-person advisory: deciding why and how client data is used makes you a Data Fiduciary. Registration status matters to SEBI (the Securities and Exchange Board of India), not to the DPDP Act — the duties (notice, lawful basis, security, breach reporting, retention limits) attach to the data handling itself. That includes answerability for the stack around you: the back-office platform, the CRM, the KYC registration agencies you route through, the sub-brokers or staff whose phones the client files live on. A practice of one, advising forty families over WhatsApp and Excel, is fully inside the Act — with the least infrastructure and often the deepest per-client data of anyone reading this series.
The client data an advisor actually holds
Everything a suitability assessment needs — which is everything.
- KYC and identity — PAN, Aadhaar or other ID, addresses, signatures, photographs, bank details for mandates.
- The financial picture — income, bank statements, existing investments and policies, loans and liabilities, tax positions: the net worth, assembled.
- The personal layer — dependants and their ages, health considerations, inheritance situations, marriage and education plans: the context that makes advice suitable and the data that makes files sensitive.
- The profile you created — risk scores, goal plans, recommendation records: derived data, still the client’s personal data.
- Family clusters — advisory relationships run in households; one engagement often holds three generations’ data.
The personal layer deserves the pause: an advisor’s notes routinely contain facts — a dependant’s disability, a marriage under strain, an inheritance dispute — that the client has told almost no one. That’s not CRM data; that’s confidence.
The obligation that actually bites: suitability data is purpose-bound
The regulator makes you collect deeply; the DPDP Act insists the depth serves only its purpose — advice — and the gap between those is where distribution habits get caught. Suitability and appropriateness obligations mean thorough collection is required, and record-keeping rules mean much of it is retained — both comfortably lawful. The bite is downstream:
- Advice data isn’t a product-push list. The net-worth picture gathered for a financial plan doesn’t automatically license pitching every new fund launch, insurance product or portfolio-service tie-up against it. Where your practice earns on distribution, the honest structure is a separate, specific consent for marketing and product communications — unbundled from the advisory engagement, declinable without losing the advice.
- Household data multiplies consent, not access. The spouse’s salary slip shared for the family plan is the spouse’s data — a Data Principal of their own, owed their own notice, not a rider on the primary client’s file.
- Referral culture isn’t a disclosure basis. Sharing a client’s situation with a friendly CA, insurance agent or lender “to help” is a disclosure needing the client’s knowledge and basis — however warm the intent.
- Derived profiles carry rights. Risk scores and plan documents are personal data the client can seek access to and correction of; “that’s our internal assessment” doesn’t remove it from scope.
Where DPDP sits alongside SEBI’s and the industry’s rules
Securities regulation already demands KYC, suitability records and confidentiality — the DPDP Act adds the general privacy machinery and covers the practice beyond the regulated core. Registered advisers operate under SEBI’s framework: mandated KYC through the official registration infrastructure, suitability documentation, multi-year record maintenance, codes of conduct that include client confidentiality. Distributors carry the industry’s own KYC and conduct norms. All of that mandated collection and retention rests on the DPDP Act’s legal-obligation ground (Section 7) for its periods — the familiar reconciliation: statutory records stay, each hold traceable to the rule requiring it. What the Act adds: a regulator for the data itself (the Data Protection Board), enforceable client rights (access, correction, erasure of what no rule requires), breach notification duties, and coverage of everything the securities rules don’t reach — the marketing list, the referral pipeline, the prospect notes, the website’s lead form.
Common mistakes advisory practices make
Trust-economy habits, unexamined.
- The WhatsApp file room — statements, KYC and plan documents living in chat threads per client, on every device the practice touches.
- Distribution on advisory data — fund launches and insurance pitches blasted at the client base because the file says who can afford what; no separate consent anywhere.
- The household shortcut — spouses’ and parents’ data collected and used with no notice to them, as if the primary client’s signature covered the family.
- Referral-network sharing — client situations discussed with CAs, agents and lenders without the client’s knowledge.
- The immortal prospect list — years of leads and half-engagements, kept because “advisory is a long game,” with no consent trail and no schedule.
- Excel as infrastructure — the full client book, net worths included, in an unprotected spreadsheet that’s been emailed at least once.
Collecting client financials compliantly
Engagement onboarding is your point of collection — split the mandated, the advisory and the optional there. A plain notice at engagement covering what’s collected and why; the regulated KYC block on its statutory footing; the suitability collection tied explicitly to the advisory purpose; and any marketing or product-communication consent as its own unticked, declinable ask. Documents flow through one controlled channel — not the chat default — and household members’ data gets its own minimal notice. The mechanics are the professional-intake standard: see secure client document collection for professionals, and pattern the ask on the document-request template. Your clients, meanwhile, are reading guides that tell them to mask statements, question over-collection and chase deletion — an advisor whose intake already looks like that answer is running a referral asset, not a compliance cost.
FAQ
I’m a small MF distributor, not a registered adviser — does this apply to me?
Yes — the DPDP Act attaches to handling client data, not to your registration category. Distribution practices hold KYC, bank details and financial profiles, which is fiduciary territory in full.
Can I pitch new products to clients whose finances I already know?
With a separate, specific consent for marketing — unbundled from the advisory engagement and declinable without losing it. Using suitability data as a targeting list without that consent is the profession’s most common DPDP gap.
A client’s spouse shares documents for the family plan — whose consent do I need?
The spouse’s — they’re a Data Principal in their own right, owed their own notice. Household advisory works fine under the Act; it just can’t treat one signature as covering the family.
How long do I keep client records after an engagement ends?
Regulator-mandated records for their required periods — that’s a legal-obligation ground. Everything beyond the mandate (working notes, duplicate documents, the WhatsApp copies) follows purpose and erasure: schedule it, delete it, and tell the client what’s retained under which rule if they ask.
What should I fix first in a small practice?
The channel and the spreadsheet: move client files out of chat threads and unprotected Excel into one access-controlled store. It’s a weekend’s work, it’s most of your breach risk, and every other duty gets easier once the data is in one governed place.