At a glance
Fintech was heavily data-regulated before the DPDP Act existed — RBI’s KYC and digital-lending rules, PMLA record-keeping, payments-data localisation. What the Act adds is a general privacy layer with its own regulator: purpose-bound consent, enforceable customer rights, breach duties and erasure. The two regimes mostly interlock — PMLA retention is a recognised legal-obligation ground — but the traps are real: RBI compliance is not DPDP compliance, and the biggest gap in most fintechs is cross-selling on data that was collected because a regulation demanded it.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to fintech businesses; it is not formal legal advice.
The situation
A fintech’s founding paradox: you exist because you handle money-linked personal data better than incumbents, and you operate in the one sector where three regulatory regimes already reach that data. The instinct — “we did RBI-grade KYC and an ISO audit, privacy is handled” — is exactly the instinct the DPDP Act punishes, because the Act regulates something the financial rules mostly don’t: what you do with the data beyond the regulated purpose. The distance between “compliant onboarding” and “compliant business” is where fintech’s DPDP work lives.
Doesn’t RBI regulation already cover this?
No — RBI’s rules and the DPDP Act protect different things, and you answer to both. Financial regulation protects the system and the borrower: KYC integrity, lending conduct, settlement, localisation. The DPDP Act protects the person’s data as such — with its own lawful-basis requirement, its own rights (access, correction, erasure), its own breach regime and its own regulator, the Data Protection Board. Every fintech deciding why and how customer data is processed is a Data Fiduciary; your banking partners’ compliance doesn’t cover you, and yours doesn’t cover your lending service providers (LSPs) — each entity in the stack carries its own role. One more reality: businesses processing financial data at volume are natural candidates for Significant Data Fiduciary notification, which adds audits, impact assessments and a resident data protection officer (DPO) on top of everything here.
The customer data fintech actually handles
The densest per-customer data estate in consumer business — identity, money, behaviour and device, cross-linked.
- KYC and identity — Aadhaar-based or document KYC, PAN, photographs, video-KYC recordings: collected under regulatory mandate.
- Financial core — account details, transactions, balances, repayment histories, credit-bureau pulls.
- Behavioural and device data — app events, device identifiers, location where taken for KYC: the layer lending models feed on.
- Derived data — scores, risk flags, segments: data you created about a person, still their personal data.
- The partner mesh — the same customer’s data flowing between you, banks, bureaus, collection agencies and co-lending partners — every flow needing a basis and a contract.
The obligation that actually bites: purpose-binding on regulated data
Most of your data was collected because a regulation demanded it — which means the regulation’s purpose, not your growth plan, is what the data is lawfully for. KYC documents exist because RBI and the Prevention of Money-Laundering Act (PMLA) require identity verification; transaction records exist to run the account. Under the DPDP Act those collections rest comfortably on the legal-obligation ground (Section 7) — no consent theatre needed. The bite arrives at the second use:
- Cross-sell and marketing are separate purposes. Mining KYC-grade profiles and transaction histories to push loans, insurance or a partner’s products needs its own specific consent — unbundled, declinable, and not a condition of the service. This is the single most common fintech gap.
- Model-building beyond the stated purpose is a purpose too. Repayment behaviour feeding the credit model that serves the customer is one thing; the same data enriching products the customer never signed up for needs its own basis.
- Erasure meets its limits honestly. A customer’s deletion request can’t erase what PMLA’s record-keeping (five years beyond the relationship) or RBI’s KYC rules require you to hold — but it erases everything else, and the response should say precisely what was kept and under which law. “We’re regulated, we keep everything” is not that answer.
Where DPDP sits alongside RBI, PMLA and the lending rules
The regimes point the same direction — RBI’s digital-lending rules are practically a DPDP preview — and the retention rules interlock rather than conflict. If you lend digitally, you already live under data rules stricter than most sectors will ever see: need-based collection only, explicit borrower consent, no access to contacts, call logs or media files (one-time camera/mic/location access only for KYC), borrower data stored in India, and borrower rights to revoke consent and seek deletion. Meeting those is real progress toward DPDP’s minimisation and consent standards — on that slice of your data. Payments players carry RBI’s localisation mandate; everyone carries PMLA’s KYC record-keeping, which slots in as the DPDP Act’s legal-obligation ground exactly the way tax retention does for accountants. What the DPDP Act adds across the whole estate: notice quality, purpose-binding beyond the regulated purposes, rights fulfilment on a clock, breach notification to the Board and affected customers — and remember a cyber-incident also starts the Indian Computer Emergency Response Team’s (CERT-In) separate 6-hour reporting under the IT Act.
Common mistakes fintechs make
The pattern is over-confidence from partial regulation.
- “RBI-compliant, therefore compliant” — conduct rules treated as if they were the privacy law; the purposes beyond regulation left ungoverned.
- Cross-sell on KYC-grade data — mandated collection quietly repurposed into marketing reach, with no separate consent anywhere.
- The bundled onboarding consent — one “I agree” covering the account, marketing, partner sharing and bureau pulls; exactly what specific, unbundled consent rules out.
- Erasure requests answered with “we’re regulated” — a blanket refusal where the law supports only a scoped one.
- The partner mesh on thin contracts — collection agents, LSPs and analytics vendors touching customer data without terms binding security, breach notice and deletion.
- Derived data treated as house data — scores and segments about a person are still personal data, in scope for access and correction.
Collecting KYC and customer data compliantly
Onboarding decides most of it: split the mandated from the optional at the moment of collection. The KYC block runs on its regulatory basis with a plain notice; every optional purpose — marketing, partner offers, product analytics beyond service delivery — gets its own unticked opt-in, declinable without losing the service. Collect to the regulation’s list, not beyond it; log the consent record with the notice version; and route documents through your app’s own flow rather than agents’ devices. The sensitive-ID mechanics are shared across sectors — see collecting Aadhaar, PAN and KYC from customers — and your consent screens should read like the granular-consent pattern, one purpose per ask.
FAQ
We’re an RBI-regulated NBFC — does the DPDP Act add anything?
Yes: a general privacy regime with its own regulator and penalties. RBI governs your conduct and the mandated data; the DPDP Act governs every purpose beyond that — marketing, analytics, partner sharing — plus rights fulfilment, breach notification and erasure across the estate.
Can we use KYC data to offer customers other products?
Only with a separate, specific consent for that purpose — unbundled from onboarding and declinable without losing the service. Data collected under a legal mandate is lawfully held for that mandate’s purpose, not for reach.
A customer wants their data deleted, but PMLA says keep KYC five years. Who wins?
Both, scoped: retain exactly what PMLA and RBI rules require, for their periods, and erase everything else — telling the customer what was kept and under which law. Blanket refusal and blanket deletion are both wrong.
Do the digital-lending rules mean we’re already DPDP-ready?
They put you ahead on collection discipline — need-based data, no contacts/call-log access, India storage, deletion rights. DPDP still adds notice standards, purpose-binding across non-lending uses, rights on a clock, and Board-facing breach duties.
Are fintechs likely to be Significant Data Fiduciaries?
Many are strong candidates — the designation turns on factors like volume and sensitivity of data and risk to data principals, which describes fintech precisely. If notified, add a resident DPO, audits and periodic impact assessments to the plan.