If you run a fintech in India today, you are answering to two regulatory regimes that were not designed to talk to each other. The Reserve Bank of India has spent years building a data governance framework through KYC Directions, Digital Lending Guidelines, the Account Aggregator architecture, and payment data localisation mandates. The DPDP Act 2023 arrived with its own vocabulary, its own obligations, and its own enforcement body. Neither framework references the other in any meaningful way.
The result is a compliance landscape where following one set of rules does not automatically satisfy the other. Your KYC data retention obligations under RBI directions directly conflict with the DPDP Act's data minimisation principle. Your Account Aggregator consent architecture, built to RBI specifications, may not meet the DPDP Act's standard for "free, specific, informed, and unconditional" consent. And your breach notification timelines now answer to three different clocks.
I have spoken to compliance leads at over a dozen Indian fintechs over the past six months, from lending platforms processing ten thousand loan applications a month to payment aggregators handling crores of daily transactions. The consistent message: they know both frameworks exist. They do not know where the boundaries are, and they are terrified of getting caught in the gap. For a cross-sector comparison of how these obligations stack up against other industries, see our DPDP compliance by industry guide.
Key Takeaways
- Indian fintechs must comply with both the DPDP Act 2023 and sector-specific RBI regulations simultaneously. Neither supersedes the other.
- RBI KYC Directions require retaining customer records for at least five years after account closure. The DPDP Act requires deletion once the purpose is fulfilled. Fintechs must implement purpose-tagged retention to satisfy both.
- Payment system data must be stored exclusively in India under RBI mandates. The DPDP Act permits cross-border transfers unless a country is blacklisted by the Central Government. For payment data, the RBI's stricter rule prevails.
- Digital Lending Apps face the most granular data access restrictions: no access to contact lists, call logs, or media files under RBI's Digital Lending Directions 2025.
- Breach notification involves three authorities: CERT-In (6 hours), the Data Protection Board of India (72 hours under DPDP), and RBI's incident reporting framework. Missing any one is a separate violation.
- The Account Aggregator consent framework and the DPDP consent framework share principles but differ in execution. Compliance with one does not guarantee compliance with the other.
Who Qualifies as a Data Fiduciary in Fintech?
Under the DPDP Act 2023, any entity that determines the purpose and means of processing personal data is a Data Fiduciary. In fintech, this covers a wide range of entities:
- Banks and NBFCs processing loan applications, account data, and transaction histories
- Payment aggregators and payment gateway operators handling transaction data, merchant information, and payer details
- Digital lending platforms (including Lending Service Providers and Digital Lending Apps)
- Insurance distribution platforms processing policyholder data
- Wealth management and broking platforms handling investor portfolios and KYC records
- Account Aggregators facilitating consented data sharing between Financial Information Providers and Financial Information Users
- UPI-based apps processing transaction and user data
Each of these is independently a Data Fiduciary with full obligations under Section 8 of the DPDP Act, on top of whatever RBI, SEBI, or IRDAI regulations already apply to them. The compliance burden is additive, not substitutive.
Large fintechs processing data at significant scale may also be designated as Significant Data Fiduciaries, which triggers additional obligations including appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments, and submitting to independent audits.
Where Do RBI and DPDP Rules Overlap?
The good news, if you can call it that, is that several RBI frameworks already push fintechs toward practices the DPDP Act now mandates. The overlap is real, and fintechs that took RBI compliance seriously have a head start.
| Compliance Area | RBI Framework | DPDP Act 2023 | Alignment |
|---|---|---|---|
| Consent for data collection | Digital Lending Directions 2025: explicit, free, informed, auditable consent required | Section 6: free, specific, informed, unconditional consent with clear affirmative action | Strong overlap; DPDP adds "unconditional" and "clear affirmative action" requirements |
| Purpose limitation | Digital Lending Guidelines: data used only for purposes communicated to borrower | Section 4: personal data processed only for lawful purpose for which consent was given | Near-identical principle |
| Data minimisation | Digital Lending Directions: collect only data necessary for disclosed purpose | Section 4(2), read with Section 6: collect only data necessary for the specified purpose | Aligned in principle |
| Privacy policy disclosure | RBI mandates transparent privacy policies on RE and LSP websites | Section 5: notice to Data Principal before or at the time of processing | DPDP requires proactive notice, not just website publication |
| Data localisation | Payment data must be stored in India (RBI circular, April 2018); borrower data localisation under Digital Lending Directions | Section 16: cross-border transfers permitted unless country is blacklisted | RBI is stricter; RBI rules prevail for payment and lending data |
| Breach reporting | RBI incident reporting to respective regulatory department | Section 8(6): notify DPBI and each affected Data Principal within 72 hours | Separate obligations; both must be fulfilled |
Where Do RBI and DPDP Rules Conflict?
This is where fintech compliance teams earn their salaries. Three areas of genuine tension exist between the two frameworks, and as of March 2026, no regulatory guidance has resolved them.
The Data Retention Conflict
This is the most discussed conflict in the industry, and for good reason.
RBI's position: The KYC Master Direction requires regulated entities to maintain records of transactions and customer identification data for a minimum of five years after the business relationship has ended. For suspicious transaction reports, records must be maintained for five years from the date of the transaction. Anti-Money Laundering (AML) directions reinforce these retention periods.
DPDP's position: Section 8(7) of the DPDP Act 2023 states that personal data must be erased once the purpose for which it was collected is fulfilled, or when the Data Principal withdraws consent, unless retention is "necessary for compliance with any law." The DPDP Rules 2025 reinforce that Data Fiduciaries must erase data when consent is withdrawn or the purpose is fulfilled, subject to a reasonable time period determined by the Data Fiduciary.
The resolution, for now: The DPDP Act's own carve-out in Section 8(7), "necessary for compliance with any law," provides the legal basis for retaining data as required by RBI directions. But the practical implementation is not straightforward. You cannot retain all customer data indefinitely just because some of it has a regulatory retention requirement.
Here is what compliance teams at the fintechs I have spoken to are doing:
- Purpose-tagging every data field at the point of collection. KYC data gets tagged with the RBI retention requirement. Marketing consent data gets tagged with the DPDP purpose.
- Building automated deletion workflows that trigger erasure for DPDP-governed data when the purpose is fulfilled, while preserving RBI-mandated records in a separate, access-restricted store.
- Documenting the legal basis for every retention decision. If a Data Principal exercises their right to erasure, the fintech must be able to point to the specific RBI direction that requires continued retention of specific data fields.
The Cross-Border Data Transfer Conflict
RBI's position: Payment system data must be stored exclusively within India. The Digital Lending Directions 2025 add that if borrower data is processed outside India, it must be deleted from foreign servers and returned to India within 24 hours.
DPDP's position: Section 16 of the DPDP Act 2023 permits cross-border data transfers to any country unless the Central Government specifically restricts transfers to that country. As of March 2026, no country has been blacklisted.
For fintechs, RBI's data localisation mandate is the binding constraint. The DPDP Act's more permissive framework does not override sector-specific RBI rules. A payment aggregator using a cloud provider with servers outside India for processing (even if storage is local) must still ensure compliance with RBI's data localisation mandate, regardless of what the DPDP Act permits.
The Consent Architecture Conflict
The Account Aggregator framework has a sophisticated consent architecture built into it. Consent Artifacts specify the purpose, duration, frequency, and scope of data sharing. Financial Information Users receive data only within the parameters of the consent artifact.
The DPDP Act's consent requirements under Section 6 share the same philosophy but introduce additional requirements:
- Withdrawal must be as easy as giving consent (Section 6(4)). The AA framework allows revocation, but the DPDP Act requires the withdrawal mechanism to be equally convenient, not buried in settings.
- Consent must be "unconditional." If an AA-based service requires consent to all data sharing as a precondition for using the service, this may violate the DPDP Act's "unconditional" requirement. Bundled consent is a red flag.
- The Data Principal must receive a clear notice (Section 5) before consent is obtained. AA consent artifacts are designed for machine-readability; the DPDP Act requires plain-language, human-readable notices.
No fintech I have spoken to has fully resolved this. The working approach is to layer a DPDP-compliant notice and consent flow on top of the AA consent architecture, treating them as separate but coordinated compliance exercises.
What Are the Specific Rules for Digital Lending Apps?
The RBI's Digital Lending Directions 2025 impose the most granular data access restrictions in Indian fintech regulation. These are worth understanding in detail because they interact with DPDP obligations at a very specific level.
What Digital Lending Apps cannot access:
- Contact lists
- Call logs
- Telephony functions
- Media files (photos, videos)
- Any mobile phone resource beyond what is explicitly stated below
What Digital Lending Apps can access, with restrictions:
- Camera: one-time access, during onboarding, for KYC only, with explicit consent
- Microphone: one-time access under the same conditions
- Location: one-time access during onboarding, for credit assessment purposes, with explicit consent
Under the DPDP Act, each of these data access points would require its own specific consent under Section 6. The RBI restrictions are stricter in scope (they ban certain categories outright) but narrower in application (they apply only to DLAs). The DPDP Act applies to all personal data processing, including data that the RBI framework does not specifically address, like behavioural analytics derived from in-app usage patterns.
A lending platform that scrupulously follows DLA restrictions may still violate DPDP if it processes in-app behavioural data, device metadata, or user interaction patterns without specific consent, because the RBI framework simply does not address these data types.
How Does Breach Notification Work for Fintechs?
Fintech companies in India now face a triple-reporting obligation for data breaches, which is arguably the most operationally demanding compliance requirement in the sector.
| Parameter | CERT-In Directions 2022 | DPDP Act (Section 8(6)) | RBI Incident Reporting |
|---|---|---|---|
| Reporting authority | CERT-In (cert-in@cert-in.org.in) | Data Protection Board of India (DPBI) | Respective RBI regulatory department |
| Timeline | 6 hours from detection | 72 hours from identification | "Immediately" (no specific hour threshold defined in most circulars) |
| Scope | All cybersecurity incidents | Personal data breaches only | IT security incidents affecting banking/payment operations |
| Notification to individuals | Not required | Required (to each affected Data Principal) | Not typically required |
| Penalty for non-compliance | Up to ₹17.6 crore per violation | Up to ₹200 crore (Schedule, Item 2) | Regulatory action, potential licence implications |
The CERT-In clock starts first: six hours from when you detect the incident. If you discover a breach at 2 AM on a Saturday, your incident response team has until 8 AM to file an initial report with CERT-In, whether or not you have completed your forensic assessment.
For a detailed walkthrough of the CERT-In vs DPBI reporting process, see our breach notification guide.
The RBI reporting obligation adds a third layer. RBI-regulated entities must report significant IT security incidents to their respective regulatory departments. The timeline language varies across RBI circulars (some say "immediately," some say "within 2-6 hours"), but the practical expectation is prompt escalation.
A fintech that experiences a personal data breach affecting customer financial data must:
- Report to CERT-In within 6 hours
- Report to the relevant RBI department immediately or per the applicable circular
- Report to the DPBI within 72 hours
- Notify each affected Data Principal individually within the DPDP timeline
Missing any one of these is a separate regulatory violation with its own penalty framework.
What About UPI and Payment Data?
Payment data occupies a unique position in the Indian regulatory landscape. The RBI's April 2018 circular on Storage of Payment System Data mandates that all data related to payment systems operated in India must be stored exclusively on servers located in India. This applies to:
- Payment system operators (including UPI apps)
- Payment aggregators
- Payment gateway operators
- Any entity in the payment chain processing transaction data
The DPDP Act does not override this requirement. While Section 16 permits cross-border data transfers unless a country is blacklisted, the long-established RBI data localisation mandate creates a sector-specific floor that is stricter than the DPDP Act's general framework.
For UPI operators specifically, the data includes transaction logs, user registration details, VPA (Virtual Payment Address) mappings, and beneficiary information. All of this is personal data under the DPDP Act and simultaneously payment system data under RBI rules. Both frameworks apply concurrently.
What Should Indian Fintechs Do Before May 2027?
The compliance deadline is roughly fourteen months away as of March 2026. Based on conversations with fintech compliance leads and the regulatory landscape as it stands today, here is the priority sequence.
1. Map your data against both frameworks simultaneously.
Do not run a DPDP data audit and an RBI compliance review as separate projects. Build a unified data inventory that tags every data field with its DPDP purpose, its RBI regulatory basis, and its retention requirement under both frameworks. A comprehensive data audit is the starting point, but fintech-specific regulatory tagging makes it materially more complex than a standard DPDP audit.
2. Resolve the data retention conflict now, not later.
Implement purpose-tagged retention policies with automated deletion workflows. Fields governed by RBI retention requirements should be documented, access-restricted, and separated from fields governed solely by DPDP consent. Do not wait for regulatory clarity that may never come; build a defensible approach.
3. Layer DPDP consent on top of existing RBI consent mechanisms.
If you already have an AA consent architecture or DLA consent flows, you are halfway there. But you need to add DPDP-compliant plain-language notices (Section 5), ensure withdrawal is as easy as giving consent (Section 6(4)), and unbundle any forced consent. Do not rip out your existing consent infrastructure; extend it.
4. Build a triple-notification incident response plan.
Your breach response playbook must account for CERT-In (6 hours), RBI (variable, but fast), and DPBI (72 hours) simultaneously. Designate separate notification owners for each authority. Run tabletop exercises that simulate a breach discovered outside business hours. The penalty for missing the CERT-In window alone is up to ₹17.6 crore.
5. Review every third-party data sharing arrangement.
Every vendor, LSP, payment processor, or cloud provider that handles customer data needs a Data Processing Agreement under Section 8(2) of the DPDP Act. RBI-regulated entities already have vendor management frameworks; the DPDP layer adds specific contractual requirements around purpose limitation, data deletion upon purpose fulfilment, and breach notification cascading.
6. Prepare for Data Principal rights at scale.
Fintech customers who exercise their rights under the DPDP Act (access, correction, erasure, and nomination) will generate volume that manual processes cannot handle. A lending platform with a million active borrowers needs automated DSR workflows, particularly for erasure requests where you must distinguish between data you can delete (DPDP-governed) and data you must retain (RBI-mandated).
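The purpose-tagged retention approach described under the data retention conflict, and the erasure-request triage in step 6 above, can be reduced to a small decision engine. The following is an added illustration written for this article, not code from ComplyZero or from any RBI or DPDP guidance; the field names, the two legal bases and the sample inventory are constructed assumptions. It tags each field with a DPDP purpose and a retention basis, routes RBI-mandated fields to a restricted store at collection time, and on an erasure request decides field by field whether to erase or retain, returning the plain-language retention notice the Data Principal is owed.

```python
"""Purpose-tagged retention engine (illustrative, hypothetical field names).

Each inventory field carries the DPDP purpose stated in the s.5 notice and the
legal basis for keeping it. DPDP-consent-only fields are erased as soon as the
purpose is fulfilled or consent is withdrawn. RBI KYC fields are retained for a
fixed number of years counted from the end of the business relationship, and
are only erased once that statutory period has run out.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Basis(Enum):
    DPDP_CONSENT = "DPDP Act s.6 consent"       # erase on withdrawal / purpose fulfilled
    RBI_KYC = "RBI KYC Master Direction"        # retain N years after relationship ends


@dataclass(frozen=True)
class FieldTag:
    name: str
    purpose: str               # DPDP purpose disclosed to the Data Principal
    basis: Basis
    retention_years: int = 0   # only meaningful for RBI_KYC


# Constructed sample inventory for a hypothetical lending platform.
INVENTORY = [
    FieldTag("pan_number", "KYC verification", Basis.RBI_KYC, 5),
    FieldTag("aadhaar_last4", "KYC verification", Basis.RBI_KYC, 5),
    FieldTag("loan_transactions", "Loan servicing", Basis.RBI_KYC, 5),
    FieldTag("marketing_email_optin", "Marketing", Basis.DPDP_CONSENT),
    FieldTag("in_app_behaviour", "Product analytics", Basis.DPDP_CONSENT),
    FieldTag("support_tickets", "Customer support", Basis.DPDP_CONSENT),
]


@dataclass(frozen=True)
class Decision:
    field: str
    action: str                    # "ERASE" or "RETAIN"
    basis: str
    retention_years: int
    retain_until: Optional[date]   # None when erased, or when the RBI clock has not started


def split_stores(inventory: List[FieldTag]) -> Tuple[List[str], List[str]]:
    """At collection time, route RBI-mandated fields to the access-restricted
    store and DPDP-consent-only fields to the ordinary store."""
    ordinary = [t.name for t in inventory if t.basis is Basis.DPDP_CONSENT]
    restricted = [t.name for t in inventory if t.basis is Basis.RBI_KYC]
    return ordinary, restricted


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide_erasure(inventory: List[FieldTag], relationship_end: Optional[date],
                   today: date) -> List[Decision]:
    """Decide, per field, how to answer a Data Principal's erasure request.

    relationship_end is None while the account is still open: the RBI retention
    clock has not started, so regulated records are retained with no end date
    yet; DPDP-only fields are still erased because withdrawal alone suffices.
    """
    decisions = []
    for tag in inventory:
        if tag.basis is Basis.DPDP_CONSENT:
            decisions.append(Decision(tag.name, "ERASE", tag.basis.value, 0, None))
            continue
        if relationship_end is None:
            decisions.append(Decision(tag.name, "RETAIN", tag.basis.value, tag.retention_years, None))
            continue
        retain_until = add_years(relationship_end, tag.retention_years)
        if today >= retain_until:
            # Statutory period exhausted: the s.8(7) carve-out no longer applies.
            decisions.append(Decision(tag.name, "ERASE", tag.basis.value, tag.retention_years, None))
        else:
            decisions.append(Decision(tag.name, "RETAIN", tag.basis.value, tag.retention_years, retain_until))
    return decisions


def retention_notice(decisions: List[Decision]) -> List[str]:
    """Plain-language lines telling the Data Principal which fields are kept,
    the legal basis, and the expected retention period."""
    lines = []
    for d in decisions:
        if d.action != "RETAIN":
            continue
        if d.retain_until is None:
            until = f"{d.retention_years} years after your account is closed"
        else:
            until = d.retain_until.isoformat()
        lines.append(f"{d.field}: retained under {d.basis} until {until}")
    return lines


if __name__ == "__main__":
    for line in retention_notice(decide_erasure(INVENTORY, date(2024, 6, 30), date(2026, 3, 15))):
        print(line)
```

The important design point is that the retention decision is anchored to the relationship end date rather than to the erasure request: an erasure request received while the account is open cannot start the RBI clock, and one received after the statutory period has lapsed must erase the KYC fields too, since the "necessary for compliance with any law" carve-out no longer covers them.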
Frequently Asked Questions
Does RBI compliance automatically mean DPDP compliance for fintechs?
No. While RBI frameworks and the DPDP Act share principles like consent, purpose limitation, and data security, they are separate regulatory regimes with separate enforcement authorities. Compliance with RBI's Digital Lending Directions or KYC requirements does not satisfy DPDP Act obligations under Sections 5, 6, 7, and 8. Fintechs must comply with both independently. The DPDP Act adds obligations that RBI frameworks do not address, including providing a formal notice under Section 5, enabling Data Principal rights (access, correction, erasure, nomination), and notifying the Data Protection Board of India within 72 hours of a personal data breach.
Can a fintech refuse a customer's data erasure request because of RBI KYC requirements?
Partially. Section 8(7) of the DPDP Act 2023 permits retention when it is "necessary for compliance with any law." RBI's KYC Master Direction requires retaining customer identification and transaction records for a minimum of five years after the business relationship ends. A fintech can lawfully retain KYC data for the RBI-mandated period, but must erase all other personal data that does not have a separate legal retention requirement. The fintech must inform the Data Principal which data is being retained, the legal basis for retention, and the expected retention period.
How does the Account Aggregator consent framework interact with DPDP consent?
The AA consent framework uses structured Consent Artifacts that specify purpose, duration, frequency, and scope of data sharing. The DPDP Act's consent requirements under Section 6 introduce additional conditions: consent must be "unconditional" (no bundling with service access), withdrawal must be equally easy, and the Data Principal must receive a clear, plain-language notice before consent is obtained. As of March 2026, no regulatory guidance harmonises these two frameworks. The practical approach is to layer DPDP-compliant notices and consent flows alongside the AA architecture, treating them as complementary requirements.
What is the maximum penalty a fintech could face under the DPDP Act?
The Schedule to the DPDP Act 2023 specifies maximum penalties per violation category: up to ₹250 crore for failing to implement reasonable security safeguards resulting in a data breach, and up to ₹200 crore for failing to notify the DPBI and affected Data Principals of a breach. These penalties apply to each violation, making the theoretical exposure substantial for a fintech processing millions of customer records. These are in addition to any penalties under RBI's regulatory framework and CERT-In Directions.
Do payment aggregators need to comply with DPDP data localisation rules or RBI rules?
Both, but the RBI's data localisation mandate is the binding constraint for payment data. The DPDP Act permits cross-border data transfers unless the Central Government blacklists a country (no country has been blacklisted as of March 2026). However, the RBI's April 2018 circular requires all payment system data to be stored exclusively in India. For payment aggregators, the RBI rule is stricter and prevails for all payment-related data. Non-payment personal data (like marketing preferences or support ticket history) follows the DPDP Act's cross-border framework.
Simplify Your Fintech Compliance
This article is for informational purposes and reflects the DPDP Act 2023, DPDP Rules 2025, and RBI directions as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Indian fintechs face a regulatory environment where two complex frameworks operate in parallel, and missing either one carries real consequences. ComplyZero provides a self-serve DPDP compliance platform with automated consent management, privacy notices in 22 Indian languages, and audit-ready compliance records, designed for Indian businesses that need to build DPDP compliance without ripping out their existing regulatory infrastructure.