INTRODUCTION

The Digital Personal Data Protection (hereinafter referred to as “DPDP”) Act, 2023, marks a transformative shift in how Indian banks manage personal data, particularly within the context of correspondent banking, where cross-border data flows are an operational necessity. Correspondent banking, in which banks facilitate financial services for other banks, often in different jurisdictions, relies heavily on the seamless exchange of personal data for transaction processing, compliance, and regulatory reporting. Under the DPDP Act, banks must now ensure that every cross-border transfer of personal data is lawful, secure, and transparent, aligning with both the Act’s data protection standards and sectoral regulatory requirements.

Section 16 of the DPDP Act establishes a “negative list” or blacklist approach to cross-border transfers, meaning personal data can be transferred outside India unless the Central Government specifically restricts such transfers to certain countries or territories through official notification. This approach is a significant departure from previous localization mandates, allowing greater flexibility for banks while maintaining the government’s authority to block transfers to jurisdictions with inadequate data protection or national security concerns. Even for permitted transfers, banks must fulfill several obligations: obtaining explicit consent from data principals, providing clear notice in privacy policies, and implementing contractual and technical safeguards to protect data throughout its journey.

The Act also requires banks to map their cross-border data flows, maintain audit trails, and conduct regular risk assessments, especially for significant data fiduciaries. These measures are essential to ensure that banks can demonstrate compliance not only to Indian regulators but also to their foreign counterparts and customers. In correspondent banking, where data may transit through multiple jurisdictions, robust contractual agreements such as Standard Contractual Clauses are critical to enforce DPDP standards and protect data subject rights.

In summary, the DPDP Act compels Indian banks to integrate comprehensive compliance frameworks into their correspondent banking operations. This includes updating consent mechanisms, strengthening data security, ensuring transparent disclosures, and maintaining rigorous oversight of cross-border transfers. By proactively addressing these requirements, banks can safeguard customer privacy, mitigate regulatory risks, and maintain the integrity of their international banking relationships in a rapidly evolving data protection landscape.

KEY PROVISIONS OF DPDP ACT ON CROSS-BORDER DATA TRANSFERS
  1. Legal Framework and Restrictions
  • The DPDP Act adopts a “negative list” approach: personal data can be transferred outside India unless the Central Government specifically restricts transfers to certain countries or territories through official notification.
  • Transfers to countries not on the blacklist are permitted, but banks must ensure all other DPDP obligations are met, such as obtaining valid consent, providing notice, and implementing robust security safeguards.
  • The Act does not distinguish between sensitive and non-sensitive personal data for cross-border transfers; sectoral regulators like the Reserve Bank of India (RBI) may impose additional requirements.
  2. Consent and Notice Requirements
  • Explicit consent from data principals (customers) is required before transferring their personal data abroad, except in cases where the transfer is permitted under Section 7 (legitimate use, such as payment processing or legal obligations).
  • Banks must provide clear notice in their privacy policies about the transfer, including the destination country, purpose, and categories of data involved.
  3. Security and Contractual Safeguards
  • Banks must implement contractual safeguards (such as Standard Contractual Clauses) with foreign processors to ensure ongoing protection, breach notification, and data subject rights parity as per Section 8 of the Act.
  • Technical security measures, including encryption and access controls, must be deployed for data in transit and at rest.

PRACTICAL COMPLIANCE STEPS FOR BANKS
  1. Mapping Data Flows
  • Conduct a comprehensive audit of all cross-border data flows, identifying data categories, destinations, and purposes for each transfer.
  • Classify data based on sensitivity (e.g., financial, biometric, identity) and regulatory requirements, mapping each flow to relevant DPDP and sectoral rules.
  • Maintain a live data flow register, updated regularly to reflect new products, services, or regulatory changes.
  2. Consent and Notice Management
  • Update consent mechanisms and privacy notices to explicitly cover cross-border transfers, ensuring clarity and transparency for customers.
  • Document all consents and maintain an audit trail, including withdrawal requests and responses.
  • Implement identity verification processes for sensitive data and minors to ensure consent authenticity.
  3. Implementing Security Controls
  • Conduct periodic stress testing, vulnerability assessments, and penetration testing to ensure resilience.
  • Use secure communication protocols and implement access controls, multi-factor authentication, and role-based permissions.
  4. Monitoring and Audit
  • Establish ongoing monitoring of data flows and compliance with DPDP requirements, including regular audits and risk assessments.
  • Maintain detailed logs and audit trails for all cross-border data transfers, including access logs, consent records, and incident reports.
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk transfers and significant data fiduciaries.
  5. Employee Training and Awareness
  • Implement comprehensive training programs for employees and contractors on data protection and privacy, integrating policy acknowledgment into onboarding and periodic training.
  • Regularly update staff on regulatory changes, new threats, and compliance requirements.
  6. Grievance Redressal and User Rights
  • Establish effective grievance redressal mechanisms, appointing a Data Protection Officer (DPO) and making their contact details easily accessible.
  • Ensure timely responses to data subject rights requests (access, correction, erasure, restriction) within 30 days, with written explanations for denials.
  • Facilitate complaint filing with the Data Protection Board of India for unresolved grievances.
  7. Incident Response and Breach Management
  • Develop and maintain a robust incident response plan for data breaches, ensuring swift action and compliance with DPDP Act reporting requirements.
  • Promptly notify the Data Protection Board and affected data principals in case of a breach, regardless of the volume or risk.
  8. Data Minimization and Retention
  • Emphasize data minimization in policies, ensuring only necessary data is collected and processed for specific and legitimate purposes.
  • Define and enforce data retention periods, securely deleting data once its purpose is fulfilled.
  9. Regular Compliance Reviews
  • Create a detailed compliance roadmap, prioritizing actions based on risk and impact.
  • Regularly review and update compliance policies, procedures, and controls to adapt to new threats and regulatory changes.

SECTORAL AND REGULATORY CONSIDERATIONS
  1. Reserve Bank of India (RBI) Directives
  • RBI has issued specific guidance requiring banks to adopt robust data governance frameworks, transparent consent management, and comprehensive documentation of data flows.
  • Banks must ensure that data is stored in India after processing and deleted from foreign systems within 24 hours or one business day, whichever is earlier.
  2. Additional Regulatory Obligations
  • Banks must comply with sectoral regulations, such as the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices 2023, which mandate strong data protection strategies and transparent consent management.
  • Annual data protection audits and Data Protection Impact Assessments (DPIAs) are required for significant data fiduciaries.

AMLEGALS REMARKS

Compliance with cross-border data transfer provisions in correspondent banking under the DPDP Act, 2023, requires Indian banks to adopt a structured and proactive approach. Mapping data flows, obtaining explicit consent, and implementing robust security and contractual safeguards are essential steps to ensure lawful and secure transfers. By adhering to these requirements, banks not only mitigate regulatory and reputational risks but also demonstrate their commitment to protecting customer privacy, which builds trust and strengthens their position in the global financial ecosystem.

Moreover, banks must continuously monitor and update their compliance frameworks to align with evolving regulatory expectations and sectoral guidelines, such as those from the Reserve Bank of India. Regular audits, incident response planning, and transparent communication with customers further reinforce compliance and resilience. This comprehensive approach not only safeguards against legal and reputational risks but also fosters a culture of privacy and security, ultimately enhancing the bank’s competitive advantage in an increasingly data-driven world.

In case of any query, please feel free to reach out to us at rohit.lalwani@amlegals.com