Introduction

Lenders assessed creditworthiness using traditional indicators such as repayment history, income, and existing loans, with Credit Information Companies like CIBIL converting these into a credit score. AI-driven credit scoring is transforming this approach by analysing alternative data, including mobile usage, utility bill payments, digital transactions, app behaviour, and device patterns, to assess borrowers with little or no credit history. This has the potential to improve financial inclusion for India’s unbanked population. This also creates a growing regulatory gap between the rapid adoption of AI in lending and the legal framework governing personal data, making AI credit scoring one of the most challenging emerging issues in Indian privacy law.

Consent and the Alternative-Data Problem

The DPDPA’s entire architecture rests on consent that is free, specific, informed, and unambiguous. That standard was written with a mental model of a person reading a notice and agreeing to a defined, nameable use of their data. Alternative-data credit scoring strains this model close to breaking point. A lending app’s consent form may disclose that it will access “device and usage data” to assess creditworthiness, but it cannot meaningfully describe, in advance, that a model will also infer risk from how fast a user types, which apps they open at 2 a.m., or the geolocation pattern of their daily commute. Consent obtained for a named purpose becomes, in practice, consent for an open-ended inference exercise the applicant could not have anticipated. This is a live compliance gap: purpose limitation under Sections 5 and 8 requires that data be used only for the purpose specified at collection, yet the entire value proposition of alternative-data scoring depends on discovering unanticipated correlations in data the applicant never knew was predictive.

RBI's Role in AI-Driven Lending

While the DPDPA governs the processing of personal data, AI-based lending must also comply with the RBI’s Digital Lending Guidelines. These require explicit customer consent for data collection, restrict unnecessary access to personal information, and place responsibility on regulated entities for the actions of Lending Service Providers (LSPs), including outsourced technology partners. Together, the RBI framework and the DPDPA underscore that innovation in digital lending must be accompanied by robust privacy, security, and governance standards.

The Black Box and the Missing Right to Explanation

The DPDPA grants Data Principals the right to access information about how their personal data is processed under Section 11. However, unlike the EU’s GDPR, it does not provide a specific right to an explanation of fully automated decisions or require human review of such decisions. Consequently, an applicant whose loan application is rejected by an AI-based credit model may know that their data was processed but cannot readily demand an explanation of how the model reached its decision. This reflects the well-known “black box” problem, where complex AI models generate highly accurate predictions through decision-making processes that are often difficult to interpret, even by their developers.

While regulators in several jurisdictions increasingly encourage explainable AI and robust model governance, India has yet to introduce comparable statutory requirements for automated credit decisions. Until clearer regulatory guidance emerges, explainability remains largely a matter of good governance rather than a legal obligation for lenders.

Discrimination as a Data Protection Harm, Not Only a Fairness Problem

AI credit models are trained on historical lending data, which may reflect longstanding inequalities based on factors such as geography, occupation, or other indirect indicators. Even without explicitly processing sensitive attributes like gender or caste, these models can produce discriminatory outcomes by relying on proxy variables such as location, device type, or spending patterns. While this is often viewed as a consumer protection or fair-lending issue, it also raises important data protection concerns. Where personal data is processed in a manner that results in unfair or disproportionate outcomes, it may attract scrutiny under the DPDPA’s broader obligation to process personal data lawfully. Consequently, algorithmic bias is not merely a question of lending fairness but may also fall within the supervisory scope of the Data Protection Board of India, as the underlying harm stems from the manner in which personal data is processed rather than the lending decision alone.

Illustration: When AI Says 'No'

Consider a first-time borrower with no CIBIL score applying for a digital loan. Instead of relying on traditional credit history, the lender’s AI model analyses the applicant’s UPI transaction history, utility bill payments, salary credits, and device behaviour before rejecting the application. When the borrower seeks an explanation, the lender may only state that the application did not meet internal risk parameters. This raises an important legal question: can meaningful consent and accountability exist if an individual cannot understand the basis of an automated decision affecting their financial access?

Significant Data Fiduciary Status and What It Will Actually Demand

Large credit bureaus and high-volume digital lenders may be designated as Significant Data Fiduciaries (SDFs), subject to notification by the Central Government under the DPDPA. Once the Data Protection Board of India begins notifying that category in earnest. SDF status brings mandatory Data Protection Impact Assessments and independent data audits, which for an AI credit-scoring business means something genuinely difficult: documenting not just what data is collected, but how a model’s decision logic uses it, and periodically re-justifying that logic as models are retrained on fresh data. This is a heavier lift than a conventional compliance audit, because it requires the DPIA to interrogate the model itself, not only the surrounding data-handling infrastructure – but an exercise also most Indian lending platforms have not yet had to perform in this form.

AMLEGALS Remarks

Until the Data Protection Board of India issues guidance on AI-driven credit decisions, lenders operate within a legal framework that governs personal data but provides limited direction on automated decision-making. In the interim, organisations should prioritise explainability, bias testing, transparent consent, and auditable AI models as part of good governance. Embedding these safeguards early can reduce regulatory risk while ensuring AI-driven lending remains fair, privacy-conscious, and capable of withstanding future regulatory scrutiny. As India’s AI ecosystem evolves, the focus is likely to shift from whether consent was obtained to whether algorithmic decisions can be meaningfully justified.

For any queries or feedback, feel free to connect with Hiteashi.desai@amlegals.com or Khilansha.mukhija@amlegals.com

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.