Introduction

India’s fintech ecosystem now operates like an extension of the traditional banking infrastructure. Apps like CRED, Groww, Zerodha, PhonePe, and many account-aggregator-enabled sites do not generate financial data independently. Instead, they rely on ongoing, permission-based access to users’ bank-held data via Application Programming Interfaces (“APIs”). This architecture, often referred to as open banking, has enabled seamless digital payments, personalized financial products and real-time credit evaluation. However, beneath the surface of innovation and convenience lie intricate legal issues that Indian law has not yet completely addressed. To determine who effectively controls financial data in India’s API-driven banking economy, the country’s open banking framework should be analysed through the intersecting lenses of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Reserve Bank of India’s (“RBI”) data-sharing regime, contract law principles, and competition law.

The Architecture of Open Banking in India

A system known as “open banking” permits third-party service providers to access customers’ financial information through secure digital interfaces, provided that the customer gives permission. This framework has primarily evolved in India as a result of regulatory action rather than legislative mandates. The foundation of India’s open banking system is the RBI’s Account Aggregator (“AA”) framework, which permits consent-based financial information sharing between authorized companies. Under this structure, fintech platforms frequently serve as Financial Information Users, whilst banks act as Financial Information Providers. The AA is intended to be a consent manager rather than a data processor. Theoretically, this paradigm gives consumers the ability to decide how their data is shared and decentralizes control. In practice, however, banks still maintain control over the technical standards, access terms, and underlying infrastructure, while fintech platforms depend on these arrangements to operate. This interdependent relationship is central to understanding the legal conflicts over ownership, consent, and market power in India’s open banking ecosystem.

Financial Data Ownership: A Question Without a Statutory Answer

The “ownership” of financial or personal data is not expressly recognized as a proprietary right under Indian law. The DPDP Act, 2023 deliberately eschews the language of ownership in favour of a rights-and-obligations framework. Consumers are acknowledged as Data Principals, while organizations that decide how and why to process data are categorized as Data Fiduciaries. From a legal perspective, this means that although consumers possess control over how their data is used, they do not actually own it. Banks, on the other hand, frequently claim custodial control over financial data because they gather, store, and preserve it in accordance with contractual and regulatory requirements. This stance becomes particularly significant when banks try to monetize data-sharing agreements or negotiate API access fees. The position of fintech companies is considerably more unclear. While they initially access data as processors or fiduciaries acting on user instructions, many platforms subsequently aggregate, analyse, and derive insights from that data. These derivative datasets, such as expenditure analytics or behavioural credit ratings, produce their own commercial value. Whether such value-added data belongs to the client, the original data holder, or the organization that developed it is still unclear under Indian law. Financial data in India is therefore governed by contracts and infrastructure rather than by statutory ownership rights, creating a legal void.

Consent Under the DPDP Act and RBI Framework

Open banking is based on the legal principle of consent. Consent must be free, informed, specific, and revocable according to the DPDP Act and the RBI’s AA framework. On a theoretical level, India has one of the strongest consent architectures in the world, especially since consent dashboards and standardized consent artefacts were introduced.
However, this ideal is complicated by the operational realities of financial platforms. In many applications, granting broad data permissions is a precondition for accessing essential features. Users are essentially forced to choose between data sharing and being excluded from digital financial services because they are rarely given viable alternatives if they refuse consent. This raises a crucial legal question: whether consent can be deemed “free” in situations where refusal leads to service denial. The DPDP Act emphasizes voluntariness and purpose limitation even though it does not specifically forbid conditional consent. Fintech consent models that rely on broad, packaged rights may come under more scrutiny as regulatory enforcement develops. Furthermore, permission notices are sometimes long, technical, and difficult for users to understand. This compromises the “informed” component of consent, especially in an industry where financial choices have substantial ramifications. Therefore, in the absence of true user comprehension and choice, the increasing dependence on permission as a legal shield may prove brittle.

API Access and the Contractual Power of Banks

From a contractual standpoint, bilateral or multilateral agreements between banks and fintech startups regulate API access. Pricing, service levels, access restrictions, and termination rights are all governed by these agreements. Banks frequently justify charging for API access on the grounds of infrastructure costs, cybersecurity obligations, and regulatory compliance. Contractual freedom permits these kinds of agreements, but it also leads to power imbalances. Large banks, especially those with sizable customer bases, have the power to impose conditions that smaller fintech businesses may be forced to accept. Restrictive terms or excessive API fees may act as indirect entry barriers that stifle competition and innovation. Banks are not at present obligated under Indian law to offer free or non-discriminatory API access. Unlike the European Union’s Payment Service Directive 2015/2366 (“PSD2”) regime, which mandates open access under defined conditions, India relies on regulatory discretion. Because this approach offers flexibility but lacks predictability, fintech companies are vulnerable to changing commercial and regulatory agendas.

Competition Law Implications of Data Control

Control over data access increasingly translates into market influence as financial data becomes a crucial input for digital financial services. Banks that manage substantial amounts of consumer data have the ability to affect downstream markets by controlling who has access to it and how much it costs. This control may attract scrutiny under the Competition Act, 2002 if it leads to misuse of a dominant position. Discriminatory pricing, delayed access, and unwillingness to work with specific fintech companies are examples of practices that may be contested as exclusionary behaviour or denial of market access. The concept of data as an “essential facility” is gaining traction globally, particularly in digital markets where data cannot be easily replicated. Banks’ control over API access may be subject to increased competition law supervision if financial data is acknowledged as essential for competing in fintech industries. The readiness of India’s competition authorities to engage with data-driven market power in digital industries has already been demonstrated. Thus, it is inevitable that open banking practices will be scrutinized from an antitrust perspective.

India in the Global Open Banking Landscape

Open banking regimes around the world reflect differing regulatory ideologies. User rights and data portability are given priority under the EU’s GDPR and PSD2 framework, which requires non-discriminatory access. With stringent restrictions on cross-platform data sharing, China’s Personal Information Protection Law takes a more state-centric stance. India’s approach occupies a middle ground, depending more on regulatory supervision than on statutory obligations. Fintech has expanded rapidly owing to this flexibility, but it also creates uncertainty for companies that operate internationally. Cross-border fintech operations are legally complicated since compliance requirements differ based on the location of users, data storage, and processing firms.

AMLEGALS Remarks

The relationship between banks, fintech startups, and clients has evolved significantly as a result of India’s transition to API-driven banking. The DPDP Act improves individual rights and accountability, but it doesn’t address the more fundamental structural problem of who actually controls financial data. Fintech platforms rely on negotiated access, banks maintain their infrastructure dominance, and customers, despite being acknowledged as data principals, remain primarily passive participants. As financial data becomes a source of competitive advantage, consent, pricing, and access issues can no longer be seen in a vacuum. Data privacy enforcement, regulatory action, and competition law scrutiny will probably come together to determine the next stage of India’s open banking evolution.

For any queries or feedback, feel free to connect with Hiteashi.desai@amlegals.com or Khilansha.mukhija@amlegals.com
