FinTechCross Selling by FinTechs – In the age of Data Privacy

November 3, 20230


Cross-selling is a practice employed by Fin-tech companies to offer additional financial products or services to existing customers, which has become essential to the business model for many Fin-Tech companies. Cross-selling is one of the primary methods of generating new revenue for many businesses, including Fin-Tech companies.

The practice of cross-selling relies heavily on the collection and utilization of personal data collected on the basis of previous order history, cookies etc. Therefore, the advent of the Digital Personal Data Protection Act (“DPDPA”) will have significant implications on the Fin-tech industry, particularly in the context of cross-selling due to heavy reliance on user data.

In this article, we attempt to delve into the key aspects of the DPDP Act and its impact on cross-selling by fintech companies, highlighting the challenges and opportunities it presents.


The companies in order to propose new products to its existing user data base frequently employ data analytics and machine learning algorithms to discern optimal cross-selling prospects.

Four Categories of Innovation in Cross-Selling are:

  1. Personalization Engine: This mechanism anticipates the most appropriate course of action based on a customer’s historical behavior. Envision a scenario where you access your banking application and are presented with a tailored recommendation for a high-yield savings account, precisely when you have just received your paycheck. Personalization engines are instrumental in translating data into customized experiences that foster cross-selling.
  2. Gamification: This strategy incorporates game-like elements to engage customers and incentivize them to make additional purchases. Fin-Tech applications leverage game-inspired rewards such as badges, points, and leaderboards to render cross-selling interactive and engaging.
  3. Contextual Recommendations: Real-time suggestions that align with the customer’s ongoing interaction or circumstances. Consider a scenario in which you are reviewing your investment returns on your application, and it recommends diversifying your portfolio with bonds or international stocks. These real-time, context-driven recommendations not only make cross-selling timely but also exceptionally pertinent.
  4. Chatbots: This category encompasses AI-powered assistants that direct customers toward supplementary purchases within the application environment. Visualize engaging in a conversation with an AI assistant that not only resolves your inquiries about credit card benefits but also proposes an irresistible personal loan offer. Chatbots, underpinned by machine learning, exhibit proficiency in identifying cross-selling opportunities within dialogues.


The Fin-tech companies initially under the guise of terms and conditions, used the consent obtained from their customer through a single click for all purposes, including the further sale or advertisement of other products or services.

However, with the advent of the DPDPA, this practice is no longer tenable as the DPDPA establishes a robust framework for data protection, requiring Fin-tech companies to obtain explicit consent from customers for cross-selling activities, ensuring transparency regarding the types of data collected and the specific products or services being offered.


Under the DPDPA, Fin-tech companies must obtain informed consent from customers before engaging in cross-selling. This includes providing clear and easily understandable information about the purpose of data collection, the intended use of the data, and the potential recipients of the data.

For instance, if a single consent is obtained from the customer, encompassing the use of their data to provide a service and present new products from the platform or its partners, this bundled consent may not suffice. However, if the user explicitly consents to two distinct aspects – first, the utilization of their data for service provision, and second, through a separate checkbox, the utilization of their data to receive new offers or products – this approach may prove acceptable.

Fin-tech companies must also ensure that customers have the option to withdraw their consent at any time. Transparency in cross-selling practices builds trust and empowers customers to make informed decisions about sharing their data.


Compliance with the DPDPA necessitates responsible data handling practices by Fin-tech companies. This includes implementing robust security measures to protect customer data from unauthorized access, ensuring data accuracy, and regularly reviewing and updating privacy policies.

Fin-tech companies must also adopt data minimization practices, collecting only the necessary data for cross-selling purposes. Responsible data handling not only ensures compliance but also fosters customer confidence in the security of their personal information.


Cross-selling entails two fundamental components: Firstly, presenting the customer with personalized advertisements, prompts, or offers for the new product; and Secondly, facilitating the user journey once the user encounters and engages with the prompt.

In the latter scenario, where the user is already interacting with the platform, notice and consent can be sought at that juncture. However, in the former situation, where the user has not yet engaged with the new product offering and the sole intention is to present them with a personalized prompt, there is no opportunity to secure consent or provide notice. This is where the complexity of the matter arises.

Hence, while the utilization of data for cross-selling is permissible, it necessitates the implementation of appropriate controls, user interface/user experience (UI/UX) adjustments, consent procedures, or records. Some of these measures may introduce certain complexities into the customer journey, but thoughtfully designed solutions can mitigate such hurdles while ensuring that users have access to relevant information to make informed choices


That compliance with the DPDPA although requires significant investments in data protection infrastructure, staff training, and business models yet in the longer run it is more beneficial not only to the user but also to the companies and entities which have a benefit to stalking user data as complying with the positions of this act would ensure that the data that is collected is more refined and accurate, meaning the quantity of data might be lesser but the accuracy and quality of it would be better.

The Fin-Tech companies shall also ensure to navigate the complexities of obtaining explicit consent and ensuring transparency not just in letter but also in spirit, which may impact the efficiency of cross-selling processes. Compliance can also lead to stronger customer relationships based on trust and transparency which is valuable in in the Fin-tech industry due to the volatile nature of the market.


Innovative cross-selling strategies are transformative in the realm of FinTech. They not only augment revenue but also elevate customer lifetime value (LTV), as technology advances, these methodologies are poised to become indispensable for any Fin-Tech enterprise aspiring to achieve sustainable growth.

However, take note that the advent of the DPDPA will significantly impacts cross-selling practices in the Fin-tech industry. Therefore, Fin-tech companies in order to comply with the DPDPA must prioritize data protection, consent, transparency, and responsible data handling. While compliance presents challenges, it also offers opportunities for Fin-tech companies to build trust, enhance customer relationships, and gain a competitive edge.

By embracing the requirements of the DPDPA, Fin-tech companies can navigate the evolving landscape of data privacy and cross-selling, ensuring the responsible use of personal data while delivering personalized and relevant financial products and services to their customers.


For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.