
Introduction
India’s fintech ecosystem now operates under a “dual compliance mandate”: the sectoral (industry-specific) norms issued by the RBI and, now, the horizontal obligations of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDPA”). The result is a complicated set of legal requirements for young start-ups whose business models rely on data. Both regimes share the same objective, to protect consumers and to ensure the stability of the financial system, but their overlapping requirements on consent, data governance, outsourcing and accountability are especially challenging for start-ups to navigate and will significantly shape the structure and behaviour of the industry going forward.
RBI Norms as Sectoral Data Governance
RBI has changed over the last several years from being a regulator with limited authority over digital finance to one that has created numerous detailed rules in its Digital Lending Guidelines and 2025 Digital Lending Directions. These regulatory changes include requirements for obtaining explicit, informed consent from borrowers, limiting how much access lenders can have to a borrower’s mobile device (e.g., contacts, media), providing a Key Fact Statement (“KFS”) to the borrower, and ensuring that lenders store their lending data in India in accordance with stringent data retention and destruction/deletion policies.
Additionally, the Outsourcing of Information Technology Services Directions, 2023 impose stringent requirements on cloud providers and other service providers used by banks, Non-Banking Financial Companies (“NBFCs”) and other regulated entities. The core principle is that outsourcing a service to a third-party vendor neither diminishes the board’s ultimate accountability to customers nor the RBI’s ability to supervise the vendor’s handling of customer data.
The DPDP Act and Emerging Rules
The DPDPA creates an overarching privacy framework applicable to all industries, including financial services and fintech. It requires data fiduciaries to maintain accurate data, safeguard it appropriately, notify the Data Protection Board (“DPB”) and the affected individuals of breaches, and delete all personal data once its purpose is complete and/or retention is no longer legally required or necessary.
The DPDPA imposes additional requirements on Significant Data Fiduciaries (“SDFs”), such as appointing an India-based Data Protection Officer who reports to the board, conducting periodic Data Protection Impact Assessments (“DPIAs”) and obtaining independent audits of their data handling practices and controls.
Points of Overlap and Tension
At a conceptual level, the RBI’s digital lending and outsourcing norms and the DPDPA share the same guiding principles: purpose limitation, data minimisation, informed consent, security by design and strong accountability. One instance of the overlap is consent: under the RBI norms, a digital lender must obtain the borrower’s consent to collect and share their data and may not access sensitive resources on the borrower’s device unless required to do so, while the DPDPA requires the borrower to give purpose-specific consent to the lender for processing their data and prohibits the lender from processing that data beyond the specified purpose.
Nonetheless, compliance is not simply a matter of applying the same standards across both regimes. For example, the RBI rules require various record-keeping and data-storage practices for Know Your Customer (“KYC”), transaction monitoring and dispute resolution, whereas the DPDPA pushes towards limiting storage and erasing records once their purpose has been served. Hence, start-ups will find themselves having to balance the retention timelines imposed by financial regulation against the erasure rights specified by the DPDPA. Similarly, the RBI’s IT outsourcing regulations focus primarily on supervisory access and operational risk, while the DPDPA focuses primarily on data subject rights and cross-border restrictions, creating a complex regulatory environment in which cloud-based architectures must be both operationally and privacy compliant.
Compliance Design Challenges for Startups
For a fintech company that is just starting out, the task of building a product design that meets both the requirements of the RBI and DPDPA can be quite challenging.
Designing and developing consent flows involves creating a user interface that clearly tells users the loan terms and charges and how their personal information will be used, and ensuring these elements are documented properly in privacy notices, KFS documents and in-app prompts. Additionally, since most fintechs develop their business model and partnerships over time, it is very important to keep the privacy notices, KFS documents and in-app prompts aligned with one another throughout these changes; if not, the fintech will be in violation on both fronts, viz. RBI and DPDPA.
Data mapping is also a major challenge for fintechs. Fintechs collect data from a variety of sources, including, but not limited to, identity, behavioural and transactional data. Some of this data is processed on behalf of partner banks or NBFCs, while other data is used for their own proprietary analytics. To comply with the RBI and DPDPA mandates, fintechs must be able to separate these data streams, tag each stream appropriately and provide differential access control and/or deletion capabilities for each. All of this requires mature data engineering and data governance capabilities.
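As an added illustration of the data-mapping requirement just described and of the retention-versus-erasure tension discussed above (example code written for this page, not part of the original article or any regulator’s guidance), the following Python sketch tags each data stream with its controller, purpose and any regulatory retention hold, then reconciles a DPDPA erasure request against those holds and applies differential access control. The stream names, purposes and hold dates are constructed placeholders, not the RBI’s actual retention periods.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Record:
    """One tagged data stream; the controller is a partner NBFC or the fintech itself."""
    stream: str                 # "identity", "behavioural" or "transactional"
    controller: str             # "partner_nbfc" or "self"
    purpose: str                # purpose stated in the consent notice / KFS
    hold_until: Optional[date]  # regulatory retention hold, None if no hold
    purpose_complete: bool = False
    status: str = "active"      # "active", "restricted" or "erased"

def apply_erasure_request(records: List[Record], today: date) -> Dict[str, str]:
    """Reconcile a DPDPA erasure request with sectoral retention holds: erase what
    the purpose no longer needs, keep held data access-restricted until the hold lapses."""
    outcome: Dict[str, str] = {}
    for r in records:
        if not r.purpose_complete:
            outcome[r.stream] = "kept: purpose still active"
        elif r.hold_until is not None and r.hold_until > today:
            r.status = "restricted"
            outcome[r.stream] = "restricted until " + r.hold_until.isoformat()
        else:
            r.status = "erased"
            outcome[r.stream] = "erased"
    return outcome

def access_allowed(r: Record, use: str) -> bool:
    """Differential access control over the tagged streams."""
    if r.status == "erased":
        return False
    if r.status == "restricted":          # held data: regulatory use only
        return use == "regulatory"
    if r.controller == "partner_nbfc" and use == "proprietary_analytics":
        return False                      # partner data never feeds own analytics
    return True

def sample_records() -> List[Record]:
    """Constructed sample; the dates are placeholders, not actual RBI retention periods."""
    return [
        Record("identity", "partner_nbfc", "kyc", date(2030, 1, 1), True),
        Record("behavioural", "self", "credit_scoring", None, True),
        Record("transactional", "partner_nbfc", "repayment", date(2020, 1, 1)),
    ]

def demo(today: date = date(2025, 6, 1)) -> Tuple[Dict[str, str], List[Record]]:
    recs = sample_records()
    return apply_erasure_request(recs, today), recs
```

Running `demo()` shows the three outcomes side by side: the KYC identity stream is retained under its hold but restricted to regulatory use, the completed behavioural stream is erased, and the still-active transactional stream is kept.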
Outsourcing, Cloud and Vendor Management Burdens
The modern fintech stack relies heavily on cloud hosting and other third-party providers for a variety of services, so the rules on outsourcing have become one of the main operational issues faced by regulated entities. The RBI’s Outsourcing of IT Services Directions require regulated entities to conduct due diligence, while the DPDPA requires data processors to be engaged under a contract governed by the Act so that oversight of the data is retained.
Start-ups that “rent” almost all of the services they need to operate will likely need to re-negotiate vendor agreements, develop an extensive vendor risk framework to deal with the risk created by outsourcing, and possibly change their existing architecture to separate themselves from certain multi-tenant servers. In many cases, smaller companies lack the bargaining power to negotiate with larger, global cloud service providers; yet, while building technology for use by regulated financial institutions (“RFIs”), they remain fully liable under both the RBI norms and the DPDPA when something goes wrong, creating a structural compliance asymmetry between smaller companies and larger, incumbent financial institutions.
AMLEGALS Remarks
The proposal to adopt a unified data governance framework aligning obligations under the RBI and the DPDPA is conceptually sound but requires nuance. RBI norms are prescriptive, while the DPDP framework is principles-based, necessitating reconciliation rather than full consolidation. Although integration may reduce duplication, conflicts such as retention versus data minimisation require layered compliance. Governance measures are appropriate but must reflect specific regulatory roles, including board accountability and DPO requirements. Overall, the approach is valid, but its success depends on careful implementation and alignment with both regimes.
For any queries or feedback, feel free to connect with Hiteashi.desai@amlegals.com or Khilansha.mukhija@amlegals.com
