dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.
DPDP Act for BFSI & Fintech India: Complete Compliance Guide 2025 | KavachOne
🏦 BFSI & Fintech Sector Guide

DPDP Act for BFSI & Fintech India

India's financial sector is one of the largest processors of sensitive personal data in the country — transaction records, credit histories, income details, biometric KYC, and more. The DPDP Act 2023 imposes strict obligations on every bank, NBFC, insurer, payment aggregator, and fintech startup processing this data. Non-compliance carries penalties up to ₹250 crore — and the DPB will scrutinise BFSI players closely.

📊 BFSI PII Categories
🏦 Banking: A/c numbers, KYC docs, transaction history, credit scores
💳 Payments: UPI IDs, card details, VPA, payment patterns
📈 Lending: Income data, employment, CIBIL, collateral details
🛡️ Insurance: Health records, claim history, beneficiary data, premiums
⚠️ Likely Significant Data Fiduciaries: Large banks, insurance companies & payment aggregators are likely to be notified as SDFs — with additional DPO, DPIA & audit obligations
₹250 Cr: Max Penalty for Data Security Violations
72 Hrs: Breach Notification to DPB
SDF: Large BFSI Likely as Significant Data Fiduciaries
RBI + DPDP: Dual Regulatory Compliance Required
30 Days: DSAR Response Deadline
Financial PII

8 Categories of Financial Personal Data Under DPDP

BFSI organisations process more categories of personal data — and more sensitive data — than almost any other sector. Each category carries specific consent, security, and processing obligations.

🪪
KYC Identity Data
Aadhaar, PAN, Passport, Voter ID, Driving Licence, CKYC records
Critical PII
🏦
Banking & Account Data
Account numbers, IFSC, debit/credit card details, net banking credentials
Critical PII
💰
Transaction History
Payment records, transfer history, UPI transactions, merchant payments
Sensitive PII
📊
Credit & Bureau Data
CIBIL score, credit history, loan repayment records, credit utilisation
Sensitive PII
💼
Income & Employment Data
Salary slips, ITR, Form 16, employer details, bank statements
Sensitive PII
🏥
Health & Insurance Data
Health declarations, medical reports, claim records, policy beneficiaries
Critical PII
👆
Biometric Data
Fingerprints, facial scan (video KYC), voice prints, retinal data
Critical PII
📱
Behavioural & Device Data
App usage patterns, device ID, location (ATM/branch visits), spending patterns
Standard PII
By Sub-Sector

DPDP Obligations by BFSI Sub-Sector

Each BFSI sub-sector faces a distinct compliance profile under the DPDP Act — shaped by the types of personal data processed, scale of processing, and regulatory overlap with sector-specific frameworks.

🏦
Commercial Banks
Likely Significant Data Fiduciaries — Highest Obligations
Large banks process data of millions of Indians — likely to be notified as SDFs, with additional DPO, Annual DPIA, and Regulatory Audit requirements.
  • Consent for all non-mandatory data processing (marketing, analytics, cross-sell)
  • Legitimate Use basis for regulatory-mandated KYC and AML processing
  • Data Principal Rights Portal for all customers — 30-day DSAR response
  • ROPA covering all 8 PII categories across core banking, mobile, and digital channels
  • DPIAs for credit scoring, fraud analytics, and customer profiling
  • 72-hour breach notification — integrated with RBI incident reporting
💳
Payment Aggregators & Gateways
High Volume — Transaction Data + Merchant Data Obligations
Processing payment data for millions of transactions daily — RBI PA/PG Guidelines and DPDP overlap significantly, but DPDP adds consent and rights dimensions not covered by RBI alone.
  • Explicit consent for using transaction data beyond payment processing
  • No secondary use of transaction data for analytics/advertising without consent
  • DSAR capability — customers can access their transaction PII
  • DPA with all merchant partners processing customer payment data
  • 72-hour breach notification for any payment data breach
  • PII Scanner deployed across all data stores including tokenised card vaults
📈
NBFCs & Digital Lenders
Credit Scoring, Bureau Pull, Repayment Tracking
Digital lenders process income, bank statement, and credit bureau data — often via automated credit decisions, requiring DPIA and consent specifically for bureau access and automated decisioning.
  • Explicit consent before pulling credit bureau (CIBIL, Experian, Equifax, CRIF) data
  • DPIA mandatory for automated credit decisioning systems
  • Consent for accessing device data via lending apps (contacts, location, SMS)
  • RBI FLDG / digital lending guidelines + DPDP dual compliance
  • Data Principal right to explanation for automated credit decisions
  • Strict limits on retention of rejected applicant data
🛡️
Insurance Companies
Health Data — Maximum Sensitivity Obligations
Insurers process health declarations, medical records, and family health history — the most sensitive PII under the DPDP Act — requiring the strongest consent and security standards.
  • Explicit, purpose-specific consent for all health data collection
  • Health data shared with reinsurers and TPAs requires DPA and data minimisation
  • DPIA for any health data analytics, risk scoring, or underwriting models
  • Policyholder DSAR rights — access, correction, and erasure obligations
  • Breach notification to DPB within 72 hours for any health data breach
  • IRDAI overlap — DPDP adds consent dimension to existing IRDAI data rules
📊
Wealth Management & Stock Brokers
Investment Portfolio + Financial Goals Data
Processing detailed financial profiles — income, assets, investment goals, risk appetite — for personalised advice. SEBI regulations and DPDP obligations must both be satisfied.
  • Consent for financial profiling used in investment recommendations
  • No secondary use of portfolio data for marketing or third-party sharing
  • DSAR — investors can access full financial profile held by the firm
  • DPIA for AI-driven portfolio management and robo-advisory systems
  • KYC / SEBI-mandated data: Legitimate Use basis; marketing data: Consent basis
  • TPRM for research providers and analytics vendors accessing client data
🚀
Fintech Startups
BNPL, Neobanks, Account Aggregators, Crypto
Fintechs often aggregate data from multiple sources — AA framework, bank APIs, UPI, GST data — creating high-risk composite profiles that require robust consent architecture and DPIAs.
  • AA (Account Aggregator) data: Consent explicitly required per RBI CM framework
  • DPIA for any composite financial profiling or credit underwriting model
  • ConsentiQo for purpose-specific consent across every data ingestion API
  • DPA with every data source partner (banks, GSPs, credit bureaux)
  • Children's data: BNPL and neobank apps must age-verify all users under §9
  • Data minimisation: only data strictly necessary for the stated financial service
Regulatory Overlap

RBI & SEBI Regulations vs DPDP Act — What Overlaps, What Gaps

India's BFSI sector is already heavily regulated for data security by RBI, SEBI, and IRDAI. But these frameworks focus on security and fraud — not privacy rights. DPDP fills the gap.

| Data Protection Area | RBI / SEBI / IRDAI Framework | DPDP Act Addition | Compliance Status |
|---|---|---|---|
| Data security & encryption | RBI IT Framework, IS Audit — strong encryption mandates | DPDP §8(5) reinforces security obligations — no new requirements beyond RBI for most banks | Compatible |
| KYC data collection | Mandatory KYC under Prevention of Money Laundering Act (PMLA) | Legitimate Use basis applies — no separate DPDP consent needed for mandatory KYC | Covered |
| Customer consent for marketing | RBI guidelines on unsolicited communication — partial coverage | DPDP §6 requires explicit, purpose-specific, withdrawable consent — stricter than RBI marketing rules | DPDP Gap |
| Credit bureau data pulls | RBI permits bureau pulls for credit assessment — no specific consent requirement | DPDP requires explicit consent before accessing bureau data for individuals | DPDP Gap |
| Data breach notification | RBI cybersecurity framework requires RBI reporting within 6 hours | DPDP adds DPB notification within 72 hours AND affected customer notification — dual reporting needed | Dual Report |
| Customer rights (access, correction) | RBI Banking Ombudsman — limited grievance mechanism; no formal data access rights | DPDP §11–§14 creates full rights framework — access, correction, erasure, portability, nomination | DPDP Gap |
| Sharing data with third parties | RBI permits sharing with credit bureaux and regulators; limited third-party rules | DPDP requires DPA with all processors; consent for non-mandatory sharing; TPRM programme | DPDP Gap |
| Data localisation | RBI payment data localisation (2018 circular) — payment data must stay in India | DPDP restricts cross-border transfers — aligned with RBI for payment data; extends to all financial PII | Extends RBI |
Consent Scenarios

DPDP Consent vs Legitimate Use — 6 BFSI Scenarios

Not all BFSI data processing requires consent under the DPDP Act. Understanding when Legitimate Use applies — and when explicit consent is mandatory — is the foundation of BFSI compliance.

Legal Obligation 🪪
KYC / AML Data Collection
Banks must collect Aadhaar, PAN, and address proof under PMLA and RBI KYC norms — the legal obligation is mandatory, not optional for the customer.
Basis: Legitimate Use (legal obligation) — No separate DPDP consent needed. Inform customer via privacy notice of the legal basis.
Consent Required 📧
Cross-Selling Other Products
Using a customer's banking data to market a credit card, insurance policy, or personal loan — this is secondary processing beyond the original banking purpose.
Basis: Explicit DPDP Consent — Separate, specific consent required for each product category being marketed. Withdrawable at any time.
Consent Required 📊
Credit Bureau Pull for New Applicant
An NBFC or bank pulls a customer's CIBIL report to assess creditworthiness for a new loan application — accessing externally held personal financial data.
Basis: Explicit DPDP Consent — Customer must consent to bureau pull before it occurs. Consent record must be maintained with timestamp.
Legitimate Use 🔒
Fraud Detection & Transaction Monitoring
Monitoring transaction patterns to detect fraudulent activity, AML suspicious transactions, and cybercrime — processing required to protect the customer and meet regulatory obligations.
Basis: Legitimate Use (security + legal) — DPIA advisable given scale and automated decisioning. No separate consent needed but must be disclosed in privacy notice.
Consent Required 🤝
Sharing Data with Third-Party Partners
Sharing customer financial data with co-lending partners, insurance subsidiaries, or fintech API partners for joint products or data monetisation.
Basis: Explicit Consent + DPA — Customer consent required for each sharing purpose; DPA mandatory with all recipients processing data on your behalf.
Legitimate Use ⚖️
Court Orders / Regulatory Disclosures
Producing customer data in response to court orders, SFIO, ED, IT department notices, or compulsory regulatory information requests.
Basis: Legitimate Use (legal obligation) — No consent required; document the legal basis for disclosure and inform the customer where legally permissible.
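The six scenarios above boil down to one decision per processing activity: is the basis Legitimate Use (disclose it in the privacy notice and proceed), or is explicit, purpose-specific, withdrawable consent needed (check a timestamped record first)? The following is an added illustration of that decision as an append-only consent ledger; it is not KavachOne or ConsentiQo code. The activity names, the customer ids and the `channel` field are assumptions made for the example, and the walk-through in `demo()` uses constructed timestamps.

```python
# Added illustration of a purpose-specific consent ledger for the BFSI scenarios.
# Not KavachOne / ConsentiQo code; activity names and the `channel` field are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Activities the page places on the Legitimate Use basis: no consent record is
# needed, but the basis must be disclosed in the privacy notice.
LEGITIMATE_USE = {
    "kyc_aml": "Legitimate Use: legal obligation (PMLA / RBI KYC norms)",
    "fraud_monitoring": "Legitimate Use: security and legal obligation",
    "regulatory_disclosure": "Legitimate Use: legal obligation (court order / regulator notice)",
}

# Activities the page says need explicit, separate, withdrawable consent.
# Each marketed product category is its own purpose; consent does not carry over.
CONSENT_REQUIRED = {
    "cross_sell_credit_card",
    "cross_sell_insurance",
    "bureau_pull",
    "third_party_sharing",
}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool      # True = consent given, False = consent withdrawn
    at: datetime       # timestamp of the customer's action (UTC)
    channel: str       # assumed field: where it was captured (app, web, branch)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str         # human-readable basis, suitable for the audit trail


class ConsentLedger:
    """Append-only, timestamped consent record per customer (assumed in-memory store)."""

    def __init__(self) -> None:
        self._events: dict[str, list[ConsentEvent]] = {}

    def _record(self, customer_id, purpose, granted, channel, at):
        if purpose not in CONSENT_REQUIRED:
            raise ValueError(f"{purpose!r} is not a consent-based purpose; check the ROPA")
        at = at or datetime.now(timezone.utc)
        self._events.setdefault(customer_id, []).append(ConsentEvent(purpose, granted, at, channel))
        return at

    def grant(self, customer_id, purpose, channel, at=None):
        return self._record(customer_id, purpose, True, channel, at)

    def withdraw(self, customer_id, purpose, channel, at=None):
        return self._record(customer_id, purpose, False, channel, at)

    def history(self, customer_id):
        # Serves a DSAR: every grant or withdrawal the customer made, with timestamps.
        return list(self._events.get(customer_id, []))

    def decide(self, customer_id, purpose, at=None) -> Decision:
        if purpose in LEGITIMATE_USE:
            return Decision(True, LEGITIMATE_USE[purpose])
        if purpose not in CONSENT_REQUIRED:
            return Decision(False, "No legal basis assigned to this activity; add it to the ROPA first")
        at = at or datetime.now(timezone.utc)
        # Only events for exactly this purpose count: consent for one product
        # category never covers another. The latest event at or before `at` wins;
        # the stable sort keeps insertion order for equal timestamps.
        relevant = [e for e in self._events.get(customer_id, []) if e.purpose == purpose and e.at <= at]
        if not relevant:
            return Decision(False, "Consent required: no consent on record for this purpose")
        latest = sorted(relevant, key=lambda e: e.at)[-1]
        if latest.granted:
            return Decision(True, f"Consent granted {latest.at.isoformat()} via {latest.channel}")
        return Decision(False, f"Consent withdrawn {latest.at.isoformat()} via {latest.channel}")


def demo():
    """Constructed walk-through: grant, point-in-time check, withdrawal, unrelated purpose."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed sample timestamp
    ledger.grant("CUST-001", "bureau_pull", "app", at=t0)
    ledger.grant("CUST-001", "cross_sell_credit_card", "web", at=t0)
    ledger.withdraw("CUST-001", "bureau_pull", "app", at=t0 + timedelta(days=3))
    return {
        "kyc": ledger.decide("CUST-001", "kyc_aml", at=t0).allowed,
        "bureau_at_grant": ledger.decide("CUST-001", "bureau_pull", at=t0 + timedelta(hours=1)).allowed,
        "bureau_after_withdrawal": ledger.decide("CUST-001", "bureau_pull", at=t0 + timedelta(days=4)).allowed,
        "insurance_cross_sell": ledger.decide("CUST-001", "cross_sell_insurance", at=t0 + timedelta(days=4)).allowed,
        "unmapped": ledger.decide("CUST-001", "loyalty_analytics", at=t0).allowed,
        "events": len(ledger.history("CUST-001")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point-in-time `at` parameter matters for the bureau-pull scenario: a pull made while consent was in force stays defensible after the customer withdraws, and the ledger can show exactly which record authorised it. The credit-card grant not unlocking insurance cross-sell is the "separate, specific consent per product category" rule from the cross-selling scenario; an activity with no basis assigned at all is refused rather than silently treated as consented.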

Is Your BFSI Organisation a Significant Data Fiduciary?

The Central Government will notify organisations as Significant Data Fiduciaries (SDFs) based on volume and sensitivity of data processed. Large banks, insurers, and payment aggregators are almost certain to be notified — bringing additional obligations beyond standard DPDP requirements.

  • Processing personal data of very large numbers of data principals — likely millions for large banks
  • Processing sensitive data at scale — health, financial, biometric data
  • Potential for systemic risk to financial system if data is compromised
  • National security or public order implications of data processing
  • Impact on sovereignty, security, or critical infrastructure of India
Additional SDF Obligations for BFSI
👤 DPO Appointment: Designated Data Protection Officer — resident in India, reporting to Board
Annual DPIA: Mandatory DPIA for all significant data processing activities — not just high-risk ones
🔍 Independent Data Audit: Annual audit of data processing by independent Data Auditor empanelled by DPB
📊 Algorithmic Transparency: Maintain and publish information about algorithms used in automated financial decisioning
📋 Enhanced DPB Reporting: Mandatory periodic compliance reports to DPB — timeline and format to be specified
Compliance Roadmap

BFSI DPDP Compliance 4-Phase Roadmap

A structured, prioritised approach to achieving DPDP compliance across a BFSI organisation — from discovery to ongoing programme management.

Phase 1 — Months 1–2 🔍
Discover & Assess
  • PII Scanner deployed across core banking, mobile apps, CRM, analytics
  • All 8 financial PII categories identified and classified
  • Vendor inventory completed — TPRM scope defined
  • RBI vs DPDP gap analysis completed
  • Preliminary SDF risk assessment conducted
Phase 2 — Months 2–4 📋
Document & Govern
  • ROPA built across all BFSI processing activities
  • Consent vs Legitimate Use basis assigned to each activity
  • DPAs executed with all processors and data-sharing partners
  • DPIAs conducted for credit scoring, fraud analytics, health data
  • Privacy notices updated to DPDP standards
Phase 3 — Months 4–6 🛠️
Implement & Enable
  • ConsentiQo deployed for customer consent management
  • Data Principal Rights Portal live for all customers
  • Breach response plan tested and integrated with RBI reporting
  • TPRM assessments for Tier 1–2 vendors completed
  • DPO appointed (if SDF) and governance structure in place
Phase 4 — Ongoing 🔄
Monitor & Sustain
  • ROPA updated with every new product or data flow change
  • Annual DPIA reviews for all high-risk processing
  • TPRM re-assessments on schedule per vendor tier
  • DSAR SLA monitoring — 30-day response compliance tracked
  • Annual DPDP compliance report to DPB (if SDF)

DPDP Compliance for India's BFSI Sector

KavachOne brings ISO 27001:2022 certification and deep BFSI sector expertise to DPDP compliance — delivering PII scanning, ROPA, consent management, DPIA, TPRM, and breach response in a single integrated platform built for the regulatory complexity of India's financial services industry.

FAQs

Common Questions: DPDP Act & BFSI

Does RBI compliance cover DPDP obligations for banks — or is separate DPDP compliance needed?
RBI compliance covers data security and operational risk — but it does not cover most of the DPDP Act's privacy-specific obligations. The most significant DPDP gaps for banks are: explicit consent for marketing and cross-sell, formal customer rights (access, correction, erasure, portability), purpose-specific consent for credit bureau pulls, contractual DPAs with all data processors, and the 72-hour DPB breach notification requirement. These are entirely new obligations that RBI compliance does not address, requiring a separate DPDP compliance programme.
How does the DPDP Act interact with RBI's Account Aggregator (AA) framework?
The Account Aggregator framework is built on consent as its core principle — requiring explicit, purpose-specific consent for every data fetch. This aligns well with DPDP §6 requirements. However, the DPDP Act adds additional dimensions: the right to withdraw consent (which must now be operationalised in AA flows), data principal rights over AA-aggregated data, and DPDP's 30-day DSAR response requirement for all financial data including AA-sourced data. Fintechs using the AA framework should map their AA consent flows to DPDP §6 to confirm full compliance.
Can lending apps use device data (contacts, SMS, location) under DPDP?
This is one of the most contentious areas in fintech DPDP compliance. Accessing contacts, SMS, and location data through lending apps requires explicit, informed consent under DPDP §6 — and the consent must be genuinely voluntary, not a condition of app access where practically refusing means no loan. RBI's 2022 digital lending guidelines already restricted excessive device data collection, and DPDP reinforces this by requiring purpose-limitation and data minimisation. Lenders must assess whether each device data category is strictly necessary for the stated processing purpose — and obtain separate, granular consent for each category they access.
Do insurance companies need separate DPDP consent for health data collected during underwriting?
Yes — health data is among the most sensitive personal data under the DPDP Act, and its collection for underwriting purposes requires explicit, informed consent from the policyholder. The consent must be purpose-specific (underwriting only, or separately for claims processing, reinsurance sharing, etc.), and the policyholder must understand what health data is being collected and why. IRDAI does not provide an equivalent consent framework — DPDP adds this obligation on top of existing IRDAI data management requirements for insurers.
How should BFSI organisations handle the 72-hour DPB breach notification alongside RBI's 6-hour reporting requirement?
BFSI organisations face a dual breach reporting obligation: RBI requires a 6-hour preliminary incident report for cyber incidents, while DPDP requires DPB notification within 72 hours of confirming a personal data breach. The 6-hour RBI report focuses on the security incident itself, while the DPDP DPB report must specifically address the personal data involved, affected individuals, and consumer notification plans. KavachOne's breach response module is designed to generate both notifications from a single incident workflow — ensuring the more urgent RBI timeline triggers the DPDP documentation process simultaneously.