FINTECH AND DATA PRIVACY IN INDIA: WHEN RBI AND THE DPDP ACT PULL IN OPPOSITE DIRECTIONS
This article is written by Aryan Kadam from Symbiosis College of Arts and Commerce.
Abstract
India’s fintech sector is increasingly caught between two regulatory frameworks. For years, the Reserve Bank of India (RBI) governed how financial data could be collected, processed, and stored. The Digital Personal Data Protection Act, 2023 (DPDP Act) has now introduced a separate layer of obligations. While both seek to protect consumers and strengthen trust in digital finance, their requirements do not always align. This article examines the key areas of conflict and the need for greater regulatory coordination.
I. Introduction
Data forms the foundation of every modern fintech platform. Every loan application, UPI transaction, and credit score query generates personal information that is collected, stored, and protected. Until recently, RBI regulations, particularly the Digital Lending Guidelines, 2022, served as the primary framework governing these activities.
However, the DPDP Act, 2023 significantly changed this landscape. Rather than replacing existing regulations, it operates alongside them. As a result, fintech companies now face a dual compliance burden: complying with RBI requirements while also meeting data protection obligations under the DPDP Act. Although both frameworks share similar objectives, they often impose conflicting duties.
II. Two Regulators, One Problem
Most fintech services operate through a partnership between a regulated financial institution, such as a bank or NBFC, and a technology platform with which customers directly interact.
Under RBI regulations, responsibility for customer protection and data management primarily rests with the regulated entity. Under the DPDP Act, however, responsibility falls on the “Data Fiduciary”, the entity that determines how and why personal data is processed. In many situations, this role is performed by the fintech platform itself.
Consequently, the same customer data may be governed by two legal frameworks that allocate responsibility differently, creating uncertainty regarding accountability and compliance.
III. Where the Conflict Arises
A. Retention vs. Erasure
One of the most significant tensions concerns data retention. RBI rules require KYC records to be retained for at least five years after a customer relationship ends. In contrast, the DPDP Act promotes deletion of personal data once the purpose for which it was collected has been fulfilled.
This creates a practical dilemma. If a customer seeks deletion of their personal data, fintech companies may struggle to determine whether compliance with one framework could result in non-compliance with the other. At present, there is no clear statutory mechanism that fully reconciles these obligations.
B. Consent Requirements
Consent presents another challenge. RBI regulations generally permit broad consent obtained during onboarding for related processing activities. The DPDP Act adopts a more specific approach, emphasising informed and purpose-based consent.
This difference becomes particularly important for fintech firms that rely on AI-driven credit scoring, behavioural analytics, or other advanced data-processing tools. Existing onboarding processes may not satisfy the stricter consent requirements envisioned under the DPDP framework.
C. Data Storage and Localisation
Data storage requirements create a further area of uncertainty. The RBI has historically required certain categories of financial data to be stored within India. The DPDP Act, however, focuses primarily on regulating cross-border data transfers rather than imposing broad localisation requirements.
For fintech companies that rely on global cloud infrastructure, the absence of complete alignment between the two frameworks creates operational and compliance challenges.
IV. Progress and Remaining Gaps
Some efforts have been made to bridge the gap between financial regulation and data protection law. The RBI’s updated Regulatory Sandbox framework requires participating entities to comply with the DPDP Act, signalling an attempt to integrate privacy considerations into financial regulation. The DPDP Rules, 2025 have also provided greater clarity regarding issues such as breach reporting and cross-border transfers.
However, the most significant conflicts remain unresolved. There is still no comprehensive guidance from the RBI and the Ministry of Electronics and Information Technology (MeitY) explaining how overlapping obligations should be interpreted. Nor is there any clear legal hierarchy to determine which framework should prevail when conflicts arise.
V. Conclusion
The RBI’s regulatory framework and the DPDP Act ultimately pursue the same goal: protecting consumers and promoting trust in India’s digital economy. Yet overlapping and occasionally conflicting requirements have created uncertainty for fintech companies attempting to comply with both.
Greater coordination between regulators is therefore essential. Joint guidance, legislative clarification, or a formal inter-agency framework could help resolve existing ambiguities and provide much-needed certainty. Until then, fintech companies will continue operating in a regulatory grey area that risks undermining both compliance and innovation.