DPDP Act 2023 · UPI · Digital Lending · Payment Aggregators · Account Aggregators

DPDP for Fintech
UPI, Lending Apps & Digital Payments

Fintech companies are data fiduciaries under the DPDP Act 2023 — from UPI transaction data and digital lending customer records to payment aggregator merchant onboarding and Account Aggregator consent flows. Unified Chambers advises fintech companies on aligning RBI’s Digital Lending Guidelines, PA/PG regulations, and NPCI operational circulars with DPDP’s statutory obligations on consent, breach notification, and data principal rights. Penalties for non-compliance reach Rs 250 crore per contravention.

Senior Partner Advocate Subodh Bajpai, LLM, MBA (XLRI Jamshedpur), leads every engagement. We bring 25 years of financial sector litigation to the data protection table — the same institutions we represent at DRTs are the regulated entities whose lending apps and payment platforms must now comply with DPDP.

Fintech Data Landscape

Why Fintech Companies Are High-Risk Data Fiduciaries

India’s fintech ecosystem processes personal data at an unprecedented scale. A single UPI transaction generates data points across four entities: the payer’s app (PhonePe, Google Pay, Paytm), the payer’s bank, the payee’s bank, and NPCI as the central switch. Digital lending platforms collect bank statements, credit bureau scores, tax returns, and employment records within seconds through API integrations. Payment aggregators process merchant KYC including directors’ Aadhaar, PAN, and personal bank account details.

This data intensity makes fintech the sector most exposed to DPDP enforcement. Every fintech company must determine: what personal data it processes, under what legal basis, for which specific purpose, shared with which third parties, stored for how long, and secured with what safeguards. The answers differ across business models — a neobank, a lending app, a payment gateway, and a wealth management platform each have different data flows, different regulatory overlays, and different DPDP risk profiles.

The RBI has progressively tightened fintech data governance through a series of regulatory actions: the data localisation circular (April 2018) for payment data, the Digital Lending Guidelines (September 2022), the updated PA/PG framework (November 2023), and the Account Aggregator Master Direction. Each of these created sector-specific data handling requirements. DPDP now provides the statutory enforcement layer — with penalties that dwarf RBI’s penalty powers — converting what were regulatory expectations into legally enforceable obligations backed by Rs 250 crore per-contravention penalties.

DPDP Act 2023 — Section 4(1)
“A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose.”
Penalty for non-compliance: Up to ₹250 Crore per contravention
RBI Alignment

Digital Lending Guidelines Meet DPDP
Consent, Data Minimisation & Purpose Limitation

The RBI’s Digital Lending Guidelines (September 2022) were India’s first comprehensive data governance framework for lending. They classified participants as Regulated Entities (REs), Lending Service Providers (LSPs), and Digital Lending Apps (DLAs), and imposed specific data handling requirements on each. The DPDP Act maps onto this structure: the RE is the data fiduciary, LSPs and DLAs are data processors.

Data Minimisation: The DLG mandate that lending apps collect only “need-based” data with proper audit trails. The DPDP Act reinforces this through Section 4(2): personal data shall be processed only to the extent necessary for the stated purpose. A lending app that collects phone contacts, gallery images, or SMS logs — practices that prompted the DLG in the first place — now violates both RBI regulations and DPDP. The penalty exposure is cumulative: RBI supervisory action plus DPDP penalties up to Rs 250 crore.

Consent Flow Design: The DLG require a Key Fact Statement (KFS) at loan origination disclosing all terms. DPDP requires a privacy notice informing data principals of the purpose, categories of data, and their rights before processing begins. A well-designed fintech onboarding flow must present both the KFS (for RBI compliance) and the DPDP privacy notice (for data protection compliance) in a manner that is genuinely informative without creating consent fatigue. Unified Chambers advises on consent architecture that satisfies both frameworks through integrated notice-and-consent workflows.

Third-Party Data Sharing: The DLG prohibit sharing borrower data with third parties without explicit consent. DPDP governs data sharing with processors (Section 8(2)) and requires the fiduciary to ensure processors implement appropriate security safeguards. For fintech companies that rely on credit bureaus, identity verification providers, underwriting partners, and collection agencies, each data sharing relationship requires a DPDP-compliant data processing agreement specifying the purpose, duration, security requirements, and sub-processing restrictions.

AI & Account Aggregators

AI Credit Scoring & AA Framework Under DPDP Scrutiny

Fintech companies have pioneered the use of artificial intelligence and machine learning in credit decisioning. Alternative credit scoring models analyse transaction patterns, social signals, device metadata, and behavioural data to underwrite borrowers without traditional credit histories. Under DPDP, this AI-driven processing creates specific compliance requirements that go beyond general data protection obligations.

Using customer data to train ML models constitutes “processing” under DPDP Section 2(x). The consent obtained at loan application for credit assessment may not extend to training models that will be used for future applicants. Model training on historical customer data requires either: fresh consent for the training purpose, legitimate uses under Section 7 (if applicable), or demonstrable anonymisation where the data no longer relates to identifiable individuals. Fintech companies must also address the right of data principals to know about automated decision-making — borrowers rejected by an AI model have a legitimate interest in understanding the algorithmic basis. Our AI compliance practice advises on building DPDP-compliant AI governance frameworks for lending.

The Account Aggregator ecosystem presents a more advanced consent model that fintech companies can learn from. The AA consent artifact is granular: it specifies purpose, data categories, data life (how long the FIU can retain data), frequency of access, and an expiry date. DPDP’s notice-and-consent framework is broader but less granular. Fintech companies operating as Financial Information Users (FIUs) within the AA framework must comply with both: the AA consent artifact terms and DPDP’s overarching requirements. When the AA consent expires, the fintech must erase the data — even if DPDP consent technically remains valid — because the more restrictive framework governs.

The intersection of these frameworks creates a compliance matrix that few fintech companies have mapped. A lending fintech that obtains bank statements through AA, credit bureau data through CIBIL API, and identity verification through DigiLocker/UIDAI operates under four simultaneous consent regimes: AA consent, credit bureau consent, Aadhaar consent, and DPDP consent. Each has different revocation mechanics, retention periods, and enforcement bodies. Unified Chambers maps this matrix and designs unified compliance architectures.

Startup Readiness

The Fintech Startup Compliance Burden

DPDP does not exempt startups. A pre-revenue lending app processing personal data of its first 100 borrowers faces the same statutory obligations as a listed payment company processing data of 100 million users. The penalty framework is per-contravention, not proportional to revenue — a startup violating DPDP faces the same Rs 250 crore maximum as an established institution.

Practically, this means fintech startups must build DPDP compliance into their product architecture from day one — not bolt it on before an IPO or after a regulator inquiry. The minimum compliance framework includes: DPDP-compliant privacy notice, consent management mechanism, data principal rights workflow, data breach incident response SOP, data processing activity mapping, and vendor data processing agreements. For startups seeking RBI registration (NBFC, PA/PG, or AA), DPDP compliance is likely to become a pre-condition for regulatory approval.

Investor due diligence increasingly includes data protection compliance assessment. Series A and beyond investors, particularly those with portfolio companies that have faced regulatory action (such as the RBI crackdowns on lending apps in 2022-23), now require evidence of DPDP readiness before committing capital. A fintech that cannot demonstrate a compliance framework risks both regulatory penalty and investment friction. Unified Chambers provides compliance readiness assessments designed to withstand both regulatory and investor scrutiny.

Frequently Asked Questions

DPDP for Fintech — Key Questions

Are fintech companies data fiduciaries under the DPDP Act 2023?

Yes. Any fintech company that determines the purpose and means of processing personal data is a data fiduciary under the DPDP Act. This includes digital lending platforms (that decide which borrower data to collect and how to assess creditworthiness), payment aggregators (that process transaction data for merchant settlements), UPI-enabled apps (that access user bank account information), neobanks (that collect KYC and transaction data), and InsurTech platforms (that process health and financial data for underwriting). Even fintech companies that operate as technology intermediaries may be classified as data fiduciaries if they exercise control over data processing decisions rather than merely executing instructions from a regulated entity.

How does UPI transaction data fall under DPDP?

UPI transaction data is personal data under DPDP Section 2(t) because it relates to an identifiable individual — every UPI transaction is linked to a Virtual Payment Address (VPA) that maps to a specific bank account holder. UPI apps process: sender and receiver names, VPA identifiers, bank account details (masked), transaction amounts, timestamps, merchant names, and geolocation data. The National Payments Corporation of India (NPCI) governs UPI data through its operational circulars, while RBI mandates payment data localisation in India. DPDP adds: (a) consent requirements for processing transaction data beyond payment execution; (b) purpose limitation — UPI data collected for payment cannot be repurposed for marketing without separate consent; (c) breach notification obligations if UPI transaction data is compromised.

What are the DPDP implications of the Account Aggregator framework?

The Account Aggregator (AA) framework, regulated under RBI's NBFC-AA Master Direction, enables consent-based financial data sharing between Financial Information Providers (FIPs) and Financial Information Users (FIUs). The AA framework's consent artifact model is more granular than DPDP's general consent — it specifies purpose, data types, frequency, and duration. However, DPDP applies additional requirements: (a) the FIU (typically a lending fintech) that receives data through AA must independently comply with DPDP consent, purpose limitation, and storage limitation; (b) data obtained through AA cannot be retained beyond the consented period, even if the FIU has a separate business relationship with the customer; (c) if the AA consent expires or is revoked, the FIU must erase the data per DPDP Section 8(7). Fintechs building on the AA ecosystem must design their data pipelines to honour both AA consent expiry and DPDP erasure obligations.

Can fintech companies use customer data to train AI/ML credit scoring models?

This is one of the most consequential DPDP questions for fintech. Using customer personal data to train machine learning models constitutes processing under the Act. Section 4(1) defines processing as "wholly or partly automated operation or set of operations performed on digital personal data" — model training clearly qualifies. The data fiduciary must: (a) obtain consent for the specific purpose of model training (generic "improve our services" consent is unlikely to survive DPBI scrutiny); (b) ensure the training data is anonymised if the purpose can be served without identifying individuals; (c) provide data principals with information about automated decision-making, as they have a right to know that AI models are influencing credit decisions. RBI's draft guidelines on AI in banking further require explainability of credit decisions — a fintech that cannot explain why its model rejected a loan application faces both DPDP and RBI risk.

What compliance burden does DPDP impose on fintech startups?

DPDP applies equally to a Series A lending startup and a listed payment company — there are no exemptions based on size or revenue. However, the practical compliance burden scales with data volume and processing complexity. At minimum, every fintech startup must: (1) publish a DPDP-compliant privacy notice; (2) implement a consent management mechanism with opt-in/opt-out capability; (3) establish a data principal rights request workflow (access, correction, erasure); (4) build a data breach incident response SOP; (5) map all personal data processing activities and their legal bases; (6) review data sharing agreements with third-party vendors, banking partners, and LSPs. Startups classified as Significant Data Fiduciaries face additional obligations: DPO appointment, data auditor, and DPIA. Unified Chambers offers a tiered engagement model — from a compliance readiness assessment (Rs 50 lakh minimum) to full ongoing advisory.

How do payment aggregators comply with both RBI PA guidelines and DPDP?

Payment Aggregators (PAs) licensed under RBI's PA/PG Guidelines (March 2020, updated November 2023) face dual compliance. RBI requires PAs to: maintain data security standards (PCI DSS), store payment data in India, not store card data (except in tokenised form), and undergo annual security audits. DPDP adds: consent for data processing beyond payment facilitation, breach notification to DPBI and affected merchants/consumers, purpose limitation on transaction data, and erasure obligations when the merchant-PA relationship ends. The intersection is critical at the merchant onboarding stage — PAs collect merchant directors' personal data (Aadhaar, PAN, bank details) for KYC, which is now protected under DPDP. PAs must also assess whether their fraud detection systems, which process personal data algorithmically, comply with DPDP's automated decision-making requirements.

Does Unified Chambers represent fintech companies before the Data Protection Board?

Yes. Unified Chambers represents data fiduciaries — including fintech companies, lending platforms, and payment companies — before the Data Protection Board of India (DPBI) in complaint proceedings and penalty adjudication. We also handle appeals from DPBI orders before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Our differentiation for fintech clients: we understand both the regulatory architecture (RBI, NPCI, SEBI) and the data protection framework (DPDP, CERT-In). When a borrower files a complaint with the DPBI alleging that a lending app misused their data, and the same borrower is also a defaulter being pursued in DRT proceedings, Unified Chambers handles both matters — no conflicting strategies, no coordination overhead. Minimum engagement: Rs 50 lakhs.

Get Started

Fintech DPDP Compliance Starts With One Conversation

WhatsApp Advocate Subodh Bajpai directly. Whether your fintech needs a DPDP compliance audit, consent architecture design, AI governance framework, or Data Protection Board representation — senior-level engagement from day one. Minimum matter value: Rs 50 lakhs.

WhatsApp: +91 84008 60008