DPDP for NBFCs & HFCs
RBI Compliance + Data Protection
NBFCs and housing finance companies process some of the most sensitive personal data in India’s financial sector. DPDP Act 2023 compliance for NBFCs requires aligning existing RBI regulatory frameworks — the IT Framework Master Direction, Digital Lending Guidelines, and KYC norms — with new statutory obligations on consent, breach notification, and data principal rights. Unified Chambers advises NBFCs, HFCs, P2P lenders, and ARCs on building compliant data governance architectures that satisfy both RBI and the Data Protection Board of India.
Senior Partner Advocate Subodh Bajpai, LLM, MBA (XLRI Jamshedpur), leads every NBFC DPDP engagement personally. We already represent NBFCs and ARCs at all 39 DRTs for NPA recovery — the same borrower data that drives recovery is now protected under DPDP.
Why NBFCs Process the Most Sensitive Financial Data
Non-banking financial companies occupy a unique position in India’s data protection landscape. Unlike banks that primarily process KYC and transaction data, NBFCs — particularly digital lending platforms, microfinance institutions, and housing finance companies — collect and process data that extends deep into a borrower’s personal life. A typical digital lending NBFC collects: Aadhaar e-KYC data, PAN and income tax returns, CIBIL/credit bureau scores, bank account statements (via Account Aggregator or direct upload), employment details, family member references, property documents, and geolocated device data.
This data is processed through multiple third-party systems: credit bureaus (CIBIL, Experian, Equifax, CRIF High Mark), digital identity providers (DigiLocker, UIDAI), Account Aggregators (Setu, Sahamati ecosystem), and lending service providers (LSPs) that act as agents for the NBFC. Each data sharing constitutes a separate processing activity under the DPDP Act, requiring distinct consent and purpose limitation compliance.
The RBI has already flagged data governance failures in the NBFC sector. The Digital Lending Guidelines of September 2022 were prompted by widespread complaints about lending apps accessing borrowers’ phone contacts, galleries, and messages — data that has no legitimate connection to credit assessment. DPDP now imposes statutory penalties of up to Rs 250 crore per contravention on the same practices that RBI sought to curb through regulatory direction.
For systemically important NBFCs (NBFC-ND-SI with asset size above Rs 500 crore), the regulatory exposure is doubled: RBI can impose penalties under the RBI Act for non-compliance with IT Framework directions, and the DPBI can separately impose penalties under the DPDP Schedule. These are cumulative — a single data breach event can trigger sanctions from both regulators.
RBI IT Framework Meets DPDP Act Obligations
The RBI Master Direction on Information Technology Framework for the NBFC Sector (2017, updated periodically) already mandates IT governance, information security policy, cyber security framework, and IT audit for NBFCs above Rs 500 crore asset size. The DPDP Act layers additional statutory obligations on top of this existing framework. Understanding the overlap and gaps is critical for compliance efficiency.
Consent Architecture: The RBI Digital Lending Guidelines require that borrower data be collected only with “explicit consent of the borrower” at the time of loan origination. DPDP Section 6 requires consent that is “free, specific, informed, unconditional, and unambiguous,” evidenced by a clear affirmative action. An NBFC’s consent mechanism must satisfy both: RBI’s Key Fact Statement requirements and DPDP’s notice-and-consent framework. A single consent flow, properly designed, can address both.
Data Localisation: RBI requires all payment-related data to be stored in India. DPDP permits cross-border transfer of personal data to countries not restricted by the Central Government. The intersection matters when an NBFC uses cloud infrastructure, analytics vendors, or collection agencies based outside India. RBI’s localisation requirement is more restrictive than DPDP’s default permissive stance — but DPDP’s restrictions, when notified for specific countries, will carry the higher penalty.
Incident Reporting: RBI requires NBFCs to report cyber incidents to CERT-In within 6 hours and to the RBI supervisory team. DPDP requires notification to the Data Protection Board of India and each affected data principal “without delay.” An NBFC must run parallel notification workflows: CERT-In (6 hours), RBI supervisory team (per directions), DPBI (expeditious), and affected borrowers/depositors (per DPDP). The forensic evidence preservation requirements differ between the cybersecurity and data protection frameworks.
Data Retention: RBI’s KYC Direction requires customer records to be maintained for at least five years after the business relationship ends. DPDP’s purpose limitation principle requires personal data to be erased when “the purpose for which it was processed is no longer being served.” NBFCs must reconcile these: maintain KYC records for the RBI-mandated period while ensuring that data beyond this period is erased per DPDP. The reconciliation is particularly complex when NPA accounts are involved — recovery proceedings may continue for years after the loan was classified as NPA.
Digital Lending Apps, P2P Platforms & the Consent Problem
The RBI’s Digital Lending Guidelines (September 2022) were India’s first sector-specific data governance framework for lending. They classified the digital lending ecosystem into three participants: the Regulated Entity (bank or NBFC), Lending Service Providers (LSPs — the apps), and Digital Lending Apps (DLAs — the technology interface). Under DPDP, the Regulated Entity remains the data fiduciary, while LSPs and DLAs are data processors.
The Guidelines mandated several data protection practices that DPDP now reinforces with statutory penalties: (a) only the NBFC (not the LSP or DLA) may store borrower data; (b) data collected must be need-based with audit trails; (c) data collected through one-time access cannot be stored permanently; (d) borrowers must have access to their data with an option to delete; (e) any data collection outside of the stated purpose is prohibited. An NBFC whose lending app violates these provisions now faces not only RBI supervisory action but also DPDP penalties of up to Rs 250 crore.
P2P lending platforms (NBFC-P2P) face a unique challenge: they process personal data of both lenders and borrowers. The borrower’s credit profile, financial statements, and repayment capacity data is shared with potential lenders on the platform — each disclosure is a processing activity requiring consent under DPDP. The platform’s credit scoring algorithm, if AI-driven, also triggers obligations around automated decision-making and algorithmic transparency that we address under our AI compliance practice.
The Account Aggregator framework (regulated under RBI’s NBFC-AA Master Direction) creates another data flow that intersects with DPDP. When a borrower uses an AA to share bank account data with a lending NBFC, the consent artifact generated by the AA framework must align with DPDP’s consent requirements. The AA framework’s purpose-specific, time-limited consent model is actually more advanced than DPDP’s general consent framework — but the NBFC must ensure that data obtained through AA is not repurposed beyond the consented purpose.
The ARC Data Transfer Problem When NPAs Change Hands
When an NBFC or bank assigns its NPA portfolio to an Asset Reconstruction Company under Section 5 of the SARFAESI Act 2002, the financial rights transfer along with the underlying loan documentation. This documentation contains extensive personal data: borrower KYC, guarantor details, credit bureau scores, income proof, property valuations, and repayment history.
Under DPDP, this data transfer raises fundamental questions. The borrower originally consented to the NBFC processing their data for loan servicing. When the loan is assigned to an ARC, the ARC becomes the new data fiduciary — but the borrower never consented to the ARC processing their data. Section 6 of DPDP requires consent for each “specified purpose.” The ARC’s purpose (NPA recovery, enforcement under SARFAESI, legal proceedings) differs from the NBFC’s original purpose (credit assessment, loan servicing).
Unified Chambers advises on structuring assignment agreements with DPDP-compliant data transfer clauses. This includes: notice to data principals about the assignment and the new data fiduciary, updated privacy notices from the ARC, purpose re-specification, and data minimisation (transferring only the data necessary for the ARC’s stated purpose, not the entire customer file). For NBFCs with large NPA books facing assignment, this structuring must happen before the transfer — not after a data principal files a complaint with the DPBI.
The problem intensifies in Swiss Challenge auctions where multiple ARCs bid on the same portfolio. Due diligence data rooms expose borrower personal data to competing ARCs before the assignment is finalised. Each ARC accessing the data room is a separate data processor (or fiduciary, depending on the arrangement) under DPDP. The confidentiality agreements traditionally used in portfolio sales must now be supplemented with DPDP-compliant data processing agreements.
HFC-Specific Data Protection Considerations
Housing finance companies process uniquely sensitive data during the home loan lifecycle. Beyond standard KYC and financial data, HFCs collect: property ownership chains (title search data involving multiple family members), property valuation reports (containing neighbourhood and household information), builder agreements (third-party personal data of developers and their directors), home insurance details, and property tax records linking borrowers to specific addresses over decades.
The long tenure of housing loans (15 to 30 years) creates a data retention challenge unique to HFCs. A home loan originated in 2010 carries KYC data collected under the pre-DPDP regime. When this loan is serviced in 2025 and beyond, the HFC must retrospectively comply with DPDP’s notice-and-consent requirements for the continued processing of historical data. Section 5(1) of DPDP is clear: processing of personal data is permitted only in accordance with the Act, regardless of when the data was originally collected.
HFCs that have been brought under RBI regulation (transferred from NHB to RBI in 2019) must also comply with the RBI Scale-Based Regulation framework if classified in the upper or middle layer. The compliance burden stacks: NHB legacy obligations, RBI IT Framework requirements, and DPDP statutory duties. Unified Chambers provides integrated compliance advisory that maps all three frameworks into a single data governance architecture.
DPDP Penalties for NBFCs, Per Contravention
NBFC fails to implement reasonable security safeguards — digital lending app data leak, unsecured API exposing borrower data.
NBFC fails to notify DPBI and affected borrowers of a personal data breach — compounding CERT-In 6-hour reporting obligation.
EdTech loan platforms processing student data without verifiable parental consent — relevant for education loan NBFCs.
Systemically important NBFCs classified as Significant Data Fiduciaries failing DPO, Data Auditor, and DPIA obligations.
Any other DPDP violation: consent failure, purpose limitation breach, storage beyond necessity, cross-border transfer without authorisation.
SDF Obligations and Costs
When “Significant” Means Significant Liability
Most large NBFCs — systemically important non-deposit-taking NBFCs (NBFC-ND-SI), large housing finance companies, and major asset reconstruction companies — will be designated as Significant Data Fiduciaries under Section 10 of the DPDP Act. The Central Government makes this determination based on volume and sensitivity of personal data processed, and the financial sector processes some of the most sensitive data in the Indian economy.
SDF classification triggers a cascade of mandatory obligations: appointment of a Data Protection Officer who must be based in India and serve as the point of contact for both the DPBI and data principals; engagement of an independent Data Auditor to evaluate compliance periodically; conducting Data Protection Impact Assessments before any significant new data processing activity; and implementing algorithmic fairness measures where automated decision-making (credit scoring, loan approval, risk assessment) affects data principals. Each of these obligations carries real operational cost — DPO compensation, auditor fees, DPIA consulting, and technology investments for algorithmic transparency.
Breach of SDF-specific duties carries penalties up to Rs 150 crore under Schedule Sl.4 — on top of general breach penalties up to Rs 250 crore under Sl.1. A single data breach at a Significant Data Fiduciary that also reveals DPO non-compliance and missing DPIAs could face cumulative exposure exceeding Rs 400 crore. Unified Chambers helps NBFCs prepare for SDF designation proactively — structuring DPO appointments, Data Auditor engagements, and DPIA frameworks before the notification is issued.
DPDP for NBFCs — Key Questions
Does the DPDP Act 2023 apply to NBFCs registered with RBI?
Yes. The Digital Personal Data Protection Act 2023 applies to every entity processing digital personal data in India, regardless of sector. NBFCs — whether deposit-taking (NBFC-D), non-deposit (NBFC-ND), systemically important (NBFC-ND-SI), housing finance companies (HFCs), or P2P lending platforms (NBFC-P2P) — are all data fiduciaries under DPDP. They must comply with consent requirements, data principal rights, breach notification obligations, and purpose limitation principles. The penalties apply equally: up to Rs 250 crore per contravention.
How do the RBI Digital Lending Guidelines interact with DPDP?
The RBI Digital Lending Guidelines (September 2022) and the DPDP Act create overlapping but complementary obligations. The DLG mandate that borrower data must be collected only with explicit consent, stored only in India, and not shared with third parties without consent. DPDP reinforces these with statutory penalties. Key overlaps: (a) DLG requires a Key Fact Statement at loan origination — DPDP requires a privacy notice at data collection; (b) DLG prohibits lending apps from accessing phone contacts and media — DPDP prohibits processing beyond stated purpose; (c) DLG requires data to be deleted when the loan relationship ends — DPDP imposes storage limitation. NBFCs must satisfy both frameworks simultaneously.
What happens to borrower consent when a loan portfolio is sold to an ARC?
This is one of the most complex DPDP questions for the financial sector. When a bank or NBFC assigns an NPA loan account to an Asset Reconstruction Company under the SARFAESI Act, the borrower's personal data — KYC records, credit bureau data, repayment history, guarantor details — transfers with the portfolio. Under DPDP, the ARC becomes the new data fiduciary. The critical question is whether the original consent given to the bank covers processing by the ARC. Section 6 of DPDP requires consent for each specified purpose. ARC recovery operations (calling borrowers, sending notices, pursuing enforcement) constitute new processing that likely requires fresh notice to data principals. Unified Chambers advises on structuring the data transfer clauses in assignment agreements to ensure DPDP compliance.
Is Aadhaar e-KYC data subject to DPDP for NBFCs?
Yes, with an important nuance. Aadhaar data processed through the UIDAI e-KYC framework is governed by the Aadhaar Act 2016 and UIDAI regulations. However, the personal data derived from or collected alongside Aadhaar e-KYC — such as the customer's name, address, date of birth, photograph, and phone number stored in the NBFC's systems — falls squarely under DPDP. NBFCs must ensure that: (a) Aadhaar data is used only for the purpose for which consent was obtained; (b) biometric data is not retained beyond the authentication transaction; (c) derived data stored in loan management systems is subject to DPDP consent, purpose limitation, and erasure requirements. The RBI Master Direction on KYC adds further obligations on retention periods and data accuracy.
Do P2P lending platforms have special DPDP obligations?
P2P lending platforms (NBFC-P2P registered with RBI) face heightened DPDP scrutiny because they process data of both lenders and borrowers on a single platform. They collect financial data (bank statements, income proof, credit scores), process it through algorithmic credit assessment models, and share borrower profiles with potential lenders. Each of these activities constitutes separate processing under DPDP requiring distinct consent. Additionally, P2P platforms using AI/ML models for credit scoring must address automated decision-making under DPDP — data principals have the right to know that decisions are being made algorithmically. The RBI P2P Master Direction (2017) already requires certain data governance standards; DPDP layers statutory penalties on top.
What is the RBI Master Direction on IT Framework for NBFCs?
The RBI Master Direction on Information Technology Framework for the NBFC Sector (2017) requires all NBFCs with asset size above Rs 500 crore to implement an IT governance framework covering: IT strategy, IS policy, IT operations, IS audit, cyber security, IT services outsourcing, and business continuity planning. NBFCs above Rs 500 crore but below Rs 5,000 crore must comply at a proportionate level. This direction creates the baseline IT governance that DPDP builds upon. The overlap is direct: RBI requires "adequate security of information assets" — DPDP requires "reasonable security safeguards" to prevent data breach. An NBFC that fails RBI's IT audit is also likely to fail DPDP's security obligations, creating dual regulatory risk.
Can Unified Chambers handle both DRT defence and DPDP compliance for NBFCs?
Yes — this is our core proposition. Unified Chambers already represents NBFCs, HFCs, and ARCs at all 39 Debt Recovery Tribunals, DRAT appellate benches, High Courts, and NCLT benches. The personal data that drives our debt recovery practice — borrower KYC, credit bureau pulls, guarantor information, NPA portfolio data — is the same data that DPDP now protects. When a defaulting borrower simultaneously files a DRT counter-claim and a DPDP complaint before the Data Protection Board alleging that the NBFC shared their data improperly during recovery, you need one firm that handles both. No coordination overhead, no conflicting strategies. Minimum engagement: Rs 50 lakhs.
NBFC DPDP Compliance Starts With One Conversation
WhatsApp Advocate Subodh Bajpai directly. Whether your NBFC needs a full DPDP compliance audit, ARC data transfer structuring, or Data Protection Board representation — senior-level engagement from day one. Minimum matter value: Rs 50 lakhs.