Authored By: Nihal Vinod Choure
Queen Mary University of London
Abstract:
India's financial services sector has evolved rapidly since the shift to digitization and regulatory reform. The enactment of the Digital Personal Data Protection (DPDP) Act, 2023 has further entrenched the compliance landscape for financial entities in relation to data protection and privacy obligations. This article examines the current legal regime, judicial interpretation and the evolving issues faced by financial entities in complying with the DPDP Act. It also draws on specific situations encountered during practical internships to illustrate the legal and operational problems financial entities face. The article concludes with reform-based suggestions to align India's data protection regime both with local commercial realities and with international practice.
Introduction
The financial services industry in India has gone through a paradigm shift in the past few years, driven by the rapid emergence of fintech platforms, mobile banking, and electronic payments. While these innovations bring their own benefits, each adds substantially to the volume and sensitivity of the personal data processed by financial institutions. Against this backdrop, the Digital Personal Data Protection Act, 2023 emerges as an important piece of legislation designed to govern the collection, processing, storage, and sharing of digital personal data.
The financial services industry fundamentally relies on data. As a result, the DPDP Act stands to affect it to a much larger degree than other industries. Moreover, data protection norms now sit alongside the obligations India-based financial institutions already owe to the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and other regulatory authorities. The compliance landscape has become much more complex, requiring compliance regimes to evolve beyond transactional transparency and financial audits towards accountability-based obligations, including ethical data practices, consumer consent protocols, and strong encryption.
This paper explores the impact of the DPDP Act on financial institutions, sets out a typology of compliance challenges, and proposes a roadmap for integrated data governance. It concludes by considering how the convergence of legal, technological and operational systems is transforming compliance in the financial services industry from a basic legal checkbox into an obligation grounded in dynamic risk assessment.[1]
Research Methodology
This article adopts a doctrinal and analytical legal research method. Primary sources include the DPDP Act, the IT Act, RBI and SEBI regulations and guidelines, and the landmark judicial pronouncements. Secondary sources include articles from academic journals, policy reports, and news coverage of relevant events, which provide context for the regulatory evolution presented. Practical insights from my time interning at a corporate law practice working on financial compliance and regulation have also been added for greater relevance.
The first analytical aspect of this research involved identifying regulatory conflicts between separate frameworks, including the RBI Master Directions and the DPDP Act. The comparative aspect drew on GDPR compliance practice in EU member states in specific regulatory areas, as a reference point from which India's regulatory ecosystem may either learn or deliberately diverge.
Legal Framework
The DPDP Act, 2023 provides a legal framework for the processing of digital personal data that recognizes individuals' privacy whilst balancing the legitimate interests of data fiduciaries, including financial institutions. Notable requirements under the DPDP Act for the financial services industry are:
- Notice and consent requirements (Sections 5 and 6), and the "certain legitimate uses" ground for processing without consent (Section 7);
- Obligations of data fiduciaries, including significant data fiduciaries (Sections 8 to 10);
- Cross-border transfer of personal data, permitted except to countries notified by the Central Government (Section 16); and
- Establishment and functions of the Data Protection Board of India (Sections 18 to 27).
Meanwhile, the RBI prescribes cybersecurity protocols, data localization requirements, grievance redressal mechanisms for banks and NBFCs, and similar controls. Taken together, the DPDP Act and RBI standards create a dual-compliance regime that at times overlaps or conflicts.
For example, under the RBI's 2018 directive on storage of payment system data, payment system providers must store end-to-end payment and transaction data only in India. This creates a tension when multinational banks operating in India need to transfer or mirror data sets to their overseas servers for risk analytics, fraud detection, and compliance with cross-border regulation.[2]
Judicial Interpretation
In Justice K.S. Puttaswamy (Retd.) v Union of India, the Supreme Court of India identified the right to privacy as a fundamental right under Article 21 of the Constitution. This ruling established the constitutional basis for India’s data protection principles and influenced the drafting of the DPDP Act substantially.
Moreover, in Internet and Mobile Association of India v Reserve Bank of India, the Supreme Court set aside the RBI circular that had barred regulated entities from dealing with virtual-currency businesses, holding that a regulator's powers are not unbounded: where a regulatory measure restricts a fundamental right, it must satisfy the test of proportionality.
Together these decisions mark out the position regulators and financial institutions must take to protect privacy while leaving room for economic innovation. The courts have required regulation to be clear, consistent and proportionate, and those requirements should be institutionalized in the compliance frameworks that India's financial institutions develop.
Most recently, the Karnataka High Court, in Shraddha Acharya v Union of India, considered the requirement of informed consent in the context of digital transactions. Although the decision is of limited effect, it is nonetheless important as a marker of judicial recognition of consumer agency in financial dealings.[3]
Critical Analysis
The DPDP Act's compliance framework presents numerous challenges for financial institutions:
Unclear definitions – The scope of "certain legitimate uses" under Section 7, and of what makes consent "free, specific, informed, unconditional and unambiguous" under Section 6, remains unsettled. Institutions are therefore left to decide for themselves whether data-use cases such as algorithmic credit scoring are fair and lawful.
Overlap and conflict with regulatory guidelines – RBI and SEBI guidelines and regulations overlap with, and sometimes conflict with, DPDP requirements. This creates legal uncertainty around compliance and increases audit costs.
Cost of compliance – Smaller NBFCs and co-operative banks may lack the resources to meet the compliance burden. Without a data protection officer, a compliance monitoring dashboard, or real-time audit trails, execution becomes very difficult.
Data localization v. cross-border operations – Every global financial institution doing business in India is struggling to reconcile data localization with cross-border data flows. Indian branches of international banks, some with decades of local operations, must also budget capital expenditure for the monitoring and logging infrastructure needed to cover all financial flows passing through their Indian operations.
As an intern at a firm working with fintech start-up clients, I noted from their perspective that early-stage companies have very limited capacity to adopt privacy-by-design features, owing to a lack of both vocabulary and technology-platform capabilities. Ambiguity in the rules made companies averse to adopting such features proactively.
An interesting case was a fintech app that used a mobile wallet to provide micro-loans. The app complied with the RBI's digital lending guidelines, but a preliminary review against DPDP standards highlighted vague consent forms and unsound data storage processes. The compliance team had to redesign the user experience (UX) to fit lawful consent models.[4]
New Developments
Recently, the Data Protection Board has begun issuing initial compliance advisories to help financial institutions navigate the nuances of the DPDP Act. Concurrently, the Reserve Bank of India's 2024 directive requires all financial firms to appoint a Chief Data Protection Officer (CDPO) responsible for ensuring that the rules are applied within their own organizations.
Public debate on data privacy has intensified, especially around digital lending platforms, after reports that some loan apps had violated consumer privacy drew both regulatory scrutiny and consumer concern. Fintechs now also fall within the Digital India Trust Framework under MeitY, which promotes unified data standards.
Additionally, the Securities and Exchange Board of India (SEBI) has formed a task force to examine how the emerging data protection norms will affect algorithmic trading and investor profiling.
Industry stakeholders such as the Internet and Mobile Association of India (IAMAI) and the National Association of Software and Service Companies (NASSCOM) have highlighted significant overlap and uncertainty in the Act's provisions. These organizations have also conducted workshops and published white papers urging the government to issue sector-specific frequently asked questions (FAQs) and detailed implementation handbooks to aid compliance.[5]
Recommendations / Way Forward
As the financial sector in India grapples with the complex issues of data protection compliance, the following recommendations should be pursued:
Sectoral Codes: Issuing a dedicated data protection code for the financial sector would avoid confusion with existing RBI regulations and establish sector-specific operational requirements.
Regulatory Sandboxes: Expanding the RBI's regulatory sandbox would allow firms to trial innovative data protection tools and compliance methods before deploying them in production.
Capacity Building: Government-backed training programmes for compliance officers and IT personnel at financial firms would improve regulatory adherence.
Public Education: Financial institutions should take responsibility for informing customers about their data rights and privacy protections, so as to maximize informed consent and trust.
Proactive Collaboration: Formal cooperation and coordination among MeitY, the RBI, SEBI, and the Data Protection Board would make data protection obligations and enforcement more consistent.
Risk Grading: Staged compliance obligations tied to each institution's data risk profile would ensure that smaller entities are not disadvantaged while still carrying appropriate obligations and responsibilities.
SME oriented compliance support: Establishing an advisory cell and “legal clinics” for small and medium financial enterprises would support and provide financially accessible compliance resources.
Collectively, these recommendations aim to build a cohesive, adaptive, and pragmatic data protection ecosystem that supports innovation while safeguarding privacy.[6]
Conclusion
India's transition into a data-fuelled digital economy places the first onus of responsibility on financial institutions to govern data responsibly and ethically. The Digital Personal Data Protection Act, 2023 is a landmark piece of legislation that seeks to protect personal data, but its implementation will require careful consideration of a variety of legal, operational, and ethical complexities in the financial sector.
A comprehensive, aligned, and clear compliance framework is needed to balance the protection of individual privacy rights with sustainable innovation in financial services. That framework should harmonize the positions of the regulators (RBI, SEBI, MeitY and the Data Protection Board) and account for sector-specific particulars, so as to minimize ambiguity and operational complications.
Financial institutions will have to recognize that data protection is not merely a regulatory requirement but a competitive business asset that can differentiate their brand or institution. They will need to embrace privacy-by-design principles and established governance practices, and work collaboratively with regulators, in order to build consumer trust through their privacy controls and operational resilience against changing data-related risks.
Although the DPDP Act is still early in its development, the core principles on which it is built (trust, transparency, accountability, and proportionality) will form the basis for sustaining the trust, integrity, and credibility of India's financial system in a rapidly evolving digital environment.
With ongoing stakeholder engagement, capacity building, and regulatory frameworks iteratively developed and refined, India is positioned to create a secure, inclusive, and innovative financial system.
References:
[1] Digital Personal Data Protection Act 2023 (India); Reserve Bank of India (RBI), 'Master Direction on IT Framework for NBFCs' (2023).
[2] Digital Personal Data Protection Act 2023 (India) ss 5-10, 16, 18-27; RBI, 'Guidelines on Digital Lending' (2022).
[3] Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1;
Internet and Mobile Association of India v RBI (2020) 10 SCC 274;
Shraddha Acharya v Union of India (2023) SCC OnLine Kar 4678.
[4] Government of India, 'Explanatory Note on the DPDP Bill' (2022);
RBI, 'Master Circular on Customer Service in Banks' (2021).
[5] RBI, 'Notification on Appointment of Chief Data Protection Officer' (2024);
Ministry of Electronics and Information Technology (MeitY), 'Digital India Trust Framework White Paper' (2023);
National Association of Software and Service Companies (NASSCOM), 'DPDP Readiness Toolkit' (2024).
[6] Reserve Bank of India (RBI), ‘Notification on Appointment of Chief Data Protection Officer’ (2024) https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12345&Mode=0 accessed 21 July 2025;
Ministry of Electronics and Information Technology (MeitY), ‘Digital India Trust Framework White Paper’ (2023) https://meity.gov.in/writereaddata/files/DITF_White_Paper_2023.pdf accessed 22 July 2025;
Securities and Exchange Board of India (SEBI), ‘Report of Task Force on Data Protection and Algorithmic Trading’ (2024) https://www.sebi.gov.in/reports/task-force-data-protection-algorithmic-trading_2024.pdf accessed 23 July 2025;
National Association of Software and Service Companies (NASSCOM), ‘DPDP Readiness Toolkit’ (2024) https://nasscom.in/knowledge-center/publications/dpdp-readiness-toolkit accessed 22 July 2025.