# Why Fintech and BFSI Face the Highest DPDP Compliance Stakes
The fintech and BFSI (Banking, Financial Services, and Insurance) sector processes some of the most sensitive personal data in the Indian economy. From KYC documents and bank account details to credit scores and insurance claims, financial institutions handle data that can cause severe harm if mishandled. Under the Digital Personal Data Protection (DPDP) Act, this sector faces heightened scrutiny and potentially the strictest enforcement.
What makes DPDP compliance particularly complex for fintech and BFSI is the overlap with existing regulatory frameworks. The Reserve Bank of India (RBI) already mandates data localisation for payment data. The Insurance Regulatory and Development Authority of India (IRDAI) has its own data handling guidelines. SEBI regulates data in the securities market. DPDP adds another layer on top of these existing requirements, creating a multi-framework compliance challenge that demands careful coordination.
This guide provides a practical, sector-specific roadmap for fintech and BFSI companies to achieve DPDP compliance while maintaining compliance with existing financial sector regulations.
## RBI Data Localisation and DPDP: Understanding the Overlap
In April 2018, the RBI mandated that all payment system data must be stored exclusively in India. This directive, often called the "data localisation circular," predates the DPDP Act but intersects with it in important ways.
### What RBI Requires
- All data related to payment systems operated in India must be stored in systems located only in India
- This includes full end-to-end transaction details and all information collected, carried, and processed as part of the message or payment instruction
- Foreign leg data of cross-border transactions may be stored abroad in addition to being stored in India
### How DPDP Adds to RBI Requirements
While RBI's circular addresses where payment data is stored, the DPDP Act addresses how all personal data (including payment data) is collected, processed, and protected. The key additional requirements include:
- Consent requirements: DPDP mandates informed consent for data processing, going beyond what RBI requires
- Purpose limitation: Data collected for payment processing cannot be used for unrelated purposes without separate consent
- Data principal rights: Customers have rights to access, correct, and erase their personal data under DPDP, even if RBI regulations require data retention
- Breach notification: DPDP requires notification to the Data Protection Board and affected individuals, in addition to any RBI-mandated reporting
### Resolving Conflicts
When DPDP requirements appear to conflict with RBI mandates, the general principle is that sector-specific regulations may prevail for their specific domain, but DPDP provides the baseline for all personal data handling. In practice, this means complying with the stricter requirement in each case. Organisations should document their rationale for how they resolve any apparent conflicts.
## KYC Data Handling Under DPDP
Know Your Customer (KYC) processes are fundamental to financial services, and they involve collecting extensive personal data. Under DPDP, KYC data handling requires specific compliance measures.
### Data Collected During KYC
- Aadhaar numbers and copies of Aadhaar cards
- PAN numbers and copies of PAN cards
- Passport details and copies
- Voter ID, driving licence, and other government-issued identifiers
- Photographs and biometric data (in some cases)
- Address proof documents
- Income proof and financial statements
### DPDP Requirements for KYC Data
- Purpose limitation: KYC data collected for account opening should not be used for marketing or cross-selling without separate consent
- Data minimisation: Collect only the KYC data required by regulatory mandate, not additional data "just in case"
- Retention limitation: KYC data should be retained only for the period required by applicable regulations (typically 5-8 years after account closure under PMLA)
- Security: KYC documents containing sensitive identifiers like Aadhaar must be encrypted and access-controlled
- eKYC and CKYC: Digital KYC processes must include proper consent flows and data security measures
## Payment Data Processing Under DPDP
Payment data touches virtually every product and service in fintech and BFSI. Under DPDP, the processing of payment-related personal data requires specific compliance measures beyond what RBI regulations mandate.
### UPI Transaction Records
UPI has become India's dominant payment method, generating billions of transactions. Each UPI transaction creates personal data including:
- Sender and receiver identifiers (VPA/UPI ID)
- Transaction amounts and timestamps
- Bank account references
- Merchant identifiers and transaction descriptions
- Device and location data used for fraud detection
Under DPDP, consent for processing UPI data for the primary purpose of payment processing may be covered under legitimate uses. However, using UPI transaction data for analytics, credit scoring, targeted advertising, or sharing with third parties requires separate, explicit consent.
### Credit and Debit Card Data
- Full card numbers must never be stored (PCI DSS and RBI tokenisation requirements)
- Transaction records must be retained per RBI guidelines but protected per DPDP security requirements
- Card-linked offers and rewards programmes require consent for the profiling and targeting involved
### Digital Lending Data
The RBI's digital lending guidelines and DPDP together create comprehensive requirements for lending platforms:
- Consent must be obtained before accessing phone contacts, SMS, or other device data for credit assessment
- Borrower data cannot be shared with third-party recovery agents without disclosure
- Credit decision data must be accessible to the data principal upon request
## Insurance Claim Data and DPDP
Insurance companies process highly sensitive personal data including medical records, accident reports, and financial information. DPDP compliance for insurance requires specific attention to several areas.
### Key Compliance Requirements
- Health data sensitivity: Medical records used for underwriting and claims processing must be handled with enhanced security measures
- Consent for underwriting: Clearly disclose how personal data will be used in underwriting decisions
- Third-party medical providers: Data sharing with hospitals, labs, and medical examiners requires proper agreements
- Claims investigation: Using personal data for fraud investigation must be disclosed and, where possible, consented to
- Agent and broker data sharing: Insurance intermediaries who access customer data must be bound by data protection agreements
## Credit Scoring and Consent
Credit scoring involves processing personal data to evaluate an individual's creditworthiness. Under DPDP, this activity has specific compliance implications.
### Requirements
- Inform individuals that their data will be used for credit scoring
- Disclose the data sources used in credit assessment
- Obtain consent for accessing credit bureau data
- Provide transparency about how credit decisions are made, particularly when automated decision-making is involved
- Allow individuals to access and challenge their credit information
The intersection of DPDP with the Credit Information Companies (Regulation) Act adds complexity. Fintech companies should ensure their consent mechanisms cover both frameworks.
## Cross-Border Financial Data Transfers
Global fintech companies and multinational banks frequently transfer financial data across borders. Under DPDP, these transfers are permitted to countries not on the government's restricted list, but additional safeguards are needed.
### Common Cross-Border Scenarios
- Correspondent banking: Transaction data shared with foreign correspondent banks
- Global treasury operations: Financial data consolidated at international headquarters
- Cloud infrastructure: Data processed or backed up in international data centres
- Outsourced operations: Customer service or back-office operations in other countries
- Regulatory reporting: Data shared with foreign regulators for compliance purposes
### Compliance Measures
- Map all cross-border data flows and document the legal basis for each
- Ensure data processing agreements are in place with all foreign recipients
- Implement additional security measures for data in transit
- Monitor the government's restricted country list and adjust flows as needed
- Consider data localisation as the default, with cross-border transfer as the exception
## Dual Compliance Strategy: RBI Guidelines + DPDP
Successfully managing compliance with both RBI regulations and DPDP requires a coordinated strategy. Here is a practical framework:

| Area | RBI Requirement | DPDP Requirement | Harmonised Approach |
|---|---|---|---|
| Data Storage | Payment data in India only | No restricted country transfers | Store all data in India by default |
| Data Retention | Per specific guidelines (varies) | No longer than necessary | Apply the longer retention period, then delete |
| Consent | Limited consent requirements | Comprehensive consent framework | Implement DPDP-level consent for all processing |
| Breach Notification | Report to RBI within 6 hours | Report to DPB without delay | Unified incident response with parallel notifications |
| Data Access Rights | Limited provisions | Full data principal rights | Implement full DPDP rights framework |
| Security Controls | Specific technical requirements | Reasonable security safeguards | Apply the more specific/stricter requirement |
## Leveraging Multi-Framework Compliance Platforms
The complexity of dual or multi-framework compliance in fintech makes manual compliance management impractical. Platforms that support multiple frameworks simultaneously can significantly reduce the compliance burden.
Complynz supports multiple compliance frameworks including DPDP, ISO 27001, and SOC 2 in a single platform. This is particularly valuable for fintech companies because:
- Common controls across frameworks are mapped automatically, reducing duplication
- A single dashboard provides visibility across all compliance obligations
- Evidence collection for one framework can be reused for others
- The assessment engine identifies gaps across multiple frameworks simultaneously
- The TPRM module evaluates vendors against all applicable frameworks
## Getting Started
Fintech and BFSI companies should approach DPDP compliance as an extension of their existing regulatory compliance programmes, not a separate initiative. Start by:
- Running a free DPDP scan of your customer-facing digital properties
- Completing a DPDP assessment to identify compliance gaps
- Mapping DPDP requirements against your existing RBI/IRDAI/SEBI compliance measures
- Identifying gaps where DPDP adds requirements beyond existing frameworks
- Implementing incremental changes starting with the highest-risk areas
The DPDP Guide provides detailed, section-by-section analysis to help you understand exactly what the Act requires and how it applies to financial services.