DPDP Compliance for Fintech Companies
India's fintech sector processes billions in transactions daily. Here's how the DPDP Act 2023 impacts payment gateways, lending platforms, and digital wallets — and what compliance looks like.
Why Fintech Faces Unique DPDP Challenges
India’s fintech sector sits at the intersection of financial regulation and data privacy. Companies like Razorpay, Paytm, and PhonePe process millions of transactions daily, each generating a trail of sensitive personal data — PAN numbers, bank account details, spending patterns, and credit histories.
The challenge? Fintech companies already navigate a complex web of RBI, SEBI, and PMLA compliance. The DPDP Act 2023 adds an entirely new layer. Unlike sector-specific regulations, DPDP covers all personal data processing, not just financial data. That marketing email analyzing your spending patterns? That’s now under DPDP jurisdiction too.
The Consent Problem
Most fintech apps bundle consent at onboarding — you accept the terms to use the app, and that covers everything from transaction processing to targeted advertising. Under DPDP Section 6, this bundled approach doesn’t fly. Users must be able to consent to payment processing without consenting to spending pattern analysis for cross-sell recommendations.
KYC Data: A Double-Edged Sword
KYC (Know Your Customer) data is collected under RBI/PMLA mandate — that’s a legitimate use under DPDP Section 7. But what happens when that KYC data gets used for credit scoring, insurance cross-selling, or partner marketing? That’s where the DPDP line gets crossed.
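The purpose-binding the consent and KYC sections describe can be enforced in code rather than left to a privacy policy. The following is an added example, not code from the article or from any company it names: a small Python gate that records the legal basis for each (data category, purpose) pair, lets KYC data be used for its mandated purpose without consent, and refuses reuse of that same data for credit scoring or partner marketing unless the user separately opted in. The category and purpose names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Basis(Enum):
    CONSENT = "consent"              # DPDP s.6: specific, purpose-bound, withdrawable
    LEGAL_MANDATE = "legal_mandate"  # DPDP s.7: collection required by law (KYC under RBI/PMLA)


# Constructed purpose register: each (data category, purpose) pair is bound to the
# legal basis it rests on. A pair not listed here is not a registered purpose and
# is refused outright, so any new use of the data has to be added deliberately.
PURPOSE_REGISTER = {
    ("kyc", "identity_verification"): Basis.LEGAL_MANDATE,
    ("transaction", "payment_processing"): Basis.CONSENT,
    ("transaction", "spending_analysis"): Basis.CONSENT,
    ("kyc", "credit_scoring"): Basis.CONSENT,
    ("kyc", "partner_marketing"): Basis.CONSENT,
}


@dataclass
class ConsentRecord:
    """Per-user record of the purposes the data principal has affirmatively opted into."""
    purposes: set[str] = field(default_factory=set)

    def grant(self, purpose: str) -> None:
        self.purposes.add(purpose)

    def withdraw(self, purpose: str) -> None:
        # Withdrawal is the user's right under s.6; discard() never raises on a missing entry.
        self.purposes.discard(purpose)


def may_process(category: str, purpose: str, record: ConsentRecord) -> tuple[bool, str]:
    """Decide whether this user's `category` data may be used for `purpose`.

    Returns (allowed, reason) so the decision can be written to an audit log.
    """
    basis = PURPOSE_REGISTER.get((category, purpose))
    if basis is None:
        return False, f"'{purpose}' is not a registered purpose for '{category}' data"
    if basis is Basis.LEGAL_MANDATE:
        return True, "processing under legal mandate (DPDP s.7)"
    if purpose in record.purposes:
        return True, "processing under specific consent (DPDP s.6)"
    return False, f"no consent recorded for '{purpose}'"


def onboarding_consent(selected: list[str]) -> ConsentRecord:
    """Unbundled onboarding: only the purposes the user actually ticked are granted."""
    record = ConsentRecord()
    for purpose in selected:
        record.grant(purpose)
    return record
```

A user who ticked only payment processing at onboarding can still be KYC-verified, but the same KYC record is blocked from credit scoring until a separate grant is recorded, and withdrawing that grant blocks it again.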
Data Retention Blind Spots
Banking regulations mandate 10-year transaction record retention. But what about:
- App usage analytics and behavioral data?
- Marketing interaction logs and campaign engagement?
- Credit score check histories?
- Third-party API call logs containing personal data?
These aren’t covered by financial regulations but are squarely within DPDP scope. Most fintech privacy policies leave these undefined — a significant compliance gap.
The Cross-Border Challenge
Fintech companies heavily rely on global cloud infrastructure (AWS, GCP, Azure) and international payment networks. Under DPDP Section 16, data can only be transferred to jurisdictions approved by the Central Government. The current approved list is still evolving, creating uncertainty for fintech infrastructure planning.
Fintech Company Analyses
IndusInd Bank
IndusInd Bank's official privacy policy URL leads to a 'page not found' error, making it impossible to assess their DPDP Act 2023 readiness. This fundamental lack of an accessible privacy policy is a severe compliance gap, preventing customers from understanding how their sensitive financial data is collected, processed, and protected.
Groww
Groww's provided privacy policy text is incredibly sparse, acting more as a placeholder than a comprehensive statement. For a major fintech player handling sensitive financial data, this complete lack of detail regarding consent, data principal rights, security, and retention under the DPDP Act 2023 presents extreme regulatory and reputational risk.
Bank of Baroda
Bank of Baroda's privacy policy is a generic, pre-DPDP document lacking specific compliance with the new Act. Its reliance on implied consent, vague security, and complete silence on critical user rights and data retention creates substantial regulatory risk for India's third-largest public sector bank.
Kotak Mahindra Bank
Kotak Mahindra Bank's privacy policy is geared towards traditional legal frameworks, not India's new DPDP Act, 2023. With vast amounts of sensitive financial data, the policy critically lacks DPDP-mandated granular consent, specific data retention timelines, and explicit data principal rights, creating significant regulatory risks.
Axis Bank
Axis Bank's privacy policy, while detailing data types, largely pre-dates DPDP Act 2023 requirements. Major shortcomings include a lack of specific data retention periods, absence of explicit Data Principal rights, and reliance on bundled consent. These gaps create substantial regulatory exposure for one of India's largest banks.
Federal Bank
Federal Bank's privacy policy is comprehensive on data collection and security but lacks critical alignment with the DPDP Act 2023. Key gaps include non-specific consent, undefined data retention, and absence of explicit Data Principal rights, leaving significant regulatory exposure for customer financial data.
Indian Bank
Indian Bank's 'IB Merchant App' privacy policy is foundational but largely fails DPDP Act 2023 requirements. Its lack of explicit DPDP alignment, especially around granular consent, data retention, and Data Principal rights, poses significant risks for merchant data.
IDBI Bank
IDBI Bank operates on a legacy privacy framework that prioritizes bank secrecy over modern data principal rights. While its security measures are robust, the lack of granular consent and the absence of clear deletion timelines create significant compliance gaps under the new DPDP Act.
HDFC Bank
HDFC Bank's privacy policy is detailed regarding data collection and security standards, notably its ISO 27001:13 compliance. However, it currently lacks explicit alignment with the Digital Personal Data Protection Act 2023. Key areas requiring immediate attention for DPDP compliance include a more granular and 'freely given' consent mechanism, specific data retention periods, comprehensive detailing of all Data Principal rights (including nomination), clear grievance escalation to the Data Protection Board, and transparent cross-border data transfer policies. As a major financial institution handling sensitive personal data, updating its policy to explicitly reflect DPDP requirements is crucial to mitigate regulatory and reputational risks.
ICICI Bank
ICICI Bank's Privacy Commitment is detailed but significantly lags in explicit alignment with the Digital Personal Data Protection Act 2023. While it outlines general data protection principles and security measures, the absence of specific DPDP Act references, bundled consent, vague data retention periods, and lack of DPDP-specific data principal rights and grievance mechanisms pose considerable regulatory compliance risks. Given its position as a major financial institution in India, a comprehensive update to reflect DPDP Act 2023 requirements, particularly around granular consent and data principal empowerment, is critical.
Fi Money
Fi Money offers a slick user experience, but its privacy framework remains stuck in the pre-DPDP era. While bank-grade security is a plus, the lack of specific consent controls and the current inaccessibility of policy pages create significant legal risks under the new Act.
PhonePe
PhonePe handles 500M+ users' financial data, but its privacy policy scores poorly on DPDP alignment. As a Walmart subsidiary, its cross-border data sharing with global affiliates and vague retention policies create significant exposure under DPDP's stricter framework.
Upstox
Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.
BharatPe
BharatPe's policy is built on the old 'I Agree' checkbox model which doesn't fly under India's new law. While they score well on keeping data in India, their consent process is too broad and lacks the control users are now legally entitled to.
Paytm
Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.
Jupiter
Jupiter has a clean, readable policy but it still feels like it was written for the old laws. While they are transparent about what they take, they lack the specific 'delete-on-request' and 'granular consent' rules that the new Indian law demands.
Razorpay
Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.
Canara Bank
Canara Bank's privacy policies for its website and mobile application are generally comprehensive regarding data collection and security under existing legal frameworks. However, they currently lack explicit alignment with the Digital Personal Data Protection Act 2023. Significant updates are needed, particularly around obtaining granular and freely given consent, detailing specific data retention periods, outlining the Data Protection Board as a grievance escalation channel, and addressing the full spectrum of Data Principal rights, including nomination. While the policies demonstrate a commitment to customer privacy, their current wording and framework may pose compliance challenges as the DPDP Act's provisions become fully enforceable.
Bajaj Finserv
Bajaj Finserv shows strong technical security but fails on the DPDP Act’s requirement for 'unbundled' consent. While its retention transparency is better than most, control over user data remains heavily weighted toward the company rather than the individual.
CRED
CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.
Angel One
Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.