Data Protection Rules for Fintech and Lending Apps


Digital lending platforms and fintech applications process large volumes of borrower data to enable instant onboarding, automated credit assessment, loan disbursal, monitoring, and recovery. This data includes identity records, financial information, credit history, behavioural patterns, device details, and transaction activity. In earlier years, several lending apps misused such data by accessing mobile contacts, collecting unrelated personal information, and adopting coercive recovery practices. These concerns created significant privacy risks for borrowers and prompted regulatory action to ensure that personal and financial data is collected only for legitimate purposes and handled with proper security and accountability.

India now follows a layered legal approach where multiple laws regulate the entire lifecycle of borrower data. The Digital Personal Data Protection Act and DPDP Rules introduce consent requirements, user rights, and security safeguards. RBI Digital Lending Directions impose sector-specific limits on data collection, storage, and app permissions. The IT Act and SPDI Rules protect sensitive financial data, while cybersecurity reporting norms and KYC retention obligations ensure traceability and oversight. Together, these measures promote transparency, prevent misuse of borrower information, and strengthen trust in digital lending systems.

In this article, CA Manish Mishra talks about Data Protection Rules for Fintech and Lending Apps.

Status of Fintech Lenders as Data Fiduciaries

Fintech lenders determine how and why borrower data is processed and therefore qualify as Data Fiduciaries. Lending service providers and analytics vendors act as Data Processors.

Categories of Personal Data Processed

  • Identity details such as PAN and Aadhaar (where permitted)

  • Financial data including bank statements and credit scores

  • Transaction history and repayment behaviour

  • Device and location metadata linked to individuals

The fiduciary bears primary responsibility for lawful processing, security, and user rights.

Core Data Protection Principles

These principles ensure that borrower data is collected and processed lawfully, fairly, and securely throughout the lending lifecycle.

  • Lawful Purpose: Borrower data must be collected only for legitimate lending functions such as underwriting or servicing.

  • Purpose Limitation: Data collected for credit assessment, underwriting, or loan servicing must not be reused for unrelated activities such as marketing, profiling, or cross-selling without obtaining fresh and specific consent from the borrower.

  • Data Minimisation: Fintech lenders must collect only the information that is strictly necessary for evaluating creditworthiness. Blanket access to contacts, SMS, call logs, or photo galleries is prohibited as it exceeds operational requirements.

  • Accuracy: Borrower data used for automated or manual credit decisions must be accurate and regularly updated to avoid incorrect loan approvals, rejections, or credit reporting errors.

  • Storage Limitation: Personal data must be deleted once the lending purpose is fulfilled unless retention is required for statutory obligations such as KYC and audit records.

  • Security Safeguards: Strong technical controls, including encryption, role-based access, continuous monitoring, and secure APIs, must be implemented to protect sensitive financial information.

Consent and Privacy Notice Framework

Consent forms the primary legal basis for processing borrower data in digital lending. Fintech platforms must provide a clear and detailed privacy notice before collecting any personal information.

Mandatory Elements of Privacy Notice

  • Nature and Categories of Data Collected: Borrowers must be informed about what personal and financial data will be accessed.

  • Purpose of Processing: The specific use of the data, such as credit scoring or loan servicing, must be disclosed.

  • Retention Period: The duration for which data will be stored must be clearly stated.

  • Third-Party Sharing Details: Borrowers must be informed if data will be shared with lending service providers or other entities.

  • Grievance Redressal Mechanism: Contact details and procedures for filing complaints must be provided.

Features of Valid Consent

  • Free and Informed: Consent must not be obtained through coercion or misleading disclosures.

  • Specific and Granular: Separate consent must be taken for different purposes.

  • Unambiguous and Affirmative: Consent must be given through clear user action such as selecting an option.

Withdrawal of Consent

Borrowers must be able to withdraw consent easily through the application interface. After withdrawal, data processing must stop and personal data must be deleted unless retention is legally required.

Significant Data Fiduciary Obligations

Large fintech platforms handling substantial volumes of sensitive financial data may be classified as Significant Data Fiduciaries due to the higher risk they pose to individuals.

Additional Compliance Requirements

  • Appointment of a Data Protection Officer in India: A designated officer must oversee compliance, handle grievances, and act as a contact point for regulators.

  • Periodic Data Protection Impact Assessments: Risk assessments must be conducted to evaluate how data processing affects borrower privacy.

  • Independent Data Audits: External audits must verify the effectiveness of security controls and governance mechanisms.

  • Privacy-by-Design Policy: Organisations must embed privacy safeguards into system architecture and business processes.

These measures ensure accountability, strengthen risk management, and promote responsible handling of borrower data.

RBI Digital Lending Directions: Data Protection Controls

The RBI Digital Lending Directions introduce specific safeguards to protect borrower data in app-based lending. These rules ensure that regulated lenders retain control over data, prevent misuse by fintech intermediaries, and promote transparency in digital credit delivery.

Restrictions on Data Collection

  • Need-to-Know Basis: Lenders and lending service providers may collect only data that is directly required for loan processing, credit assessment, and servicing. Collection of unrelated personal or behavioural data is not permitted.

  • Explicit Borrower Consent: Clear and informed consent must be obtained before accessing any personal data, and the purpose of such access must be disclosed to the borrower.

Prohibition on Excessive App Permissions

  • Limited Access to Device Data: Digital lending apps cannot access contacts, photo galleries, call logs, or other personal device information unless such access is demonstrably necessary for a specific lending function.

Data Storage Requirements

  • India-Based Storage: All borrower personal data must be stored on servers located within India to ensure regulatory oversight and data security.

  • Restrictions on LSP Storage: Lending service providers are not allowed to store borrower personal data except minimal operational data required for their role.

Direct Flow of Funds

Loan disbursal and repayment must occur directly between the regulated lender’s bank account and the borrower’s bank account, eliminating unauthorised intermediaries.

Approved App Disclosure

Regulated lenders must publish a list of authorised digital lending apps to help borrowers identify legitimate platforms and prevent data misuse.

Outsourcing and Lending Service Provider Compliance

Most digital lending structures operate through collaborations between regulated NBFCs or banks and fintech entities functioning as Lending Service Providers (LSPs). While LSPs handle customer onboarding, application processing, data analytics, and platform management, the regulated lender remains the legal owner of the lending relationship and the primary custodian of borrower data. Regulatory expectations require that outsourcing arrangements do not dilute the lender’s accountability for data protection, customer privacy, and compliance with digital lending norms.

Role of LSPs as Data Processors

LSPs act only as data processors and must handle borrower information strictly according to the documented instructions of the regulated lender. They cannot independently determine the purpose of data processing, store borrower data beyond permitted limits, or share it with other entities. Their system access must be role-based, time-bound, and limited to operational requirements.

Mandatory Contractual Safeguards

  • Confidentiality and Data Security Clauses: Service agreements must obligate LSPs to implement encryption, access controls, monitoring systems, and confidentiality measures to protect borrower data.

  • Restrictions on Data Usage: Borrower information must be used solely for authorised lending functions and cannot be reused for marketing, profiling, or cross-selling without lender approval and borrower consent.

  • Audit and Inspection Rights: Regulated lenders must have the contractual right to conduct periodic audits, security assessments, and compliance reviews of LSP infrastructure and processes.

  • Breach Reporting Obligations: LSPs must promptly notify the lender of any data breach, cyber incident, or unauthorised access to enable timely regulatory reporting and mitigation.

Ultimate Liability

Despite outsourcing operational functions, the regulated NBFC or bank remains fully liable for any data misuse, security failure, or non-compliance by its LSP partners, making continuous vendor monitoring and risk management essential.

Borrower Rights Under the Data Protection Regime

The data protection regime gives borrowers legal control over their personal data and requires fintech lenders to ensure transparency, accuracy, and accountability in data processing. Platforms must provide simple in-app mechanisms for users to exercise these rights and respond within prescribed timelines.

  • Right to Access Information: Borrowers can obtain confirmation of data processing, details of the personal data collected, the purpose of use, retention period, and information about any third parties with whom the data has been shared.

  • Right to Correction: Fintech entities must promptly correct inaccurate, incomplete, or outdated personal and financial data to prevent incorrect credit assessment or reporting.

  • Right to Erasure: Personal data that is no longer required for lending or legal purposes must be securely deleted to avoid unnecessary storage and misuse.

  • Right to Withdraw Consent: Borrowers may withdraw consent at any time, after which processing must stop except where retention is required by law.

  • Grievance Redressal: Fintech platforms must appoint a grievance officer, provide complaint channels, and resolve borrower issues within prescribed timelines.

Data Retention and KYC Compliance

Financial regulations require fintech lenders and NBFCs to retain KYC documents, transaction records, loan agreements, and audit trails for a specified statutory period. This ensures traceability of financial transactions, supports fraud detection, and enables regulatory inspections and law enforcement requests when necessary.

Statutory Retention

KYC and related financial records must generally be preserved for at least five years after the closure of the loan account or completion of the business relationship. During this period, the data must be stored securely with restricted access and proper audit controls.

Harmonisation with DPDP

While the DPDP regime requires deletion of personal data once the purpose is fulfilled, it permits retention where mandated by law. However, retained data must be used strictly for regulatory, audit, or legal purposes and cannot be processed for marketing, profiling, or analytics beyond compliance requirements.

Cybersecurity and Breach Reporting

Fintech lenders handle highly sensitive financial and identity data, making them prime targets for cyberattacks such as phishing, ransomware, and unauthorised system access. Therefore, they must establish strong cybersecurity frameworks that protect data throughout its lifecycle. These frameworks should include preventive, detective, and corrective controls to ensure confidentiality, integrity, and availability of borrower information.

Technical Safeguards

  • Encryption of Financial Data: All sensitive data must be encrypted both at rest and during transmission to prevent unauthorised access or interception.

  • Multi-Factor Authentication: Access to internal systems and customer accounts should require multiple authentication factors to reduce the risk of credential compromise.

  • Network Monitoring and Logging: Continuous monitoring and maintenance of system logs help detect suspicious activity and support forensic investigations.

  • Periodic Vulnerability Testing: Regular security assessments and penetration testing identify system weaknesses and enable timely remediation.

Breach Reporting Obligations

  • Notification to the Data Protection Board: Data breaches involving personal data must be reported to the regulatory authority within prescribed timelines.

  • Intimation to Affected Users: Borrowers must be informed so they can take protective measures.

  • Reporting to Cybersecurity Authorities: Incidents must also be reported to designated national cybersecurity agencies as required.

Cross-Border Data Transfer and Localisation

Cross-border data transfer refers to the movement of borrower personal data from India to foreign jurisdictions for processing or storage. Under the DPDP regime, such transfers are allowed only to countries that are not specifically restricted by the government. Fintech entities must ensure that adequate security safeguards, contractual controls, and access restrictions are in place before transferring data outside India.

  • DPDP Transfer: The DPDP approach follows a permission-based model where data can be transferred to permitted jurisdictions subject to lawful purpose, valid consent, and implementation of reasonable security measures. Fintech companies must maintain records of such transfers and ensure that borrower rights remain enforceable even when data is processed overseas.

  • RBI Localisation Requirement: RBI mandates that payment and lending data must be stored on servers located within India. Fintech companies using global cloud infrastructure must implement local data storage or mirrored servers to ensure regulatory access, auditability, and protection of sensitive financial information.

  • IT Act and SPDI Rules Compliance: Sensitive personal data, including financial information, passwords, and biometric identifiers, is governed by the SPDI Rules under the IT Act. These rules continue to apply alongside the DPDP framework and impose additional security and consent obligations on fintech entities.

Key Obligations

  • Publication of Privacy Policy: Fintech platforms must publish a clear privacy policy describing data collection, usage, storage, and sharing practices.

  • Written Consent for Sensitive Data: Explicit consent must be obtained before collecting financial or biometric information.

  • Reasonable Security Practices: Organisations must implement recognised security standards such as encryption, access controls, and risk assessments.

Failure to protect sensitive personal data may result in compensation liability for negligence and regulatory action.

AI-Based Credit Scoring and Ethical Use of Data

AI-based credit scoring allows fintech lenders to assess borrower creditworthiness using automated models and alternative data such as transaction patterns, repayment behaviour, and digital activity. While this improves speed and financial inclusion, it must follow fairness, transparency, and purpose limitation principles to prevent biased or unlawful decision-making. Borrowers should not be denied credit based on irrelevant personal attributes or opaque algorithms.

Compliance Considerations

  • Avoid Discriminatory Profiling: Credit models must not use factors that lead to unfair bias based on gender, religion, caste, location, or other sensitive attributes. Lenders should regularly test algorithms to detect and remove discriminatory outcomes.

  • Ensure Explainability of Credit Decisions: Borrowers should be able to understand the key reasons for loan approval or rejection. Fintech entities must maintain documentation of model logic and provide meaningful explanations when requested.

  • Use Only Relevant Data for Scoring: Only data directly related to credit risk should be used. Accessing contacts, social data, or unrelated behavioural information for scoring violates data minimisation and purpose limitation principles.

Penalties and Regulatory Enforcement

Penalties and regulatory enforcement represent the legal and supervisory actions taken against fintech and digital lending entities for non-compliance with data protection and digital lending requirements. These measures ensure that borrower data is processed lawfully, securely, and transparently, and act as a deterrent against misuse of personal and financial information.

Purpose of Enforcement

Regulatory enforcement aims to compel organisations to implement proper consent mechanisms, strong security safeguards, and responsible data handling practices. It also protects borrowers from unauthorised data access, coercive recovery methods, and unlawful third-party data sharing.

Role of Regulatory Authorities

The Data Protection Board and the Reserve Bank of India have powers to investigate violations, impose monetary penalties, restrict business operations, and issue corrective directions. Enforcement actions may arise from data breaches, excessive data collection, weak vendor controls, or failure to comply with digital lending norms.

Recent Regulatory Developments

Implementation of DPDP Rules

Fintech entities must update consent flows to make them granular and withdrawable. Clear privacy notices, data retention controls, and user rights features must be built into apps. Companies must maintain processing records, strengthen encryption and access controls, and implement breach reporting mechanisms before full enforcement.

Consolidated Digital Lending Directions

Revised directions require compliance certification by senior management and clearer disclosures on lender identity, loan terms, and data usage. Lending service providers face stricter limits on data collection and storage, ensuring regulated entities retain control over borrower data and fund flows.

Increased Regulatory Scrutiny

Regulators are monitoring recovery conduct, third-party data sharing, and app permissions. Excessive data access and coercive practices are being penalised, and non-compliant digital lending apps risk removal and operational restrictions.

Practical Compliance Strategy for Fintech Entities

A privacy-by-design approach is essential because fintech platforms handle highly sensitive financial and personal data throughout the lending lifecycle. Data protection controls must be embedded in mobile applications, APIs, analytics tools, and cloud environments from the initial development stage. This ensures lawful data collection, restricted access, encryption, monitoring, and proper deletion once the purpose is fulfilled, thereby reducing regulatory and reputational risks.

Key Compliance Measures

  • Data Mapping and Classification: Fintech entities must conduct a detailed data inventory to identify what borrower data is collected, where it is stored, how it flows across systems, and which third parties process it. Classifying data into KYC, financial, behavioural, and operational categories helps apply appropriate access controls, retention schedules, and security safeguards.

  • Consent Management Systems: A robust consent framework should record when and how consent was obtained, the specific purpose, and the version of the privacy notice shown. It must allow easy withdrawal of consent and maintain audit trails to demonstrate lawful processing during regulatory inspections.

  • Vendor Due Diligence and Monitoring: Third-party service providers must be evaluated for cybersecurity standards, data handling practices, and legal compliance. Contracts should include confidentiality clauses, data usage restrictions, audit rights, and breach reporting obligations, along with periodic security reviews.

  • India-Based Data Storage Infrastructure: Borrower personal data must be stored on servers located in India with encryption, role-based access controls, and monitoring systems to ensure regulatory access, data integrity, and protection against unauthorised transfer.

  • Incident Response and Breach Management Plan: A documented breach response plan should define detection mechanisms, escalation procedures, containment steps, regulatory reporting timelines, and user notification processes, supported by regular testing and simulation exercises.

  • Periodic Internal and External Audits: Regular audits help assess the effectiveness of data protection controls, identify compliance gaps, validate vendor practices, and ensure continuous alignment with evolving regulatory and cybersecurity requirements.
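The consent management measure above, together with the purpose limitation, withdrawal and statutory retention rules discussed earlier in the article, can be expressed as one decision routine. The following is an added illustration written for this page, not code from the article or from any regulator: the purposes, data categories and the five-year retention figure are the article's; the class names, the "compliance" purpose label and the day-based retention arithmetic are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Lending functions the article treats as the primary purpose, and the
# secondary purposes it says need fresh, separate consent.
LENDING_PURPOSES = {"underwriting", "servicing"}
SECONDARY_PURPOSES = {"marketing", "profiling", "cross-selling"}

# Statutory retention after loan closure, keyed by the article's data categories.
# Five years is the article's figure; day arithmetic here is an approximation.
STATUTORY_RETENTION: Dict[str, timedelta] = {
    "kyc": timedelta(days=5 * 365),
    "financial": timedelta(days=5 * 365),
}

@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str          # privacy-notice version shown when consent was taken
    granted_on: date
    granted_via: str             # the affirmative user action, e.g. an in-app toggle
    withdrawn_on: Optional[date] = None

@dataclass
class BorrowerDataFile:
    borrower_id: str
    categories_held: Set[str]    # e.g. {"kyc", "financial", "behavioural", "operational"}
    consents: List[ConsentRecord] = field(default_factory=list)
    loan_closed_on: Optional[date] = None
    audit_trail: List[str] = field(default_factory=list)

    def grant(self, purpose: str, notice_version: str, on: date, via: str = "in-app toggle") -> None:
        # One record per purpose keeps consent specific and granular.
        self.consents.append(ConsentRecord(purpose, notice_version, on, via))
        self.audit_trail.append(f"{on}: consent for {purpose} via {via} (notice {notice_version})")

    def withdraw(self, purpose: str, on: date) -> None:
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on
                self.audit_trail.append(f"{on}: consent for {purpose} withdrawn")

    def has_consent(self, purpose: str, on: date) -> bool:
        return any(c.purpose == purpose and c.granted_on <= on
                   and (c.withdrawn_on is None or c.withdrawn_on > on) for c in self.consents)

    def must_retain(self, category: str, on: date) -> bool:
        # Mandated while the relationship is open and for the statutory period after closure.
        period = STATUTORY_RETENTION.get(category)
        if period is None:
            return False
        return self.loan_closed_on is None or on <= self.loan_closed_on + period

    def purpose_fulfilled(self, on: date) -> bool:
        # The lending purpose ends at loan closure or once all lending consents are withdrawn.
        closed = self.loan_closed_on is not None and on >= self.loan_closed_on
        return closed or not any(self.has_consent(p, on) for p in LENDING_PURPOSES)

    def may_process(self, category: str, purpose: str, on: date) -> Tuple[bool, str]:
        # Decision order: statutory basis, then purpose limitation, then consent.
        if purpose == "compliance":          # regulatory, audit or legal use only
            if self.must_retain(category, on):
                return True, "statutory retention applies"
            return False, "no legal basis to retain this category"
        if self.purpose_fulfilled(on):
            return False, "lending purpose fulfilled: retained data is for compliance use only"
        if self.has_consent(purpose, on):
            return True, f"active consent for {purpose}"
        if purpose in SECONDARY_PURPOSES:
            return False, f"{purpose} requires its own separate consent"
        return False, f"no consent for {purpose}"

    def purge_due(self, on: date) -> List[str]:
        # Categories that must be deleted once the purpose is fulfilled.
        if not self.purpose_fulfilled(on):
            return []
        return sorted(c for c in self.categories_held if not self.must_retain(c, on))
```

The audit trail records the notice version and the user action for each grant, which is what an inspector would ask for; the purge list is what a scheduled deletion job would act on.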

Conclusion

Data protection for fintech and digital lending platforms in India is now governed by the DPDP Act, RBI Digital Lending Directions, IT Act provisions, cybersecurity requirements, and outsourcing rules. These laws regulate how borrower data is collected, processed, stored, shared, and deleted. Fintech lenders must obtain clear and granular consent, collect only necessary information, store personal data on India-based servers, and ensure strict monitoring of lending service providers. The objective is to prevent misuse of sensitive financial data while promoting transparency and accountability in digital lending operations.

In the coming years, strong data governance will determine the credibility and sustainability of fintech businesses. Companies must adopt privacy-by-design systems, robust cybersecurity practices, and simple mechanisms for data access, correction, and deletion. Regulatory scrutiny on app permissions, recovery conduct, and third-party data sharing will continue to increase. Fintech entities that prioritise ethical data use, secure infrastructure, and effective grievance redressal will reduce legal exposure and build long-term borrower trust in the digital lending ecosystem.

Frequently Asked Questions (FAQs)

Q1. Which laws govern data protection for fintech and lending apps in India?

Ans. Data protection is governed by the Digital Personal Data Protection Act, 2023, DPDP Rules, RBI Digital Lending Directions, IT Act and SPDI Rules, cybersecurity reporting norms, KYC retention requirements, and outsourcing guidelines, creating a comprehensive framework regulating borrower data collection, processing, storage, sharing, and security.

Q2. Are fintech lenders considered Data Fiduciaries under the DPDP Act?

Ans. Yes, fintech lenders qualify as Data Fiduciaries because they determine how borrower data is collected, processed, stored, and shared. They remain legally responsible for consent management, security safeguards, breach reporting, and user rights, even when processing activities are outsourced to third-party service providers.

Q3. Can lending apps access mobile contacts, SMS, or photo galleries?

Ans. Lending apps cannot access contacts, SMS, call logs, or media files unless strictly necessary for loan processing and supported by explicit consent. Excessive data collection violates data minimisation principles and RBI directions, which aim to prevent misuse of personal data during profiling and recovery activities.

Q4. Is borrower consent mandatory for data collection in digital lending?

Ans. Yes, valid borrower consent is mandatory before collecting personal data. Consent must be free, informed, specific, and unambiguous. Fintech platforms must clearly disclose purpose, retention period, and third-party sharing. Separate consent is required for marketing, analytics, or any secondary data processing activities.

Q5. Can a borrower withdraw consent after taking a loan?

Ans. Borrowers have the right to withdraw consent at any time. After withdrawal, the fintech entity must stop processing and delete personal data unless retention is required for legal obligations such as KYC records, fraud monitoring, dispute resolution, or regulatory compliance under financial sector laws.

Q6. Where must fintech lenders store borrower data?

Ans. Borrower personal data must be stored on servers located in India as per RBI digital lending norms. Fintech companies using global cloud systems must ensure local storage or mirrored servers in India to maintain regulatory access, auditability, and protection of financial information.

Q7. What are the data retention requirements for lending apps?

Ans. KYC records, transaction data, and audit trails must be retained for statutory periods, generally five years after account closure. Retained data must be used only for regulatory compliance and cannot be processed for unrelated purposes such as marketing, profiling, or analytics.

Q8. Are fintech companies responsible for data breaches caused by third-party vendors?

Ans. Yes, the regulated lender or fintech Data Fiduciary remains fully responsible for breaches caused by lending service providers, analytics vendors, or cloud partners. Outsourcing agreements must include confidentiality clauses, security standards, audit rights, and breach reporting obligations to mitigate third-party risks.

Q9. What borrower rights exist under the data protection framework?

Ans. Borrowers have the right to access their personal data, correct inaccuracies, request deletion of unnecessary data, withdraw consent, and file grievances. Fintech platforms must provide user-friendly in-app mechanisms and time-bound processes for exercising these rights and resolving complaints.

Q10. Is automated credit scoring using AI permitted under Indian law?

Ans. Automated credit scoring is permitted but must follow fairness, transparency, and purpose limitation principles. Fintech lenders should avoid discriminatory profiling, use only relevant data, maintain explainable models, and allow borrowers to seek clarification regarding credit decisions based on automated processing.

CA Manish Mishra is the Co-Founder & CEO at GenZCFO. He is the most sought-after professional for providing virtual CFO services to startups and established businesses across diverse sectors such as retail, manufacturing, food, and financial services, with over 20 years of experience in strategic financial planning, regulatory compliance, fundraising, and M&A.