RBI and DPDPA Rules Create Dual Compliance Challenge for Fintech Startups in India

RBI directs fintech companies to comply with Digital Personal Data Protection Act (DPDPA) rules along with existing guidelines, raising concerns over data privacy compliance, customer consent, and increased costs for fintech startups in India.


The Reserve Bank of India (RBI) has directed fintech and payment companies to comply with the Digital Personal Data Protection Act (DPDPA), in addition to the RBI's existing regulations. The measure aims to strengthen data privacy, user protection, and cybersecurity in India's fintech sector.

However, many fintech companies have expressed concern about the difficulty and cost of complying with RBI standards and DPDP rules at the same time. According to industry sources, companies consider meeting both sets of requirements within a short time frame to be challenging.

The primary challenge for fintech companies is the overlap between RBI regulations and DPDP data protection requirements. While both aim to protect users, their goals differ. The DPDP Act focuses on data privacy, user consent, and data deletion, while the RBI focuses on financial security, fraud prevention, and transaction records.

This difference complicates how businesses handle customer data, storage, and regulatory obligations. Fintech companies say that achieving DPDP compliance will require significant system upgrades, additional resources, and time. One key challenge is data retention policy: the RBI requires companies to retain certain data for long periods (up to 10 years), while DPDP rules may require consumer data to be deleted or updated once its purpose is served. The two requirements pull in opposite directions on how long customer data should be kept and how it should be managed.

Another critical issue concerns user consent and data collection. Under DPDP rules, organizations must ensure that consumers give explicit consent before their personal data is collected or used. However, many fintech companies operate as intermediaries and do not collect user data directly; instead, they receive it from banks or third-party platforms. This makes it difficult for them to verify that the data is accurate and that valid consent was obtained.

The RBI noted that while it regulates payment providers, the Data Protection Board of India will be responsible for enforcing DPDP compliance. The deadline for full compliance has been set for May 2027. Authorities are also working with other regulators to harmonize standards and reduce uncertainty for fintech companies.

This development shows that data protection and privacy laws in India are becoming stricter. While the goal is to improve security, fintech companies must now adapt to the new compliance standards. Going forward, businesses will need to balance data privacy, regulatory requirements, and operational efficiency to continue growing in India's digital economy.

Information referenced in this article is from Trading View.