BFSI Sector — Regulatory Convergence

DPDPA for Banking, Insurance & Financial Services

Q: How does DPDPA apply to banks in India?

DPDPA applies to all banks processing digital personal data of individuals in India. This includes customer data, employee data, vendor data, and data received from regulators. Banks must comply with DPDPA alongside existing RBI circulars on data localisation, cyber security, and customer data protection. The key challenge is harmonising DPDPA's consent requirements with RBI's KYC norms and account maintenance obligations.

Q: Do banks need separate DPDPA consent for KYC?

KYC processing may qualify under Section 7 (deemed consent/legitimate uses) for statutory compliance obligations. However, the processing of KYC data for purposes beyond statutory compliance — such as credit profiling, marketing, or cross-selling — requires explicit consent under Section 6. Banks must clearly segregate statutory processing from commercial processing of the same data.

Q: What is the relationship between RBI data localisation and DPDPA?

RBI mandates that payment system data be stored only in India (2018 circular). DPDPA Section 16 adds a cross-border transfer framework with a negative-list approach. For banks, this creates a dual obligation: RBI's strict localisation for payment data AND DPDPA's broader framework for all personal data. IRDAI and SEBI impose their own localisation requirements for their regulated entities.

BFSI faces a convergence challenge no other sector does — DPDPA layered on RBI, IRDAI, SEBI, and sectoral data localisation mandates. Compliance requires navigating four regulatory tracks simultaneously.

RBI + DPDPAIRDAI + DPDPASEBI + DPDPAKYC × Consent6 Sub-Sectors

BFSI is the only sector where DPDPA intersects with three independent regulators, each with their own data governance requirements. A standalone DPDPA programme without sectoral alignment creates compliance gaps, not compliance.

Sub-Sector Analysis

DPDPA Challenges by BFSI Sub-Sector

Commercial & Retail Banks

Regulator: RBI

›KYC data processing — lawful basis segregation between statutory obligation and commercial use
›RBI data localisation (2018 circular) layered with DPDPA Section 16
›Customer data shared across group entities for cross-selling
›Account closure data retention vs DPDPA's erasure rights under Section 12
›Digital lending data sharing with NBFC partners

NBFCs & Lending Institutions

Regulator: RBI

›Credit scoring and profiling — consent for automated processing
›Co-lending data sharing arrangements and processor responsibilities
›Recovery agent data access and third-party controls
›Borrower data retention post loan closure
›Digital lending app data collection (RBI DLG + DPDPA)

Insurance Companies

Regulator: IRDAI

›Health data processing for underwriting and claims — sensitive processing without explicit DPDPA "sensitive data" category
›Agent and broker data sharing networks
›Telematics and IoT data from motor/health insurance devices
›Reinsurer data transfers (often cross-border)
›IRDAI Information and Cyber Security Guidelines overlay

Mutual Funds & Asset Management

Regulator: SEBI

›KYC data across RTAs, distributors, and AMCs
›SEBI CSCRF compliance alongside DPDPA
›Investor data shared with registrars and custodians
›Digital onboarding consent flows
›Nominee and joint-holder data processing

Payment Aggregators & Gateways

Regulator: RBI

›Transaction data processing at scale — processor vs fiduciary classification
›RBI PA/PG guidelines + DPDPA harmonisation
›Merchant data processing and sharing
›Card-on-file tokenisation data governance
›UPI transaction data retention and purging

Fintech / Neo-Banks

Regulator: Multiple

›Multi-regulator compliance (RBI, SEBI, IRDAI depending on products)
›Embedded finance data flows across partner ecosystems
›Open banking and account aggregator data processing
›Behavioural data for credit decisions
›Third-party analytics and marketing data processing

5 DPDPA Compliance Pillars for BFSI

Consent × KYC Segregation

Separate statutory processing (KYC, AML, regulatory reporting) from commercial processing (credit scoring, cross-selling, analytics). Different lawful bases, different consent requirements.

Section 6, Section 7

Multi-Regulator Data Localisation

RBI payment data localisation, IRDAI information security guidelines, SEBI CSCRF — each with DPDPA Section 16 overlay. Map every cross-border data flow against all applicable regimes.

Section 16, RBI Circular 2018

Processor Chain Governance

Banks use hundreds of vendors — IT service providers, cloud platforms, analytics firms, collection agencies. Section 8(2) creates effectively non-delegable responsibility for every processor in the chain.

Section 8(2), Rule 6

Customer Rights Infrastructure

Build grievance redressal, correction, and erasure mechanisms that work alongside existing RBI customer complaint frameworks. Integration, not duplication.

Section 11-13, Rule 8

Breach Response Convergence

DPDPA Board notification (Section 8(6), Rule 7) + CERT-In 6-hour reporting + RBI/IRDAI/SEBI incident reporting — a single breach triggers four notification tracks.

Section 8(6), Rule 7, CERT-In

Related DPDPA Resources

DPDPA Compliance Checklist

8-phase implementation guide

Cross-Border Transfers

Section 16 + RBI/SEBI overlay

Vendor Governance

Section 8(2) processor controls

Breach Response

Multi-regulator notification playbook

DPDPA for Startups

Fintech compliance playbook

Consent Management

Section 5 & 6 deep dive

Enterprise Governance

Board-level compliance framework

DPDPA Consulting

Counsel-led advisory services

BFSI-Specific DPDPA Advisory

Regulatory convergence demands sector-specific counsel. AMLEGALS brings 27 years of financial sector regulatory experience to DPDPA implementation for banks, NBFCs, insurers, and fintechs.

Request a Confidential Briefing

Our data privacy counsel will reach out within one working day.

Insights & Answers

What practitioners and boards are asking

How does DPDPA apply to banks and financial services in India?

BFSI faces unique DPDPA compliance challenges because of regulatory convergence. DPDPA layered on RBI data localisation circulars, IRDAI information security guidelines, and SEBI CSCRF requirements. Key issues include KYC data processing (segregating statutory vs commercial lawful bases), multi regulator breach notification (DPDPA Board + CERT In + RBI/IRDAI/SEBI), cross border transfer restrictions, and processor chain governance across hundreds of vendors. AMLEGALS provides sector specific DPDPA advisory for banks, NBFCs, insurers, mutual funds, and fintechs.