Sector-wise readiness
Fintech and BFSI: triggered obligations versus day one duties
One misconception I keep seeing when fintech and lending startups read DPDP checklists: they assume every box applies from day one. It does not.
A lending app on its first 10,000 users is not expected to operate like HDFC Bank. A two-founder neobanking startup does not need every compliance product a large NBFC buys. A sector map is a superset of everything the sector may ever owe, not a launch checklist.
What applies from the start, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards (encryption, tokenisation and access control on KYC, account and transaction data)
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts, including overseas core banking, cloud and analytics vendors
- ✅ Breach response
What may not apply to you yet
- ❌ SDF obligations. These switch on only if the Central Government notifies you as a Significant Data Fiduciary. Scale and systemic risk make large BFSI entities strong candidates for assessment, but size alone does not make you an SDF.
- ❌ Data localisation under DPDP. This is separate from any data storage rule your sector regulator already imposes on you; check that one independently, because DPDP not requiring localisation does not switch the regulator's rule off.
- ❌ Annual DPIAs (an SDF duty)
- ❌ Independent audits (an SDF duty)
- ❌ Dedicated DPO (an SDF duty)
- ❌ Enterprise grade tooling
Two things fintech founders consistently get wrong
The retention clocks contradict each other, and you must reconcile them on paper. DPDP says erase when the purpose ends. RBI, SEBI, IRDAI and PMLA say keep, for years. The lawful hook is the Rule 8(3) proviso (retention is permitted where another law requires it), and it has to be invoked explicitly, per data class, citing the law that requires the hold. An auditor wants to see that documented reconciliation, not an assumption that "we keep everything for seven years anyway".
The consent broker line trips people up. If you sit between the user and other institutions as a consent intermediary, the Account Aggregator framework and DPDP Consent Manager registration are not the same thing, and one does not satisfy the other. Clarify which hat you wear before you build the flow.
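One way to make the retention reconciliation something you can show an auditor rather than a guess is to encode it: each data class carries its statutory holds, and the erase date is the later of the DPDP purpose-end and the longest hold, with the decision recording which law justified keeping the data. The code below is an added example and is not from the original post. The statute names, retention periods and clock anchors in it are placeholders to show the mechanics; take the real figures from the RBI, SEBI, IRDAI and PMLA provisions that apply to you.

```python
"""Retention reconciliation: the DPDP purpose-end clock versus statutory keep clocks.

Added example, not part of the original post. Statute names, periods and
anchors below are PLACEHOLDERS; substitute the provisions that bind you.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_date(s: str) -> date:
    return date.fromisoformat(s)


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb anchor lands on 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class StatutoryHold:
    law: str        # citation placeholder, e.g. "PMLA (placeholder)"
    years: int      # placeholder period, not a legal figure
    anchor: str     # event that starts the clock, e.g. "relationship_end"


@dataclass(frozen=True)
class DataClass:
    name: str
    holds: tuple = ()   # statutory holds that override erase-on-purpose-end


@dataclass(frozen=True)
class RetentionDecision:
    data_class: str
    purpose_end: date
    erase_on: Optional[date]   # None: a hold clock has not started yet
    basis: str                 # the lawful hook an auditor will ask for


def reconcile(dc: DataClass, purpose_end: date, anchors: dict) -> RetentionDecision:
    """Erase on the later of purpose-end and the longest statutory hold.

    DPDP alone: erase when the purpose ends. Where another law requires
    retention, the hold is lawful under the Rule 8(3) proviso and the
    decision names that law, so the reconciliation exists on paper.
    """
    erase_on = purpose_end
    basis = "DPDP: purpose served, erase"
    for hold in dc.holds:
        start = anchors.get(hold.anchor)
        if start is None:
            # The statutory clock has not started (e.g. relationship still open):
            # erasure cannot be scheduled yet, and the register must say so
            # rather than silently defaulting to the DPDP date.
            return RetentionDecision(
                dc.name, purpose_end, None,
                f"{hold.law}: hold clock not started ({hold.anchor} unknown)")
        hold_end = add_years(start, hold.years)
        if hold_end > erase_on:
            erase_on = hold_end
            basis = f"Rule 8(3) proviso: retained under {hold.law} until {hold_end.isoformat()}"
    return RetentionDecision(dc.name, purpose_end, erase_on, basis)


def is_erasure_due(decision: RetentionDecision, today: date) -> bool:
    return decision.erase_on is not None and today >= decision.erase_on


def retention_register(rows, today: date):
    """One row per data class: the documented reconciliation, not a guess."""
    register = []
    for dc, purpose_end, anchors in rows:
        d = reconcile(dc, purpose_end, anchors)
        register.append({
            "data_class": d.data_class,
            "purpose_end": d.purpose_end.isoformat(),
            "erase_on": d.erase_on.isoformat() if d.erase_on else "not yet schedulable",
            "basis": d.basis,
            "due": is_erasure_due(d, today),
        })
    return register


# Constructed sample data (placeholder statute and period, not legal figures).
KYC_RECORD = DataClass("kyc_record",
                       holds=(StatutoryHold("PMLA (placeholder)", 5, "relationship_end"),))
MARKETING_PREFS = DataClass("marketing_preferences")


def sample_register(today_iso: str = "2025-06-01"):
    rows = [
        # account closed 15 Jan 2024: purpose ended, statutory hold clock started
        (KYC_RECORD, parse_date("2024-01-15"), {"relationship_end": parse_date("2024-01-15")}),
        # consent for this purpose withdrawn, but the regulated relationship is still open
        (KYC_RECORD, parse_date("2024-01-15"), {}),
        # consent withdrawn, no statutory hold: DPDP clock alone governs
        (MARKETING_PREFS, parse_date("2024-01-15"), {}),
    ]
    return retention_register(rows, parse_date(today_iso))


if __name__ == "__main__":
    for row in sample_register():
        print(row)
```

The point of the `basis` field is that every retained record carries the name of the law that keeps it; a row that says only "purpose served" with a hold still running is exactly the gap an auditor will find.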
The better question
The better question is not "does fintech have this requirement?"
It is "have I actually triggered this requirement?"
Law creates obligations. Scale and risk influence how you implement them. Confusing the two is how fintech startups spend on tools they do not need while missing the basics that apply from day one.
Which fintech data assumption do you think will age worst? Drop it in the comments.