
As the Digital Privacy Act (DPDP) nears full implementation, the industry is pushing back on several key provisions in the Act. Two people familiar with the discussions said the Fintech Association for Consumer Empowerment (FACE), a self-regulatory organization recognized by the Reserve Bank of India (RBI), along with some of its member firms, has filed several representations with the Ministry of Electronics and Information Technology (MeitY) seeking an exemption under Section 17 of the Act.
According to the first person quoted above, the industry is seeking relief to allow lenders to continue to access and use specified borrower data throughout the life of the live loan, even if the borrower tries to revoke consent midway through the term. This person is a policy expert who advises fintech firms.
According to the person, the industry's case rests on how digital lenders manage post-disbursement credit risk, particularly with early warning systems that signal repayment stress before default occurs.
Two people familiar with the matter said the firms are seeking irrevocable approval for two stages of lending: underwriting and post-disbursement monitoring. They said this would involve repeated access to signals such as bank transaction alerts and statement data, either through the RBI-regulated Account Aggregator (AA) system or through authorizations routed through the lender’s own app on the borrower’s phone.
In effect, the application seeks to treat such monitoring as a “mandatory” part of servicing a regulated credit agreement, rather than an optional layer that can be turned off by the user.
But lawyers who advise fintech lenders caution that the industry body’s request for exemptions may not fly.
Lawyers Mint spoke to said lenders already have an independent legal basis under existing sectoral obligations and exemptions from the DPDP Act to process borrower data for core credit functions such as underwriting, servicing, repayment monitoring and collection, particularly when an account falls into arrears. Other uses, such as early warning analytics and predicting a borrower’s propensity to pay, would require revocable consent, they said.
Emails sent to FACE and MeitY on January 2 had not elicited a response as of press time.
What is consent?
Consent itself is at the heart of the problem. According to the DPDP Act, consent must be “free, specific, informed, unconditional and unequivocal with a clear affirmative action”, and the user has the right to withdraw it “at any time” with an ease “comparable to the ease with which the consent was given”.
This principle is at odds with digital lending models that rely on continuous data flows that go beyond loan approvals.
Alternative use of data
The data trail can be used even after the initial loan decision, including refining underwriting models over time and offering repeat loans or other financial products through marketing messages, emails and push notifications.
Sugandh Saxena, CEO of FACE, said that many fintech platforms rely on a wide set of alternative data inputs, not only for credit assessment, but also for fraud checks and tailoring of loan offers. “As lenders start to acquire a customer, device intelligence signals such as metadata and behavioral biometrics also come into play, feeding into models to assess whether the applicant looks legitimate,” Saxena said.
FACE’s member list includes companies such as KreditBee, CASHe, LoanTap, Kissht, CRED, Navi, Paytm and MobiKwik.
For example, CRED asks users at signup for permission to read their Gmail inbox—including emails and attachments—to check credit card bills and delinquencies. Users can later remove this access from Google’s own permissions panel, independent of the app.
But lawyers and industry observers told Mint that a tougher question arises in lending once consent is tied to an active loan agreement: whether a borrower can opt out of certain categories of data processing mid-term under the DPDP Act.
Regulated reality
Naqeeb Ahmed Kazia, partner, CMS IndusLaw, said the right to revoke consent under the DPDP Act is not absolute in highly regulated sectors such as lending led by non-banking finance companies (NBFCs). Industry rules may require regulated entities to retain borrower records for longer periods of time, meaning that a later request to withdraw consent may not result in deletion or an immediate halt to all processing.
“If there is a law that requires data to be retained for a longer period of time, then that law will supersede (user consent),” Kazia said.
In sectors overseen by regulators such as the RBI and, in the case of insurers, the Insurance Regulatory and Development Authority of India (Irdai), entities often have independent obligations to maintain and process records for audits, regulatory reporting and credit documentation, even if the customer later tries to withdraw their consent.
Account Aggregators Explained
For most credit pathways, bank transaction data feeds into underwriting in one of two ways: borrowers upload statements manually, or lenders retrieve them through the RBI-regulated Account Aggregator (AA) framework, which allows financial information to be shared between regulated entities on a consent basis.
Since the AA system is a regulated financial infrastructure, access is largely limited to banks, NBFCs and similar entities, not unregulated intermediaries.
Krishna Prasad, founder of OneMoney, said AA has digitized what was previously a manual process. “This is now being replaced by a fully digital process where users go to OneMoney during a loan application… and once the user gives consent, it becomes a consent artifact. OneMoney then presents that signed consent artifact to the bank in an encrypted format,” Prasad said.
Tejinder Pal Singh, managing director of CAMSFinserv, an RBI-licensed Account Aggregator, said India now has about 17 functional AAs covering data from about 240 million accounts. The system processes roughly two million consents per month, resulting in roughly 40 million monthly data deliveries.
Phone data limits
Yet many fintech credit pathways have historically relied on direct access to the borrower’s phone – transactional SMS and device-level signals – permissions that the RBI’s digital lending guidelines have explicitly sought to curtail.
The person quoted above said the RBI has drawn clear red lines. “RBI… told digital lenders that they can’t look at photos on your phone… and you can’t contact other people on your contact list… because it was outrageous behavior… so RBI blocked it,” the person added.
If consent is used for non-essential purposes such as marketing, users must be able to withdraw it. “You have to stop doing that.”
Follow-up after the loan
A sharper point of contention is what happens after the loan is paid out, with some lenders trying to monitor borrowers for early warning signs.
Within the AA ecosystem, periodic downloads of bank balances or statements can be built into recurring consent artifacts, although AA guidelines impose strict “fair use” limits.
Vamsi Madhav, managing director of Finvu AA, said lenders are increasingly asking for post-loan data to “monitor the deposit account once they lend”. Some are experimenting with closer monitoring. “The third use case that has emerged is lenders proactively asking consumers for their consent to monitor their balance, not transactions, just the balance,” he said.
But outside the AA system, similar monitoring has often been attempted through continuous access to SMS messages or device metadata, raising questions about whether borrowers can revoke such consent mid-loan.
Mandatory vs
FACE’s Saxena said borrowers may not be able to revoke every authorization once a loan is in progress because some processing is tied to regulatory obligations.
“But … the industry will have to really distinguish between what is a mandatory requirement of a regulated use case … and something … where they have the ability to revoke consent,” she said.
Lawyers note that while underwriting, servicing and regulatory reporting may have an independent legal basis, post-payout monitoring may not. “Outside of the permitted exception … everything else still has to be consent-based,” the person quoted earlier said.
Separately, Kazia noted that 24/7 access to phone storage has already been restricted under the RBI’s digital lending guidelines. Under those guidelines, a lender cannot continuously access the phone’s memory or storage data, he said.





