Data Protection Law Puts Digital Lenders in a Bind
India's new Digital Personal Data Protection (DPDP) Act promises users simple consent withdrawal. However, this promise clashes directly with how digital lending platforms operate. These lenders rely on continuous data streams to price loans, monitor borrowers, and manage risk.
Industry Seeks Key Exemptions
The Fintech Association for Consumer Empowerment (FACE) has made multiple representations to the Ministry of Electronics and Information Technology, seeking relief under Section 17 of the DPDP Act. The industry wants lenders to continue accessing borrower data throughout a live loan, even if consent is withdrawn mid-tenure.
Digital lenders argue they need non-revocable consent for two critical stages: underwriting and post-disbursal monitoring. This includes recurring access to bank transaction alerts and statement data. They want such monitoring treated as a mandatory part of servicing regulated loan contracts.
Legal Experts Express Caution
Lawyers advising fintech firms caution that these exemption requests may not succeed. They point out lenders already have legal grounds under existing sectoral obligations. The DPDP Act's exemptions allow processing borrower data for core loan functions like underwriting, servicing, and recovery.
For other uses, such as early-warning analytics and predicting payment propensity, withdrawable consent remains necessary. The industry must distinguish between mandatory regulated requirements and optional data processing.
The Consent Conundrum
At the heart of this conflict lies the DPDP Act's definition of consent. Consent must be free, specific, informed, unconditional, and unambiguous. Users have the right to withdraw it at any time, with ease comparable to that with which they gave it.
This principle conflicts with digital lending models that depend on continuous data flows. Many platforms use alternative data inputs beyond traditional credit checks. These include device-intelligence signals, metadata, and behavioral biometrics to assess legitimacy and prevent fraud.
Regulatory Realities Create Complexity
Naqeeb Ahmed Kazia, partner at CMS IndusLaw, notes the consent-withdrawal right is not absolute in regulated sectors like NBFC-led lending. Sectoral rules often require entities to retain borrower records for extended periods. Later withdrawal requests may not translate into immediate data deletion or a halt to processing.
In RBI-regulated sectors, entities have independent obligations for audits, regulatory reporting, and loan documentation. These obligations persist even if customers later seek to withdraw consent.
Account Aggregator System Plays Key Role
Most lending journeys use the RBI-regulated account aggregator (AA) framework for consent-based financial data sharing. This system digitizes what was previously a manual process. India now has about 17 operational AAs covering data from roughly 240 crore accounts.
The system processes about two crore consents monthly, resulting in roughly 40 crore data deliveries. Within this ecosystem, lenders can build periodic bank balance or statement checks into recurring consent artefacts, though strict fair use limits apply.
Phone Data Access Faces Restrictions
Many fintech lending journeys historically relied on direct phone access for transaction SMSes and device-level signals. RBI's digital lending guidelines explicitly sought to curb such practices. The central bank has drawn clear red lines, prohibiting lenders from accessing photographs or contact lists.
Where consent is used for non-essential purposes like marketing, users must be allowed to withdraw it completely. Lenders cannot continuously access phone storage data under current guidelines.
Post-Loan Monitoring Emerges as Flashpoint
The sharpest contention arises around post-disbursal monitoring. Some lenders attempt to keep monitoring borrowers for early-warning signals. Outside the AA system, similar monitoring has often been attempted through continuous SMS or metadata access.
Vamsi Madhav, CEO of Finvu AA, notes lenders increasingly request post-loan data to monitor deposit accounts. Some experiment with narrower monitoring, asking consumers for consent to monitor just balances rather than full transactions.
Balancing Protection with Practicality
The digital lending industry faces a complex balancing act. It must comply with new data protection requirements while maintaining effective risk management. As the DPDP Act nears full implementation, these tensions will likely intensify.
Both regulators and industry players must navigate this challenging landscape. They need to protect consumer privacy while ensuring financial stability and preventing fraud in India's growing digital lending sector.