Dual compliance: Fintechs must follow DPDP rules and RBI norms, says central bank

April 17, 2026

Startups flag dual compliance and lack of clarity on customer consent as RBI tells payment firms that DPDP Board will be the final authority on data protection rules


Fintechs and payment firms must follow all the rules under the Digital Personal Data Protection (DPDP) Act over and above the RBI's own guidelines, the Reserve Bank of India (RBI) has told startups.
Sources said the RBI, which met representatives of fintech companies in late March, told them that while it regulates payment firms, the Data Protection Board will be the final authority on compliance with DPDP rules.
“Fintechs have raised their concerns that complying with RBI guidelines and DPDP rules simultaneously is tough within the given timeline,” said a senior executive with a payments firm. The executive did not wish to be identified as the discussions with the RBI have not been made public.
Startups flagged some rules as onerous, given the aggressive compliance timeline, sources present in the meeting said. The RBI, however, said it was not for it to decide on DPDP compliance.
The DPDP compliance deadline is May 2027.
“The confusion arises because a lot of regulations and data protection mandates overlap considerably, but also differ when it comes to customer data,” said a senior executive with a payments firm. The person did not wish to be identified as the discussions with the RBI were not public.
Dual regulations
Meeting DPDP rules will be expensive and labour-intensive, fintechs said.
“The RBI requirements are mostly critical and can be managed. But doing it alongside DPDP rules is a multi-month effort. It requires some effort to build it,” a payments firm founder said on condition of anonymity.
Maintaining audit history is the biggest area of concern, as the RBI and the DPDP Act mandate data storage for vastly different regulatory reasons.
While DPDP regulations focus on customer privacy, consent and deletion or correction of data after a transaction, RBI’s focus is on financial stability, fraud prevention, security and robust consumer protection through audit trails.
RBI rules are mission-critical
“Payment firms follow most of the RBI guidelines already, as those are required for internal and legal requirements when customer complaints arise or when payment failures occur. It is also important when some of these transactions are suspicious,” the CEO of a payment firm said on condition of anonymity. Most fintechs differ with the RBI on the 10-year timeframe for data storage.
No control over payment flow
Another key concern for fintechs is the DPDP requirements regarding the lawful purpose of data collection and how customer consent is integrated into a specific payment.
These data fiduciary requirements oblige firms to secure clear, unambiguous consent from customers every time they collect or store data.
“Payment firms or fintechs are often intermediaries without a direct connection with the customers. We do not have visibility of the customer data collection or KYC if it comes through another regulated entity or a fintech. Hence, there is a lack of clarity on some of these DPDP provisions,” a senior executive with a data security firm, which works with fintechs, said.
DPDP rules hold companies accountable for data accuracy and completeness, but fintechs rely on third-party sources such as banks or MF Central, and cannot know if the original data is flawed or incomplete.
MF Central is the central repository for customers' mutual fund-related data.
The RBI said that it was in discussions with other regulators, including the Data Protection Board, on the implementation and clarity on some of these rules.