Why RBI's dual compliance mandate is worrying start-ups
Start-ups are worried about their ability to comply

Apr 17, 2026
04:38 pm

What's the story

The Reserve Bank of India (RBI) has required fintech and payment companies to comply with the Digital Personal Data Protection Act (DPDP), in addition to its own guidelines. This dual compliance requirement has raised concerns among start-ups about their ability to keep up. The final decision on DPDP compliance rests with the Data Protection Board, but RBI continues to monitor the situation closely.

Compliance challenges

Difficulty navigating both sets of rules

Start-ups are finding it difficult to navigate both sets of rules, especially since DPDP emphasizes privacy and consent. Meanwhile, RBI's focus is on fraud prevention and financial stability. The differing data storage requirements have created complications, while obtaining clear customer consent becomes tricky when third-party data sources are involved. With a May 2027 deadline approaching, many in the industry are calling for clearer guidance to ensure smooth operations and customer satisfaction.

Compliance clarification

Final authority on DPDP compliance is Data Protection Board

The RBI has clarified that while it regulates payment firms, the Data Protection Board will be the final authority to ensure compliance with DPDP rules. This means fintechs and payment companies must adhere to all DPDP rules in addition to RBI guidelines. The central bank also acknowledged concerns from start-ups about the difficulty of complying with both sets of rules within the given timeline.

Compliance concerns

Start-ups express concerns over DPDP compliance

Start-ups have flagged some DPDP rules as onerous, given the aggressive compliance timeline. They are worried about the cost and labor intensity of meeting these rules. However, a payments firm founder said that while RBI requirements are critical and can be managed, it is still a multi-month effort requiring significant resources to implement.

Data concerns

Audit history and data storage concerns

Fintechs are particularly concerned about maintaining audit history, as the RBI and the DPDP Act have different regulatory reasons for data storage. While DPDP regulations focus on customer privacy, consent, and deletion of data after a transaction, RBI's focus is on financial stability, fraud prevention, and security through audit trails. Most fintechs disagree with RBI on the 10-year timeframe for data storage.

Data accuracy

DPDP requirements and data accuracy accountability

Another major concern for fintechs is the DPDP requirements regarding the lawful purpose of data collection and how customer consent is integrated into a specific payment. These data fiduciary requirements ensure firms obtain clear, unambiguous consent from customers every time they collect or store data. The DPDP rules also hold companies accountable for data accuracy and completeness, but fintechs rely on third-party sources such as banks or MF Central and can't know if the original data is flawed or incomplete.
