Indian fintech sits at an unusual intersection under the DPDPA. On one side, financial regulators — the RBI, SEBI, IRDAI — mandate extensive data collection as part of KYC, AML, and customer due diligence requirements. On the other, the DPDPA instructs that only the minimum data necessary for a stated purpose should be collected. At first glance, these seem to pull in opposite directions. Understanding how they coexist is one of the more practically important questions for the financial services sector right now.

The resolution lies in purpose specification. KYC data collected to meet a regulatory obligation has a defined, legitimate purpose — and that purpose is recognised under the DPDPA. What the law challenges is not the KYC collection itself, but what happens to that data after the regulatory purpose is fulfilled. A lending app that collects PAN, Aadhaar, and bank statements for a loan application cannot then use that same data to build a broader financial profile for cross-selling insurance products without fresh, specific consent. The data collected for one purpose cannot quietly migrate to serve another. The fiduciary responsibility is to hold a clear boundary between these use cases.

Fintech and Banking

For business leaders in fintech and banking, this requires something that most organisations have not yet built — a clear, documented map of every data point collected, the specific purpose it serves, the regulatory or contractual basis for holding it, and the point at which it should be deleted or archived. Many institutions hold customer data across legacy systems with no clear ownership or lifecycle framework. The DPDPA does not give that ambiguity a pass. Getting data architecture right is now a compliance requirement, not just a good practice.