An analysis of key fintech regulations which govern data, the patterns they reveal, and the best practices that fintechs can adopt to ensure compliance.

For the last 5 years, data lawyers have been like the boy who cried wolf. The data bill is always being tabled "in the next session of Parliament". We've seen explainers, primers, deep dives, checklists (well, including our own) to help prepare for the law. The fourth version of the draft law is now out for public consultation. Meanwhile, the RBI has stepped in as a stopgap regulator for financial data for regulated entities (REs) and fintechs. As fintechs grapple with more existential questions, how much should you worry about data? Our fintech and data teams join forces to tell you what to do. We break down five key RBI regulations to help you identify priorities for 2023.

Local storage of payments data by payment system providers

The RBI brought in stringent data regulation with its data localization direction. It asked payment system providers to store payments data in India. Payments data can be processed outside India but must be brought back within 24 hours of processing. It can be accessed from outside India for activities like settlement processing and chargebacks (but must still be stored in India).

This direction is limited to a subset of financial data – 'payments data' – which forms part of a payments instruction or transaction. It covers end-to-end transaction details, including customer information, beneficiary account details, transaction details, etc. And it extends only to certain types of entities – payment system operators or PSOs (and through PSOs, to all system participants in the payments chain).

Which means PSOs must map their data, identify what is and what isn't 'payments data', identify whether they need offshore access (e.g., for global banks, payments processing may take place centrally outside India), re-orient systems to delete data from offshore systems within 24 hours of processing, and contractually agree with vendors/ other processors to store data within India.

No access to transaction data for co-branding partners

RBI's master directions on credit card and debit card (RBI Card Directions) set out dos and don'ts for co-branding arrangements. Co-branding partners are barred from accessing transaction information. This is because a co-branding partner's role is limited to marketing/ distribution of the card.

Transaction information isn't defined in RBI Card Directions. It seems to cover any data related to an activity on the card post its issuance. Such as spends, chargebacks, rewards, etc. on the card. But not activities pre-issuance. Such as the cardholder's name, address, contact details, etc. Which means a co-branding partner can't directly be given data about spends, chargebacks, rewards, etc. to run loyalty programmes or other incentive schemes. But it can still access cardholder's name and contact details – information that it needs to carry out its function as a distributor/ marketer.

Only co-branding partners are barred from accessing transaction data. Not outsourced service providers generally – since the outsourcing guidelines don't have a similar prohibition. If this were to be extended to outsourced service providers generally, it would mean functions like running reward or loyalty programmes, etc. couldn't be outsourced.

Limited access to borrowers' data by unregulated lending service providers (LSPs)

RBI's digital lending guidelines (DLG) were predominantly data guidelines – no surprise, given that data is a vital ingredient in underwriting and default predictions.

The guidelines are entity-specific. Meaning they extend to lenders, and through lenders, to lending service providers and digital lending applications. Under the DLG, data collection by digital lending apps must be need-based and with the prior, explicit consent of the borrowers. Apps must inform users of the purpose of obtaining their consent at the appropriate stage of the app interface. The DLG restricts access to mobile phone resources (such as contact lists and telephony functions) which lenders usually rely upon. It allows certain permissions to be taken once, with the borrowers' explicit consent (such as location access for the purpose of onboarding/KYC requirements). Overall, the DLG promotes transparency, data minimisation, and purpose limitation – as seen in global data privacy laws.

The restrictions are also proportionate to the criticality of the data. For example, the DLG encourages access to the economic profile of the borrower (such as age, occupation, income, etc.). But it restricts access to location data, which can only be taken for the purpose of onboarding borrowers. Interestingly, RBI has imposed limitations on location data, despite acknowledging that it's required to prevent fraud.

Storing card data

Last year, the RBI also implemented the card tokenization mandate – prohibiting all entities, except card issuers and card networks, from storing actual card data. The restriction also seems to be based on the criticality of actual card data, which, if stolen, could cause serious harm to users.

Limited access to credit information

The RBI regulates access to/ sharing of credit information. Credit bureaus can only share credit information with 'specified users' (which usually includes regulated entities). This is understood as a 'hard pull' – where a potential borrower's credit score is pulled by a lender from the credit bureau without the borrower's consent. Specified users are further restricted from sharing such data with any unauthorised person. Fintechs also access credit information of users through 'soft pull' – where they access credit information from credit bureaus on behalf of the user with the user's consent.


The RBI has sporadically regulated data. RBI's data regulation is entity-specific (meaning, because you are a certain type of fintech, you may/ may not access data or must only use it a certain way) or data-specific (meaning, because the data is of a certain nature – sensitive or critical – it must be handled a certain way). The RBI is also increasingly exploring core privacy principles like data minimization (collect only the data that you need), purpose limitation (use it only for a specific purpose), consent (tell users what you're doing and get their approval) – drawing from the draft data laws we've seen over the years.

Importantly, the RBI is regulating for the absolute reckless – those that are leaving banana peels on the floor or leaving their doors unlocked – those with little or no data hygiene.

What should you focus on?

Know your data. The RBI is worried about certain types of data. For instance, card details are sensitive and if shared/ stored willy-nilly, could expose an individual to fraud. Transaction data can be a treasure trove of information about an individual. And so, the RBI only wants you to share it with partners who need it (and not co-branding partners whose job is only to market the card). Location data is highly sensitive, as its unauthorized disclosure could put an individual at risk of physical harm. And so, the RBI only wants digital lenders to collect it once for user onboarding. So, fintechs must know what data they collect, why they need it, whether they can do without it, how long they need it, and so on.

Share with care. The RBI is worried about wanton data-sharing. For instance, credit information can only be shared by credit bureaus with 'specified users'. Borrowers' data can be shared with lending service providers only on a need-to-know basis, with borrowers' explicit consent. So, regulated entities and their tech partners must evaluate who can access data, whether they can share data with an entity, whether they can limit access, etc.

Tell it all. The RBI is worried that individuals know nothing about their data. So, RBI wants digital lenders to disclose their purpose at the appropriate stage through the user interface and get borrowers' consent for data collection. Also, several privacy policies obfuscate more than they communicate. Consider this – "Notwithstanding anything to the contrary mentioned elsewhere, we may store and retain your Personal Information until the fulfilment of the duration which was conveyed to you at the time of collecting the Personal Information." What they mean is – "When you give us any personal information, we'll let you know how long we'll hold it for." Instead of word salads, fintechs must tell users plainly how their data is collected, used, shared, etc.
