Edition #36 regtech

Consent was never the product. Under the DPDP Act, it becomes the infrastructure.

How India's Digital Personal Data Protection Act restructures compliance obligations for every bank, NBFC, and fintech holding personal financial data.

dpdp-actconsent-managementdata-protectionbfsi-compliancerbidata-fiduciary

FinSaAIstra Intelligence | DPDP Act Series | June 2026

Executive Signal

The Digital Personal Data Protection (DPDP) Act 2023 and its accompanying Rules 2025 do not add a compliance checkbox to existing financial regulation. They restructure the legal relationship between a financial institution and every data principal it has ever served.

This is not a data security upgrade. It is a consent architecture mandate.

Banks and NBFCs have been collecting personal financial data under a framework designed for operational efficiency. The DPDP Act requires them to rebuild that collection logic around a principle they have not operationalised before: the rights of the data principal, not the workflows of the institution.

Consent Debt — The accumulated regulatory liability that a BFSI institution carries when its consent infrastructure was built for operational efficiency rather than data principal rights, creating structural exposure under the DPDP Act that retroactive data mapping cannot resolve.

Verified Market Signals

🧭 The DPDP Rules 2025 were officially notified on 13 November 2025, setting a compliance deadline of 13 May 2027. Consent Management under Rule 4 becomes enforceable one year from notification, in November 2026. For banks, that is five months from the date of this publication. Most BFSI compliance programmes have not yet moved consent from a UX layer to an infrastructure layer. Source: MeitY, DPDP Rules, 2025.

🧭 Penalties under the DPDP Act reach ₹250 crore for failure to implement reasonable security safeguards (Section 8(5)), ₹200 crore for failure to notify the Data Protection Board or data principals of a breach (Section 8(6)), and ₹150 crore for non-compliance with Significant Data Fiduciary obligations (Section 10). For context, the RBI levied over ₹56 crore in total fines across 304 enforcement actions in calendar year 2024. The DPDP penalty regime is a different order of magnitude. Source: MeitY, DPDP Act 2023.

🧭 Consent Managers operating under the DPDP Act must be incorporated in India, maintain a minimum net worth of ₹2 crore, and operate an interoperable platform certified to Board standards. This creates a vendor qualification layer that most procurement teams have not built into their compliance vendor evaluation criteria. Source: MeitY, DPDP Rules 2025.

Structural Shifts

Operational Consent → Regulatory Consent — Consent in financial services was designed to enable the institution: onboarding, cross-sell, credit bureau sharing, marketing automation. The DPDP Act inverts this — consent now exists to enable the data principal to exercise rights.

Single-Regulator Risk → Multi-Regulator Risk Stack — BFSI entities already operate under RBI Master Directions. DPDP adds a parallel framework with its own enforcement body (Data Protection Board of India). Penalties are additive, not merged.

Data Mapping → Consent Architecture — A data map tells you where data lives. Consent architecture tells you why that data can be held, for what purpose, by what processor, for how long.

Vendor Relationship → Data Processing Agreement — Every third-party vendor handling personal financial data must now be bound by a formal DPA, including cloud providers, analytics vendors, credit bureau integrations, fraud detection platforms, and collection agencies.

Systemic Implications

Assumptions that are no longer valid:

  • RBI-compliant data practices are not sufficient for DPDP compliance — the two frameworks impose distinct obligations.
  • Consent given at account opening does not cover all subsequent uses of customer data. Purpose-specific consent is required.
  • Data processors do not carry their own compliance obligations under DPDP — the data fiduciary (bank/NBFC) remains liable for processor failures.

Where existing systems become liabilities:

  • Legacy core banking systems were not designed with consent as a data attribute — retrofitting purpose-field logic is architectural, not configuration.
  • CRM/marketing automation combining financial + behavioural data for cross-sell represents a structural consent conflict.
  • Third-party analytics for credit risk/fraud scoring often involve transfers to processors without DPDP-compliant DPAs.

Which functions are most exposed:

  • Marketing and Growth teams running data-driven personalization on non-purpose-limited consent.
  • Legal and Compliance teams running two parallel compliance stacks (DPDP + RBI) with no unified control view.
  • Technology and Data teams owning pipelines that need purpose-limitation fields, consent status checks, and erasure workflows built in, not bolted on.

CXO Action Layer

Board-Level The Board must approve an explicit DPDP compliance policy before the November 2026 Consent Management enforcement date. This is a fiduciary initiative, not just Legal or IT. Boards should ask: “What is our current Consent Debt, and what is the remediation plan?” The Board should establish a standing DPDP compliance metric (consent coverage, DPA execution, breach notification readiness) as a recurring agenda item.

Procurement Reality Every technology vendor contract must be assessed against DPDP DPA requirements before May 2027. Priority tiers: Cloud/Infrastructure providers, Credit Bureau/AA Framework Connectors, Fraud and AML platforms, Marketing Automation Vendors, Collections Agencies. Consent Manager selection is a long-term procurement decision — evaluate on audit trail retention, cross-platform compatibility, and rights-request handling at scale, not price.

Architecture Implication Build consent status as a first-class field in every data pipeline, queryable at the record level with purpose, timestamp, and withdrawal history. Design for data erasure at architecture level — erasure requests must cascade through core banking, CRM, fraud platforms, and analytics. Build a 72-hour breach notification workflow distinct from existing RBI cybersecurity reporting timelines.

FinSaAIstra Law: A bank’s consent architecture is its compliance posture under the DPDP Act, and most banks built theirs for conversions, not for rights.