Fintech Privacy / Consent

Fintech Consent Architecture

CA Nikhil Gupta·June 2026·3 min readFintech Privacy / Consent

Design fintech consent around regulated-lender identity, lending-service-provider roles, need-based data, app permissions, sharing, retention and grievance evidence.

Borrowers should know who lends, who operates the interface and which party receives each data field.

Quick View

Decision

Map the entire borrower journey from lead capture through underwriting, servicing, collections, closure and deletion.

First action

Map lender and LSP roles.

Core evidence

Lender-LSP agreement.

Main warning

Hidden lender identity.

Why It Matters

The Digital Personal Data Protection Act, 2023 and the final Rules notified in November 2025 follow phased commencement. As of 25 June 2026, organisations should separate duties already operative from consent, grievance, rights, children, Significant Data Fiduciary and other operational provisions scheduled for later commencement, while continuing to comply with the IT Act, CERT-In directions and sector-specific rules already in force.

RBI’s digital-lending framework already requires need-based data collection, explicit borrower consent, audit trails, restrictions on mobile resources, privacy policy and grievance arrangements.

DPDP consent and processor duties should be layered onto that sector framework as the relevant provisions commence.

Control Framework

AreaWhat to establishOperating rule
EntityRegulated lender, LSP and other vendors.Disclose roles.
CollectionField, permission and underwriting need.Avoid excessive access.
SharingRecipient and purpose.Log each transfer.
LifecycleServicing, recovery, closure and deletion.Define ownership.

Action Checklist

  1. Map lender and LSP roles.
  2. Review every app permission.
  3. Separate credit-consent and marketing choices.
  4. Record third-party disclosures.
  5. Test closure and deletion.
  6. Publish grievance and lender contacts.

Practical Example

A platform displays its own brand prominently but hides the regulated lender until after the borrower submits PAN, bank statements and device data.

Evidence to Keep

  • Lender-LSP agreement.
  • Borrower journey screenshots.
  • Permission and consent logs.
  • Data-flow map.
  • Privacy policy.
  • Grievance and deletion records.

Warning Signs

  • Hidden lender identity.
  • Contacts and call-log access.
  • One consent for unrelated products.
  • LSP retains data after closure.
  • No auditable sharing record.

Detailed Review

A reliable control should connect the individual, data field, purpose, notice or sector disclosure, system, employee access, vendor access, retention rule and closure evidence. A policy statement that cannot be traced through this chain is difficult to operate.

Maintain a legal-timing matrix. Record the DPDP provision, phased commencement status, current IT Act or sectoral duty, business owner, system dependency and implementation deadline. Avoid one blanket label such as compliant or not compliant.

Build controls into technology and workflow. A written instruction cannot stop an SDK from collecting contacts, a campaign tool from re-importing suppressed users or an agent from downloading medical records unless the system enforces the decision.

Use proportionate verification. Weak checks can expose another person’s information; excessive checks create more Aadhaar, health, payroll or bank data that must be protected and deleted later.

Generate evidence during ordinary operations: versioned screens, event logs, access approvals, vendor tickets, complaint chronology, deletion reports, test recordings and management decisions.

Map the regulated entity, platform, lending-service provider, recovery agent and technology vendors separately. Borrower-facing branding should not obscure accountability.

Customer-support and collections processes should prohibit requests for passwords, PINs, OTPs and remote-control access, and should preserve complaint and permission evidence.

Control Test

Select one real user or transaction journey and trace it from collection through sharing, access, retention, withdrawal, complaint or closure. Capture the evidence at each stage.

Test the control on production-like systems rather than screenshots alone. Review network traffic, event logs, suppression status, vendor responses, role access and deletion output.

Run an adverse scenario: the vendor is breached, the user is a child, the borrower alleges harassment, the employee leaves or the app permission is revoked. Record the response and gaps.

Compare public wording with actual behaviour. Product forms, call scripts, privacy notices, contracts, SDKs and support tools should tell the same story.

Assign a named owner, funded action and closure date to each gap. Retain the reason when management accepts residual risk or chooses a less intrusive alternative.

Escalation Route

Start with the privacy, security, product or regulated-business owner and preserve system evidence before changing configuration or deleting records. Separate current sector and CERT-In obligations from future DPDP readiness.

For serious complaints, children’s data, financial harassment, medical exposure or suspected cybercrime, involve qualified legal, privacy, cyber, banking, insurance or healthcare specialists and use the applicable official channel.

Frequently Asked Questions

Who is accountable to the borrower?
The regulated entity remains responsible under RBI’s framework, with clear LSP roles.
Can an app access contacts?
RBI’s digital-lending rules restrict mobile-resource access and require need-based collection.
Does one consent cover every lender?
Each purpose and recipient should be transparent and specific.
What should happen after loan closure?
Apply lawful retention, restricted access and documented deletion of unnecessary copies.