Fintech / Data Sharing

Fintech Data Sharing Controls

CA Nikhil Gupta·June 2026·3 min readFintech / Data Sharing

A loan app may be the interface, but the regulated lender remains central to customer protection and accountability.

Quick View

Decision

Map every field and permission from borrower to lender, lending-service provider and downstream vendor.

First action

Identify regulated entity.

Core evidence

Lender-LSP agreement.

Main warning

Hidden lender identity.

Why It Matters

The final Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025 with phased commencement. As of 25 June 2026, organisations should distinguish provisions already commenced from operational duties scheduled for later dates, while continuing to comply with the IT Act, CERT-In directions and sectoral rules already in force.

RBI’s digital-lending framework requires need-based collection with explicit consent and audit trail, restrictions on mobile resources, privacy policy and grievance arrangements.

DPDP obligations should be layered onto, not substituted for, existing RBI rules.

Control Framework

AreaWhat to establishOperating rule
EntityRegulated lender and LSP roles.Disclose clearly.
CollectionNeed-based data and permission.Avoid contacts and media.
SharingRecipient, purpose and contract.Maintain audit trail.
ComplaintGrievance officer and RBI route.Track closure.

Action Checklist

  1. Identify regulated entity.
  2. Map app permissions.
  3. Review borrower consent screens.
  4. Control LSP access.
  5. Publish grievance details.
  6. Retain complaint and deletion evidence.

Practical Example

A loan app requests contacts, call logs and photo gallery even though the lender can underwrite using bank and bureau data.

Evidence to Keep

  • Lender-LSP agreement.
  • Data-flow map.
  • Permission screenshots.
  • Consent logs.
  • Privacy policy.
  • Grievance tickets.

Warning Signs

  • Hidden lender identity.
  • Contacts access.
  • Pre-ticked permissions.
  • Data stored by LSP after exit.
  • No complaint escalation.

Detailed Review

Privacy governance should connect the personal data, individual, purpose, collection point, system, owner, recipient, access role, retention trigger and incident dependency. A policy that cannot be traced to this chain is difficult to operate.

Create a dated legal matrix rather than one status label. Record the DPDP provision, commencement date, present readiness action, current IT or sectoral obligation and the evidence owner.

Design controls in the product and system. A written rule cannot stop an SDK from firing, a shared folder from exposing payroll, or a vendor from retaining deleted users unless technology and operations enforce it.

Evidence should be generated during normal work: versioned notices, event logs, access approvals, request tickets, deletion reports, vendor registers, incident chronologies and management decisions.

Use proportionate identity and security checks. Excess verification creates more personal data, while weak verification can expose another person’s records or permit account takeover.

Sectoral regulation continues independently of DPDP commencement. The operating process should satisfy both privacy and financial or identity-specific rules.

Customer-support scripts must never request passwords, PINs, OTPs or remote-control access.

Control Test

Test the control using a real user journey from collection to deletion. Capture the notice shown, data stored, vendors called, employees with access, retention period and response if the user withdraws or complains.

Run a negative scenario: the vendor is breached, the user is a child, the employee exits, the phone is stolen, the data was inaccurate or the regulator asks for proof. Record which control fails.

Check that system records and public wording agree. Product forms, privacy notice, CRM fields, SDK behaviour, vendor contracts and support scripts should describe the same processing.

Assign a named owner and internal deadline for every gap. A risk register without funded action and closure evidence becomes an archive of known failures.

Retain the rejected alternatives and decision basis. This is especially important where the law is in phased commencement or a proportionate technical method is selected.

Escalation Route

Start with the system owner, privacy or security owner and the documented data flow. Preserve records before making changes, and separate current statutory reporting from future DPDP readiness.

For a breach, financial fraud, rights dispute, children’s-data issue or regulated-sector event, involve qualified legal, cyber, forensic and sector specialists and use the applicable official reporting or grievance channel.

Management Review

Management should record the risk owner, affected data population, financial or operational impact, current legal duty, future DPDP milestone and funded remediation date. A privacy register without accountable closure is only a list of known gaps.

The control should be tested with evidence rather than self-certification. Use screen recordings, exported logs, access reports, deletion output, vendor responses, tabletop minutes or complaint acknowledgements to prove that the workflow operates as designed.

Where several laws apply, maintain one incident or request chronology but separate each legal trigger and deadline. CERT-In, RBI, UIDAI, IRDAI, police, contractual and DPDP processes should not be collapsed into one generic notification decision.

Frequently Asked Questions

Can loan apps access contacts?
RBI’s framework restricts access to mobile-phone resources and requires need-based collection.
Who owns the grievance?
The regulated entity remains accountable, with disclosed grievance arrangements.
Does app consent solve everything?
No. Purpose, necessity, security and sectoral rules also apply.
Where can unresolved complaints go?
Use the regulated entity’s process and the RBI Ombudsman route where eligible.