As the Digital Personal Data Protection (DPDP) Act nears full implementation, the industry is pushing back on a few key clauses in the Act. Two people familiar with the discussions said the Fintech Association for Consumer Empowerment (FACE), a Reserve Bank of India (RBI)-recognized self-regulatory organization, has, along with some member firms, made multiple representations to the Ministry of Electronics and Information Technology (MeitY) seeking an exemption under Section 17 of the Act.

According to the first person cited above, the industry is seeking relief to let the lenders continue accessing and using specified borrower data for the entire duration of a live loan, even if the borrower tries to withdraw consent mid-tenure. The person is a policy expert consulting for fintech firms.

According to the person, the industry’s case rests on how digital lenders manage credit risk after disbursal, especially for early-warning systems that flag repayment stress before a default happens.

The two people familiar with the matter said the representations seek non-revocable consent for two stages of lending: underwriting and post-disbursal monitoring. They said this would include recurring access to signals such as bank transaction alerts and statement data, either via the RBI-regulated Account Aggregator (AA) system or through permissions routed through the lender’s own app on the borrower’s phone.

In effect, the request seeks to treat such monitoring as a “mandatory” part of servicing a regulated loan contract, rather than an optional layer that a user can switch off.

However, lawyers who advise fintech lenders caution that the industry body's ask for exemptions may not fly.

Lawyers that Mint spoke with said lenders already have independent legal grounds under existing sectoral obligations and the DPDP Act’s exemptions to process borrower data for core loan functions such as underwriting, servicing, repayment tracking and recovery, especially once an account turns delinquent. For other uses, such as early-warning analytics and predicting a borrower’s propensity to pay, a consent that is withdrawable would be required, they said.

Emails sent to FACE and MeitY on 2 January did not elicit a response until press time.

At the heart of the issue is consent itself. Under the DPDP Act, consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”, and a user has the right to withdraw it “at any time”, with the ease of doing so “comparable to the ease with which such consent was given”.

That principle sits uneasily with digital lending models that rely on continuous data flows that go beyond approving loans.

The data trail can be used beyond the first loan decision, including for refining underwriting models over time and pitching repeat loans or other financial products through marketing messages, emails and push notifications.

Sugandh Saxena, chief executive officer of FACE, said many fintech platforms rely on a wide set of alternative data inputs, not just to assess creditworthiness, but also for fraud checks and tailoring loan offers. “When lenders start sourcing a customer, device-intelligence signals also come into play such as metadata and behavioral biometrics that feed into models to gauge whether the applicant looks legitimate,” Saxena said.

The member roster of FACE includes firms such as KreditBee, CASHe, LoanTap, Kissht, CRED, Navi, Paytm and MobiKwik.

CRED, for instance, asks users at onboarding for permission to read their Gmail inbox—including emails and attachments—to check credit card bills and outstanding balances. Users can later withdraw that access from Google’s own permissions dashboard, independent of the app.

Lawyers and industry observers Mint spoke with, however, say that in lending, the harder question arises once consent is tied to an active loan contract, and whether a borrower can switch off some categories of data processing mid-tenure under the DPDP Act.

Naqeeb Ahmed Kazia, partner at CMS IndusLaw, said the DPDP Act’s consent-withdrawal right is not absolute in tightly-regulated sectors such as non-banking financial company (NBFC)-led lending. Sectoral rules can require regulated entities to retain borrower records for longer periods, meaning a later request to withdraw consent may not translate into deletion or an immediate halt to all processing.

“If there’s a law which sort of requires retention of data for a longer period, then that law will supersede (user consent),” Kazia said.

In sectors overseen by regulators such as RBI, and, for insurers, the Insurance Regulatory and Development Authority of India (Irdai), entities often have independent obligations to retain and process records for audits, regulatory reporting and loan documentation, even if the customer later seeks to withdraw consent.

In most lending journeys, bank-transaction data enters underwriting in one of two ways: borrowers upload statements manually, or lenders fetch them via the RBI-regulated account aggregator (AA) framework that enables consent-based sharing of financial information between regulated entities.

Because the account aggregator system is regulated financial infrastructure, the access is largely limited to banks, NBFCs and similar entities, not unregulated intermediaries.

Krishna Prasad, founder of OneMoney, said AA has digitized what was earlier a manual process. “That is now being replaced by a fully-digital process, where the user’s journey during the loan application transfers to OneMoney… and once the user provides consent, it becomes a consent artefact. OneMoney will then present this signed consent artefact to the bank in an encrypted format,” Prasad said.

Tejinder Pal Singh, chief executive of CAMSFinserv, an RBI-licensed Account Aggregator, said India now has about 17 operational AAs, covering data from roughly 240 crore accounts. The system processes about two crore consents a month, resulting in roughly 40 crore monthly data deliveries.

Yet, many fintech lending journeys historically relied on direct access to a borrower’s phone—transaction SMSes and device-level signals—permissions that RBI’s digital lending guidelines explicitly sought to curb.

The person quoted earlier said RBI has drawn clear red lines. “RBI… has told digital lenders they can’t look into the photographs on your phone… and you can’t contact other people on the contact list… because those were egregious behaviours… so the RBI blocked it,” the person added.

Where consent is used for non-essential purposes such as marketing, the source said, users must be allowed to withdraw it. “You have to stop doing it.”

The sharper point of contention is what happens after loan disbursal, when some lenders attempt to keep monitoring borrowers for early-warning signals.

Within the AA ecosystem, periodic pulls of bank balances or statements can be built into recurring consent artefacts, though AA guidelines impose strict “fair use” limits.

Vamsi Madhav, CEO of Finvu AA, said lenders increasingly request post-loan data to “monitor the deposit account once they make a loan”. Some are experimenting with narrower monitoring. “A third use case that has emerged is lenders proactively ask consumers for their consent to monitor their balance, not transactions, but just the balance,” he said.

Outside the AA system, however, similar monitoring has often been attempted through continuous access to SMSes or device metadata—raising questions over whether borrowers can withdraw such consent mid-loan.

Saxena of FACE said that borrowers may not be able to withdraw every permission once a loan is underway, since some processing is tied to regulatory obligations.

“But…the industry will have to really distinguish between what is a mandatory regulated use case requirement… versus something…where they have option to withdraw the consent,” she said.

Lawyers caution that while underwriting, servicing and regulatory reporting may have independent legal grounds, post-disbursal monitoring may not. “Outside the permitted exceptions… everything else still has to be consent-based,” said the person quoted earlier.

Separately, Kazia noted that continuous access to phone storage was already restricted under RBI’s digital lending guidelines. As per the digital lending guidelines, a lender cannot continuously access phone memory or the phone storage data, he said.


Editorial Team

Senior Editor

James Chen

Specializes in India coverage
