DPDPA Meets RBI's Data Localization: How Indian Fintechs Must Reconcile Two Conflicting Regulatory Regimes
Indian fintechs are being squeezed from two directions at once. On one side, the Reserve Bank of India has been issuing data localisation requirements for years, mandating that certain categories of payment data be stored exclusively within India. On the other, the Digital Personal Data Protection Act, 2023 (DPDPA) has arrived with its own framework governing cross-border data transfers, which takes a different approach to where personal data can go and under what conditions.
These two frameworks were developed independently. They do not contradict each other in every respect. But where they diverge, fintechs must navigate the tension carefully. Getting this wrong means non-compliance with one regulator, the other, or both. And in a sector where regulatory standing is a prerequisite for operating, that is not a risk that can be managed with vague compliance intentions.
RBI's Data Localization Requirements
The RBI’s data localisation mandate stems from its April 2018 circular on Storage of Payment System Data, which was clarified by a set of FAQs in June 2019 and has been reinforced through subsequent circulars. The core requirement is that all data related to payment systems must be stored only in systems located in India. This applies to payment aggregators, payment gateways, card networks operating in India, and other regulated payment system operators, and the RBI extends it to the third-party vendors and intermediaries those operators use.
The payment data that must be localised under RBI’s framework includes end-to-end transaction details, payment source information, payment destination information, payment query information, and payment supplementary information. This is a broad definition that captures most of the data that flows through a payment transaction.
The RBI has also ruled out mirroring this data abroad, even if the primary copy is maintained in India. Where processing has to happen outside India, the RBI’s FAQs require that the data be deleted from the foreign systems and brought back to India within one business day or 24 hours of processing, whichever is earlier. For many Indian fintechs that use global cloud infrastructure or have international parent companies that need access to transaction data, this creates genuine operational challenges.
The DPDPA's Cross-Border Transfer Framework
The DPDPA takes a different and more permissive approach to cross-border data transfers, at least at the framework level. Section 16(1) of the Act allows a Data Fiduciary to transfer personal data for processing to any country or territory outside India, except those the central government restricts by notification.
This is a negative-list approach rather than a whitelist: transfers are permitted by default, and the government will notify the countries to which they are not. No such restriction had been notified at the time of writing. Either way, the framework is more flexible than the RBI’s blanket localisation requirement for payment data.
The DPDPA also contains specific exemptions for certain categories of Data Fiduciaries and processing activities. Fintechs need to understand whether any exemptions apply to their specific operations and to what extent these exemptions interact with their RBI obligations.
Where the Two Regimes Diverge
The most significant tension arises in scenarios where a fintech wants to transfer data that falls under both the DPDPA’s cross-border transfer provisions and the RBI’s localization requirement.
Consider a fintech that processes payments for Indian customers but has its fraud detection systems hosted by a global vendor operating in a third country. Under the DPDPA, the transfer is permitted unless that country has been notified as restricted under Section 16. Under the RBI’s framework, the payment data involved in those transactions must remain in India. The two requirements point in different directions.
Another tension arises in the context of international remittances and cross-border payment products. Fintechs that process international payments must transmit transaction data across borders as part of the payment process itself. The RBI’s FAQs allow the foreign leg of a cross-border transaction to be stored abroad while the domestic leg stays in India, but the precise scope of that exception and how it interacts with the DPDPA’s transfer framework requires careful legal analysis.
The key principle that emerges from reading both frameworks together is that the RBI’s localisation requirement establishes a floor that cannot be lowered by the DPDPA’s more permissive transfer provisions. The Act says so itself: Section 16(2) preserves any law in force that provides a higher degree of protection or restriction on transfer. Where the RBI requires data to stay in India, it stays in India, regardless of what the DPDPA permits. The DPDPA’s transfer framework governs only the data that is not captured by a more restrictive sectoral requirement.
The Aadhaar and KYC Dimension
Indian fintechs that use Aadhaar-based eKYC for customer onboarding face an additional layer of regulatory complexity. Aadhaar authentication data is subject to the Aadhaar Act, 2016, and the regulations issued by the UIDAI, which impose their own data handling requirements. The intersection of Aadhaar regulations, RBI’s KYC master directions, and the DPDPA creates a three-way compliance matrix that most fintechs have not yet fully mapped.
The DPDPA does not carve out a separate category of sensitive personal data; that distinction comes from the SPDI Rules of 2011 under the IT Act, which treat financial information and identity details as sensitive. Under the DPDPA, KYC data is simply personal data, and the Act’s consent requirements, retention and erasure obligations, and security obligations all apply to it. But so do the RBI’s KYC master directions, which specify their own requirements for how customer identification data must be collected, verified, stored, and updated.
Fintechs must build compliance frameworks that satisfy all applicable requirements simultaneously. This requires a methodical approach to identifying which regulatory requirement is most restrictive for each category of data and building processes that meet the highest applicable standard.
The Operational Implications for Fintech Infrastructure
The practical implications of reconciling DPDPA and RBI requirements are significant for fintech infrastructure decisions. Cloud vendor selection, data architecture, and third-party integration decisions all need to be made with both frameworks in mind.
For cloud infrastructure, fintechs need to ensure that data subject to RBI localisation is stored in India-based cloud regions and that their cloud architecture allows them to control data residency at a granular level. Watch the features that copy data silently: cross-region backups, multi-region replication, and vendor-side logging or telemetry can create a foreign copy that the RBI treats as a mirror. This may mean choosing cloud vendors with a strong India presence and data residency controls, and it may require re-architecting existing infrastructure that was built before these requirements were fully understood.
For third-party integrations, fintechs need to conduct careful due diligence on where their vendors and partners store and process data. A payment aggregator that uses a third-party risk engine hosted abroad may violate the RBI’s localization requirement even if the primary transaction processing happens in India.
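The residency check the two preceding paragraphs describe can be expressed as a policy over an inventory of data stores. The script below is an added example, not ComplyPlanet’s tooling or anything from the regulators: it classifies each store by the most restrictive regime that applies (the RBI floor for payment data, the DPDPA negative list for personal data), treats replicas as mirrors, and flags stores whose primary or replica location breaks the applicable rule. The inventory, the region-to-country map and the choice of AWS Mumbai and Hyderabad as the India regions are constructed assumptions for the example.

```python
"""Data-residency policy check across the RBI localisation floor and DPDPA s.16.

Added example: the inventory and region map below are constructed, and the
regime rules are the simplified versions described in the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the India cloud regions in use are AWS Mumbai and Hyderabad.
INDIA_REGIONS = frozenset({"ap-south-1", "ap-south-2"})

# Assumption: region -> ISO country code for the constructed inventory.
REGION_COUNTRY = {
    "ap-south-1": "IN", "ap-south-2": "IN",
    "ap-southeast-1": "SG", "eu-west-1": "IE", "us-east-1": "US",
}

# Countries restricted by notification under DPDPA s.16. None had been
# notified at the time of writing, so the default is empty; the checks take
# it as a parameter so it can be updated the day a notification lands.
DPDPA_RESTRICTED_COUNTRIES: frozenset[str] = frozenset()


@dataclass
class DataStore:
    name: str
    region: str                                       # primary region
    categories: set[str]                              # subset of {"payment", "personal"}
    replicas: set[str] = field(default_factory=set)   # regions holding copies or mirrors


def residency_rule(categories: set[str]) -> str:
    """Return the most restrictive rule that applies to a data set (the 'floor')."""
    if "payment" in categories:
        return "india-only"       # RBI: stored only in India, no mirror abroad
    if "personal" in categories:
        return "not-restricted"   # DPDPA s.16: anywhere not on the restricted list
    return "unrestricted"


def check_store(store: DataStore,
                restricted: frozenset[str] = DPDPA_RESTRICTED_COUNTRIES) -> list[str]:
    """Return a list of findings (empty means the store is compliant)."""
    findings: list[str] = []
    locations = {store.region} | store.replicas       # replicas count as copies
    rule = residency_rule(store.categories)

    # RBI floor: every copy of payment data must sit in an India region.
    foreign = sorted(r for r in locations if r not in INDIA_REGIONS)
    if rule == "india-only" and foreign:
        findings.append(f"RBI: {store.name} holds payment data outside India in {foreign}")

    # DPDPA s.16: personal data may not go to a notified restricted country.
    if "personal" in store.categories:
        unknown = sorted(r for r in locations if r not in REGION_COUNTRY)
        if unknown:
            findings.append(f"DPDPA: {store.name} has copies in unmapped regions {unknown}")
        blocked = sorted(r for r in locations
                         if REGION_COUNTRY.get(r) in restricted)
        if blocked:
            findings.append(f"DPDPA: {store.name} holds personal data in restricted "
                            f"jurisdiction(s) {blocked}")
    return findings


def check_inventory(stores: list[DataStore],
                    restricted: frozenset[str] = DPDPA_RESTRICTED_COUNTRIES) -> dict[str, list[str]]:
    return {s.name: check_store(s, restricted) for s in stores}


# Constructed inventory illustrating the cases the article raises.
INVENTORY = [
    DataStore("txn-ledger", "ap-south-1", {"payment", "personal"}),
    # Disaster-recovery mirror in Singapore: primary is in India, copy is not.
    DataStore("txn-ledger-dr", "ap-south-1", {"payment", "personal"},
              replicas={"ap-southeast-1"}),
    # Vendor-hosted fraud engine abroad that receives transaction data.
    DataStore("fraud-features", "us-east-1", {"payment"}),
    # Marketing CRM abroad holding personal data only: DPDPA governs, not RBI.
    DataStore("marketing-crm", "eu-west-1", {"personal"}),
]

if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

Running it with the default (empty) restricted list flags only the two RBI findings: the DR mirror in Singapore and the fraud engine in the US. Re-running with a hypothetical restricted list that includes "IE" additionally flags the marketing CRM, while the ledger with both payment and personal data remains governed by the stricter India-only rule regardless of that list.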
Why ComplyPlanet
ComplyPlanet works with Indian fintechs to build compliance frameworks that address DPDPA obligations, RBI data localisation requirements, and the interaction between them in a coordinated and practical way.
We help you conduct a regulatory mapping exercise that identifies every category of data you process, the applicable regulatory requirements for each category, and the highest standard that must be met across all applicable frameworks. We then help you build data architecture, vendor management, and operational processes that meet these requirements consistently.
We also help you implement ISO 27001 controls that provide a governance framework strong enough to satisfy the security requirements of both the DPDPA and the RBI’s operational guidelines, and we prepare you for the periodic audits and regulatory examinations that regulated fintechs face.
Conclusion
Two regulators, two frameworks, one dataset. Indian fintechs that try to satisfy these requirements separately will find themselves caught between them. The only approach that works is a unified compliance framework that maps every data category against every applicable requirement and builds processes that satisfy the most demanding standard that applies. The DPDPA and the RBI are not going away. The fintechs that build compliance infrastructure capable of handling both will be the ones that scale without regulatory interruption.
ComplyPlanet can help your fintech navigate the intersection of DPDPA and RBI compliance. Talk to us today.
ComplyPlanet – Your Compliance Backbone