Indian PDP Bill’s Impact on Lending

As laws to protect personal data are debated, rejected, and adopted across the globe, individuals are becoming aware of their data rights. Privacy of data has become a source of company competitiveness with consumers seeking to engage with organizations that give them a semblance of control over their data. If that wasn’t enough, India is set to pass a regulation governing personal data this year.

The context for compliance

Inferring from the soon to be passed Personal Data Protection Bill 2019, lending is an area that is bound to be hit by a combination of compliance clauses. Data is central to the lending operation. Lenders collect, process and analyze a host of customer data throughout the lifecycle of a loan. This helps the loan granting entity to gauge risk and offer personalized services adapted to the individual’s needs.

To remain compliant these data fiduciaries must ensure they understand the compliance norms and the rights of the data principals. This blog explores the data rights that translate into areas of compliance across the lending process.

The primary rights which affect compliance for lenders are explained below:


These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, here is my take on the PDP’s impact on compliance:

  1. KYC process

The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required for this are (a) Identity proof and (b) Address proof. This is already a consent-based process.

The clauses that have some bearing on this step are:

  • Storage Limitation: after the loan has been repaid, the data principal can request the erasure of all the KYC data.
  • Data Portability: with eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal.

2. Credit Underwriting

A number of data sources are inspected as a part of the credit underwriting process. These can be divided into:

a. Public sources

This includes news articles about a customer, public social media profiles etc. Since this category of personal data is public, lenders do not have to worry about non-compliance.

b. Private sources

There are a number of private sources that can be scraped for credit underwriting. Here we discuss a few of them that bring up the concern of compliance.

i. SMS reading

This considerably new method of credit assessment would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties associated with the SMS exchange.

ii. Bank login based pull

To evaluate a person’s financial history, lenders perform a bank login based pull. Apart from the fact that explicit consent is required to access this data source, the question here is whether this would be a breach of the data fiduciary’s (bank) trust and if consent would be required from them as well.

iii. Email login based pull

Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Till now explicit permission was usually sought for this to follow through, but not always. With the bill in place, email login based scaping would need to be 100% consent-based.

3. Credit Bureau Access

To ensure effective debt management, lenders share a customer’s personal data with credit bureaus and other third parties when servicing a loan. The transactions, details of the companies involved and justification for the data transfer must be explained to customers. Although credit scoring is a “reasonable purpose exception” in the bill which allows personal data to be processed without consent, it is not certain if it grants an exception from the right to data erasure. The storage of personally identifiable information (PII), implies that a data principal can request it be completely erased.

4. Non-traditional types of data

Bureau companies were previously mandated by the Credit Information Companies (Regulation) Act (CIC Act), which doesn’t allow credit bureaus to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the credit bureaus. This included default history, size of defaults and repayment time of loans. With an increasing number of data sources, it is yet to be determined if alternative sources are allowed under the new bill. And, how compliance norms would apply to their processing. Potentially, such sources could be:

a. Google Places/ Yelp

b. Payment processors

c. E-commerce platforms

d. Shippers

Privacy by design

The bill mandates that every data fiduciary build a robust privacy system for storing and processing of personal data. A data protection system should be implemented from the outset. This “Privacy by Design” policy is a mandatory requirement and must be certified by the Data Protection Authority. The policy is to be published on the organization and the authority’s website.


Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintechs and banks to start prepping for these compliance measures.

Dissent from lenders

The bill in its current form recognizes all forms of personal financial data as ‘sensitive personal data’. This definition of sensitive personal data in the bill is restrictive and brings up concerns for lenders. The Digital Lenders Association of India (DLAI) had submitted recommendations to reduce potential restrictions that the bill enforces. To make the lending process less prone to frauds, lenders need to access aspects of consumer data. This includes credit history, financial position and some alternative data of customers. With the current bill in place, this would become tedious. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.


The banking and fintech industry needs a clear compliance checklist. There is a dearth of understanding when it comes to how the current bill will affect compliance for data-centric processes like lending. This is because specific norms have not been released for the fintech space yet. The RBI and the government will need to come up with guidelines for the sector to ensure that function and compliance are not at odds.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit for more information about us.

You can reach out to our team at

Written By:


Written by an insightful Signzian intent on learning and sharing knowledge.