The current framework presents a regulatory paradox in which two regulations with looming ambiguities pose an operational threat to the Fintech sector as a whole.
This article is one of the winning entries (Ranked 1st) of Lexathon organised by NLU, Odisha, a technology law conclave on AI, data protection, and innovation which took place in April, 2026.
Introduction
“Contextual integrity is the appropriate benchmark of privacy.”[1]
— Helen Nissenbaum
2016 witnessed a legislative revolution in India’s fintech landscape, with the Reserve Bank of India (RBI) conceptualising the Reserve Bank of India (Non-Banking Financial Companies – Account Aggregator) Directions, 2025[2] (AA Directions), which went on to become a forerunner among global data protection regimes. Built on a foundation of data empowerment rather than data protection, the framework set out to disrupt the traditional power dynamics of the financial sector by placing individuals at the focal point of consent-based data sharing instead of treating them as passive data subjects.
The regulation casts Account Aggregators, a class of non-banking financial companies (NBFCs), as “blind conduits” that carry encrypted data from financial information providers (banks, mutual funds and insurers) to financial information users (wealth management systems, fintech platforms), acting solely on the user’s consent. This semi-automated approach embeds consent and data minimisation within the technical system, making compliance structural rather than discretionary.[3] By December 2025, a cumulative 252.88 million users had been onboarded onto the AA ecosystem.[4] Furthermore, India’s Data Empowerment and Protection Architecture (DEPA), which encompasses the AA framework, gained international recognition when the G20 endorsed it, and the AA framework in particular, as a leading model of data governance for developing economies.[5]
In parallel, another crucial enactment, the Digital Personal Data Protection Act, 2023 (DPDP Act), “seeks to lay the foundation for developing a strong privacy regime in the country”.[6] Two years later, in January, the Indian Government released the Digital Personal Data Protection Rules, 2025 (DPDP Rules) for public consultation, and according to the Ministry of Electronics and Information Technology (MeitY) circular, the provisions on Consent Managers (CMs) are expected to be operational by November 2026.[7] Rule 4 requires entities registered with the Data Protection Board (DPB) to enable individuals to “give, manage, review and withdraw consent” for the processing of their personal data in the digital sphere.
This creates a discord between AAs, which manage consent for financial data under RBI guidelines, and CMs, which manage consent for all personal data under the purview of the DPB, thereby aggravating the inconsistency. The implications are severe for fintech firms operating at the confluence of these frameworks: the regulatory inconsistencies translate into higher compliance costs and cast a shadow over any business strategy such a firm might wish to pursue. Several questions arise in the process.
Must existing AAs register separately as CMs and subject themselves to multiple regulatory oversight mechanisms at once? When consent-related violations occur, does the RBI or the DPB exercise jurisdiction?
These questions are not hypothetical; they pose a live issue that requires an immediate solution. While both frameworks aim to empower individuals and to place user consent at the helm of data governance, the existing discord undermines the very idea they seek to enforce. This analysis aims to resolve these issues by proposing an approach that harmonises the two regimes without disregarding either legislation’s objectives.
Problem statement
The current framework presents a regulatory paradox in which two regulations with looming ambiguities pose an operational threat to the Fintech sector as a whole. Left unamended, these frameworks will breed inefficiency and encroach upon the sanctity of the data protection regime, contrary to Article 14 of the Constitution, which demands clarity and non-arbitrariness[8] in State action. What is needed is a harmonised approach that avoids jurisdictional overlap and regulatory arbitrariness and draws a clear boundary between the RBI and the DPB, in the light of a newly consolidated consent management system to be integrated within Fintech bodies in particular.
On the one hand, the aforementioned regulatory bodies may choose to enforce their standards independently: the RBI via Section 45-JA of the Reserve Bank of India Act, 1934 (RBI Act) and the DPB via Section 33 of the DPDP Act. However, because the two regimes overlap and lack coherence, there is no intelligible differentia underpinning State action under either Act, which calls for a coordinated approach that prevents confusion and arbitrary action.
Critical analysis
Although Account Aggregators operate under RBI oversight, their functions align with those set out in Rule 4 of the DPDP Rules. That rule requires any data fiduciary that lets users grant, review, revoke or modify permissions for data sharing to register as a CM, and aggregators perform exactly these actions, particularly for financial records.[9] It is therefore unclear whether additional approval from the DPB is necessary, leaving room for ambiguity and potentially significant overlaps in oversight unless further clarification is provided. This may lead to higher compliance costs and differing capital requirements for fintech companies. Without clear guidance on coordination among authorities, organisations risk performing the same tasks under separate regulations, leaving the ambiguity unresolved.
Another issue is technical clarity. Within the AA framework, Reserve Bank Information Technology (ReBIT)[10] lays down exact technical requirements, such as Application Programming Interface (API) designs, formats for consent records, and methods for securing data, and these rules apply consistently across banking institutions. The DPDP Rules, on the other hand, instruct CMs to support “interoperable platforms” yet give no system-level requirements and do not say whether existing AA norms would satisfy them. As a result, it remains unclear whether Fintech companies must adopt new architectures to handle personal information unrelated to finance, or whether their existing setup already aligns with regulatory intent. Uncertainty of this kind affects how processes are managed.
Third, there is jurisdictional overlap. The RBI regulates AAs for financial stability and inclusion under the RBI Act. The DPB regulates CMs under the DPDP Act to protect personal data and enforce privacy rights. If an AA’s activities trigger obligations under both frameworks, it is unclear which regulator has primary authority. The result is potential parallel enforcement, duplicative penalties, and uncertainty for regulated entities.
Constitutional perspective
The dual framework raises constitutional concerns under three fundamental rights provisions. Article 14’s equality guarantee prohibits arbitrary State action and requires legislative classifications to satisfy two tests: (1) an intelligible differentia distinguishing the persons or things classified from those left out, and (2) a rational nexus between the differentia and the legislative object. In Modern Dental College & Research Centre v. State of M.P.[11], the Supreme Court held that regulatory burdens must be proportional to legislative objectives and cannot be excessive.
Article 19(1)(g) guarantees the right to practise any profession or to carry on any trade or business, subject to reasonable restrictions under Article 19(6). In Papnasam Labour Union v. Madura Coats Ltd.[12] the court held that restrictions must not be arbitrary or excessive, nor go beyond the requirements of public interest. Dual registration requirements, with their rising compliance costs and obligations, constitute unreasonable restrictions that are highly disproportionate.
Article 21’s right to life and personal liberty, interpreted in K.S. Puttaswamy (Privacy-9J.) v. Union of India[13] to include informational privacy, requires any data governance regime to satisfy a four-part test: (1) legitimate aim, (2) legality of the measure, (3) proportionality, and (4) procedural guarantees. While both frameworks serve the legitimate aim of data protection, the question of procedural guarantees is left unanswered owing to the present ambiguities, leaving either regulation open to constitutional challenge.
The Account Aggregator (AA) framework
Section 45-JA of the RBI Act, 1934 allows the Reserve Bank to probe into NBFCs “in the interest of depositors” to ensure transparency and protection, and the Bank further exercises authority over NBFCs through the AA Directions, issued in accordance with Section 45-K, which treats NBFCs as a distinct category, one that includes fintech companies, over which the Bank may adjudicate. Chapter I, Para F(4)[14] defines the “business of an account aggregator” as providing services to retrieve or “collecting such financial information pertaining to its customer, as may be specified by the Reserve Bank from time to time” and to consolidate and present such information, provided that “the financial information pertaining to the customer shall not be the property of the Account Aggregator, and not be used in any other manner”.
Further, under Chapter III-B, Clause 17[15], whenever a customer’s financial information is to be shared, the following details shall be attached to the consent artefact:
“(1) identity of the customer and optional contact information; (2) the nature of the financial information requested; (3) purpose of collecting such information; (4) the identity of the recipients of the information, if any; (5) uniform resource locator (URL) or other address to which notification needs to be sent every time the consent artefact is used to access information; (6) consent creation date, expiry date, identity and signature/digital signature of the NBFC-AA; and (7) any other attribute as may be prescribed by the Reserve Bank.”
Chapter III-A, Clause 14(7)[16] prohibits an AA from storing any financial information of a customer: the AA may only transmit the data, without reading it, and may not retain it, since the framework is “designed to be data blind”.[17] Once consent on the platform expires, the data flow stops. Furthermore, Chapter III-B, Clause 21[18] requires every consent artefact to be “logged, audited, verified” so that a traceable record of each information transfer is kept.
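The following is an added illustration, not code from the article or from any AA or ReBIT implementation, of how the rules just described fit together: the seven mandatory attributes of a consent artefact (Clause 17), refusal of data flow once consent expires or is withdrawn (Clause 14(7)), a data-blind relay that forwards ciphertext without reading or retaining it, and an audit trail for every use (Clause 21). Field names, timestamps, the sample values and the in-memory audit log are assumptions made for the example; ReBIT’s actual API schema is not reproduced.

```python
"""Model of an RBI Account Aggregator consent artefact and its data-blind relay.
Added example, not the article's or any AA/ReBIT code; field names, timestamps
and the in-memory audit log are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The attributes Chapter III-B Clause 17 requires in every consent artefact.
REQUIRED_FIELDS = (
    "customer_id",       # identity of the customer
    "financial_info",    # nature of the financial information requested
    "purpose",           # purpose of collecting it
    "recipient",         # identity of the recipient (the FIU)
    "notification_url",  # address notified each time the artefact is used
    "created_at",        # consent creation date (ISO 8601)
    "expires_at",        # consent expiry date (ISO 8601)
    "aa_signature",      # digital signature of the NBFC-AA
)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


class ConsentError(ValueError):
    """Raised when an artefact is malformed or may not be used."""


@dataclass
class ConsentArtefact:
    data: dict
    audit_log: list = field(default_factory=list)  # "logged, audited, verified"

    def __post_init__(self) -> None:
        missing = [f for f in REQUIRED_FIELDS if not self.data.get(f)]
        if missing:
            raise ConsentError(f"consent artefact missing {missing}")
        if parse_ts(self.data["expires_at"]) <= parse_ts(self.data["created_at"]):
            raise ConsentError("expiry must be after creation")

    def is_active(self, now: datetime) -> bool:
        """Usable only inside the consent window and until withdrawn."""
        created = parse_ts(self.data["created_at"])
        expires = parse_ts(self.data["expires_at"])
        return not self.data.get("revoked") and created <= now < expires

    def revoke(self, now: datetime) -> None:
        """Withdrawal by the customer: later relays must be refused."""
        self.data["revoked"] = True
        self.audit_log.append({"event": "revoked", "at": now.isoformat()})

    def relay(self, ciphertext: bytes, now: datetime) -> bytes:
        """Data-blind pass-through: forward the FIP's ciphertext unchanged,
        never decrypt or retain it, and refuse once consent has lapsed.
        Each use is recorded so the transfer remains traceable."""
        if not self.is_active(now):
            self.audit_log.append({"event": "refused", "at": now.isoformat()})
            raise ConsentError("consent expired or withdrawn; data flow stopped")
        self.audit_log.append({"event": "used", "at": now.isoformat(),
                               "notify": self.data["notification_url"],
                               "bytes": len(ciphertext)})
        return ciphertext  # relayed as-is; nothing is kept


def sample_artefact() -> ConsentArtefact:
    """Constructed sample values, not a real customer, FIU or AA."""
    return ConsentArtefact({
        "customer_id": "cust-0001", "financial_info": "bank deposits",
        "purpose": "loan underwriting", "recipient": "fiu-example-lender",
        "notification_url": "https://fiu.example/notify",
        "created_at": "2026-03-01T00:00:00+00:00",
        "expires_at": "2026-03-31T00:00:00+00:00", "aa_signature": "sig-placeholder",
    })
```

A real AA would also verify `aa_signature` and POST to `notification_url` on each use; both are left out here to keep the example offline.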
The Consent Manager framework
The DPDP regime takes a nuanced approach to consent management. While Section 6 of the Act requires consent to be “free, specific, unconditional and unambiguous”, Rule 4 of the DPDP Rules operationalises this by enabling CMs, as key players, to help users give, manage, review and withdraw their consent with respect to any personal data provided to a data fiduciary. In consonance, Part B of Schedule I imposes certain obligations; Item 9 requires that CMs “ensure that no conflict of interest arises on account of its Directors, key managerial personnel and senior management holding a Directorship, financial interest, employment or beneficial […]”.[19] On a literal reading, the provision implies that any corporate structure operating simultaneously as a fiduciary and as a CM must be prevented from using such user data for its own business purposes.
Unlike AAs, CMs primarily handle the record management of consent rather than data transmission. CMs operate as consent brokers, maintaining records of consent given, denied or revoked by the user; such records must be accessible to data principals and kept for at least seven years from the date consent is withdrawn or expires,[20] whichever applies, enabling both individual and regulatory supervision. Most importantly, Item 9 under Part A of Schedule I[21] requires CM platforms to be “interoperable” so that data principals can access their consent management systems through several providers; however, there is no prescription of how such interoperability is to be achieved. The rule establishes interoperability as a mechanism without creating a roadmap for its implementation.
Jurisdictional conflicts and overlaps
The following regulatory overlaps transpire across these dimensions:
Firstly, AAs operate exclusively on “financial information” as defined in Chapter I, Para F(9) of the AA Directions, which covers tradable securities, insurance, bank deposits and other enumerated categories of financial data. CMs, by contrast, cover sensitive personal information, and by definition any form of financial information falls within their scope as well. If CM interoperability is to include such financial information, the absence of a coordinated standard between the RBI and the DPB means that the two frameworks are developing in parallel without any compatibility.
Secondly, Clause 32 of Part III of the AA Directions further adopts ReBIT standards that fintech bodies must adhere to so as to ensure a “secured, duly authorised, smooth, and seamless” transfer of data. The DPDP Rules, on the other hand, contain no equivalent mandate for CMs, creating yet another operational challenge: an entity cannot comply with the ReBIT standards under the AA Directions and at the same time be interoperable with other sectors without duplicating its systems.
Thirdly, upon violation of user consent, the two regulators wield different enforcement powers. Section 33(1) of the DPDP Act empowers the Board to impose a penalty of up to Rs 250 crores on data fiduciaries and up to Rs 50 crores on CMs. In parallel, Section 45-IA read with Section 58-B of the RBI Act allows the Reserve Bank to impose a penalty of up to Rs 25 lakhs and, prospectively, to cancel the licence of a defaulting NBFC, but there is no harmonisation between the two. This creates unnecessary friction, and the very lacuna that each system aims to resolve is aggravated further.
International framework
In the European Union, the transfer of financial data is governed by the Payment Services Directive 2 (PSD2)[22] and the General Data Protection Regulation (GDPR)[23], which together offer useful guidance. Under Article 66 of PSD2[24], the customer may consent, in any form, to a bank giving access to their payment accounts, and the consent is revocable at the customer’s discretion. Fintech entities can request access to such information “on an objective, non-discriminatory basis and proportionate basis”, while Article 6(1)(a) of the GDPR[25] provides that processing is lawful only if the “data subject has given consent to the processing of his or her personal data”.[26] To address the apparent overlap, the European Data Protection Board (EDPB)[27] clarified that the “explicit consent” mentioned in Article 94(2)[28] and Article 67(2)(a)[29] serves only contractual and transparency purposes. It does not qualify as a legal ground under the GDPR, whose permitted bases remain strictly defined; instead, GDPR compliance must be met separately, typically via Article 6(1)(b)[30], which is tied to contract execution. As a result, overlapping consent demands do not arise: the two frameworks operate together, each fulfilling a distinct role, and this clarity prevents redundancy and keeps the law coherent.[31]
Under Singapore’s Personal Data Protection Act, 2012, consent serves as the main basis for handling personal information. Yet exceptions emerge where sector-specific rules apply, shaped to align with broader legal duties. While permission generally guides data use, sub-section 4(4)(b) clarifies that other laws may override this rule. When regulations require financial firms to collect or share data, say for oversight or risk control, the need for individual approval fades. Such cases permit processing without consent, provided a statutory requirement exists. Thus, compliance with external mandates can displace the usual consent requirement.
Harmonisation
Sectoral exemptions under DPDP
A novel route to harmonisation is to create a sectoral CM category: a new rule recognising AAs as already eligible for consent management, so that they do not require separate registration. The rule could read as follows:
“Notwithstanding the provisions under Rule 4 or any other provision within the rules, any entity which operates retrospectively under any relevant Act, Rule or legislation in force and thereunder is empowered to regulate, facilitate or operationalise any form of user consent-based data sharing, shall be deemed operative as a valid Consent Manager.
Such an entity shall not require separate registration under Rule 4, provided that such entity operates strictly within the scope of its statutory mandate and complies with the obligations extended to Consent Managers under the given Act, Rule or legislation; however, the Data Protection Board reserves its right to probe into, examine, or initiate proceedings with respect to any act or omission which, upon investigation, satisfies the conditions of non-compliance with the provisions of the said Act, Rule or legislation.”
Unified consent artefacts
For the Fintech industry, the DPB and the RBI should establish a Joint Committee to develop a consent artefact standard that extends to both AAs and CMs. These standards should build on the existing ReBIT framework, but their scope should extend beyond financial data. The standards should provide for:
(a) A common consent scheme outlining elements of the data category, purpose, recipient, duration, and consent withdrawal mechanism. Such facets should be operational on a multisectoral basis.
(b) Prescribing minimum encryption standards that need to be adhered to, while sectoral regulatory bodies can prescribe stringent mechanisms for the maintenance of sensitive data.
(c) Consent management systems shall have an interoperable basis by means of which users can access their account aggregator consent forms through preferred interfaces.
Integrating a central interoperable model will ensure that the AA ecosystem can maintain its standards regarding financial data while broader consent management protocols can be put in place as well.
Institutional solution: RBI-DPB mechanism
Legislative and systemic harmonisation alone will not be sufficient to sustain the aforementioned suggestions; therefore, RBI and DPB must coordinate as a whole to maintain this governance. A possible way to explore this is by executing a formal memorandum of understanding (MoU) that establishes the following facets:
(a) A quarterly review, in a Board meeting presided over by senior Board members of the RBI and the DPB, of emerging issues concerning Fintech bodies and the AA-CM intersection, producing robust policies aimed at preventing overlaps and ensuring simpler compliance standards for the entities they regulate.
(b) The protocols should spell out the hierarchy of supervision: the sectoral regulator (RBI) exercises authority over licensed entities (Fintech bodies operating as or with AAs), whereas the DPB enforces data protection horizontally. Upon a violation, for instance a breach of financial data owing to improper consent management, either regulator may step in, the two should conduct a joint investigation, and a single penalty, graded by the gravity of the breach within a prescribed limit, should be imposed.
(c) Facilitating information sharing between the regulatory bodies to check audit reports, assess compliance, and ensure a thorough assessment. This mechanism allows the RBI to uphold oversight of financial data while safeguarding the interests of fintech bodies, while the DPB can advise on a more considerate mechanism. The MoU should be notified in the Gazette to give it legal force and to bind both bodies to a proper data governance regime.
Conclusion
India’s data protection regime is at a critical juncture, with the fintech sector booming and reaching $47 billion in 2025.[32] It is expedient that we resolve any regulatory ambiguity to maintain consistency and uphold such standards. Uncertainty surrounding legislation will undoubtedly have a chilling effect on the industry. The proposed three-pillar harmonisation framework (legislative exemptions, technical standardisation, and institutional coordination) offers a path forward, preserving regulatory rigour while eliminating operational conflicts. Implementation requires the political will to prioritise goodwill over bureaucratic protection of these bodies. The constitutional imperative is clear: Article 14’s non-arbitrariness and Article 21’s privacy protection demand governance frameworks that are proportional and coordinated. India’s fintech future and the financial inclusion of millions depend on resolving this regulatory paradox with the urgency it warrants.
*4th year BBA LLB (Hons.), Symbiosis Law School, Pune.
1. Helen Nissenbaum, “Privacy as Contextual Integrity” (2004) 79 Washington Law Review 119.
2. Reserve Bank of India (Non-Banking Financial Companies – Account Aggregator) Directions, 2025.
3. Martin Moore & Damian Tambini (eds), Regulating Big Tech: Policy Responses to Digital Dominance (OUP 2022) 234–251.
4. Sahamati Foundation, Account Aggregator Ecosystem Dashboard: Monthly Statistics, available at <https://sahamati.org.in/aa-dashboard/>.
5. G20 Digital Economy Working Group, Quad Principles for Development and Deployment of Digital Public Infrastructure (Bali Summit Declaration Annexure, November 2024).
6. Soumya Banerjee, “‘Digital Personal Data Protection Act’: A Strudel Served Raw!” (2024) 2024 Int’l J L Ethics Tech 85.
7. Ministry of Electronics and Information Technology, Digital Personal Data Protection Rules, 2025, G.S.R. 846(E), Notified on 13-11-2025, R. 4(1).
8. As held in E.P. Royappa v. State of T.N., (1974) 4 SCC 3 : 1974 SCC (L&S) 165.
9. Sanya Darakhshan Kishwar, Jaskaran Singh Sahani and Saumya Tyagi, “Navigating India’s Draft DPDP Rules 2025: Implementation Challenges in Protecting Children’s Personal Data” (2025) 8(2) Journal of Data Protection & Privacy 144.
10. Reserve Bank Information Technology Pvt. Ltd. (ReBIT), Cyber Security Framework for NBFCs (ReBIT, 2017).
12. Papnasam Labour Union v. Madura Coats Ltd., (1995) 1 SCC 501.
14. Reserve Bank of India, Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions 2016 (RBI/DNBR/2016-17/26), Ch. I, Para F(4).
15. Reserve Bank of India, Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions 2016 (RBI/DNBR/2016-17/26), Ch. III-B, Para 17.
16. Reserve Bank of India, Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions 2016 (RBI/DNBR/2016-17/26), Ch. III-A, Para 14(7).
17. NITI Aayog, Data Empowerment and Protection Architecture (DEPA): Empowering Data to the People (2020).
18. Reserve Bank of India, Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions 2016 (RBI/DNBR/2016-17/26), Ch. III-B, Para 21.
19. Digital Personal Data Protection Rules, 2025, Sch. I Pt. B Item 9.
20. Digital Personal Data Protection Rules, 2025, R 4.
21. Digital Personal Data Protection Rules, 2025, Sch. I Pt. A Item 9.
22. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2) [2015] OJ L 337/35.
23. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation) [2016] OJ L 119/1.
24. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation) [2016] OJ L 119/1.
25. General Data Protection Regulation, Art. 6(1)(a).
26. Fiona Maclean, Christian McDermott, Calum Docherty and Amy Smyth, “Consent under PSD2 and the GDPR: Squaring the Circle” Butterworths Journal of International Banking and Financial Law (March 2021), available at <https://www.lw.com/admin/upload/SiteAttachments/Article%205%20-%20Smyth.1.pdf>.
27. European Data Protection Board, Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR (EDPB 2020).
28. Payment Services Directive 2, Art. 94(2). (EU).
29. Payment Services Directive 2, Art. 67(2)(a). (EU).
30. General Data Protection Regulation, Art. 6(1)(b).
31. Özgür, Hasan, “Personal Data Processing by Third Party Providers in Online Payment Transactions under GDPR and PSD2 an in-depth Legal Analysis for GDPR and PSD2 Compliance” (2021).
32. Press Trust of India, “FDI inflows to India surged by 73 per cent to $47 billion in 2025” The Economic Times (5-2-2025) available at <https://m.economictimes.com/news/economy/finance/fdi-inflows-to-india-surged-by-73-per-cent-to-47-billion-in-2025-un/articleshow/127292155.cms> last accessed 18-2-2026.