The draft Digital Personal Data Protection (DPDP) rules, requiring explicit customer consent for using data beyond its original intent, are set to redefine data governance in the banking sector. These rules leave no room for regulatory arbitrage, compelling banks to enhance compliance mechanisms and formalise data-sharing agreements with third-party entities.

While banks generally follow good governance practices by obtaining consent for cross-selling products, instances of non-compliance have surfaced in the past. The formalization of these rules is expected to standardize data-sharing practices across the sector and align them with global privacy standards.

The operational impact of these rules is yet to be fully assessed. Banks, especially smaller players, will need to invest in technological infrastructure, financial resources, and training to implement robust consent management systems. These systems are expected to allow customers to easily provide, manage, or withdraw consent, thereby strengthening trust in the financial services ecosystem.

Larger banks

Larger banks, which have already begun preparing for DPDP compliance, are better positioned to adapt to the new requirements. However, the sector as a whole may face challenges in managing operational complexities, especially for activities like cross-leveraging group customers.

Regulatory guidance, potentially through frameworks provided by the Reserve Bank of India (RBI) and the Indian Banks’ Association (IBA), could help banks navigate these changes. A playbook outlining minimum acceptable operational norms is anticipated to support the industry’s transition.

Financial institutions, including banks and insurance companies, are reviewing the draft rules and are yet to finalize their feedback. The rules are open for public comment, providing stakeholders with an opportunity to influence the final regulations.

e DPDP Act intersects with existing regulations by the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI). Financial institutions must ensure their data practices comply with these frameworks to avoid breaching multiple regulatory mandates.
While the Act aims to enhance customer data protection, it could significantly impact functions like targeted marketing, fraud prevention, and product pricing, forcing the BFSI sector to recalibrate its strategies for managing data and customer relationships.