Introduction
As reliance on digital transactions grows, the regulatory landscape governing data becomes increasingly complex. Privacy, security, and governance are critical as financial institutions work to safeguard sensitive personal and financial information. Regulatory frameworks such as the Digital Personal Data Protection Act (DPDPA), the Prevention of Money Laundering Act (PMLA), and the guidelines of the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) impose obligations on financial institutions. The institutions subject to these obligations are broadly categorized into three main types:
- All-India financial institutions (AIFIs), large institutions that operate at a national level, which are divided into:
- All-India development banks;
- specialized financial institutions focused on specific sectors like agriculture or housing;
- investment institutions involved in investments and securities; and
- refinance institutions that provide financial assistance to other financial institutions.
- State-level institutions which include State Financial Corporations (SFCs) and State Industrial Development Corporations (SIDCs).
- Other financial institutions such as the Export Credit Guarantee Corporation of India (ECGC) and the Deposit Insurance and Credit Guarantee Corporation (DICGC).
Thus, understanding and implementing such regulations is paramount, as organizations that fail to do so may face penalties, incurring not just heavy financial losses but also great reputational damage.
Data Privacy Obligations for Financial Institutions
1. Privacy Principles
As per the DPDPA and other financial regulations, financial entities need to adhere to privacy principles whereby they must:
- define the purpose of using financial information, with restrictions on usage and disclosure;
- ensure accuracy before sharing financial information with other entities;
- maintain financial information per regulations, including retention period, deletion procedures, and record maintenance; and
- enable networking among financial institutions through electronic means.
Securiti’s Data Privacy Solution automates compliance with evolving global privacy regulations and principles by implementing end-to-end encryption at rest and in transit, role-based access controls to limit data access to authorized personnel, and advanced data anonymization techniques to share data securely.
2. Consent
As per the DPDPA, RBI’s directions, and other regulations such as the Aadhaar Act, financial organizations should:
- collect consent at the time or before requesting data;
- ensure consent is given explicitly and freely, in a manner that it is specific, informed, unconditional, unambiguous, and clearly indicated through affirmative action;
- collect and use personal data only when it is essential for the specific purpose; and
- support Consent Managers: under the DPDPA a data principal (the person whose personal data is being processed) may give, manage, review, and withdraw consent through a Consent Manager, a person registered with the Data Protection Board of India who acts as the data principal’s single point of contact via an accessible, transparent, and interoperable platform. The financial institution does not appoint the Consent Manager; it must be able to record consent given through one and honour consent withdrawn through one.
It is important to note that this may be done via Account Aggregators (AAs) who are licensed entities that securely collect and share individuals' financial data across different institutions with their consent. They act as intermediaries, enabling customers to access and share their financial information.
Securiti’s Consent Module automates consent tracking and management, simplifying the management of first-party and third-party consent, and enabling organizations to obtain, record, track, and manage individuals' explicit consent.
3. Data Collection
The SEBI Know Your Client (KYC) regulations and guidelines impose responsibilities on financial institutions concerning how they should collect data. Key obligations include:
- conducting thorough verification and authentication of client information;
- uploading verified KYC data, including scanned documents, to the KYC Registration Agency (KRA) system while maintaining accurate records and providing necessary access; and
- promptly updating the KRA if there are changes in a client’s KYC information to ensure the data remains current and accurate.
Moreover, under the Payment and Settlement Systems Act, 2007 (PSSA), system providers in the payment sector have a fundamental duty to maintain the confidentiality of documents and information received from participants. Disclosure is strictly prohibited unless it is required by law, consent has been obtained from the participant or it is mandated by a court or statutory authority.
Securiti’s Data Mapping solution automates the discovery, classification, and cataloging of client data across systems, ensuring data is accurate and accessible. This supports compliance by enabling real-time updates to KYC records and maintaining secure access.
4. Data Principal Rights
Financial entities must ensure that the following rights are available to customers as per the DPDPA:
- Right to access their personal data.
- Right to have their personal data corrected, completed or updated.
- Right to have their personal data erased.
- Right to nominate another person to exercise their data privacy rights.
- Right to have an available means of grievance redressal.
Moreover, as per the RBI’s own Charter of Customer Rights, banks are required to provide the following rights:
- Right to Fair Treatment: Both the customer and the financial services provider have a right to be treated with courtesy; customers must not be discriminated against on grounds such as gender, age, religion, caste, or physical ability.
- Right to Transparency: Contracts should be clear, and transparent, and disclose product pricing, risks, terms, and responsibilities. Customers must be free from unfair practices or coercion.
- Right to Suitability: Products must align with the customer’s financial needs, circumstances, and understanding.
- Right to Privacy: Personal information must remain confidential unless consented to or required by law, with customers informed of any mandated disclosures.
- Right to Grievance Redressal: Customers can seek redress for valid complaints, including issues with third-party products, and providers must outline their compensation policies for errors or delays.
Thus, organizations should:
- create portals where data principals can access and manage their data rights;
- draft standard operating procedures (SOPs) and have automated systems to handle data requests promptly and transparently, documenting response times and actions taken; and
- educate employees on data principal rights to ensure compliance.
Securiti’s Data Subject Rights Management solution automates handling requests like access, deletion, and correction. It streamlines request tracking, identity verification, and secure data transfer, ensuring timely compliance and reducing administrative workload.
5. Vendors and Third Parties
To ensure compliance with DPDPA, RBI guidelines on outsourcing, and SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), financial institutions should structure contracts to enable:
- adherence to data security protocols (including encryption, data residency, and real-time monitoring);
- formation of comprehensive termination clauses for seamless data retrieval and deletion support;
- vendor liability for breaches; and
- vendors to maintain and periodically test business continuity plans (BCPs).
They should ensure due diligence and security by:
- establishing contingency plans or alternative vendors to ensure uninterrupted operations if a primary vendor fails;
- mandating data localization within India for payment and regulatory data, and enforcing field-level encryption for personal information;
- maintaining detailed audit trails of vendor interactions;
- integrating security monitoring tools and performing regular vulnerability assessments and penetration testing (VAPT) to promptly address any security risks;
- assessing vendors’ security measures (encryption, localization, access controls); and
- validating compliance through audits (e.g., ISO 27001).
They should also allow RBI inspections and schedule regular reviews to ensure continuous alignment with regulatory standards.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, enabling organizations to assess third-party privacy risks, track subcontractor engagements, and provide automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
6. Assessment & Audits
As per the DPDPA, the assessment obligation applies only to data fiduciaries that the Central Government has notified as Significant Data Fiduciaries (SDFs). Fiduciaries are notified as SDFs based on factors such as the volume and sensitivity of the personal data they process, the risk to data principals’ rights, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order. An SDF must conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits; a DPIA describes:
- data principals' rights;
- processing purposes; and
- assessment and management of risks to the rights of data principals.
Moreover, as per RBI’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, regulated entities must undergo a risk assessment guided by relevant security standards or IT control frameworks. In certain situations, as per the CSCRF, they are also required to conduct Vulnerability Assessment (VA) / Penetration Testing (PT) periodically.
Procedural guidance on assessments is given below in the Data Security Obligations section of this paper.
Securiti’s Assessment Automation solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
7. Privacy Policy
As per the DPDPA, any request for consent must be preceded or accompanied by a notice that should:
- use simple language to make the notice understandable for all customers (either in English or any of the 22 languages specified in the Indian Constitution);
- clearly outline the purposes for which data is being processed;
- clearly indicate the types of data being collected and specify the duration for which the data will be retained;
- include comprehensive information about customers’ rights concerning their personal data, how to report any misuse of their data, and the grievance and complaint processes available to data principals.
Securiti’s Privacy Policy and Notice Management enables organizations to rapidly build and deploy privacy notices, automate updates, and easily manage hundreds of privacy and cookie policies and notices via a unified privacy dashboard.
8. Grievance Officer & DPO
As per the DPDPA, every financial institution is required to appoint a Grievance Officer. This officer plays a crucial role in the data protection framework, with responsibilities including:
- receiving complaints regarding personal data processing; and
- addressing these complaints effectively within a period prescribed by the regulations.
Moreover, SDFs must appoint a Data Protection Officer (DPO) to oversee data protection activities, including internal audits and impact assessments, and to act as the main contact between the organization, the Data Protection Board, and data principals. Key points are that the DPO should:
- represent the organization as per the DPDPA;
- be based in India;
- be responsible to the Board of Directors of the organization; and
- be the point of contact for the grievance redressal mechanism under the provisions of the DPDPA.
Securiti’s Data Mapping module can equip Data Protection Officers with tools to uphold stringent data security and governance protocols to catalog and map all data processing activities.
Data Security Obligations for Financial Institutions
The DPDPA and RBI guidelines such as the Directions for Payment Systems and SEBI’s CSCRF require financial institutions to implement technical and organizational measures to ensure data security, including purpose limitation, data localization, and data minimization. This guide outlines key steps for compliance and operational resilience.
1. Centralized Identity and Access Management (IAM)
Financial entities must ensure secure identity verification and access control for all personnel by enabling:
- an IAM programme with named ownership, for example a DPO and an IT Security Manager who oversee IAM and verify compliance with RBI and SEBI standards;
- a Single Sign On (SSO) for secure, streamlined access across platforms;
- regular policy review; and
- storage of all payment data, including transaction and personal details, within India.
2. Multi-factor Authentication (MFA) and Privileged Access Management (PAM)
To protect sensitive data and reduce the risk of unauthorized access, financial institutions should:
- require MFA for all users across systems and train employees in using it;
- set up PAM to limit access to high-risk accounts, monitored in real-time by the Security Operations Center (SOC);
- establish formal workflows for elevated access and have them overseen by the compliance team so that the organization is ready for an audit; and
- secure all Application Programming Interfaces (APIs) with authentication, rate limiting, and regular monitoring to prevent unauthorized access.
3. Data Encryption and Protection
To encrypt personal data and keep it stored within India, financial institutions should ensure:
- SaaS providers and others use on-premises or India-based cloud storage to localize data;
- strong, standard algorithms: AES (for example AES-256-GCM) for data at rest and TLS for data in transit, with asymmetric algorithms such as RSA or elliptic-curve key agreement reserved for key exchange, key wrapping, and signatures rather than bulk data encryption;
- control of encryption keys directly, in line with RBI and DPDPA standards;
- full-disk encryption, file-based encryption, and endpoint security measures to protect data; and
- layered encryption approaches to secure sensitive information at all stages.
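As an added example (not code from the original page or from Securiti’s product), the following Go program shows one way to implement field-level encryption with keys the institution controls: each value is encrypted with AES-256-GCM under a per-record data-encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK) that would live in the institution’s own HSM or KMS, and the record ID and field name are bound into the ciphertext as associated data so that a ciphertext moved to another customer’s row or another column fails to decrypt. The record IDs, field names, sample value, and the in-memory KEK are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical envelope-encryption helper for field-level protection of
// personal data. The KEK stands in for a key held in the institution's own
// HSM/KMS; each record gets its own DEK, which is persisted only wrapped.

// EncryptedField is what would be stored in place of the plaintext value.
type EncryptedField struct {
	WrappedDEK []byte // DEK encrypted under the KEK (nonce prepended)
	Ciphertext []byte // field value encrypted under the DEK (nonce prepended)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the ciphertext or the AAD was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// fieldAAD binds a ciphertext to one record and one field, so a value copied
// from another customer's row (or another column) will not decrypt.
func fieldAAD(recordID, fieldName string) []byte {
	return []byte(recordID + "\x00" + fieldName)
}

// EncryptField generates a per-record DEK, encrypts the value under it, and
// wraps the DEK under the KEK (the wrap is bound to the record ID as well).
func EncryptField(kek []byte, recordID, fieldName string, value []byte) (EncryptedField, error) {
	dek := make([]byte, 32) // AES-256
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, value, fieldAAD(recordID, fieldName))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK and decrypts the value for the named record/field.
func DecryptField(kek []byte, recordID, fieldName string, ef EncryptedField) ([]byte, error) {
	dek, err := open(kek, ef.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, ef.Ciphertext, fieldAAD(recordID, fieldName))
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; in production this lives in the KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	ef, err := EncryptField(kek, "cust-1001", "pan", []byte("ABCDE1234F")) // constructed value
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(kek, "cust-1001", "pan", ef)
	fmt.Printf("decrypted: %s err=%v\n", pt, err)
	_, err = DecryptField(kek, "cust-2002", "pan", ef) // same ciphertext, another record
	fmt.Println("cross-record decrypt rejected:", err != nil)
}
```

Rotating the KEK means re-wrapping the stored DEKs rather than re-encrypting every field, which is what makes per-record DEKs practical at scale; conversely, destroying the KEK renders every field unrecoverable, which is the lever that “control of encryption keys directly” gives the institution.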
4. Continuous Threat Monitoring and Automated Patch Management
To ensure continuous monitoring and vulnerability management, financial institutions should:
- establish a Security Operations Centre (SOC) for real-time monitoring and incident response to detect and mitigate potential threats; and
- enable automated patch deployment so that known vulnerabilities are remediated within defined timelines.
Securiti’s Data Security Posture Management empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.
5. Regulatory Compliance and Auditing
To ensure regulatory compliance, financial institutions are required to:
- submit a System Audit Report (SAR) within six months of regulatory notification;
- perform routine security audits to verify data protection and access management controls;
- implement audit and system logging for IT Applications;
- engage external auditors for ISO and SOC 2 certifications; and
- document compliance, such as maintaining data logs, transferring records and categorizing data to streamline regulatory reporting.
Securiti's Compliance Management helps organizations streamline data privacy and security compliance across multiple regulations by automating risk assessments, audits, and reporting. It offers centralized control to ensure ongoing adherence to global data protection standards and policies
6. Incident Response and Breach Notifications
The DPDPA defines a “personal data breach” as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises its confidentiality, integrity, or availability. In the event of a breach, the data fiduciary must notify the Data Protection Board of India and each affected data principal in the prescribed form and manner. Separately, under the Information Technology (CERT-In) Rules, 2013 and CERT-In’s directions of April 2022, financial institutions must report cyber incidents to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of noticing them, and RBI’s Cyber Security Framework in Banks requires banks to report cyber incidents to RBI within 2 to 6 hours. The clock starts at detection, not at confirmation of impact, so incident classification and escalation must be fast enough to meet it.
Financial institutions are required to establish policies that:
- classify incidents, conduct root-cause analysis, and apply corrective measures;
- assign key roles for incident management, with escalation protocols for senior management;
- include clear communication plans for notifying affected customers and authorities; and
- conduct regular tests and simulations to enhance incident response and recovery processes.
Securiti’s Breach Management solution automates breach notifications and compliance actions, providing incident response workflows that help organizations respond to privacy incidents promptly and effectively.
7. Data Retention & Deletion Requirements
According to the DPDPA, personal data must be erased when the data principal withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is necessary for compliance with any law in force. A statutory retention period therefore takes precedence over an erasure trigger, but the data may then be kept only for that compliance purpose and not processed for anything else. While detailed retention requirements vary by data type, the Master Circular – Know Your Customer (KYC) norms / Anti-Money Laundering (AML) standards / Combating of Financing of Terrorism (CFT) / Obligation of banks under Prevention of Money Laundering Act (PMLA), 2002 states that banks must record and preserve:
- transaction records for at least ten years, ensuring quick retrieval and reconstruction of individual transactions to support criminal prosecutions;
- customer identification records, including documents like passports and utility bills for ten years after the business relationship ends; and
- complex or unusual transactions and all related documents for ten years to support audits and regulatory scrutiny under PMLA, 2002.
Furthermore, such identification records and transaction data should be readily accessible for competent authorities upon request.
For Video-based Customer Identification Process (V-CIP) records, all associated data and video recordings should be stored in secure systems located within India. These video recordings should be safeguarded with secure, time-stamped storage to allow easy historical data searches. Additionally, an activity log should be maintained that records the credentials of the official conducting the V-CIP, ensuring this information is preserved in a secure manner to support data integrity and compliance.
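As an added example (not code from the original page or Securiti’s product), the Go program below shows one way to make the V-CIP activity log described above, and the application audit logging required in the Regulatory Compliance and Auditing section, tamper-evident: each entry carries an HMAC-SHA256 over its own fields and the previous entry’s MAC, so altering, deleting, or reordering any entry breaks verification from that point on. The MAC key is assumed to be held outside the database (for example in an HSM), the official and session identifiers are constructed, and the `Verify` function reports the index of the first entry that fails.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Hypothetical tamper-evident activity log. Each entry is chained to its
// predecessor through an HMAC, so a database user with write access but no
// MAC key cannot rewrite history without the chain failing verification.

type Entry struct {
	Seq       int       `json:"seq"`
	At        time.Time `json:"at"`         // authoritative timestamp, UTC
	Official  string    `json:"official"`   // ID of the official conducting the V-CIP
	SessionID string    `json:"session_id"` // V-CIP session being recorded
	Action    string    `json:"action"`     // e.g. "vcip.start", "liveness.pass"
	PrevMAC   string    `json:"prev_mac"`   // MAC of the previous entry ("genesis" for the first)
	MAC       string    `json:"mac"`        // HMAC-SHA256 over all fields above
}

type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// macFor computes HMAC-SHA256 over the JSON form of the entry with MAC blanked.
// encoding/json emits struct fields in declaration order, so the encoding is canonical.
func (l *AuditLog) macFor(e Entry) (string, error) {
	e.MAC = ""
	b, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, l.key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Append records an action, chaining it to the previous entry's MAC.
func (l *AuditLog) Append(at time.Time, official, session, action string) error {
	prev := "genesis"
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := Entry{Seq: len(l.entries), At: at.UTC(), Official: official,
		SessionID: session, Action: action, PrevMAC: prev}
	mac, err := l.macFor(e)
	if err != nil {
		return err
	}
	e.MAC = mac
	l.entries = append(l.entries, e)
	return nil
}

func (l *AuditLog) Entries() []Entry { return l.entries }

// Verify walks the chain from the start and returns the index of the first
// entry that is missing, reordered, or altered, or -1 if the log is intact.
func Verify(key []byte, entries []Entry) (int, error) {
	l := &AuditLog{key: key}
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != i {
			return i, errors.New("sequence gap: entry missing or reordered")
		}
		if e.PrevMAC != prev {
			return i, errors.New("chain broken")
		}
		want, err := l.macFor(e)
		if err != nil {
			return i, err
		}
		if !hmac.Equal([]byte(want), []byte(e.MAC)) {
			return i, errors.New("entry altered")
		}
		prev = e.MAC
	}
	return -1, nil
}

func main() {
	key := []byte("constructed-demo-key-keep-in-hsm") // constructed; the real key stays in the HSM/KMS
	al := NewAuditLog(key)
	base := time.Date(2025, 3, 1, 9, 0, 0, 0, time.UTC)
	for i, a := range []string{"vcip.start", "liveness.pass", "vcip.end"} {
		_ = al.Append(base.Add(time.Duration(i)*time.Minute), "emp-4521", "sess-77", a)
	}
	bad, err := Verify(key, al.Entries())
	fmt.Println("clean log: first bad index =", bad, "err =", err)
	tampered := append([]Entry(nil), al.Entries()...)
	tampered[1].Official = "emp-9999" // someone rewrites who ran the session
	bad, err = Verify(key, tampered)
	fmt.Println("tampered log: first bad index =", bad, "err =", err)
}
```

The chain detects edits and deletions in the middle, but not truncation of the tail: the latest MAC (or the entry count) must also be anchored somewhere the database writer cannot reach, such as a write-once store or a periodically signed checkpoint, for the log to be complete as well as intact.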
Organizations can:
- develop schedules for data retention based on legal and business requirements, specifying timelines for various data types;
- implement systems that automatically delete data once it meets the retention schedule; and
- conduct yearly reviews to align retention practices with evolving regulatory expectations.
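As an added example (not code from the original page or Securiti’s product), the Go program below implements a small retention-policy engine that resolves the conflict the obligations above create: a DPDPA erasure trigger (consent withdrawn, or the purpose no longer served) against a statutory hold such as the ten-year PMLA/KYC periods quoted above. The data categories, the period lengths, and the sample records are assumptions modelled on this page and should be replaced with the periods that actually apply to the institution.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical retention-policy engine. Categories and periods are assumptions
// modelled on the obligations summarised above, not a statement of the law.

type Category string

const (
	MarketingProfile  Category = "marketing-profile"  // consent-based, no statutory hold
	TransactionRecord Category = "transaction-record" // hold: 10 years from the transaction
	IdentityRecord    Category = "identity-record"    // hold: 10 years after the relationship ends
)

type Record struct {
	ID                string
	Category          Category
	CreatedAt         time.Time
	RelationshipEnded *time.Time // nil while the customer relationship is active
	ConsentWithdrawn  bool
	PurposeServed     bool // fiduciary has concluded the specified purpose is no longer served
}

type Decision struct {
	Action  string    // "retain", "restrict" or "erase"
	Reason  string
	EraseOn time.Time // zero when no erasure date can be fixed yet
}

// statutoryHoldUntil returns the earliest date the law lets the record go,
// and false when no hold applies or its clock has not started.
func statutoryHoldUntil(r Record) (time.Time, bool) {
	switch r.Category {
	case TransactionRecord:
		return r.CreatedAt.AddDate(10, 0, 0), true
	case IdentityRecord:
		if r.RelationshipEnded == nil {
			return time.Time{}, false
		}
		return r.RelationshipEnded.AddDate(10, 0, 0), true
	}
	return time.Time{}, false
}

// Evaluate decides what to do with a record at time now.
func Evaluate(r Record, now time.Time) Decision {
	erasureTriggered := r.ConsentWithdrawn || r.PurposeServed
	holdUntil, held := statutoryHoldUntil(r)

	// KYC records of an active customer: purpose still served, hold not started.
	if r.Category == IdentityRecord && r.RelationshipEnded == nil {
		return Decision{Action: "retain", Reason: "relationship active; KYC purpose still served"}
	}
	switch {
	case held && now.Before(holdUntil) && erasureTriggered:
		// Erasure trigger met, but the statute wins until the hold lapses:
		// keep the record solely for compliance and block all other processing.
		return Decision{Action: "restrict", Reason: "statutory hold; retain for compliance only", EraseOn: holdUntil}
	case held && now.Before(holdUntil):
		return Decision{Action: "retain", Reason: "within statutory retention period", EraseOn: holdUntil}
	case held && erasureTriggered:
		return Decision{Action: "erase", Reason: "statutory hold lapsed and consent/purpose ended", EraseOn: now}
	case held:
		return Decision{Action: "retain", Reason: "hold lapsed but purpose still served; review at next cycle"}
	case erasureTriggered:
		return Decision{Action: "erase", Reason: "consent withdrawn or purpose served; no statutory hold", EraseOn: now}
	default:
		return Decision{Action: "retain", Reason: "purpose ongoing"}
	}
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	ended := now.AddDate(-2, 0, 0)
	samples := []Record{ // constructed sample records
		{ID: "txn-1", Category: TransactionRecord, CreatedAt: now.AddDate(-3, 0, 0), ConsentWithdrawn: true},
		{ID: "txn-2", Category: TransactionRecord, CreatedAt: now.AddDate(-11, 0, 0), PurposeServed: true},
		{ID: "mkt-1", Category: MarketingProfile, CreatedAt: now.AddDate(-1, 0, 0), ConsentWithdrawn: true},
		{ID: "kyc-1", Category: IdentityRecord, CreatedAt: now.AddDate(-5, 0, 0)},
		{ID: "kyc-2", Category: IdentityRecord, CreatedAt: now.AddDate(-5, 0, 0), RelationshipEnded: &ended},
	}
	for _, r := range samples {
		d := Evaluate(r, now)
		fmt.Printf("%-6s %-8s %s (erase on %s)\n", r.ID, d.Action, d.Reason, d.EraseOn.Format("2006-01-02"))
	}
}
```

The “restrict” outcome is the one most schedules miss: once consent is withdrawn, a transaction record inside its ten-year window must stay retrievable for the competent authorities but must stop feeding analytics, marketing, or any other processing, so the deletion system needs a state between “live” and “gone”.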
Securiti’s SDI solution uses AI to identify and remove unnecessary data, reducing storage costs and ensuring compliance with retention policies. It enables organizations to leverage granular insights and discover the security posture of data assets across on-premise, IaaS, SaaS, and data clouds.
8. Confidentiality Requirements
The RBI’s Charter of Customer Rights requires all financial service providers, including banking service providers (BSPs), to keep customers’ personal information confidential unless one of the following conditions is met:
- the customer has explicitly consented to the disclosure;
- disclosure is required by law; or
- the information is shared for a mandated business purpose, such as with credit information companies.
Customers must be informed in advance of any such mandated business purposes, and they retain the right to be protected from communications, electronic or otherwise, that infringe their privacy.
Data Governance
1. Governance Frameworks
As per the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices issued by the RBI, regulated entities must establish an IT Governance Framework that includes:
- defined governance structure and processes to achieve business and strategic objectives;
- clear roles, authority, and responsibilities for the board of directors, board-level committees, and senior management; and
- oversight mechanisms to ensure accountability and manage IT, cyber, and information security risks.
Moreover, the operational risk management policy should include regular assessments of IT-related risks, covering both inherent and potential risks. There should also be a separate cybersecurity policy that defines the company's strategy for combating cyber threats, specifically addressing cyber risks and detailing necessary measures to mitigate those threats.
Securiti’s Data Governance provides a unified approach to managing data assets, ensuring compliance, security, and data quality across the organization. It automates policies, access controls, and data lifecycle management, enabling transparent, accountable, and consistent data practices aligned with regulatory standards.
2. Data Classification and Integrity
To comply with the DPDPA, organizations must know whether they are an SDF and how to classify the type of data they process and retain. Furthermore, organizations must ensure data accuracy and completeness, verifying the integrity of personal data before using it to make decisions. To comply, organizations can create governance frameworks that:
- have procedures to validate data upon entry, especially for high-risk operations like customer onboarding;
- set up a structured process for data principals to request data corrections or updates; and
- use automated tools to track data accuracy and flag inconsistencies in real-time.
Securiti’s Data Catalog organizes and classifies data across systems, enabling easy discovery, access control, and compliance. It provides automated data mapping and insights to ensure consistent governance and regulatory alignment.
3. Data Quality
Maintaining high data quality standards is critical for financial institutions, particularly in compliance with various regulations and building trust with customers. The Master Direction – Know Your Customer (KYC) Directions, 2016 emphasizes the need for banks to conduct due diligence procedures and ensure the quality of data they collect and process. Below are key considerations and measures that can be implemented to uphold data quality, as pointed out by the Data Security Council of India:
- collecting only the necessary and relevant personal data required for specific purposes;
- deleting unnecessary data and ensuring that the data retained is accurate, complete, and up-to-date;
- developing protocols for addressing inaccuracies that may arise from breaches;
- creating protocols to assess the quality of data obtained from third-party sources; and
- conducting regular assessments to ensure that data remains accurate and relevant over time.
Moreover, the Credit Information Companies (Regulation) Act, 2005 requires organizations to take measures to ensure credit information they process is accurate, complete, and necessary for the purposes of processing.
Securiti’s Data Quality solution enhances data accuracy by automating profiling, validation, and monitoring to ensure consistent, reliable, and compliant data across systems.
Conclusion
With evolving regulations and increasing cybersecurity threats, financial institutions in India must prioritize robust data governance frameworks, implement comprehensive security measures, and foster a culture of data privacy.
Securiti, the pioneer of the Data Command Center, offers a powerful centralized platform that ensures the secure use of data and enables responsible GenAI integration. With its unified approach to data intelligence, control, and orchestration across hybrid multi-cloud environments, Securiti empowers financial institutions to protect sensitive information, enhance customer trust, and confidently meet complex regulatory standards.
Securiti Gencore AI enables organizations to safely connect to hundreds of data systems while preserving data controls and governance as data flows into modern GenAI systems. It is powered by a unique knowledge graph that maintains granular contextual insights about data and AI systems.
Request a demo to learn more.