The Current State — Why Existing Consent Frameworks Fail DPDPA
Most digital lenders currently collect consent through a single checkbox or screen in the loan application — "I agree to the Terms and Conditions and Privacy Policy." This consent covers, in one sweep, KYC verification, credit bureau inquiry, bank statement analysis, employment verification, collection activities, marketing, and data sharing with partners.
DPDPA treats each of these as a separate purpose requiring separate consent. A borrower must be able to consent to KYC verification (mandatory for loan processing) while declining consent for marketing — and the NBFC must be able to honour that choice without refusing the loan.
The Eight Consent Items a Digital Lender Must Separately Capture
Consent to collect and process Aadhaar, PAN, photograph, and address proof for KYC purposes
Explicit consent to make a hard enquiry to CIBIL/Experian/Equifax/CRIF — noting that this affects the credit score
Consent to access bank statements (via Account Aggregator or net banking) for income and cash flow assessment
Consent to upload KYC records to the Central KYC Registry and to fetch CKYC data
Consent to process account data (repayments, outstanding balance, overdue status) during the loan tenure
Consent to contact the borrower (and guarantors) for repayment collection — specifying channels and timing
Consent to report repayment behaviour to all four CICs on an ongoing basis
Consent to use borrower data for marketing, product recommendations, and cross-sell — this is the only truly optional consent
What Legacy LOS Systems Must Be Retrofitted For
The LOS is the primary system where borrower consent is collected in digital lending. Most legacy LOS platforms were not designed with DPDPA's granular consent architecture in mind. The key retrofit requirements are:
Consent screen redesign — separate screens or toggles for each consent item, not a single checkbox
Consent audit trail — timestamp, IP address, and consent version stored immutably for each consent given
Withdrawal mechanism — a real-time pathway for borrowers to withdraw any non-mandatory consent
Conditional processing logic — if a borrower withdraws marketing consent, the system must stop processing for marketing without affecting loan servicing
Legacy borrower re-consent — a systematic workflow to refresh consent from existing customers during routine interactions
API integration with consent management platform — if consent is managed centrally, the LOS must integrate for real-time consent status checks
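As an added illustration of the audit-trail, withdrawal and conditional-processing requirements above (this is example code, not from any LOS vendor or consent platform): a minimal append-only, hash-chained consent ledger in Python. The short purpose labels, version strings and the hash-chaining scheme are assumptions chosen for the example.

```python
import hashlib
import json

# The eight consent purposes listed above (these short labels are my own).
# Only marketing is optional; the other seven are needed to originate and
# service the loan, so the self-service withdrawal pathway does not apply.
OPTIONAL = {"marketing"}
MANDATORY = {"kyc", "bureau_enquiry", "bank_statements", "ckyc",
             "account_data", "collection_contact", "cic_reporting"}


class ConsentLedger:
    """Append-only, hash-chained consent audit trail: each record stores
    borrower, purpose, decision, consent-text version, IP, timestamp and the
    SHA-256 of the previous record, so altering or deleting an earlier entry
    breaks verification of everything after it."""

    def __init__(self):
        self.records = []

    def record(self, borrower, purpose, granted, version, ip, ts):
        if purpose not in MANDATORY | OPTIONAL:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not granted and purpose in MANDATORY:
            raise PermissionError(f"{purpose} cannot be withdrawn while the loan is live")
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = dict(borrower=borrower, purpose=purpose, granted=granted,
                   version=version, ip=ip, ts=ts, prev=prev)
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.records.append(rec)
        return rec["hash"]

    def permitted(self, borrower, purpose):
        """Conditional-processing gate: the latest decision for this borrower
        and purpose wins, and no record at all means no consent."""
        for rec in reversed(self.records):
            if rec["borrower"] == borrower and rec["purpose"] == purpose:
                return rec["granted"]
        return False

    def verify(self):
        """Recompute every hash and back-link; False if any record was changed."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

A marketing batch job should call `permitted(borrower, "marketing")` before each run, while loan-servicing jobs check their own purpose, so a marketing withdrawal never touches repayment processing.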
The Behavioural Scoring Problem
Digital lenders that use behavioural signals — device metadata, app usage patterns, location data, social media indicators — for credit scoring face an additional challenge. DPDPA classifies these as processing of personal data for automated decision-making. The borrower must be informed that such signals are used, must consent to their use, and must have the right to seek human review of an automated credit decision. Lenders whose models depend on these signals will need to redesign consent flows and potentially revisit model architecture.
Is your LOS ready for DPDPA's granular consent requirements?
A DPDPA consent architecture review will map your current onboarding flow, identify every gap against the eight consent items above, and build a LOS retrofit plan.
Book a DPDPA Consent Review