Bank + Credit Bureau + BNPL: The Credit Data Ecosystem Under DPDP — CICRA, AA Consent, and Dispute Redress
Three interdependent entities. A statutory credit reporting mandate. An Account Aggregator consent that expires. And a BNPL fintech building a proprietary model. Which flows are lawful, which are prohibited, and who answers the dispute?
A retail bank reports loan data to credit bureaus per RBI mandate. A BNPL fintech pulls bureau scores and separately initiates an Account Aggregator (AA) consent for bank statement access. The fintech uses both data sources to build a proprietary credit model. The customer's bank loan agreement mentioned credit bureau reporting but not AA use or BNPL fintech use.
The bank reports to credit bureaus under RBI mandate. Does DPDP consent apply here?
The RBI Credit Information Companies Regulation Act (CICRA) 2005 mandates credit information reporting. This is §7(b) lawful basis — "necessary for compliance with any law." Consent is not required for this reporting. However, the bank must still inform customers in the loan agreement that credit reporting will occur (transparency obligation under §8) and document the CICRA mandate as the legal basis in its ROPA. Only the mandated data fields should be shared — not additional profiling or behavioural data.
The AA consent was for a specific transaction. Can the fintech use this data to train a permanent credit model?
Prohibited. The Account Aggregator framework is consent-based and purpose-bound per the RBI AA Master Direction. The consent artefact has a defined validity period and is not a perpetual licence. Using AA-pulled bank statement data to permanently train and retain a proprietary credit scoring model goes beyond the transaction-specific consent purpose. The fintech may retain derived analytical outputs (the credit decision, the risk score for that account) for loan management — but the raw bank statements must be deleted per the consent artefact terms.
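The purpose-bound and time-bound rule above, written as an added policy check that is not part of this article or any platform it describes: a simplified, constructed consent artefact (field names are assumptions, not the AA consent schema) gates each use of AA-pulled data, and once the consent lapses the raw statements are purged while the derived risk score is retained for loan management.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class ConsentArtefact:
    """Constructed, simplified artefact; field names are assumptions."""
    consent_id: str
    purpose: str                 # the single purpose the customer consented to
    valid_from: datetime
    valid_to: datetime           # consent expiry: not a perpetual licence
    data_types: FrozenSet[str]   # data categories covered by the consent


@dataclass
class Account:
    account_id: str
    raw_statements: List[dict] = field(default_factory=list)  # AA-pulled data
    risk_score: Optional[float] = None                        # derived output


def use_permitted(consent: ConsentArtefact, purpose: str,
                  data_type: str, now: datetime) -> Tuple[bool, str]:
    """Check purpose, validity window and data category before any use."""
    if not (consent.valid_from <= now <= consent.valid_to):
        return False, "consent expired or not yet valid"
    if purpose != consent.purpose:
        return False, "purpose '%s' outside consented '%s'" % (purpose, consent.purpose)
    if data_type not in consent.data_types:
        return False, "data type '%s' not covered by consent" % data_type
    return True, "ok"


def enforce_retention(account: Account, consent: ConsentArtefact,
                      now: datetime) -> bool:
    """After expiry, delete raw statements but keep the derived score."""
    if now > consent.valid_to and account.raw_statements:
        account.raw_statements.clear()   # risk_score is deliberately untouched
        return True
    return False
```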
A customer is denied a BNPL loan and suspects the credit score is wrong. What are the DPDP-mandated redress steps?
Step 1: Request the credit report from the bureau under §11 (right to access).

Step 2: Submit a correction with supporting documentation under §12(2). The bureau must correct or provide a written explanation.

Step 3: If the error originates from the bank's reporting (for example, an incorrect NPA marking), the bank has a §8(4) accuracy obligation to correct inaccurate personal data. The DPDP Act's accuracy obligation applies to the Fiduciary that holds and uses the inaccurate data — both the reporting bank and the bureau.
The CreativeCyber DPDP Assurance Platform puts every framework, workflow, and control referenced in this article into a single audit-ready platform — built specifically for BFSI.