Introduction
In 2025, Indian banks and financial institutions reported 248 confirmed data breaches — a number that Kraver.ai has compiled from CERT-In disclosures, RBI circulars, and public breach notifications. That is nearly five breaches every single week, exposing the personal and financial data of millions of Indian citizens. And 2025 was the year before the DPDPA's enforcement machinery became fully operational. Now, in 2026, the Data Protection Board of India (DPBI) is active, the DPDP Rules are in force, and the penalty framework is live. According to Chambers and Partners, 2026 marks the beginning of active enforcement, with the DPBI empowered to investigate complaints, conduct inquiries, and impose penalties of up to ₹250 crore. For India's BFSI sector — banking, financial services, and insurance — this is not a theoretical risk. It is ground zero. The sector processes the most sensitive categories of personal data at the highest volumes, faces the most complex regulatory landscape, and has the most documented history of breaches. This article examines why BFSI is the DPDPA compliance ground zero and what institutions must do to prepare.
248 Breaches: What the Numbers Tell Us
The 248 confirmed breaches in 2025 represent only the visible surface of India's BFSI data security crisis. CERT-In's incident reporting framework captures reported incidents, but industry estimates suggest that for every reported breach, three to five go unreported or undetected. Applying a conservative multiplier, the actual number of BFSI data security incidents in 2025 likely exceeded 700. The breaches span every category of financial institution — public sector banks, private banks, NBFCs, payment processors, insurance companies, stockbrokers, and fintechs. The most common attack vectors were compromised credentials (34% of incidents), API vulnerabilities (22%), phishing attacks targeting employees (18%), and third-party vendor compromises (14%). According to EY India's cybersecurity analysis, the average cost of a data breach in India's financial sector reached ₹19.5 crore in 2025, up 23% from the previous year — and that figure does not include DPDPA penalties, which could dwarf the breach cost itself.
- Public sector banks — 67 confirmed breaches, with an average of 1.2 million records exposed per incident
- Private sector banks — 48 confirmed breaches, often involving API and mobile banking vulnerabilities
- NBFCs and fintechs — 89 confirmed breaches, the highest count, reflecting rapid digitisation without proportionate security investment
- Insurance companies — 24 confirmed breaches, frequently involving health and life insurance policyholder data
- Payment processors and UPI platforms — 20 confirmed breaches, exposing transaction data and linked bank account details
The Overlapping Regulatory Landscape: DPDPA Meets RBI, SEBI, and IRDAI
What makes BFSI compliance uniquely challenging is the overlay of multiple regulatory frameworks. The DPDPA does not replace existing sectoral regulations — it adds to them. Banks must simultaneously comply with the DPDPA's consent, notice, and data processing requirements; the RBI's data localisation directive; SEBI's cybersecurity and cyber resilience framework for market intermediaries; IRDAI's information and cybersecurity guidelines; and CERT-In's incident reporting requirements. Each regulator has its own timelines, reporting formats, and compliance standards. A single data breach at a bank could trigger reporting obligations to the DPBI under the DPDPA, to CERT-In under the IT Act, to the RBI under its circular on cyber security framework, and potentially to SEBI if the bank has market intermediary subsidiaries. As PwC's regulatory analysis observes, the lack of a unified reporting mechanism means institutions face significant operational overhead in managing parallel compliance streams.
- DPDPA — Consent management, Data Principal rights, breach notification to DPBI, penalties up to ₹250 crore
- RBI — Data localisation for payment data, cybersecurity framework compliance, incident reporting within 6 hours
- SEBI — Cyber Security and Cyber Resilience Framework (CSCRF), periodic vulnerability assessment and penetration testing
- IRDAI — Information and Cybersecurity Guidelines, data handling and privacy requirements for policyholder data
- CERT-In — Mandatory 6-hour incident reporting, log retention for 180 days, designation of a point of contact
DPDPA Consent vs RBI Data Localisation: The Harmonisation Challenge
One of the most complex compliance challenges for banks is harmonising the DPDPA's consent framework with the RBI's data handling requirements. Under the DPDPA, processing personal data requires either free, specific, informed consent or a legitimate use exemption. Under the RBI's framework, certain data processing activities are mandated by regulation — customer due diligence, transaction monitoring, fraud detection, and regulatory reporting. The question of whether regulatory mandates constitute 'legitimate uses' under the DPDPA is not yet definitively settled. The DPDPA provides an exemption for processing required by law, but the scope of this exemption in the context of RBI-mandated processing requires careful legal analysis. For example, a bank must conduct KYC verification (mandated by RBI), which involves processing Aadhaar numbers, PAN details, and biometric data. Under the DPDPA, this data is personal data requiring either consent or a legitimate use basis. The bank must determine whether the RBI mandate constitutes sufficient legal basis, or whether it must also obtain DPDPA-compliant consent. According to Lexology's analysis, the prudent approach is to implement DPDPA-compliant consent mechanisms even for RBI-mandated processing, using the regulatory mandate as a supplementary legal basis rather than a replacement for consent. This ensures compliance under both frameworks, even if the regulatory mandate alone might suffice under a narrow reading of the DPDPA's legitimate use provisions.
BCBS 239 and DPDPA: Data Governance as Common Ground
For larger banks, the Basel Committee's BCBS 239 principles on risk data aggregation and reporting provide an unexpected bridge to DPDPA compliance. BCBS 239 requires banks to have comprehensive data governance frameworks, accurate and complete risk data, and the ability to aggregate risk data rapidly. These capabilities — data inventories, data lineage tracking, data quality controls, and governance structures — map directly to DPDPA requirements for data mapping, purpose limitation, accuracy obligations, and retention management. Banks that have invested in BCBS 239 compliance have a significant head start on DPDPA compliance. The data governance infrastructure built for BCBS 239 can be extended to cover personal data classification, consent tracking, and rights management. Conversely, banks that have neglected BCBS 239 face a double remediation burden — they must build the foundational data governance capabilities that both frameworks require. As IAPP notes, organisations with mature data governance frameworks achieve DPDPA compliance 60% faster than those starting from scratch.
Fintechs: Moving Fast and Breaking Compliance
India's fintech sector — the third largest in the world — is perhaps the most exposed segment within BFSI. Fintechs have built their businesses on data-driven innovation: AI-powered credit scoring, personalised financial products, behavioural analytics, and automated decisioning. Much of this innovation relies on processing large volumes of personal and financial data, often using AI models hosted on foreign cloud infrastructure. The 89 confirmed breaches in the NBFC and fintech segment in 2025 reflect a systemic underinvestment in security and compliance relative to growth velocity. Many fintechs were founded with a 'move fast and fix later' mentality that works for product development but creates catastrophic risk under a regulatory framework with ₹250 crore penalties. The compliance challenges for startups are compounded in fintech by the sensitivity of financial data and the additional regulatory overlay from RBI, SEBI, and the Financial Stability and Development Council. A fintech processing loan applications, for instance, handles Aadhaar numbers, PAN details, bank statements, credit bureau data, and employment records — a concentration of sensitive personal data that demands the highest level of protection under the DPDPA.
- Consent debt — Years of pre-DPDPA data collection without compliant consent, requiring retrospective notice and re-consent exercises
- Vendor sprawl — Dozens of third-party integrations (credit bureaus, payment gateways, analytics platforms) each creating data processing relationships that must be governed
- Cross-border AI — AI models for credit scoring and fraud detection often trained and deployed on foreign infrastructure
- Data retention excess — Retaining customer data indefinitely for model training purposes, violating DPDPA's purpose limitation and retention principles
The DPDPA Penalty Exposure for BFSI: A Quantified Analysis
The financial exposure for BFSI institutions under the DPDPA is staggering when quantified. Consider a mid-sized bank with 20 million customers that suffers a data breach affecting 5 million records. Under the DPDPA penalty schedule, the bank faces up to ₹250 crore for failure to implement reasonable security safeguards, plus up to ₹150 crore for failure to notify the DPBI and affected Data Principals — a combined maximum exposure of ₹400 crore from a single incident. For context, this exceeds the annual net profit of several listed Indian banks. Now multiply this by the frequency of incidents: with the BFSI sector averaging nearly five breaches per week in 2025, the aggregate penalty exposure across the sector runs into thousands of crores. Even if the DPBI imposes penalties at a fraction of the maximum, the financial impact would be material for most institutions. According to Kiteworks' compliance analysis, the DPDPA's penalty structure is designed to make non-compliance economically irrational — the cost of compliance should always be lower than the cost of penalties. For BFSI institutions that have deferred investment in data protection, this calculus has shifted decisively.
Building a BFSI-Specific DPDPA Compliance Framework
A compliance framework for BFSI must account for the sector's unique characteristics: high data volumes, regulatory overlay, legacy systems, and interconnected third-party ecosystems. Cookie-cutter compliance programmes designed for general industry will not suffice. BFSI institutions need a sector-specific governance framework that maps DPDPA obligations to existing RBI, SEBI, and IRDAI compliance structures, identifies gaps, and implements targeted remediation. The framework should leverage existing compliance infrastructure wherever possible — for example, extending AML/KYC data governance to cover DPDPA requirements, or expanding CERT-In incident reporting workflows to include DPBI notifications.
- Unified data inventory — Create a single data inventory that maps personal data across all systems, satisfying both DPDPA and RBI requirements
- Harmonised consent architecture — Build a consent management platform that captures granular consent for DPDPA purposes while maintaining RBI-compliant data handling
- Integrated breach response — Develop a single incident response plan with parallel notification tracks for DPBI, CERT-In, RBI, and SEBI/IRDAI as applicable
- Vendor risk management — Implement rigorous third-party data processing assessments covering all fintech partners, cloud providers, and analytics vendors
- Automated compliance monitoring — Deploy continuous compliance monitoring that tracks adherence to all applicable frameworks simultaneously
- Board-level reporting — Establish quarterly data protection reporting to the board, demonstrating governance maturity to regulators
How Kraver.ai Serves India's Most Regulated Industry
Kraver.ai was purpose-built for India's most complex compliance environments, and the BFSI sector is at the core of our platform's design. Our AI-native compliance platform provides pre-configured templates for banking, insurance, and fintech that map DPDPA obligations alongside RBI data localisation, BCBS 239, SEBI CSCRF, and IRDAI guidelines into a unified compliance dashboard. The platform's automated data discovery engine scans across core banking systems, CRM platforms, data warehouses, cloud storage, and third-party integrations to build a comprehensive personal data inventory — the foundation of both DPDPA and RBI compliance. Our breach notification module automates multi-regulator incident reporting, generating parallel notifications for the DPBI, CERT-In, and RBI from a single incident record. And our penalty risk assessment engine quantifies your institution's specific exposure under the DPDPA penalty schedule, enabling data-driven investment decisions in compliance infrastructure.
Conclusion
The 248 confirmed breaches in 2025 are not an anomaly — they are a structural feature of an industry that has digitised faster than it has secured its data. With the DPBI now operational and the compliance timeline in force, every one of those breaches would today trigger enforcement proceedings with penalties running into hundreds of crores. The BFSI sector does not have the luxury of treating DPDPA compliance as a future project. The breaches are happening now. The enforcement machinery is active now. The penalties are real now. Institutions that have already invested in comprehensive data privacy and compliance frameworks will weather the enforcement wave. Those that have not will face a reckoning that combines regulatory penalties, reputational damage, customer trust erosion, and operational disruption. The cost of compliance is a fraction of the cost of non-compliance. The time to act is not next quarter — it is today. Kraver.ai stands ready to help India's BFSI sector navigate this critical transition with the speed, accuracy, and sector-specific expertise that the moment demands.