Click here to download the full paper (PDF)
Authored By: Priyanka Arumainayagam, 4th Year, B.A.LL.B, Erode College of Law, Erode, Tamil Nadu, India,
Click here for Copyright Policy.
ABSTRACT:
In this Gen Z, the evolving expansion in Financial Technology (Fin Tech) are in numerous ways. For instances digital payments, e-wallets, online lending platforms, apps and blockchain (digital ledger technology). As the technology continues to bring unrivalled change across banking, investing, payments and insurance, the FinTech industry has emerged as a universal fast track and with the capacity to bring transformative development. But these fast developments put the privacy and rights of the consumers in doubt. As FinTech are mainly focused for phishing, ransomware, identity theft, data breaches, unauthorized digital transactions. Beside all these, the Indian legal framework and rigid structure. Those are Digital Personal Data Protection Act 2023, Information Technology Act 2000, IT Rules 2011: Reasonable Security Practices & Sensitive Personal Data Rules, Computer Emergency Response Team Guidelines, RBI Cybersecurity Framework for Banks & NBFCs, RBI Digital Lending Guidelines 2022, Consumer Protection Act 2019, RBI Integrated Ombudsman Scheme 2021, Payment and Settlement Systems Act 2007. This paper is about the triangular connectivity between Data privacy, Cyber security and Consumer Protection with FinTech. To make a wider view this paper also includes the mentioned laws, also the remedy to reduce these cyber risks can be obtained only by the features like encryption, two-step verification, fraud detection and global co-operation. By this the consumer’s data privacy and security can be protected and can gain the consumer’s trust.
Keywords: FinTech, E-commerce, Data privacy and security, Consumer protection, Cyber security, E-governance.
I. INTRODUCTION:
As India witnessing a rapid growth in FinTech marketing as per the data given by the Invest India. India is emerging as one of the fastest-growing FinTech marketplaces globally.[1] With over 2,000 FinTech businesses officially recognized by Department for Promotion of Industry and Internal Trade, the Indian FinTech sector is experiencing exponential growth. Projections indicate that the total addressable market for the Indian FinTech industry is set to reach 1.3 trillion by 2025. Furthermore, by 2030 it is expected that assets under management will amount to 1 trillion, while revenue is predicted to reach 200 billion.[2] The Indian FinTech landscape is undoubtedly poised for significant expansion in the coming years. Data privacy is essential as it guards the personal information of the consumers as they are collected and used as exchange of data. Moreover, data privacy plays a vital role in preventing identity theft and fraud. Cybercriminals often exploit vulnerabilities in data security to gain unauthorized access to personal information, which can lead to financial losses, reputational damage and emotional distress. By prioritizing data privacy, individuals and organisations can mitigate the risk of such malicious activities and protect themselves from the devastating consequences of identity theft. In summation, data privacy protects our personal information, prevents identity theft, fraud and maintains the trust and reputation of individuals and businesses alike. As FinTech continues to evolve, it is crucial that data experts prioritize data privacy and take proactive measures to protect the digital identities of those who have placed trust in their respective organisations.
II. CYBERSECURITY CHALLENGES IN FINTECH:
Early cybersecurity efforts focused on physical security and basic encryption, but as digitalisation accelerated, so did cyber threats. And the cyber criminals now exploit AI, deepfake and data breaches putting financial data at risk. The modern financial institutions combat evolving threats is through AI fraud detection, analysing transaction patterns in real time and flagging suspicious activities before they cause damage. Blockchain enhances security by ensuring tamper proof transactions, while biometric authentication, fingerprint and facial recognition add an extra layer of protection for online banking. From the recent publication of FinTech, the paper observes that, there are four major challenges. A report disclosed that the rate of identity fraud cases in the FinTech industry increased by 73% between 2021 and 2023. Cybercriminals can use the stolen data to make purchases, take out loans and open new accounts. Malware, phishing attacks and weak passwords are common causes of FinTech data breaches. Insider threats are a major concern in FinTech.[3] They originate from former or current business partners, employees or contractors and can cause severe damage. Since insiders usually have authorized access to sensitive data and systems, insider threats aren’t easy to detect and prevent.
III. CASE STUDY:
Landmark case laws which question the data privacy and security of consumers in FinTech, In the matters of PhonePe Private Limited vs. State of Karnataka and Anr, W.P. No. 3757 of 2023, this case is indirectly crucial for data privacy and consumer safety in FinTech, even though it primarily addressed stamp duty on digital transactions. The Court’s decision acknowledged that digital transactions and electronic records are a distinct legal category and that the State cannot control or impose responsibilities on them unless they are subject to unique updated laws.[4] FinTech firms manage sensitive financial and personal data, thus any government access, intervention or obligation such as requesting information about digital instruments must be supported by explicit laws that safeguard user privacy. The Court underlined that consumer digital data cannot be controlled, accessed or taxed without clear legal protection by refusing to regard digital transactions as physical papers in the absence of appropriate legislation. This idea emphasizes the necessity of robust data security, privacy protection and open regulatory frameworks in the FinTech industry to prevent the improper use or exposure of customer’s digital information. Also, in the matters of Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India and Ors, 2017 10 SCC 1, a retired judge contested the Aadhaar program’s constitutionality, claiming that it infringed resident’s right to privacy by gathering and keeping their personal information without enough protections. The primary question on the Supreme Court was whether the Indian Constitution guarantees the right to privacy as a Fundamental Right. This landmark decision was made by a nine – judge bench of the Supreme Court of India and the court ruled that, Right to Privacy is a fundamental right and it is the part right to life and personal liberty under Article 21 and the State must restrict persons from non-essential or unwanted data gathering and that privacy encloses physical, informational and decisional liberty.[5]
IV. TECHNOLOGICAL SAFEGUARDS:
IV.I ENCRYPTION AND AUTHENTICATION:
In FinTech, encryption and authentication are essential cybersecurity techniques. Similar to how UPI or banking apps convert your payment information into protected codes, encryption entails safeguarding financial information with a private code, preventing any unauthorized person from accessing or abusing it. Accessing methods like passwords, OTPs or biometrics like fingerprints and face recognition, authentication entails confirming the legitimacy of the person accessing the service. Customers are protected from fraud and cyber risks by encryption which protects the data and authentication, and which verify that only authorized person can access it.
IV.II FRAUD DETECTION AND AI TOOLS:
AI and fraud detection technologies are crucial for maintaining FinTech security. Identifying suspicious or illegal conduct, such as fraudulent or illegal transactions, identity fraud, or unusual account activity is known as fraud detection. AI systems help by rapidly analyzing more financial data and seeing trends that humans would overlook. For example, AI systems can recognize an unexpectedly large payment made by a user in a foreign nation as suspicious and stop the transaction. To stop fraud these system uses machine learning, predictive analytics and consumer behavior tracking. By reducing risks and defending consumer rights and trust, AI improves the security of digital banking.
V. FINTECH LAWS AND REGULATIONS 2025 – INDIA:
The Reserve Bank of India (RBI) has supported the development of the country’s FinTech sector by fostering innovation, advancing financial inclusion, maintaining regulatory oversight and protecting consumer interests within the rapidly growing digital financial landscape. The following are some of the RBI’s key initiatives aimed at promoting FinTech development in India:[6]
RBI FinTech department,
- Framework for Self-Regulatory Organisation in the FinTech sector (Self-Reg Framework).
- Digital payment systems for persons with disabilities.
- Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in the financial sector.
Over the years, the RBI has encouraged the use of electronic payments to meet its objective of a ‘cash-less’ society. FinTech companies promptly introduced solutions like mobile payment applications, digital wallets and quick response QR code payments using Unified Payments Interface UPI to facilitate contactless payments transactions.
Indian financial services regulators have introduced technologies driven initiatives in the FinTech regulatory space to support the industry, which include:
- The ‘PRAVAAH’ portal.
- RBI Retail Direct portal.
- FinTech Repository.
- The Finquery Initiative.
- MuleHunter AI.
With the implementation of regulations for the highly innovative FinTech products, India is poised for an interesting journey with both industry players and regulators likely to mature in their outlook and practices. The FinTech industry stares at a bright future with higher capital inflows and more-than-ever technological innovation, including from the domestic industry.
VI. BARRIERS TO EFFECTIVE ENFORCEMENT:
FinTech yielding is not a small task and an easy work. Thus, to overcome these regulatory obstacles the state and its technology require a great planning and discipline. And we can achieve consistent financial growth with unpredictable profits, lower chances of losses with better understanding in markets which can improve the decision making and analysing skills. With a solid plan we can achieve a great financial stability and confidence by reducing risks which lasts for long term.[7]
Staying Ahead of the Curve:
The constant regulations changes can be powerful on companies, particularly for smaller firms with limited resources like no enough money, tools and workers. The financial and technological industries are made to frequent updates and amendments to existing rules, so the company must ensure the regularly changes are perfect by checking often. Thus, if the FinTech regulation must change its rules before the legal and official enforcement of those rules.
Data Management and Integration:
Investment data is more complex as it is collected from many sources and spread in multiple systems, so it can be more difficult to manage all the data accurate and consistent. Thus, ensuring data accuracy in every stage, completeness and compliance during collection, processing and storage is much complicated. Sometimes small mistake can end up in major financial crashes and errors. FinTech and investment software providers must implement strong data governance frameworks to check whether it follows all the regulatory standards. and invest in advanced technologies that enable smooth data integration and validation. Through this we can attain an error-free data environment which support both business and the regulatory system.
Third-Party Risk Management:
Mostly FinTech depends on third-party vendors for data, infrastructure or other services. Developing and managing relationships with third-party and ensuring their compliance with relevant regulations is a major challenge to FinTech. Conducting thorough due diligence, establishing clear contractual agreements regarding their service and its levels and must monitor every action of the third-party to ensure safety and they are essential for mitigating risk.
Cybersecurity Vulnerabilities:
FinTech firms are the primary targets for cyberattacks as it handles the sensitive financial and personal data. Many cyberattacks happened due to their week passwords, not updated software and not handling the data properly. By fake messages of bank and mails made by the hackers can easily allow them into then software without notice and access all the personal details of the consumers. So, they must develop a strong security wall by implementing robust security measures, conducting regular vulnerability assessments and having an incident response plan in place are vital for protecting against breaches and minimizing potential damage.
Balancing Innovation and Compliance:
As constant innovation is key to success and growth of the company in the FinTech industry, it’s important to balance it with compliance considerations. New features and functionalities must be designed with legal requirements in mind from the outset. This requires close collaboration between product development teams and compliance experts to ensure that innovation doesn’t compromise security or regulatory adherence. The teamwork can give an effective growth both legal and safe, the company must deal with penalty and loss when they ignore compliance, and this can affect the company reputation.
VII. INDIAN LEGAL FRAMEWORK:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000
- Consumer Protection Act, 2019
VII.I DIGITAL PERSONAL DATA PROTECTION ACT, 2023:
This law safeguards our personal data when it is shared or used online. Under this we have the right to know how and why our data is being used and no business, app or government agency may obtain or use our data without our express consent. Additionally, it gives us the option to update our information, request that it be removed or revoke our consent at any time. Also, Data Protection Board established to ensure that these regulations are adhered to. This board has the authority to look into complaints and penalise companies that misuse people’s data.[8]
VII.II INFORMATION TECHNOLOGY ACT, 2000:
India created the Information Technology Act, 2000 to address issues pertaining to computers and the internet. Prior to this law, there were no explicit regulations governing internet work such as sending emails, making purchases online or using a mobile device to make bank payments. In essence, this Act serves as a digital security handbook. In addition to assisting us in using the internet safely, it gives penalty to those who abuse it by spreading illicit content, hacking accounts, stealing passwords and cheating on payments made online[9]. Therefore, this Act serves to safeguard our online activities and ensure that the internet is utilized responsibly and safely in India.
VII.III CONSUMER PROTECTION ACT, 2019:
To safeguard consumers who purchase goods or utilize services, India passed the Consumer Protection Act, 2019. It functions as a safety net for consumers, preventing retailers, businesses or internet vendors from defrauding us, selling subpar goods or charging exorbitant rates. If we receive a defective product, a fraudulent marketing, an incorrect bill or subpar service, this legislation enables us to file a complaint. Additionally, a new mechanism known as the Consumer Protection Authority was created which has the ability to verify deceptive advertisements and penalize businesses. The nicest thing is that we don’t have to spend a lot of money to make complaints online.[10] Thus, this rule ensures that consumers receive fair treatment and decent value for their money.
VIII. LIABILITY OF FINTECH COMPANIES DURING DATA BREACHES:
FinTech firms handle very sensitive data, including passwords, digital payment histories, bank account data, Aadhaar details and even biometric information. They must protect the sensitive data they gather from hackers, fraudsters and anybody else who could exploit it. The FinTech organisation cannot avoid accountability if a data breach occurs as a result of inadequate security measures, weak passwords or negligence on their part. Every FinTech business is regarded as a data fiduciary under Digital Personal Data Protection Act 2023, which means that it must safeguard personal information in the same way as a trustee safeguards a valuable asset.[11] The corporation may be subject to severe penalties and legal action if personal information is stolen or released due to improper actions. In order to preserve its image, the corporation is also required by law to promptly notify users of any breaches.[12] Additionally, every customer has the right to be shielded from deceptive and risky online financial activities under Consumer Protection Act of 2019.[13] Customers can register complaints and demand reimbursement from a FinTech service if they experience financial loss, identity theft or stress as a result of a company’s wrongdoing. When a data breach is [14]being investigated, the corporation must also assist law enforcement, cyber cells and regulatory agencies. To prevent such legal issues, FinTech companies must implement robust cybersecurity techniques including data encryption, multi-factor authentication and frequent security assessments.[15] Being accountable involves more than just abiding by the law, it also involves safeguarding customer confidence as even a single violation may harm a company’s reputation and discourage customers from using digital payments. Therefore, how carefully businesses secure customer data and bond to legal obligations without taking short cuts will determine the future of FinTech.
IX. CONCLUSION AND SUGGESTION:
The fast growth of FinTech has undoubtedly altered the financial landscape, bringing unparalleled convenience, speed and accessibility. However, this digital transition has resulted in significant issues in data privacy, cybersecurity and consumer protection. Financial information, due to its extremely sensitive nature, attracts the attention of unscrupulous persons and any breach may result in major financial losses, reputational damage and a loss of consumer trust. Thus, securing customer data is not just an obligation but also a critical commercial need for any FinTech companies. To ensure solid security, FinTech organizations must employ a multifaceted cybersecurity approach. This includes the full encryption of financial transactions, secure authentication methods like multi-factor authentication and biometric checks, routine security assessments and continuous system monitoring for irregularities. AI and machine learning technologies can improve fraud detection and risk management, enabling businesses to recognize questionable activities before they develop into breaches. Compliance with rules such as the Digital Personal Data Protection Act and international best practices is equally important. Organizations must ensure that data is collected, stored and handled in a fair and accessible manner, while effectively communicating privacy policies and consent processes to users. Regulatory compliance should not be considered as a one-time chore, but rather as a continuing commitment woven into the organization’s operations and ethos. To summarize, customer awareness is critical in improving the digital banking system. Informing people about secure digital habits, spotting phishing scams, maintaining passwords properly and understanding their data protection rights allows them to actively protect their own information. Finally, the way forward is a complete combination of technology, legislation and awareness.
Cite this article as:
Priyanka Arumainayagam, “Data Privacy, Cybersecurity And Consumer Protection In Fintech”, Vol.6 & Issue 5, Law Audience Journal (e-ISSN: 2581-6705), Pages 05 to 14 (7th July 2026), available at https://www.lawaudience.com/data-privacy-cybersecurity-and-consumer-protection-in-fintech/.
Footnotes:
[1] IBM, Definition of Term FinTech, https://www.ibm.com.
[2]Invest India, FDI in FinTech, (May 29, 2023), https://www.investindia.gov.in/team-india-blogs/fdi-FinTech
[3]Medium, Cybersecurity Challenges in the Financial Sector, (March 14, 2025), https://medium.com/digital-society/cybersecurity-challenges-in-the-financial-sector-3d2c214c4868
[4] PhonePe Private Limited v. State of Karnataka and Anr, W.P. No. 3757 of 2023
[5] Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors, 2017 10 SCC 1
[6]Indiankanoon, FinTech Laws and Regulations 2025, (September 1, 2025), https://indiankanoon.org/doc/168663220/?type=print.
[7]FinTech, 5 biggest FinTech compliance challenges, (September 3, 2024), https://www.empaxis.com/blog/FinTech-compliance-challenges
[8] Digital Personal Data Protection Act, No.22 of 2023, India Code (2023).
[9] Information Technology Act, No.21 of 2000, India Code (2000).
[10] Consumer Protection Act, No.35 of 2019, India Code (2019).
[11] Digital Personal Data Protection Act, No. 22 of 2023, §§ 2( i ), 8, India Code (2023).
[12] Digital Personal Data Protection Act, No. 22 of 2023, §§ 8, 9, India Code (2023).
[13] Consumer Protection Act, No. 35 of 2019.
[14] Information Technology Act, No. 21 of 2000.
[15] Reserve Bank of India, Master Direction on Digital Payment Security Controls, (2021).