Open Finance’s Blind Spot: Why India Must Address Data Privacy in SME Lending Before It’s Too Late

When India launched the Account Aggregator (AA) framework as the third pillar of its digital public infrastructure, following the success of Aadhaar and UPI, it was hailed, rightly, as a financial game-changer. For the country’s 70 million small and medium enterprises (SMEs), the promise was clear: ditch paperwork, skip branch queues and access credit faster through secure, consent-based sharing of financial data.
Two years into deployment, the platform’s architecture is solid. Its ambitions are noble. But beneath the elegant simplicity of one-click consent lies a blind spot the system is yet to confront with sufficient urgency: data privacy.
While Open Finance was designed to democratize credit access, its rapid expansion has begun to outpace the regulatory and ethical frameworks needed to ensure small borrowers fully understand what they’re consenting to, and what risks they are exposed to in the process.
The Quiet Data Revolution in Lending
To understand the scale of transformation, consider this: the AA framework now enables an SME to share bank statements, GST returns, TReDS invoices and more, all through a secure, tokenized flow that requires no paperwork or physical presence. As of early 2025, over 5 crore accounts have been linked through AA platforms, with more than 30 regulated Financial Information Providers (FIPs) onboarded, according to Sahamati, the industry alliance managing the AA ecosystem.
Fintechs have eagerly built on this foundation. Lending platforms now ingest real-time data to train machine learning models that generate instant credit scores, approve loans in under 48 hours and disburse funds with minimal human intervention. For many MSMEs, especially those previously excluded from formal finance, this is a long-overdue upgrade.
Consent Is Not Understanding
Yet, the nature of consent in this system deserves scrutiny. A joint study by Dvara Research and CGAP in late 2023 revealed a troubling insight: over 70% of MSMEs who shared data through Account Aggregators believed it was for one-time access only. In reality, some fintech lenders request recurring or broad-scope access without fully explaining downstream usage.
What’s more concerning is that consent interfaces, often in English and rarely contextualized, fail to communicate critical nuances such as duration of access, third-party involvement or data retention policies.
This isn’t just poor UX; it borders on regulatory failure. In a digital system where data is currency, SMEs are being asked to trade value without fully knowing the price.
When Data Follows, So Does Risk
Once shared, data enters a complex value chain. A lender may pass the data to a scoring engine, which may feed it into an AI model trained on behavioural indicators. That score may influence not just loan eligibility, but interest rates, repayment terms and insurance offers.
Without clear audit trails or opt-out mechanisms, SMEs risk being profiled by systems they can’t interrogate and judged by parameters they don’t understand.
In 2024, the Data Security Council of India flagged rising concerns over “consent fatigue” and “data spillover” in unsecured fintech networks. Its report cited 27 incidents of data overreach by non-banking lenders, including cases where transaction data was used for cross-selling without explicit consent.
India’s Digital Personal Data Protection Act (DPDPA), passed in 2023, provides a legal framework for redress. But its enforcement is fragmented when it comes to small fintechs or third-party credit engines operating outside the traditional regulatory perimeter.
The Policy Disconnect
This is where India must tread carefully. Open Finance is not a pilot anymore; it is becoming infrastructure. Yet the supporting ecosystem of grievance redressal, consent literacy and data stewardship hasn’t kept pace with the scale of deployment.
Despite RBI’s proactive stance in tightening guidelines for digital lending apps and laying out consent norms under the AA framework, there’s still no uniform mandate on how consent must be explained to MSMEs, in what languages, or with what visual standards.
Meanwhile, the demand for consent-based data is only growing. As banks push further into unsecured MSME credit, driven by government guarantees and fintech partnerships, the pressure to ingest more granular, real-time data is rising. If privacy fails here, it fails at scale.
What Must Change Before It’s Irreversible
India has built a digital finance highway. But it now needs speed limits, safety rails and signposts, especially for its most vulnerable users.
Firstly, consent must be reimagined not as a checkbox but as a conversation. Interfaces should be localised, visual and layered, showing not just what data is being shared, but why, for how long and with whom. A dashboard that gives SMEs real-time visibility and revocation powers is no longer optional; it is foundational.
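To make the "what, why, for how long and with whom" framing concrete, the following is an added, constructed example (not code from the AA framework, Sahamati, ReBIT or any lender) of a consent gatekeeper that a data recipient or aggregator could run in front of every data pull. It models a consent record with scope, purpose, recipient, expiry, one-time versus recurring fetch type and a borrower-triggered revocation, denies any request that falls outside those bounds (the recurring-access-without-understanding problem described earlier), and writes every decision to an audit log the borrower could inspect. All field names are assumptions chosen for illustration, not the real AA consent-artifact schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

UTC = timezone.utc

class FetchType(Enum):
    ONETIME = "ONETIME"    # a single pull, after which the consent is spent
    PERIODIC = "PERIODIC"  # recurring pulls until expiry, limit or revocation

@dataclass
class Consent:
    """Simplified consent record (field names are illustrative, not the AA schema)."""
    consent_id: str
    fiu: str                         # with whom: the lender receiving the data
    fi_types: FrozenSet[str]         # what: e.g. {"DEPOSIT", "GST"}
    purpose: str                     # why
    fetch_type: FetchType
    expires_at: datetime             # for how long access is granted
    data_from: datetime              # which period of records is covered
    data_to: datetime
    max_fetches: Optional[int] = None
    fetches_done: int = 0
    revoked_at: Optional[datetime] = None

@dataclass
class DataRequest:
    consent_id: str
    fiu: str
    fi_type: str
    purpose: str
    range_from: datetime
    range_to: datetime

class ConsentManager:
    """Decides whether a data pull is covered by live consent and logs the verdict."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}
        self.audit_log: List[dict] = []   # borrower-visible trail of every decision

    def register(self, consent: Consent) -> None:
        self._consents[consent.consent_id] = consent

    def revoke(self, consent_id: str, when: datetime) -> None:
        self._consents[consent_id].revoked_at = when

    def authorize(self, req: DataRequest, now: datetime) -> str:
        verdict = self._evaluate(req, now)
        self.audit_log.append({"at": now.isoformat(), "consent": req.consent_id,
                               "fiu": req.fiu, "fi_type": req.fi_type, "verdict": verdict})
        return verdict

    def _evaluate(self, req: DataRequest, now: datetime) -> str:
        c = self._consents.get(req.consent_id)
        if c is None:
            return "DENY: unknown consent"
        if c.revoked_at is not None and now >= c.revoked_at:
            return "DENY: consent revoked by borrower"
        if now > c.expires_at:
            return "DENY: consent expired"
        if req.fiu != c.fiu:
            return "DENY: requester is not the consented recipient"
        if req.fi_type not in c.fi_types:
            return "DENY: data type outside consented scope"
        if req.purpose != c.purpose:
            return "DENY: purpose differs from consented purpose"
        if req.range_from < c.data_from or req.range_to > c.data_to:
            return "DENY: requested period exceeds consented range"
        if c.fetch_type is FetchType.ONETIME and c.fetches_done >= 1:
            return "DENY: one-time consent already used"
        if c.max_fetches is not None and c.fetches_done >= c.max_fetches:
            return "DENY: fetch limit reached"
        c.fetches_done += 1            # only counted when the pull is actually allowed
        return "ALLOW"

def describe(c: Consent) -> Dict[str, str]:
    """Plain-language layer a consent dashboard could show the borrower."""
    how_long = ("a single pull" if c.fetch_type is FetchType.ONETIME
                else f"repeated pulls until {c.expires_at:%d %b %Y}")
    if c.max_fetches:
        how_long += f" (at most {c.max_fetches} times)"
    return {"what": ", ".join(sorted(c.fi_types)) + f" records from {c.data_from:%b %Y} to {c.data_to:%b %Y}",
            "why": c.purpose, "with_whom": c.fiu, "for_how_long": how_long}

def demo():
    """Constructed scenario: a one-time underwriting consent and a capped monitoring consent."""
    t0 = datetime(2025, 1, 15, tzinfo=UTC)
    d_from, d_to = datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)
    mgr = ConsentManager()
    one = Consent("c-001", "lender-a", frozenset({"DEPOSIT"}), "loan underwriting",
                  FetchType.ONETIME, t0 + timedelta(days=30), d_from, d_to)
    mgr.register(one)
    mgr.register(Consent("c-002", "lender-a", frozenset({"DEPOSIT", "GST"}), "loan monitoring",
                         FetchType.PERIODIC, t0 + timedelta(days=365), d_from, d_to, max_fetches=2))
    def req(cid, fi="DEPOSIT", purpose="loan underwriting"):
        return DataRequest(cid, "lender-a", fi, purpose, d_from, d_to)
    verdicts = [mgr.authorize(req("c-001"), t0),
                mgr.authorize(req("c-001"), t0 + timedelta(days=1)),            # second pull on one-time consent
                mgr.authorize(req("c-001", fi="GST"), t0),                      # GST never consented
                mgr.authorize(req("c-002", purpose="loan monitoring"), t0),
                mgr.authorize(req("c-002", purpose="cross-sell insurance"), t0), # repurposing attempt
                mgr.authorize(req("c-002", purpose="loan monitoring"), t0 + timedelta(days=30)),
                mgr.authorize(req("c-002", purpose="loan monitoring"), t0 + timedelta(days=60))]
    mgr.revoke("c-002", t0 + timedelta(days=61))                                # borrower opts out
    verdicts.append(mgr.authorize(req("c-002", purpose="loan monitoring"), t0 + timedelta(days=62)))
    return verdicts, describe(one), len(mgr.audit_log)

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The ordering of the checks matters: revocation and expiry are tested before scope and purpose, so a revoked consent is refused regardless of how well-formed the request is, and the fetch counter is incremented only on an allowed pull, so a denied request cannot spend a one-time consent. The audit log records denials as well as approvals, which is what a borrower-facing dashboard needs if SMEs are to see who asked for their data and why they were refused.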
Secondly, regulators must bring AI and credit-scoring intermediaries into the oversight net. Whether the algorithm is built by a fintech startup or a legacy NBFC, it must answer to a single question: can a borrower appeal or explain the decision made?
And finally, fintechs must be held to higher standards of data dignity. That means resisting the temptation to over-collect, monetise or repurpose SME data. Trust, not just throughput, will determine the longevity of India’s Open Finance promise.
The Stakes Are Real
For a sector that contributes nearly 30% of India’s GDP and employs over 110 million people, MSMEs deserve more than digital convenience; they deserve digital fairness.
Open Finance has already shown its potential to change lives. But without thoughtful regulation and empathetic design, its future could drift from inclusion to exploitation. India’s fintech ecosystem has earned global admiration for its scale and innovation. Now, it must lead with responsibility and remember that every data point it collects belongs to a person, a livelihood and a leap of trust.