Partnering with Banks or NBFCs? Ask These Questions First
Difficult conversations today save major crises tomorrow
This is something I tell every founder:
Never avoid difficult conversations early in a partnership.
Because unresolved tension creates cracks in your foundation.
And those cracks widen under the weight of growth — until everything collapses.
That’s why you must discuss equity, roles, decision-making power, and exit strategies upfront.
The same principle applies beyond co-founder relationships.
Fintechs partnering with Indian banks or NBFCs face a similar risk. When expectations aren’t clearly aligned at the beginning, problems don’t disappear - they compound.
And with the RBI increasingly cracking down on vague or loosely structured partnerships, clarity is no longer optional.
If you're a fintech working with an Indian bank or NBFC, here are five questions you must ask upfront - before lawyers even touch the contracts.
5 Points You Need Clarity On
1. Who actually bears regulatory risk?
One of the most common assumptions fintech founders make is this: “The NBFC handles compliance. We’re just the tech layer.”
That assumption is dangerous.
In practice, when the RBI audits digital lending flows, customer onboarding journeys, or data practices, it does not accept finger-pointing. If something is non-compliant, both entities will face scrutiny. The regulated entity may be directly licensed, but the fintech is very much within the supervisory lens.
So you need to ask, explicitly:
If the RBI audits customer data storage, underwriting models, or lending practices — who responds? Who coordinates the reply? Who bears financial penalties if they arise?
A clear division of responsibility is essential. Typically, the NBFC must retain full ownership of lending compliance and regulatory reporting.
The fintech, in turn, must take unequivocal responsibility for technology delivery, data security, uptime, and system integrity. Anything in between is a grey zone — and grey zones attract notices.
2. Who owns the data — and how granular is customer consent?
Many partnerships begin with a casual line: “We’ll share data.”
That sentence alone can create months of regulatory exposure.
Under the RBI’s Digital Lending Guidelines and India’s data protection regime, consent cannot be broad, implied, or bundled. It must be specific, purpose-driven, and traceable. Customer data flows must be mapped precisely — what is collected, where it travels, who processes it, and where it is stored.
You need to ask:
What exact data flows from the app to the NBFC? Who captures granular consent from the customer? Is consent separate for KYC, underwriting, analytics, collections, and marketing? Where is financial data stored — and is it fully resident in India?
The partnership must clearly define consent per use case. KYC consent cannot automatically mean underwriting analytics consent. Collections access cannot automatically mean marketing usage. And financial data localization must comply with RBI expectations. If this architecture isn’t clean on Day 1, it becomes extremely expensive to fix later.
3. Who owns grievance redressal?
Here is where regulators move fast.
When customers have complaints and the response is, “Please contact our partner,” regulators see fragmentation. If complaints bounce between the fintech and the NBFC, the RBI interprets that as weak oversight and poor customer protection.
So ask upfront:
Who owns the customer-facing grievance portal? Whose name appears in the complaint acknowledgment? What are the joint service-level agreements?
A compliant structure usually includes a shared grievance mechanism with clearly defined timelines — acknowledgment within 7 days, resolution within 30 days, and a documented escalation matrix. Both entities must know who investigates what, who signs off responses, and how complaints are tracked. Silence, delays, or blame-shifting are exactly the patterns regulators look for.
4. What happens if the partnership ends?
Most teams negotiate entry terms aggressively. Very few negotiate exits with equal seriousness.
That is a mistake.
If termination triggers are unclear, you risk two extremes: either you are stuck in a non-performing relationship, or you face a chaotic breakup where customer data, loan records, and servicing rights become contested.
You should be asking:
What constitutes automatic termination? Repeated SLA breaches? Regulatory violations? Capital adequacy failures? Who can trigger exit — and how fast?
Equally important: how is customer data handed over? On 30 days’ notice, is there a guaranteed full export of loan books, transaction logs, KYC documents, and consent artifacts? In what format? Under whose supervision?
Clean exit clauses are not pessimistic — they are professional. They protect customers, ensure continuity, and reduce regulatory suspicion during transitions.
5. What audit rights exist — and how often?
From the NBFC’s perspective, the regulator will ask a simple question: “How are you overseeing your fintech partner?”
If the answer is vague — “We trust them” — that is not oversight.
Both sides must define audit rights clearly. What systems can be reviewed? How frequently? Are there quarterly audits of data handling practices, KYC processes, underwriting logic, and transaction logs? Is there access to raw data trails, or only summary dashboards?
Mutual quarterly audits, documented findings, and remediation timelines create defensibility. Without this, the regulated entity cannot demonstrate effective control, and that is a red flag in any supervisory review.
The Bigger Point
These are not legal technicalities. They are foundational alignment questions.
Vague answers today become RBI notices tomorrow.
Ambiguous ownership today becomes operational chaos at scale.
Unclear accountability today becomes reputational damage later.
Strong partnerships are not built on optimism. They are built on clarity.
The founders who succeed long-term are not the ones who avoid difficult conversations to “keep things smooth.” They are the ones who have the uncomfortable discussions early — about risk, control, data, complaints, exits, and oversight.
Because difficult conversations now prevent foundation cracks later.
And in regulated industries, foundations matter more than speed.