In an interaction with Finance Outlook India, Rohith Reji, Co-founder & CEO of Neokred Technologies, shares why 2026 is emerging as the year of the fintech utility player, as financial institutions increasingly prioritize secure, compliant, and scalable digital infrastructure over standalone consumer-facing solutions. Drawing on his expertise in open banking, digital payments, identity verification, consent management, and financial infrastructure, Rohith Reji highlights how technologies such as Zero-Trust Architecture (ZTA), Privacy-by-Design frameworks, Privacy-Preserving Computation, and Zero Trust Network Access (ZTNA) are becoming critical for organizations navigating India’s evolving Digital Personal Data Protection (DPDP) Act. He emphasizes that fintechs must move beyond reactive compliance and embed privacy, security, and consent management into the core of their digital ecosystems.
Rohith Reji further notes that infrastructure platforms are enabling banks and financial institutions to strengthen customer onboarding, safeguard sensitive data, streamline payments, and maintain regulatory readiness while fostering trust and operational efficiency. As fintech infrastructure continues to evolve, he believes organizations that invest in automated governance, auditable systems, and privacy-centric architectures will be best positioned to scale sustainably in an increasingly data-driven financial landscape.
How does Zero-Trust Architecture satisfy the “Reasonable Security Safeguards” requirement under India’s DPDP Act?
The DPDP Act requires organizations to safeguard the personal data of their customers with utmost security from collection to deletion, throughout the entire customer lifecycle. Zero-trust architecture inherently follows that, as it undermines the old assumption that anything inside the network is automatically safe. ZTA ensures continuous verification, least-privilege access, strong identity controls, session monitoring, encryption, masking, and granular authorization before data is exposed.
These safety guardrails align perfectly with what DPDP demands and save businesses from the DPDP Act’s hefty penalties for failing to maintain reasonable safeguards. For enterprises, this is especially important as threats often stem not just from external hackers but also from internal mishaps like overprivileged access and weak controls around sensitive workflows. Therefore, zero trust is the cleanest way to architect systems so that breaches and misuse become materially harder.
What are the 7 core principles of Privacy-by-Design for Indian fintechs implementing DPDP-ready systems?
Privacy-by-design is about building systems where privacy is the default state of the product and where the user’s control over their data is visible, usable, and enforceable at every step. For fintechs, the seven core principles can be translated into very practical system behaviors.
- Proactive, not reactive: To establish privacy from the outset, businesses should weigh all plausible risks before features go live. You do not wait for a breach, a complaint, or a regulator to force privacy controls into the system.
- Privacy as the default: The user should not have to fight the system to protect their data. The system should collect the minimum necessary information, share it only where needed, and make the most privacy-protective option the one that happens by default. Fintechs should move from fragmented, manual consent handling to a structured control layer where privacy is built into the product experience by default.
- Privacy embedded into design: Privacy should sit inside the fintech’s digital architecture itself. Consent records should be linked to data flows, consent purposes should be put out across every touchpoint, and the withdrawal mechanism should automatically cascade across the user flow. If a user revokes permission, the system should respond instantly and consistently.
- Positive-sum, not zero-sum: Privacy should earn customer trust, not force trade-offs between design objectives and compliance. Our platform, Blutic, proves this is possible, delivering end-to-end privacy controls without compromising platform UX or technical capabilities.
- End-to-end security: Data protection shouldn’t end with its collection. It should autonomously remain protected through storage, processing, sharing, retention, and deletion. This builds customer confidence in the brand across the system.
- Visibility and transparency: Users should understand what data is being collected, why it is being collected, and how it will be used. Internal teams should also have visibility into data lineage, consent status, and access history. This is how fintechs can make data governance understandable and clear.
- Respect for user privacy: Data consent, withdrawal, correction, and preference management must be simple, intuitive, and accessible. Our product Blutic gives end users a central platform to understand and control their digital footprint. Making the process simple and seamless makes privacy an operational reality.
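The behaviour described under "privacy embedded into design" (consent records tied to data flows, a withdrawal that cascades across every flow sharing the purpose) is concrete enough to show in code. The Python below is an added illustration written for this page, not Neokred or Blutic code; the purposes, flow names, user id and customer record are constructed. It also exercises the "privacy as the default" and "visibility" principles: a purpose that was never consented to is denied exactly like a withdrawn one, each flow receives only the fields it is registered for, and the ledger keeps the ordered history an auditor or the user would ask for.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class ConsentState(Enum):
    GRANTED = "granted"
    WITHDRAWN = "withdrawn"


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str
    state: ConsentState
    changed_at: datetime


@dataclass(frozen=True)
class DataFlow:
    name: str
    purpose: str        # every flow is bound to exactly one consent purpose
    fields: frozenset   # the only fields this flow may ever receive


class ConsentLedger:
    """Append-only consent history per user plus the registry of data flows.

    A flow never caches 'allowed'; it asks the ledger when it runs, so a
    withdrawal takes effect on the next call for every flow sharing that purpose.
    """

    def __init__(self):
        self._history = {}   # user_id -> list[ConsentRecord]
        self._flows = {}     # flow name -> DataFlow

    def register_flow(self, flow):
        self._flows[flow.name] = flow

    def _append(self, user_id, purpose, state):
        rec = ConsentRecord(purpose, state, datetime.now(timezone.utc))
        self._history.setdefault(user_id, []).append(rec)

    def grant(self, user_id, purpose):
        self._append(user_id, purpose, ConsentState.GRANTED)

    def withdraw(self, user_id, purpose):
        self._append(user_id, purpose, ConsentState.WITHDRAWN)

    def current(self, user_id, purpose):
        """Latest recorded state for (user, purpose); None if never asked."""
        for rec in reversed(self._history.get(user_id, [])):
            if rec.purpose == purpose:
                return rec.state
        return None

    def permitted_flows(self, user_id):
        """Flows that may run right now. Default is deny: a purpose never
        consented to is treated exactly like a withdrawn one."""
        return sorted(f.name for f in self._flows.values()
                      if self.current(user_id, f.purpose) is ConsentState.GRANTED)

    def run_flow(self, user_id, flow_name, record):
        """Release only the fields the flow is registered for, and only while
        consent for its purpose is granted. Raises on denial so a caller
        cannot mistake 'no data' for 'empty data'."""
        flow = self._flows[flow_name]
        if self.current(user_id, flow.purpose) is not ConsentState.GRANTED:
            raise PermissionError(
                f"{flow_name}: no active consent for purpose '{flow.purpose}'")
        return {k: v for k, v in record.items() if k in flow.fields}

    def audit_trail(self, user_id):
        """Ordered (purpose, state) pairs: what a user or an auditor sees."""
        return [(r.purpose, r.state.value) for r in self._history.get(user_id, [])]


def build_demo_ledger():
    """Constructed scenario: two flows share one marketing purpose, a third
    serves onboarding, and user u-1001 has consented to both purposes."""
    ledger = ConsentLedger()
    ledger.register_flow(DataFlow("kyc_onboarding", "identity_verification",
                                  frozenset({"name", "pan", "dob"})))
    ledger.register_flow(DataFlow("crm_sync", "marketing_analytics",
                                  frozenset({"name", "email"})))
    ledger.register_flow(DataFlow("campaign_scoring", "marketing_analytics",
                                  frozenset({"email", "txn_count"})))
    ledger.grant("u-1001", "identity_verification")
    ledger.grant("u-1001", "marketing_analytics")
    return ledger


# Constructed customer record, holding more fields than any one flow needs.
SAMPLE_RECORD = {"name": "A. Sharma", "pan": "ABCDE1234F", "dob": "1990-01-01",
                 "email": "a@example.invalid", "txn_count": 42, "balance": 100000}

if __name__ == "__main__":
    ledger = build_demo_ledger()
    print(ledger.run_flow("u-1001", "crm_sync", SAMPLE_RECORD))  # name and email only
    ledger.withdraw("u-1001", "marketing_analytics")             # cascades to both flows
    print(ledger.permitted_flows("u-1001"))                      # only kyc_onboarding
```

The point of keying flows by purpose rather than by consent flag is the cascade: one `withdraw` call stops `crm_sync` and `campaign_scoring` together, while `kyc_onboarding` keeps running because its purpose is untouched. The `balance` field never reaches any flow because no flow registered it.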
How can Indian financial institutions transition from traditional VPNs to ZTNA to mitigate insider threats?
Unlike a VPN, ZTNA gives access to the specific services a user is granted, not the entire network. It continuously verifies who is asking, from which device, and under what conditions. Moreover, it is specifically built for modern infrastructures and scales to meet future demands.
The transition from VPNs to ZTNA should happen in phases. First, identify high-risk applications, especially those handling customer PII, payments, fraud signals, and operational admin tools. Next, layer identity controls, MFA, device posture checks, conditional access, and least-privilege policies on top of those apps before gradually shrinking VPN dependence. This way, internal risks start to diminish as users no longer get broad network visibility or lateral movement by default.
The architectural shift is important because insider risks often go unnoticed and spiral into larger damages. ZTNA limits blast radius. It makes access contextual, not blanket-based. And in a DPDP environment, that is exactly the kind of control posture regulators and auditors expect to see.
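To make the contrast in the answer above concrete, here is an added Python example, written for this page rather than taken from any vendor or project, that evaluates the same employee access request under both models: a VPN-style gateway that looks only at the credential and MFA, and a per-application ZTNA decision that layers the controls the phased plan names (identity, MFA, device posture, conditional access by location, and action-level least privilege). The applications, roles, policies and requests are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in the organisation's MDM
    disk_encrypted: bool
    patch_age_days: int     # days since the last OS patch


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool
    device: Device
    source_country: str
    app: str
    action: str             # "read" or "admin"


@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset      # least privilege: who may reach the app at all
    admin_roles: frozenset        # narrower set allowed to take admin actions
    require_mfa: bool
    require_managed_device: bool
    max_patch_age_days: int
    allowed_countries: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple                # every failed check, so a denial is auditable


def vpn_decide(req):
    """Legacy model: once the tunnel is up the user can reach every internal
    service. Only the credential and MFA are examined; device posture, target
    application and action are invisible to the gateway."""
    return req.mfa_verified


def ztna_decide(req, policies):
    """Per-application decision evaluated on every request: identity, MFA,
    device posture, location context and action-level least privilege.
    An application with no policy is unreachable (default deny)."""
    policy = policies.get(req.app)
    if policy is None:
        return Decision(False, (f"no policy for app '{req.app}'",))
    reasons = []
    if not (req.roles & policy.allowed_roles):
        reasons.append("role not permitted for this app")
    if req.action == "admin" and not (req.roles & policy.admin_roles):
        reasons.append("admin action requires an admin role")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed_device and not req.device.managed:
        reasons.append("device not managed")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if req.device.patch_age_days > policy.max_patch_age_days:
        reasons.append(f"device patch age {req.device.patch_age_days}d "
                       f"exceeds {policy.max_patch_age_days}d")
    if req.source_country not in policy.allowed_countries:
        reasons.append(f"source country {req.source_country} not allowed")
    return Decision(not reasons, tuple(reasons))


# Constructed policies. The payments console is the tightest: managed and
# recently patched devices from India only, admin actions for payments_admin only.
POLICIES = {
    "payments-console": AppPolicy(
        allowed_roles=frozenset({"payments_ops", "payments_admin"}),
        admin_roles=frozenset({"payments_admin"}),
        require_mfa=True, require_managed_device=True,
        max_patch_age_days=14, allowed_countries=frozenset({"IN"})),
    "support-portal": AppPolicy(
        allowed_roles=frozenset({"support", "payments_ops", "payments_admin"}),
        admin_roles=frozenset({"support_lead"}),
        require_mfa=True, require_managed_device=False,
        max_patch_age_days=60, allowed_countries=frozenset({"IN", "SG"})),
}

# Constructed requests from the same employee with a valid credential and MFA.
# The first comes from an unmanaged laptop and attempts an admin action.
INSIDER_ADMIN = AccessRequest(
    user="ops.user", roles=frozenset({"payments_ops"}), mfa_verified=True,
    device=Device(managed=False, disk_encrypted=True, patch_age_days=3),
    source_country="IN", app="payments-console", action="admin")
ROUTINE_READ = AccessRequest(
    user="ops.user", roles=frozenset({"payments_ops"}), mfa_verified=True,
    device=Device(managed=True, disk_encrypted=True, patch_age_days=3),
    source_country="IN", app="payments-console", action="read")

if __name__ == "__main__":
    print("VPN :", vpn_decide(INSIDER_ADMIN))             # True: whole network reachable
    print("ZTNA:", ztna_decide(INSIDER_ADMIN, POLICIES))  # denied, two reasons
    print("ZTNA:", ztna_decide(ROUTINE_READ, POLICIES))   # allowed
```

Two design choices carry the blast-radius argument. The decision collects every failed check instead of returning on the first one, so the denial log tells an investigator exactly which posture or privilege condition the insider did not meet. And an application that has no policy at all is unreachable, which is the inverse of the VPN default where anything not explicitly firewalled is reachable once the tunnel is up.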
What is the impact of Privacy-Preserving Computation like Secure MPC on data utility in a Zero-Trust financial ecosystem?
Privacy-Preserving Computation, such as MPC, allows multiple parties to compute on shared problems without exposing raw data. It enables use cases like fraud detection, risk scoring, and ecosystem analytics while keeping sensitive customer records local. Instead of moving data, computation is distributed across participants, reducing unnecessary exposure.
There is a trade-off. MPC introduces added complexity, latency, and engineering overhead, and in some cases requires adapting models to work within secure computation constraints. However, in a Zero-Trust financial ecosystem, this trade-off is often justified. In short, privacy-preserving computation allows institutions to collaborate without weakening their security or control boundaries.
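The computation described above, as an added worked example rather than anything from the interview: additive secret sharing over a prime field, in which three institutions learn the total (or a publicly weighted total) of their fraud-flag counts for a merchant without any of them revealing its own count. The institutions, counts and weights are constructed. It also shows one of the constraints the answer alludes to: a weighted sum costs nothing extra because the weights are public and each party applies them locally, whereas anything non-linear (a threshold comparison, a model's tree split) would need additional protocol machinery not shown here.

```python
import secrets

PRIME = (1 << 61) - 1  # Mersenne prime; all share arithmetic is done mod PRIME


def split(secret, n):
    """Additive secret sharing: n field elements, uniformly random except
    that they sum to `secret` mod PRIME. Any n-1 of them are statistically
    independent of `secret`, so only the full set reconstructs it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % PRIME)
    return shares


def to_signed(x):
    """Map a field element back to a signed integer (inputs may be negative)."""
    return x - PRIME if x > PRIME // 2 else x


class Party:
    """One institution. `_secret` is its private input (here a constructed
    fraud-flag count for one merchant) and never leaves the object in clear."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret % PRIME
        self.inbox = {}          # sender name -> the single share sent to us

    def send_shares(self, parties):
        """Round 1: one share of our input to every party, including ourselves."""
        for p, s in zip(parties, split(self._secret, len(parties))):
            p.inbox[self.name] = s

    def weighted_partial(self, weights):
        """Round 2 (local): combine the received shares with PUBLIC weights.
        Multiplying a share by a public constant needs no interaction, so any
        linear function of the inputs is as cheap as a plain sum."""
        return sum(weights[sender] * s for sender, s in self.inbox.items()) % PRIME


def secure_weighted_sum(parties, weights=None):
    """Every party shares its input, then publishes one partial; the sum of the
    partials is the answer and nothing else about the inputs is revealed.
    With all weights equal to 1 this is a plain secure sum."""
    if weights is None:
        weights = {p.name: 1 for p in parties}
    for p in parties:
        p.send_shares(parties)
    partials = [p.weighted_partial(weights) for p in parties]
    return to_signed(sum(partials) % PRIME)


def coalition_view(parties, colluders):
    """What a set of colluding parties holds after round 1: only the shares
    they received. Each honest input is still masked by the share its owner
    kept, so the coalition cannot recover it."""
    return {p.name: dict(p.inbox) for p in parties if p.name in colluders}


if __name__ == "__main__":
    banks = [Party("bank_a", 7), Party("bank_b", 0), Party("bank_c", 12)]
    print("merchant flagged across the ecosystem:", secure_weighted_sum(banks))
    # Weighted by each bank's (public) exposure tier, still one round of interaction.
    banks = [Party("bank_a", 7), Party("bank_b", 0), Party("bank_c", 12)]
    print("exposure-weighted score:", secure_weighted_sum(
        banks, {"bank_a": 2, "bank_b": 5, "bank_c": 1}))
```

Each bank ends up knowing the ecosystem total and can compare it to its own count locally; that comparison is the part that stays outside the protocol. Doing the comparison itself inside MPC, or evaluating a non-linear fraud model on the shared data, is where the latency and model-adaptation cost mentioned above comes from.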
What are the specific obligations for Significant Data Fiduciaries regarding annual audits and DPIAs?
Significant Data Fiduciaries have a much higher compliance bar because the law expects them to handle risk more systematically. They are expected to conduct a periodic Data Protection Impact Assessment and are also required to appoint an independent data auditor to evaluate whether the organization is actually meeting its obligations under the DPDP framework.
They are required to furnish relevant information to the Data Protection Board when required. In addition, SDFs are expected to appoint a Data Protection Officer, maintain stronger governance, and perform due diligence on technical systems that process personal data. This means the compliance posture has to be continuous.
The real strategic implication is that SDF status forces maturity. If your security and privacy controls are weak, annual audits will expose that quickly. If your architecture is strong, the audit becomes proof of trustworthiness. That is why firms with mature data governance, automated controls, and auditable infrastructure are better positioned than those still relying on manual compliance processes.