How Private Sector Banks Like Kotak Mahindra & HDFC Are Stealing Data From MCA and Harassing Young Startups. Even RBI & Government Have No Control Over Them Despite DPDP Act.
Government Is Making Tons Of Money By Selling This Data To Private Sector

An investigation into the industrial-scale leakage of corporate registration data from the Ministry of Corporate Affairs, the private banks waiting at the other end of the pipeline, and the regulatory silence that lets the racket run.
A founder fills out his incorporation paperwork on the MCA portal. He uploads scans of his PAN. He uploads his Aadhaar. He keys in his personal mobile number — the one his mother calls — because the form demands one and there is no option to fence it off. He hits submit. He waits for the Ministry of Corporate Affairs to come back with a certificate of incorporation.
What comes back first is not the certificate.
What comes back first is IDFC First Bank on the phone. Then HDFC Bank. Then Kotak Mahindra Bank. Then Federal Bank. All within twenty-four hours. None of these institutions has any prior relationship with the founder. All of them know his name, his email, his registered mobile, and — as one of them demonstrated by sending a representative to his doorstep the next morning — his PAN and Aadhaar as well, displayed openly on the employee’s mobile screen.
The certificate from MCA arrives a day or two later.
This is not an anecdote. It is the standard onboarding experience for an Indian entrepreneur in 2026. And it is built on what increasingly looks like a systematic theft of personal and corporate data from the Ministry of Corporate Affairs’ own pipeline — data the Ministry has admitted, in writing, it does not officially publish.
The pattern is too clean to be coincidence
The accounts now circulating on LinkedIn, X, and founder WhatsApp groups read like carbon copies of one another. A founder, often a first-time entrepreneur, incorporates a private limited company or an LLP through the MCA’s V3 portal. Within hours — frequently before the Ministry has issued its own confirmation email — the founder’s phone begins to ring.
The callers cluster around a tight roster of private sector banks. Kotak Mahindra Bank. HDFC Bank. ICICI Bank. IDFC First Bank. Federal Bank. Axis Bank. IndusInd Bank. South Indian Bank. Deutsche Bank. Each pitches a current account. Each addresses the founder by name. Each, when pressed about how they obtained the contact, deflects.
In one account documented by the financial publication Moneylife, an ICICI Bank marketer made the slip that has since become the defining quote of this scandal. Asked how he had obtained the founder’s number before the official MCA confirmation had even gone out, the marketer told him plainly: “We receive this information from the back-end.”
Behind the banks comes a second wave: compliance-services intermediaries with names like Filingbuzz, Falcon Ebiz, Bizz At Ease, H&G Ebiz, My Biz Development, Filingbuddy.in, all pitching identical bouquets of “startup mentorship,” “annual filings,” and access to “government schemes.” Behind them, rubber-stamp makers, letterhead designers, trademark agents, and website builders. One email even arrived branded as “MCA Support” — a phishing-grade impersonation — two days before the genuine Ministry communication.
But it is the banks that occupy the front of the queue. And it is the banks that now stand accused of being the principal end-users of a stolen data stream.
The smoking gun: MCA’s own RTI reply
For a long time, the official line — when the question was asked at all — was that company registration data is public information. This is true in part. What MCA actually publishes, however, was clarified in an RTI reply obtained earlier this year by the World Cyber Security Forum (WCSF). The Ministry’s answer, in summary:
- Corporate data is published via a Monthly Information Bulletin.
- Master data is made available through the MCA Master Data Service.
- Publicly available information cannot be restricted under the RTI Act.
When the WCSF actually inspected what those public channels contain, the answer was revealing. The Monthly Information Bulletin is essentially a statistical e-magazine — counts, totals, sectoral breakdowns, nothing personal. The Master Data Service does contain registration details and the names of directors. It also contains directors’ email addresses.
It does not contain directors’ phone numbers.
That single absence is the smoking gun. Every harassed founder is being called on the personal mobile number they entered into the MCA’s e-forms. If those numbers are not in any of the data channels the Ministry officially makes public, then no amount of “publicly available data” theory explains the call. The numbers are leaving the system through a route the Ministry has not disclosed and, on the available evidence, does not control.
That is not scraping. That is not aggregation. That is a leak.
Where the chain actually runs
The MCA V3 portal does not exist in isolation. It runs on infrastructure operated and maintained by external vendors. Filings pass through automation layers, validation engines, customer-support back-ends, and data-warehousing systems. At any of those nodes, a privileged user — an engineer, a database administrator, a customer-support agent, a vendor employee, a contractor on a short-term assignment — has access to raw registrant data, including phone numbers and uploaded KYC documents.
A “fresh leads” list of newly incorporated entities, complete with founder name, mobile number, email, registered address, and in some cases scanned PAN and Aadhaar, is a commercially priceless object. For a private bank chasing current-account openings — the most lucrative first relationship a bank can capture from a new business — it represents pre-qualified, time-sensitive, hot-prospect data. For a compliance services firm, it is a list of guaranteed buyers in the first ninety days of a company’s life. The market is large, the buyers are repeat, and the seller — somewhere in the chain — is almost certainly internal.
This is the architecture that the Moneylife column described as a “fat pipeline stealing all your personal and corporate data, directly from MCA.” Senior officials at the Ministry, when alerted, are reportedly investigating. As of the latest available reporting, no findings have been published, no vendor has been named, no contract has been suspended, and no prosecution has been initiated.
The doorstep visit: from spam to statutory offence
There is a tier of this scandal that has not yet received the regulatory attention it deserves, and it is the one that should trouble the Reserve Bank of India most.
In one widely shared account, the founder did not merely receive calls. A bank employee arrived at his home the next morning, uninvited, with the founder’s PAN, Aadhaar, name, email, and mobile number visibly displayed on his mobile phone. Those are not records the founder had ever shared with that bank. Those are the exact documents he had uploaded to the MCA portal.
This is qualitatively different from spam. This is the unauthorised circulation of identity documents whose handling is governed by statute.
Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the unauthorised sharing of Aadhaar information attracts penalties under Sections 29 and 38, with imprisonment that can extend to three years and fines. Under the Information Technology Act, 2000, Section 72A criminalises the disclosure of personal information in breach of a lawful contract, with imprisonment up to three years or fine up to five lakh rupees. Section 43A of the same Act imposes liability on any body corporate that handles sensitive personal data without reasonable security practices.
A bank employee walking around with another person’s Aadhaar copy on his phone, obtained without that person’s consent and without any banking relationship, is not a marketing irritant. It is, on the face of it, a chain of statutory offences. The bank that dispatched him is, at minimum, a recipient of stolen sensitive personal data — and under settled principles of receiver liability, that recipient cannot plead ignorance once the source asymmetry is obvious.
What the banks were legally required to do — and didn’t
The defence the banks are likely to mount, if pressed, is some version of “we obtained the data from a marketing agency / direct selling agent / lead generation partner.” That defence does not survive contact with the regulatory framework these banks operate under.
The Reserve Bank of India’s Master Direction on Know Your Customer, 2016 (as periodically amended) and its Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks, 2006 (and its successors), require regulated entities to conduct due diligence on every third-party vendor and lead-generation partner. Banks are required to ensure that data they ingest for customer acquisition was lawfully obtained. Banks are required to maintain audit trails of how each marketing lead was sourced. Banks are required to ensure that their direct selling agents do not violate privacy law in the course of working for them.
The Digital Personal Data Protection Act, 2023 — India’s first comprehensive privacy statute — adds a further layer. Under the Act, a private bank is a Data Fiduciary. It is required to process personal data only for a lawful purpose and only with valid consent (Sections 4 to 7). It owes duties of accuracy, security, and purpose limitation (Section 8). Banks designated as Significant Data Fiduciaries face additional obligations under Section 10, including data protection impact assessments and the appointment of a Data Protection Officer. Penalties under the Act can run up to ₹250 crore per category of failure.
A bank that calls a stranger within hours of his MCA filing, armed with his Aadhaar copy, has no lawful basis to process that data. It has not obtained consent. It has not verified the source. It has not conducted purpose-limited processing. Each of those is, on the face of the statute, an actionable failure.
The fact that none of these failures has yet resulted in a single significant enforcement action against a named private bank is the more telling story.
The regulators are not acting — and the architecture explains why
The RBI has, for years, run a complaints framework for consumer banking grievances through the Banking Ombudsman scheme. Privacy and unsolicited marketing complaints fall, in principle, within its scope. In practice, complaints about marketing calls from one’s own bank are routinely closed with the entry “issue resolved on assurance from the bank that the customer will be removed from the calling list.” Complaints about marketing calls from a bank with which the complainant has no relationship at all — which is the precise grievance here — do not even fit the existing complaint categories. There is no field in the Ombudsman form for “a bank I do not bank with obtained my Aadhaar from somewhere and sent a man to my house.”
The Telecom Regulatory Authority of India’s Telecom Commercial Communications Customer Preference Regulations, 2018 — the framework that produced the DND registry — does in principle bite. Banks that contract with telemarketers are supposed to ensure registration and consent flows. The TCCCPR’s enforcement mechanism, however, is operated by the telecom service providers themselves, and the penalty regime is a small fraction of the commercial upside of running spam at scale. It has not deterred this market.
The Data Protection Board contemplated under the DPDP Act, 2023 — the body that is supposed to receive, investigate and penalise data-fiduciary failures — was notified in parts during 2025, with the substantive operational rules issued in November 2025. As of this writing, its institutional capacity, staffing, and case-handling protocols are still in early formation. The first significant adjudications against named private banks under the Act have not yet been delivered. Until they are, the deterrent value of the headline ₹250-crore penalty remains theoretical.
The Ministry of Electronics and Information Technology, which administers both the IT Act and the DPDP Act, has not publicly intervened in the MCA-leak question even though the leak — if confirmed — is one of the largest and most reproducible privacy breaches the Indian state itself is implicated in.
The Ministry of Corporate Affairs has confirmed, through its officials, that an internal investigation is under way. No public findings have been issued.
The cumulative picture is of a regulatory architecture in which every relevant body has jurisdiction over some part of the offence, none has clear primary responsibility for the whole, and none has chosen to act.
The deeper structural problem the DPDP Act doesn’t solve
The Digital Personal Data Protection Act, 2023 is often described as India’s strongest privacy law to date. Measured against what came before, it is. Measured against the specific architecture of harm exposed by the MCA leak, it has two structural weaknesses that the current debate is not adequately confronting.
First, the Act gives the Central Government wide exemption powers over state instrumentalities processing personal data in the interests of sovereignty, public order, and similar grounds. A leak at MCA itself — as distinct from a leak at a private bank — sits in awkward territory. The Ministry can plausibly argue that any processing of registrant data falls within its statutory mandate, and that vendor failures are operational rather than fiduciary breaches under the Act. The Act provides no mechanism by which a citizen-data principal can extract accountability from a Ministry that has lost control of his Aadhaar.
Second, the Act’s enforcement is funnelled through a single Data Protection Board whose effective bandwidth, especially in its formative years, is finite. The MCA leak is not a single complaint. It is, on the evidence, a continuous structural breach affecting every new incorporation. No single Board, however well-resourced, will adjudicate the volume of individual complaints this generates. The architecture invites systemic enforcement — vendor audits, mandated tiered access, criminal referrals — and the Act does not directly compel it.
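The two controls this article keeps returning to (the privileged nodes in the vendor chain described under "Where the chain actually runs", and the "mandated tiered access" and "vendor audits" named above as the systemic remedy) can be made concrete. The following is an added illustration, not code from the Ministry, its vendors or any bank: a registrant store that redacts fields outside a role's policy, writes an audit event for every read, and flags any account whose reads exposed the unpublished contact or KYC fields of an unusually large number of registrants. The roles, the threshold and the sample records are assumptions constructed for the example; the field grouping follows the article's own distinction between what the Master Data Service publishes (name, email) and what it does not (mobile number, uploaded PAN and Aadhaar).

```python
"""Tiered, audited access to registrant contact data (added illustration).

Assumed, not from the article: a registrant record holds the fields the MCA
e-forms collect (name, email, mobile, PAN, Aadhaar document reference). The
roles, policy and threshold below are hypothetical and chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Fields grouped by sensitivity. PUBLIC mirrors what the Master Data Service
# exposes (name and email); CONTACT is the mobile number that is not published;
# KYC is the uploaded identity documents.
PUBLIC = {"name", "email"}
CONTACT = {"mobile"}
KYC = {"pan", "aadhaar_doc"}

# Hypothetical role-to-field policy (least privilege): a support agent needs
# the mobile number only to return a registrant's call and never the KYC
# documents; a vendor engineer running analytics gets only published fields.
ROLE_FIELDS = {
    "vendor_engineer": PUBLIC,
    "support_agent": PUBLIC | CONTACT,
    "kyc_verifier": PUBLIC | KYC,
}

REDACTED = "<redacted>"


@dataclass
class AuditEvent:
    actor: str
    role: str
    registrant_id: str
    fields: frozenset  # fields actually exposed by this read
    purpose: str


@dataclass
class RegistrantStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, actor, role, registrant_id, purpose):
        """Return the record with fields outside the role's policy redacted,
        and append an audit event for every read, redacted or not."""
        allowed = ROLE_FIELDS.get(role, set())
        rec = self.records[registrant_id]
        view = {k: (v if k in allowed else REDACTED) for k, v in rec.items()}
        exposed = frozenset(k for k in rec if k in allowed)
        self.audit_log.append(AuditEvent(actor, role, registrant_id, exposed, purpose))
        return view


def bulk_contact_readers(audit_log, threshold):
    """Leak indicator for a vendor audit: actors whose reads exposed the
    unpublished contact or KYC fields of more than `threshold` distinct
    registrants. A support agent returning calls touches a handful of records;
    a lead harvester touches every new incorporation."""
    seen = defaultdict(set)
    for ev in audit_log:
        if ev.fields & (CONTACT | KYC):
            seen[ev.actor].add(ev.registrant_id)
    return sorted(actor for actor, ids in seen.items() if len(ids) > threshold)


# Constructed sample registrants (not real people, companies or filings).
SAMPLE_RECORDS = {
    f"CIN-SAMPLE-{i:03d}": {
        "name": f"Founder {i}",
        "email": f"founder{i}@example.com",
        "mobile": f"+91-90000-{i:05d}",
        "pan": f"SAMPL{i:04d}X",
        "aadhaar_doc": f"kyc-store/sample-{i}.pdf",
    }
    for i in range(1, 21)
}


def demo():
    """Run the three access patterns and return what an auditor would see."""
    store = RegistrantStore(dict(SAMPLE_RECORDS))
    # A vendor engineer sees only the published fields, whatever they ask for.
    eng_view = store.read("eng-01", "vendor_engineer", "CIN-SAMPLE-001", "analytics")
    # A support agent handles two callbacks: legitimate, low-volume access.
    for cin in ("CIN-SAMPLE-002", "CIN-SAMPLE-003"):
        store.read("support-07", "support_agent", cin, "callback")
    # An account that walks every new incorporation's mobile number in a day.
    for cin in SAMPLE_RECORDS:
        store.read("support-99", "support_agent", cin, "callback")
    flagged = bulk_contact_readers(store.audit_log, threshold=5)
    return eng_view, flagged, len(store.audit_log)


if __name__ == "__main__":
    view, flagged, events = demo()
    print("engineer view:", view)
    print("flagged actors:", flagged, "| audit events:", events)
```

The design point is that the audit trail is written by the store, not by the client, so a privileged user cannot read the mobile column without leaving a record; the bulk-reader check is the kind of query a vendor audit would run against that trail. In a real deployment the audit log would be append-only and held outside the vendor's own control, and the threshold would be tuned to the actual callback workload.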
Mr Nandkumar Sarvade, the former IPS officer and data security expert quoted in the Moneylife column, put the diagnosis at its sharpest: “In our country, privacy has been the neglected younger sibling of cyber security, which itself is a malnourished child, waiting for the State to start giving it some proper diet.” The DPDP Act fed the malnourished child. It has not yet fed the neglected sibling.
What recourse does a founder actually have today
The current options available to a harassed founder are these, in increasing order of friction:
A founder can register on the DND registry under TRAI’s TCCCPR framework. This will not stop calls from banks operating through unregistered marketing agents or DSAs, but it generates a paper trail and is a precondition for some downstream complaints.
A founder can file a written complaint with the Banking Ombudsman against each named bank, identifying date, time, caller name and number, and the specific personal data the caller possessed without lawful basis. This is more effective when filed simultaneously against multiple banks demonstrating the same pattern, because it forces the RBI to confront the systemic dimension.
A founder can file an RTI application with MCA seeking — at minimum — the list of vendors and contractors with access to registrant data, the data-handling protocols mandated in those contracts, the date on which the current internal investigation into leakage began, and the steps taken to date. Even partial replies are useful, because they create a public record.
A founder can lodge a formal grievance under Section 13 of the DPDP Act, 2023 against each bank that processed his data without consent, asking the Data Protection Board to investigate and impose penalty. As the Board’s procedures stabilise, this is likely to become the most consequential route.
A founder can, in the most serious cases — particularly the doorstep delivery of Aadhaar copies — file a First Information Report under the Aadhaar Act, 2016 and the IT Act, 2000, naming the bank and, where identifiable, the individual employee. The local police are not, in general, well-equipped to handle such complaints, but the FIR itself, once registered, becomes an admissible record.
Each of these is friction-heavy. None of them, individually, will stop the racket. Collectively, in volume, they begin to shift the cost-benefit calculation for the institutions at the receiving end.
The bottom line
The MCA data leak is not a glitch. It is, on the evidence available, a market — an organised market in which someone inside the Ministry’s data-handling chain harvests registrant information in near-real time and sells it to a stable clientele of private banks and compliance vendors who, in turn, use it to acquire customers for whom they did not earn the consent.
The named private banks — Kotak Mahindra, HDFC, ICICI, IDFC First, Federal, Axis, IndusInd, and others recurring across complaint after complaint — are not bystanders in this market. They are its principal funders. Every call placed, every doorstep visit made, every Aadhaar copy displayed on a marketer’s mobile is, in legal substance, an exercise in the unauthorised processing of sensitive personal data. The bank’s defence that the data was supplied by a vendor is precisely the kind of defence that RBI’s outsourcing directions and the DPDP Act’s purpose-limitation principle were written to demolish.
The Reserve Bank of India has not acted. The Ministry of Corporate Affairs is investigating, quietly. The Ministry of Electronics and Information Technology has not intervened. The Data Protection Board is still finding its feet. The DPDP Act, India’s much-celebrated privacy statute, is — for the founder whose Aadhaar arrived at his doorstep yesterday morning — a piece of paper.
Sucheta Dalal’s Moneylife column captured the larger condition with a phrase borrowed from the late Narayanan Vaghul — the MAFA syndrome, Mistaking Articulation For Action. India has articulated a privacy regime. It has not, on the evidence of the MCA pipeline and the banks waiting at the end of it, built one.
Until that changes, every new entrepreneur in Digital India should expect the same welcome: a phone that will not stop ringing, an inbox full of bank offers from institutions he has never approached, and the unsettling realisation that the documents he handed to the State the day before are, by the next morning, in someone else’s hand.
This article is based on publicly reported accounts from incorporators of new companies and LLPs in India, the published RTI reply obtained by the World Cyber Security Forum from the Ministry of Corporate Affairs, the investigative reporting of Moneylife on the MCA data pipeline, and the regulatory framework comprising the Aadhaar Act 2016, the Information Technology Act 2000, the Digital Personal Data Protection Act 2023, RBI’s Master Direction on KYC 2016, and RBI’s Directions on Outsourcing of Financial Services.