Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →
Password-protected bank statement PDFs from Indian private sector banks cannot be parsed until the correct password is resolved, creating workflow failures when applicants cannot recall their password.
A consent-based collection workflow captures the password from the applicant at submission; when that fails, a derived-candidate approach attempts publicly documented bank-specific password formats before returning a clean failure status.
The lender's application form must include a password field and a clear consent disclosure covering the underwriting purpose, with derived-candidate logic configured per bank in the parser.
Either a fully unlocked and parsed transaction table ready for analysis, or a documented failure status with guidance for the credit team to request a fresh statement from the applicant.
Most Indian private sector bank PDFs arrive with a password. For an NBFC processing 200 loan applications per month, the password-protected bank statement problem is not a rare edge case — it is the default condition for every HDFC, ICICI, Axis, Kotak, and Yes Bank applicant in the pile. A password protected bank statement parser for India must handle consent-based collection, known derivation patterns for common banks, and a clean fallback when neither method works.
Why Indian Bank PDFs Are Password-Protected
Indian banks began password-protecting net-banking PDF downloads in the mid-2010s as a customer data security measure. The logic is simple: a statement downloaded to a device and later accessed by an unauthorised person without the password is protected. The password is almost always deterministic — derived from the customer’s own data fields rather than a user-set passphrase — so the customer can always reconstruct it without remembering it separately.
This protection aligns with RBI’s account security guidelines and was reinforced by guidance under the KYC master direction framework. Most private sector banks apply it by default; PSU banks (SBI, Bank of Baroda, PNB) are more variable, with some branches applying protection and others not.
For a lender, the implication is that a bank statement PDF cannot be parsed until the password is resolved. A parsing error that reports “password incorrect” is not a document quality problem — it is a workflow problem in how the password was collected.
How Lenders Handle Password Collection
Consent-Based Agent Workflow
The primary method is direct collection. During the loan application process, the agent or loan origination system prompts the applicant to provide the password for their bank statement PDF. The applicant either knows it (for regularly used banks) or regenerates it by logging in to net banking and downloading a fresh statement. The password is submitted through the application form, used to unlock the PDF for parsing, and not retained beyond that transaction.
This is the cleanest path: the customer retains full awareness of what is shared and the parser gets the correct key on the first attempt.
Derived-Password Approach
When an applicant cannot recall the password — common for applicants who rarely download statements manually — a derived-password approach attempts a limited set of candidate passwords based on publicly documented formats for major Indian banks.
The candidate set is built from the data the applicant has already supplied in their loan application: name, PAN number, date of birth, and registered phone number. The system tries the known format patterns for the bank that issued the statement. This does not involve brute-force scanning — it uses structured knowledge of how specific banks generate their default passwords.
UIDAI Aadhaar and PAN together anchor most Indian individual identity records, and the same data points that banks use to generate default PDF passwords are the data points lenders already collect at application.
When Password Resolution Fails
If both the customer-supplied password and the derived candidates fail, the system returns a definitive failure status rather than attempting further guesses. The credit team is notified to request a fresh statement. Some lenders prefer to ask the applicant to download a new PDF with password protection disabled (an option available in the net-banking portals of several banks), which avoids the password problem entirely on the second submission.
Password Format Reference: Major Indian Banks
| Bank | Default PDF Password Format | Source |
|---|---|---|
| ICICI Bank | First 4 chars of customer name (uppercase) + DDMMYYYY of date of birth | ICICI net-banking help documentation |
| HDFC Bank | Date of birth in DDMMYYYY format | HDFC net-banking help documentation |
| Axis Bank | Last 4 digits of registered mobile + DDMMYYYY of date of birth | Axis net-banking help documentation |
| Kotak Mahindra Bank | Date of birth in DDMMYYYY format | Kotak net-banking help documentation |
| Yes Bank | Combination of PAN first 5 chars + date of birth | Yes Bank net-banking help documentation |
| SBI (YONO) | Account number (variable by branch / portal version) | SBI YONO help documentation |
India-Specific Context
The password-protection practice is more prevalent in India than in most comparable banking markets because Indian banks implemented it as a default, not an option. An NBFC operating across states will encounter protected PDFs from virtually every private sector bank in its applicant pool.
The consent and derivation workflow described above becomes significant at scale. An underwriting desk processing 500 applications per month, where 70% are from password-protected private bank statements, faces 350 password resolution events. Manual follow-up per failed password — contacting the applicant, waiting for resubmission — adds 1 to 3 days to the application cycle. An automated derived-password step that resolves most of these without applicant intervention compresses that delay to seconds for the majority of cases.
The bank statement OCR engine in TransactIQ handles password-protected PDFs through both the consent-supplied password path and the derived-candidate approach, with a clean failure status for cases where neither resolves.
For the full underwriting picture after the password is resolved, the bank statement analysis platform produces structured transaction data, income classification, FOIR, and fraud signals from the unlocked statement.
The five questions credit teams ask most often about password-protected statement handling are answered below.