
Compliance Vault

The Regulatory Mediator between RBI and DPDP Act 2023.

RBI mandates 10-year KYC retention. The DPDP Act requires erasure on demand. Two Indian regulators. Two conflicting obligations. One enforcement window.

The Compliance Vault implements a Legal Obligation Override — a documented, auditable mechanism that classifies statutory-retain data, isolates it from consent-based data, and produces DPBI-ready denial documentation for every rejected erasure request.

This is not a workaround. It is a documented compliance framework for regulated entities operating under both regimes simultaneously.

Start Compliance Assessment

Regulatory Confirmation — April 22, 2026

RBI circular RBI/DPSS/2026-27/396, issued April 22, 2026, established a dual-audit standard for regulated entities holding data under RBI retention mandates while subject to DPDP Act erasure obligations. The circular confirms that deletion cannot proceed without a documented statutory retention review. The Compliance Vault is the operational implementation of that requirement.

The Conflict

Two regulators. Two conflicting mandates.

The table below maps each data category to its RBI requirement, the conflicting DPDP obligation, and how the Compliance Vault resolves both simultaneously.

Data Category | RBI Requirement | DPDP Act 2023 | ConsentOS Resolution
KYC data | Retain for 10 years (RBI Master Direction on KYC) | Erase on fulfillment of purpose | Legal Obligation Override applied: classified as statutory-retain, isolated from consent data, erasure denied with documented justification
Transaction records | PMLA: retain for 5 years post account closure | Erase on request | PMLA Override applied; denial register entry generated with the statutory instrument cited
Consent records | No specific retention requirement | Must retain proof of consent for audit | Consent record retained separately under the DPDP obligation; not subject to erasure

How It Works

The Legal Obligation Override: three steps.

ConsentOS implements the override as a structured, auditable workflow — not a policy document. Every data category is classified at ingestion. Every erasure request is checked. Every refusal is documented.

01

Classify

ConsentOS tags each data category: consent-based or statutory-retain. KYC records, PMLA transaction data, and credit data are classified as statutory-retain. Marketing preferences and contact opt-ins are classified as consent-based.

02

Isolate

Statutory-retain data is held in a separate retention schedule, outside the erasure flow. Data principals can exercise DPDP rights — access, correction, erasure — only against consent-based data. Statutory-retain data is out of scope for erasure while its retention period is running; once the cited period ends, that category returns to the erasure flow.

03

Document

Every rejected erasure request generates a denial register entry citing the specific statutory obligation (e.g., the RBI Master Direction on KYC, 2016), the retention period and its end date, and a DPBI-ready audit evidence package.

Walkthrough

An NBFC receives a DPDP erasure request. Here is what happens.

From the moment a data principal submits a deletion request to the moment a DPBI-ready evidence pack is generated, ConsentOS handles every step.

01

The Request

A data principal submits a DPDP erasure request via the ConsentOS portal. Name, address, loan history, KYC documents — all marked for deletion.

02

The Check

ConsentOS cross-references the request against the retention schedule. KYC and loan records are classified as statutory-retain under the RBI Master Direction on KYC. Erasure of those records cannot proceed.

03

The Override

The Legal Obligation Override is applied. The statutory justification is logged to the denial register: obligation type, retention period, statutory instrument cited. The data principal receives a compliant refusal notice within 30 days.

04

The Evidence

The denial register entry is packaged into a DPBI-ready audit evidence pack. If the Data Protection Board investigates, ConsentOS generates the complete audit trail on demand.
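The three-step override above and this walkthrough describe the same procedure, so here is one added worked example of it in Python. It is illustrative code written for this page, not ConsentOS's implementation. The retention periods and statutory instruments are taken from the page's table; the category names, the dates from which each retention clock runs (relationship end for KYC, transaction date for transaction records), the field layout of the denial register and its SHA-256 hash chain are assumptions. It also makes explicit two points the walkthrough leaves implicit: a request that mixes consent-based and statutory-retain categories is partly fulfilled and partly denied rather than rejected outright, and a denial is time-bounded, so data whose cited retention period has already run goes back into the erasure flow.

```python
"""Added worked example, not ConsentOS code: a Legal Obligation Override applied to a DPDP
erasure request. Periods and instruments follow the page's table; the retention clock anchors
and the hash-chained register layout are assumptions made for illustration."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RetentionRule:  # step 1 (Classify): the tag every category carries from ingestion
    basis: str       # "statutory-retain" | "consent-based"
    instrument: str  # statutory instrument cited in the denial register
    years: int       # retention period; 0 for consent-based data

RETENTION_SCHEDULE = {
    "kyc": RetentionRule("statutory-retain", "RBI Master Direction on KYC", 10),
    "transactions": RetentionRule("statutory-retain", "PMLA", 5),
    "marketing_prefs": RetentionRule("consent-based", "", 0),
}

@dataclass(frozen=True)
class ErasureRequest:
    request_id: str
    principal_id: str
    categories: tuple[str, ...]
    received: date

@dataclass
class Decision:
    category: str
    action: str                        # "erase" | "deny"
    instrument: str = ""
    retention_end: date | None = None  # None: the retention clock has not started

def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DenialRegister:
    """Step 3 (Document): append-only, hash-chained; an altered or deleted entry breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, req: ErasureRequest, d: Decision) -> dict:
        body = {"request_id": req.request_id, "principal_id": req.principal_id,
                "category": d.category, "obligation_type": "statutory-retain",
                "instrument": d.instrument, "decided_on": req.received.isoformat(),
                "retention_end": d.retention_end.isoformat() if d.retention_end else None,
                "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS}
        entry = {**body, "entry_hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def handle_erasure_request(req: ErasureRequest, clock_starts: dict[str, date | None],
                           register: DenialRegister, today: date | None = None) -> list[Decision]:
    """Step 2 (Isolate): erase consent-based data; deny and log statutory-retain data unless its period
    has run. clock_starts: date each period began (assumed anchors); None = clock not started."""
    today = today or req.received
    decisions: list[Decision] = []
    for cat in req.categories:
        rule = RETENTION_SCHEDULE.get(cat)
        if rule is None:  # fail closed: an unclassified category is neither erased nor kept silently
            raise ValueError(f"category {cat!r} was not classified at ingestion")
        if rule.basis == "consent-based":
            decisions.append(Decision(cat, "erase"))
            continue
        start = clock_starts.get(cat)
        end = add_years(start, rule.years) if start else None
        if end is not None and today >= end:
            decisions.append(Decision(cat, "erase", rule.instrument, end))  # override has expired
        else:
            d = Decision(cat, "deny", rule.instrument, end)
            register.append(req, d)
            decisions.append(d)
    return decisions

if __name__ == "__main__":  # constructed sample: open relationship, 2019 transactions, marketing prefs
    reg = DenialRegister()
    req = ErasureRequest("REQ-0001", "DP-42", ("kyc", "transactions", "marketing_prefs"), date(2026, 5, 4))
    for d in handle_erasure_request(req, {"kyc": None, "transactions": date(2019, 3, 1)}, reg):
        print(d.category, d.action, d.instrument, d.retention_end)
    print("register intact:", reg.verify())
```

Running the file prints the per-category decisions for the constructed request (KYC denied because the relationship is still open, five-year-old transaction records and marketing preferences erased) and confirms the register chain verifies. Each denial entry carries the instrument and the end date the refusal notice needs, and re-running the same request after that date flips the decision to erase without any change to the schedule. An unclassified category raises rather than being silently erased or retained; in production that condition should page the compliance owner, since classification at ingestion is the control the whole override rests on.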

What's Included

The Compliance Vault tier.

Built for regulated BFSI entities. Designed around the dual RBI/DPDP compliance requirement. Priced at ₹5,00,000 implementation + ₹75,000/month.

Compliance Vault module with Legal Obligation Override
Retention schedule dashboard — per data category
Denial register for statutory erasure exceptions
RBI / DPDP conflict resolution workflows
DPBI-ready audit evidence packs
72-hour breach notification pipeline
Use-restriction enforcement across data categories
Dedicated compliance support manager

Who It's For

Regulated BFSI entities under dual enforcement.

Any entity operating under both RBI regulation and the DPDP Act faces this conflict. The Compliance Vault is the enforcement layer.

NBFCs

Face the full RBI/PMLA/CIBIL/DPDP stack simultaneously. The Legal Obligation Override is designed specifically for the NBFC regulatory profile.

NBFC compliance guide →

Fintech Lenders

Digital lenders with RBI NBFC registration or P2P lending licences face the same KYC retention conflict. The Compliance Vault resolves it with the same documented override.

Brokers & Insurance

SEBI-registered brokers and IRDAI-regulated insurers carry their own statutory retention obligations. The Compliance Vault's retention schedule handles multiple regulatory instruments simultaneously.

Start your Compliance Assessment.

The free assessment takes 10 minutes. You receive a personalised compliance report covering your RBI/DPDP dual obligations, with a prioritised action list.