Compliance Vault
The Regulatory Mediator between RBI and DPDP Act 2023.
RBI mandates 5-year KYC retention. The DPDP Act requires erasure on demand. Two Indian regulators. Two conflicting obligations. One enforcement window.
The Compliance Vault implements a Legal Obligation Override: a documented, auditable mechanism that classifies statutory-retain data, isolates it from consent-based data, and produces DPBI-ready denial documentation for every rejected erasure request.
This is not a workaround. It is a documented compliance framework for regulated entities operating under both regimes simultaneously.
Regulatory Signal: RBI Advisory 3/2026
RBI Advisory No. 3/2026, issued March 25, 2026 by the Department of Supervision, directs supervised entities toward a unified platform that captures, tracks, and updates customer consent consistently and in an auditable manner, alongside automated data discovery and board-level data protection accountability. The RBI Responsible Business Conduct Amendment Directions, notified as final in May 2026, require per-product explicit consent, a ban on bundled and pre-ticked consent, and auditable customer consent control, effective July 1, 2026. The Compliance Vault operationalizes both. It holds the unified consent record the Advisory describes and the granular, per-product consent the Directions require from July 1.
Regulatory Watch: May 19, 2026
On May 19, 2026, the Supreme Court directed the Ministry of Electronics and IT to examine a petition seeking the recovery of stolen personal data held on foreign servers. Cross-border data handling is drawing judicial attention.
The Conflict
Two regulators. Two conflicting mandates.
The table below maps each data category to its RBI requirement, the conflicting DPDP obligation, and how the Compliance Vault resolves both simultaneously.
How It Works
The Legal Obligation Override: three steps.
ConsentOS implements the override as a structured, auditable workflow, not a policy document. Every data category is classified at ingestion. Every erasure request is checked. Every refusal is documented.
01 Classify
ConsentOS tags each data category: consent-based or statutory-retain. KYC records, PMLA transaction data, and credit data are classified as statutory-retain. Marketing preferences and contact opt-ins are classified as consent-based.
02 Isolate
Statutory-retain data is held in a separate retention schedule, outside the erasure flow. Data principals can exercise DPDP rights (access, correction, erasure) only against consent-based data. Statutory-retain data is not in scope for erasure.
03 Document
Every rejected erasure request generates a denial register entry with the specific statutory obligation cited (e.g., RBI Master Direction 2016), the retention period and end date, and a DPBI-ready audit evidence package.
Walkthrough
An NBFC receives a DPDP erasure request. Here is what happens.
From the moment a data principal submits a deletion request to the moment a DPBI-ready evidence pack is generated, ConsentOS handles every step.
01 The Request
A data principal submits a DPDP erasure request via the ConsentOS portal. Name, address, loan history and KYC documents are all marked for deletion.
02 The Check
ConsentOS cross-references the request against the retention schedule. KYC and loan records are classified as statutory-retain under the RBI Master Direction on KYC. Erasure cannot proceed.
03 The Override
The Legal Obligation Override is applied. The statutory justification is logged to the denial register: obligation type, retention period, statutory instrument cited. The data principal receives a compliant refusal notice within 30 days.
04 The Evidence
The denial register entry is packaged into a DPBI-ready audit evidence pack. If the Data Protection Board investigates, ConsentOS generates the complete audit trail on demand.
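The three-step override and the NBFC walkthrough above, as an added Python example that is not ConsentOS code: it splits an erasure request into consent-based categories that may be erased and statutory-retain categories that are refused, and builds the denial register entry with the instrument cited, the retention end date and the 30-day response deadline. The names `Basis`, `Category`, `SCHEDULE`, `add_years` and `process_erasure` are hypothetical, the schedule contents are constructed, and both the use of the relationship end date as the start of the retention clock and the rule that an expired obligation no longer blocks erasure are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Basis(Enum):
    CONSENT = "consent-based"
    STATUTORY = "statutory-retain"

@dataclass(frozen=True)
class Category:
    name: str
    basis: Basis
    instrument: str = ""      # statutory instrument cited in the denial register
    retention_years: int = 0  # retention period for statutory-retain data

# Constructed schedule: the KYC instrument and 5-year period are from the page; loan history's placement is assumed.
SCHEDULE = {c.name: c for c in (
    Category("kyc_documents", Basis.STATUTORY, "RBI Master Direction on KYC, 2016", 5),
    Category("loan_history", Basis.STATUTORY, "RBI Master Direction on KYC, 2016", 5),
    Category("marketing_prefs", Basis.CONSENT),
    Category("contact_optin", Basis.CONSENT),
)}

def add_years(d: date, years: int) -> date:
    """Shift d by whole years; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def process_erasure(principal_id, categories, received, retention_from, schedule=SCHEDULE):
    """Split an erasure request into erasable categories and a denial-register entry.
    retention_from is the date the statutory clock starts (assumed: end of relationship)."""
    erasable, denied = [], []
    for name in categories:
        cat = schedule.get(name)
        if cat is None:  # classify-at-ingestion invariant: never guess a basis here
            raise ValueError(f"unclassified category {name!r}")
        ends = add_years(retention_from, cat.retention_years)
        # Assumption: an obligation whose retention period has run out no longer blocks erasure.
        if cat.basis is Basis.CONSENT or ends <= received:
            erasable.append(name)
        else:
            denied.append({"category": name, "instrument": cat.instrument,
                           "retention_years": cat.retention_years, "retention_ends": ends})
    entry = None
    if denied:  # one register entry per refused request, with the 30-day response deadline
        entry = {"principal_id": principal_id, "received": received,
                 "respond_by": received + timedelta(days=30), "denied": denied}
    return erasable, entry
```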
What's Included
The Compliance Vault tier.
Built for regulated BFSI entities. Designed around the dual RBI/DPDP compliance requirement. Priced at ₹5,00,000 implementation + ₹1,50,000/month.
Who It's For
Regulated BFSI entities under dual enforcement.
Any entity operating under both RBI regulation and the DPDP Act faces this conflict. The Compliance Vault is the enforcement layer.
NBFCs
Face the full RBI/PMLA/CIBIL/DPDP stack simultaneously. The Legal Obligation Override is designed specifically for the NBFC regulatory profile.
Fintech Lenders
Digital lenders with RBI NBFC registration or P2P lending licences face the same KYC retention conflict. The Compliance Vault resolves it with the same documented override.
Brokers & Insurance
SEBI-registered brokers and IRDAI-regulated insurers carry their own statutory retention obligations. The Compliance Vault's retention schedule handles multiple regulatory instruments simultaneously.
Start your Compliance Assessment.
The free assessment takes 10 minutes. You receive a personalised compliance report covering your RBI/DPDP dual obligations, with a prioritised action list.