
DPDP Readiness Infrastructure for RBI-Regulated NBFCs

When an RBI inspector asks about your DPDP posture in 2026, your answer must be a documented readiness position. NBFCs face a compliance challenge that generic consent platforms cannot resolve: RBI mandates 10-year KYC retention while the DPDP Act requires erasure on demand. PMLA creates independent 5-year retention obligations. CIBIL data sharing requires documented consent chains. ConsentOS builds the Legal Obligation Override infrastructure that addresses all three simultaneously, giving your Board Risk Committee a printable readiness report and your RBI inspector a verifiable compliance position.

Critical Risk: Dual RBI / DPDP / PMLA Enforcement Exposure

  • 10,000+: NBFCs registered with RBI in India
  • 10 years: RBI KYC retention mandate (Master Direction)
  • ₹250 Cr: maximum DPDP penalty per incident

RBI Inspection Readiness

RBI inspectors are already asking NBFC compliance teams about their DPDP preparedness posture. The answer "we are evaluating our options" is not a compliance position. RBI circular RBI/DPSS/2026-27/396 (April 22, 2026) established a dual-audit standard for entities holding data under statutory retention mandates. The dual-audit standard mandated in that circular is what the Compliance Vault implements operationally. ConsentOS gives your Board Risk Committee a printable readiness report and your RBI inspector a documented, verifiable answer.

Obligations

Your DPDP Obligations as an NBFC

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to NBFC operations.

RBI / DPDP Retention Conflict

Master Direction on KYC mandates 10-year retention. DPDP Act requires erasure on request. Legal Obligation Override documents the exception and generates denial evidence.

PMLA Obligation Override

PMLA requires 5-year retention of all transaction records post account closure, independent of data principal consent. Override applied automatically.

CIBIL Data Sharing Consent

Credit bureau data sharing requires explicit, purpose-specific, documented consent chains under both DPDP Act and RBI CIBIL guidelines.

FIU-IND Reporting

Suspicious transaction reporting under PMLA creates special data handling and access obligations that intersect with DPDP data principal rights.

Data Principal Rights vs Lending

DPDP erasure and access rights reconciled with RBI lending regulations. Rights exercised only against consent-based data, not statutory-retain loan records.

KYC Data Localisation

RBI localisation requirements and DPDP cross-border provisions apply simultaneously for NBFCs with foreign investors or cross-border operations.

Periodic Re-KYC Consent

Periodic re-KYC obligations create recurring consent refresh cycles under DPDP. Each re-KYC event requires documented consent, not just data update.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Build your RBI inspection readiness position

Map all personal data processing across KYC, lending, PMLA records, and CIBIL data sharing. Document your DPDP posture before your next RBI inspection cycle.

Q3 2026

Implement Legal Obligation Override

Deploy the Compliance Vault: classify statutory-retain data, isolate from erasure flow, configure denial register.

Nov 2026

Consent Manager registration

Register with the Data Protection Board as a Consent Manager if operating consent infrastructure.

Q1 2027

Data principal rights workflows

Implement access, correction, and erasure workflows with statutory exemption handling for RBI/PMLA records.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Dual RBI/DPDP non-compliance exposes NBFCs to enforcement from both regulators.
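The Legal Obligation Override described under Obligations (RBI / DPDP Retention Conflict, PMLA Obligation Override, Data Principal Rights vs Lending) and in the roadmap steps above ("classify statutory-retain data, isolate from erasure flow, configure denial register"; "erasure workflows with statutory exemption handling") reduces to one decision routine: for each record in scope of an erasure request, erase it if its only basis is consent or its statutory retention period has lapsed, otherwise deny and write a verifiable denial register entry. The Python below is an added illustration written for this page, not ConsentOS or Compliance Vault code. It takes the retention periods from the page (10 years KYC, 5 years PMLA after account closure); the record model, the statute keys, the fixed 365-day year, the sample customer data and the SHA-256 evidence hash are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention periods as stated on this page: RBI KYC Master Direction (10 years) and
# PMLA transaction records (5 years after account closure). Fixed 365-day years and the
# statute keys are assumptions of this example; a real schedule is configured per category.
STATUTORY_RETENTION: dict[str, timedelta] = {
    "RBI_KYC_MASTER_DIRECTION": timedelta(days=365 * 10),
    "PMLA": timedelta(days=365 * 5),
}


@dataclass(frozen=True)
class Record:
    """One stored item of personal data, classified by legal basis (hypothetical model)."""
    record_id: str
    category: str                          # e.g. "kyc_document", "transaction", "marketing_profile"
    legal_basis: str                       # "consent" or "statutory"
    statute: str | None = None             # key into STATUTORY_RETENTION when statutory
    retention_anchor: date | None = None   # date the retention clock starts, e.g. account closure


@dataclass
class ErasureOutcome:
    erased: list[str] = field(default_factory=list)   # record ids released to the erasure flow
    denied: list[dict] = field(default_factory=list)  # denial register entries


def retention_expiry(record: Record) -> date | None:
    """Date after which a statutory-retain record may be erased; None for consent-based data."""
    if record.legal_basis != "statutory":
        return None
    if record.statute not in STATUTORY_RETENTION or record.retention_anchor is None:
        # Fail closed: a statutory record with an unknown statute or no anchor date must be
        # reclassified before any erasure decision is taken on the request.
        raise ValueError(f"record {record.record_id}: statutory basis without a usable schedule")
    return record.retention_anchor + STATUTORY_RETENTION[record.statute]


def _canonical(entry: dict) -> bytes:
    """Stable byte form of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "evidence_sha256"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def denial_entry(record: Record, request_id: str, today: date, expiry: date) -> dict:
    """Denial register entry carrying the statutory reference and a content hash as evidence."""
    entry = {
        "request_id": request_id,
        "record_id": record.record_id,
        "category": record.category,
        "statute": record.statute,
        "retention_expires": expiry.isoformat(),
        "decided_on": today.isoformat(),
        "decision": "ERASURE_DENIED_LEGAL_OBLIGATION",
    }
    entry["evidence_sha256"] = hashlib.sha256(_canonical(entry)).hexdigest()
    return entry


def verify_denial_entry(entry: dict) -> bool:
    """Recompute the content hash; False means the register entry was altered after the fact."""
    return hashlib.sha256(_canonical(entry)).hexdigest() == entry.get("evidence_sha256")


def process_erasure_request(records: list[Record], request_id: str, today: date) -> ErasureOutcome:
    """Apply the override: erase consent-based and lapsed-statutory data, deny the rest."""
    expiries = [retention_expiry(r) for r in records]   # validates classification up front
    outcome = ErasureOutcome()
    for rec, expiry in zip(records, expiries):
        if expiry is None or today > expiry:
            outcome.erased.append(rec.record_id)
        else:
            outcome.denied.append(denial_entry(rec, request_id, today, expiry))
    return outcome


def sample_request() -> ErasureOutcome:
    """Constructed sample: a customer whose account closed on 2019-06-30 asks for erasure in 2026."""
    closed = date(2019, 6, 30)
    records = [
        Record("kyc-001", "kyc_document", "statutory", "RBI_KYC_MASTER_DIRECTION", closed),
        Record("txn-001", "transaction", "statutory", "PMLA", closed),
        Record("mkt-001", "marketing_profile", "consent"),
    ]
    return process_erasure_request(records, "DPR-2026-0001", date(2026, 5, 1))


if __name__ == "__main__":
    result = sample_request()
    print("erased:", result.erased)   # PMLA period has lapsed for txn-001; kyc-001 is still retained
    for entry in result.denied:
        print("denied:", json.dumps(entry, indent=2))
```

Two points of the design matter in practice: a record whose statutory period has lapsed falls back to ordinary DPDP erasure, so the retention schedule must carry the anchor date (account closure) rather than a bare category flag, and a statutory record that cannot be matched to a schedule halts the whole request rather than being silently erased, since erasure is irreversible while denial can be reviewed.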

Penalty Exposure for NBFCs

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

  • KYC/financial data breach (failure to implement safeguards): up to ₹250 Cr
  • Failure to notify a breach to the Data Protection Board and data principals: up to ₹200 Cr
  • Non-compliance with consent and rights obligations: up to ₹50 Cr
Calculate your specific exposure

Recommended Plan

Compliance Vault for NBFC

NBFCs operating under RBI, PMLA, and DPDP simultaneously require the Legal Obligation Override, retention schedule dashboard, and denial register that only the Compliance Vault tier provides.

Implementation: ₹5,00,000 one-time

₹75,000 per month, including:
  • Legal Obligation Override (RBI / PMLA)
  • Retention schedule dashboard — per data category
  • Denial register for statutory erasure exceptions
  • DPBI-ready audit evidence packs
  • 72-hour breach notification pipeline
  • Dedicated compliance support manager

When the RBI Inspector Asks, Have the Answer Ready

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.