Can an NBFC refuse a DPDP erasure request for KYC data?

Yes. Where data is held under a statutory obligation (RBI Master Direction on KYC, PMLA), the DPDP Act's erasure right does not override the statutory obligation. ConsentOS documents this exception in a denial register and generates DPBI-ready justification automatically.

Does PMLA transaction retention conflict with DPDP Act?

PMLA requires 5-year retention post-closure independent of consent. ConsentOS classifies PMLA-governed records as statutory-retain, isolating them from the DPDP erasure flow. Both obligations are met simultaneously.

How does ConsentOS handle CIBIL data sharing consent under DPDP?

CIBIL data sharing is treated as a separate consent purpose. ConsentOS captures purpose-specific consent at origination, documents the consent chain, and maintains the audit record required by both DPDP Act and RBI CIBIL guidelines.

Is our NBFC classified as a Significant Data Fiduciary under DPDP?

Large NBFCs processing high volumes of financial data are likely candidates for SDF classification. ConsentOS's Scale and Compliance Vault tiers are built for SDF compliance. DPO support, DPIA workflows, and enhanced audit trails included.

NBFC

DPDP Readiness Infrastructure for RBI-Regulated NBFCs

When an RBI inspector asks about your DPDP posture in 2026, your answer must be a documented readiness position. NBFCs face a compliance challenge that generic consent platforms cannot resolve: RBI mandates 5-year KYC retention while the DPDP Act requires erasure on demand. PMLA creates independent retention obligations. CIBIL data sharing requires documented consent chains. ConsentOS builds the Legal Obligation Override infrastructure that addresses all three simultaneously, giving your Board Risk Committee a printable readiness report and your RBI inspector a verifiable compliance position.

Critical Risk: Dual RBI/DPDP/PMLA Enforcement Risk

10,000+

NBFCs registered with RBI in India

5 years

RBI KYC retention mandate (Master Direction)

250 Cr

Maximum DPDP penalty per incident

RBI Inspection Readiness

RBI is moving on consent. Advisory No. 3/2026, issued March 25, 2026, directs regulated entities toward centralized consent management and automated data discovery. The RBI Responsible Business Conduct Amendment Directions, notified as final in May 2026, require per-product explicit consent, a ban on bundled and pre-ticked consent, and auditable customer consent control, effective July 1, 2026. The answer "we are evaluating our options" is not a compliance position. ConsentOS gives your Board Risk Committee a printable readiness report and the centralized, documented consent record the Advisory expects today.

Obligations

Your DPDP Obligations as a NBFC Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to nbfc operations.

RBI / DPDP Retention Conflict

Master Direction on KYC mandates 5-year retention. DPDP Act requires erasure on request. Legal Obligation Override documents the exception and generates denial evidence.

PMLA Obligation Override

PMLA requires 5-year retention of all transaction records post account closure, independent of data principal consent. Override applied automatically.

CIBIL Data Sharing Consent

Credit bureau data sharing requires explicit, purpose-specific, documented consent chains under both DPDP Act and RBI CIBIL guidelines.

FIU-IND Reporting

Suspicious transaction reporting under PMLA creates special data handling and access obligations that intersect with DPDP data principal rights.

Data Principal Rights vs Lending

DPDP erasure and access rights reconciled with RBI lending regulations. Rights exercised only against consent-based data, not statutory-retain loan records.

KYC Data Localisation

RBI localisation requirements and DPDP cross-border provisions apply simultaneously for NBFCs with foreign investors or cross-border operations.

Periodic Re-KYC Consent

Periodic re-KYC obligations create recurring consent refresh cycles under DPDP. Each re-KYC event requires documented consent, not just data update.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Build your RBI inspection readiness position

Map all personal data processing across KYC, lending, PMLA records, and CIBIL data sharing. Document your DPDP posture before your next RBI inspection cycle.

Q3 2026

Implement Legal Obligation Override

Deploy the Compliance Vault: classify statutory-retain data, isolate from erasure flow, configure denial register.

Nov 2026

Consent Manager registration

Q1 2027

Data principal rights workflows

Implement access, correction, and erasure workflows with statutory exemption handling for RBI/PMLA records.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Dual RBI/DPDP non-compliance exposes NBFCs to enforcement from both regulators.

Penalty Exposure for NBFC Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

KYC/financial data breach (failure to implement safeguards) Up to ₹250 Cr

Failure to notify breach to Board and data principals Up to ₹200 Cr

Non-compliance with consent and rights obligations Up to ₹50 Cr

Calculate your specific exposure

Recommended Plan

Compliance Vault for NBFC

NBFCs operating under RBI, PMLA, and DPDP simultaneously require the Legal Obligation Override, retention schedule dashboard, and denial register that only the Compliance Vault tier provides.

Implementation

₹5,00,000 one-time

₹1,50,000 /month

Legal Obligation Override (RBI / PMLA)
Retention schedule dashboard, per data category
Denial register for statutory erasure exceptions
DPBI-ready audit evidence packs
72-hour breach notification pipeline
Dedicated compliance support manager

Start with a free assessment Compare all plans

Learn how the Compliance Vault resolves the RBI/DPDP conflict →

Not ready to subscribe? Start with a one-time Readiness Assessment →

Resources

Essential Reading for NBFC

Deep dives into the DPDP provisions most relevant to your sector.

Industry Guides

NBFC DPDP Compliance: RBI KYC Retention and PMLA Overrides in India

How NBFCs reconcile DPDP Act 2023 with RBI KYC retention, PMLA record-keeping, CIBIL consent and FIU-IND reporting. Legal Obligation Override explained.

11 min read

Regulatory Updates

What Is the DPDP Act 2023? Guide for Indian Business Compliance

India's Digital Personal Data Protection Act 2023 decoded: 7 obligations for every Data Fiduciary, 8 rights for Data Principals, penalties up to ₹250 crore.

6 min read

Regulatory Updates

DPDP Penalties: ₹250 Crore Risk and Enforcement Tiers in India

A breakdown of every penalty provision in the DPDP Act 2023. Understand the financial exposure, the enforcement mechanism, and what triggers each penalty tier.

7 min read

When the RBI Inspector Asks, Have the Answer Ready

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.

Get Your Free Assessment Talk to a compliance specialist