DPDP Compliance for Banks: RBI KYC Retention vs Erasure Rights
RBI requires 5-year KYC retention. The DPDP Act grants erasure rights. Section 8(7) decides which wins. How banks resolve the conflict field by field.
Two Mandates Govern the Same Customer Record
A customer closes a savings account and submits a request to erase their personal data. The Digital Personal Data Protection Act 2023 gives them that right. The RBI Master Direction on KYC and the Prevention of Money Laundering Act require the bank to keep the same records for years after the account is closed. Both obligations bind the bank. Both carry penalties. They point in opposite directions over the same data.
This is the structural compliance problem every scheduled commercial bank in India now holds. It is not resolved by choosing one law over the other. The DPDP Act provides a defined mechanism, the legal-obligation carve-out in Section 8(7), that lets a bank retain data where a law mandates it. The carve-out is not a blanket exemption. It applies field by field, purpose by purpose, and every retention decision must be recorded with a documented justification.
This guide is written for compliance officers, Data Protection Officers, and technology heads at banks. It covers what each framework requires, where the override applies, how a bank’s specific data maps to its retention basis, and the Significant Data Fiduciary duties that apply to banks before substantive enforcement begins in May 2027.
For the same conflict viewed from the lending side, see DPDP compliance for NBFCs. For the full field-by-field resolution framework, see the RBI-DPDP retention conflict guide.
What Each Framework Requires
The DPDP Act erasure obligation
Section 8(7) of the DPDP Act requires a Data Fiduciary to erase personal data when the purpose of processing is no longer served or when the Data Principal withdraws consent, “unless retention of such personal data is necessary for compliance with any law for the time being in force.” Section 12(3) gives the Data Principal the right to request that erasure directly.
The carve-out is the operative phrase. Where another law requires retention, the bank has a lawful basis to keep the covered data. Where no law requires it, the data must be erased on request.
RBI KYC and PMLA retention
The RBI Master Direction on Know Your Customer (KYC) Direction, 2016 requires regulated entities to preserve customer identity records for at least five years after the business relationship ends. The Prevention of Money Laundering (Maintenance of Records) Rules, 2005 set the same five-year minimum: identity records for five years from the cessation of the relationship, and transaction records for five years from the date of the transaction.
A ten-year figure circulates in industry guidance. It is not the current KYC minimum. It traces to legacy PMLA rules amended in 2012, to the Payment and Settlement Systems Act, 2007 for certain system operators, or to a bank’s own conservative policy. For standard KYC identity and transaction records, the statutory floor under the RBI and the PMLA is five years.
The conflict is therefore precise. A customer’s erasure request arrives. The RBI and the PMLA say the KYC and transaction records must stay for five years. Neither obligation is optional.
The Override Lives in Section 8(7)
The resolution is the carve-out itself, applied with discipline. A general claim of “RBI requirements” does not satisfy the Act. To rely on Section 8(7), a bank must identify the exact statutory provision that mandates retention of a specific data category, record the retention period that provision sets, isolate that data from the standard erasure workflow, and tell the Data Principal which fields were retained and on what basis.
This classify-isolate-document pattern is the same mechanism the industry applies across regulated finance. The RBI-DPDP retention conflict guide sets out the full framework: the three retention classes, the separate retention tracks, and the denial register that records every refused erasure request. Rather than repeat that framework here, this guide applies it to a bank’s specific data.
A Bank’s Data, Mapped to Its Retention Basis
The override covers only the fields a law requires a bank to retain. Everything else follows the ordinary erasure rule. The grey zone between the two is where audit risk sits, so each category must be mapped to a named provision.
| Bank data field | Retention basis | Period | Override applies |
|---|---|---|---|
| Account-opening KYC (PAN, identity, address proof) | RBI KYC Master Direction; PMLA Rules | 5 years post-closure | Yes |
| Customer photograph and CDD records | RBI KYC Master Direction | 5 years post-closure | Yes |
| Deposit and transaction history | PMLA (Maintenance of Records) Rules | 5 years from transaction | Yes |
| SWIFT and cross-border wire transfer records | PMLA Rules; RBI wire transfer requirements | 5 years (10 only for PSS Act system operators) | Yes |
| Safe-deposit locker agreements and access logs | RBI locker directions; contract law | Per applicable mandate | Partial |
| Net-banking and mobile-app usage logs | None | None mandated | No, erase on request |
| Marketing preferences and campaign history | DPDP consent | Duration of purpose | No, erase on request |
| Cross-sell and behavioural analytics | DPDP consent | Duration of purpose | No, erase on request |
Two failure modes follow from getting this wrong. Over-erasure deletes records the PMLA requires, which the bank discovers during an inspection. Over-retention keeps everything to avoid the first error, which breaches the DPDP Act’s storage limitation. A bank needs both tracks running, with the classification driving system behaviour rather than sitting in a policy document. Build the map first through a personal data inventory.
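The classify-isolate-document pattern from the section above, applied to the field map in the table, as an added Python example (not ConsentOS code and not code from the original guide). The field keys, the reviewer identifier and the ISO-date interface are assumptions; the instruments and the five-year floor are the ones the table names.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 5  # statutory floor the guide cites for RBI KYC and PMLA records

# Field -> (governing instrument, clock anchor). None = no mandate: erase on request.
# Constructed to mirror the table above; the field keys themselves are assumptions.
RETENTION_BASIS = {
    "kyc_identity":        ("RBI KYC Master Direction 2016; PMLA Rules 2005", "closure"),
    "cdd_photograph":      ("RBI KYC Master Direction 2016", "closure"),
    "transaction_history": ("PMLA (Maintenance of Records) Rules 2005", "transaction"),
    "netbanking_logs":     None,
    "marketing_prefs":     None,
    "analytics_profile":   None,
}

@dataclass(frozen=True)
class DenialEntry:            # one row of the denial register kept for the Board
    customer_id: str
    field: str
    basis: str
    retain_until: date
    reviewer: str

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:        # 29 February rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def process_erasure(customer_id, requested_fields, closure_date, last_txn_date, today, reviewer):
    """Split one request into erase-now fields, deferred fields with expiry, denial-register
    entries and the field-level response owed to the Data Principal. Dates are ISO strings."""
    closure, last_txn, now = (date.fromisoformat(s) for s in (closure_date, last_txn_date, today))
    erase_now, deferred, denials, response = [], {}, [], []
    for f in requested_fields:
        if f not in RETENTION_BASIS:  # the grey zone is refused, not guessed
            raise KeyError(f"unmapped field {f!r}: classify it before acting on the request")
        basis = RETENTION_BASIS[f]
        if basis is None:
            erase_now.append(f)
            response.append(f"{f}: erased (no statutory retention mandate)")
            continue
        instrument, anchor = basis
        retain_until = add_years(closure if anchor == "closure" else last_txn, RETENTION_YEARS)
        if now > retain_until:    # mandate has run out, ordinary erasure rule resumes
            erase_now.append(f)
            response.append(f"{f}: erased (retention under {instrument} expired {retain_until})")
            continue
        deferred[f] = retain_until.isoformat()
        denials.append(DenialEntry(customer_id, f, instrument, retain_until, reviewer))
        response.append(f"{f}: retained until {retain_until} under {instrument} via DPDP s.8(7)")
    return erase_now, deferred, denials, response
```

The deferred dictionary is what a scheduler would consume to run deletion when each period expires, and the denial entries are what the register holds for inspection.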
Most Banks Will Be Significant Data Fiduciaries
This is where bank obligations exceed those of a smaller lender. The Central Government may notify any Data Fiduciary, or class of Data Fiduciaries, as a Significant Data Fiduciary based on the volume and sensitivity of personal data processed, the risk to Data Principals, and the potential effect on the security of the State. Scheduled commercial banks sit at the high end of every one of those factors.
A bank that is classified as a Significant Data Fiduciary carries the additional obligations in Section 10:
- Appoint a Data Protection Officer based in India, responsible to the board, who serves as the contact point for grievance redressal.
- Conduct periodic Data Protection Impact Assessments covering the processing activities that carry elevated risk to Data Principals.
- Engage an independent data auditor to evaluate compliance against the Act.
These duties run alongside the grievance-redressal mechanism every Data Fiduciary must establish under Section 8(10), with the Data Principal’s right to that redressal set out in Section 13. A bank should assume Significant Data Fiduciary status in its planning rather than wait for notification, because the lead time to stand up a DPO function and an audit cycle is measured in quarters. See the Significant Data Fiduciary guide for the full set of duties.
Dual Breach Reporting for Banks
A single security incident at a bank triggers reporting obligations under more than one framework, each with its own recipient and clock.
| Trigger | Report to | Timeline | Basis |
|---|---|---|---|
| Cyber incident | CERT-In | 6 hours | CERT-In Directions 2022 |
| Cyber incident at a regulated entity | RBI (CSITE / incident reporting) | Per RBI framework | RBI cyber security framework |
| Personal data breach | Data Protection Board | 72 hours | DPDP Act Section 8(6) |
| Personal data breach | Affected Data Principals | Without delay | DPDP Act Section 8(6) |
One breach can therefore set four notifications in motion, in different formats and on different clocks. The DPDP duty to notify the Board and affected individuals sits under Section 8(6). The full procedure is covered in the breach notification guide. A catch block that swallows a failed notification is itself a Section 8(6) exposure, so the reporting path must be instrumented, not assumed.
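The four-recipient fan-out from the table, written so that no failed notification disappears, as an added Python example (not ConsentOS code and not code from the original guide). The sender callables and the ISO-timestamp interface are assumptions; the clocks and bases are the table's.

```python
from datetime import datetime, timedelta

# Recipient -> (clock, basis) from the table above. None = no fixed hour count on the page
# ("without delay", "per RBI framework"): due from detection onward, no deadline computed.
NOTIFICATION_CLOCKS = {
    "CERT-In":               (timedelta(hours=6),  "CERT-In Directions 2022"),
    "RBI":                   (None,                "RBI cyber security framework"),
    "Data Protection Board": (timedelta(hours=72), "DPDP Act s.8(6)"),
    "Data Principals":       (None,                "DPDP Act s.8(6)"),
}

def deadlines(detected_at: str) -> dict:
    """Deadline per recipient as an ISO string (or None), anchored on the detection time."""
    t0 = datetime.fromisoformat(detected_at)
    return {r: ((t0 + clk).isoformat() if clk else None, basis)
            for r, (clk, basis) in NOTIFICATION_CLOCKS.items()}

def dispatch_all(detected_at: str, senders: dict, now: str) -> dict:
    """Attempt every recipient and record each outcome. senders maps recipient -> zero-arg
    callable returning a receipt id (assumed interface). A failure, including a recipient
    with no sender configured, is recorded against that recipient, never swallowed."""
    t_now = datetime.fromisoformat(now)
    report = {}
    for recipient, (deadline, basis) in deadlines(detected_at).items():
        entry = {"basis": basis, "deadline": deadline,
                 "late": deadline is not None and t_now > datetime.fromisoformat(deadline)}
        try:
            entry.update(status="sent", receipt=senders[recipient]())
        except Exception as exc:
            entry.update(status="failed", error=repr(exc))
        report[recipient] = entry
    return report

def outstanding(report: dict) -> list:
    """Recipients with no receipt on file: the list that must be escalated, not logged and dropped."""
    return [r for r, e in report.items() if e["status"] != "sent"]
```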
Penalty Exposure
DPDP penalties are independent of, and additional to, any RBI enforcement action. The Schedule to the Act sets the maximum financial penalty per category.
| Violation | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards that results in a breach | ₹250 crore |
| Failure to notify the Board or affected Data Principals of a breach | ₹200 crore |
| Non-fulfilment of obligations relating to children’s data | ₹200 crore |
| Non-fulfilment of a Significant Data Fiduciary’s additional obligations | ₹150 crore |
| Non-fulfilment of any other obligation, including a Data Principal’s erasure right | ₹50 crore |
For a bank, two of these tiers are specific to its scale. The ₹150 crore Significant Data Fiduciary tier applies to the DPO, audit, and impact-assessment duties that smaller entities do not carry. The ₹50 crore tier attaches to each mishandled erasure request. Both run on top of any penalty the RBI may impose under its own framework. Estimate the exposure with the penalty calculator.
Common Errors Banks Make
Treating RBI compliance as a DPDP exemption. “We are already RBI-regulated, so the DPDP Act is covered” does not hold. RBI compliance addresses some retention. It does not address consent management, purpose limitation, breach notification to individuals, or the right to correction. The DPDP obligations run independently.
Retaining everything for the longest period. Holding all customer data for ten years to be safe breaches the DPDP Act’s storage limitation. Only the fields covered by a named statutory mandate qualify for the override. The rest must be erased when the purpose ends or on request.
No documented basis per field. During an inspection, the Data Protection Board will ask for the legal basis for retaining a specific field. “The RBI requires it” is not an answer. The bank needs field-level documentation naming the instrument and the retention period.
Ignoring consent for non-mandated processing. Cross-selling, marketing, and behavioural analytics are not covered by the legal-obligation carve-out. They require separate, purpose-specific consent records, each traceable to the notice version in force at the time.
How ConsentOS Handles This for Banks
ConsentOS is built for regulated entities where data protection duties collide with sector-specific retention mandates. Its Compliance Vault applies the Section 8(7) carve-out as operating infrastructure rather than policy text.
- Field-level retention mapping. Each data field is tagged with its governing instrument (RBI KYC, PMLA, or DPDP consent), and its retention period is calculated from the relationship-end date.
- Erasure workflows that respect the override. When a Data Principal requests erasure, ConsentOS separates the fields that can be erased at once from those held under a statutory mandate, generates the compliant response to the individual, and schedules deferred deletion for when each retention period expires.
- A denial register for audit. Every refused erasure request is recorded with the statutory basis, the retention expiry date, and the reviewing officer, available for the Data Protection Board on inspection.
- Dual-framework breach reporting. A single trigger routes notifications to CERT-In, the RBI, the Data Protection Board, and affected Data Principals in the correct formats and on the correct clocks.
Start by finding where the current posture falls short. Run the free Compliance Gap Assessment to identify the retention, consent, and breach-readiness gaps specific to a banking operation, then map them to the DPDP compliance timeline.