NBFC DPDP Compliance: RBI KYC Retention and PMLA Overrides in India

How the DPDP Act 2023 interacts with RBI's KYC retention mandates, PMLA transaction record obligations, CIBIL consent requirements, and FIU-IND reporting for Non-Banking Financial Companies.

NBFCs Operate Under Three Data Regimes Simultaneously

Non-Banking Financial Companies (NBFCs) registered with the Reserve Bank of India now operate under three independent data frameworks, each with its own enforcement authority and penalty structure. The DPDP Act 2023 establishes baseline data protection obligations for all organisations processing personal data of Indian residents. The RBI’s Master Direction on Know Your Customer (KYC) imposes separate retention and verification obligations. The Prevention of Money Laundering Act (PMLA) 2002, enforced by the Financial Intelligence Unit-India (FIU-IND), creates independent transaction record retention mandates.

None of these frameworks exempts compliance with the others. An NBFC that satisfies RBI’s KYC retention requirements is not, by that fact alone, compliant with the DPDP Act. The reverse is equally true. PMLA obligations operate independently of both. This three-way compliance burden is what makes NBFCs one of the most exposed categories of entity under the DPDP Act. Generic consent platforms that solve only the DPDP Act dimension leave NBFCs exposed to enforcement from the other two directions.

The operational challenge is not whether these regulations apply to your NBFC. They do. The challenge is building a compliance architecture that resolves conflicts between these regimes without creating policy contradictions that expose you to enforcement from any of them.

The RBI / DPDP Retention Conflict

The conflict between RBI’s KYC retention mandate and the DPDP Act’s erasure right is the most structurally significant compliance problem NBFCs face. Understanding it precisely is necessary before any compliance programme can be designed.

What RBI Requires

The Reserve Bank of India’s Master Direction — Know Your Customer (KYC) Direction, 2016 (updated through 2023) requires all Regulated Entities, including NBFCs, to retain KYC records for a minimum period of ten years after the cessation of the business relationship. The retention obligation applies to:

  • Customer identification documents (PAN, Aadhaar, passport, voter ID)
  • Address verification documents
  • Photographs and biometric data where collected
  • Risk categorisation records
  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) records
  • Beneficial ownership information

These are all personal data under the DPDP Act. The ten-year clock starts when the business relationship ends, not when the data was collected.

What the DPDP Act Requires

Section 8(7) of the DPDP Act requires a Data Fiduciary to erase personal data upon consent withdrawal, or when the data is no longer necessary for the purpose for which it was collected, “unless retention of such personal data is necessary for compliance with any law for the time being in force.”

Section 12 grants Data Principals the right to erasure. When a customer requests deletion of their personal data, the NBFC must either erase it or invoke a documented legal basis for retention.

The DPDP Act’s Section 8(7) carve-out for legal retention obligations is the operational key, but it must be applied precisely. A vague claim of “regulatory requirements” does not satisfy the Act. The NBFC must:

  1. Identify exactly which statutory provision mandates retention of which data
  2. Document the specific retention period required by that provision
  3. Isolate that data from the standard DPDP erasure workflow
  4. Communicate to the data principal what was retained and why

This structure (classifying statutory-retain data, isolating it from consent-based data, and maintaining a documented denial register for rejected erasure requests) is what ConsentOS implements as the Compliance Vault. The Legal Obligation Override is not a workaround. It is the mechanism the DPDP Act explicitly provides for exactly this situation.

PMLA Transaction Record Obligations

The Prevention of Money Laundering Act creates a second, independent retention obligation that operates alongside RBI’s KYC mandate.

Rule 3 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 requires NBFCs and other Reporting Entities to maintain:

  • Records of all cash transactions above ₹10 lakh
  • Records of all cross-border wire transfers above ₹5 lakh
  • Records of suspicious transactions regardless of amount
  • All customer account files and business correspondence

The retention period is five years from the date of the transaction, or five years after the business relationship ends, whichever is later. This is independent of the RBI KYC retention obligation. An NBFC may have data that must be retained for ten years under RBI KYC rules AND five years under PMLA, with the two clocks running differently for different categories of data held about the same customer.

The DPDP Act does not override PMLA. Section 8(7) explicitly carves out retention required under law. But the carve-out only applies to data that genuinely falls within the PMLA scope. Data collected for purposes beyond PMLA compliance (marketing preferences, behavioural analytics, product interest signals) carries no PMLA retention basis and must be erased on demand.

Compliance requires data classification: each category of data must be mapped to its retention basis (consent, RBI KYC, PMLA, or other statutory obligation) with a documented retention schedule that reflects the applicable law.

Credit Bureau Data Sharing and Consent

Credit bureau data sharing is a third area where DPDP obligations intersect with RBI regulatory requirements.

The Credit Information Companies (Regulation) Act 2005 and the RBI’s associated regulations require credit institutions (including NBFCs) to submit credit information to credit information companies such as CIBIL, CRIF Highmark, Experian, and Equifax. This submission is mandatory. However, the DPDP Act imposes additional consent obligations on top.

The credit bureau submission is not automatically covered by the consent a customer provides when applying for a loan. The DPDP Act requires:

  • Specific disclosure at the point of consent that credit information will be shared with credit information companies
  • Named recipients: the specific bureau(s) to whom data will be submitted must be identified
  • Purpose specification: credit scoring, lending decision support, and bureau maintenance are each distinct processing purposes
  • Consent record: a tamper-proof timestamp linking the customer’s consent to the specific notice version in effect at the time

NBFCs that bundle credit bureau data sharing into a general loan agreement terms clause, without a dedicated consent record that identifies the bureau, the purpose, and the period, are carrying unresolved DPDP compliance risk on every loan originated.

Periodic re-KYC creates a compounding issue. Each re-KYC event is a new data collection and processing activity. It requires its own documented consent, not just a data update against the existing loan record.

Data Principal Rights in an NBFC Context

The DPDP Act grants Data Principal rights that apply to all personal data, including financial records. For NBFCs, the practical application of these rights is more constrained than for generic businesses, but the constraints must be documented, not assumed.

Right to Access

Section 11 grants Data Principals the right to obtain confirmation of processing and a summary of what personal data is held. For NBFCs, this means providing a structured response that identifies:

  • KYC data held and its retention basis (RBI KYC Direction)
  • Transaction records held and their retention basis (PMLA)
  • Consent-based data (marketing, analytics, product preferences)
  • Credit bureau submission records

The right to access applies to all categories. The response must distinguish between data that can be erased on request and data that is held under a statutory retention obligation.

Right to Erasure

Section 12 grants the right to erasure. For NBFC data:

| Data Category | Erasure Response |
| --- | --- |
| Consent-based marketing data | Erase immediately on request |
| KYC records (active relationship) | Retain under RBI KYC Direction; document basis |
| KYC records (post-closure, within 10 years) | Retain under RBI KYC Direction; document basis |
| PMLA transaction records | Retain under PMLA Rules; document basis |
| Loan origination data (within statutory period) | Retain under applicable law; document basis |
| Behavioural/analytics data beyond stated purpose | Erase on request |

The key requirement: every retained-over-erasure-request decision must be documented, with the specific statutory basis, and communicated to the Data Principal.

FIU-IND Reporting and Data Rights

Suspicious Transaction Reporting (STR) and Cash Transaction Reporting (CTR) under PMLA create special data handling obligations that intersect with DPDP Data Principal rights in a particular way.

Section 12 of PMLA prohibits disclosure to any person that a transaction has been reported to FIU-IND. This creates a potential conflict with the DPDP Act’s access right: if a Data Principal requests to know what personal data is held about them, and the NBFC holds STR-related data, disclosing the existence of that report may violate PMLA’s tipping-off prohibition.

The correct operational approach is to acknowledge that PMLA-related data exists but that specific details cannot be disclosed under PMLA Section 12. This satisfies the DPDP Act’s access right (acknowledgement of processing) without triggering the PMLA tipping-off prohibition.

This is an area requiring legal documentation: the justification must be prepared in advance, not constructed on a case-by-case basis when an access request arrives.

Building Dual Compliance into Your NBFC Infrastructure

Compliance is an infrastructure problem, not a policy document problem. For NBFCs, the following components are non-negotiable.

Data Classification at Origination

Every personal data element collected from a customer must be classified at the point of collection, before it enters any system:

  • Consent-basis data: Collected with explicit consent, erasable on demand or consent withdrawal
  • Statutory-retain data: Held under RBI KYC Direction, PMLA, or other specific law, isolated from the DPDP erasure workflow with documented retention schedule
  • Mixed data: Data that starts as consent-basis and transitions to statutory-retain (e.g., a loan applicant becomes a customer; their KYC data transitions from consent-basis to statutory-retain on account opening)

Without this classification at origination, erasure compliance is impossible to manage at scale.

Erasure Denial Register

For every erasure request that is refused because of a statutory retention obligation, the NBFC must maintain a denial register that records:

  • The Data Principal’s erasure request (date, method, data requested for erasure)
  • The statutory basis for denial (specific section of RBI KYC Direction or PMLA rule)
  • The applicable retention period and its end date
  • Communication sent to the Data Principal explaining the denial

This register is the documentary evidence base for a regulatory inspection by the Data Protection Board. An NBFC that cannot produce this register on inspection cannot demonstrate DPDP Act compliance.
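As an added illustration (not ConsentOS code and not the Compliance Vault implementation), the Python below wires together the erasure-response table in the Right to Erasure section and the denial-register fields just listed: each data element carries its retention basis, the statutory clock is computed from the relationship end or transaction date, and a refused request produces a register entry with basis, end date and the communication to the Data Principal. The field names, the three basis labels and the 29 February fallback are assumptions made for the example.

```python
"""Erasure-request evaluator: consent data is erased, statutory-retain data is
denied with a documented basis and recorded as a denial-register entry."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule mirroring the guide: RBI KYC = 10 years after the
# relationship ends; PMLA = 5 years from the transaction or from relationship end,
# whichever is later; consent-basis data has no statutory clock at all.
RBI_KYC_YEARS, PMLA_YEARS = 10, 5
BASIS_TEXT = {"rbi_kyc": "RBI Master Direction on KYC (10 years post-cessation)",
              "pmla": "PML (Maintenance of Records) Rules 2005, Rule 3"}

@dataclass
class DataElement:
    category: str                              # e.g. "KYC documents", "marketing preferences"
    basis: str                                 # "consent", "rbi_kyc" or "pmla" (assumed labels)
    relationship_end: Optional[date] = None    # None while the relationship is still active
    transaction_date: Optional[date] = None    # PMLA transaction records only

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(el: DataElement) -> Optional[date]:
    """Statutory retention end date, or None if the clock has not started yet."""
    if el.basis == "rbi_kyc":
        return add_years(el.relationship_end, RBI_KYC_YEARS) if el.relationship_end else None
    if el.basis == "pmla":
        if el.relationship_end is None:
            return None   # relationship open: the "after relationship ends" clock has not started
        ends = [add_years(d, PMLA_YEARS) for d in (el.transaction_date, el.relationship_end) if d]
        return max(ends)  # "whichever is later"
    return None           # consent basis: no statutory retention

def evaluate_erasure(el: DataElement, requested_on: date, principal_id: str) -> dict:
    """Return an ERASE decision, or a RETAIN decision shaped as a denial-register entry."""
    if el.basis == "consent":
        return {"decision": "ERASE", "category": el.category}
    if el.basis not in BASIS_TEXT:
        raise ValueError(f"unclassified basis {el.basis!r}: classify at origination first")
    end = retention_end(el)
    if end is not None and end <= requested_on:
        return {"decision": "ERASE", "category": el.category, "note": "statutory period expired"}
    basis = BASIS_TEXT[el.basis]
    return {"decision": "RETAIN", "principal_id": principal_id, "request_date": requested_on.isoformat(),
            "category": el.category, "statutory_basis": basis,
            "retention_end": end.isoformat() if end else "relationship active; clock not started",
            "communication": f"Retained under {basis}; erasure will be re-evaluated on expiry."}
```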

Purpose-Specific Consent Records

Every loan origination workflow must capture distinct, purpose-specific consent records for:

  1. KYC verification and identity confirmation
  2. Credit bureau submission (naming the specific bureaus)
  3. Marketing communications (separate, optional)
  4. Product analytics and profiling (separate, optional)
  5. Data sharing with co-lenders or DSAs if applicable

These are four or five separate consent records, not a single terms-and-conditions acceptance. Each must be traceable to the specific notice version in effect at the point of signature.

For periodic re-KYC, a new consent record must be captured, not just a data update against the existing loan record.

Assess Your NBFC’s Compliance Position

The triple regulatory burden on NBFCs (RBI KYC, PMLA, and DPDP Act) is not a future concern. The DPDP Act’s enforcement timeline is defined. NBFCs that have not resolved the statutory retention vs. erasure conflict are carrying unquantified regulatory risk from two directions simultaneously.

The first step is to understand where your current posture falls short. Run your free Compliance Gap Assessment to identify the specific areas where your NBFC operation requires remediation. The assessment covers consent management, data retention practices, breach readiness, and Data Principal rights infrastructure.

For a complete view of DPDP obligations specific to the NBFC sector, see our NBFC Industry Guide. To understand how the Compliance Vault resolves the RBI/DPDP retention conflict, see Compliance Vault. To estimate your financial exposure, use the Penalty Calculator.