Written by

Sumeshwar Pandey

View Profile
10 min read

RBI vs DPDP: Erasure When KYC Retention Still Applies

How BFSI leaders can design erasure operations that respect DPDP while staying compliant with RBI KYC and PMLA record-keeping.
Key takeaways
  • DPDP grants individuals a right to erasure but explicitly allows retention where laws like RBI’s KYC Direction and PMLA require records to be kept.
  • For financial institutions, the real tension is not core KYC and transaction data, which must be retained, but surrounding marketing, profiling, analytics, and log data.
  • Classifying datasets into retain, minimise, and erase buckets enables consistent handling of erasure requests across core systems, CRM, analytics platforms, and archives.
  • An operating model built on clear data maps, retention schedules, orchestration workflows, and decision logs reduces regulatory risk and manual firefighting.
  • A consent and rights control layer such as Digital Anumarti - Service can coordinate DPDP rights, KYC retention exceptions, and downstream actions across complex BFSI stacks.

When a DPDP erasure request collides with KYC retention obligations

Picture a former current-account holder who closed their relationship with your bank three years ago. They have repaid every loan, withdrawn remaining balances, and moved to a competitor. One morning your grievance redressal inbox receives a formally worded DPDP erasure request: delete all my personal data from your systems and confirm within a fixed timeline.
Front-line staff know that DPDP recognises a right to erasure once the purpose is complete or consent is withdrawn. Your privacy officer is copied and starts drafting a response. At the same time, the AML head reminds everyone that RBI’s KYC Master Direction, read with PMLA rules, still requires retention of customer identification and transaction records for at least five years after the end of the business relationship. IT, already managing multiple archives and backups, is unsure which systems can safely purge what.
In the absence of a clear, organisation-wide design for reconciling these obligations, three things happen quickly: legal and compliance disagree on how much to erase, technology teams hesitate to touch core banking or KYC repositories, and customer-facing staff give inconsistent answers. Over-erasure risks breaching statutory record-keeping duties; under-erasure risks a DPDP complaint and creates an impression that you are ignoring the new privacy regime. That combination makes DPDP erasure in a high-retention sector a board-level topic rather than a narrow legal question.
Under the Digital Personal Data Protection Act, a data principal can ask a data fiduciary to erase personal data that is no longer necessary for the original processing purpose, or where they have withdrawn consent. The fiduciary must ensure that both its own systems and those of any engaged processors honour the request. However, the same provision states that data may be retained where this is necessary for compliance with any law in force. In financial services, most core KYC and transaction processing relies on this law-compliance basis rather than pure consent.[2]
DPDP also clarifies how it sits alongside other statutes. It operates in addition to existing laws, and in the event of an inconsistency it is meant to prevail. That does not mean it automatically cancels sectoral record-keeping rules. Because the Act itself recognises a law-compliance exception to erasure, a bank or NBFC that is required by RBI, PMLA, tax, or company-law provisions to retain particular data is expected to keep that data until the relevant period expires, even if the individual has asked for erasure.[1]
RBI’s KYC Master Direction, built on the Prevention of Money Laundering Act framework, is explicit on retention. Regulated entities must maintain records of customer identification and address, account files, and business correspondence for at least five years after the business relationship has ended, and must preserve transaction records for at least five years from the date of each transaction. Additional retention obligations may arise from suspicious transaction reporting, internal investigations, and directions from enforcement agencies, all of which assume that certain records remain intact and accessible.[3]
Beyond RBI and PMLA, many financial groups are simultaneously subject to SEBI, IRDAI, income-tax, and Companies Act record-keeping rules. Together, these regimes mean that for KYC documentation and core transaction histories, erasure in the DPDP sense usually does not mean literal deletion on request. Instead, DPDP’s real impact is to narrow the purposes for which retained data can be used and to bring surrounding datasets—marketing, profiling, analytics, and logs—firmly within the scope of erasure and minimisation.[6]

Decision matrix: what to erase, minimise, or retain when KYC retention still applies

To turn this legal position into operational clarity, it helps to classify your major datasets into three outcomes when faced with an erasure request: data that must be retained because of explicit legal obligations, data that should be minimised or moved to controlled archives, and data that should ordinarily be erased or irreversibly anonymised. The matrix will not look identical for every institution, but the broad buckets are similar across banks, NBFCs, and fintech lenders.
KYC identity proofs, account master data, and detailed transaction histories usually sit in the ‘must retain’ column. RBI and PMLA require these records for defined periods, and they underpin your ability to respond to tax enquiries, fraud investigations, and customer disputes. Here, the DPDP-aligned response to an erasure request is not deletion but purpose limitation and hardening. That typically means taking these datasets out of day-to-day analytics and marketing use, confining access to compliance and audit teams, and, where possible, migrating them from operational systems into encrypted regulatory archives with strict role-based controls.
Credit and fraud-risk models, bureau pulls, collection scores, and derived risk indicators often fall into a ‘minimise or archive’ category. Some elements may need to be retained to evidence underwriting decisions or collection actions, but many features can be aggregated, pseudonymised, or detached from direct identifiers once the active relationship ends. For exited customers who invoke erasure, it is usually possible to keep only the minimum data required to reconstruct key decisions, while aggregating the rest into non-personal datasets used for portfolio analytics and model tuning.
CRM records, marketing lists, cross-sell and upsell segments, behavioural analytics from mobile apps and websites, and many categories of system log data tend to rely primarily on consent or business necessity rather than on explicit legal mandates. For these, the default position under DPDP should be erasure or strong anonymisation when the individual withdraws consent or requests deletion. That includes stopping outbound campaigns, deleting or obfuscating personal identifiers in analytics warehouses, and tuning log-retention policies so that full-fidelity, identifiable logs are kept only as long as needed for security and audit. In a strategic trade-off view, the regulatory risk of under-deletion is highest in these edge datasets, while the risk of over-deletion is highest in the statutory KYC and transaction core.
Strategic trade-offs for common BFSI datasets when responding to DPDP erasure requests.
Data category Default outcome on erasure request Primary legal driver Strategic trade-off
KYC identity documents and account master records Retain in restricted regulatory archives; remove from optional analytics and marketing uses RBI KYC Direction, PMLA, tax and company-law record-keeping rules High risk if over-deleted (regulatory breach, weak investigation readiness); low flexibility on retention duration
Transaction histories and account statements Retain with tight access controls; progressively move from operational stores to cold archives after account closure PMLA, RBI KYC Direction, tax and dispute-handling requirements Balancing fast access for disputes and audits against minimising exposure in day-to-day analytics stacks
Credit models, fraud scores, and risk indicators Minimise: keep only features needed to evidence key decisions; aggregate or anonymise the rest Legitimate interest in evidencing underwriting and collections; some records needed for disputes and supervision Preserve the ability to explain historic decisions while reducing personal-data volume in modelling datasets
CRM, cross-sell lists, and marketing segments Erase or strongly anonymise; keep narrow suppression records where needed to prevent re-targeting Consent or business necessity, without explicit statutory retention mandates Regulatory and reputational risk sits on under-deletion; commercial risk comes from over-restricting future marketing
Behavioural analytics and system log data Tiered retention: keep identifiable logs only as long as needed for security and audit, then aggregate or anonymise Security, fraud monitoring, and operational audit requirements; limited explicit statutory durations Balance incident-response needs against DPDP expectations on data minimisation and erasure for exited customers

Operating model: architecting erasure and retention across BFSI systems

Once you know what belongs in the retain, minimise, and erase buckets, the challenge is to execute those decisions consistently across a heterogeneous stack: core banking platforms, card processors, LOS and LMS systems, CRM and marketing tools, data warehouses, and archival stores. The main risk is not that the rules are unclear on paper, but that every system team interprets them differently, leading to fragmented responses and weak auditability.
The starting point is a live data map that links customer journeys to systems and datasets. For each major data class—KYC documents, account and transaction records, risk and fraud data, CRM and marketing, analytics, and logs—your architecture team should know which applications hold it, what the primary processing purpose is, which lawful basis applies, which regulators drive retention, and what the configured retention period is. Tagging data with this metadata enables you to route it into distinct storage zones: hot operational stores for active relationships, warm stores for recent exits where some processing continues, and cold regulatory archives where data is kept only for statutory and dispute-resolution purposes.[4]
On top of that map, you need a rights and retention workflow. When a DPDP erasure request arrives, the process should authenticate the individual, identify all linked systems, and apply rules per data category. For some datasets, the workflow will instruct deletion or anonymisation; for others, it will shift records into restricted archives and mark them as blocked from marketing or profiling use. Every step—what was requested, which datasets were affected, which legal bases justified continued retention, who approved any overrides, and what was communicated back to the individual—should be recorded in a decision log that can be produced to the Data Protection Board or RBI supervisors if questioned. Governance makes this architecture stick: typically, the Data Protection Officer, chief compliance officer, and heads of IT and operations should jointly own the remediation playbook, including SLAs for responding to erasure requests, criteria for imposing litigation or investigation holds that pause deletion, and escalation paths for ambiguous cases. For multi-entity groups spanning banking, NBFC, brokerage, and insurance units, a group-level policy needs to distinguish which obligations attach to which entity, even if data is held in shared warehouses.
A structured sequence helps turn this model into day-to-day practice across your systems and teams.
  1. Build and maintain a customer-level data map
    Inventory which applications hold KYC, transaction, risk, marketing, analytics, and log data, and tie each dataset back to specific customer journeys and entities within your group.
  2. Attach lawful bases and retention periods to each data class
    For every dataset, document the primary purpose, lawful basis under DPDP, and the regulator- or law-driven retention obligations that constrain erasure decisions.
  3. Design hot, warm, and cold storage zones
    Place data for active relationships in hot stores, move recent exits to warm stores with limited processing, and shift long-term statutory records into encrypted cold archives with strict access controls.
  4. Implement orchestrated rights workflows
    Build a standard erasure workflow that validates identity, fans out to all relevant systems, applies dataset-specific rules, and records each decision and action in a central log.
  5. Formalise governance and escalation paths
    Assign joint ownership to the DPO, compliance, IT, and operations, agree SLAs, and define how difficult cases and potential investigation holds are escalated and resolved.
  6. Test complex scenarios before volume scales
    Run dry runs on offboarding and historic customer scenarios across entities to prove that retention rules, erasure logic, and audit trails behave as designed.

Troubleshooting erasure and retention conflicts in practice

Even with a clear framework, the first few erasure requests will surface weak spots in legacy systems and routines. Treating those cases as structured tests rather than one-off firefights makes it easier to harden your model before volumes increase.
  • Different systems apply different rules: If core banking, CRM, and data-lake teams are working from separate interpretations of DPDP and KYC retention, lock down a single written standard and route all erasure decisions through it, with sign-off from the DPO and compliance.
  • Manual scripts cause over-deletion: Where DBAs and developers are using ad-hoc SQL or storage clean-ups to respond to rights requests, require use of the standard workflow and separate regulatory archives so that statutory records are never touched directly.
  • You cannot reconstruct past decisions: If you struggle to explain how a previous erasure request was handled, prioritise building a central decision log and dashboard that capture scope, legal basis, actions taken, and approvals for every request.
  • Vendors lag behind your policies: When processors or cloud providers cannot yet support your retention and erasure rules, tighten contractual obligations, set migration timelines, and, where necessary, narrow the datasets they receive until their capabilities catch up.

Coordinating erasure and retention through a consent and rights layer such as Digital Anumarti - Service

In many large institutions, attempting to hard-code DPDP rights and KYC retention logic separately into every application quickly becomes unmanageable. An alternative pattern is to introduce a dedicated consent and rights layer that sits between customer channels and back-end systems. This layer maintains a single view of notices, consents, lawful bases, and retention rules, receives erasure and other rights requests, determines where legal or regulatory exceptions apply, and then orchestrates downstream deletion, archival, or restriction actions while capturing an audit trail.
Digital Anumarti - Service is an example of such a DPDP-focused consent and rights orchestration platform. When evaluating whether to build internally or adopt a specialised platform, senior teams should look for the ability to model Indian lawful bases, encode RBI, PMLA, and other regulator-driven retention rules, handle partial fulfilment where KYC records must be retained, integrate with core banking, lending, CRM, and data-warehouse systems at scale, and produce clear evidence for regulators on how each request was handled. If you are exploring this architecture, it is worth comparing dedicated offerings such as Digital Anumarti - Service with in-house builds to understand design options, integration effort, and the level of auditability each approach provides, and you can learn more on the Digital Anumarti - Service site.[7]

How Digital Anumarti - Service supports DPDP-era erasure and retention

Digital Anumarti - Service

1

API-driven consent ledger integrated with core systems

Digital Anumarti - Brand case studies describe an API-driven consent ledger integrated directly with transactional systems so that consent capture and mapping are digitised at the point of data entry, rather than on paper or in disconnected tools.

Why it matters for you

For BFSI teams, this pattern makes it realistic to coordinate DPDP notices and consents with KYC and transaction flows across core banking, LOS/LMS, and card platforms without relying on manual reconciliations.

2

Automated retention and cold-storage pipelines

In one deployment, Digital Anumarti - Brand highlights automated data-retention and deletion pipelines that move records from active operational databases into encrypted cold-storage logs once legal retention periods expire or consent is withdrawn, while keeping medico-legal obligations intact.

Why it matters for you

The same pattern can help banks and NBFCs honour DPDP erasure requests for non-statutory data while preserving KYC and transaction records in secure archives for RBI and PMLA compliance.

3

Event-driven handling of consent withdrawals

Case studies describe a revocation pipeline where, when an individual withdraws consent, Digital Anumarti - Service triggers cascading updates that remove data from active processing systems and place it into encrypted retention logs aligned to legal obligations.

Why it matters for you

For financial institutions, this demonstrates how consent withdrawals and DPDP erasure requests can be propagated automatically across CRM, analytics, and downstream processors while keeping statutory KYC records intact but quarantined.

4

Server-side preference centre for marketing and outreach

In another deployment, Digital Anumarti - Brand reports a server-side preference centre that uses event-driven syncing and webhooks to update CRM systems when individuals reject marketing cookies or opt out, halting automated WhatsApp and email campaigns.

Why it matters for you

This capability maps closely to the need in BFSI to decouple statutory KYC and transaction data from optional marketing and cross-sell activity, ensuring that erasure of marketing profiles does not disturb mandatory records.

5

Logged rejections and purpose limitation enforcement

Digital Anumarti - Brand highlights deployments where explicit rejections of secondary processing are logged in the consent ledger and enforced at database level, reducing the risk of unauthorised data sharing penalties.

Why it matters for you

For regulated financial entities, a similar ledger can demonstrate to DPDP and sectoral regulators that marketing, analytics, and profiling uses are automatically constrained once consent is withdrawn or erasure is requested.

6

Single source of truth for consent with emergency overrides

Healthcare implementations described by Digital Anumarti - Brand show a single, real-time source of truth for consent that all departments reference, with carefully governed emergency override flows logged for audit.

Why it matters for you

In BFSI, a unified consent and rights layer with controlled override capabilities can support exceptional access for fraud, AML, or regulatory investigations while still demonstrating that DPDP rights and erasure limits are respected in normal operations.

Evidence Digital Anumarti - Brand case studies

Executive checklist and cost of delaying an erasure-ready KYC strategy

At an executive level, a practical way to test readiness is to ask a series of pointed questions.
  • Do we have an up-to-date data map that shows, for any given customer, where KYC, transaction, risk, marketing, and analytics data reside across our stack?
  • For each of those datasets, have we documented the primary purpose, lawful basis, regulator-driven retention period, and the person accountable for approving changes?
  • When an erasure request arrives, is there a single orchestrated workflow with defined SLAs, or do teams improvise on email threads?
  • Are our privacy notices, KYC forms, and offboarding screens explicit about which data cannot be deleted due to RBI, PMLA, tax, or other legal obligations, and which data will be erased or minimised?
  • Can we, within a short timeframe, demonstrate to internal audit how the last few erasure requests were handled end-to-end?
If the honest answer to several of these questions is ‘not yet’, the cost of inaction is real. On one side lies the risk of DPDP complaints, investigations, and penalties for failing to honour erasure where no legal exception applied, or for being unable to show how decisions were made. On the other side lies the risk of over-deletion: destroying KYC or transaction records before minimum retention periods expire, weakening your position in fraud cases or tax audits, and inviting scrutiny from RBI, FIU-IND, and other agencies. Operationally, handling each request as a bespoke exercise consumes scarce senior time, increases the chance of inconsistent treatment across entities and geographies, and often forces emergency IT work on legacy systems.
There is also an opportunity-cost dimension. Institutions that put a coherent erasure-and-retention architecture in place gain a clearer view of their data estate, reduce noisy debates between privacy and business teams, and are better placed to design new analytics and personalisation use cases that respect DPDP constraints from day one. Those that delay are more likely to face hurried, tactical fixes driven by individual complaints or regulatory findings, which tend to be more expensive and harder to unwind.[5]

Common questions about erasure when KYC retention still applies

Even with a clear framework, senior teams encounter recurring questions once they start operationalising DPDP erasure alongside KYC and PMLA retention. Most of these are not about the obvious core—nobody suggests deleting active-account KYC documents—but about the surrounding grey zones: marketing data tied to account numbers, shared services across group entities, cloud vendors, and how much detail to share with customers about what will and will not be erased.
The following questions capture issues that frequently arise in board and executive discussions. Addressing them in your own context, with input from compliance and legal, will help anchor your operating model and reduce friction when the first high-profile erasure request lands.
FAQs

In general, no. Where RBI’s KYC Master Direction and PMLA rules require you to maintain customer identification and transaction records for defined periods, those obligations anchor the law-compliance exception in the DPDP Act. That means you should not delete KYC documents or core transaction histories before the minimum retention period expires simply because an individual has requested erasure. The main exceptions are where the statutory period has already lapsed and no other legal, regulatory, or litigation hold applies, or where the data was collected or stored in excess of what any law requires—for example, duplicate copies scattered across test environments or ad-hoc spreadsheets. A well-designed policy distinguishes clearly between mandated records, which are non-negotiable, and surplus copies, which should be minimised.

Marketing, cross-sell, and profiling data linked to KYC or transaction records usually relies on consent or business necessity rather than explicit statutory mandates. When an individual withdraws consent or requests erasure, the default move is to stop further marketing and profiling, delete or anonymise marketing-specific attributes in CRM and analytics platforms, and ensure those changes propagate to downstream tools such as email, SMS, and in-app engagement systems. Where you need to retain limited information to honour suppression—for example, a hashed identifier to avoid re-adding a customer to marketing lists—you should document this as a narrow, clearly justified exception. The key is to decouple marketing and profiling from the statutory KYC and transaction core so that legal retention requirements do not become a pretext for holding on to optional uses of the data.

Regulators are likely to focus less on the outcome in a single edge case and more on whether your decision was made under a structured, well-documented process. For each erasure request that is refused or only partially granted, you should be able to show: the original request and how the requester’s identity was verified; the datasets identified as in scope; the lawful basis and applicable retention rules for each dataset; the specific grounds on which you concluded that certain data had to be retained; any approvals or legal opinions that informed the decision; what was actually erased or anonymised; and the explanation provided to the individual. Capturing this in a central decision log, rather than in scattered email threads, makes it much easier to demonstrate accountability to the Data Protection Board, RBI, or internal audit.

Clarity early in the relationship is more effective than defensive explanations at offboarding. Privacy notices, account-opening forms, and digital consent flows should state in plain language that certain records—such as KYC documents and transaction histories—must be retained for specific periods to comply with RBI, PMLA, tax, and other laws, and will only be used for those regulatory and dispute-resolution purposes once the relationship ends. At the same time, they should make clear that marketing and optional analytics uses are subject to consent and can be withdrawn. When responding to a concrete erasure request, explain which categories of data you have deleted or minimised and which you are required to keep, referencing the underlying legal obligations rather than generic ‘policy’. Customers are more likely to accept limits when they can see that you are applying a consistent, law-based rule rather than improvising.

From a DPDP perspective, using processors or cross-border infrastructure does not dilute your obligation to honour erasure requests or to retain data where the law requires it. Contracts with processors and cloud vendors should require them to support your retention schedules and erasure workflows, including the ability to delete, archive, or restrict data on your instructions and to provide evidence of those actions. Where data is transferred outside India, you also need to account for any government notifications that restrict transfers to particular jurisdictions, but the basic logic remains the same: for data that can be erased, your processors must execute deletions end-to-end; for data that must be retained under RBI, PMLA, or other laws, they must preserve it securely for the required period and not repurpose it beyond your documented instructions.

Sources
  1. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) - Ministry of Law and Justice, Government of India (Gazette of India)
  2. Digital Personal Data Protection Rules (2025) – PwC India overview - PwC India
  3. FAQs – The Digital Personal Data Protection Act, 2023 - Cyril Amarchand Mangaldas
  4. Record Maintenance Policy of the Bank (Updated up to Dec-2022) - Central Bank of India
  5. Unravelling the Importance of the DPDP Act for the BFSI Sector - CyberNX
  6. Frequently Asked Questions: Digital Personal Data Protection Framework – Notice Management - Data Security Council of India (DSCI)
  7. Digital Anumati – DPDP Act Consent Management Solution - Digital Anumati

Related pages

Updated At Apr 18, 2026

Consent Logging for Regulated Financial Services

A business-style article for technical evaluators about consent logging for regulated financial services, aimed at regulated finance teams balancing customer

 Updated At May 23, 2026

Co-Lending Consent Chain: From Lead Source to NBFC to Bank

How Indian banks, NBFCs, and fintech LSPs can design an auditable co-lending consent chain from lead source to NBFC to bank under RBI and DPDP requirements.

 Updated At May 19, 2026

Insurance Journeys: Consent for Underwriting, Wellness, and Marketing

Procurement-focused guidance for Indian insurers designing DPDP-compliant consent journeys across underwriting, wellness programmes, and marketing, and evaluating consent-management platforms for complex BFSI stacks.

 Updated At May 18, 2026

Deletion Pipelines: How to Operationalize Erasure Requests

A technical guide for Indian engineering leaders on designing event-driven deletion pipelines that operationalize DPDP Act erasure rights across OLTP, analytics, logs, backups, and third-party processors, with defensible audit evidence.

 Updated At May 16, 2026

Handling Legacy Data Collected Before DPDP

For Indian CXOs: how the DPDP Act and Rules treat personal data collected before commencement, and how to run a 12–18 month legacy data remediation programme.

 Updated At Apr 18, 2026

Log Retention, Deletion, and Audit Trails: Building an Evidence Program

A business-style piece for technical evaluators that explains log retention, deletion, and audit trails— building an evidence program and turns policy

 Updated At May 19, 2026

Data Processors vs Data Fiduciaries: Operational Responsibilities Explained

For Indian procurement and leadership teams: a practical guide to data fiduciary vs data processor roles under the DPDP Act, with contract, RFQ, scorecard, and vendor-risk implications.

 Updated At May 18, 2026

What Evidence Do You Need to Defend Consent before the DPB?

Executive guide for Indian leadership teams on evidence needed to prove valid consent under the DPDP Act before the Data Protection Board and how to embed it into operations.

 Updated At May 18, 2026

What Counts as a Reasonable Security Safeguard under DPDP?

A strategic guide for Indian CXOs on how DPDP’s “reasonable security safeguards” duty translates into concrete controls, governance, vendor oversight, and audit-ready evidence.

 Updated At May 17, 2026

The 2026 DPDP Audit Checklist: 50 Things Auditors Will Ask For

A procurement-focused guide for Indian business leaders that turns the DPDP Act 2023 and DPDP Rules 2025 into a 50-point 2026 audit checklist, with concrete artefacts, RFQ questions, and vendor scorecard criteria.