DPDP vs RBI KYC Guidelines: Which Law Overrides Which?
When India’s Digital Personal Data Protection Act (DPDP Act) came into force, it handed citizens a new right: to have their personal data erased from a company’s systems once the purpose for holding it is over. For bank customers, this raised an obvious question: Can I ask my bank to delete my KYC records?
The answer is not straightforward. Banks in India operate under a parallel set of obligations — the RBI’s KYC Master Direction, 2016, and the Prevention of Money Laundering Act (PMLA), 2002 — both of which require them to retain your KYC data for mandated periods. These rules don’t disappear just because the DPDP Act exists.
So when two laws clash — a privacy law that demands deletion and a financial regulation that demands retention — which one wins?
This article breaks down the conflict clearly, so customers and compliance teams both know exactly where they stand.
What the DPDP Act Says About Data Erasure
The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted on August 11, 2023, and its rules were notified on November 13, 2025. At its core, the Act gives individuals — called Data Principals — significant control over their personal data.
Under the DPDP Act, you have the right to:
- Withdraw consent for the processing of your personal data at any time
- Request erasure of your personal data once the purpose for which it was collected is fulfilled or your consent is withdrawn
- Receive a response to such requests within 90 days
The Act places the obligation on Data Fiduciaries (organisations that collect and process your data — including banks) to delete personal data once it is no longer needed for its original purpose or legally required to be retained.
Crucially, the Act also prohibits indefinite retention of personal data. If a company has no active purpose or legal obligation to keep your data, retaining it becomes unlawful under the DPDP Act.
However, the Act includes a key exception: data can be retained beyond the point of withdrawal or purpose-completion if another law specifically requires it. This is exactly where the conflict with RBI guidelines begins.
What RBI KYC Guidelines Say About Data Retention
The Reserve Bank of India’s Master Direction — Know Your Customer (KYC) Direction, 2016 (last updated August 2025) is the primary regulation governing how banks collect, verify, and store customer identity information.
Under these directions, all RBI-regulated entities — including banks, NBFCs, and payment system providers — are required to maintain KYC records for a minimum of five years after the business relationship ends or the account is closed, whichever is later.
In practice, the retention timeline looks like this:

| Record Type | Minimum Retention Period |
| --- | --- |
| KYC documents (ID proof, address proof) | 5 years after account closure |
| Transaction records | 5 years from the date of each transaction (as per PMLA) |
| NPO registration records | 5 years after the business relationship ends |
| Periodic KYC updation records | Retained through the active relationship + 5 years |
Additionally, the RBI’s 2025 Commercial Banks KYC Directions require periodic KYC re-verification based on customer risk profiles:
- High-risk customers: Every 2 years
- Medium-risk customers: Every 8 years
- Low-risk customers: Every 10 years
This means a low-risk customer’s KYC data is periodically refreshed and retained for the entire duration of the banking relationship — plus five years after it ends — with no hard upper limit.
The PMLA adds another layer: records of all transactions must be retained for at least five years measured from the date of each transaction, a clock that runs independently of when the account is closed.
The Core Legal Conflict: Erasure Right vs. Retention Mandate
Here is where the tension becomes clear.
Imagine a customer closes their bank account and withdraws consent for the bank to process their data. Under the DPDP Act, the bank should erase personal data once the purpose is over. But under RBI KYC rules and PMLA, the bank must retain that data for at least five more years.
These two obligations point in directly opposite directions.
The DPDP Act’s erasure right states that a Data Fiduciary must erase personal data unless its retention is necessary to fulfil the original purpose or comply with legal obligations.
This is the resolution clause — and it is decisive.
Which Law Overrides Which? The Legal Answer
RBI KYC guidelines and PMLA take precedence over the DPDP Act’s erasure right when a statutory retention obligation exists.
This is not a loophole — it is by design. The DPDP Act itself carves out an exception for retention obligations imposed by other laws. The Act was designed to coexist with India’s existing sectoral regulations, not override them.
Here is how the hierarchy works in practice:
- DPDP Act sets the general rule: Delete data once the purpose is served or consent is withdrawn
- DPDP Act’s own exception: Retention is permitted when required by law
- RBI KYC Direction and PMLA qualify as “law”: Both impose statutory retention obligations
- Result: Banks can lawfully refuse a KYC data deletion request if the statutory retention period has not yet expired
The practical position follows directly from that exception: when a bank receives a data erasure request, it may lawfully refuse deletion where retention is mandated by RBI regulations or the PMLA. However, simply refusing is not enough. The bank must:
- Clearly communicate to the customer the legal basis for retaining their data
- Ensure that non-essential data — data not covered by the retention mandate — is deleted
- Maintain proper documentation to justify its retention decision if audited
What This Means for Bank Customers
If you close a bank account and ask your bank to delete all your KYC data under the DPDP Act, here is what can happen:
The bank can legally say no — for the mandated records. Your KYC documents, transaction history, and identity records must be kept for at least five years after account closure under RBI and PMLA rules. Your erasure request cannot override this.
But the bank cannot retain everything indefinitely. Any data that falls outside the scope of the statutory mandate must be erased once the purpose is complete. For example, marketing data, browsing behaviour on the bank’s app, or preference data not tied to KYC or AML compliance — these are not protected by the RBI retention mandate and should be deleted on request.
The Data Principal rights under the DPDP Act, including the erasure right, are scheduled to take effect from May 13, 2027, 18 months after the DPDP Rules were notified on November 13, 2025, as per the government’s gazette notification. Until then, the existing RBI and PMLA framework applies on its own.
What This Means for Banks and Compliance Teams
Banks now face a dual compliance mandate — they must satisfy both the DPDP Act and their existing RBI/PMLA obligations simultaneously.
Key practical obligations for banks under this dual regime:
- Separate retained data from deletable data: Not all customer data falls under the KYC retention mandate. Banks must audit their data holdings and distinguish between:
  - Data required by law to be retained (KYC documents, transaction records)
  - Data collected for other purposes that must be deleted post-relationship
- Communicate clearly to customers: When refusing an erasure request, banks must give the customer a clear explanation citing the specific legal provision that mandates retention. A vague refusal will not satisfy the DPDP Act’s transparency obligations.
- Avoid indefinite retention without justification: The RBI’s current directions allow banks to keep KYC data beyond five years without prescribing a hard outer limit. The DPDP Act’s bar on indefinite retention cuts against open-ended holding. Banks should establish defined retention schedules, with a computed end date for every statutory hold, and not retain data beyond what is reasonably required.
- Apply data minimisation to non-mandatory data: The DPDP Act’s principle of data minimisation applies even when some data must be retained. Banks should not retain more data than what the law specifically requires.
- Prepare for DPDP’s phased enforcement: The DPDP Rules, 2025 come into force in phases. Banks classified as Significant Data Fiduciaries (SDFs), which large banks are likely to be, face additional obligations including Data Protection Impact Assessments (DPIAs), a resident Data Protection Officer (DPO), and independent audits.
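The first three obligations above (partition holdings by legal basis, compute a retention end date for every statutory hold, cite the basis back to the customer) are a procedure a bank’s data team has to encode somewhere. The following is an added illustration of that triage, not code from the article, the RBI or any bank. It takes the figures the article quotes (five-year minimum, 90-day response window, transaction records measured from the transaction date, KYC records from account closure) and applies them to a constructed set of records; the record category names, the `STATUTORY_BASIS` labels and the sample dates are assumptions made for the example, and a real implementation would cite the exact clause of the Master Direction or PMLA rules it relies on.

```python
"""Erasure-request triage under the DPDP / RBI KYC / PMLA dual regime.

Added illustration only. Retention figures are those quoted in the article;
record categories, basis labels and sample records are constructed here.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RETENTION_YEARS = 5        # minimum retention quoted for RBI KYC MD and PMLA
RESPONSE_WINDOW_DAYS = 90  # DPDP response window quoted in the article

# Statutory basis per record category (labels are assumptions; a real system
# would cite the exact clause). Categories absent from this map are held on
# consent alone and must be erased once consent is withdrawn / purpose ends.
STATUTORY_BASIS = {
    "kyc_document": "RBI KYC Master Direction, 2016: retain 5 years after relationship ends",
    "periodic_kyc_update": "RBI KYC Master Direction, 2016: retain 5 years after relationship ends",
    "transaction": "PMLA, 2002: retain 5 years from the date of the transaction",
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    event_date: date  # transaction date for transactions; collection date otherwise


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                    # "delete" or "retain"
    legal_basis: Optional[str]     # quoted to the customer when retaining
    retain_until: Optional[date]   # None while the relationship is still open


def add_years(d: date, years: int) -> date:
    """Calendar-year offset; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record, closure_date: Optional[date]) -> Optional[date]:
    """Date the statutory hold on a record lapses (None = not yet computable)."""
    if rec.category == "transaction":
        return add_years(rec.event_date, RETENTION_YEARS)   # PMLA clock: per transaction
    if closure_date is None:
        return None                                          # account still open
    return add_years(closure_date, RETENTION_YEARS)          # KYC clock: from closure


def triage(records: List[Record], request_date: date,
           closure_date: Optional[date]) -> List[Decision]:
    """Split an erasure request into deletable and statutorily held records."""
    decisions = []
    for rec in records:
        basis = STATUTORY_BASIS.get(rec.category)
        if basis is None:
            # Consent-only data (marketing, app behaviour, preferences): erase.
            decisions.append(Decision(rec.record_id, "delete", None, None))
            continue
        end = retention_end(rec, closure_date)
        if end is not None and end <= request_date:
            # Statutory period has already lapsed: the DPDP erasure right applies.
            decisions.append(Decision(rec.record_id, "delete", None, None))
        else:
            decisions.append(Decision(rec.record_id, "retain", basis, end))
    return decisions


def response_deadline(request_date: date) -> date:
    """Latest date by which the bank must answer the Data Principal."""
    return request_date + timedelta(days=RESPONSE_WINDOW_DAYS)


# Constructed sample: account closed 31 Mar 2024, erasure request on 15 Jan 2026.
SAMPLE_CLOSURE = date(2024, 3, 31)
SAMPLE_REQUEST = date(2026, 1, 15)
SAMPLE_RECORDS = [
    Record("KYC-1", "kyc_document", date(2019, 6, 1)),
    Record("TXN-1", "transaction", date(2020, 10, 5)),   # 5-year PMLA clock already lapsed
    Record("TXN-2", "transaction", date(2024, 2, 14)),   # still within PMLA hold
    Record("MKT-1", "marketing_preference", date(2023, 5, 2)),
    Record("APP-1", "app_behaviour", date(2024, 1, 9)),
]


def sample_decisions() -> List[Decision]:
    return triage(SAMPLE_RECORDS, SAMPLE_REQUEST, SAMPLE_CLOSURE)


if __name__ == "__main__":
    print(f"respond by {response_deadline(SAMPLE_REQUEST)}")
    for d in sample_decisions():
        print(d.record_id, d.action, d.retain_until or "", d.legal_basis or "")
```

Two design choices matter here. Every "retain" decision carries both a basis string and a computed end date, so the bank can answer the customer with the specific provision and the date on which the record becomes deletable, which is the documentation an auditor will ask for. And the transaction and KYC clocks are kept separate: a transaction record whose five years have already run (TXN-1 above) is deletable even though the KYC documents for the same account are not, so the statutory hold never silently expands to cover everything the customer ever generated.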
The Bigger Picture: Why This Conflict Matters
The tension between DPDP erasure rights and RBI retention mandates is not unique to banking. A similar conflict exists between DPDP and SEBI’s investor record retention rules, IRDAI’s policyholder data mandates, and TRAI’s subscriber data retention requirements.
In each case, the sectoral regulation prevails over the DPDP Act’s erasure right when a genuine statutory obligation exists. The DPDP Act functions as a broad umbrella framework — it raises the baseline for data protection across all sectors, but it does not displace specific laws that were already operating in that space.
What the DPDP Act does accomplish, even in areas where retention is legally mandated, is this: it forces organisations to justify, document, and communicate every data retention decision. Retaining data by default — without purpose, without documentation, without transparency — is no longer acceptable.
Quick Summary: DPDP vs RBI KYC — At a Glance
| Aspect | DPDP Act | RBI KYC Direction / PMLA |
| --- | --- | --- |
| Core obligation | Delete data once the purpose is over | Retain KYC records for a minimum of 5 years post-closure |
| Erasure right | Yes: customers can request deletion | Banks can refuse if a statutory retention mandate applies |
| Who prevails in a conflict? | Yields to the sectoral retention mandate | RBI KYC Direction / PMLA take precedence for mandated records |
| Does DPDP still apply? | Yes, for data outside the mandate | Banks must delete non-KYC data on request |
| Enforcement timeline | Erasure right (with the other Data Principal rights) from May 13, 2027 | Already in force |
FAQs
Q: Can I ask my bank to delete my KYC data after closing my account? You can make the request, but the bank is legally permitted to retain your KYC documents and transaction records for at least five years after account closure under RBI and PMLA rules. The DPDP Act’s erasure right does not override this statutory obligation.
Q: Does the DPDP Act cancel out RBI KYC rules? No. The DPDP Act was designed to coexist with existing sectoral regulations. Where another law specifically mandates retention — as RBI and PMLA do — the DPDP erasure right does not apply.
Q: Which law takes precedence — DPDP or RBI KYC Direction? RBI KYC Direction and PMLA take precedence over the DPDP Act’s erasure right for mandated KYC and transaction records. The DPDP Act itself provides this exception.
Q: Is the bank required to delete any of my data under DPDP? Yes. The bank must delete personal data that is not covered by a statutory retention mandate — such as marketing data, non-KYC behavioural data, or preferences. Only data specifically required by RBI/PMLA to be retained is exempt from the erasure obligation.
Q: When does the DPDP erasure right for KYC data come into full effect? The Data Principal rights under the DPDP Act, including erasure, are scheduled to come into force on May 13, 2027, 18 months after the DPDP Rules were notified, per the government gazette notification.
Conclusion
The DPDP Act represents a landmark shift in how India treats personal data — but it was not designed to dismantle India’s financial regulation framework. When it comes to KYC data, RBI guidelines and PMLA retention mandates lawfully override the DPDP erasure right for the duration of the statutory retention period.
What the DPDP Act does change, even within this space, is the standard of transparency and accountability that banks must meet. Retention decisions must be documented, communicated, and purpose-bound. Open-ended, unexplained data hoarding — even of KYC data — is increasingly untenable.
For customers: you cannot delete your KYC records while the law requires them to exist. But you can — and should — demand that your bank justify every byte it holds beyond that legal minimum.
For banks: compliance is no longer just about retaining what the law requires. It is equally about deleting what it does not.