STATUTORY CONSTRUCTION · SECTION 8(7) · ILLUSTRATION II

The RBI-DPDP Retention Conflict
Section 8(7) Already Resolves It

Core thesis: The supposed conflict does not exist as a matter of statutory construction.
Controlling provision: DPDP Act 2023, Section 8(7) parent clause, opening words.
Statutory aid: Illustration II to Section 8(7) — expressly about banks.
Retention source: PML (Maintenance of Records) Rules 2005; RBI Master Direction on KYC.
Real challenge: Documentary, namely a per-data-element legal basis register.

A thesis has become fashionable in data protection commentary since the notification of the Digital Personal Data Protection Rules, 2025: that Indian banks face an irreconcilable legal conflict between the RBI’s Know-Your-Customer record preservation mandate and the DPDP Act’s right-to-erasure framework. The argument appears weighty. It is not. A patient reading of Section 8(7) of the Act — specifically the opening words of the parent clause and the text of Illustration II appended to it — demonstrates that the Act itself has disposed of this question at source.

What remains is not a jurisprudential conflict but a documentary compliance task. This article sets out the misconception, quotes the text that resolves it, explains what banks and NBFCs must document, and identifies the genuine (smaller) DPDP-RBI overlap zones where careful architecture is required. By Advocate Subodh Bajpai, Unified Chambers and Associates.

The Misconception

The Story Being Told in the Market

The argument, as typically presented in industry panels, compliance seminars, and LinkedIn long-form posts since November 2025, runs broadly as follows.

The RBI Master Direction on Know-Your-Customer requires regulated entities — commercial banks, NBFCs, payment system operators, housing finance companies, asset reconstruction companies — to preserve customer identification records and transaction records for a specified period after the business relationship terminates. The Prevention of Money-Laundering Act 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules 2005 layer a parallel obligation at the statutory level: Rule 3 and Rule 9 require records of transactions, client due-diligence material, and beneficial ownership information to be maintained for five years from completion of the transaction or termination of the business relationship, whichever is applicable.

On the other side, Section 8(7) of the Digital Personal Data Protection Act 2023 obliges a Data Fiduciary to erase personal data “as soon as it is reasonable to assume that the specified purpose is no longer being served”. A closed savings account, the argument goes, is a paradigmatic case of a specified purpose no longer being served. Therefore the bank must erase. But RBI and the PML Rules simultaneously say the bank must retain. The obligations are said to be mutually exclusive. The commentator typically closes with a rhetorical flourish — “which regulator will the bank displease?” — and a call for urgent clarifying guidance from either MeitY or the RBI.

The difficulty with this thesis is that it proceeds by quoting Section 8(7)(a) alone. It omits the opening words of the parent clause of Section 8(7). It omits Illustration II. When those are restored to view, the entire conflict disappears.

A Point of Legislative Draftsmanship

Parliament was aware of the retention-erasure tension when it enacted the DPDP Act. That is precisely why Illustration II was placed in the statute. Illustrations appended to a section are not decorative — they form part of the enactment and are a recognised aid to construction.

Section 8(7) · The Full Text

Reading the Provision in Full

Section 8(7) of the Digital Personal Data Protection Act, 2023 — as published in the Gazette of India Extraordinary on 11 August 2023 — has two components a practitioner must always read together: the parent clause containing the opening carve-out, and the illustrations appended to it that show how the carve-out applies.

Section 8(7) · Parent Clause (verbatim)
“A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force, — (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.”

The operative words that the popular commentary tends to drop are the opening phrase: “unless retention is necessary for compliance with any law for the time being in force”. This is a traditional non-obstante carve-out. It sits at the head of the provision and governs everything that follows. The erasure obligation in sub-clauses (a) and (b) does not arise at all where retention is legally required. It is not that the bank must erase and then plead a defence; the duty to erase is excluded ab initio when there is a statutory retention mandate.

Illustration II to Section 8(7) (verbatim)
“X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period.”

Three points deserve emphasis.

First, Parliament chose banking as the illustrative fact pattern. Of all the industries whose retention obligations it could have used to demonstrate the carve-out — tax records, corporate registers, healthcare, telecoms — the drafters selected a bank and a closed savings account. This is no accident. It reflects the legislative assessment that banking retention is the most prominent interaction with the Act’s erasure principle, and that the principle had to be resolved clearly on the face of the statute.

Second, the ten-year figure in Illustration II is illustrative, not prescriptive. An illustration to a section in Indian statutory drafting is a legislative instrument that shows how the rule operates on assumed facts. The number is chosen for clarity of exposition. It does not create a ten-year rule. The actual retention period for any given Data Fiduciary is drawn from the law that requires the retention — for Indian banks that is, at a minimum, the five-year period prescribed by Rule 3 and Rule 9 of the PML (Maintenance of Records) Rules 2005, augmented by the RBI Master Direction on KYC and by any sector-specific rules (for example, longer periods under tax law, limitation law, or directions in respect of disputed transactions).

Third, the mechanism is automatic. Illustration II does not require the bank to apply to the Data Protection Board for permission, seek an exemption under Section 17, or structure the retention as “legitimate interest”. The retention happens because the law requiring it is in force. The bank’s task is documentary: to be able to point to that law when asked.

Statutory Interpretation Note

Illustrations to a section are an integral part of the section and are regarded by Indian courts as legitimate aids to construction of the section. They can be used to resolve ambiguity or doubt, and they cannot be lightly brushed aside on the ground that the enacting part of the section is clear. Where an illustration and the enacting part are consistent, each reinforces the other.

Operational Compliance

The Legal Basis Register Banks Must Maintain

The Section 8(7) carve-out is self-executing in law. In practice, a bank will be asked to prove its compliance. The natural forum for such proof is a complaint before the Data Protection Board of India, a supervisory enquiry by the RBI, or a grievance filed by a customer who alleges that the bank has retained data beyond what the law required. In each case, what the bank must produce is a legal basis register — a per-data-element matrix that maps each category of retained personal data to the specific legal provision that authorises the retention, the retention period flowing from that provision, and the erasure trigger.

Data Category | Purpose | Legal Basis | Period | Erasure Trigger
KYC identity documents | Customer due diligence; AML monitoring | Rule 9, PML (Maintenance of Records) Rules 2005; RBI Master Direction on KYC | 5 years from end of relationship | Scheduled erasure on period expiry
Transaction records | AML/CFT compliance; audit | Rule 3, PML (Maintenance of Records) Rules 2005 | 5 years from completion of transaction | Scheduled erasure on period expiry
Tax-relevant records (TDS, Form 15G/H) | Income-tax compliance | Income-tax Act 1961 and rules | As prescribed under tax law | Scheduled erasure on period expiry
Credit-decision data | Loan sanction; asset classification | RBI Master Directions on Income Recognition and Asset Classification; contractual basis | Until discharge plus limitation period | Scheduled erasure on period expiry
CCTV / branch footage | Physical security | Internal security policy; not PMLA-mandated | Short cycle (e.g. 90 days) unless flagged | Automatic rolling erasure
Marketing-consent records | Direct marketing campaigns | Consent under DPDP Section 6 | Until withdrawal of consent | On withdrawal, erase within operative cycle

The distinction the final row captures is important. Where data is retained purely on consent (for example, marketing profile information), the Section 8(7) carve-out does not apply — no law requires the retention. The DPDP erasure obligation fires in the ordinary way. A bank that holds indefinitely a customer’s marketing preferences or behavioural analytics profile on the claim that “we are regulated” is exposed: the regulator does not require the retention, and Section 8(7)(a) therefore operates without carve-out.

A defensible register is granular. It does not say “we retain customer data for five years because of PMLA”. It distinguishes between data elements, names the specific rule for each, and sets a distinct erasure trigger for each. When the Data Protection Board asks “why do you still hold her mobile number five years after account closure?” the Data Protection Officer should be able to point to a named row in the register.
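The register as a data structure, with the Section 8(7) decision applied row by row, as an added example (this is not the article's or any bank's own code). The rows mirror the illustrative table above, the customer dates are constructed, and the register keys, the `decide` function and the `Decision` result type are this example's own names, not anything prescribed by the Act or the Rules:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not the article's or any bank's code: the per-data-element
# legal basis register as a data structure, with the Section 8(7) decision
# applied row by row. Rows mirror the article's illustrative table; the
# retention figures are the article's and the customer events are constructed.


@dataclass(frozen=True)
class RegisterRow:
    category: str
    purpose: str
    legal_basis: Optional[str]      # None: held on consent only, no law requires retention
    retention_years: Optional[int]  # None: no fixed period (until consent is withdrawn)
    trigger: str                    # event that starts the retention clock


@dataclass(frozen=True)
class Decision:
    action: str               # "retain" or "erase_now"
    erase_on: Optional[date]  # scheduled erasure date, where one can be computed
    reason: str               # the sentence the DPO points to when asked


REGISTER = {
    "kyc_identity": RegisterRow(
        "KYC identity documents", "Customer due diligence; AML monitoring",
        "Rule 9, PML (Maintenance of Records) Rules 2005; RBI Master Direction on KYC",
        5, "end of relationship"),
    "transactions": RegisterRow(
        "Transaction records", "AML/CFT compliance; audit",
        "Rule 3, PML (Maintenance of Records) Rules 2005",
        5, "completion of transaction"),
    "marketing_profile": RegisterRow(
        "Marketing-consent records", "Direct marketing campaigns",
        None, None, "withdrawal of consent"),
}


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(row: RegisterRow, trigger_date: Optional[date], today: date,
           consent_withdrawn: bool = False) -> Decision:
    """Apply Section 8(7) to one register row for one customer.

    A row with a legal basis is carved out of the erasure duty until the
    statutory period measured from its trigger event has run. A consent-only
    row falls under s.8(7)(a) directly: erase on withdrawal.
    """
    if row.legal_basis is None:
        if consent_withdrawn:
            return Decision("erase_now", today,
                            "consent withdrawn; no law requires retention, s.8(7)(a) applies")
        return Decision("retain", None, "consent in force; erase on withdrawal")
    if trigger_date is None:
        return Decision("retain", None,
                        f"{row.trigger} has not occurred; clock under {row.legal_basis} not started")
    expiry = add_years(trigger_date, row.retention_years)
    if today < expiry:
        return Decision("retain", expiry,
                        f"retention required by {row.legal_basis} until {expiry.isoformat()}")
    return Decision("erase_now", today,
                    f"period under {row.legal_basis} expired on {expiry.isoformat()}")


def erasure_schedule(events: dict, today: date, consent_withdrawn: bool = False) -> dict:
    """events maps register key -> date of that row's trigger event (None if not yet occurred)."""
    return {key: decide(row, events.get(key), today, consent_withdrawn)
            for key, row in REGISTER.items()}


if __name__ == "__main__":
    # Constructed customer: account closed 1 Mar 2020, last transaction 15 Feb 2020,
    # marketing consent withdrawn at closure. Check the position as at 1 Jan 2023.
    sched = erasure_schedule({"kyc_identity": date(2020, 3, 1),
                              "transactions": date(2020, 2, 15)},
                             date(2023, 1, 1), consent_withdrawn=True)
    for key, d in sched.items():
        print(f"{REGISTER[key].category}: {d.action} ({d.reason})")
```

The point the two kinds of row make is the one the final table row makes: the KYC and transaction rows return "retain" with a dated erasure trigger because a named rule requires it, while the marketing row returns "erase_now" the moment consent is withdrawn, because nothing in the legal_basis column excuses the bank from s.8(7)(a). A production register would also carry the paragraph reference within each instrument and an accountable owner per row.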

Genuine Overlap Zones

Beyond Retention — Where DPDP and RBI Do Need Careful Alignment

To say that the retention “conflict” is a myth is not to say that DPDP and the RBI framework never interact. They do, at three real junctures. None of these is a conflict in the legal sense — each is capable of parallel compliance — but each requires deliberate architecture.

1. Breach reporting — stacked timelines, not substituted timelines

A financial institution suffering a personal data breach that is also a cyber incident faces several parallel reporting duties that run off different clocks. The CERT-In Directions of 28 April 2022, issued under Section 70B of the Information Technology Act 2000, require reporting of specified cyber incidents within six hours of noticing or being brought to notice. RBI circulars on cyber-security framework for banks and on outsourcing of IT services prescribe their own reporting timelines to the Reserve Bank. DPDP Rule 7(2) requires preliminary notification to the Data Protection Board of India without delay and detailed notification within seventy-two hours. Section 8(6) of the DPDP Act itself requires intimation to affected Data Principals without delay.

None of these displaces any other. The DPDP Rules do not say “RBI / CERT-In reporting will be deemed sufficient”. The bank must coordinate all four addressees: CERT-In, RBI (per its cyber incident framework), DPBI, and affected Data Principals. The right answer is an integrated breach-response standard operating procedure with role allocations and a unified log of what was reported, to whom, when, and what evidence supports the timing.
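The stacked clocks and the unified log described above, as an added example (not the article's or any bank's code). The six-hour and seventy-two-hour figures are those the article cites; the "without delay" duties carry no fixed hour count, and the RBI deadline is deliberately left open because it depends on the applicable circular. The `Duty`, `BreachLog` and `deadlines` names and the sample timestamps are this example's own constructions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Added example, not the article's code: the stacked reporting clocks that start
# when a bank notices a breach that is also a cyber incident, and the unified
# log of what was reported, to whom, when and on what evidence. The 6-hour and
# 72-hour figures are those the article cites; "without delay" duties have no
# fixed hour count, and the RBI timeline is left open here (assumption) because
# it depends on the applicable circular.


@dataclass(frozen=True)
class Duty:
    addressee: str
    hours: Optional[int]   # None: "without delay" or per framework, no fixed count
    source: str


DUTIES = (
    Duty("CERT-In", 6, "CERT-In Directions, 28 Apr 2022, under s.70B IT Act 2000"),
    Duty("DPBI preliminary", None, "DPDP Rule 7(2): without delay"),
    Duty("Data Principals", None, "DPDP Act s.8(6): without delay"),
    Duty("DPBI detailed", 72, "DPDP Rule 7(2): within seventy-two hours"),
    Duty("RBI", None, "RBI cyber-security framework (timeline not fixed in this example)"),
)


def deadlines(noticed_at: datetime) -> dict:
    """Absolute deadline per addressee, or None where no hour count is fixed."""
    return {d.addressee: noticed_at + timedelta(hours=d.hours) if d.hours is not None else None
            for d in DUTIES}


@dataclass
class BreachLog:
    """One record per incident of what was reported, to whom, when, on what evidence."""
    noticed_at: datetime
    entries: list = field(default_factory=list)

    def record(self, addressee: str, reported_at: datetime, evidence: str) -> bool:
        """Log a report; return whether it met its fixed deadline (no-deadline duties count as timely)."""
        if addressee not in {d.addressee for d in DUTIES}:
            raise ValueError(f"unknown addressee: {addressee}")
        deadline = deadlines(self.noticed_at)[addressee]
        timely = deadline is None or reported_at <= deadline
        self.entries.append({"addressee": addressee, "reported_at": reported_at,
                             "deadline": deadline, "timely": timely, "evidence": evidence})
        return timely

    def outstanding(self, now: datetime) -> list:
        """Addressees not yet reported to, as (addressee, deadline, overdue) tuples."""
        done = {e["addressee"] for e in self.entries}
        dl = deadlines(self.noticed_at)
        return [(d.addressee, dl[d.addressee],
                 dl[d.addressee] is not None and now > dl[d.addressee])
                for d in DUTIES if d.addressee not in done]


if __name__ == "__main__":
    # Constructed incident: noticed 10 Jan 2026 09:00; CERT-In report filed at 14:30.
    log = BreachLog(datetime(2026, 1, 10, 9, 0))
    print("CERT-In timely:", log.record("CERT-In", datetime(2026, 1, 10, 14, 30),
                                        "ticket reference (constructed)"))
    for addressee, deadline, overdue in log.outstanding(datetime(2026, 1, 11, 9, 0)):
        print(f"outstanding: {addressee} deadline={deadline} overdue={overdue}")
```

Because every clock is computed from the single `noticed_at` timestamp, the log itself becomes the evidence of timing the article says the SOP must preserve; an entry whose `timely` flag is false is a finding to be explained, not a reason to omit the report.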

2. Cross-border transfer — consent layer plus storage layer

Section 16 of the DPDP Act empowers the Central Government to restrict transfer of personal data by a Data Fiduciary for processing to countries notified by the Government. At present no such negative list has been notified, and the framework defaults to permissive transfer subject to other applicable law. That “other applicable law” is doing a great deal of work in the banking sector. The RBI’s Payment System Data Storage direction dated 6 April 2018 requires that the entire data relating to payment systems operated by payment system operators be stored in a system only in India; processing of the foreign leg of a transaction abroad is permitted subject to repatriation requirements. This is not a DPDP obligation, but it constrains where payment data can sit.

A bank processing personal data offshore must therefore satisfy DPDP (consent where required; purpose limitation; security safeguards that travel with the data; cross-border transfer restrictions once Section 16 notifications issue) and RBI (storage location; reporting). The two regimes are additive, not alternative.

3. Consent architecture — matching DPDP bases with RBI processing

Much bank processing is not really consent-based in the Section 6 sense. KYC, AML monitoring, statutory reporting, credit-bureau reporting, Suspicious Transaction Reports under PMLA — all of these sit more naturally within Section 7 “certain legitimate uses”, particularly Section 7(b) (performance of function under law) and other statutory-compliance limbs. Section 7 processing does not require consent. It does require fairness, purpose limitation, accuracy, and security. A bank should audit its data flows and classify each as (a) consent under Section 6, (b) legitimate use under Section 7, or (c) retention-by-law under Section 8(7) carve-out. Mixing these up — for example, pretending that AML monitoring is “consent-based” — will expose the bank to consent-withdrawal attacks it cannot defend.

Implementation · Five-Step Architecture

Practical Compliance Architecture for Banks and NBFCs

Against this legal backdrop, the compliance roadmap for a commercial bank, NBFC, or large fintech is best organised in five steps, sequenced to be achievable within the eighteen-month runway to 13 May 2027.

1. Data map. Enumerate every category of personal data processed — customer, employee, vendor, counterparty, beneficiary, guarantor — and, for each, the system of record, downstream consumers, and offshore flows. This is the foundation of everything else.

2. Lawful basis classification. Classify each data flow as Section 6 consent, Section 7 legitimate use, or Section 8(7) retention-by-law. Where more than one basis could apply, select the narrower one and document the reasoning.

3. Legal basis register. Build the five-column matrix described above (category / purpose / legal basis / period / erasure trigger). Make it a living document owned by the Data Protection Officer, reviewed annually and on every material regulatory change.

4. Erasure engineering. Implement technical controls that can actually erase data on a per-data-element basis. A bank that cannot find all copies of a closed customer’s marketing profile will fail a consent-withdrawal request.

5. Integrated incident response. Write one SOP that covers CERT-In (6 hours), RBI (per cyber framework), DPBI preliminary (without delay), DPBI detailed (72 hours), and Data Principal notification. Rehearse it.

Frequently Asked Questions

RBI-DPDP Retention — Seven Practical Questions

Does the DPDP Act 2023 override the RBI KYC record retention mandate?

No. Section 8(7) of the Digital Personal Data Protection Act, 2023 contains an express carve-out for legal retention. The parent clause of Section 8(7) begins with the words "unless retention is necessary for compliance with any law for the time being in force." This means a bank continues to be governed by its statutory retention obligations under the Prevention of Money-Laundering Act 2002 read with the PML (Maintenance of Records) Rules 2005 and by RBI Master Directions on KYC. Illustration II appended to Section 8(7) makes this explicit for banking: it states that where a bank is required by law to maintain records of client identity for a specified period beyond closure of accounts, the bank shall retain the data for that period. There is therefore no legal conflict between the DPDP erasure obligation and the RBI/PMLA retention regime.

What does Illustration II to Section 8(7) actually say?

Illustration II appended to Section 8(7) of the DPDP Act 2023 reads verbatim: "X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X's personal data for the said period." This illustration is part of the statute itself. The ten-year period in the illustration is used hypothetically to demonstrate the principle; the actual retention period for a given bank will depend on the applicable law. Under Rule 3 and Rule 9 of the PML (Maintenance of Records) Rules 2005, records of transactions, client identity, and beneficial ownership must be maintained for five years after completion of transaction or termination of relationship, whichever is applicable. Sectoral regulators may prescribe longer periods, and the RBI Master Direction on KYC contains its own record-preservation requirements.

So where is the real compliance challenge for banks?

The real challenge is documentary, not jurisprudential. A bank must be able to demonstrate, on a per-data-element basis, (a) which personal data is retained under which specific legal provision, (b) the precise retention period flowing from that provision, (c) the erasure trigger once the statutory period expires, and (d) that data retained beyond any statutory requirement is erased in accordance with Section 8(7) purpose-limitation. This is achieved through a "legal basis register" or retention matrix. The Data Protection Board of India, when assessing a complaint that personal data has been retained beyond the specified purpose, will ask the Data Fiduciary to produce this register. A bank that retains data indefinitely "because we are regulated" without mapping each data element to a specific legal provision will fail that enquiry and expose itself to penalty under Schedule Sl.7 up to Rs 50 crore.

Does CERT-In six-hour breach reporting conflict with the DPDP seventy-two-hour window?

No. These are parallel, non-conflicting obligations arising under different statutes and directed to different regulators. The CERT-In Directions 2022, issued under Section 70B of the Information Technology Act 2000, require service providers, intermediaries, data centres, body corporates, and government organisations to report specified cyber incidents to CERT-In within six hours of noticing or being brought to notice about the incident. DPDP Rule 7(2) requires Data Fiduciaries to notify the Data Protection Board of India without delay (preliminary information) and, within seventy-two hours (detailed information), of a personal data breach. A bank suffering a breach must comply with both: CERT-In within six hours, DPBI preliminary without delay, affected Data Principals without delay, and DPBI detailed within seventy-two hours. The DPDP Act does not displace or extend the CERT-In timeline.

Is there any area where DPDP and RBI obligations are actually inconsistent?

The genuine overlaps, which require careful navigation but are not true "conflicts", are three. First, cross-border transfer: Section 16 of the DPDP Act empowers the Central Government to restrict transfer of personal data outside India to notified countries, which could intersect with RBI rules on the storage of payment system data under the Payment System Data Storage direction of 6 April 2018 that mandates end-to-end Indian storage for payment system data. DPDP adds a consent layer; RBI imposes a storage layer. Both must be satisfied. Second, consent architecture: DPDP requires free, specific, informed, unconditional, unambiguous consent for processing, while certain RBI Master Directions contemplate data processing on contractual or regulatory basis. Banks should align these by treating contractual and legal processing under Section 7 legitimate uses of the Act where available. Third, purpose-specific erasure: Schedule III of the DPDP Rules 2025 does not apply to banks; banks operate under the Section 8(7) legal-compliance exception. None of these constitute an inconsistency requiring judicial reconciliation; they require competent legal mapping.

Can a bank rely on Section 17(3) "legitimate interest" to avoid DPDP erasure?

Section 17(3) of the DPDP Act empowers the Central Government to notify, by rules, certain Data Fiduciaries or classes of Data Fiduciaries to whom the Act applies with modifications in certain respects. It is not a standing carve-out that any bank can invoke of its own motion. Separately, Section 7 of the Act enumerates "certain legitimate uses" for which personal data may be processed without consent, which include performance of any function under law, compliance with any judgment or order, medical emergency, and employment-related processing. For retention purposes, the controlling provision for banks is Section 8(7) parent clause read with Illustration II. A bank should not argue "legitimate interest" when the cleaner and directly applicable defence is statutory compliance under Section 8(7).

What does a defensible retention matrix look like for a commercial bank?

A defensible retention matrix has at minimum five columns: (i) data category, for example "KYC identity documents", "transaction records", "CCTV footage", "call recordings", "credit assessment data"; (ii) specified purpose, for example "customer onboarding", "AML monitoring", "credit evaluation"; (iii) legal basis citation, identifying the specific statute, rule, master direction, or contractual clause authorising the retention — for example "Rule 3 and 9, PML (Maintenance of Records) Rules 2005" or "RBI Master Direction on KYC, paragraph [relevant]"; (iv) retention period, stated in months or years from a clearly defined trigger (such as "five years from termination of business relationship" or "eight years from disposal of dispute, per limitation period"); and (v) erasure trigger and owner, stating what action will cause erasure and which officer is accountable. This matrix should be reviewed annually, signed by the Data Protection Officer where applicable, and presented to the Data Protection Board on request.

By Advocate Subodh Bajpai

Retention Matrix Advisory
For Banks, NBFCs & Fintech

Unified Chambers and Associates advises regulated financial institutions on DPDP-RBI interface questions, including legal basis registers, retention matrices, breach response SOPs, and Section 17 exemption applications. Senior Partner response within one business day. Minimum engagement: Rs 50 lakhs.


All statutory references verified against Gazette of India Extraordinary publications of the Digital Personal Data Protection Act, 2023 (11 August 2023) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. Official DPDP PDF: unifiedchambers.com/dpdp-documents/dpdp-act-2023.pdf.
