KYC Data Privacy: What Banks Can and Cannot Do
You handed your Aadhaar, PAN, and address proof to a bank. Now what can they do with it? A flat-toned walkthrough of what's allowed, what's not, and the gray zones nobody clarifies.

Someone emailed me last week asking a question that I think a lot of people have but don't know how to phrase: "I did KYC at my bank two years ago. They have my Aadhaar, my PAN, my photo, my address proof, even my fingerprint from the biometric machine. What are they actually allowed to do with all of that? Because I keep getting calls from insurance agents who seem to know my account details."
It's a fair question. And the answer is more complicated than it should be, because the rules governing KYC data sit at the intersection of RBI directives, the DPDP Act, the Aadhaar Act, PMLA regulations, and common law privacy principles — all of which overlap in some areas and contradict each other in others. Nobody's produced a single, clear document that says "here's exactly what a bank can and can't do with your KYC data." So I'll try to lay it out as plainly as I can, acknowledging upfront that some of these boundaries are genuinely ambiguous.
What KYC Is and Why It Exists
KYC — Know Your Customer — exists for a specific reason. It's an anti-money-laundering and counter-terrorism-financing measure. The Prevention of Money Laundering Act (PMLA) requires banks and financial institutions to verify the identity of their customers before establishing a business relationship. The RBI's Master Direction on KYC spells out the details: what documents are acceptable, how often verification needs to be updated, what enhanced due diligence looks like for high-risk customers. The purpose, on paper, is narrow. Confirm that you are who you say you are. Make sure you're not laundering money or financing terrorism. Done.
In practice, the data collected during KYC goes well beyond what that narrow purpose would require. A typical KYC file contains your full name, date of birth, address, PAN, Aadhaar number, a photograph, and, for Aadhaar-based e-KYC, the demographic record and photo that UIDAI returns plus a log of the biometric authentication itself (the fingerprint or iris scan is encrypted on the registered capture device and sent to UIDAI for matching; the bank is not meant to retain the biometric). If you've done Video KYC — which became common during and after the pandemic — the bank also has a recording of your face and voice from the verification session. That's a lot of data. Name and address would verify identity. Everything else builds a profile.
What Banks Are Permitted to Do
What banks are permitted to do with this data, according to current regulations:
Identity verification. This is the core function. When you open an account, apply for a loan, request a new credit card, or execute a large transaction, the bank uses your KYC records to confirm your identity. They can cross-check your PAN with the income tax database. They can verify your Aadhaar through UIDAI's authentication system. That's straightforward and uncontroversial.
Regulatory compliance and reporting. Banks are required to share customer information with regulatory bodies when mandated. If the RBI asks for records as part of an inspection, the bank complies. If the Enforcement Directorate requests information under PMLA, the bank complies. If there's a court order, the bank complies. Suspicious Transaction Reports (STRs) filed with the Financial Intelligence Unit contain customer data including KYC details. This is legal, expected, and outside your ability to prevent.
Risk assessment and credit evaluation. Banks use KYC data as part of their internal risk and credit models. Your PAN links to your tax filing history. Your address and employment details feed into creditworthiness assessments. This usage is generally considered within the scope of the banking relationship, though the line between "risk assessment" and "profiling for marketing purposes" can be very thin. A bank knowing your income bracket for loan decisions is one thing. A bank using that same data to target you with premium credit card offers is something else, and the rules on that cross-use aren't as clear as they should be.
Periodic KYC updates. RBI requires banks to refresh KYC data periodically — every two years for high-risk customers, every eight years for medium-risk, and every ten years for low-risk. During re-KYC, the bank can request updated documents and may reach out to you to confirm that your details are current. This is the basis for those periodic "Please update your KYC" messages that every bank customer in India has received.
What Banks Are Not Permitted to Do
Now, what banks are not permitted to do:
Sell or share your KYC data with third parties for marketing. This is where the reader's complaint about insurance agent calls comes in. Under the DPDP Act, your data can only be processed for the purpose for which consent was given. If you consented to KYC for the purpose of opening a bank account, that consent doesn't extend to the bank sharing your phone number, income details, and account information with a partner insurance company or mutual fund distributor. If that's happening — and anecdotally, it seems to happen frequently — it's a violation. The challenge is proving it. The insurance agent calling you won't say "I got your number from SBI's database." They'll claim you signed up somewhere or that your number was on a general list. The causal chain is hard to establish.
Use Aadhaar data for anything beyond authentication. This one comes from the Supreme Court's K.S. Puttaswamy v. Union of India ruling and subsequent Aadhaar Act provisions. Banks that conduct Aadhaar-based e-KYC receive your demographic data (name, address, date of birth, gender) and photograph from UIDAI; they do not receive biometric data, because Section 29 of the Aadhaar Act bars UIDAI from sharing core biometric information with anyone. That demographic data is supposed to be used strictly for identity verification. Using it to build customer profiles, cross-referencing it with other databases for marketing, or sharing it with third parties isn't permitted. Whether this restriction is enforced in practice is debatable. Banks have enormous databases and the technical ability to correlate Aadhaar-linked data with other customer records internally. An audit would need to examine actual data flows and internal system access patterns, and those audits aren't happening at meaningful scale.
Retain your data indefinitely after the relationship ends. If you close your bank account, the bank isn't supposed to hold your KYC data forever. Data minimization principles under the DPDP Act require deletion or anonymization once the data is no longer needed for its original purpose. The catch is that regulatory retention requirements can override this — PMLA requires certain records to be maintained for at least five years after the business relationship ends, and the bank can argue it needs to retain data to comply with that. So "indefinitely" is not permitted, but "five-plus years after account closure" apparently is. The practical effect is that your data stays in banking systems for a very long time.
Deny basic banking services if you refuse to provide non-mandatory information. Banks sometimes ask for data during KYC that goes beyond regulatory requirements — employer details, annual income, number of dependents, mother's maiden name. If you decline to provide optional fields, the bank can't refuse to open your account or deny you basic services. In practice, bank employees at the branch level may not know which fields are mandatory and which are optional. They'll present the entire form as a package and tell you every field is required. That's often not true, and pushing back (politely, with reference to RBI's actual KYC requirements) sometimes works.
Central KYC Registry and Data Flows
The Central KYC Records Registry — CKYCR, operated by CERSAI — adds another layer to consider. CKYC was introduced so that you'd do KYC once and have it shared across financial institutions rather than repeating the process every time you opened an account with a new bank or mutual fund house. The convenience is real. The privacy implication is that a centralized database now holds your identity documents and demographic data, and any financial institution registered with CERSAI can request access to your CKYC record using your KYC Identifier Number (KIN).
You should know your KIN. You should also periodically check which institutions have accessed your CKYC record. CERSAI's system allows you to do this, though the process isn't exactly user-friendly. If an institution you don't have a relationship with has pulled your CKYC record, that's a red flag worth investigating — it could mean someone opened an account in your name, or a financial institution is accessing records it shouldn't be.
Practical Self-Protection Measures
For practical self-protection, a few measures are worth the effort. When submitting Aadhaar as a proof document, use masked Aadhaar — the version that shows only the last four digits of your Aadhaar number — wherever it's accepted. UIDAI introduced masked Aadhaar specifically to reduce the risk of your full Aadhaar number being exposed through document handling, and it is a valid document for offline (paper or QR-based) verification. It cannot stand in for the full number in Aadhaar e-KYC, since authentication against UIDAI needs all twelve digits; for that case RBI's KYC Master Direction requires the Aadhaar number to be redacted or blacked out on any copy the bank retains when authentication is not being performed. Not all institutions accept masked Aadhaar yet, but adoption is growing.
Don't send KYC documents over email or WhatsApp unless you're using the bank's official secure portal or a verified bank representative has directed you to a secure upload link. Branch employees sometimes informally ask customers to "just WhatsApp your Aadhaar and PAN" for re-KYC — this is insecure, non-compliant with data handling norms, and creates copies of your documents on devices the bank doesn't control.
On the subject of document handling, it's worth understanding how your KYC documents move through a bank's internal systems. When you submit physical photocopies at a branch, those copies get scanned into a document management system, usually by a junior employee or an outsourced data entry operator. The physical copies may sit in the branch for weeks before being shredded or archived. The digital scans live in the bank's central database, accessible to various departments depending on internal access controls. How tight those controls are varies enormously between institutions. A well-run private bank might have granular role-based access and audit logs. A cooperative bank in a small town might store scanned documents in a shared folder that every employee can open.
Video KYC introduces another layer. When you do Video KYC — which RBI introduced as V-CIP (Video-based Customer Identification Process) in January 2020, shortly before the pandemic made it the default for remote onboarding, and which remains a permanent option — the bank records the video session. That recording includes your face, your voice, and often a close-up of your identity documents held up to the camera. It's stored on the bank's servers, potentially for years, and it is more biometric-grade material than a single photograph provides. Banks are supposed to encrypt these recordings and limit access, but the operational reality at many institutions lags behind the policy.
The rise of Account Aggregators in India's financial ecosystem adds yet another data flow to consider. Under the Account Aggregator framework, consented financial data (including data originally collected through KYC) can be shared between financial institutions through licensed intermediaries. The consent architecture is supposed to give you control — you approve each sharing request, you can revoke consent, and the data flows through encrypted channels. In practice, the consent screens can be confusing, the implications of sharing aren't always clear, and once you've consented to data sharing between your bank and a lending platform, the data that originated from your KYC becomes accessible to a wider network of institutions. That's the design working as intended, but it's worth being deliberate about which consent requests you approve rather than tapping "allow" reflexively.
For senior citizens and less digitally literate bank customers, the KYC privacy challenge is amplified. Many older Indians had their Aadhaar-based e-KYC done by a bank employee who handled the entire process while the customer watched without fully understanding what data was being shared or consented to. The UIDAI authentication history — accessible at resident.uidai.gov.in — shows every time your Aadhaar was used for authentication, including which entity authenticated it and when. The history only covers a limited look-back window (UIDAI shows records for the preceding six months), so this has to be a periodic check rather than a one-off; done regularly, it can reveal unauthorized Aadhaar authentications that might indicate your KYC data was accessed or shared without proper consent.
Monitoring and Complaint Mechanisms
Review your bank statements and SMS alerts regularly for transactions you don't recognize. If your KYC data has been misused to open unauthorized accounts or make fraudulent transactions, early detection is your best defense. Set up real-time transaction alerts for every amount, not just large ones. A small test transaction of Rs 1 or Rs 10 is often the precursor to a larger fraud.
If you believe your KYC data has been misused, the complaint process has multiple levels. Start with the bank's internal grievance officer — every bank is required to have one, and their contact details should be on the bank's website. If the response is unsatisfactory within 30 days, escalate to the RBI Ombudsman (the Integrated Ombudsman Scheme, 2021 replaced the separate Banking Ombudsman) through the RBI's Complaint Management System. Under the DPDP Act, you'll eventually be able to take data privacy complaints to the Data Protection Board of India as well, though that body's operational status is still evolving as of early 2026.
Mergers, Failures, and Data Limbo
There's also the question of what happens to your KYC data when financial institutions merge, get acquired, or shut down. India has seen several bank mergers in recent years — the consolidation of public sector banks in 2020, ongoing M&A activity among NBFCs and fintech companies. When Bank A merges with Bank B, your KYC data from Bank A gets absorbed into Bank B's systems. Your consent was originally given to Bank A. Did it transfer automatically? The legal position is unclear. The DPDP Act's provisions on purpose limitation suggest that the acquiring entity should obtain fresh consent for any purposes beyond the original collection purpose, but in the chaos of integration, that rarely happens in practice. Your data gets migrated, your file gets consolidated, and nobody asks you whether you're comfortable with the new entity holding your information.
For NBFCs and fintech startups that fail — and in India's rapidly evolving financial sector, some inevitably do — the data handling post-closure is even murkier. When a fintech lending platform goes bankrupt, what happens to the KYC documents of its borrowers? Are they destroyed? Sold as part of the asset liquidation? Left on servers that nobody's maintaining anymore? RBI's regulations require record retention for specific periods, but supervision of data handling at defunct entities is minimal. Your KYC documents might be sitting on an unmaintained server belonging to a company that no longer exists, accessible to whoever inherits or stumbles upon that digital infrastructure. It's a gap in the regulatory framework that nobody seems to be working on fixing.
There's a broader issue here that goes beyond individual actions, which is the fundamental tension between KYC as a compliance exercise and KYC as a data collection mechanism. The regulatory intent is compliance — making sure banks know who their customers are for anti-money-laundering purposes. The commercial incentive is data — the more a bank knows about you, the better it can target products, assess risk, and cross-sell. The same data serves both purposes, and the boundary between them isn't policed as rigorously as it should be. RBI's inspection processes focus heavily on whether banks are collecting KYC properly, not on whether they're using the collected data properly. That gap between collection compliance and usage compliance is where most KYC privacy violations live, and it's not clear when or how it's going to close. The Data Protection Board might eventually take up cases on this, or it might not — its scope and operational appetite remain to be seen. Meanwhile, your Aadhaar and PAN sit in databases you've probably lost track of, being used in ways you may never learn about.
Written by
Priya Sharma, Senior Privacy Analyst
Priya Sharma specializes in India's Digital Personal Data Protection Act (DPDPA) and helps organizations comply with data protection regulations. She holds a law degree from NLU Delhi and has published extensively on digital rights in India.