Compliance
This guide covers regulatory compliance considerations when using TxnCheck API for identity verification and fraud prevention in India.
Regulatory Landscape
RBI Guidelines: Reserve Bank of India regulations for KYC and payment security
IT Act 2000: Information Technology Act provisions for data protection
DPDP Act 2023: Digital Personal Data Protection Act requirements
PCI DSS: Payment Card Industry Data Security Standard
RBI KYC Compliance
Periodic Re-KYC
The RBI Master Direction on KYC requires periodic updation of customer KYC on a risk-based schedule. The intervals below are the regulatory maximums, counted from account opening or the last KYC updation; your own risk policy may be stricter:

| Customer Type | Re-KYC Frequency |
|---|---|
| High Risk | At least once every 2 years |
| Medium Risk | At least once every 8 years |
| Low Risk | At least once every 10 years |

```typescript
type RiskLevel = 'high' | 'medium' | 'low';

// Maximum days between KYC updations, per the RBI Master Direction on KYC
const RE_KYC_INTERVAL_DAYS: Record<RiskLevel, number> = {
  high: 730,    // 2 years
  medium: 2920, // 8 years
  low: 3650,    // 10 years
};

// Call this when a KYC (or re-KYC) has just been completed for the customer.
// Typing riskLevel as the union (rather than string) stops an unknown value
// from producing an undefined interval and an "Invalid Date".
async function scheduleReKYC(customerId: string, riskLevel: RiskLevel) {
  const nextKYC = new Date();
  nextKYC.setDate(nextKYC.getDate() + RE_KYC_INTERVAL_DAYS[riskLevel]);
  await db.customer.update({
    where: { id: customerId },
    data: { nextKYCDate: nextKYC },
  });
}
```
DPDP Act 2023 Compliance
Consent Management
The Digital Personal Data Protection Act requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action for a specified purpose, and withdrawable at any time. Record it per purpose, and check it before every call that processes personal data:

```typescript
interface Consent {
  userId: string;
  purpose: string;
  dataCategories: string[];
  consentGiven: boolean;
  consentTimestamp: Date;
  withdrawable: boolean;
}

class ConsentRequiredError extends Error {}

// Record consent. Call this only after the user has taken a clear affirmative
// action for this specific purpose in your UI; this function records consent,
// it does not obtain it.
async function obtainVerificationConsent(userId: string): Promise<boolean> {
  const consent = await db.consent.create({
    data: {
      userId,
      purpose: 'identity_verification',
      dataCategories: ['mobile', 'name', 'pan_last4'],
      consentGiven: true,
      consentTimestamp: new Date(),
      withdrawable: true,
    },
  });
  return consent.consentGiven;
}

// Latest record for this user and purpose wins. A withdrawal is stored as a
// newer record with consentGiven: false, so it automatically overrides an
// earlier grant. Assumes the same Prisma-style client used elsewhere on this page.
async function checkConsent(userId: string, purpose: string): Promise<boolean> {
  const latest = await db.consent.findFirst({
    where: { userId, purpose },
    orderBy: { consentTimestamp: 'desc' },
  });
  return latest?.consentGiven === true;
}

// Check consent before the API call; fail closed when nothing is on record
async function verifyWithConsent(userId: string, mobile: string) {
  const hasConsent = await checkConsent(userId, 'identity_verification');
  if (!hasConsent) {
    throw new ConsentRequiredError('User consent required for verification');
  }
  return client.upiByMobile(mobile, { sync: true });
}
```
Data Principal Rights
Implement rights management:
```typescript
// Right to access
async function handleAccessRequest(userId: string) {
  const userData = await collectAllUserData(userId);
  return {
    personalData: userData,
    processingPurposes: ['identity_verification', 'fraud_prevention'],
    retentionPeriod: '7 years for compliance records',
    dataSharing: ['None - data not shared with third parties'],
  };
}

// Fields a data principal may correct (adjust to your schema). Never pass the
// raw request body into the update: an unrestricted Record<string, any> would
// let a caller overwrite riskLevel, nextKYCDate or verification status.
const CORRECTABLE_FIELDS = ['name', 'address', 'email'] as const;
type Correction = Partial<Record<(typeof CORRECTABLE_FIELDS)[number], string>>;

// Right to correction
async function handleCorrectionRequest(userId: string, requested: Record<string, unknown>) {
  // Verify identity before allowing corrections
  await verifyIdentity(userId);
  // Apply only allow-listed corrections
  const corrections: Correction = {};
  for (const field of CORRECTABLE_FIELDS) {
    if (typeof requested[field] === 'string') corrections[field] = requested[field] as string;
  }
  await db.customer.update({
    where: { id: userId },
    data: corrections,
  });
  // Log the correction
  await logDataCorrection(userId, corrections);
}

// Right to erasure
async function handleErasureRequest(userId: string) {
  // Check if we can delete (may need to retain for compliance)
  const canDelete = await checkRetentionRequirements(userId);
  if (!canDelete) {
    return {
      status: 'partial',
      message: 'Some data retained for regulatory compliance',
      retainedUntil: calculateRetentionEnd(userId),
    };
  }
  await deleteAllUserData(userId);
  return { status: 'complete' };
}
```
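The erasure handler above leaves `checkRetentionRequirements` and `calculateRetentionEnd` undefined. The following is an added example, not TxnCheck code, of how a practitioner would implement them: each stored record carries a category, each category has a retention obligation, records past (or without) an obligation are deleted now, and records still under obligation are pseudonymised and scheduled for deletion at the end of the period instead of being dropped silently. The categories, retention years and identifier field names are assumptions for illustration; the 7-year figure mirrors the retention period quoted in the access response above.

```typescript
// Added example: category-based erasure with retention (not TxnCheck code)
type RecordCategory = 'marketing_profile' | 'session_data' | 'kyc_record' | 'transaction';

interface StoredRecord {
  id: string;
  userId: string;
  category: RecordCategory;
  createdAt: Date;
  data: Record<string, unknown>;
}

// Assumed retention obligations in years from creation; 0 = no obligation.
const RETENTION_YEARS: Record<RecordCategory, number> = {
  marketing_profile: 0,
  session_data: 0,
  kyc_record: 7,   // assumption: "7 years for compliance records" on this page
  transaction: 7,
};

// Date after which the record may be deleted, or null when nothing requires keeping it
function retentionEnd(rec: StoredRecord): Date | null {
  const years = RETENTION_YEARS[rec.category];
  if (years === 0) return null;
  const end = new Date(rec.createdAt.getTime());
  end.setFullYear(end.getFullYear() + years);
  return end;
}

// Fields treated as direct identifiers and blanked when a record must be retained
const DIRECT_IDENTIFIERS = new Set(['name', 'mobile', 'email', 'address']);

function pseudonymise(data: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(data)) out[k] = DIRECT_IDENTIFIERS.has(k) ? '[erased]' : v;
  return out;
}

interface ErasureOutcome {
  status: 'complete' | 'partial';
  deleted: string[];
  retained: { id: string; retainedUntil: Date }[];
}

// Pure function over an in-memory record set so the policy can be unit tested;
// the real implementation would issue the same decisions as DB deletes/updates.
function eraseUser(records: StoredRecord[], userId: string, now: Date): { outcome: ErasureOutcome; remaining: StoredRecord[] } {
  const outcome: ErasureOutcome = { status: 'complete', deleted: [], retained: [] };
  const remaining: StoredRecord[] = [];
  for (const rec of records) {
    if (rec.userId !== userId) { remaining.push(rec); continue; }
    const until = retentionEnd(rec);
    if (until === null || until.getTime() <= now.getTime()) {
      outcome.deleted.push(rec.id);          // no obligation, or obligation expired
      continue;
    }
    outcome.retained.push({ id: rec.id, retainedUntil: until });
    remaining.push({ ...rec, data: pseudonymise(rec.data) });  // keep only what the obligation needs
  }
  if (outcome.retained.length > 0) outcome.status = 'partial';
  return { outcome, remaining };
}
```

Retained records keep their `id` and `userId` so that the scheduled deletion at `retainedUntil` can find them; a later erasure request for the same user re-evaluates them against the new `now` and deletes whatever has since expired.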
PCI DSS Compliance
If processing payment data alongside TxnCheck:
Requirement 3: Protect Stored Data
Note the two meanings of "PAN" on this page: PCI DSS Requirement 3 governs the card Primary Account Number, while the `pan` field in a KYC result is the Income Tax Permanent Account Number, which is not cardholder data. Apply the same minimisation to both: keep at most the last four digits, never persist the full value.

```typescript
interface SafeKYCData {
  name: string | undefined;
  panLast4: string | null;
}

// Never store the full PAN from KYC results; keep only the suffix you need to display or match
function processKYCResult(result: any): SafeKYCData {
  const kyc = result.result?.kycByMobile || {};
  return {
    name: kyc.fullName,
    panLast4: kyc.pan ? kyc.pan.slice(-4) : null,
    // Do NOT store: kyc.pan (full PAN)
  };
}
```
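`processKYCResult` handles one known field. In practice card numbers and tax PANs also turn up in free-form fields, request logs and error payloads, so the minimisation has to be applied generically before anything is persisted. The following is an added example, not TxnCheck code, that walks any JSON-like value, detects card PANs by length plus Luhn check and tax PANs by their fixed format, truncates both to the last four digits, and shows a keyed-hash token (HMAC-SHA256) for the case where records must still be joinable on the same card without storing it. The sample payload and the placeholder key are constructed for the example; the key must come from a KMS or HSM in production.

```typescript
// Added example: generic PAN redaction and keyed tokenisation (not TxnCheck code)
import { createHmac } from 'node:crypto';

// Luhn mod-10 check; used to avoid masking arbitrary long numbers such as order IDs
function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Card PANs are 13-19 digits and Luhn-valid
function looksLikeCardPan(s: string): boolean {
  return /^\d{13,19}$/.test(s) && luhnValid(s);
}

// Income Tax PAN format: five letters, four digits, one letter
const TAX_PAN_RE = /^[A-Z]{5}\d{4}[A-Z]$/;

function keepLast4(s: string): string {
  return '*'.repeat(s.length - 4) + s.slice(-4);
}

// Keyed token for joining records on the same card without storing the PAN.
// An unkeyed SHA-256 would be brute-forceable: given the BIN and the Luhn
// digit the remaining search space is small.
function tokenizePan(pan: string, key: string): string {
  return createHmac('sha256', key).update(pan).digest('hex');
}

// Recursively redact whole-string values that are card PANs or tax PANs.
// Separators (spaces, dashes) inside a card number are tolerated.
function redactSensitive(value: unknown): unknown {
  if (typeof value === 'string') {
    const compact = value.replace(/[ -]/g, '');
    if (looksLikeCardPan(compact)) return keepLast4(compact);
    if (TAX_PAN_RE.test(value)) return keepLast4(value);
    return value;
  }
  if (Array.isArray(value)) return value.map(redactSensitive);
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) out[k] = redactSensitive(v);
    return out;
  }
  return value;
}

// Placeholder for the example only; fetch the real key from a KMS/HSM and rotate it
const DEMO_TOKEN_KEY = 'replace-with-kms-managed-secret';

// Constructed sample shaped like a KYC response plus a card field that leaked into the same object
const SAMPLE_PAYLOAD = {
  result: { kycByMobile: { fullName: 'Test User', pan: 'ABCDE1234F' } },
  cardNumber: '4111 1111 1111 1111',
  orderId: '123456',
};

function redactedSample(): Record<string, unknown> {
  return redactSensitive(SAMPLE_PAYLOAD) as Record<string, unknown>;
}
```

The matcher works on whole field values. Card numbers embedded inside longer free text (an error message, a support note) need a scanning regex for digit runs with separators, followed by the same Luhn filter, before the text is logged.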
Requirement 10: Track Access
```typescript
// Log all access to cardholder data. getRequestIP and getRequestUserAgent are
// request-context helpers from your web framework.
async function logPCIAccess(event: {
  userId: string;
  action: string;
  dataType: string;
  success: boolean;
}) {
  await db.pciAuditLog.create({
    data: {
      ...event,
      timestamp: new Date(),
      ipAddress: getRequestIP(),
      userAgent: getRequestUserAgent(),
    },
  });
}
```
Audit Trail Requirements
What to Log
| Event | Required Fields | Retention |
|---|---|---|
| API Call | Request ID, timestamp, user, method | 90 days |
| Data Access | User, data type, access level, reason | 7 years |
| Consent | User, purpose, timestamp, action | 7 years |
| Data Deletion | User, data types, timestamp | 7 years |

The 90-day figure is an operational minimum for API call logs. If a call touches cardholder data, PCI DSS Requirement 10 requires those audit records to be retained for at least 12 months, with the most recent three months immediately available.
Audit Log Schema
```typescript
interface AuditLog {
  id: string;
  eventType: 'api_call' | 'data_access' | 'consent' | 'deletion';
  userId?: string;
  customerId?: string;
  action: string;
  details: Record<string, any>;
  ipAddress: string;
  userAgent: string;
  timestamp: Date;
  // Immutable - use append-only storage
}

// Use append-only storage for audit logs
async function writeAuditLog(log: Omit<AuditLog, 'id' | 'timestamp'>) {
  // Write to immutable storage (e.g., append-only database, blockchain, S3 with object lock)
  await appendOnlyStorage.write({
    ...log,
    id: generateUUID(),
    timestamp: new Date(),
  });
}
```
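Append-only storage stops ordinary writers from rewriting history, but an auditor still wants a way to prove from the records themselves that nothing was edited or removed. The following is an added example, not TxnCheck code, of a hash-chained audit log: every entry stores the SHA-256 of the previous entry, and `verify` recomputes the chain and returns the position of the first broken link. It uses a canonical serialisation so the hash survives a JSON round trip through storage; the event shapes follow the `AuditLog` schema above, and the sample events in the usage are constructed.

```typescript
// Added example: tamper-evident, hash-chained audit log (not TxnCheck code)
import { createHash } from 'node:crypto';

type AuditEventType = 'api_call' | 'data_access' | 'consent' | 'deletion';

interface AuditEntry {
  seq: number;            // position in the chain; detects deletions
  eventType: AuditEventType;
  userId?: string;
  action: string;
  details: Record<string, unknown>;
  timestamp: string;      // ISO-8601 string, so serialisation is canonical
  prevHash: string;       // hash of the previous entry (GENESIS_HASH for the first)
  hash: string;           // SHA-256 over every field above
}

const GENESIS_HASH = '0'.repeat(64);

// Deterministic serialisation: keys sorted, undefined values dropped, so the
// hash does not depend on insertion order or on a JSON round trip.
function canonical(value: unknown): string {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  const obj = value as Record<string, unknown>;
  const parts = Object.keys(obj)
    .filter((k) => obj[k] !== undefined)
    .sort()
    .map((k) => JSON.stringify(k) + ':' + canonical(obj[k]));
  return '{' + parts.join(',') + '}';
}

function entryHash(e: Omit<AuditEntry, 'hash'>): string {
  return createHash('sha256').update(canonical(e)).digest('hex');
}

class HashChainedAuditLog {
  private readonly entries: AuditEntry[] = [];

  append(event: Pick<AuditEntry, 'eventType' | 'userId' | 'action' | 'details'>, timestamp: Date = new Date()): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const unsigned = {
      seq: this.entries.length,
      ...event,
      timestamp: timestamp.toISOString(),
      prevHash: prev ? prev.hash : GENESIS_HASH,
    };
    const entry: AuditEntry = { ...unsigned, hash: entryHash(unsigned) };
    this.entries.push(entry);
    return entry;
  }

  // Returns the seq of the first entry whose link is broken, or -1 if the chain is intact
  static verify(entries: AuditEntry[]): number {
    let expectedPrev = GENESIS_HASH;
    for (let i = 0; i < entries.length; i++) {
      const { hash, ...rest } = entries[i];
      if (rest.seq !== i || rest.prevHash !== expectedPrev || entryHash(rest) !== hash) return i;
      expectedPrev = hash;
    }
    return -1;
  }

  // Copy of the entries as they would be read back from storage
  snapshot(): AuditEntry[] {
    return this.entries.map((e) => ({ ...e }));
  }
}
```

The chain detects in-place edits, reordering and deletions in the middle, but not truncation of the tail: an attacker who drops the newest entries leaves a chain that still verifies. Periodically record the latest `hash` somewhere the log writer cannot reach (a WORM bucket, a signed timestamp, a separate account) and check that the stored chain still ends at it.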
Compliance Reporting
Generate Compliance Reports
```typescript
interface ComplianceReport {
  period: { start: Date; end: Date };
  totalVerifications: number;
  consentMetrics: {
    obtained: number;
    withdrawn: number;
    pending: number;
  };
  dataRequests: {
    access: number;
    correction: number;
    erasure: number;
  };
  securityMetrics: {
    unauthorizedAttempts: number;
    dataBreaches: number;
  };
}

// Each metric is derived from the audit log for the period
async function generateQuarterlyReport(
  startDate: Date,
  endDate: Date
): Promise<ComplianceReport> {
  return {
    period: { start: startDate, end: endDate },
    totalVerifications: await countVerifications(startDate, endDate),
    consentMetrics: await getConsentMetrics(startDate, endDate),
    dataRequests: await getDataRequestMetrics(startDate, endDate),
    securityMetrics: await getSecurityMetrics(startDate, endDate),
  };
}
```
Regular Compliance Reviews
| Review Type | Frequency | Responsible Party |
|---|---|---|
| Access review | Monthly | Security team |
| Consent audit | Quarterly | Compliance team |
| Data retention check | Quarterly | DPO |
| Security assessment | Annually | External auditor |
| Policy review | Annually | Legal + Compliance |
Data Processing Agreement
Ensure your agreement with TxnCheck covers:

Data processing
- Categories of personal data processed
- Purpose limitation
- Data retention periods
- Sub-processor disclosure
- Encryption standards
- Access controls
- Incident response procedures
- Audit rights

Data principal requests
- Process for handling requests
- Response timeframes
- Cooperation requirements

Breach notification
- Notification timeframes (72 hours)
- Information to be provided
- Remediation procedures
Compliance Checklist
Before Going Live
- Legal Review: Have legal team review TxnCheck DPA and terms
- Consent Flow: Implement and test consent collection
- Data Mapping: Document all data flows and storage locations
- Audit Logging: Verify audit logs capture required events
- Retention Policies: Configure automated data deletion
- Rights Handling: Implement data subject request workflows
Ongoing Compliance
Penalties for Non-Compliance
| Regulation | Potential Penalty |
|---|---|
| DPDP Act | Up to ₹250 crore per violation |
| RBI KYC | License restrictions, fines |
| PCI DSS | Fines up to $100,000/month, card processing suspension |
Non-compliance with data protection regulations can result in significant financial penalties and reputational damage. Consult with legal and compliance experts for your specific situation.
Resources