> ## Documentation Index
> Fetch the complete documentation index at: https://docs.txncheck.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance

> Regulatory compliance guidance for fraud prevention systems

# Compliance

This guide covers regulatory compliance considerations when using TxnCheck API for identity verification and fraud prevention in India.

## Regulatory Landscape

<CardGroup cols={2}>
  <Card title="RBI Guidelines" icon="landmark">
    Reserve Bank of India regulations for KYC and payment security
  </Card>

  <Card title="IT Act 2000" icon="scale-balanced">
    Information Technology Act provisions for data protection
  </Card>

  <Card title="DPDP Act 2023" icon="shield-check">
    Digital Personal Data Protection Act requirements
  </Card>

  <Card title="PCI DSS" icon="credit-card">
    Payment Card Industry Data Security Standard
  </Card>
</CardGroup>

## RBI KYC Compliance

### Periodic Re-KYC

RBI requires periodic re-verification:

| Customer Type | Re-KYC Frequency |
| ------------- | ---------------- |
| High Risk     | Annually         |
| Medium Risk   | Every 2 years    |
| Low Risk      | Every 10 years   |

```typescript theme={null}
async function scheduleReKYC(customerId: string, riskLevel: string) {
  const intervals = {
    high: 365,
    medium: 730,
    low: 3650,
  };
  
  const nextKYC = new Date();
  nextKYC.setDate(nextKYC.getDate() + intervals[riskLevel as keyof typeof intervals]);
  
  await db.customer.update({
    where: { id: customerId },
    data: { nextKYCDate: nextKYC },
  });
}
```

## DPDP Act 2023 Compliance

### Consent Management

The Digital Personal Data Protection Act requires explicit consent:

```typescript theme={null}
interface Consent {
  userId: string;
  purpose: string;
  dataCategories: string[];
  consentGiven: boolean;
  consentTimestamp: Date;
  withdrawable: boolean;
}

// Obtain consent before verification
async function obtainVerificationConsent(userId: string): Promise<boolean> {
  const consent = await db.consent.create({
    data: {
      userId,
      purpose: 'identity_verification',
      dataCategories: ['mobile', 'name', 'pan_last4'],
      consentGiven: true,
      consentTimestamp: new Date(),
      withdrawable: true,
    },
  });
  
  return consent.consentGiven;
}

// Check consent before API call
async function verifyWithConsent(userId: string, mobile: string) {
  const hasConsent = await checkConsent(userId, 'identity_verification');
  
  if (!hasConsent) {
    throw new ConsentRequiredError('User consent required for verification');
  }
  
  return client.upiByMobile(mobile, { sync: true });
}
```

### Data Principal Rights

Implement rights management:

```typescript theme={null}
// Right to access
async function handleAccessRequest(userId: string) {
  const userData = await collectAllUserData(userId);
  return {
    personalData: userData,
    processingPurposes: ['identity_verification', 'fraud_prevention'],
    retentionPeriod: '7 years for compliance records',
    dataSharing: ['None - data not shared with third parties'],
  };
}

// Right to correction
async function handleCorrectionRequest(
  userId: string, 
  corrections: Record<string, any>
) {
  // Verify identity before allowing corrections
  await verifyIdentity(userId);
  
  // Apply corrections
  await db.customer.update({
    where: { id: userId },
    data: corrections,
  });
  
  // Log the correction
  await logDataCorrection(userId, corrections);
}

// Right to erasure
async function handleErasureRequest(userId: string) {
  // Check if we can delete (may need to retain for compliance)
  const canDelete = await checkRetentionRequirements(userId);
  
  if (!canDelete) {
    return {
      status: 'partial',
      message: 'Some data retained for regulatory compliance',
      retainedUntil: calculateRetentionEnd(userId),
    };
  }
  
  await deleteAllUserData(userId);
  return { status: 'complete' };
}
```

## PCI DSS Compliance

If processing payment data alongside TxnCheck:

### Requirement 3: Protect Stored Data

```typescript theme={null}
// Never store full PAN from KYC results
function processKYCResult(result: any): SafeKYCData {
  const kyc = result.result?.kycByMobile || {};
  
  return {
    name: kyc.fullName,
    panLast4: kyc.pan ? kyc.pan.slice(-4) : null,
    // Do NOT store: kyc.pan (full PAN)
  };
}
```

### Requirement 10: Track Access

```typescript theme={null}
// Log all access to cardholder data
async function logPCIAccess(event: {
  userId: string;
  action: string;
  dataType: string;
  success: boolean;
}) {
  await db.pciAuditLog.create({
    data: {
      ...event,
      timestamp: new Date(),
      ipAddress: getRequestIP(),
      userAgent: getRequestUserAgent(),
    },
  });
}
```

## Audit Trail Requirements

### What to Log

| Event         | Required Fields                       | Retention |
| ------------- | ------------------------------------- | --------- |
| API Call      | Request ID, timestamp, user, method   | 90 days   |
| Data Access   | User, data type, access level, reason | 7 years   |
| Consent       | User, purpose, timestamp, action      | 7 years   |
| Data Deletion | User, data types, timestamp           | 7 years   |

### Audit Log Schema

```typescript theme={null}
interface AuditLog {
  id: string;
  eventType: 'api_call' | 'data_access' | 'consent' | 'deletion';
  userId?: string;
  customerId?: string;
  action: string;
  details: Record<string, any>;
  ipAddress: string;
  userAgent: string;
  timestamp: Date;
  // Immutable - use append-only storage
}

// Use append-only storage for audit logs
async function writeAuditLog(log: Omit<AuditLog, 'id' | 'timestamp'>) {
  // Write to immutable storage (e.g., append-only database, blockchain, S3 with object lock)
  await appendOnlyStorage.write({
    ...log,
    id: generateUUID(),
    timestamp: new Date(),
  });
}
```

## Compliance Reporting

### Generate Compliance Reports

```typescript theme={null}
interface ComplianceReport {
  period: { start: Date; end: Date };
  totalVerifications: number;
  consentMetrics: {
    obtained: number;
    withdrawn: number;
    pending: number;
  };
  dataRequests: {
    access: number;
    correction: number;
    erasure: number;
  };
  securityMetrics: {
    unauthorizedAttempts: number;
    dataBreaches: number;
  };
}

async function generateQuarterlyReport(
  startDate: Date,
  endDate: Date
): Promise<ComplianceReport> {
  return {
    period: { start: startDate, end: endDate },
    totalVerifications: await countVerifications(startDate, endDate),
    consentMetrics: await getConsentMetrics(startDate, endDate),
    dataRequests: await getDataRequestMetrics(startDate, endDate),
    securityMetrics: await getSecurityMetrics(startDate, endDate),
  };
}
```

### Regular Compliance Reviews

| Review Type          | Frequency | Responsible Party  |
| -------------------- | --------- | ------------------ |
| Access review        | Monthly   | Security team      |
| Consent audit        | Quarterly | Compliance team    |
| Data retention check | Quarterly | DPO                |
| Security assessment  | Annually  | External auditor   |
| Policy review        | Annually  | Legal + Compliance |

## Data Processing Agreement

Ensure your agreement with TxnCheck covers:

<AccordionGroup>
  <Accordion title="Data Processing Terms">
    * Categories of personal data processed
    * Purpose limitation
    * Data retention periods
    * Sub-processor disclosure
  </Accordion>

  <Accordion title="Security Measures">
    * Encryption standards
    * Access controls
    * Incident response procedures
    * Audit rights
  </Accordion>

  <Accordion title="Data Subject Rights">
    * Process for handling requests
    * Response timeframes
    * Cooperation requirements
  </Accordion>

  <Accordion title="Breach Notification">
    * Notification timeframes (72 hours)
    * Information to be provided
    * Remediation procedures
  </Accordion>
</AccordionGroup>

## Compliance Checklist

### Before Going Live

<Steps>
  <Step title="Legal Review">
    Have legal team review TxnCheck DPA and terms
  </Step>

  <Step title="Consent Flow">
    Implement and test consent collection
  </Step>

  <Step title="Data Mapping">
    Document all data flows and storage locations
  </Step>

  <Step title="Audit Logging">
    Verify audit logs capture required events
  </Step>

  <Step title="Retention Policies">
    Configure automated data deletion
  </Step>

  <Step title="Rights Handling">
    Implement data subject request workflows
  </Step>
</Steps>

### Ongoing Compliance

* [ ] Monthly access reviews
* [ ] Quarterly consent audits
* [ ] Annual security assessment
* [ ] Regular policy updates
* [ ] Staff training on data handling

## Penalties for Non-Compliance

| Regulation | Potential Penalty                                       |
| ---------- | ------------------------------------------------------- |
| DPDP Act   | Up to ₹250 crore per violation                          |
| RBI KYC    | License restrictions, fines                             |
| PCI DSS    | Fines up to \$100,000/month, card processing suspension |

<Warning>
  Non-compliance with data protection regulations can result in significant financial penalties and reputational damage. Consult with legal and compliance experts for your specific situation.
</Warning>

## Resources

<CardGroup cols={2}>
  <Card title="RBI Master Direction" icon="landmark" href="https://www.rbi.org.in/commonman/Upload/English/Notification/PDFs/MD18KYCF6E92C82E1E1419D87323E3869BC9F13.pdf">
    KYC Master Direction 2016
  </Card>

  <Card title="DPDP Act 2023" icon="scale-balanced" href="https://www.meity.gov.in/static/uploads/2024/02/Digital-Personal-Data-Protection-Act-2023.pdf">
    Digital Personal Data Protection Act
  </Card>
</CardGroup>

## Related Guides

<CardGroup cols={2}>
  <Card title="Data Handling" icon="database" href="/security/data-handling">
    PII handling best practices
  </Card>

  <Card title="Security Overview" icon="shield" href="/security/overview">
    Complete security guide
  </Card>
</CardGroup>
