Confidential Dispatch
At a glance

A real estate agent handling buyer and seller KYC carries two overlapping duties: the DPDP Act’s notice-and-consent-and-security requirements as a Data Fiduciary, and — if annual turnover crosses ₹20 lakh — anti-money-laundering record-keeping duties under the Prevention of Money-Laundering Act (PMLA) as a reporting entity, including due-diligence checks and transaction records kept for reconstruction on demand. High-value and HNI deals raise the stakes on both: more sensitive documents, more parties in the loop, and a stronger case for a controlled document channel instead of email and WhatsApp.

Educational resource only. This explains document-handling duties under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and PMLA for real estate agents handling buyer and seller KYC; it is not formal legal advice.

The situation

A property transaction moves an unusual amount of sensitive paperwork through an unusually informal channel — PAN and Aadhaar copies over WhatsApp, bank statements forwarded for a home-loan pre-approval, passport copies for an NRI buyer, all changing hands between buyer, seller, broker and sometimes a financier, often with no single controlled channel and no one person responsible for what happens to a copy once the deal closes.

The two overlapping duties

The DPDP Act applies to every agent; PMLA’s reporting-entity duties apply once you clear a turnover threshold. Under the DPDP Act, any agent or agency deciding why and how a client’s personal data is used — which is every agency handling buyer/seller documents — is a Data Fiduciary, full stop. Separately, a 2023 government notification brought real estate agents with annual turnover of ₹20 lakh or more under PMLA as reporting entities: they must run client due-diligence checks, verify beneficial ownership, maintain records that let a transaction be reconstructed later, and file suspicious-transaction reports with the Financial Intelligence Unit. The two regimes reinforce each other rather than conflict — PMLA’s record-keeping duty is itself a lawful basis under the DPDP Act (Section 7, legal obligation) for holding the data that long.

What buyer/seller KYC actually involves

Identity, financial, and property-title documents move together, and the sensitivity varies sharply between them.

  • Identity documents — PAN, Aadhaar, passport (for NRI buyers), photographs.
  • Financial documents — bank statements, income proof, home-loan sanction letters, sometimes a source-of-funds declaration.
  • Property documents — the sale deed, encumbrance certificate, title documents, sometimes shared before a deal is even confirmed.
  • Beneficial-ownership detail — where a buyer purchases through a company or trust, the identity of the individuals actually behind it, which PMLA’s due-diligence duty specifically requires agents to establish.

Where high-value and HNI deals raise the stakes

More money moving means more scrutiny, more parties, and a proportionally bigger document-handling risk. High-value and HNI transactions tend to add: source-of-funds documentation that goes beyond a standard salary slip, foreign-asset or NRI-status paperwork, multiple advisors (a chartered accountant, a lawyer, sometimes a wealth manager) all requesting copies of the same documents, and a materially higher incentive for a leaked document to be misused — a buyer’s full financial profile is worth more to a bad actor than a routine mid-market transaction’s. None of this changes the underlying duty under the DPDP Act or PMLA; it raises the cost of getting the document-handling step wrong.

Step-by-step: a controlled document workflow

  1. One channel, not scattered ones. Route buyer and seller documents through a single access-controlled folder or portal — not a mix of WhatsApp, personal email and printouts changing hands at a site visit.
  2. Collect what the stage actually needs. A property-shortlisting stage doesn’t need a full KYC set; save the complete document ask for once a deal is genuinely progressing.
  3. Verify beneficial ownership up front for entity buyers. If a buyer is purchasing through a company or trust, get the individual owners’ identity documented at due-diligence stage, not after the fact.
  4. Keep the PMLA-required records intact and separately logged — the client due-diligence file and transaction record, distinct from the general property paperwork, so it’s ready to reconstruct if FIU-India or another authority asks.
  5. Limit access to the deal team — the assigned agent and, where relevant, the financier’s representative — not the whole agency.
  6. Set a deletion point for documents that fall outside the deal. A shortlisted buyer who doesn’t proceed shouldn’t have their financial documents sitting in the agency’s files indefinitely.

Where RERA adds a third layer

A registered real estate agent carries obligations under the Real Estate (Regulation and Development) Act, 2016 (RERA) too, alongside the DPDP Act and, above the turnover threshold, PMLA — a third overlapping regime rather than a substitute for the other two. State RERA rules generally require a registered agent to maintain books of account and transaction records, and to furnish specific information about the deals they’ve facilitated to the state Real Estate Regulatory Authority on request — a record-keeping and disclosure duty conceptually similar to PMLA’s, though serving buyer-protection and market-transparency purposes rather than anti-money-laundering ones. As with PMLA, this RERA-driven record-keeping is itself a legal-obligation basis under the DPDP Act (Section 7) for holding the specific buyer and transaction data that duty requires — it doesn’t relieve the agent of the DPDP Act’s other obligations (security, minimisation, deletion once no regime still needs the data), and the exact record-keeping specifics vary by state, so an agent should check the current rules for the state(s) they operate in rather than assume a single national standard.

FAQ

Does RERA registration add its own data-retention duty on top of PMLA and the DPDP Act?

Yes, for registered agents — RERA rules generally require maintaining transaction records and furnishing details to the state Regulatory Authority on request, which functions as a separate legal-obligation basis under the DPDP Act. The specifics vary by state, so check current state RERA rules rather than assuming one national standard.

Does every real estate agent count as a PMLA reporting entity?

Only those with annual turnover of ₹20 lakh or more, per the 2023 notification. Below that threshold, the agent is still a Data Fiduciary under the DPDP Act but doesn’t carry PMLA’s specific client due-diligence and reporting duties.

How long must PMLA records be kept?

PMLA’s record-keeping provisions (Section 12) generally require reporting entities to retain transaction and identification records for a set period after the transaction or the end of the client relationship — check the current FIU-India guidance for the exact figure applicable to your entity type, and treat that period as the legal-obligation basis recognised under the DPDP Act for holding the data that long.

Do NRI buyers’ documents need any special handling?

Not a separate legal regime, but practically yes — passport copies and foreign-bank documentation are higher-value targets and worth the same controlled-channel treatment as any other sensitive ID, if not more.

What happens to a prospective buyer’s documents if the deal falls through?

The DPDP Act’s purpose-limitation principle applies — once the specific deal that needed the documents is off, retaining the buyer’s financial and identity documents indefinitely has no basis; delete them unless a specific ongoing duty (like an active PMLA record period) requires otherwise.

Reviewed by Confidential Dispatch Editorial Team
Last updated 17 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →