At a glance
A real estate agent handling buyer and seller KYC carries two overlapping duties: the DPDP Act’s notice-and-consent-and-security requirements as a Data Fiduciary, and — if annual turnover crosses ₹20 lakh — anti-money-laundering record-keeping duties under the Prevention of Money-Laundering Act (PMLA) as a reporting entity, including due-diligence checks and transaction records kept for reconstruction on demand. High-value and HNI deals raise the stakes on both: more sensitive documents, more parties in the loop, and a stronger case for a controlled document channel instead of email and WhatsApp.
Educational resource only. This explains document-handling duties under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and PMLA for real estate agents handling buyer and seller KYC; it is not formal legal advice.
The situation
A property transaction moves an unusual amount of sensitive paperwork through an unusually informal channel — PAN and Aadhaar copies over WhatsApp, bank statements forwarded for a home-loan pre-approval, passport copies for an NRI buyer, all changing hands between buyer, seller, broker and sometimes a financier, often with no single controlled channel and no one person responsible for what happens to a copy once the deal closes.
The two overlapping duties
The DPDP Act applies to every agent; PMLA’s reporting-entity duties apply once you clear a turnover threshold. Under the DPDP Act, any agent or agency deciding why and how a client’s personal data is used — which is every agency handling buyer/seller documents — is a Data Fiduciary, full stop. Separately, a 2023 government notification brought real estate agents with annual turnover of ₹20 lakh or more under PMLA as reporting entities: they must run client due-diligence checks, verify beneficial ownership, maintain records that let a transaction be reconstructed later, and file suspicious-transaction reports with the Financial Intelligence Unit. The two regimes reinforce each other rather than conflict — PMLA’s record-keeping duty is itself a lawful basis under the DPDP Act (Section 7, legal obligation) for holding the data that long.
What buyer/seller KYC actually involves
Identity, financial, and property-title documents move together, and the sensitivity varies sharply between them.
- Identity documents — PAN, Aadhaar, passport (for NRI buyers), photographs.
- Financial documents — bank statements, income proof, home-loan sanction letters, sometimes a source-of-funds declaration.
- Property documents — the sale deed, encumbrance certificate, title documents, sometimes shared before a deal is even confirmed.
- Beneficial-ownership detail — where a buyer purchases through a company or trust, the identity of the individuals actually behind it, which PMLA’s due-diligence duty specifically requires agents to establish.
Where high-value and HNI deals raise the stakes
More money moving means more scrutiny, more parties, and a proportionally bigger document-handling risk. High-value and HNI transactions tend to add: source-of-funds documentation that goes beyond a standard salary slip, foreign-asset or NRI-status paperwork, multiple advisors (a chartered accountant, a lawyer, sometimes a wealth manager) all requesting copies of the same documents, and a materially higher incentive for a leaked document to be misused — a buyer’s full financial profile is worth more to a bad actor than a routine mid-market transaction’s. None of this changes the underlying duty under the DPDP Act or PMLA; it raises the cost of getting the document-handling step wrong.
Step-by-step: a controlled document workflow
- One channel, not scattered ones. Route buyer and seller documents through a single access-controlled folder or portal — not a mix of WhatsApp, personal email and printouts changing hands at a site visit.
- Collect what the stage actually needs. A property-shortlisting stage doesn’t need a full KYC set; save the complete document ask for once a deal is genuinely progressing.
- Verify beneficial ownership up front for entity buyers. If a buyer is purchasing through a company or trust, get the individual owners’ identity documented at due-diligence stage, not after the fact.
- Keep the PMLA-required records intact and separately logged — the client due-diligence file and transaction record, distinct from the general property paperwork, so it’s ready to reconstruct if FIU-India or another authority asks.
- Limit access to the deal team — the assigned agent and, where relevant, the financier’s representative — not the whole agency.
- Set a deletion point for documents that fall outside the deal. A shortlisted buyer who doesn’t proceed shouldn’t have their financial documents sitting in the agency’s files indefinitely.
Where RERA adds a third layer
A registered real estate agent carries obligations under the Real Estate (Regulation and Development) Act, 2016 (RERA) too, alongside the DPDP Act and, above the turnover threshold, PMLA — a third overlapping regime rather than a substitute for the other two. State RERA rules generally require a registered agent to maintain books of account and transaction records, and to furnish specific information about the deals they’ve facilitated to the state Real Estate Regulatory Authority on request — a record-keeping and disclosure duty conceptually similar to PMLA’s, though serving buyer-protection and market-transparency purposes rather than anti-money-laundering ones. As with PMLA, this RERA-driven record-keeping is itself a legal-obligation basis under the DPDP Act (Section 7) for holding the specific buyer and transaction data that duty requires — it doesn’t relieve the agent of the DPDP Act’s other obligations (security, minimisation, deletion once no regime still needs the data), and the exact record-keeping specifics vary by state, so an agent should check the current rules for the state(s) they operate in rather than assume a single national standard.
FAQ
Does RERA registration add its own data-retention duty on top of PMLA and the DPDP Act?
Yes, for registered agents — RERA rules generally require maintaining transaction records and furnishing details to the state Regulatory Authority on request, which functions as a separate legal-obligation basis under the DPDP Act. The specifics vary by state, so check current state RERA rules rather than assuming one national standard.
Does every real estate agent count as a PMLA reporting entity?
Only those with annual turnover of ₹20 lakh or more, per the 2023 notification. Below that threshold, the agent is still a Data Fiduciary under the DPDP Act but doesn’t carry PMLA’s specific client due-diligence and reporting duties.
How long must PMLA records be kept?
PMLA’s record-keeping provisions (Section 12) generally require reporting entities to retain transaction and identification records for a set period after the transaction or the end of the client relationship — check the current FIU-India guidance for the exact figure applicable to your entity type, and treat that period as the legal-obligation basis recognised under the DPDP Act for holding the data that long.
Do NRI buyers’ documents need any special handling?
Not a separate legal regime, but practically yes — passport copies and foreign-bank documentation are higher-value targets and worth the same controlled-channel treatment as any other sensitive ID, if not more.
What happens to a prospective buyer’s documents if the deal falls through?
The DPDP Act’s purpose-limitation principle applies — once the specific deal that needed the documents is off, retaining the buyer’s financial and identity documents indefinitely has no basis; delete them unless a specific ongoing duty (like an active PMLA record period) requires otherwise.