Confidential Dispatch
At a glance

A KYC packet is your identity in one folder — ID proof, address proof, PAN, photo, often a cancelled cheque — so treat the bundle as more sensitive than any single document in it. Send only what the specific KYC actually requires, use masked Aadhaar where Aadhaar is the ID, self-attest every copy with the purpose written on it, and send through the institution’s official channel. And treat every unsolicited “your KYC is expiring” call or link as a scam — real KYC never starts with a stranger’s link.

Educational resource only. This explains how your KYC documents are treated as personal data under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

Why the KYC bundle deserves more care than any single document

KYC — “know your customer” — is the identity-verification step regulated institutions must run, and it’s the one moment you routinely hand over several core documents at once. A leaked PAN is a problem; a leaked folder containing your PAN, Aadhaar, photo, address proof and bank details is a ready-to-use impersonation kit — everything a fraudster needs to open accounts, take loans or pass verification as you, pre-assembled. The bundling is what changes the stakes, and it’s why how you send a KYC packet matters more than for any single document.

What a KYC packet actually contains

The standard set is proof of identity, proof of address, PAN and a photograph — with add-ons depending on what you’re signing up for. Typically that means: one ID proof (Aadhaar, passport, driving licence or Voter ID), one address proof (often the same document, or a utility bill), PAN for anything financial, a passport photo, and — for accounts that move money — a cancelled cheque or bank proof. Each element is a strong identifier on its own; together they cross-confirm each other, which is precisely what verification needs and exactly what misuse exploits.

Who asks for KYC, and how much they really need

Banks, insurers, fund houses, telecom operators and regulated lenders are required by their own regulators to run KYC — but “KYC” is not a licence to collect everything. Whoever collects it becomes a Data Fiduciary with duties to you: a clear notice of why it’s collected (Section 5), and collection limited to what the stated purpose needs (Section 6).

  • Reasonable — a bank or regulated lender opening your account, a mutual fund or broker onboarding you, an insurer issuing a policy, a telecom operator issuing a SIM. The regulator prescribes the set; the institution can tell you exactly which documents qualify.
  • Question it — “KYC” invoked by businesses with no regulatory duty to run it (a gym, a rental broker, a shopping app), demands for the full packet where one ID would do, or an insistence on unmasked Aadhaar when a masked copy or another ID from the accepted list serves. Which document to give is usually your choice from a list — you can pick the least sensitive one that qualifies.

The real risks — including the KYC-update scam

The bundle is the prize — and “KYC” itself has become the costume fraud wears. A stray KYC packet can be used to:

  • impersonate you wholesale — accounts, SIMs, wallets or loans opened in your name with your own cross-confirming documents;
  • back loan and credit fraud — a complete, genuine document set passes checks that a single forged document wouldn’t;
  • fuel targeted scams — someone holding your real details sounds exactly like your bank on the phone.

Then there’s the scam that uses the word: the KYC-update fraud. A call, SMS or WhatsApp message warns that your account, SIM or wallet will be “blocked” unless you complete KYC immediately — via a link, an app they ask you to install, or documents sent right there in chat. Real KYC doesn’t work that way: institutions don’t threaten same-day blocking, don’t run KYC over chat links, and never need remote-access apps. Any urgent, unsolicited KYC demand is a scam until proven otherwise — verify by contacting the institution through its official app or branch, never through the message that raised the alarm.

What to include, what to mask, what to attest

Build the minimum packet the specific KYC requires, mask what the rules allow, and purpose-mark every page.

  1. Ask for the accepted-documents list and pick the least sensitive combination that qualifies — you rarely need to submit more documents than the list requires.
  2. Use masked Aadhaar (it hides the first eight digits) wherever Aadhaar is your chosen ID — it’s officially valid for most KYC, and no private business can insist on Aadhaar specifically when the list offers alternatives.
  3. Self-attest every copy — sign across each page and write the purpose and date: “For [institution], [purpose], [month/year] only.” An attested, purpose-marked copy is far harder to reuse.
  4. Don’t volunteer extras — if PAN plus one address proof completes the KYC, the packet doesn’t also need your salary slips or bank statements “just in case.”

How to send it securely

Official channel, protected files, no chat forwards — the channel is where KYC packets usually leak.

  1. Use the institution’s own route — its app, its upload portal, its video-KYC flow, or the branch — rather than emailing scans to an agent’s personal address or WhatsApping them to a relationship manager.
  2. If a document must travel by email, password-protect it and send the password separately. One protected PDF beats a burst of gallery photos.
  3. Never send KYC documents in response to an incoming call or link — that’s the scam’s entry point, not a channel.
  4. Prefer official digital alternatives where offered — DigiLocker-issued documents and video-KYC flows exist precisely so loose photocopies don’t have to circulate.

Masking, safe channels and minimisation work the same way for every document you handle — the steps above are the KYC-packet version of that shared routine.

How to store it, and when to let go

Don’t keep a pre-assembled “KYC folder” in your gallery or chats — and hold institutions to their retention rules. Assemble a packet when needed, from originals kept in one secured place, and clear the copies from your sent mail, chats and downloads afterwards — a ready-made identity kit sitting in your phone gallery is a standing risk if the phone or an account is compromised.

Institutions are required by financial regulations to retain KYC records for years after the relationship ends — that’s a legal obligation, and the DPDP Act respects it. What the Act adds (Section 8) is that they must secure what they hold and erase what no law or live purpose requires — and a business that had no KYC mandate in the first place gets no such shelter. You can ask what’s held, ask for deletion where nothing requires retention, and ask for written confirmation.

FAQ

Which documents does KYC actually require?

Typically one identity proof of your choice from an accepted list (Aadhaar, passport, driving licence, Voter ID), an address proof, PAN for financial services, and a photo. The institution must tell you the accepted list — pick the least sensitive combination that qualifies.

Can I use masked Aadhaar for KYC?

Yes, in most cases — a masked Aadhaar (first eight digits hidden) is officially valid for identification, and where a business insists on more, you can usually choose a different document from the accepted list instead.

How do I recognise a KYC scam?

Urgency plus an unofficial channel: a call, SMS or chat link warning your account or SIM will be blocked unless you “update KYC” now. Real institutions don’t run KYC through links in messages or remote-access apps — verify through the official app or branch, never through the message itself.

Is it safe to send KYC documents over WhatsApp to my bank’s relationship manager?

Avoid it. A personal chat thread isn’t the institution’s controlled channel — copies persist in phones and backups indefinitely. Use the bank’s app, portal or branch, and if email is unavoidable, password-protect the file.

How long can a company keep my KYC documents?

Regulated institutions must retain KYC records for the period their financial regulations mandate, even after you leave. Beyond what a law requires, the DPDP Act’s erasure duty applies — and a business that never had a KYC mandate can’t hide behind the word.

Reviewed by Confidential Dispatch Editorial Team
Last updated 16 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →