Every entity (“Regulated Entity” or “RE”) regulated by the Reserve Bank of India (“RBI”) is required to conduct customer due diligence (“CDD”) on individuals (i) while establishing an account-based relationship; or (ii) while dealing with a beneficial owner, an authorized signatory, or a power of attorney holder related to any legal entity. For this purpose, an RE must adhere to the guidelines as provided by RBI under the Know Your Customer (KYC) Directions, 2016 (“KYC Directions”) as amended from time to time.
In January 2020, with a view to use of digital channels for the customer identification process (“CIP”) by REs, RBI amended the KYC Directions, amongst other things, to also allow ‘Video-based Customer Identification Process’ (“V-CIP”). The V-CIP is a consent-based alternate method of establishing the customer’s identity for customer onboarding. In fact, RBI’s recent amendments to the KYC Directions indicates its intentions to simplify customer onboarding and to conform to the terms of the ‘Digital India’ campaign. Though a few lapses may occur , RBI is definitely closer to a complete online process for customer onboarding.
A summary of the CDD procedure currently followed by all REs as required under the KYC Directions and some notable implications of the said process follows.
As per the KYC Directions, REs must obtain the following information/documents from individuals while conducting CDD:
1. Aadhaar number; or
2. Proof of possession of Aadhaar number where offline verification can be carried out; or
3. Proof of possession of Aadhaar number where offline verification cannot be carried out; or
4. Any Officially Valid Document (“OVD”) (the RBI has recognized Passport, Driving License, Voter ID, Pan Card, Aadhar Card and NREGA Job Card as OVDs), or the equivalent e-document thereof, giving the details of identity and address; and
5. Permanent Account Number (PAN), or the equivalent e-document thereof, or Form No. 60 as defined in Income-tax Rules, 1962; and
6. documents certifying the client’s nature of business and financial status, or the equivalent e-documents thereof as may be required by the RE.
The KYC Directions have prescribed certain guidelines to be followed by REs when the above-mentioned documents/data are collected from a customer. Some of the key features are:
When a customer has voluntarily submitted his/her Aadhaar Number to banks or certain other REs (which have been permitted to undertake authentication of an individual’s Aadhaar Number), such banks or REs must carry out authentication of the customer’s Aadhaar Number, using the e-KYC facility provided by the Unique Identification Authority of India (“UIDAI”).
Alternatively, a customer may choose to provide proof of possession of his Aadhaar card instead of submitting his Aadhaar Number to the RE. In such an instance, the RE will be required to proceed by the following routes:
1. Where offline verification can be carried out: This route requires an individual to generate his/her digitally signed Aadhaar details (using XML) by accessing the UIDAI portal. The details generated will contain name, address, photo, gender, date of birth, registered phone number (hidden), and registered e-mail address (hidden). While it is mandatory for the individual to share his name and address in the digitally-signed XML, he/she has the option to specify which of the five remaining demographic details he/she chooses to share with the RE.
Offline verification helps to limit data sharing. In today’s world where the protection of data is of paramount importance, the offline verification method gives an individual the option to complete his/her onboarding process without having to disclose details of his/her Aadhaar Number or share his/her biometrics with the RE. By collecting limited information in relation to a customer’s Aadhaar, REs limit their exposure to a potential data breach.
2. Where offline verification cannot be carried out: When offline verification cannot be carried out, Digital KYC must be conducted. Digital KYC is a process of capturing live photo of a customer with his/her OVD or the proof of possession of Aadhaar, along with the latitude and longitude of the location where such live photo is being taken by the authorised officer of the RE. Verification through digital KYC involves the following these steps:
• The RE gives prior sanction to a person/persons for access to its digital application for conducting the digital KYC;
• The RE authorizes an officer to take a live photograph of the customer along with latitude and longitude of the location where the said photograph is being taken;
• Once the details collected are entered in the prescribed form, the customer has to confirm the information by using the OTP generated;
• Lastly, the authorized person attests to the correctness of these details.
While digital KYC does simplify the onboarding process, the requirement of a middleman (i.e. a person authorized by the RE) to complete the process defeats the purpose of having a digital KYC. Ideally, a digital process should considerably reduce the need for human interaction. RBI should consider introducing a mechanism that permits REs to allow an individual to directly log into the RE’s digital application and complete his/her digital KYC instead of having a person authorized by the RE to complete this process. This could potentially save more time and cost for REs.
Notably, RBI has also provided for an alternate option instead of conducting digital KYC. As per the KYC Directions, REs may also choose to obtain a certified copy of proof of possession of Aadhaar or OVD and a recent photograph. However, when a customer submits his/her Aadhaar as proof, the RE must ensure that the customer’s Aadhaar Number is redacted. While several REs may fail to perform this exercise (due to the volume of customer onboarding documentation they process on a daily basis), it would be indeed preferable if RBI could introduce a mechanism for an individual to ascertain that the RE has indeed redacted details of the Aadhaar Number when a copy of his/her Aadhaar is submitted.
OVD: If an individual prefers to provide any of the OVDs (instead of his/her Aadhaar) for the purpose of CDD, the KYC Directions have prescribed that the same process as that for Aadhaar verification be followed for OVD verification.
V-CIP: By the recent amendment in January 2020, the RBI introduced a consent-based V-CIP as another method for customer identification. As per this method, an RE opts for seamless, secure, real-time, consent based audio-visual interaction with an individual to obtain identification information, including the documents required for CDD purpose, and to ascertain the accuracy of the information furnished by the customer. The V-CIP must be carried out only by an official authorized by the RE. Notably, the KYC Directions have certain stipulations that must be adhered to by the REs when V-CIP is undertaken. These include:
1. The official authorized by the RE to conduct the V-CIP must record a video and capture a photograph of the individual for identification and also obtain the following identification information:
• Banks can use OTP based Aadhaar e-KYC authentication or offline verification of Aadhaar for identification. Additionally, banks may also use the services of business correspondents to assist in the V-CIP mechanism.
• All other REs can only perform offline verification of Aadhaar for identification.
2. Live location of the individual must be captured to ensure that the customer is physically present in India.
3. REs must capture a clear image of the PAN card displayed by the individual during the process, except in cases where the customer provides e-PAN. The PAN details must also be verified from the database of the issuing authority.
4. REs must ensure that the video recording is stored in a secure manner and bears a stamp of the date and time.
REs have welcomed the introduction of V-CIP as it allows remote onboarding, which saves time both for themselves and their customers.
By the introduction of these methods of verification in the KYC Directions, RBI is obviously working towards simplifying the CDD exercise. With these amendments, the age-old reliance on cumbersome paper-work for the purpose of customer identification is being replaced with technology-based identification. In fact, several start-ups in India have already developed digital identification solutions. It remains to be seen whether RBI encourages REs to collaborate with these start-up entities to ensure completion of V-CIP in a seamless manner; and what is more, whether RBI streamlines the customer verification procedure by introducing a centralized digital application for REs to complete customer onboarding.
Kavya Katherine Thayil, the author is an Associate with J Sagar & Associates, a law firm. Views expressed are personal and should not be construed as the official view of this publication.