On January 09, 2020, the Reserve Bank of India (“RBI”) vide notification no. DOR.AML.BC.No.27/14.01.001/2019-20 amended the Master Direction on KYC dated February 25, 2016 with a view to ‘leveraging the digital channels for Customer Identification Process (“CIP”) by Regulated Entities (“RE”). This move was in furtherance of Gazette notifications dated August 19, 2019 and November 13, 2019 amending the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (“PMLR”). It has introduced One Time Password (“OTP”) based KYC mechanism and Video-Customer Identification Process (“V-CIP”).
Pre-Amendment Position
Since Aadhaar was introduced, many RBI regulated entities, banks and otherwise, were using e-KYC. Prior to the verdict of the Apex Court in Justice K.S. Puttaswamy v. Union of India, banks were using Aadhaar e-KYC to open bank accounts through phone apps and websites. E-KYC facility by all these other entities was suspended after the said judgment. It gave rise to an indispensable need for a serious assessment of its implications on fintech firms. There was legal uncertainty on the use of online KYC on a voluntary basis by fintech firms as the judgment practically put a stop to the use of e-KYC or relying on Aadhaar Database in any way for such firms. According to the Steering Committee on Fintech in its Report, the Puttaswamy Case resulted in the need to explore alternatives such as Original Seen and Verified (“OSV”) correspondents for physical KYC, e-sign, non-face to face onboarding, including offline authentication modes prescribed by the UIDAI.[1]
Due to lack of any approved alternative digital KYC process, non-banking entities were left to resort to physical KYC which had several banes such as higher expenses, lengthier timelines and various operational burdens. XML Offline Aadhaar verification had a high failure rate, making it a less effective mechanism.[2]
Eventually, in February 2019, the Union Cabinet cleared ordinance allowing banks and telecom companies to use Aadhaar for KYC. It left out non-bank firms. Later, a Ministry of Finance circular dated May 09, 2019, laid down the process for applications under Section 11A under the PMLA for the use of Aadhaar authentication services by non-bank entities. The Circular requires REs to file an application with its respective regulator and undergoing a three-tier approval process involving such respective regulator, the UIDAI and the Central Government.[3] Accordingly, if financial entities, other than banks were willing to put in place e-KYC, they were required to apply individually under the aforementioned three-tiered process.
SEBI had permitted vide-KYC for entities regulated by it such as mutual fund houses to verify its customers in absence of Aadhaar based verification by virtue of its circular dated November 05, 2019.
The RBI had granted an extension to comply with its requirement of conversion from minimum KYC to full KYC to March 31, 2020. In the meanwhile, there were no alternative digital means for fintech firms to conduct KYC in light of the aforementioned Puttaswamy Case.
Amendments introduced to the Master Direction on KYC
1. Opening Account using OTP based e-KYC in non-face-to-face mode
This consent-based authentication mechanism which relies on OTP verification is introduced with certain conditions. These limitations include a cap on the balance of the customer, cap on aggregate credit in a financial year, availability of certain types of loans and tenure of such accounts.
Under this mechanism, the RE is required to develop a secured app which would be controlled by it and act as an exclusive venue for OTP based e-KYC. It is based on possession of Officially Valid Document (“OVD”) by the customer.
Through this secure app, the Authorized Officer (“AO”) of RE would capture a live photograph of the customer which is embedded in the Customer Application Form (“CAF”). The captured live photograph would contain a readable watermark having the CAF number, GPS coordinates, the AO’s name and his unique employee code as well as a date and time stamp. Photograph of the customer’s OVD is also to be captured by placing it horizontally and capturing it vertically from above while maintaining abovementioned other conditions.
After capturing of live photographs, the customer needs to then fill other entries per the furnished documents and in case of availability of a Quick Response Code, by scanning such code.
Thereafter, on completion of the aforementioned process, an OTP will be generated to the customer’s mobile number seeking the customer to verify the details filled in the form before sharing OTP. On successful validation of the OTP, the same will be treated as his signature on CAF.
The AO has to provide his declaration about the capturing of live photographs. For this purpose, the AO also will be verified by OTP and his live photograph will be captured in such declaration.
This is followed by the generation of transaction-id by the activation officer of the RE to the customer. On successful verification, the CAF will be digitally signed by AO, who will thereafter print the CAF, obtain signatures of the customer at appropriate places, scan and upload the same in the system. The customer may receive the original hard copy.
Banks are permitted to appoint a Business Correspondent (“BC”) for the purpose of this process.
2. Video- CIP
The amendment has introduced V-CIP for establishing customer relationship and laid down the detailed process in the Master Directions. V-CIP provides a seamless, real-time, secure, end-to-end encrypted audiovisual mechanism for identification of customers.
The V-CIP process is to be initiated from the domain of the RE itself, the Directions bar use of third party service provider for this purpose. The process needs to be operated by specifically trained officials of the RE. Further, the activity log along with the credentials of the officials are required to be preserved, and stored in a safe and secure manner and must bear date and time stamp.
Unlike the OTP based mechanism where the entire process can be assisted by BCs, in V-CIP, BCs can facilitate the process only at the customer end, the other end has to be manned necessarily by a Bank Official. Banks are further required to maintain details of BCs assisting customers.
The Directions place ultimate responsibility for due diligence on the bank. V-CIP process requires the official of RE to capture a clear image of PAN Card, to be displayed by the customer in the video call. It mandates geotagging to ensure that the customer is physically present in India. RE must ensure to redact or blackout the Aadhaar number and also carry out liveliness check of its V-CIP process to guard against spoofing and other fraudulent manipulations.
*Notably, accounts opened by way of this mechanism can only be made operational post a concurrent audit to ensure the integrity of the process.*
3. Digilocker e-Documents
The Master Direction also permits acceptance of e-documents issued by issuing authority to customer’s DigiLocker account in the KYC Process. Equivalent e-document has been defined as “electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the customer as per Rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016."
This move has been long-awaited by stakeholders. It is expected to give impetus to fintech players anticipating legal clarity on the e-KYC process, which is vital for seamless onboarding.
[1] Report of the Steering Committee on Fintech Related Issues, 2019, Department of Economic Affairs, Ministry of Finance, Government of India.
[2] https://community.nasscom.in/communities/policy-advocacy/headline-finance-ministry-introduces-digital-kyc-under-pmla.html
[3]Ibid.