Over the past year, we released Veri5KYC, a suite of products catering to the KYC and verification needs of the BFSI and fintech industries. Companies in the transport, delivery, and ecommerce space also adopted Veri5KYC products to ascertain the safety of their customers and protect themselves from identity fraud.
One of the major questions that we get from our customers, especially from companies that fall under RBI and PMLA guidelines, is whether they should consider doing an IPV (In-person Verification) after going through the Digital KYC or Offline KYC process, and whether this applies to all fintechs irrespective of the size or volume of transactions.
In this essay, we draw on parts of the RBI Circular, PMLA guidelines, and UIDAI directives to try and answer these questions.
To begin with, we picked out the Master KYC directive from RBI for all regulated entities under its umbrella and tried to interpret what was given there with respect to KYC.
Master KYC Circular
Section 3 (ix) of the Reserve Bank of India’s Master Circular on KYC, read with Regulation 4(d) of UIDAI’s circular on “Proof of possession of Aadhaar number”, establishes Offline Aadhaar XML as an Officially Valid Document which can be used to conduct KYC.
In addition to this, the Ministry of Finance, in its Gazetted notification, amended the PMLA guidelines to include Aadhaar offline XML as proof of possession of Aadhaar number.
The aforesaid Gazetted notification is applicable to “Regulated Entities” (REs) which include:
- All Scheduled Commercial Banks (SCBs)/ Regional Rural Banks (RRBs)/ Local Area Banks (LABs)/ All Primary (Urban) Co-operative Banks (UCBs)/State and Central Co-operative Banks (StCBs / CCBs) and any other entity which has been licenced under Section 22 of Banking Regulation Act, 1949, which as a group shall be referred as ‘banks’
- All India Financial Institutions (AIFIs)
- All Non-Banking Finance Companies (NBFCs), Miscellaneous Non-Banking Companies (MNBCs) and Residuary Non-Banking Companies (RNBCs).
- All Payment System Providers (PSPs)/ System Participants (SPs) and prepaid Payment Instrument Issuers (PPI Issuers)
- All authorized persons (APs) including those who are agents of the Money Transfer Service Scheme (MTSS), regulated by the Regulator.
What does this mean?
The above notification and section of Master KYC circular mean that Offline Aadhaar XML is a valid OVD and can be used for the purpose of KYC.
The point of mandating KYC by RBI was to make sure PMLA guidelines were followed. In the notification by the Government of India, the “Digital KYC” process is defined along with details of how it should function.
Though this sheds light on the validity of the Aadhaar-based KYC process for REs, the question about Digital KYC and in-person verification still persists. To answer this, we take a look at The Internet & Mobile Association of India’s (IAMAI) analysis of the PMLA guidelines below and further analyse what Digital KYC means.
PMLA guidelines
The Government of India in its latest Gazette prescribes Digital KYC Process as summarized below:
- The reporting entities shall develop an application for digital KYC process which shall be made available at customer touchpoints for undertaking KYC of their customers and the KYC process shall be undertaken only through this authenticated Application of the Reporting Entities.
- The access of the Application shall be controlled by the Reporting Entities and it should be ensured that the same is not used by unauthorized persons. The Application shall be accessed only through login-id and password or Live OTP or Time OTP controlled mechanism given by Reporting Entities to its authorized officials.
- The client, for the purpose of KYC, shall visit the location of the authorized official of the Reporting Entity or vice-versa. The original Officially Valid Document (OVD) shall be in possession of the client.
- The Reporting Entity must ensure that the Live photograph of the client is taken by the authorized officer and the same photograph is embedded in the Customer Application Form (CAF). Further, the system Application of the Reporting Entity shall put a water-mark in readable form having CAF number, GPS coordinates, authorized official’s name, unique employee Code (assigned by Reporting Entities) and Date (DD:MM:YYYY) and timestamp (HH:MM:SS) on the captured live photograph of the client.
- The Application of the Reporting Entities shall have the feature that only live photograph of the client is captured and no printed or video-graphed photograph of the client is captured. The background behind the client while capturing live photograph should be of white colour and no other person shall come into the frame while capturing the live photograph of the client.
- Similarly, the live photograph of the original officially valid document or proof of possession of Aadhaar where offline verification cannot be carried out (placed horizontally), shall be captured vertically from above and water-marking in readable form as mentioned above shall be done. No skew or tilt in the mobile device shall be there while capturing the live photograph of the original documents.
- The live photograph of the client and his original documents shall be captured in proper light so that they are clearly readable and identifiable.
- Thereafter, all the entries in the CAF shall be filled as per the documents and information furnished by the client. In those documents where Quick Response (QR) code is available, such details can be auto-populated by scanning the QR code instead of manual filing of the details. For example, in case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where QR code is available, the details like name, gender, date of birth and address can be auto-populated by scanning the QR available on Aadhaar/e-Aadhaar.
- Once the above-mentioned process is completed, a One Time Password (OTP) message containing the text that ‘Please verify the details filled in form before sharing OTP’ shall be sent to client’s own mobile number. Upon successful validation of the OTP, it will be treated as client signature on CAF. However, if the client does not have his/her own mobile number, then mobile number of his/her family/relatives/known persons may be used for this purpose and be clearly mentioned in CAF. In any case, the mobile number of authorized officers registered with the Reporting Entity shall not be used for client signature. The Reporting Entity must check that the mobile number used in client signature shall not be the mobile number of the authorized officer.
- The authorized officer shall provide a declaration about the capturing of the live photograph of client and the original document. For this purpose, the authorized official shall be verified with One Time Password (OTP) which will be sent to his mobile number registered with the Reporting Entity. Upon successful OTP validation, it shall be treated as authorized officer’s signature on the declaration. The live photograph of the authorized official shall also be captured in this authorized officer’s declaration.
- Subsequent to all these activities, the Application shall give information about the completion of the process and submission of activation request to activation officer of the Reporting Entity, and also generate the transaction-id/reference-id number of the process. The authorized officer shall intimate the details regarding transaction-id/reference-id number to the client for future reference.
- The authorized officer of the Reporting Entity shall check and verify that:-
  - information available in the picture of the document is matching with the information entered by the authorized officers in CAF;
  - live photograph of the client matches with the photo available in the document; and
  - all of the necessary details in CAF including mandatory field are filled properly.
On Successful verification, the CAF shall be digitally signed by authorized representative of the Reporting Entity who will take a print of CAF, get signatures/thumb-impression of the customer at an appropriate place, then scan and upload the same in the system. An original hard copy may be returned to the customer.
- “Reporting Entity” means a banking company, financial institution, intermediary or a person carrying on a designated business or profession [Section 2(1)(wa)]
What does this mean?
The PMLA circular defines Digital KYC as follows:
“Digital KYC means the capturing live photo of the client and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity as per the provisions contained in the Act.”
From the above definition, and based on our interpretation of the Master Circular and PMLA summaries, we understand that any OVD along with a digital live photo of the person can be used to do a full KYC of the customer. Additionally, this also means that if you use Aadhaar offline XML to perform KYC, you are not required to do an in-person verification for your customers, apart from cases where offline verification (via Aadhaar XML) is not possible.
This means, if Aadhaar offline XML is used to perform KYC, then a reporting entity would be in compliance with the latest PMLA guidelines.