The Ultimate Guide to KYC
According to a report by Securitas, identity theft accounts for 35% of all financial frauds in India. Combined with the possibility of this money being used for terrorist funding, the problem doesn’t stop at losing money.
While banks and financial institutions try their best to secure their systems to avoid loss, money launderers and criminal entities look to exploit new loopholes almost every day. This is where KYC comes into the picture: it allows banks to confirm that the customer is who she says she is.
KYC is a mandatory requirement to verify customers by collecting reliable information and supporting documents. Individuals verify their identity by providing government registered documents like a passport, national ID card or any other “Officially Verified Document” (OVD) to screen their records. This process was made mandatory by RBI for financial organisations regulated by it. RBI’s KYC Mandate also includes the regulation to update KYC information at intervals of 2, 4, 8, 10 years based on the risk profile of the customer.
The core purpose of KYC is to prevent fraudulent transactions. It helps financial institutions and government departments to track money trails and, in some cases, money launderers who could use this money for illegal and potentially life threatening activities. Though KYC has been mandated by regulations, it also makes definite business sense in mitigating risks for the banking and finance sector.
Officially, KYC is defined as:
Know your client or simply KYC, is the process of a business verifying the identity of its clients and assessing their suitability, along with the potential risks of illegal intentions towards the business relationship.
Before we move into understanding KYC, it makes sense to look at how KYC evolved over time.
A brief History Of KYC in India
Money laundering had become a growing menace and posed a serious threat to the stability and integrity of the financial system. Following the Recommendations made by the Financial Action Task Force (FATF) on Anti Money Laundering (AML) standards, India passed the Prevention of Money Laundering Act (PMLA) in the year 2002. One of the major intentions was combating terrorist financing.
FATF is an inter-governmental body which came into existence in the year 1989. The main objective of FATF was to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. FATF issued its first recommendations in the year 1990, and they were revised in the years 1996, 2001, 2003 and recently in the year 2014.
India officially entered the AML/CFT international regime in the year 1998 by joining the Asia/Pacific Group on Money Laundering. Later, India also joined the UN International Convention in the year 2002 to suppress financing for terrorism. To bring about important legislation on money laundering activities, the Central Government of India in 2004 also set up FIU-IND (Financial Intelligence Unit – India) and made it the central national agency responsible for receiving and disseminating information related to suspicious financial transactions. India joined FATF in the year 2006 and became a fully fledged member of FATF.
The logical next step after the introduction of money laundering regulations and associated laws was the introduction of KYC, to keep a close watch on and track the illegal activities for which anonymous bank accounts were largely used.
The Prevention of Money Laundering Act (PMLA) was passed in 2002 and has been aligned with the Financial Action Task Force (FATF) recommendations of 2009. The banks were also strictly advised to follow certain customer identification procedures for opening accounts and to monitor transactions of any suspicious nature for the purpose of reporting them to the appropriate authority. The ‘Know Your Customer’ guidelines are revisited from time to time in the context of the Recommendations made by the Financial Action Task Force (FATF) on Anti Money Laundering (AML) standards and on Combating Financing of Terrorism.
The Reserve Bank of India introduced KYC guidelines for all banks in 2002. In 2004, RBI directed all banks to ensure that they are fully compliant with the KYC provisions before December 31, 2005.
The KYC Policy has been framed to develop a strong mechanism for achieving the following objectives:
- To prevent Bank from being used, intentionally or unintentionally, by criminal elements for Money Laundering or Terrorist Financing activities. KYC procedures also enable the Bank to know/understand their customers and their financial dealings better, which in turn helps it to manage the associated risks prudently.
- To enable the Bank to comply with all the legal and regulatory obligations in respect of KYC norms / AML standards / CFT measures / Bank’s Obligation under PMLA, 2002 and to cooperate with various government bodies dealing with related issues.
The Reserve Bank of India has recently revised the KYC norms for banks and other financial entities to make sure that no account is opened in an undesignated or fake name. The central bank has also mentioned that the regulated entities have to ensure that no account is opened where the entity is unable to apply appropriate customer due diligence measures, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer.
RBI has also told banks and NBFCs not to allow any transaction or account relationship without following the customer due diligence procedure, and has specified the mandatory information to be sought for KYC purposes while opening an account and during the periodic updation. Also, the circumstances in which a customer is permitted to act on behalf of another person are clearly spelled out. A suitable system is put in place to assure that the identity of the customer, it added.
Meanwhile, the RBI made linking of Aadhaar to bank accounts mandatory as part of the updated KYC guidelines, adding an additional level of security and reliability to KYC information. However, the Supreme Court verdict on Aadhaar left this to the consent of the customer, making Aadhaar voluntary for financial transactions.
Importance of KYC
KYC is a part of the CDD (Customer Due Diligence) and EDD (Enhanced Due Diligence) measures that most financial institutions and relevant service providers are required to incorporate in their internal risk management mechanism for regulatory compliance.
With the emergence of new methodologies that use machine learning and data analytics, KYC has become much easier to use and implement.
As to why it is required, the predominant reasons remain the prevention of fraud, money laundering and terrorist funding. The idea is that knowing who the banks deal with would allow the government and the banks themselves to keep track of potentially fraudulent transactions and might eventually lead to the prevention of fraud.
How to ace the KYC process?
KYC is accomplished by verifying various documents obtained from reliable sources. These documents may include one or more of the following:
- Legal name
- Valid date of birth
- Phone number
- Picture of passport or a valid government issued ID (front and back)
- Legible selfie with the above-mentioned identification document
- Physical address (a utility bill or similar document may be required as proof)
The goal is to identify and investigate suspicious activity. In addition to protecting the banks or institutions from inadvertently being used for criminal or terrorist activities, the KYC process also protects the clients as it helps avoid instances of identity theft and fraudulent activities on the accounts.
There are various ways of getting your KYC done:
1. Paper Based KYC
This is the traditional method and the most used one as of today. The customer has to share self attested copies of documents, including proof of address and proof of identity, with the service provider. There is also a requirement to do in-person verification (IPV) of the customers, i.e. to see the original documents of the customer in person to verify the validity of the details submitted.
2. Video Recording based manual KYC
This is one of the latest methods used by the MF industry to do KYC. Here, the customer initiates self on-boarding by submitting the POI and POA and by recording a video through an app or a web portal provided by the service provider, which is then manually viewed and verified by an agent. This takes care of the IPV mandated by SEBI and RBI while saving on the operational costs that come with paper based KYC.
3. ML driven Video ID based KYC
An advanced form of video based KYC in which Machine Learning takes care of authenticating the document and the identity of the customer by matching the recorded video against the documents submitted. This completely removes the need for manual intervention, though in some cases cross validation can be done manually for a fraction of all transactions, where a small team of agents re-validates the data or takes a second look at validations rejected by the algorithm.
This not only takes care of the IPV but also eliminates the time and cost required to manually validate a customer, speeding up customer on-boarding.
4. Central KYC
Central KYC is an initiative by the Government of India. The main motive of this is to have a structure in place which allows investors to complete their KYC only once before interacting with various entities across the financial sector. CKYC is managed by CERSAI (Central Registry of Securitization Asset Reconstruction and Security Interest of India), which is authorized by the Government of India to function as the Central KYC Registry (CKYCR). The objective of CKYCR is to reduce the burden of producing KYC documents and getting them verified every time the investor deals with a financial entity for the first time. Thus, CKYCR will act as a centralized repository of KYC records of investors in the financial sector, with uniform KYC norms and inter-usability of the KYC records across the sector.
This means a company that is required to KYC its customers can use the data provided by the customer (name/email ID or PAN card) to search and check for KYC details in this database, allowing it to avoid re-KYCing the customer, speeding up onboarding and saving on operational costs.
5. Electronic KYC
Electronic KYC services can only be used if you have an Aadhaar number. With the customer’s consent, the UIDAI is authorized to reveal their information, including their Name, Address and hashed Phone Number, through biometric or OTP based authentication. As of now this is only available to banks that are part of the DBT (direct benefit transfer) scheme.
6. Aadhaar Offline KYC
Aadhaar Offline KYC is a method to verify the identity of a person without the use of biometrics or connecting to the UIDAI database directly through an API.
There are 3 ways to do Offline verification:
- Offline Aadhaar XML
- QR code
Offline Aadhaar XML
Offline Aadhaar XML is the most secure of the 3 methods mentioned above and, when done in real time, usually the most accurate one. The data is shared in the form of a password protected XML packet which contains the demographic information of the customer, digitally signed and encrypted by UIDAI.
Generation of the XML file for Offline Verification:
- Visit www.uidai.gov.in
- Click on Aadhaar Services tab and select Aadhaar Paperless local e-KYC.
- A new page will open where you will have to enter your 12 digit Aadhaar number and an OTP will be sent to your registered mobile number.
- On the redirected page, enter your name and address as they are mentioned on your Aadhaar Card.
- Your name and address will appear on the shareable document. Enter the ‘Share Code’ as per the instructions on the website. Enter the Security code and submit. On successful submission, an XML file will be downloaded to your PC.
QR code based Verification
QR code is second only to Aadhaar XML in terms of the authenticity of the data in it. A provider would require a QR code reader to scan and make sense of the information provided in it. One setback of this method of KYC is that various versions of the Aadhaar card are currently in circulation, some of which either don’t have a QR code or lack some of the demographic information, like the photo or date of birth of the customer.
Verification using the QR code:
- Download the QR reader application.
- Click on ‘Scan from the QR reader’ in UIDAI website.
- Scan the QR code given in your Aadhaar card, your demographic details and photo will be displayed and verified.
To ensure that the latest details about the customer are available, banks have been advised to periodically update the customer identification data based upon the risk category of the customers. This is called re-KYC.
Banks will create a customer profile based on details about the customer like social/financial status, nature of business activity, information about his clients’ business and their location, the purpose and reason for opening the account, the expected origin of the funds to be used within the relationship and details of occupation/employment, sources of wealth or income, expected monthly remittance, expected monthly withdrawals etc. When the transactions in the account are observed not consistent with the profile, the bank may ask for any additional details/documents as required. This is just to confirm that the account is not being used for any fictitious activities.
Banks often request re-submission of KYC documents when an account has been inactive for a long period, when there are too many or too few changes in the deposits, or when the account is very old. That is, depending on the risk category of the customer, banks might ask to redo KYC formalities so that they can have their database updated with the latest details of the customers. It’s normally done at intervals of 4, 8, 10… years.
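The profile check described above (account activity compared against the declared expected monthly remittance and withdrawals, with long inactivity as a further trigger), as an added Python example that is not from the original article or any bank’s system. The tolerance multipliers, the 365-day inactivity window, the reading of "remittance" as credits and all names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed values for illustration; the article gives no thresholds.
TOLERANCE = {"low": 3.0, "medium": 2.0, "high": 1.5}  # allowed multiple of declared figure
INACTIVITY_DAYS = 365                                  # assumed "inactive for a long period"


@dataclass
class CustomerProfile:
    customer_id: str
    risk_category: str                   # "low", "medium" or "high"
    expected_monthly_remittance: float   # declared inflow per month (assumed: credits)
    expected_monthly_withdrawals: float  # declared outflow per month


def review_account(profile, transactions, today):
    """Return (reason, month, amount) findings that justify asking for documents.

    transactions: list of (date, amount); positive = credit, negative = debit.
    """
    credits, debits = defaultdict(float), defaultdict(float)
    for when, amount in transactions:
        month = (when.year, when.month)
        if amount >= 0:
            credits[month] += amount
        else:
            debits[month] += -amount

    # Higher-risk customers get a tighter band around their declared profile.
    factor = TOLERANCE[profile.risk_category]
    findings = []
    for month in sorted(set(credits) | set(debits)):
        if credits[month] > factor * profile.expected_monthly_remittance:
            findings.append(("remittance_above_profile", month, credits[month]))
        if debits[month] > factor * profile.expected_monthly_withdrawals:
            findings.append(("withdrawals_above_profile", month, debits[month]))

    # An account with no recent activity is also a re-KYC trigger.
    last_activity = max((when for when, _ in transactions), default=None)
    if last_activity is None or (today - last_activity).days > INACTIVITY_DAYS:
        findings.append(("account_inactive", None, 0.0))
    return findings


# Constructed sample data, not real customer records.
SAMPLE_PROFILE = CustomerProfile("CUST-0001", "medium", 50_000.0, 40_000.0)
SAMPLE_TRANSACTIONS = [
    (date(2024, 1, 5), 48_000.0),
    (date(2024, 1, 20), -35_000.0),
    (date(2024, 2, 3), 52_000.0),
    (date(2024, 2, 10), 90_000.0),   # pushes February credits to 142,000
    (date(2024, 2, 25), -38_000.0),
]

if __name__ == "__main__":
    for finding in review_account(SAMPLE_PROFILE, SAMPLE_TRANSACTIONS, date(2024, 3, 15)):
        print(finding)
```

The same February activity passes for a low-risk profile and is flagged for a medium-risk one, which is the practical effect of tying monitoring to the risk category.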
Over the years, various regulations and policies were made by the regulating authorities of various sectors, including RBI, SEBI, IRDA and UIDAI. In this section we try to summarize some of them that have a bearing on the BFSI sector.
Customer Acceptance Policy: Banks should develop a clear Customer Acceptance Policy laying down explicit criteria for acceptance of customers. The Customer Acceptance Policy must ensure that explicit guidelines are in place on the following aspects of customer relationship in the bank:
(i) Parameters of risk perception are clearly defined in terms of the nature of business activity, location of customer and his clients, mode of payments, volume of turnover, social and financial status etc. to enable categorisation of customers into low, medium and high risk (banks may choose any suitable nomenclature viz. level I, level II and level III); customers requiring very high level of monitoring, e.g. Politically Exposed Persons may, if considered necessary, be categorised even higher;
(ii) Documentation requirements and other information to be collected in respect of different categories of customers depending on perceived risk and keeping in mind the requirements of PML Act, 2002 and guidelines issued by Reserve Bank from time to time;
(iii) Not to open an account or close an existing account where the bank is unable to apply appropriate customer due diligence measures i.e., bank is unable to verify the identity and/or obtain documents required as per the risk categorisation due to non-co-operation of the customer or non-reliability of the data/information furnished to the bank. It may, however, be necessary to have suitable built in safeguards to avoid harassment of the customer. For example, the decision to close an account may be taken at a reasonably high level after giving due notice to the customer explaining the reasons for such a decision;
Customer Identification Procedures: The Customer should be identified not only while opening the account but also at the time when the bank has a doubt about his transactions.
So, all banks must develop criteria before accepting a person as their customer. This helps to restrict anonymous accounts and to ensure the documentation mentioned in KYC.
Here is how the banks will have to verify the identity as laid down in Customer Identification Procedures and also ensure that:
(a) No account is opened in anonymous or fictitious.
(b) No account is opened where the Bank is unable to apply appropriate Customer Due Diligence (CDD) measures, either due to non-cooperation of the customer or non-reliability of the documents furnished by the customer.
(c) No transaction or account based relationship is undertaken without following the CDD procedure.
(d) The mandatory information sought for KYC purpose while opening an account and during the periodic updation is specified.
(e) ‘Optional’ / additional information is obtained with the explicit consent of the customer after the account is opened.
(f) Bank will apply the CDD procedure at the UCIC level. Thus, if an existing KYC compliant customer of Bank desires to open another account with the same Bank, there shall be no need for a fresh CDD exercise.
(g) CDD Procedure is followed for all the joint account holders while opening a joint account.
(h) Circumstances in which a customer is permitted to act on behalf of another person, are clearly spelled out.
(i) No account is opened where the identity of the customer matches with any person or entity whose name appears in the sanctions lists circulated by the Reserve Bank of India.
The Bank should also ensure that the Customer Acceptance Policy shall not result in denial of banking / financial facility to members of the general public, especially those who are financially or socially disadvantaged.
Monitoring of Transactions: KYC is made more effective by monitoring transactions regularly. If any abnormal or unusual transaction is identified, the account is watched as part of a higher risk group, which is essential in monitoring transactions.
Risk management: This is about maintaining the internal work needed to reduce the risk of any unwanted activity: managing responsibilities and duties, various audits, and regular employee training on KYC procedures.
The RBI guidelines also specify that KYC should be implemented for existing account holders on the basis of materiality and risk segments.
The RBI had also directed all banks to make a policy for implementing ‘Know Your Customer’ and anti-money laundering measures and remain fully compliant with given guidelines before December 31, 2005.
But there have been instances of lapses in the implementation of KYC guidelines by several banks. Since January 2006, the RBI has slapped penalties on several leading banks who were ignorant and led many AML activities. Till date, we have not come across any case of money laundering, terrorist financing or transfer of funds for anti-national activities, but in case of any more lapses in the ‘Know Your Customer’ guidelines, the threat of the misuse of the banking channels for anti-national activities always lurks around the corner.
For Risk Management, Bank shall have a risk-based approach which includes the following.
(a) Customers shall be categorized as a low, medium and high-risk category, based on the assessment and risk perception of the Bank.
(b) Risk categorization shall be undertaken based on parameters such as customer’s identity, social/financial status, nature of the business activity, and information about the clients’ business and their location, etc. While considering customer’s identity, the ability to confirm identity documents through online or other services offered by issuing authorities may also be factored in.
Future of KYC
New data solutions to make KYC more efficient
The major problem faced during the KYC process was managing the huge volume of data. Disconnected KYC processes result in redundant data entry, mistakes, data quality issues, and onboarding delays. Robotic process automation for enhanced and efficient search, together with new API-based techniques, will help to eliminate the manual process bottleneck and data insecurity.
Artificial Intelligence for greater automation and to have more risk insights
Use of AI will help to filter the large volume of information down to a small amount according to relevance, eliminating content not relevant to financial crimes. By reducing false positives, banks can speed up the customer onboarding process and mitigate risk.
Automation and technology tools might be the future of KYC: they introduce flexibility and adaptability and help to reduce complexity. Hence, banks will gain a competitive advantage. Still, not every solution is the best fit for an organization’s unique needs. Financial institutions should look at providers with a proven track record who also have a pulse on the regulatory climate. Technology providers can be a strong partner in clearing the path to value. Know Your Customer regulations will continue to morph with surprising speed in recognition of that reality.