Update: April 25, 2020
- SEBI put out this clarification on April 24, 2020 on the Know Your Client (KYC) process. It is in line with what we have described in the post below.
- While we have explained authenticating Aadhaar through DigiLocker, the Ministry of Finance put out this notification on April 22 allowing Aadhaar authentication directly from UIDAI for Exchanges, Depositories, and RTAs. This means that a slightly faster non-DigiLocker route to authenticate Aadhaar should be possible in the next few weeks for all SEBI registered intermediaries, by partnering with any of the entities that have been approved to authenticate directly in the gazette notification.
The KYC (Know Your Customer) process is the most important part of customer onboarding for any SEBI registered intermediary – Stockbrokers, Investment advisors (RIAs), Portfolio Managers (PMS), Asset Management Companies (AMCs), and more. The intermediary is required to obtain KYC details of the customer like PAN, Proof of Identity (POI), Proof of Address (POA), Bank details, and also perform In-person verification (IPV). These need to be validated by the intermediary and uploaded to the KYC Registration Agency (KRA). The customer can then use the KYC details available with the KRA to start a relationship with any other intermediary avoiding duplication of effort.
For an intermediary, not following the required KYC process would mean violating PMLA (Prevention of Money Laundering Act) apart from also violating the requirement set by SEBI and exchanges. Since the KYC details once uploaded are used by other intermediaries as well, it is important for all intermediaries uploading information to follow the requisite steps during KYC. In cases of financial fraud, the intermediary who performed the KYC and uploaded information can have serious repercussions if the KYC process wasn’t followed as mandated by SEBI.
Traditionally, the KYC process was physical with an executive representing the firm meeting the customer and validating all the details being provided. As you’d imagine, it was not just a lot more expensive to onboard a client but also slowed down the growth of the industry significantly. Over the last 5 years, thanks to DigiLocker (for original digital IDs and documents), IMPS (for penny drop bank validation), and SEBI’s push towards digital onboarding, most client relationships today are started completely online without any executive having to meet customers in person. The digital process is not only faster but has a much better audit trail as compared to the physical alternative.
As CEO of Zerodha and Rainmatter, I constantly get queries on KYC not only from other brokerage firms but also from startups trying to build a business around capital markets. We now have the experience of running completely online onboarding for nearly 4 years, having gone through multiple inspection cycles, and many instances where our KYC processes were scrutinized closely. With this experience, I thought of sharing what I think are the best practices to follow during the KYC process when allowing a customer to onboard completely online.
The basic essence of KYC is to ensure that all the details provided by the customer are authenticated and verified against originals and that the details provided belong to a real person who is interested in opening an account. While this might seem weird for many, money laundering is a huge problem in this country and is usually done by impersonating someone else or creating Benami accounts. This is the reason KYC is an important part of PMLA. This post is in the context of how to have a completely online KYC process while making sure that no financial fraudsters can onboard on the platform.
Validating the authenticity
As explained earlier, these are the details required from a customer for the KYC process, each of which also needs to be validated.
- PAN details
- Proof of Identity (POI)
- Proof of Address (POA)
- Bank account information
- Person opening the account (In-person verification or IPV)
Before you read further, it is important to learn about DigiLocker, if you aren’t already aware.
DigiLocker is a flagship initiative of the Ministry of Electronics & IT (MeitY) under Digital India programme. DigiLocker aims at ‘Digital Empowerment’ of the citizen by providing access to authentic digital documents to a citizen’s digital document wallet. The issued documents in DigiLocker system are deemed to be at par with original physical documents as per Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries providing Digital Locker facilities) Rules, 2016 notified on February 8, 2017, vide G.S.R. 711(E).
It is trivial for a fraudster to create the image of a PAN card with anyone’s details. There are also physical, fake cards that are so good that it is tough to spot it even if the fake PAN card is held in person. It is hence important that the intermediary doesn’t rely on just a scanned copy of the PAN.
There are currently two ways to validate whether the PAN details being shared are genuine.
- NSDL PAN verification service: PAN number and date of birth can be entered and the service returns if the PAN is valid or not, and the name as per PAN.
- DigiLocker: a customer can create a DigiLocker account, map his PAN, and share the PAN through DigiLocker within the onboarding experience. Documents shared through DigiLocker come with a digital signature by the issuer and by law can be considered as good as the original for electronic use.
PS: Even if the customer is onboarding physically, it is important that the PAN be validated using the NSDL PAN verification service.
Validating POI & POA
POI is any document that carries the photo of the customer, name, and date of birth. The POA, in addition to the details required for the POI also requires the customer’s address. If the POA has all the required data, it can also be used as POI. Currently when onboarding customers online, there are only two documents which can act as POI and POA and can be validated.
- Aadhaar (masked copy)
- Driving License (DL)
Only these two qualify because the customer can currently share digitally signed copies of Aadhaar and DL through DigiLocker, which by law can be considered the original document. UIDAI also has an offline e-KYC process through which details on Aadhaar can be shared as POI & POA, but it is slightly more complicated to implement.
Through DigiLocker we also receive the photo of the person along with all the other details required for the proof to be considered as both POI and POA.
There are platforms that require customers to upload a copy of Aadhaar and validate the details using the QR code printed on the Aadhaar. The issue with this is that the QR code doesn’t return the photo of the person and hence, like PAN, can’t be used as proof of identity (POI). Asking clients to create a DigiLocker account (if they don’t already have one), map their documents, and then share them can be a reason for drop-offs. But currently, there is no other alternative.
Can PAN also be used as POI?
Neither the NSDL nor the DigiLocker service for PAN shares the photo of the person, which is required for any document being used as POI. A fraudster can quite easily forge a PAN card by putting his own photo on another person’s PAN card and use it as POI. As such, PAN shouldn’t be relied upon as POI. Of course, you could match the photo on the scanned copy of the PAN with the Aadhaar or DL from DigiLocker and then accept it as POI.
Validating the person opening the account (IPV or In-Person verification)
While documents from DigiLocker can be considered authentic, since it is an online, mobile-OTP-based process, it is not possible to know whether the person going through the process is actually the person described in the documents. Someone who has gained access to a person’s DigiLocker account and mobile phone can onboard pretending to be them.
Here, a video IPV can be performed to make sure that the person is alive and is indeed the person onboarding. This can be done in multiple ways. We at Zerodha send an OTP which has to be displayed by the customer during the IPV to make sure that it isn’t a pre-recorded video on the other side of the IPV. The face from the IPV is matched against the photo from the POI submitted.
Validating bank account details
Finally, it is important that the bank account that will be used to transfer and receive funds is also validated. Using IMPS, a fund transfer of a small amount (a penny drop) can be initiated. This transaction returns the holder’s name and the IFSC of the account number to which the money was transferred. This way, the bank account submitted can be validated to ensure that it belongs to the person opening the account.
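As an added illustration (not Zerodha’s code, and not the NSDL, DigiLocker or IMPS APIs, whose responses are assumed to have been fetched already), here is a Python sketch that ties the four checks above into one decision, including a lenient match between the name as per PAN and the holder name the penny drop returns. The source labels, field names and the name-matching rule are this example’s own assumptions.

```python
import re
import hmac
from dataclasses import dataclass

HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt"}  # dropped before name matching
# POI sources that are signed originals and carry a photo (DigiLocker Aadhaar/DL);
# an Aadhaar QR scan or a PAN scan return no photo, so they are rejected as POI.
POI_WITH_PHOTO = {"digilocker_aadhaar", "digilocker_dl"}

def _tokens(name: str) -> list[str]:
    return [t for t in re.sub(r"[^a-z ]", " ", name.lower()).split() if t not in HONORIFICS]

def names_match(pan_name: str, bank_name: str) -> bool:
    """Lenient match of name as per PAN vs penny-drop holder name (this example's rule):
    order ignored, an initial matches a token starting with it, shorter name may omit one."""
    a, b = _tokens(pan_name), _tokens(bank_name)
    if not a or not b:
        return False
    for short, long in ((a, b), (b, a)):
        unused = list(long)
        for tok in short:
            hit = next((u for u in unused
                        if u == tok or u[0] == tok[0] and 1 in (len(u), len(tok))), None)
            if hit is None:
                break
            unused.remove(hit)
        else:  # every token of the shorter name was accounted for
            return True
    return False

@dataclass
class KycEvidence:
    pan_valid: bool              # NSDL PAN verification result
    pan_name: str                # name as per PAN, returned by NSDL
    poi_source: str              # e.g. "digilocker_aadhaar", "aadhaar_qr", "pan_scan"
    ipv_otp_sent: str            # OTP the platform sent for the video IPV
    ipv_otp_shown: str           # OTP read off the customer's video
    ipv_face_matches_poi: bool   # face-match result against the POI photo
    bank_holder_name: str        # holder name returned by the IMPS penny drop

def kyc_failures(e: KycEvidence) -> list[str]:
    """Every check that fails; an empty list means the record can go to the KRA."""
    checks = [
        (e.pan_valid, "PAN not valid as per NSDL"),
        (e.poi_source in POI_WITH_PHOTO, "POI must be a signed Aadhaar or DL from DigiLocker"),
        (hmac.compare_digest(e.ipv_otp_sent, e.ipv_otp_shown), "IPV OTP mismatch (pre-recorded video?)"),
        (e.ipv_face_matches_poi, "IPV face does not match POI photo"),
        (names_match(e.pan_name, e.bank_holder_name), "Bank holder name does not match PAN name"),
    ]
    return [msg for ok, msg in checks if not ok]
```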
I am guessing the next question would be: if all funds move in and out of a bank account which is already KYC compliant, shouldn’t SEBI take it a little easy on KYC? The capital market industry has been pushing for this, which led to the creation of a central repository of KYC (CKYC), similar to the KRA but covering all intermediaries regulated by SEBI, RBI, and IRDAI. The initiative is still not accepted by all the regulators as a central KYC repository, and I am guessing we are still many years away from CKYC turning into a common KYC accepted by all intermediaries.
By the way, we might soon have depositories (NSDL, CDSL) offering KYC as a service, where all the KYC processes mentioned above will be offered as a service. This should hopefully solve the KYC pain-point that all financial services businesses face today.
If there are any follow up queries, do post in the comments below.