KYC exists to prevent fraud and not to make people miserable

More recently, as public and private banks accelerated their growth trajectory, this methodology of social reputation certification was no longer feasible. 

Additionally, with the advances in digital public infrastructure (mobile internet, Aadhaar, UPI, etc) and programs such as Jan Dhan Yojana, India undertook the massive exercise of getting a bank account for all eligible Indians.

Digitization was a boon to Indian citizens. Accessibility to banks became the norm instead of the exception. However, as they say, when you invent the ship, you also invent the shipwreck. 

With financial growth came financial crime. New forms of fraud emerged. Instances of social engineering, phone-jacking, OTP-stealing, fake customer support etc became everyday stories.

Also read: KYC Maze: Investors, distributors face updating hurdles with NDML & DotEx KRAs

In the Reserve Bank of India’s (RBI) KYC norms through the Master Directive in 2016 and subsequent updates, banks were mandated to ensure: that any new bank account applicant is who they say they are (proof of identity); they live where they say they live (proof of address); banks had to also conduct a physical verification for the documents (OSV, or Original Seen and Verified and CPV, or Contact Point Verification)

The reason for this type of verification is to ensure that no fraudster enters the system, specifically, the government was worried about terrorism and money laundering. Along the way, RBI introduced anti-money laundering checks to enhance security.

The new fraudsters found that they could use minimum KYC compliance norms using stolen IDs to open ‘burner’ accounts or mule accounts. These mule accounts were used to launder the proceeds of crime to several different accounts before withdrawing the cash from ATMs.

While KYC norms have been around for a long time and have protected the citizens of our country from fraud for many years, they are not without loopholes.

For example, a KYC initiated through CKYC or central KYC (recall the Amitabh Bachchan ad that said let’s make sure your KYC is easy and you don’t have to collect your documents) has significant limitations. 

The bank that submits the data takes no liability for the accuracy of the data and the bank that pulls the data might not conduct their own diligence. It often ends up being a garbage in/garbage out problem.

Perhaps people forget the reason why KYC exists. Let’s be categorical about it, KYC exists to eliminate fraud. It exists so that both fiduciaries as well as the citizens are protected. 

A wrong KYC could mean that someone’s identity is stolen and these accounts are used for malicious purposes. In this context, the regulator’s primary responsibility is not to make KYC easy but to ensure that it’s done correctly.

Having worked in the fraud detection space, I get worried when business and industry leaders make demands to reduce KYC norms without thinking about the repercussions. 

Recently, a group of fintechs had submitted a representation asking for a risk-based approach for KYC/KYB. The thought is that if the risk of the individual/entity to the fiduciary is low, then the KYC for this entity should be less onerous. As we have seen, such steps lead to a proliferation of mule accounts using stolen IDs.

Just to give a flavour of this issue, I recommend that you look at how many phone numbers are in your name, or check out your Cibil record to see how many enquiries or loans have been issued in your name without your permission.

The problem further gets aggravated because the KYC norms for the various regulators are not aligned. In the telecom world, prepaid accounts don’t have a physical KYC (the sim vendor himself authenticates the documents) and SIM card vendors themselves undergo vendor/distributor due diligence (KYB, or Know Your Business). The government is now looking at a unified KYC norm across all the regulated entities.

Essentially, it should ensure that KYC is not assumed because of the availability of the documents. There are four questions that need to be answered to ensure that fraudsters do not enter the system:

Does the entity (person or enterprise exist)—Do they have a POI and is it genuine (we must ensure that this document is not tampered with).

Are they the ones doing the transaction—Selfie versus POI match along with liveness detection, which ensures that the person is not pretending to be someone else.

Have they committed fraud in the past—We must ensure that fraudsters who have committed fraud in the past are not allowed in the system. You can do an FIR/court check and also the regulators should start building a fraudster database that can be checked at the point of onboarding.

POA and CPV check—We have to ensure that the person is living where they say they live and that it matches the proof of address.

This can only be done through technology and the current Video KYC norms cover most of the base. Additionally, ensure that we don’t make the mistake of believing that KYC is there to make people’s lives miserable. It is there to protect your identity from getting stolen and you or your loved ones from getting scammed.