CKYCR becomes fully operational: The long-awaited format for legal entities’ information finally introduced
-Kanakprabha Jethani (kanak@vinodkothari.com)
Background
The Central KYC Registry (CKYCR) is a registry that serves as a central record for KYC information of all the customers of financial institutions. In India, the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) has been authorised to carry out the functions of CKYCR. It was operationalised in 2016 beginning with collecting information on ‘individual’ accounts. Until now, the CKYCR did not have a feature to collect KYC information of legal entities.
The CERSAI has, in consultation with the RBI, prepared a template for submission of KYC information of legal entities (the same is yet to be published by CERSAI). The RBI has, through a notification dated December 18, 2020[1] (‘Notification’) directed financial institutions to begin submitting KYC information of legal entities w.e.f April1, 2021 (‘Notified Date’). The Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) have been updated in line with the said notification.
In this note we have discussed the implications for NBFCs, having customer interface, specifically.
Actionables for financial entities
In compliance with the existing KYC provisions on CKYCR and the Notification, NBFCs shall be required to take the following steps:
For customer who are legal entities, other than individuals and FPIs
- Ensure uploading KYC data of legal entities whose loan account has been opened after the Notified Date; within 10 days of commencement of an account-based relationship with the customer. It is to be noted that the existing time limit for uploading the documents of individual accounts was 3 days.
- Ensure uploading KYC records of legal entities on CKYCR, whose accounts are opened before the Notified Date, while undertaking periodic updation[2] or otherwise on receipt of updated KYC information from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
- Communicate the KYC identifier generated after uploading of KYC information to the customer.
For individuals
- Ensure that the existing KYC records of individual customers pertaining to loan accounts opened prior to April 01, 2017, should be incrementally uploaded on CKYCR at the time of periodic updation or earlier when the updated KYC information is obtained/received from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
- Ensure uploading KYC data of individual loan account opened after the Notified Date; within 10 days of commencement of an account-based relationship with the customer.
- Communicate the KYC identifier generated after uploading of KYC information to the customer.
Clarification with respect to identity verification through CKYCR
There has been a confusion regarding validity of identity verification done by fetching KYC details from the CKYCR. While the provisions of the Prevention of Money Laundering Act, 2002 (PMLA) and rules thereunder as well as the operating guidelines clearly state that if the customer submits KYC identifier for identity and address verification, no other documents need to be obtained.
The KYC Directions have remained silent on the same for long. The Notification also clarified that-
“Where a customer, for the purpose of establishing an account based relationship, submits a KYC Identifier to a RE, with an explicit consent to download records from CKYCR, then such RE shall retrieve the KYC records online from CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, unless –
- there is a change in the information of the customer as existing in the records of CKYCR;
- the current address of the customer is required to be verified;
- the RE considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client.”
Hence, for the purpose of verification, what is necessary is the KYC Identifier and an explicit consent from the customer to download his/her KYC information from the CKYCR.
Conclusion
The template for uploading KYC information of legal entities on the CKYCR portal has been formulated and shall be live on CERSAI Platform shortly. Financial institutions shall be required to ensure uploading of KYC information of legal entities w.e.f. the Notified Date. Further, additional obligations have been placed on financial institutions in terms of uploading KYC documents for existing customers and intimation of KYC identifier to all customers. Clarification regarding the validity of KYC verification using data from CKYCR is a welcome move.
[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12008&Mode=0
[2] As per para 38 of the KYC Directions- Periodic updation shall be carried out at least once in every two years for high risk customers, once in every eight years for medium risk customers and once in every ten years for low risk customers as per the prescribed procedure.
Good write up !
Yes, Master Directions were silent on CKYCR identifier as an acceptable mode of identification and verification of clients.
Now, even a non individual client can give consent and ckycr number and no further documentation may be needed.
However, there is still silence on face to face meeting requirement with clients as video CIP was only for limited set of customers (individuals whose aadhaar online or offline verification is done).
In what form is the explicit consent acceptable? Would OTP on customer’s registered mobile number suffice? Is there a need for digitally or physically signed consent?