An all-embracing guide to identity verification through CKYCR

/0 Comments/in , , , , /by

-Kanakprabha Jethani | Executive

(kanak@vinodkothari.com)

Updated as on January 19, 2022

Introduction

Central KYC Registry (CKYCR) is the central repository of KYC information of customers. This registry is a one stop collection of the information of customers whose KYC verification is done once. The Master Direction – Know Your Customer (KYC) Direction, 2016 (KYC Directions)[1] defines CKYCR as “an entity defined under Rule 2(1) of the Rules, to receive, store, safeguard and retrieve the KYC records in digital form of a customer.”

The KYC information of customers obtained by Reporting Entities (REs) (including banks) is uploaded on the registry. The information uploaded by an RE is used by another RE to verify the identity of such customer. Uncertainty as to validity of such verification prevails in the market. The following write-up intends to provide a basic understanding of CKYCR and gathers bits and pieces around identity verification through CKYCR.

Identity verification through CKYCR is done using the KYC identifier of the customer. To carry out such verification, an entity first needs to be registered with the CKYCR. Let us first understand the process of registration with the CKYCR.

Registration on CKYCR

The application for registration shall be made on CKYCR portal. Presently, Central Registry of Securitisation Asset Reconstruction and Security Interest (CERSAI) has been authorized by the Government of India to carry out the functions of CKYCR. Following are the steps to register on CERSAI:

  1. A board resolution should be passed for appointment of the authorised representative. The registering entity shall be required to identify nodal officer, admin and user.
  2. Thereafter, under the new entity registration tab in the live environment of CKYCR, details of the entity, nodal officers, admin and users shall be entered.
  3. Upon submission of the details, the system will generate a temporary reference number and mail will be sent to nodal officer informing the same along with test-bed registration link.
  4. Once registered on the live environment, the entity will have to register itself on the testbed and test the application. It shall have to test all the functionalities as per the checklist provided at https://www.ckycindia.in/ckyc/downloads.html. On completion of the testing, the duly signed checklist at helpdesk@ckycindia.in shall be e-mailed to the CERSAI.
  5. The duly signed registration form along with the supporting documents shall be sent to CERSAI at – 2nd Floor, Rear Block, Jeevan Vihar Building, 3, Parliament Street, New Delhi -110001.
  6. CERSAI will verify the entered details with physical form received. Correct details would mean the CERSAI will authorize and approve the registration application. In case of discrepancies, CERSAI will put the request on hold and the system will send email to the institution nodal officer (email ID provided in Fl registration form). To update the case hyperlink would be provided in the email.
  7. After completion of the testing and verification of documents by CERSAI, the admin and co-admin/user login and password details would be communicated by it.

Obligations in relation to CKYCR

The establishment of CKYCR came with added obligations on banks and REs.  The KYC Directions require banks and REs to upload KYC information of their customers on the CKYCR portal. As per the KYC Directions – “REs shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, as required by the revised KYC templates prepared for ‘individuals’ and ‘Legal Entities’ as the case may be. Government of India has authorised the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), to act as, and to perform the functions of the CKYCR vide Gazette Notification No. S.O. 3183(E) dated November 26, 2015.

…Accordingly, REs shall take the following steps:

  • Scheduled Commercial Banks (SCBs) shall invariably upload the KYC data pertaining to all new individual accounts opened on or after January 1, 2017 with CERSAI in terms of the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
  • REs other than SCBs shall upload the KYC data pertaining to all new individual accounts opened on or after from April 1, 2017 with CERSAI in terms of the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.”

Further, para III and IV of the Operating Guidelines of CKYCR require reporting entities (including banks) to fulfill certain obligations. Accordingly, the reporting entities shall:

  • Register themselves with CKYCR
  • Carry out due diligence and verification KYC information of customer submitting the same.
  • Upload KYC information of customers, in the KYC template provided on CKYCR portal along with scanned copy of Proof of Address (PoA) and Proof of Identity (PoI) after successful verification.
  • Communicate KYC identifier obtained from CKYCR portal to respective customer.
  • Download KYC information of customers from CKYCR, in case KYC identifier is submitted by the customer.
  • Refrain from using information downloaded from CKYCR for purposes other than identity verification.
  • In case of any change in the information, update the same on the CKYCR portal.

In and around verification

Registered entities may download the information from CKYCR portal and use the same for verification. Information can be retrieved using the KYC identifier of the customer. Before we delve into the process of verification and its validity, let us first understand what a KYC identifier is and how would a customer obtain it.

KYC identifier

A KYC Identifier is a 14 digit unique number generated when KYC verification of a customer is done for the first time and the information is uploaded on CKYCR portal. The RE uploading such KYC information on the CKYCR portal shall communicate such KYC Identifier to the customer after uploading his/her KYC information.

Obtaining KYC identifier

When a customer intends to enter into an account-based relationship with a financial institution for the very first time, such financial institution shall obtain KYC information including the Proof of Identity (PoI) and Proof of Address (PoA) of such customer and carry out verification process as provided in the KYC Master Directions. Upon completion of verification process, the financial institution will upload the KYC information required as per the common KYC template provided on the CKYCR portal, along with scanned PoI and PoA, signature and photograph of such customer within 3 days of completing the verification. Different templates are to be made available for individuals, and on the CKYCR portal. Presently, only template for individuals[2] has been made available.

Upon successful uploading of KYC information of the customer on the CKYCR portal, a unique 14 digit number, which is the KYC identifier of the customer, is generated by the portal and communicated to the financial institution uploading the customer information. The financial institution is required to communicate the KYC identifier to respective customer so that the same maybe used by the customer for KYC verification with some other financial institution.

Verification through CKYCR

When a customer submits KYC identifier, the RE, registered with CKYCR portal, enters the same on the CKYCR portal. The KYC documents and other information of the customer available on the CKYCR portal are downloaded. The RE matches the photograph and other details of customer as mentioned in the application form by the customer with that of the CKYCR portal. If both sets of information match, the verification is said to be successful.

Identity Verification through CKYCR- is it valid?

The process of CKYCR is not a complete process in itself and is merely a means to obtain documents from the central registry. In the very essence, the registry acts as a storehouse of the documents to facilitate the verification process without having the customer to produce the KYC documents every time he interacts with a regulated entity. Para 56(j) provides that Regulated entities are not required to ask the customer to submit KYC documents, if he/she has submitted KYC Identifier, unless:

(i) there is a change in the information of the customer as existing in the records of CKYCR;
(ii) the current address of the customer is required to be verified;
(iii) the RE considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client.

The above specification is for obtaining the documents from the customer and not for verification of the same. Verification can be done only through physical, digital or V-CIP modes of CDD.

Furthermore, V-CIP as a manner of CDD was introduced through an amendment to KYC Directions introduced on 9th January, 2019[5]. Para 18(b) of the KYC Directions prescribes that documents for V-CIP procedure may be obtained from the CKYCR portal. Logically, if the CKYCR procedure was to be complete in itself, the same would not have been indicated in conjunction with the V-CIP mode of due diligence.

Benefits from CKYCR

While imposing various obligations on REs, the CKYCR portal also benefits REs by providing them with an easy way out for KYC verification of their customers. By carrying out verification through KYC Identifier, the requirement of physical interface with the borrower (as required under KYC Master Directions)[4] may be done away with. This might serve as a measure of huge cost savings for lenders, especially in the digital lending era.

Further, CKYCR portals also have de-duplication facility under which KYC information uploaded will go through de-duplication process on the basis of the demographics (i.e. customer name, maiden name, gender, date of birth, mother’s name, father/spouse name, addresses, mobile number, email id etc.) and identity details submitted. The de-dupe process uses normaliser algorithm and custom Indian language phonetics.

  • Where an exact match exists for the KYC data uploaded, the RE will be provided with the KYC identifier for downloading the KYC record.
  • Where a probable match exists for the KYC data uploaded, the record will be flagged for reconciliation by the RE.

Conclusion

Identity verification using the KYC identifier is a cost-effective way of verification and also results into huge cost saving. This method does away with the requirement of physical interface with the customer. Logic being- when the customer would have made the application for entering into account-based relationship, the entity would have obtained the KYC documents and carried out a valid verification process as per the provisions of KYC Master Directions. So, the information based on valid verification is bound to be reliable.

However, despite these benefits, only a handful of entities are principally using this method of verification presently. Lenders, especially FinTech based, should use this method to achieve pace in their flow of transactions.

[1] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

[2] https://rbidocs.rbi.org.in/rdocs/content/pdfs/KYCIND261115_A1.pdf

[3] https://testbed.ckycindia.in/ckyc/assets/doc/Operating-Guidelines-version-1.1.pdf

[4] Our detailed write-up on the same can also be referred-  http://vinodkothari.com/wp-content/uploads/2020/01/KYC-goes-live-1.pdf

[5] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11783&Mode=0

Our FAQs on CKYCR may also be referred here- http://vinodkothari.com/2016/09/ckyc-registry-uploading-of-kyc-data/

Our other write-ups on KYC:

Revised Guidelines on KYC & Anti-Money Laundering Measures for HFCs

RBI amends the KYC Master Directions

Analysis of amendments to KYC Master Directions, 2016

Introduction of Digital KYC

KYC goes live!

/0 Comments/in , , , , /by

Loader Loading...
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [796.86 KB]

[

Introduction of Digital KYC

/0 Comments/in , , , , /by

Anita Baid (anita@vinodkothari.com)

The guidelines relating to KYC has been in headlines for quite some time now. Pursuant to the several amendments in the regulations, the KYC process of using Aadhaar through offline modes was resumed for fintech companies. The amendments in the KYC Master Directions[1] allowed verification of customers by offline modes and permitted NBFCs to take Aadhaar for verifying the identity of customers if provided voluntarily by them, after complying with the conditions of privacy to ensure that the interests of the customers are safeguarded.

Several amendments were made in the Prevention of Money laundering (Maintenance of Records) Rules, 2005, vide the notification of Prevention of Money laundering (Maintenance of Records) Amendment Rules, 20191 issued on February 13, 2019[2] (‘February Notification’) so as to allow use of Aadhaar as a proof of identity, however, in a manner that protected the private and confidential information of the borrowers.

The February Notification recognised proof of possession of Aadhaar number as an ‘officially valid document’. Further, it stated that whoever submits “proof of possession of Aadhaar number” as an officially valid document, has to do it in such a form as are issued by the Authority. However, the concern for most of the fintech companies lending through online mode was that the regulations did not specify acceptance of KYC documents electronically. This has been addressed by the recent notification on Prevention of Money-laundering (Maintenance of Records) Third Amendment Rules, 2019 issued on August 19, 2019[3] (“August Notification”).

Digital KYC Process

The August Notification has defined the term digital KYC as follows:

“digitial KYC” means the capturing live photo of the client and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity as per the provisions contained in the Act;

Accordingly, fintech companies will be able to carry out the KYC of its customers via digital mode.

The detailed procedure for undertaking the digital KYC has also been laid down. The Digital KYC Process is a facility that will allow the reporting entities to undertake the KYC of customers via an authenticated application, specifically developed for this purpose (‘Application’). The access of the Application shall be controlled by the reporting entities and it should be ensured that the same is used only by authorized persons. To carry out the KYC, either the customer, along with its original OVD, will have to visit the location of the authorized official or vice-versa. Further, live photograph of the client will be taken by the authorized officer and the same photograph will be embedded in the Customer Application Form (CAF).

Further, the system Application shall have to enable the following features:

  1. It shall be able to put a water-mark in readable form having CAF number, GPS coordinates, authorized official’s name, unique employee Code (assigned by Reporting Entities) and Date (DD:MM:YYYY) and time stamp (HH:MM:SS) on the captured live photograph of the client;
  2. It shall have the feature that only live photograph of the client is captured and no printed or video-graphed photograph of the client is captured.

The live photograph of the original OVD or proof of possession of Aadhaar where offline verification cannot be carried out (placed horizontally), shall also be captured vertically from above and water-marking in readable form as mentioned above shall be done.

Further, in those documents where Quick Response (QR) code is available, such details can be auto-populated by scanning the QR code instead of manual filing the details. For example, in case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where QR code is available, the details like name, gender, date of birth and address can be auto-populated by scanning the QR available on Aadhaar/e-Aadhaar.

Upon completion of the process, a One Time Password (OTP) message containing the text that ‘Please verify the details filled in form before sharing OTP’ shall be sent to client’s own mobile number. Upon successful validation of the OTP, it will be treated as client signature on CAF.

For the Digital KYC Process, it will be the responsibility of the authorized officer to check and verify that:-

  1. information available in the picture of document is matching with the information entered by authorized officer in CAF;
  2. live photograph of the client matches with the photo available in the document; and
  3. all of the necessary details in CAF including mandatory field are filled properly.

Electronic Documents

The most interesting amendment in the August Notification is the concept of “equivalent e-document”. This means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the client as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016 shall be recognized as a KYC document. Provided that the digital signature will have to be verified by the reporting entity as per the provisions of the Information Technology Act, 2000.

The aforesaid amendment will facilitate a hassle free and convenient option for the customers to submit their KYC documents. The customer will be able to submit its KYC documents in electronic form stored in his/her digital locker account.

Further, pursuant to this amendment, at several places where Permanent Account Number (PAN) was required to be submitted mandatorily has now been replaced with the option to either submit PAN or equivalent e-document.

Submission of Aadhaar

With the substitution in rule 9, an individual will now have the following three option for submission of Aadhaar details:

  • the Aadhaar number where,
    1. he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 or
    2. he decides to submit his Aadhaar number voluntarily
  • the proof of possession of Aadhaar number where offline verification can be carried out; or
  • the proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document thereof containing the details of his identity and address;

Further, along with any of the aforesaid options the following shall also be submitted:

  1. the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and
  2. such other documents including in respect of the nature of business and financial status of the client, or the equivalent e-documents thereof as may be required by the reporting entity

The KYC Master Directions were amended on the basis in the February Notification. As per the amendments proposed at that time, banking companies were allowed to verify the identity of the customers by authentication under the Aadhaar Act or by offline verification or by use of passport or any other officially valid documents. Further distinguishing the access, it permitted only banks to authenticate identities using Aadhaar. Other reporting entities, like NBFCs, were permitted to use the offline tools for verifying the identity of customers provided they comply with the prescribed standards of privacy and security.

The August Notification has now specified the following options:

  1. For a banking company, where the client submits his Aadhaar number, authentication of the client’s Aadhaar number shall be carried out using e-KYC authentication facility provided by the Unique Identification Authority of India;
  2. For all reporting entities,
    1. where proof of possession of Aadhaar is submitted and where offline verification can be carried out, the reporting entity shall carry out offline verification;
    2. where an equivalent e-document of any officially valid document is submitted, the reporting entity shall verify the digital signature as per the provisions of the IT Act and take a live photo
    3. any officially valid document or proof of possession of Aadhaar number is submitted and where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC, as per the prescribed Digital KYC Process

It is also expected that the RBI shall notify for a class of reporting entity a period, beyond which instead of carrying out digital KYC, the reporting entity pertaining to such class may obtain a certified copy of the proof of possession of Aadhaar number or the officially valid document and a recent photograph where an equivalent e-document is not submitted.

The August Notification has also laid emphasis on the fact that certified copy of the KYC documents have to be obtained. This means the reporting entity shall have to compare the copy of the proof of possession of Aadhaar number where offline verification cannot be carried out or officially valid document so produced by the client with the original and record the same on the copy by the authorised officer of the reporting entity. Henceforth, this verification can also be carried out by way of Digital KYC Process.

[1] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566#F4

[2] http://egazette.nic.in/WriteReadData/2019/197650.pdf

[3] http://egazette.nic.in/WriteReadData/2019/210818.pdf

Revised Guidelines on KYC & Anti-Money Laundering Measures for HFCs

/0 Comments/in , , , /by
Read more

Checkpoints for filing e-form DIR 3 KYC

/0 Comments/in , /by

By Simran Jalan (corplaw@vinodkothari.com)

Introduction:

Pursuant to the Rule 12A and 11(2) and (3) of the Companies (Appointment and Qualification of Directors) Rules, 2014, every individual who are holding DIN/DPIN shall submit an e-form DIR 3 KYC to the Central Government on or before 31st August, 2018 for the purpose of updating the personal identification details of the director concerned.

Accordingly, the MCA is conducting KYC for all DIN/DPIN holders. The same has to be updated on or before 31st August, 2018 and thereafter annually.

Listed below are some of the important points to be considered before filing DIR 3 KYC.

For filing the form:

  • Nationality and citizenship are two different things. A person can choose “India” as its nationality but if he is holding two citizenships then he may/may not check yes in the field ‘Citizen of India’.
  • ‘Send OTP’ button will get enabled once the form is pre-scrutinized i.e., after affixing DSC.
  • The OTP is valid for 15 mins
  • In permanent address field, if the applicant is the resident of India then he has to write his Indian address but if he is resident outside India then he will have to write his foreign address.
  • Personal Mobile number and personal id may include the id of the company but it should be used only by the applicant.
  • DSC must be associated with the same PAN, as mentioned in the form for citizens of India and for foreign citizens the name on the DSC and the applicant’s name should match.
  • Signatories under DIR 3 KYC: Applicant (DIN/DPIN holder) and Professional.
  • For non-resident directors, their foreign address and foreign numbers shall be inserted in the ‘permanent address field’.
  • The DIN/DPIN holder is responsible for filing the form. He will have to fill in the OTP, not the professionals.
  • In case of foreign nations, their documents are required to be attested by the authority prescribed i.e., apostilled/notarized documents.

Attachments:

  • Aadhaar is mandatory for a citizen of India.
  • Copy of PAN is not compulsory to provide.
  • Proof of Address will be as per Rule 16 of the Companies (Incorporation) Rules, 2014 which states:

(n) Residential proof such as Bank Statement, Electricity Bill, Telephone / Mobile Bill: 

Provided that Bank statement Electricity bill, Telephone or Mobile bill shall not be more than two months old; “

  Thus, an applicant is not required to attach his Aadhaar card twice.

  • Attachment of Aadhaar and passport is mandatory if selected yes in the required fields.
  • If you have a Driving License/Voter ID card then it is recommended to provide the same in the Form.
  • The name in the DIN and PAN must be the same.

Other Information:

  • Disqualified directors are also required to file DIR 3 KYC but filing of the same will not remove their disqualification.
  • If DIR 3 KYC is filed within due date, then no fee is applicable. If it is filed after due date then fine of Rs. 5000 is applicable.
  • Penalty/Fine for not filing is on individual directors.
  • A person cannot file DIR 3 KYC more than once.
  • For every subsequent F.Y. 30th April is the due date for updating their DIR 3 KYC.
  • If there is any discrepancy in any of the information, then first DIR 6 is required to be filed for updating the information and then the Form DIR 3 KYC should be filed.

Consequence of not filing DIR 3 KYC:

If any DIN/DPIN holder fails to file DIR 3 KYC within the stipulated time i.e. 31st August, 2018, then the DIN of such director or DPIN of such designated partner will be de-activated. The re-activation of such de-activated DIN/DPIN can be done only after filing DIR 3 KYC along with a fee of Rs. 5000.  So, all the DIN/DPIN holders should take steps to file this e-form at the earliest.

New KYC norms for directors make a cell-phone, email & DSC mandatory for directors

/0 Comments/in , , , /by

Vinod Kothari

corplaw@vinodkothari.com

 

If you ever thought your life will be much better and tranquil without a cellphone on you, and without an email to stay connected, well, you may be right, but you cannot function as a director in companies. This is the fallout of the new DIR-3-KYC norms brought by the MCA[1]. The Rules require every director to file the KYC form by 31st August, 2018, post which the Directors’ Identification number (DIN) granted to the director shall be “de activated”. The Rules also lay that such de-activated DIN shall be re-activated only after the person has filed the KYC form.

One of the mandatory requisites of the new KYC form is that the director shall provide his cellphone number, his email id and file the eForm with his/her own digital signature (DSC). If you thought you may provide the cellphone number and email id of your children, or your assistants, you are mistaken, because the form goes on to say that the cellphone number and the email id shall be of the director himself.

Section 153 of the Companies Act makes it mandatory for any prospective director to apply for DIN. While there is nothing in the statute to say that on de-activation of the DIN, the director will lose his office as such, technically called vacation of office, it will not be surprised, if the Government, in its recent impetus to weed out shell companies and dummy directors, barges ahead and challenge the very directorship of such directors whose DINs stood deactivated.

Result – you cannot be a director, unless you have a cellphone number and email id. Legal experts may argue that being director in companies is basic freedom to carry business, as the right to carry business includes the right to carry it in corporate form as well, and there is nothing in the law of the land to make a cellphone or an email an existential necessity. Therefore, if there is a law that forces a corporate professional to have a personal cellphone number/ email- id, the law needs to be questioned.

Not having a personal cellphone is neither an evidence of laity nor anachronism. Several people use a limited insulation from communications technology as a way of life. There is no basis to contend that such persons are not fit to be corporate directors.

It may be argued that the qualifications of a director and the circumstances in which a director automatically vacates his office are all well defined in the law. De-activation of the DIN is not one of such circumstances. It may also be argued that there is an assurance in the MCA DIN rules that the DIN once granted has lifetime validity, and the question of its de-activation does not arise at all.

In order to file this eForm, all directors (Indian and foreign national) will have to obtain/ have their own email id, mobile number, specify the OTP in the eForm and sign with their own DSC. The consequence of false declaration is that the Director shall be liable under section 448 of the Act and under relevant provisions of the Indian Penal Code, 1860 and any other law as applicable, if any statement in the application is found to be false or any material fact is found to be have been omitted.

The MCA rules come in the wake of the Government’s resolve to weed out shell companies and dummy directors. It is apprehended that the 10-lakh odd companies have lots of directors who are men of straw, even though the requirement for DIN was introduced sometime in 2006.

[1] Insertion of new rule 12A in Companies (Appointment and Qualification of Directors) Rules, 2014 vide MCA notification dated 5th July, 2018