Policy Brief: RBI permits video-based customer verification to address KYC challenges faced by the fintech industry
Blog: NASSCOM Official Blog
Context
On 9 January 2020, the Reserve Bank of India (RBI) issued a circular to all the entities regulated by it on amendment to Master Direction on know-your-customer (KYC). According to the circular, with a view to leveraging the digital channels for Customer Identification Process (CIP) by Regulated Entities (REs), the Reserve Bank has decided to permit Video based Customer Identification Process (V-CIP) as a consent based alternate method of establishing the customer’s identity, for customer on-boarding. It also highlights the possibility of use of e-KYC facility by fintech companies for verifying customers who voluntarily provide their Aadhaar number.
This comes as a major relief for the fintech industry, which was struggling to do KYC of the customers digitally. NASSCOM had made several representations to different government departments/ministries such as the Department of Revenue, Unique Identification Authority of India (UIDAI), NITI Aayog, Ministry of Electronics & Information Technology (MeitY) and RBI with regard to certain challenges that the PPI industry is facing, pertaining to KYC verification process. We had requested the regulators to consider video KYC as a method for doing digital KYC and to enable e-KYC for prepaid payments instruments (PPIs).
In February 2019, the Union Cabinet cleared an ordinance to allow use of Aadhaar by banks and telecom companies. This ordinance had no provision for non-banking entities. Following extensive advocacy to extend this provision to non-banking entities as well, Department of Revenue (DoR), the Ministry of Finance issued a circular which laid down the procedure for processing of applications under Section 11A of the Prevention of Money Laundering Act, 2002 (‘PMLA’) for use of Aadhaar authentication services by non-banking entities. This included, reporting entities having to file an application for use of Aadhaar authentication services with their respective regulator. The circular said that the application would have to undergo a three-tier approval process involving the regulator, UIDAI and the Central government.
The DoR also introduced digital KYC in August 2019 by amending the Prevention of Money-laundering (Maintenance of Records) Rules, 2005.The move was aimed at providing a digital solution to fintech companies who were forced to adopt age old, physical form of KYC in the absence of any alternate digital KYC. Despite this, the PPI industry has been still struggling to do KYC of the customers digitally.
The major highlights of the circular by RBI:
- e-KYC
According to circular issued by RBI, “provided that where the customer has submitted Aadhaar number under paragraph (c.I.i) above to a bank or to a RE notified under first proviso to sub-section (1) of section 11A of the PML Act, such bank or RE shall carry out authentication of the customer’s Aadhaar number using e-KYC authentication facility provided by the UIDAI.”
This means that not only banks but also fintech companies will be able to authenticate users using the e-KYC facility if the users provide Aadhaar number voluntarily.
NASSCOM’s Recommendation to RBI in November:
- As an immediate step, RBI should issue a circular on use of e-KYC authentication facility by entities regulated by it. This will enable RBI regulated entities to apply for e-KYC license with the UIDAI.
- As a long-term solution, the RBI should consider requesting the Department of Revenue should to modify the circular issued on 9 May 2019. Accordingly, the circular should upfront treat reporting entities which are regulated by different regulators such as RBI, SEBI, Pension Fund Regulatory and Development Authority (PFRDA) as eligible to apply for e-KYC. Thereafter, they should be allowed to apply to UIDAI directly for an Aadhaar authentication license. The existing step 2 i.e. Examination by the appropriate regulator in the circular, should be removed.
- Also, the RBI should consider requesting the Department of Revenue to prescribe an application template after consultation with the UIDAI, which can be used by fintech companies to apply for an Aadhaar authentication license directly. This will eliminate the need for separate procedure to be laid by different regulators for getting license to conduct e-KYC.
- Video-based KYC
RBI has amended its Master Direction on KYC to insert the definition of V-CIP in Section 3. The process of V-CIP has been specified in Section 18 in terms of which, REs may undertake live V-CIP, to be carried out by an official of the RE, for establishment of an account based relationship with an individual customer, after obtaining his informed consent and shall adhere to the following stipulations:
i. The official of the RE performing the V-CIP shall record video as well as capture photograph of the customer present for identification and obtain the identification information as below:
- Banks: can use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for identification. Further, services of Business Correspondents (BCs) may be used by banks for aiding the V-CIP.
- REs other than banks: can only carry out Offline Verification of Aadhaar for identification.
ii. RE shall capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority.
iii. Live location of the customer (Geotagging) shall be captured to ensure that customer is physically present in India
iv. The official of the RE shall ensure that photograph of the customer in the Aadhaar/PAN details matches with the customer undertaking the V-CIP and the identification details in Aadhaar/PAN shall match with the details provided by the customer.
v. The official of the RE shall ensure that the sequence and/or type of questions during video interactions are varied in order to establish that the interactions are real-time and not pre-recorded.
vi. In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be ensured that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP.
vii. All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of process.
viii. RE shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audiovisual interaction with the customer and the quality of the communication is adequate to allow identification of the customer beyond doubt. RE shall carry out the liveliness check in order to guard against spoofing and such other fraudulent manipulations.
ix. To ensure security, robustness and end to end encryption, the REs shall carry out software and security audit and validation of the V-CIP application before rolling it out.
x. The audio visual interaction shall be triggered from the domain of the RE itself, and not from third party service provider, if any. The V-CIP process shall be operated by officials specifically trained for this purpose. The activity log along with the credentials of the official performing the V-CIP shall be preserved.
xi. REs shall ensure that the video recording is stored in a safe and secure manner and bears the date and time stamp.
xii. REs are encouraged to take assistance of the latest available technology, including Artificial Intelligence (AI) and face matching technologies, to ensure the integrity of the process as well as the information furnished by the customer. However, the responsibility of customer identification shall rest with the RE.
xiii. RE shall ensure to redact or blackout the Aadhaar number in terms of Section 16.
xiv. BCs can facilitate the process only at the customer end and as already stated in para B(b) above, the official at the other end of V-CIP interaction should necessarily be a bank official. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.
NASSCOM’s Recommendation to RBI in November:
A remote face-to-face KYC process should be notified, and best practices from global frameworks be leveraged to ensure that the mechanism is made seamless and customer friendly. Reference can be drawn from European regulations on Digital Identity (SPID, eIDAS) and UK/EU KYC/AML provisions that allow capturing customer identity and consent in video sessions (‘Live-ID’), without the need for any physical verification whatsoever. This process is treated at par in terms of meeting technical security and legal compliance as face-to-face in person identification. A similar solution needs to be notified that given industry an alternate to e-KYC, to offer customers who do not want to use Aadhaar for authentication another digital method for doing KYC. NASSCOM would be happy to assist RBI, including the organization of industry consultations to evaluate new digital KYC means such as the video-based KYC.
- Digital KYC
The DoR introduced digital KYC by amending the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 on 19 August 2019. “digital KYC means the capturing live photo of the client and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity,” the notification said.
According to the RBI circular, “provided that where the customer has submitted proof of possession of Aadhaar number where offline verification cannot be carried out under clause (c.I.iii) above or any OVD under clause (c.I.iv), the RE shall carry out verification through digital KYC as specified under Annex I of the Master Direction.” We are waiting for the updated version of the Master Direction on KYC to understand the changes in the process of Digital KYC. We will update this blog accordingly.
NASSCOM’s Recommendation to RBI in November:
The RBI should consider requesting the DoR to revisit the steps enumerated under the ‘Digital KYC process’ and remove the unnecessary clauses to make the process more practical and suitable for large-scale implementation. The industry should be consulted before the government finalizes any changes.
If you have any suggestions/clarifications regarding this matter, please write to komal@nasscom.in
The post Policy Brief: RBI permits video-based customer verification to address KYC challenges faced by the fintech industry appeared first on NASSCOM Community |The Official Community of Indian IT Industry.
Leave a Comment
You must be logged in to post a comment.
