Blog Overview Chronicles New AML rules bring KYC to the digital age

New AML rules bring KYC to the digital age

New AML rules bring KYC to the digital age

Reading the new Prevention of Money Laundering Act (PMLA) of August 20, can feel a bit like reading tea leaves. While we wait for clarifications and further announcements let’s take a look at what the future holds for us based on what we know so far.

Finance minister Nirmala Sitharaman last week allowed the use of bank KYC by NBFCs. It wouldn’t be surprising if gradually more and more entities are allowed voluntary Aadhaar eKYC.

Reading the new Prevention of Money Laundering Act (PMLA) of  August 20, can feel a bit like reading tea leaves. Sitharaman’s address on August 23 was encouraging but essentially a set of bullet points summarising the world from a distance. While we wait for clarifications and further announcements let’s take a look at what the future holds for us based on what we know so far.

Looking back

KYC, as used in regulated industries, is born out of the PMLA. The government further specifies procedural details in a separate document called PML Rules. Regulators such as RBI, SEBI, and IRDA then interpret these further for entities that they regulate. Thus, although what Sitharaman says or PML Rules says will ultimately affect banks, brokers and other entities, nothing will change on the ground until the regulators change their respective ‘KYC Directions’.

KYC is rooted in the concept of identifying individuals and enterprises so that they may be served regulated products and then monitored. Historically the approach has been quite pluralistic, allowing Indians a range of government IDs (called officially valid documents or OVDs). However, along the way, someone realised that it was quite easy for an individual to create multiple ID cards in India and confuse law enforcement.  So, the government decided to mandate Aadhaar eKYC for all by changing the PML Rules. The Supreme Court then overturned this aspect of the PML Rules in its famous judgment on September 26, 2018 on grounds that one didn’t need to always have an Aadhaar number to prove one’s identity as identity can be established in other ways (referred to as the proportionality test). Supreme court also banned eKYC for all use cases but government subsidies.

Subsequently the government amended the Aadhaar Act to allow banks, telcos to perform ‘voluntary’ eKYC. It retained a provision to allow other sectors to avail voluntary eKYC after due scrutiny by the government and UIDAI. It also changed its stance and made PAN mandatory in PML Rules, ostensibly drawing a link between an individual’s tax ID and money laundering activity.

Apart from specifying OVDs to use to identify oneself, the PML Rules also specify some procedural rules to conduct KYC. Historically it leveraged the concept of ‘certifying OVDs’ where an authorised officer of the regulated entity would see the original and sign the photocopy. The industry started calling this process original seen and verified (OSV). This threw up some interesting challenges.

  • Firstly, it wasn’t always possible to determine the genuineness of a government ID based on the fact that the card looked original
  • Secondly, it relied on the probity of the officer – what if he/she was lying about seeing the original
  • Thirdly, there was a risk that the officer would misplace the photocopies and that someone would steal these and be able to defraud the individual through impersonation.

The new PML Rules with a twist

Logically there are only two ways to solve the first problem – (1) by providing access to government databases so that one may verify the details on the ID card, (2) by making ID cards that cannot be forged. Most ID cards have corresponding government databases that are accessible to private entities. These databases typically provide text data such as name, date of birth, father’s name and address that can be easily matched against the details on the card. However text details aren’t enough to ascertain if the card belongs to the holder. What if someone stole your ID card, the ID card in this case would still be genuine, but the person wouldn’t be. For this the database ought to return the face of the person or some other way to authenticate him/her such as through OTP or biometric authentication. This is why an earlier avatar of PML Rules had mandated eKYC.

The new version of PML Rules permits eKYC (for banks and other entities that have allowed it) but respects the Supreme Court’s observations and makes it voluntary. Then it does something interesting. It recognises that electronic IDs can be tamper proof and easy to determine as genuine. Here it relies on digital signatures, a concept where an authority (called the certificate authority) can testify to the authenticity of the signatory. Thus, as electronic ID card such as a signed Aadhaar PDF cannot be tampered and at the same time can be easily checked for authenticity by asking one of the certified authorities of India. The PML rules also allows electronic documents that are stored in the DigiLocker which is a government initiative that allows citizens to store pre-authenticated versions of their documents (including ID cards) in a central repository. The individual can now simply permit access to this pre-authenticated DigiLocker version of his/her ID card, whenever any entity requests for it.

The PML rules also makes a valiant attempt to solve the second and third problem linked to authorised officers who conduct the KYC process manually today. It introduces the concept of digital KYC and puts the good old certified OVD process on notice by saying that it cannot be used “beyond such date as may be notified for a class of reporting entity”.  It hopes that digital KYC will eventually replace what happens today when relationship managers visit you at your home when you need a loan or credit card, or what happens when you go to stores like Croma to buy a new AC and want a loan for it, or what happens when you go to your nearest branch to open a new bank account. No longer will photocopies suffice; these use cases will all require the authorised officer to use secure and ‘authenticated’ applications to take live photographs of people and their OVDs and timestamp and geotag them. It also requires that every KYC include explicit consent from the applicant (collected through OTP) and to record the identity of the authorised officer (also collected through OTP). By using secure apps, live photographs and consent, PML Rules hope to address problems associated with business correspondent fraud and the risk of misplacing of photocopies.

There are however, some niggling issues linked to implementation. PML Rules prescribes a very rigid process modeled around the telecom process used to activate SIM cards. In fact it uses terms such as CAF(Customer Acquisition Form) and activation officer that are not really relevant to entities regulated by RBI and SEBI. It also prescribes a process of printing a form, signing it and then re-uploading it to the authenticated app, thus making the digital KYC process not so digital. One hopes that RBI, SEBI and other regulators will study the process to glean out relevant principles instead of exactly replicating the telecom process that has been documented in the draft.

What the future holds

As I gaze at the crystal ball, I see four broad themes – wider adoption of eKYC, more electronic documents, video KYC and controlled access to government databases.

In her address on August 23, Sitharaman lists two interesting points related to KYC. The first is “use of Aadhaar based KYC for domestic retail investors”. The second is “use of bank KYC by NBFCs”. While Aadhaar based KYC isn’t defined, one can speculate that this refers to eKYC which is currently restricted to only banks and telcos. This would then tie in nicely with the department of revenue circular from 9th of May that describes a process for other entities to apply for access to Aadhaar eKYC. Such an eKYC would have to be voluntary in nature. It wouldn’t be surprising if gradually more and more entities are allowed voluntary Aadhaar eKYC.

The second bullet point is a bit more tricky to interpret. Sitharaman says that NBFCs will be “permitted to use the Aadhaar authenticated bank KYC to avoid repeated processes”. Presumably she isn’t referring to just extending eKYC access to NBFCs, as that would mean NBFCs would have to repeat the KYC. She could be referring to cKYC, which is a centralised KYC database that all regulated entities are required to submit their KYC documents to. RBI has also recognised cKYC as a way to fetch documents from KYC. However, cKYC doesn’t today discriminate between Aadhaar and non- Aadhaar bank accounts. One can also speculate that Sitharaman is referring to an entirely new process, where lenders will be able to deposit the loan amount to an Aadhaar authenticated account of the applicant. Such a process would require that the NBFC be able to ascertain that the bank account is indeed that of the loan applicant, so it can be challenging to implement. Indeed, it may be simpler to just permit voluntary eKYC to NBFCs.

The PML Rules have been quite pragmatic in recognising electronic documents and DigiLocker as valid alternatives to ‘certified OVD’. The challenge remains growing adoption among the user communities. Yet, just as people are getting used to receiving bank statements as PDFs in their email inbox, it is hoped that they would find it just as natural to receive and store signed electronic ID cards in the inbox. Although the PML Rules calls it out separately, I am inclined to look at Offline Aadhaar as a type of electronic ID document as it has all the properties of an electronic ID and is also a signed document. It is possible for individuals today to download their Aadhaar XML files and Aadhaar PDFs from the UIDAI site by simply authenticating themselves using their OTP. It would be entirely plausible to replicate this architecture and create a whole class of new electronic ID equivalents for PAN, Voter ID, DL and others. Growing adoption on DigiLocker may prove a bit more tricky, as the process isn’t as simple as uploading a file from one’s laptop or mobile phone – it requires that one download, install and register oneself on the DigiLocker application.

An interesting corollary of electronic documents and eKYC is that it is no longer needed to certify electronic documents by authorised officers. This legacy process means that authorised officers have to be physically present with the applicant and see his/her OVD. Since electronic documents can be verified remotely, one can potentially do the KYC also remotely. In a vast country such as India where financial inclusion is such a massive problem, performing KYC remotely would reduce the cost to serve for financial service providers and thereby drive adoption. SEBI already permits a form of KYC, called Video KYC that allows remote KYC of applicants. It is expected that, with the introduction of electronic documents and reintroduction of eKYC, RBI would now feel reassured about performing OSV remotely and announce a form of Video KYC that consumes these new document types.

My final prediction is that there would now be concerted action by the government to provide controlled access to government databases other than Aadhaar. Even though electronic documents are a great step forward, a lot of Indians would still find it hard to understand and use them. A simpler solution would be to provide controlled and systematic access to government databases. The databases should also return face images that were used at the point of registration, as these images are an important link between details of the ID card and the person who is presenting it.

The article originally appeared in ET Prime on August 27, 2019

Share Now