Banks and financial service providers have a responsibility to identify their customers and understand the risks they pose before providing services. When prospective customers lack formal identification, or when their identification is difficult to authenticate, providers cannot easily verify their identities or perform Customer Due Diligence (CDD) on them. This challenge imposes two constraints during the customer onboarding phase: expensive customer identification/due diligence procedures, and lengthy or inconvenient onboarding procedures.
The case of India: looking back
In India, Know Your Customer (KYC) was born out of the Prevention of Money Laundering Act (PMLA), 2002. The government further released procedural details in a separate document called the PML Rules. Regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority (IRDA) then interpret these rules further for the entities they regulate.
Historically, the KYC/AML approach for Indian citizens has been quite complex, allowing Indians a range of government IDs (called officially valid documents or OVDs).
However, along the way, the regulators realized that it was quite easy for an individual to create multiple ID cards and confuse law enforcement. So, the government launched “Aadhaar,” a free 12-digit number issued by the Indian government to all residents of India with the objective of being (a) robust enough to eliminate duplicate and fake identities and (b) able to be verified and authenticated in a simple, cost-effective way. Later, the Indian government and regulators decided to mandate Aadhaar-based eKYC for all by changing the PML Rules.
On September 26, 2018, the Supreme Court overturned this aspect of the PML Rules in its judgment because one didn't always need to have an Aadhaar number to prove one's identity. Subsequently, the government amended the Aadhaar Act to allow banks, telecom, and other financial services providers to perform “voluntary” eKYC.
The new PML rules: Aadhaar-based eKYC
The new version of the PML Rules permits Aadhaar-based eKYC by which financial service providers can now verify the identity of Indian consumers electronically — reducing both the paperwork required and time spent. A recent World Bank report cites an estimate that moving to eKYC reduces the average cost of verifying customers from $23 to $0.50. Similarly, most estimates suggest that customer verification can be done in seconds using eKYC compared to five to seven days when done manually.
The use of Aadhaar for KYC has, however, raised privacy concerns. For example, using the tool for KYC authentication gives financial service providers additional personal information about their customers, which poses a potential data privacy risk. One means of mitigating this risk is to only share the minimum relevant information necessary with third parties, without exposing customers’ personal information, as outlined by the UIDAI.
What is Aadhaar eKYC? How is it different from offline Aadhaar?
The eKYC is an API-based solution where KYC is done electronically. With respect to Aadhaar, eKYC is defined as “a paperless Know Your Customer (KYC) procedure, wherein the identity and address of the user are verified electronically through Aadhaar authentication.” It allows for a simple mechanism where the customer provides the Aadhaar number along with exclusive consent to use their data to the service provider. Once received, the service provider uses the API to send the 12-digit Aadhaar number to UIDAI, which then responds with the demographic information connected to the Aadhaar number. This data (name, address, phone number, gender, etc.) received from UIDAI is used to verify the identity of the customer(s). This method requires an Authentication User Agency (AUA) or KYC User Agency (KUA) license to be issued by UIDAI before it can be used for KYC.
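The flow described above, sketched from the service provider's side as an added example (not UIDAI's API or code from this article): refuse to build a request without recorded consent or with a malformed number, then keep only the fields the onboarding step needs and store the number masked. The Verhoeff check digit and the rule that the first digit is never 0 or 1 are properties of Aadhaar numbers that this page does not describe; the request/response field names, the `NEEDED` list and the masking format are assumptions.

```python
# Added example; request/response field names below are hypothetical.
# Verhoeff tables: D = dihedral-group multiplication, P = position permutations.
D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
P = ("0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258")
INV = "0432156789"

def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff accumulator over the digits, right to left."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

def check_digit(body: str) -> str:
    """Verhoeff check digit to append to `body`."""
    return INV[_fold(body, 1)]

def is_valid_aadhaar(value: str) -> bool:
    """12 ASCII digits, first digit not 0/1, Verhoeff checksum holds."""
    s = value.replace(" ", "")
    return (len(s) == 12 and s.isascii() and s.isdigit()
            and s[0] not in "01" and _fold(s, 0) == 0)

def mask(value: str) -> str:
    """Keep only the last four digits for storage and logs (assumed format)."""
    return "XXXX XXXX " + value.replace(" ", "")[-4:]

NEEDED = ("name", "address")  # assumption: all this onboarding flow requires

def build_request(aadhaar: str, consent: bool) -> dict:
    """Build the (hypothetical) request only with consent and a sane number."""
    if not consent:
        raise PermissionError("no recorded customer consent")
    if not is_valid_aadhaar(aadhaar):
        raise ValueError("not a well-formed Aadhaar number")
    return {"aadhaar": aadhaar.replace(" ", ""), "consent": True}

def minimise(response: dict, aadhaar: str) -> dict:
    """Drop every response field the flow does not need; never keep the full number."""
    kept = {k: response[k] for k in NEEDED if k in response}
    kept["aadhaar_masked"] = mask(aadhaar)
    return kept

# Constructed sample data, not a real person's number or record.
SAMPLE = "23456789012" + check_digit("23456789012")
RESPONSE = {"name": "A. Kumar", "address": "12 Example Road",
            "dob": "1990-01-01", "gender": "F", "phone": "0000000000"}
```

A checksum failure only catches typing and transcription errors before a request is sent; it says nothing about whether the number belongs to the person presenting it.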
Offline Aadhaar allows residents to share their details with agencies or organizations that want to verify them with KYC. This process can be done using either offline Aadhaar XML or a QR code. In case of offline Aadhaar XML, the customer needs to visit the UIDAI website and enter an OTP to get access to a password-protected, digitally signed XML packet, which contains:
- Download reference number
- Date of birth
- Mobile number
This XML packet can then be shared with the organization or agency that is trying to verify the customer. The digital signature from UIDAI within the XML file allows the service provider to verify its authenticity.
One of the major differences between offline Aadhaar-based KYC and Aadhaar eKYC is the fact that, unlike eKYC, offline Aadhaar doesn’t access the UIDAI database directly and goes through an XML file download process to access demographic details.
An identity for the digital age — how businesses can harness eKYC to onboard Indian consumers
Earlier, banks, telecom, and other financial services providers were seeking photocopies of the customer's original identity proof for performing KYC verification. In an attempt to reduce the ever-increasing regulatory burden and compliance cost, financial service providers have started using Aadhaar eKYC to verify Indian consumers. There are various advantages to FIs in using eKYC:
- Paperless verification
- Prevents fraud
- Real-time identity verification
- Consent-based to protect user privacy
Aadhaar-enabled KYC is highly effective in streamlining the onboarding process: it has allowed FIs to digitally onboard customers, and it has dramatically reduced the operational cost of verifying the identity of customers.
However, the use of Aadhaar for KYC has also raised privacy concerns. The Aadhaar system was initially designed to send only “yes/no” responses to queries from third parties, indicating whether the attributes of a customer match those stored in the UIDAI database. But Aadhaar eKYC provides financial institutions with additional information about their customers.
What the future holds
Since electronic documents can be verified remotely, one can potentially also perform KYC remotely. In India, where financial inclusion is such a massive problem, performing remote KYC would reduce the costs of financial institutions and thereby increase adoption of eKYC.
Regulators like SEBI have already given their consent to video-based KYC solutions, and multiple large enterprises have already implemented or are in the process of adopting these solutions for their customer onboarding needs.
Video-recording-based manual KYC
This method is being used extensively by the mutual fund industry to do KYC. Here, the customer initiates self-onboarding by submitting the Proof of Identity (POI) and Proof of Address (POA) as well as recording a video via an app or a web portal provided by the service provider, which then is manually viewed and verified by an agent. This process takes care of the In-Person Verification (IPV) mandated by SEBI and RBI, meanwhile saving on operational costs that come with paper-based KYC.
AI/ML-driven video-ID-based KYC
This is an advanced form of video-based KYC, in which machine learning takes care of authenticating the document and identity of the customer by matching the recorded video and documents submitted. This method eliminates the need for any manual intervention, though in some cases cross-validation can be done manually for a fraction of all transactions, where a small team of agents re-validates the data or takes a second look at validations rejected by the algorithm.
This method not only takes care of the IPV but also eliminates the time and cost required to manually validate a customer, speeding up customer onboarding.
Importance of a legal framework and regulations that encourage adoption of eKYC
At present, most developing countries still lack comprehensive legal frameworks on the usage and protection of biometric data that is being collected by third-party users. With the Supreme Court’s verdict, a legal framework on eKYC and data protection that enables third-party use becomes pertinent. With more accurate and affordable KYC solutions, a new range of financial services becomes practical, contributing to increasing business growth, financial inclusion, and economic prosperity. With the government and regulators encouraging widespread adoption of digital identity, companies looking to expand their operations to India can more quickly and seamlessly sign up customers and start delivering their products and services to one of the biggest markets on the planet.