The promise of neobanks, digital banks, embedded finance, and so on has changed how financial services are accessed and experienced. Players, ranging from banks to startups to big tech companies, are thus exploring the multifarious ‘as-a-service’ offerings and infrastructure, such as Open Banking APIs, UPI, and the upcoming Open Credit Enablement Network (OCEN). Many of the resulting arrangements manifest as a layer on top of banks and other regulated players. To access the financial services they offer, compliance with the applicable KYC mandate, the service, and the player or the underlying player is an essential first step.
Customers expect a seamless and digitized identity verification procedure, particularly during the pandemic that has made traditional contact-based and in-person KYC processes a health risk. Integrating a completely digitized and scalable identity verification layer is thus essential for innovation in this space to achieve its full potential. Regulatory steps relaxing individual and business KYC and technological infrastructure for API-based verification play a crucial role in creating this layer.
The Digitized Identity Verification Layer and Scaling an Experimental Service
The explosion of API-based services has facilitated numerous new arrangements. Take, for example, banks and FinTech companies partnering to launch digital banks to add new distribution and onboarding channels, companies signing up as TPAPs to launch UPI-based payments services, and tech/FinTech companies riding on the licenses of regulated players to offer digital lending and other services. In fact, dedicated financial infrastructure players that partner with multiple banks, NBFCs, and other entities via APIs enable companies to simply ‘plug and play’ to launch their financial services.
Services in the experimental stage and trying to scale, such as a new service or a new way to access a traditional service, must minimize customer onboarding friction—a valuable lesson learned the hard way by the m-wallet industry in its initial years. Business models in the m-wallet industry were originally built around low-cost Aadhaar-based eKYC (approximately INR 20, as opposed to INR 200–250 for regular KYC). The 2018 withdrawal of eKYC, combined with the mandate to convert to full KYC, took away convenience—a key factor that drove the early adoption of m-wallets. M-wallets have since completely reinvented themselves, but this still leaves lessons to be learned on the KYC front.
A digitized identity verification layer, much like IndiaStack’s integrated ‘presence-less’ and ‘paperless’ identity layer (via eKYC, DigiLocker, etc.), thus plays an essential role.
How KYC Verification and Account Linking with API-Based Services Work Today
Neobanks can partner with multiple banks or other regulated players. Customers can access the services of a neobank if they have an account with any of the underlying partner banks. KYC compliance is then defined by the norms applicable to the banks.
A neobank and its partner bank can set up ‘connected banking’ models, enabling customers having accounts with the partner bank to simply link their account via a net banking process. KYC must be completed first if a new account needs to be opened. Account linking and KYC vary across banks, with varying levels of digitization. For example, a URL can be redirected from the neobank’s website/app to the bank’s website to complete the process. Alternatively, some or all of the required data—to be shared with the bank—can be collected at the merchant’s portal that conducts and confirms the verification via APIs. The bank can also conduct Aadhaar-based verification depending on the service.
Similar steps are deployed when accessing a new service requiring separate KYC, say, accessing insurance, lending, or mutual funds after linking an existing savings account. The same goes for an embedded finance offering, for example, a savings account or wallet service embedded as a feature directly in a merchant app.
KYC verification and account linking with API-based services are not yet completely digitized. Video KYC primarily eases individual KYC; business KYC is still a far cry from digitization. KYC here also often ends with a mandatory in-person verification by the bank before account activation.
Benefits of the Verification Layer and the Vast Potential of Real-Time KYC
An identity verification layer undoubtedly eases verification at the technological level, covering the multiple API integrations with banks, public databases, and other sources as required. In addition, API-based data access can further ease verification, for instance, allowing consent-based predictive auto-filling of KYC forms to reduce human error, accelerate onboarding, and support the overall due diligence and fraud checks.
While KYC has specific requirements such as accepting only official ‘equivalent e-documents,’ data from government databases and other sources can also be used for digital identity verification outside of the legal mandate for KYC. For instance, apart from KYC for customers, verification is equally important, say, for onboarding vendors, partners, and employees. Sector-specific rules can also have requirements that may not be KYC per se. For example, the Consumer Protection (e-commerce) Rules, 2020 require marketplace e-commerce entities to keep records, allowing identification of sellers.
Even with regulated entities, a modular approach can help platforms set up staggered KYC policies on a need-to-know basis instead of full KYC. A step in this direction was RBI’s guidelines—that differentiate between account-based and onboarding relationships—for payment aggregators (PAs). With this, PAs onboarding merchants with an underlying full KYC bank account need not conduct the entire KYC process again; a board-approved KYC policy will suffice.
Features to ease the process have already been introduced. For instance, using GSTIN, data such as legal entity name, business address, registration date, GST status, and beneficial owner information can be pulled from the GST portal and auto-filled. Trusted sources such as the account aggregator framework and other Banking-as-a-Service (BaaS) facilities can all be leveraged here. Even payment credentials need to be verified, for instance, verifying payment credentials prior to processing employee salaries and vendor payments. The traditional ‘canceled check’ technique can also be made instant and paperless with online bank account verification via APIs.
Open Banking, thus, has tremendous potential to create reliable ‘instant’ identity verification.
Defining a Verification Layer’s Functioning – Features and Key Business KYC Challenges
Several factors impact how a digital identity verification layer works—what KYC and verification entail, restrictions on data storage, etc. Although regulatory steps have eased the process, several challenges still need to be addressed.
1. Different KYC requirements for different services
KYC—a multi-step process that starts from pre-onboarding and continues until the relationship ends—includes checking identity documents, such as Aadhaar and passport, and business documents (licensing, registration), verifying PAN and GSTIN, beneficial owner KYC, and bank account verification. Many of these steps can be digitized via a verification layer, thanks to regulatory relaxations and government databases that have opened API access to enable direct verification.
KYC norms vary from service to service and, sometimes, entity to entity. Businesses, therefore, need to assess their business requirements, applicable regulatory norms, and the facilities their verification layer requires. For example, consider a business using an embedded finance feature for wallets to credit salaries to its unbanked vendors/partners or facilitate specific authorized purchases by employees. Seamless issuance of wallets will also require an integrated ability to complete KYC. The following points specific to KYC for wallets must be kept in mind:
- KYC must include the facility for collecting data for minimum KYC (OTP-verified mobile number, self-declared name, and OVD identity number) and converting to full KYC (say, via V-KYC) under RBI PPI norms.
- Voluntary Aadhaar-based eKYC also comes in for bank-issued wallets.
- KYC levels also vary based on the type of wallet facility required. For example, converting to full KYC isn’t required for low-limit (INR 10k) wallets loaded only from a bank account. In this scenario, minimum KYC will suffice as long as the issued wallets are loaded by the business only from those company bank accounts that have completed KYC.
- In all other cases, full KYC is mandated within two years. Even here, full KYC wallets allow features such as interoperability (upcoming), cash withdrawal, and increased balance limits (INR 2 lakh), which allow wallets to become substitutes to bank accounts. Depending on business requirements, these additional features may support earlier conversion to full KYC.
- e-RUPI now adds a KYC-free option for prepaid vouchers via UPI, but this comes with restrictions such as a INR 10,000 cap and one-time use only.
2. Important regulatory steps for digitizing KYC
Regulatory steps to digitize KYC play a crucial role with seamless identity verification. With m-wallets, the initial regulatory flip-flop around KYC was a big part of the challenge. Moreover, the respite that came (permitting minimum KYC low-limit wallets and increasing time for converting to full KYC to two years) was slow. However, steps are now being taken to digitize and relax KYC.
In addition to relaxing KYC for wallets, there are initiatives that relax KYC for particular services or entities. For example, customers can link an underlying bank account for which the bank has already conducted full KYC. Similarly, PA guidelines approve board-approved KYC policies when onboarding merchants with such accounts. The distinction between account-based and onboarding relationships mentioned in the guidelines is important and is, in fact, also found in the KYC Direction that requires the ‘customer due diligence aspect’ of KYC to be carried out only when “establishing an account-based relationship.” Yet another example is UPI that requires linking the account to the UPI app. As a result, UPI is favored more than wallets. Minimum KYC wallets, loaded only from such accounts, are also an example.
Yet another step toward digitizing KYC is using Aadhaar OTP based e-KYC as a simple KYC option for opening savings and lending accounts. While these are subject to limits of INR 1 lakh and INR 60,000, respectively, and must be converted to full KYC (via V-KYC again) within a year, these are a good option, say, for issuing short-term, small-ticket loans.
Digitizing KYC, in general, includes essential steps such as permitting the use of ‘equivalent e-documents’ for KYC from DigiLocker or the issuing authority (e-PAN, e-AoA, and e-MoA). Operationalizing C-KYC for individuals and, recently, for businesses and permitting V-KYC for individuals first and now businesses are among the other steps. V-KYC was eased recently to accept identity documents apart from Aadhaar via the C-KYC Identifier and DigiLocker. The increase in API-accessible government databases (such as NSDL for PAN, GST Portal, and MCA) is another benefit.
All these steps increase the possibility of an end-to-end digital KYC process. The key benefit at present, however, is for individuals. For businesses, KYC is still not adequately digitized.
3. Key challenges with digitized business KYC
Individual KYC is comparatively more digitized than business KYC, thanks to V-KYC, C-KYC, and DigiLocker, though practically, even these run into issues. V-KYC, for example, still hasn’t been adopted widely. KYC sharing via C-KYC is not highly reliable due to the risk of fraud at the other institution. For business KYC, despite recent welcome steps, there are several additional challenges:
- All business documents not digitized: While many government databases have enabled API-based access, digitization does not cover the complete spectrum of documents needed and every type of business. Partnership deeds, trust deeds, registration proof, board resolutions are some documents that are often unavailable in a digital format. Company MoAs and AoAs can be downloaded from the MCA portal, but these are usually scanned copies of physical documents. One may encounter the same issue while submitting ITRs, IEC certificates, and other documents even though PAN or IEC in itself can be verified online.
- Issues with scanned documents: Uploading scanned documents prevents API-based access to the data in those documents while also necessitating traditional ‘original seen and verified’ checks for many of them. Another challenge is converting the scans to the supported formats and size of each portal before uploading, which hampers smooth onboarding.
- C-KYC not operational: Although the legal entity template has been shared, C-KYC is not operational yet and will be plagued by the lack of digitized business documents.
- Mandatory on-site verification: Recent V-KYC relaxations for sole proprietors and beneficial owners may allow completely digitized KYC processes for onboarding some MSMEs, one-person companies, and similar small businesses with entirely digitized processes. Higher risk and larger businesses, however, still need to wait. Banks, for example, often mandate on-site verifications for businesses as a key due diligence check. The physical aspect of business KYC thus becomes unavoidable for business address verification, activity checks, etc.
- Multiple business owners and ownership setups: Multiple business owners and ownership setups make business KYC a lot more subjective than individual KYC. A significant challenge is correctly identifying current beneficial owners, such as the current majority shareholder or relevant director. This, in fact, is also a common source of fraud.
Moving Closer to Real-Time Identity Verification
A verification layer thus takes many factors into consideration and plays a crucial role in easing customer onboarding for businesses. Regulators can certainly take the next steps, like increasing the number of API-accessible business documents, recognizing API-based verification as original seen and verified, resolving operational issues with C-KYC, and increasing data available on merchant fraud. These steps can play a pivotal role in digitizing onboarding, particularly for business KYC, including small businesses and MSMEs. The regulatory focus and initiatives in this regard cannot be undermined. Each step brings fully digitized and real-time verification closer to reality.