27 May 2026

Gajini KYC - with a memory problem

Verify once, reuse everywhere: that is the promise of portable KYC, and India has not yet kept it. The infrastructure exists: the CKYCR is live, KRAs have run for over a decade, and the PML Rules contemplate reuse with the client's consent. What is missing is legal comfort: Rule 9(2) leaves intermediaries on the hook even when they rely on a government-operated registry, so they re-verify instead. In our latest piece in the Financial Express, Pranjal Kinjawadekar, Yash Vardhan and I argue that fixing the liability rule and harmonising data standards across regulators will do more for portability than any further build-out of registry infrastructure. The full piece is below:

An investor who has been verified once should not have to be verified again. That is the promise of portable KYC, and it is a promise the Indian financial system has not yet kept. Speaking at SEBI’s Foundation Day on April 25, Finance Minister Nirmala Sitharaman called on SEBI to deliver a seamless, secure, and portable KYC experience across the financial sector. The architecture to do so is already in statute. What is missing is the operational detail and the liability clarity that would make intermediaries willing to use it.  

India’s KYC obligations originate in the Prevention of Money-Laundering Act, 2002, and the rules framed under it. The Central KYC Records Registry (CKYCR), operated by CERSAI, was set up as a cross-sector repository. Every reporting entity that completes KYC must upload the record and generate a unique identifier, which any other reporting entity can retrieve with the client’s consent. The design is a shared identity infrastructure across the financial system. The practice is not. Duplication and friction persist.

Within the securities market, SEBI established its own infrastructure as early as 2011 through KYC Registration Agencies (KRA), governed by the SEBI (KYC Registration Agency) Regulations, 2011 and the Master Circular on Know Your Client (KYC) norms for the securities market. Under this framework, the first SEBI-registered intermediary onboarding a client conducts due diligence, uploads the records to a KRA, and retains the documents, following which subsequent SEBI-regulated intermediaries retrieve these records instead of initiating the process afresh. The KRA system has been in place for over a decade and has materially streamlined onboarding within the securities market. That said, the framework continues to be subject to certain structural constraints.

The first constraint arises at a cross-sector level. Portability under the KRA framework is confined to SEBI-regulated intermediaries, with no seamless mechanism to extend this across other regulatory domains. As a result, a client whose identity has already been verified by an RBI-regulated bank cannot have those records readily accessed by a SEBI-regulated broker through the same channel. The CKYCR was intended to address this gap and, in principle, provides the necessary bridge. In practice, however, its effectiveness across sectors remains limited. The reasons are operational: data standards are not aligned across regulators and there is no standardised digital consent mechanism for retrieval. This results in investors continuing to re-submit documents at multiple regulatory boundaries.

The second constraint arises within the securities market, at the level of financial groups. A group offering distribution, advisory and broking services typically operates through separate SEBI-registered entities. Each is required to retrieve the client’s KYC record from a KRA on onboarding. Market practice is not uniform. Some groups initiate separate KRA pulls for each entity; others rely on a single pull and share the record internally. Neither approach has clear regulatory backing, and the framework does not settle the point. The result is multiple identical pulls of the same record across a group’s product suite, with cost and delay but no regulatory benefit.

Different categories of KYC information are governed by different sharing rules. Core identity and verification data uploaded to KRAs can be accessed only through a KRA pull. Other due diligence information, such as risk assessments and source-of-wealth documentation, sits outside the KRA framework and may be shared internally under group policies. The boundary is not clearly drawn, and market participants do not apply it consistently. Both constraints reduce to the same point: the records exist, the verification has been done, and what is missing is a mechanism to reuse them.

The Finance Minister’s push must translate into reform at two levels. At the cross-sector level, the CKYCR must be made to work. The infrastructure is in place: CERSAI operates the registry, reporting entities are required to upload to it, and the PML Rules contemplate retrieval by any reporting entity with the client’s consent. What is required is alignment. Data standards across regulators must be harmonised so that a record acceptable to an RBI-regulated bank satisfies a SEBI-regulated broker. The consent mechanism must be standardised and made digitally operable, so the client can authorise retrieval once at onboarding rather than separately for each pull. 

Most importantly, the liability question needs to be addressed directly. Under Rule 9(2) of the PML Rules, a reporting entity that relies on a third party’s due diligence continues to bear full responsibility for compliance with its KYC obligations, even where the underlying records have been verified by a regulated entity and uploaded to a government-operated registry. This allocation creates a disincentive, as intermediaries may prefer to undertake fresh verification rather than rely on third-party records. A clear regulatory position is required on the extent to which reliance in good faith on verified CKYCR records can satisfy KYC obligations. Such clarity would materially improve portability, more so than incremental improvements to registry infrastructure.

Within the securities market, SEBI may consider issuing clear guidance on the conditions under which a single KRA pull by one group entity satisfies the obligation for other entities in the same group. Clarity on the distinction between KRA-stored information and other due diligence information, along with the applicable sharing channels for each, would further support consistency in practice. Without this, divergent market practices will persist, with the conservative players bearing unnecessary costs and the aggressive ones operating without a clear legal basis.

Portable KYC is not a technology problem. The registry exists, the records exist, and the statute already contemplates reuse with the client’s consent. What is missing is the legal comfort that reliance in good faith on those records will not be second-guessed. Fix the liability rule, harmonise the data standards, and the rest will follow. The infrastructure has been built. It is time to let it work.



 
