Revolutionizing Customer Verification with RBI’s Bold New KYC Guidelines

The Reserve Bank of India (RBI) has recently implemented significant updates to its Know Your Customer (KYC) guidelines, effective immediately as of November 6, 2024.

These changes aim to enhance regulatory alignment with the Prevention of Money Laundering (Maintenance of Records) Rules and to streamline processes for regulated entities (REs).

Key Updates to KYC Guidelines

1. Customer Due Diligence at UCIC Level

The revised Master Direction mandates that REs conduct Customer Due Diligence (CDD) at the Unique Customer Identification Code (UCIC) level.

This means that existing KYC-compliant customers can open additional accounts or access other services without undergoing a fresh CDD process, simplifying the customer experience significantly.

2. Timely Updates to KYC Records

REs are now required to update KYC information within seven days of receiving new or updated data from customers.

This information must be submitted to the Central KYC Records Registry (CKYCR), which will then notify all reporting entities about the updates. This mechanism ensures that KYC records remain current and consistent across institutions.

3. Streamlined Verification Process

For establishing account-based relationships or verifying identities, REs can request the KYC Identifier from customers or retrieve it from CKYCR.

This process eliminates the need for customers to resubmit documents unless specific conditions arise, such as changes in customer information or incomplete records.

These updates are designed to enhance the efficiency and security of customer verification processes while ensuring compliance with evolving regulatory standards.

By adopting these measures, financial institutions can expect improved operational efficiency, reduced paperwork for customers, and a more robust framework for combating money laundering and terrorist financing activities.

As India’s leading provider of Aadhaar-based Digital Identity and KYC solutions, ECS welcomes these changes, which promise to facilitate greater adoption of secure identity verification services across the financial sector.

Feel free to contact our colleague, Amit Joshi, at amit@eastcs.com for any queries regarding these new guidelines or to learn more about ECS’s comprehensive e-KYC solutions suite.

Understanding Consent Management under the DPDP Act

After several years of debate and consultation, the Personal Data Protection (PDP) Bill in India was finally enacted as the Digital Personal Data Protection Act (DPDP) in August 2023.

The genesis of the DPDP Act can be traced back to the landmark 2017 Supreme Court case of Justice K.S. Puttaswamy v. Union of India, which recognised the “right to privacy” as one of the fundamental rights of Indian citizens as guaranteed by the Constitution of India.

Specifically created to safeguard the digital personal data of Indian citizens, the DPDP Act places special emphasis on the role of explicit consumer consent in the processing of their personal data.

The Mandatory Role of Explicit Consumer Consent

Section 6 of the DPDP Act deals exclusively with the process that organisations collecting and processing consumers’ personal data (referred to as ‘Data Fiduciaries’) must follow to capture and process the digital personal data of the customer (referred to as the ‘Data Principal’) in accordance with the consent given.

This section asserts that “The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.”

Here are some key points of this section:

1. Consent as the Primary Basis for Processing

The DPDP Act requires Data Fiduciaries to obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal before processing their digital personal data.

2. Granular and Explicit Consent

Consent must be obtained for each specified purpose of data processing, and the consent should be limited to only the personal data necessary for that specific purpose.

3. Ease of Withdrawal

Data Principals have the right to withdraw (revoke) their consent at any time, with the process for withdrawal being as easy as the process for giving consent.

4. Consent for Minors

For processing the personal data of children under 18 years, the DPDPA mandates obtaining verifiable consent from the child’s parent or guardian.

5. Prohibition on Certain Processing of Children’s Data

The DPDP Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children, even with parental consent.

6. Consent Manager and Consent Management Platforms

The DPDP Act recognises the role of consent managers and consent management platforms in enabling organisations to obtain and manage consent from Data Principals effectively and permits them to process the underlying data only in accordance with the same.

In a nutshell, the DPDP Act places the Data Principal’s consent at the center of personal data processing, in line with global data privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the United States’ California Consumer Protection Act (CCPA).

DPDP Compliance With ECS’s Consent and Data Management Solution (CDMS)

ECS’s CDMS is an integrated suite of consent and data management modules that provide a cohesive framework to comply with the DPDP Act’s stringent mandates.

1. Consent Management Module

The ECS Consent Management module captures, stores, and manages the Data Principal’s (consumer’s) consents as mandated by the DPDP Act.

  • Consent Capture & Logging: Supports capturing, logging, and storing the consumer’s consent along with the consent expiry date as chosen by the consumer (Data Principal).
  • Seamless Integration with Frontend Apps: Supports integration with frontend interfaces (e.g., Mobile App, Website) of the Data Fiduciaries and facilitates instant consent capture directly from consumers.
  • Auto-Generated Consent Notice: Automatically generates consumers’ digital consent notices detailing the purpose of data usage and is capable of capturing the customer’s eSignature on the notice before sending it to the customer.
  • Ease of Consent Withdrawal: Enables easy revocation or modification of the consumer’s consent through legitimate and secure mechanisms like OTP or eSign.
  • Generates Unique Consent ID and Data Reference ID: For each element of the Digital Personal Data.

2. Data Encryption Module

This optional module secures consumers’ digital personal data through:

  • Real-Time Encryption: Leverages industry-leading Hardware Security Modules (HSMs) to encrypt consumers’ digital personal data through HSM keys or public-private key pairs.
  • Restricted Access: Ensures that the consumers’ encrypted personal data is accessible only to authorised applications for cohesive data confidentiality and integrity.

3. Data Storage Module

Data Fiduciaries can opt to use the Data Storage module, which is designed to securely store consumers’ encrypted digital personal data.

  • Mapped Storage: Stores the combination of Data Reference IDs, consent IDs and encrypted data in secure databases.
  • Adherence to Storage Best Practices: Ensures that data storage practices adhere to DPDP Act requirements, maintaining data security throughout its end-to-end lifecycle.

4. Data/Info Sharing Module

Enables the sharing of personal data with external entities as allowed under the DPDP Act’s guidelines.

  • Integrated Data Sharing: Facilitates real-time exchange of consumers’ digital personal data with external Data Fiduciaries and processors based on the consumer’s explicit consent.
  • Transaction Logging: Ensures end-to-end traceability and accountability by storing access logs for all data-sharing transactions.

5. Grievance Module

Provides an interface to efficiently handle consumer complaints and all issues related to the processing of their personal data.

  • Capture Grievances: Captures grievances raised by the consumer and presents them to the Data Fiduciary’s internal team (Consent Manager / Data Protection Officer) for fast redressal.
  • Integration with Front-End Apps: Allows consumers to raise grievances through multiple channels, facilitating easy accessibility.
  • Redressal Tracking: Provides a single-window interface for displaying the status of all grievances, ensuring transparency in the redressal process.

6. Module for Data Protection Officer

Specifically designed to meet the complex operational needs of Data Protection Officers (DPOs).

  • Unified Dashboard: Displays details of all grievances, consent logs, and data-sharing activities.
  • Integrated with E-Office of DPDP Board: The DPDP Board (reporting to the Ministry of Electronics and Information Technology – MeitY) shall function as a regulator for the data protection ecosystem. The DPDP Board is in the process of setting up an e-Office for managing customer grievances. The ECS CDMS platform shall be integrated with this e-Office to facilitate the exchange of information on a real-time basis.
  • Integrated with Internal Systems: Seamless integration with internal platform modules and APIs of external services to share required information with consumers.

7. Management Information System (MIS) Module

The MIS Module serves as an intuitive dashboard for the internal and external stakeholders of Data Fiduciaries and Processors.

  • Instant Information Retrieval: Displays details of data capture, sharing transactions, consent logs, and more.
  • Real-time Status Updates: Provides real-time updates on the status of data processing activities and grievances.

Summing Up

The DPDP Act places significant emphasis on consumer consent and data security, aligning with global data privacy standards.

ECS’s Consent and Data Management Solution (CDMS) offers a comprehensive, integrated platform to help organisations meet these stringent requirements by streamlining consent management, data protection, and timely grievance redressal.

To learn more, please feel free to reach our colleague Amit Joshi on 9820875525 / 7208155528 or email him at amit@eastcs.com.

FAQs at MOSIP Connect 2024

In today’s increasingly interconnected world, the need for a singular, unifying national identity has become more important than ever.

With India showing the way with its national ID – Aadhaar, many countries around the globe have expressed their interest in emulating India’s national ID success story.

Spearheading this global initiative is the Modular Open Source Identity Platform (MOSIP), a university-incubated not-for-profit organization that helps governments ideate and implement effective digital public infrastructure in their respective countries.

To bring together the key changemakers in the global digital identity ecosystem, MOSIP recently hosted its first edition of MOSIP Connect, a 3-day event in Addis Ababa, Ethiopia from 5th to 7th March 2024.

As India’s leading Digital Identity solutions provider, ECS was privileged to present its advanced MOSIP-integrated KYC solutions to global dignitaries and industry leaders at the MOSIP Connect event. Here are a few Frequently Asked Questions (FAQs) that Team ECS answered at the event:

Q1. Can you tell us more about your MOSIP-enabled solutions? What are their exact use cases?

A. As India’s leading Digital and Paperless KYC solutions provider, we have processed over 2.2 Billion Digital KYC transactions for 400+ enterprises. Here are some of the key modules embedded in our ready-to-implement, MOSIP-integrated Digital KYC platform:

  1. Full stack ‘MOSIP PAP Server Module’ integrated with MOSIP’s MISP Engine.
  2. MOSIP-approved Secure Biometric Interface (SBI) integrated with all leading Biometric Devices.
  3. Web & Mobile-based Transaction Interfaces integrated with enterprises’ existing front-end modules.
  4. MOSIP-based e-Sign module to enable execution of any document in paperless form.

This comprehensive stack is implemented under an ‘On-Premises’ model and is designed to seamlessly communicate with the MOSIP-powered National ecosystem for downloading KYC data of citizens on a real-time basis.

Our stack that cohesively supports Fingerprint, IRIS and OTP-based KYC transactions has diverse use cases, including:

  • KYC of Telco individuals applying for a new SIM Card.
  • KYC of individuals applying for a bank or NBFC’s asset/liability products.
  • KYC of Payment Wallet customers.
  • KYC of individuals applying for competitive examinations.
  • KYC of individuals applying for a life/general insurance policy.
  • KYC of individuals seeking Government subsidies.

  • Paperless execution of any document by the end-user by using his/her MOSIP-powered National ID.

Q2. What are the infrastructural requirements for integrating your solutions with our current National ID project?

A. ECS’s KYC stack is deployed under an ‘On-premises’ model to ensure complete security and control over the sensitive KYC information downloaded from the MOSIP-powered National ID Ecosystem.

Our platform is designed to function optimally on asset-lite hosting environments and is scalable both horizontally and vertically. It is also designed to support HA implementation and can be implemented in a physical DC/DR setup as well as in cloud environments.

Q3. How do your solutions optimize the end user onboarding process?

A. Our solutions are designed to automate two critical facets of the end-user onboarding process:

1) The end-to-end KYC process.

2) The customer’s document execution process.

Enterprises can optimize their processes by implementing Paperless KYC and MOSIP-based e-Sign process to enable digital acquisition and secure execution of any document in a completely digital and Paperless mode.

In addition to being more accurate and efficient, the Paperless KYC and Paperless e-Sign processes result in a significant reduction in the end-user onboarding costs.

Q4. How do you support the acquisition of end-users who are not enrolled in our National ID project?

A. ECS’s KYC Engine is designed to support the online KYC process (KYC data is fetched from the National ID ecosystem after validation of the end-user).

Furthermore, our KYC Engine also supports capturing images of the original Officially Valid Documents (OVDs) and processing the KYC of the end-user without the need to capture the paper-based documents. This process of using other OVDs is, however, subject to regulatory approval.

Q5. Do your solutions enable Paperless onboarding?

A. Yes. Our National ID-based KYC Engine seamlessly supports Paperless onboarding and paperless KYC of the end users.

Q6. What are the modes of end user authentication offered by your solutions?

A. Our National ID-based KYC engine supports the authentication of end users through Fingerprint biometrics, IRIS Biometrics, Face Biometrics as well as OTP. Our engine is integrated with all the leading biometric devices approved by MOSIP / National ID ecosystem.

Q7. Do your solutions mandate any specific biometric or IRIS devices?

A. No. Our platform is device agnostic in nature and is integrated with all the leading biometric devices approved by MOSIP / National ID ecosystem. Enterprises using our solution are free to choose any of the approved device vendors of their own choice.

Q8. What are the various interfaces that your solutions support?

A. Our Paperless KYC and e-Sign Engine is designed to support both mobile (iOS as well as Android) as well as web-based interfaces (supports all leading browsers).

Additionally, our solution can be easily integrated with diverse native thick-client applications.

Q9. How do you ensure data security and user privacy?

A. To ensure optimal data security, all our solutions are strictly implemented under an ‘On-premises’ model in the DC/DR/cloud environment of the client.

Furthermore, the KYC data fetched by our platform from the National ID ecosystem is purged from the database of this application after it is successfully uploaded to the internal core applications of the client. All the entry points to our platform are secured using PKI security (RSA 2048-bit encryption) and, in addition, the users of these entry points (to invoke our KYC & e-Sign Engine) are subjected to multi-level authentication.

Q10. Are your solutions HA compatible? Can you tell us more about your solutions’ interoperability functionalities? 

A. Our platform architecture is designed to support full HA as well as partial HA and the instances of our solution can be deployed under active-active/active-passive mode to ensure complete failover between the DC and DR setup.

Summing Up

Today’s digital-first world warrants the right digital identity solutions that can help create a more inclusive global society.

By offering secure and accurate means of identifying individuals, digital identity solutions such as the ones offered by ECS pave the way for better access to essential services like healthcare, banking, and education, regardless of geographic or socioeconomic barriers.

At ECS, we strongly believe that it is not just about citizen identification, but about building the very foundation for a global society that values every individual’s identity and rights. To learn more about our MOSIP-integrated, ready-to-deploy national ID solutions, feel free to reach our colleague Amit Joshi on 9820875525 / 7208155528 or email him at amit@eastcs.com.  

Important Announcement: UIDAI Slashes e-KYC License Fees!

In a much-appreciated move, the Unique Identification Authority of India (UIDAI) has announced a significant reduction of e-KYC authentication license fees for AUAs and KUAs w.e.f. 1st July 2023.

Currently, UIDAI charges AUAs/KUAs a flat license fee of 20 lakhs for 2 years. This is all set to change as UIDAI has now aligned the license fees to the actual number of e-KYC transactions processed by an AUA/KUA.

As per the new regime, the revised license fees will be calculated as follows:

1) For AUAs/KUAs processing up to 5 lakh transactions per year: License fees of Rs. 5 lakh for 2 years.

2) For AUAs/KUAs processing between 5 lakh and 20 lakh transactions per year: License fees of Rs. 10 lakh for 2 years.

3) For AUAs/KUAs processing above 20 lakh transactions per year: License fees of Rs. 20 lakh for 2 years.

Additionally, this notification also lists some other important points, as mentioned below:

A. Newly onboarded AUAs/KUAs will be granted free access to their pre-production environment for the first three months, provided such AUAs/KUAs move to the production stage within the prescribed time frame.

B. If the entity fails to move into production within three months of the grant of free access to the pre-production environment, it will have to pay a pre-production license fee of Rs. 5 Lakhs which will be valid for a period of 3 months.

C. Entities will be on-boarded based on the transaction estimates provided by them and the license fee shall be charged as per the applicable slab. At the time of renewal of the license if the entity is found to have processed a higher number of transactions, then the differential amount (i.e., the difference between the applicable license fee and the license fee levied initially) will be charged along with an interest of 18% per annum.

D. If the entity has processed a lesser number of transactions compared to the initially submitted transaction estimates, no benefit of the lower slab will be extended.

As India’s leading Aadhaar-based Digital Identity Solutions company, we at ECS couldn’t be happier about these new announcements. We are confident that this announcement will provide a significant boost to organisations looking to integrate e-KYC processes to streamline their customer onboarding experience.

Feel free to reach our colleague Amit Joshi on 9820875525 / 7208155528 or email him at amit@eastcs.com if you have any questions or if you’d like to learn how ECS can help you in your e-KYC journey.


New Development: Indian Govt. To Allow Aadhaar Authentication By Private Entities


In a welcome move, on Thursday 20th April 2023, the Ministry of Electronics and Information Technology (MeitY) proposed to amend the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020.

To this date, only government ministries, departments, and regulated entities like banks and telecom companies were allowed to perform Aadhaar authentication if they were fully compliant with UIDAI’s 2019 amendment to the Aadhaar Act, 2016 (Targeted Delivery of Financial and Other Subsidies, Benefits and Services).

With an intent to enhance the adoption of the Aadhaar authentication ecosystem, MeitY has released a draft amendment that will now allow even private entities to facilitate Aadhaar authentication to promote ease of living and enable better access to public services.

To get the government’s approval for Aadhaar authentication, private entities will have to submit a proposal justifying how their Aadhaar authentication service can enhance good governance, prevent the leakage of public funds, and foster innovation.

For areas that fall under the purview of the Central Government, private entities will have to submit their proposals to the central ministry governing their operations. For subjects that are managed by State Governments, private entities have to submit their proposals to the concerned ministry / department of the respective State Government.

The government has urged the public to submit their feedback/comments to the proposed amendment before 5th May 2023 through the MyGov website.

As India’s leading Aadhaar-based Digital Identity and KYC Solutions provider, at ECS we are confident that this new development holds the potential to completely transform the current Aadhaar ecosystem and usher in a new chapter in Digital India’s growth story.

Please feel free to get in touch with our colleague Amit Joshi on 9820875525 / 7208155528 or email him at amit@eastcs.com if you need any help in navigating the complex and ever-evolving Aadhaar authentication landscape in India.


The Next Chapter In Securing Aadhaar Authentication Transactions


As technology advances, malicious threat actors also adapt and refine their tactics, becoming more sophisticated each day. The case is no different with India’s homegrown Aadhaar ecosystem that has completely redefined the concept of “financial inclusivity” with its unparalleled Aadhaar Enabled Payment System (AEPS) that facilitates instant direct beneficiary transfer (DBT). 

In March last year, the Unique Identification Authority of India (UIDAI) had informed the Indian Parliament that it had recorded an unprecedented rise in attempted, unauthorized Aadhaar biometric-based financial transactions.

As per the statistics presented by UIDAI, around 13,864 fraudulent transactions amounting to around ₹10 crore were reported between 2019 and 2022.

To thwart such malicious attempts, on 27th Feb 2023 UIDAI rolled out a new Artificial Intelligence (AI) and Machine Learning (ML)-based mechanism for Aadhaar-based fingerprint authentication and faster detection of spoofing attempts.

As per UIDAI, this indigenously developed security mechanism uses a combination of both finger minutia and finger image to check the liveness of the fingerprint captured by Regulated Entities (REs) like AUAs and Sub-AUAs, thereby facilitating a dual-level authentication of the captured fingerprint.

To appreciate the importance of this new security mechanism, let’s first understand how fraudsters spoof fingerprint authentications.

Spoofing Mechanism Used By Fraudsters

As a conventional practice, the ‘Optical Sensors’ embedded in a majority of biometric devices capture either the finger minutia or the finger image of the presented finger in isolation for processing the transaction.

Realising this limitation, fraudulent operators predominantly relied on the ‘Gummy Finger’ technique to bypass the security of Biometric Devices.

UIDAI extensively reported instances where fraudsters created ‘Artificial Fingers’ from a real fingerprint image by using materials like Free Moulding Plastic and Gelatine Sheets. Such artificial fingers were extensively used to process unauthorized fraudulent transactions.

To plug this loophole, UIDAI has now introduced a mechanism to capture a combination of both finger minutia and finger image to check the liveness of the fingerprint captured. This optimization is slated to make Aadhaar authentication transactions even more robust and secure.

As India’s leading Aadhaar-based e-KYC Solutions Company, we have been closely working with UIDAI for testing this new security module and are happy to inform you that we have already implemented this for some of our key clients.

Implementation Modalities

REs need to follow the following steps to implement this new feature:

  • Obtain a new license key from UIDAI to support FIR + FMR transactions (UIDAI has started to mandate usage of FIR + FMR).
  • Implement the new key in the KUA stack.
  • Incorporate the necessary changes in the request sent to the RD Service and UIDAI for processing of eKYC and Bio Auth transactions.

Feel free to get in touch with our colleague Amit Joshi on 9820875525 or 7208155528 or email him at amit@eastcs.com if you have any queries, or want to know how ECS can help your organisation to implement this new security feature.  


Decoding RBI’s Latest Amendment On Permitting Regulated Entities To Subscribe To e-KYC Service

The Reserve Bank of India (RBI) and Unique Identification Authority of India (UIDAI) have been consistently working to improve the uptake and usability of  India’s Aadhaar-based e-KYC ecosystem.

Recently, on 13th September 2021, RBI released a circular stating that all RBI-governed entities, such as NBFCs, Payment System Providers, and Payment System Participants, can now apply for their own AUA / KUA license to use Aadhaar’s e-KYC and Aadhaar Authentication services of UIDAI.


Implications of RBI’s latest amendments to Master Directions on KYC

On 10th May this year, the Reserve Bank of India (RBI) amended the Master Directions (MD) on KYC to expand the scope and usage of Video-based Customer Identification Process (V-CIP).

These amendments are a welcome move as they effectively eliminate the various ambiguities associated with the implementation of a V-CIP solution.


ECS Helps NeSL Digitise and Execute Non-registrable Contracts and Agreements in Tamil Nadu

Continuing its winning streak of developing world-class digital platforms that facilitate ‘Ease of Doing Business’ and enhance the lives of discerning Indian citizens, ECS recently helped National E-Governance Services Ltd. (NeSL) – a Union Government Company, to develop a fully-digital platform to enable paperless execution of non-registrable agreements and digital payment of Stamp Duty in the state of Tamil Nadu.
