It wasn’t as if this had never occurred to Indian regulators, or for that matter, regulators all over the globe.

• By the time the 1970s rolled in, banks were given guidelines to help prevent “benaami” transactions, or transactions that could not be traced to specific people. Banks were required to have the names and addresses for all depositors.

• By the 1980s, new bank accounts could be opened only after being “introduced” by someone who already had an account with the bank.

• Then the norms for introduction got a bit stricter. Sometime later, banks were required to have photographs of all account holders.

All this is to suggest that RBI and other regulators were aware of the misuse of the financial system and were trying to implement solutions.

However, neither were the guidelines water-tight in themselves, nor was the implementation of prevailing ones done to perfection.

Which meant that either by exploiting loopholes, by lying, or through collusion with insiders, it was possible for just about anyone to get a lot of illegal stuff done, pretty easily.

While regulators and law enforcement were to an extent dragging their feet over the issue of misuse of the financial system, criminals outside and within the system were rubbing their hands with glee.

Towards the last decade of the twentieth century, going right up to the beginning of the current one,

2002 was also the year when India’s RBI first laid out KYC norms for banks and other financial institutions.

help it get converted to legal money, without the sources of funds being detected. Many important bankers were on his payroll.

Because of his speciality, he built close connections with members of Pablo Escobar’s cartel.

When he was about to get married, his cartel and banking friends turned up in large numbers to attend.

The evening before the big day, limousines arrived to pick up the guests and take them to what promised to be a really wild bachelor party.

Instead, the limousines took all of them straight to US law enforcement agents.

Bob Musella was actually employed by the US Customs as an undercover agent. His real name was Robert Mazur and he had helped catch a number of dangerous criminals.

It would also lead to the demise of the Bank of Credit and Commerce International (BCCI) - an international bank, which at the peak of its operations had over 400 branches in 48 countries.

The bank had grown rapidly by enabling criminals all over the world to use their services without regulation. It was even known as the “Bank of Crooks and Criminals International” to law enforcement agents who were on to them.

The 2016 Hollywood movie “The Infiltrator” directed by Brad Furman is a dramatized recollection of the heroics of Robert Mazur and other agents.
Others interested in them are government and
politicians, judiciary and of course citizens - who
need to go through the KYC process before they
can avail necessary services like banking.
Chapter II:
Know Your KYC or KY-KYC
requirements is usually their ability to prevent money laundering.

However, as businesses (and not just financial businesses) that have enforced good KYC practices have found, there are plenty of direct benefits to knowing your customer.

Companies are using the information they collect about their customers to predict the likelihood of default on loan payments, the likelihood of committing fraud, and even to conduct targeted promotions for their products.

In summary, an ideal KYC eco-system serves its primary purpose of putting a check on money laundering, while at the same time providing benefits to the industry that encourage it to adopt good KYC practices, rather than seeing them as a burden.

branches of Wachovia in the United States.

This money could then be used for legal purposes in the USA. One of the uses that the drug cartels put the money to was to buy aeroplanes that they then used to smuggle more drugs from other countries into Mexico.

Between 2004 and 2007, almost $380 billion was laundered by this mode, using just one bank as a partner.

This happened in an era when KYC had already been mandated not just in the USA, but across major countries in the world.

Had the KYC requirements been strictly followed and the proper checks been in place, the kind of transactions that occurred would have been red flagged and reported to law enforcement authorities in time.
• Banks
• All Indian Financial Institutions (AIFIs) - like Exim Bank, NABARD, SIDBI etc.

• Risk Management
• Monitoring of Transactions
• Reporting requirements
• Protocols associated with action to be taken after suspicious activity is detected
• Procedures for dealing with correspondent banks or setting up international subsidiaries
• Training of employees

• All Indian Financial Institutions (AIFIs)
• Designated Director
• Principal Officer
• In-house or third party resources for identity verification
Chapter III:
Aadhaar and KYC
“Authentication”, as defined by the Aadhaar Act, means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the

This authentication must only be done with the

For individuals who are not eligible for Aadhaar or are not residents:

• The PAN number or Form 60
• Their passport that has a valid visa and
Money laundering and suspicious activities have always existed - it is just that we have gotten much better at detecting them.

Many factors may be contributing to the increased detection - better definition of suspicious activity, better training and awareness, better data analytics capabilities etc.

[Figure: Growth in Suspicious Transaction Reports]
Chapter IV:
Authentication with Aadhaar
• Biometric-based authentication: Biometric information is typically a fingerprint or an iris scan, which is collected by the organisation using a device and then the scan is sent along with the Aadhaar number to the CIDR.

When these are not possible, it may also be combined with an OTP based authentication.
Devices
As per UIDAI:
Examples:
• A Sub-KUA is similar to a sub-AUA and can receive e-KYC data from a KUA after receiving the required authorisation and complying with regulations.

Similar qualifying criteria have been mentioned to be eligible as either an AUA or a KUA, though a certain category of companies need to meet authentication transaction criteria - like the volume of transactions processed, as prescribed by UIDAI.

Most private sector companies that are not regulated by RBI need to have a paid-up capital of at least rupees one crore or a turnover of rupees five crores in the previous year, to become eligible.

Data security and sharing of information

There are many clear guidelines about the roles and responsibilities of requesting agencies, none perhaps more important than the requirements on data security and information sharing.

Ongoing monitoring, audits and strict checks and controls on internal people with access to data have all been recommended.

As far as the sharing of data is concerned, restrictions are imposed upon all concerned entities.

For example, even UIDAI, through the CIDR, is not allowed to share core biometric information with requesting agencies, though it may share other types of information including photograph and demographic information.

Similarly, the core biometric information collected by the requesting agency can be stored only for ‘buffered authentication’.

There are rules for information sharing that need to be followed by everyone else, i.e. all companies that are not requesting entities.

To begin with, the Aadhaar number or numbers of customers can never be published or displayed by anyone.

If companies do possess the Aadhaar details for lawful reasons, they need to adhere to all conditions of full disclosure to customers and prevent any unauthorised use of this data.

Recent updates - Virtual ID, Limited KYC and UID tokens

To facilitate Aadhaar authentication without the sharing of an individual’s Aadhaar number, UIDAI has proposed the concept of a Virtual ID or VID. The VID is a 16 digit number that maps to an individual’s account number.

Every Aadhaar card holder can generate a VID that is unique but temporary.

This unique VID can be shared for authentication and later revoked or changed by the Aadhaar card holder, after a certain specified amount of time has passed.

The virtual identity ensures that in case there is a data leak or security breach, only the VID can be stolen, which can easily be changed by the Aadhaar number holder.

The limited KYC system proposes to further reduce the distribution of actual Aadhaar numbers to requesting entities.

According to the limited KYC concept, UIDAI categorises AUAs into two groups - Global AUAs and Local AUAs.

Global AUAs are those that are required by law to necessarily use the Aadhaar number as part of their KYC process.

These entities have access to full KYC and the permission to store the Aadhaar number in their system.

The list of Global AUAs includes different types of banks like scheduled commercial banks, co-operative banks, payment banks, etc. and certain other entities like life insurance providers and the National Payments Corporation of India (NPCI).

All other AUAs are Local AUAs, which receive a limited KYC response without the Aadhaar number, as well as without other information that UIDAI may decide does not need to be shared in this case.

Local AUAs can also not have Aadhaar numbers stored in their system.

Among RBI regulated entities, AUAs classified as local consist of pre-paid instruments and NBFCs.
The concept of Virtual ID, limited KYC and UID tokens was proposed by UIDAI through a circular in January 2018 (see details in boxes).

Conclusion: In Sync with RBI in Theory

structure to support the processes that the RBI norms demand.

RBI guidelines point to Aadhaar being the best tool for the required KYC, with an insistence on an in-person e-KYC process on most occasions.

While the industry may have specific concerns about the insistence on in-person verification, the expectation from UIDAI is to provide a solution that helps them meet the norms in a reliable and cost-effective manner.

On paper, UIDAI provides them with the required tools and processes, while also continually adopting new technologies to address concerns over privacy and breaches.

However, recent experience shows that in practice, it’s not smooth sailing for the industry.

Businesses have been hit by implementation troubles and arbitrary decision making by UIDAI,

In the next chapter, we will try and understand how Aadhaar based KYC has worked in practice for the financial services industry and learn about some of the issues that exist.

UID Tokens

With access to limited KYC only, many requesting agencies would be left with a situation where they are not able to uniquely identify customers in their

With VID being a temporary ID as well, it can be changed by the customer without the requesting entity knowing about it.

This created the need for a mechanism where the ability of companies to establish unique identity for their customers was not compromised, just like the customer’s privacy.

The UID token system is the solution that addresses these concerns.

In this system, when the CIDR returns a limited KYC response, it also sends a unique UID Token.

This token is unique for each customer-entity combination.

Which means that all authentication requests by the same entity for a particular Aadhaar number will have the same UID Token, but a different entity requesting authentication for the same Aadhaar number will receive a different unique token.

match databases with each other based on the Aadhaar number. Thus the UID token system addresses one of the major privacy concerns related to Aadhaar authentication.
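The VID rotation and the per-entity UID token described in the boxes above, modelled as an added Python example. This is not UIDAI’s code or algorithm: the toy repository, the constructed holder records and the HMAC-SHA256 token derivation are assumptions chosen only to reproduce the properties the text states (a local AUA never sees the Aadhaar number, the same entity gets a stable token for one holder even after the VID changes, two entities get different tokens they cannot join, and a revoked VID stops resolving).

```python
"""Toy model of VID, limited KYC and UID tokens (added illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records for the demo; the numbers are not real Aadhaar numbers.
SAMPLE_HOLDERS = {
    "999900001111": {"name": "A. Sample", "dob": "1980-01-01", "gender": "F"},
    "999900002222": {"name": "B. Sample", "dob": "1975-06-15", "gender": "M"},
}


@dataclass
class ToyCIDR:
    """A toy identity repository: holder records, VID mapping and a token key."""
    holders: dict
    global_auas: set                      # entities permitted to receive the number
    token_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vid_to_uid: dict = field(default_factory=dict)

    def issue_vid(self, uid: str) -> str:
        """Give the holder a fresh random 16-digit VID; any earlier VID is revoked."""
        if uid not in self.holders:
            raise KeyError("unknown holder")
        for old_vid, old_uid in list(self.vid_to_uid.items()):
            if old_uid == uid:
                del self.vid_to_uid[old_vid]      # the old VID stops resolving
        vid = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self.vid_to_uid[vid] = uid
        return vid

    def uid_token(self, uid: str, entity_code: str) -> str:
        """Pairwise pseudonym for (holder, entity).

        Assumption for the demo: HMAC-SHA256 under a key held only by the
        repository. Without that key an entity cannot recompute or re-key the
        token, so two entities' tokens for one holder cannot be matched.
        """
        msg = f"{uid}|{entity_code}".encode()
        return hmac.new(self.token_key, msg, hashlib.sha256).hexdigest()

    def ekyc(self, vid: str, entity_code: str) -> dict:
        """Answer an e-KYC request made with a VID.

        Global AUAs receive the full record including the Aadhaar number.
        Local AUAs receive a limited record: no number, plus a UID token.
        (Whether global AUAs also get a token is not stated in the text; here they do not.)
        """
        uid = self.vid_to_uid.get(vid)
        if uid is None:
            return {"status": "failed", "reason": "VID unknown or revoked"}
        record = dict(self.holders[uid])
        if entity_code in self.global_auas:
            return {"status": "ok", "aadhaar_number": uid, **record}
        return {"status": "ok", "uid_token": self.uid_token(uid, entity_code), **record}


def demo() -> dict:
    """Run the scenario from the text and return the observed properties."""
    cidr = ToyCIDR(holders=SAMPLE_HOLDERS, global_auas={"BANK01"})
    holder = "999900001111"

    vid1 = cidr.issue_vid(holder)
    nbfc_first = cidr.ekyc(vid1, "NBFC77")      # local AUA
    wallet = cidr.ekyc(vid1, "WALLET42")        # a different local AUA
    bank = cidr.ekyc(vid1, "BANK01")            # global AUA

    vid2 = cidr.issue_vid(holder)               # holder rotates the VID
    stale = cidr.ekyc(vid1, "NBFC77")           # old VID must fail
    nbfc_second = cidr.ekyc(vid2, "NBFC77")     # same entity, new VID

    return {
        "local_gets_number": "aadhaar_number" in nbfc_first,
        "global_gets_number": bank.get("aadhaar_number") == holder,
        "same_entity_stable": nbfc_first["uid_token"] == nbfc_second["uid_token"],
        "cross_entity_linkable": nbfc_first["uid_token"] == wallet["uid_token"],
        "old_vid_rejected": stale["status"] == "failed",
    }


if __name__ == "__main__":
    for prop, value in demo().items():
        print(f"{prop}: {value}")
```

The point of keying the token on the repository side is that the token is deterministic for the entity that receives it (so it can de-duplicate its own customers) while remaining opaque and unlinkable to anyone else; the holder’s VID can change freely without breaking that per-entity link.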
Chapter V:
Aadhaar e-KYC in Practice
Rising Issues
Reliability concerns
Chapter VI:
IDfy View - Mandatory in-person
verification is a backward step