2.7 KYC, CKYC, CERSAI

KYC Master Direction

Rule summary

The RBI Master Direction – Know Your Customer (KYC) Direction, 2016 consolidates all KYC, CDD (Customer Due Diligence), and AML / CFT obligations for REs. Updated frequently — the latest amendments are tracked on rbi.org.in.

Source

RBI Master Direction – Know Your Customer (KYC) Direction, 2016, DBR.AML.BC.No.81/14.01.001/2015-16, as amended.
Prevention of Money Laundering Act, 2002 (PMLA) and Rules.

Required CDD elements

For each customer (and beneficial owner for non-individual accounts):

Identity proof — Aadhaar / Passport / Driving Licence / Voter ID / NREGA card (Officially Valid Documents).
Address proof — same OVDs or utility bill, bank statement.
PAN — mandatory for any account with financial transactions.
For non-individuals: incorporation documents, beneficial-owner identification, authorisation to act, MoA/AoA / partnership deed / trust deed.
Photograph.
Live photograph + signature in video-KYC or in-person.

CDD methods (alternatives)

In-person at branch.
Video Customer Identification Process (V-CIP) per RBI’s specifications — live video session with trained official, OVD verification, geo-tagging, recording retained.
Aadhaar e-KYC — via OTP for non-PMLA-Schedule-II purposes, via biometric for full e-KYC. For NBFCs, Aadhaar e-KYC is permitted only via the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Act route, on borrower’s voluntary consent.
DigiLocker-fetched OVDs — borrower fetches OVD from DigiLocker; pre-validated by issuing authority.
Offline Aadhaar XML — borrower provides offline e-KYC zip + share-code, signed XML validated against UIDAI public key. No biometric or OTP needed.
CKYC fetch — pull the customer’s KYC record from CKYCR if available.

Periodic update

High-risk customers: every 2 years.
Medium-risk: every 8 years.
Low-risk: every 10 years.

Beneficial owner identification

For corporate borrowers — identify any natural person who ultimately owns or controls the entity, defined as owning >= 25% (companies) or >= 15% (partnerships, trusts) of capital or beneficial interest, or who exercises ultimate effective control through other means.

Sanctions screening

Mandatory screening of customers (and beneficial owners) against:

UN-designated lists (UNSC consolidated list of individuals and entities subject to sanctions).
MHA-published lists (UAPA-banned organisations).
Other government / RBI-circulated lists.

Screening at onboarding, periodically thereafter, and on every periodic update.

CKYC (Central KYC Records Registry)

Rule summary

CKYCR, operated by CERSAI (Central Registry of Securitisation Asset Reconstruction and Security Interest of India), is the central registry of KYC records of customers of all REs in India.

REs are required to upload new KYC records to CKYCR and download existing records (with consent) before opening accounts — reducing repeat-KYC and creating a single source of customer KYC truth.

Source

CKYC operating norms issued by CERSAI under PMLA Rules. Available at ckycindia.in.
RBI directions to REs on CKYC integration (within the KYC Master Direction).

Process

At customer onboarding (or periodic update), generate a CKYC Identifier (KIN) — 14-digit number.
Search CKYC with customer’s identifiers (PAN, Aadhaar, mobile) to check for an existing KIN.
If KIN exists, download the record with customer consent.
If not, upload the new KYC record (along with documents in specified XML / image format).
CKYCR returns the KIN.
On any future periodic update, update the CKYC record.

Mandatory data elements (CKYC upload format)

Customer type (individual / legal entity / sole proprietor).
Name, DoB / DoI, gender, nationality.
Identity documents (number, type, issuing authority, expiry).
Permanent and current address.
Mobile, email.
PAN.
Aadhaar reference (if used).
Photograph.
KYC method (in-person, V-CIP, etc.).
KYC date.

Operational implications

Most off-the-shelf KYC vendors (Karza/Perfios, IDfy, Hyperverge, Signzy, Digio) include CKYC integration as part of their KYC suite. Don’t build the CKYC connector yourself.
CKYC upload failures are common (data format issues, mismatch with other registries) and need a workflow to investigate and re-upload.

CERSAI security-interest registry

Rule summary

CERSAI also operates a registry of security interests created by lenders against borrowers’ assets, under the SARFAESI Act, 2002 (Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act). Registration is mandatory for security interests created on or after the rules came into effect.

Source

SARFAESI Act, 2002.
Security Interest (Enforcement) Rules, 2002.
CERSAI rules and notifications at cersai.org.in.

When applicable

Mortgages of immovable property.
Hypothecation of movable property (plant, machinery, vehicles).
Charges on book debts / receivables.
Pledges (where applicable).

Process

After loan disbursement and security creation (registered mortgage / hypothecation deed), filing must be made on the CERSAI portal within prescribed time (typically 30 days, with late-filing fee window).
Filing includes details of borrower, security, lender, asset value.
CERSAI returns a unique registration number.
On loan satisfaction, file a satisfaction notice.

Applicability for SME WC wedge

For the unsecured WC wedge recommended in this spec, CERSAI security registration is not applicable in the absence of secured collateral.
For any secured product launched later (LAP, equipment loan), CERSAI registration is mandatory.

Product implications (combined)

KYC service must support multiple methods — V-CIP, DigiLocker, offline Aadhaar XML, in-person. Borrower’s chosen method captured.
CKYC lookup before re-running KYC for repeat borrowers and group entities.
Sanctions screening integrated at onboarding and periodically.
Beneficial owner mapping captured for all non-individual borrowers.

System implications

KYC service abstracts over all methods; vendor-pluggable.
CKYC service — upload / download / search / update; queue-based with retry.
Sanctions service — periodic batch screening, alerts on match.
BO graph for non-individual borrowers — partners, directors, shareholders, ultimate BO.
Periodic-update reminder workflow.
CERSAI service — only if secured products launched.

Documents that must be generated

KYC declaration form with customer signature / e-signature.
V-CIP recording (retained per record-retention rules).
CKYC upload confirmation per customer.
CERSAI registration certificate per secured loan.
Sanctions screening result log per customer.

Workflow that must exist

New customer KYC.
Periodic KYC refresh based on risk category.
CKYC upload and re-upload on update.
Sanctions screening on onboarding and periodic.
Beneficial owner re-verification for entity customers.

Reports that must be produced

KYC compliance report (sample audit) monthly.
Periodic update overdue report.
Sanctions match log.

Audit evidence required

KYC records (in CKYC + locally).
V-CIP recordings.
BO mapping for entity customers.
Sanctions screening logs.
CERSAI registration evidence for secured loans.

Sources

RBI Master Direction – KYC, 2016, DBR.AML.BC.No.81/14.01.001/2015-16 as amended.
PMLA, 2002 and Rules.
CKYCR — ckycindia.in.
CERSAI — cersai.org.in.
SARFAESI Act, 2002 — text at legislative.gov.in / indiacode.nic.in.