Skip to content
by Rakesh Waghela

3.C KYC and KYB

Purpose

Section titled “Purpose”

Establish, for every borrower and every controlling natural person and beneficial owner, a verified identity, address, and entity standing, in line with the RBI KYC Master Direction, CKYC requirements, PMLA, and the platform’s risk policy.

In-scope features

Section titled “In-scope features”

Individual KYC

Section titled “Individual KYC”
  • PAN verification — name + DoB match against income tax database (via NSDL or vendor API).
  • Aadhaar offline XML — borrower-provided offline KYC zip + share-code; XML signature verified against UIDAI public key.
  • Aadhaar e-KYC (OTP / biometric) — where permitted; biometric typically via authorised AUA channel.
  • Other OVDs — Voter ID, Passport, Driving Licence, NREGA card (validated where possible against issuing authority via DigiLocker).
  • V-CIP (Video CIP) — RBI-compliant video session: trained agent, live video, geo-tag, OVD shown on camera, recording retained.
  • Face match / liveness — selfie matched against OVD photo via a vendor (Hyperverge, IDfy, Signzy).
  • Photograph and signature.

Business / entity KYB

Section titled “Business / entity KYB”
  • Entity-type-specific document set:
    • Sole proprietorship: PAN of proprietor (no separate entity PAN); GSTIN, Udyam, shop & establishment licence, bank account in business name.
    • Partnership: PAN of firm, partnership deed, partner KYC.
    • LLP: PAN, LLP agreement, LLPIN, MCA filings.
    • Private / public limited: PAN, CoI, MoA / AoA, Board resolution, director KYC, shareholder mapping.
    • HUF: PAN, deed of HUF, karta KYC.
    • Trust / society: trust deed / society registration, trustee / member KYC.
  • GSTIN verification — GSTIN exists, status active, legal name match, address consistency.
  • Udyam verification — Udyam registration on udyamregistration.gov.in.
  • MCA verification — company status active, directors, last filings.
  • DIN verification for directors.
  • CIN / LLPIN verification.
  • Shop and establishment licence verification where applicable (state-specific).
  • Bank account verification — penny drop (small credit to verify name + account).
  • Address verification — physical / geo-tagged field visit if policy requires.

Beneficial owner mapping

Section titled “Beneficial owner mapping”
  • For entity borrowers, BO graph captured and verified.
  • Each BO undergoes individual KYC (full or simplified per risk policy).

Sanctions / PEP / adverse media

Section titled “Sanctions / PEP / adverse media”
  • UN-designated lists screening.
  • MHA / UAPA lists.
  • OFAC, EU, UK lists (good practice for borrowers with international exposure).
  • PEP screening (Politically Exposed Persons).
  • Adverse media — news mentions of fraud, criminal investigations, regulatory action.
  • Vendor: World-Check, Refinitiv, AML Watcher, Trulioo, or domestic vendors.

CKYC

Section titled “CKYC”
  • CKYC search — by PAN / Aadhaar / mobile to check for existing KIN.
  • CKYC download — if KIN exists, fetch the record (with consent).
  • CKYC upload — for new KYC, upload to CKYCR.
  • CKYC update — for periodic updates.

Periodic update

Section titled “Periodic update”
  • Risk-category-based refresh cadence (every 2 / 8 / 10 years).
  • Automated reminders.
  • Light-touch update flow for repeat borrowers.

Field verification (FI)

Section titled “Field verification (FI)”
  • Field-agent app to perform shop / office verification.
  • Geo-tagged photo and timestamp.
  • Address verification report.
  • Business operations confirmation — agent confirms operational, employees seen, signage seen, etc.

Out of scope

Section titled “Out of scope”
  • Loan-eligibility decisioning — see 3.E.
  • Loan documentation — see 3.H.

Key entities

Section titled “Key entities”
  • KycRecord — per natural person.
  • KybRecord — per business entity.
  • OvdProof — per OVD type per person.
  • VcipSession — per V-CIP attempt.
  • CkycRecord — pointer to KIN + local archive.
  • SanctionsScreen — per screen, with hits.
  • FieldVisit — per visit.
  • BoNode — per BO graph node.

Key workflows

Section titled “Key workflows”
  1. First-time borrower KYC.
  2. Repeat borrower light KYC — CKYC fetch + delta verification.
  3. BO mapping for entity borrower — recursive.
  4. Sanctions / PEP screening — at onboarding and periodically.
  5. Periodic KYC update — automated trigger; borrower / RM completes.
  6. V-CIP session — schedule, conduct, record, archive.

Integrations

Section titled “Integrations”

See 4.2 KYC / KYB vendors for full vendor list. Key categories:

  • PAN verification: NSDL, Karza, Perfios.
  • GSTIN, Udyam, MCA: Karza, Probe42, Tofler, Signzy.
  • CKYC: most KYC suites include CKYC connectors.
  • Aadhaar offline: Karza, Signzy, IDfy, Hyperverge.
  • V-CIP: Signzy, IDfy, Hyperverge, Karza, Bureau.
  • Face / liveness: Hyperverge, IDfy, AuthBridge.
  • Sanctions / PEP: AML Watcher, Refinitiv World-Check.
  • Penny drop: Razorpay, Cashfree, Setu, Decentro.

APIs

Section titled “APIs”
  • POST /kyc/individual — initiate individual KYC; returns session.
  • POST /kyc/vcip/schedule — schedule V-CIP.
  • GET /kyc/vcip/{id} — V-CIP result.
  • POST /kyb/entity — initiate KYB; returns session.
  • POST /kyb/{id}/bo — add BO node.
  • POST /ckyc/search — search by PAN / Aadhaar / mobile.
  • POST /ckyc/download — download by KIN.
  • POST /ckyc/upload — upload new record.
  • POST /sanctions/screen — screen a name / PAN / DoB / address.
  • POST /field-visit/schedule — schedule FI.
  • GET /field-visit/{id} — FI result.

Events emitted

Section titled “Events emitted”
  • kyc.individual.completed / kyc.individual.failed
  • kyb.entity.completed / kyb.entity.failed
  • vcip.recorded
  • ckyc.uploaded / ckyc.fetched
  • sanctions.hit (high priority)
  • bo.mapped / bo.unverified_flagged
  • field_visit.completed

Edge cases

Section titled “Edge cases”
  • PAN name and Aadhaar name mismatch — common in India; threshold-based fuzzy match; manual review queue.
  • GSTIN cancelled or suspended after application start — block.
  • Director resigned between MCA pull and application — re-pull at sanction stage.
  • CKYC download returns stale data — must compare against new submission and update.
  • V-CIP failure due to network — allow rescheduling; capture partial evidence.
  • Aadhaar offline zip corrupt or signature invalid — fallback to other OVD.
  • BO is a non-resident — additional FEMA-related checks.
  • Sanctions false positive — common with common names; well-defined disposition workflow.
  • Periodic update overdue with active loan — risk policy decision: continue lending or pause renewal.

Compliance touchpoints

Section titled “Compliance touchpoints”
  • RBI KYC Master Direction.
  • PMLA, 2002.
  • CKYC operating norms (CERSAI).
  • DPDP — every KYC artefact is personal data; consent, purpose, retention.
  • Digital Lending Guidelines — KYC methods that don’t comply with KYC MD are disallowed even if technically possible.

MVP vs production

Section titled “MVP vs production”
FeatureMVPProduction
PAN verify
Aadhaar offline XML
V-CIP✓ (manual scheduling)✓ (instant on-demand)
OCR of OVDs(Phase 2)
CKYC
GSTIN, Udyam, MCA verify
BO mappingSingle-tier MVPFull multi-tier
Sanctions / PEP / adverse mediaSingle vendorMulti-vendor consensus
Field verification(Phase 2)
Periodic update(Phase 2)
Face match + liveness
Penny drop

Related: 2.7 KYC, CKYC, CERSAI, 4.2 KYC / KYB vendors, 13.3 KYB / KYC backlog.