4.2 KYC and KYB vendors

Vendor landscape

Vendor	Strengths	URL
Karza Technologies (now Perfios Karza)	Largest aggregator; PAN, GST, Udyam, MCA, V-CIP, CKYC, BSA — broad coverage	`karza.in` / `perfios.com`
IDfy	Strong V-CIP + face / liveness; KYC suite; fraud signals	`idfy.com`
Signzy	KYC + KYB suite, V-CIP, CKYC, eSign	`signzy.com`
Hyperverge	Best-in-class face match + liveness; OCR	`hyperverge.co`
Bureau	KYC, V-CIP, device fingerprint, fraud	`bureau.id`
AuthBridge	KYC + background verification	`authbridge.com`
NSDL	Authoritative PAN; partner-only access for some primitives	`nsdl.co.in`
Probe42 / Tofler	MCA + commercial data depth	`probe42.in` / `tofler.in`

Primitives and recommended vendors

PAN verification

What: name + DoB match against income-tax database; status (active / deactivated).
Vendor: NSDL (direct), Karza, Signzy, IDfy.
Cost: ₹0.50 – ₹3 per check at volume.
Failure: name mismatch (common); fuzzy threshold + manual review.

Aadhaar offline XML

What: borrower fetches offline KYC zip from UIDAI; share-code provided; XML signature verified against UIDAI public key; no biometric, no OTP required.
Vendor: Karza, Signzy, IDfy, Hyperverge — all wrap the verification.
Cost: ₹2 – ₹10 per verification.
Failure: corrupt zip, share-code mismatch, signature mismatch — fall back to other OVD.
Compliance: preferred path for non-Aadhaar-Authentication NBFCs.

V-CIP (Video Customer Identification Process)

What: RBI-compliant live video session with trained operator; geo-tag, OVD shown on camera, recording retained.
Vendor: IDfy, Signzy, Hyperverge, Bureau, Karza.
Cost: ₹40 – ₹150 per session (depends on operator vs auto-assisted).
Failure: borrower-side network issues; reschedule. Operator-side failures; vendor SLA.
Compliance: RBI prescribes detailed V-CIP standards; vendor must be compliant.

CKYC

What: search by PAN / Aadhaar reference; download existing record; upload new record.
Vendor: Karza, Signzy, IDfy — included in KYC suite.
Cost: search/download — ₹2 – ₹15; upload — ₹5 – ₹30.
Failure: duplicate records, schema mismatches; reconciliation workflow.

GSTIN verification

What: existence, status (active / suspended / cancelled), legal name, registration date, taxpayer type, address.
Vendor: Karza, Signzy, IDfy, GSPs (Cygnet, Webtel, Vayana).
Cost: ₹1 – ₹5 per check at volume.
Failure: GSTIN cancelled / suspended (high-severity flag).

Udyam verification

What: existence and details from udyamregistration.gov.in.
Vendor: Karza, Signzy, IDfy.
Cost: ₹1 – ₹3 per check.

MCA company / director lookup

What: company status (active / strike-off / under-process); director list; DIN; address; financials filed dates.
Vendor: Karza, Probe42, Tofler, Signzy.
Cost: ₹3 – ₹20 for basic; deeper financials more.
Failure: strike-off / under-process — block.

CIN / LLPIN / DIN verification

What: validate company / LLP / director identifiers.
Vendor: same as MCA.

Bank account verification

What: account exists, name match against KYC name.
Method: Penny drop (₹1 credit; name returned from bank).
Vendor: Razorpay, Cashfree, Setu, Decentro, Karza.
Cost: ₹2 – ₹6 per check.
Failure: name mismatch (common — proprietorship vs proprietor name; address differences).

Face match + liveness

What: borrower selfie matched against OVD photo; passive liveness checks ensure not photo/video spoof.
Vendor: Hyperverge (leader), IDfy, AuthBridge.
Cost: ₹5 – ₹20 per session.
Failure: low light, glasses, motion blur — UX coaching.

Sanctions / PEP / adverse media

What: screen against UN / OFAC / EU / domestic sanctions lists; PEP databases; adverse media corpora.
Vendor: Refinitiv World-Check, AML Watcher, Trulioo, AuthBridge, IDfy.
Cost: per-name screening — ₹3 – ₹30; bulk packages vary.
Failure: common-name false positives; disposition workflow.

Beneficial owner data (entity)

What: shareholder pattern, ultimate BO via MCA + group lookups.
Vendor: Probe42, Tofler, Karza for company structure; manual reconciliation for unlisted layers.

Aggregator vs specialist

For an early-stage NBFC, a single aggregator (Karza or Signzy or IDfy) covers ~90% of primitives at acceptable quality. As volume grows, replace specific primitives with specialists (Hyperverge for face match, an AA TSP for AA, a specialised GSP for GST) to get better quality, sometimes lower cost.

API flow

Typical aggregator flow:

Auth to vendor (API key + tenant).
POST primitive endpoint with input (PAN / GSTIN / etc.).
Receive structured JSON response.
Persist alongside borrower record with vendor reference for audit.
Vendor invoice reconciled monthly.

Implementation complexity

Aggregator integration: ~1 – 3 weeks for 5 – 10 primitives.
V-CIP integration: ~2 – 4 weeks (UI + flow + recording archival).
Build vs buy: buy. KYC primitives are well-served by vendors; building costs more than buying for < ₹50 crore book.

Compliance implications

KYC MD — every primitive used must satisfy a specific KYC MD requirement.
PMLA — full KYC required for accounts above thresholds.
DPDP — every KYC data point is personal data.
Outsourcing MD — vendor governance.

Build vs buy

PAN, GST, Udyam, MCA, BO: Buy via aggregator.
V-CIP: Buy specialist.
CKYC: Buy (in KYC suite).
Face match / liveness: Buy specialist (Hyperverge / IDfy).
Sanctions / PEP: Buy (AML data is licensing-heavy).
Decline / dispose workflow on screening hits: Build (your case-management).