Tuesday, April 13, 2021

Analysing India's KYC Framework: Can We Do Things Better?

by Rishab Bailey, Trishee Goyal, Renuka Sane, and Ridhi Varma.

Know-Your-Customer (KYC) norms require customers of the formal financial system to establish their identity through certain specific identification documents, prior to engaging in any transactions. According to World Bank's estimates, approximately 32 million adults in India do not have access to an officially recognized proof of identity. This puts the formal financial system out of reach for a significant number of people. Along with creating difficulties for customers, KYC requirements increase compliance costs for businesses including by lengthening customer onboarding time and heightening regulatory risks (Lyman and Noor, 2014). While India has seen progress towards limiting financial exclusions, not least due to the use of Aadhaar-based verification and e-KYC systems, the problems outlined above still remain.

In a recent paper Analysing India's KYC Framework: Can We Do Things Better? we ask what drives the current KYC policy framework? How is the Indian KYC framework different from that in other FATF compliant countries? Is there a possibility of doing KYC more efficiently in India?

Tracing global roots of domestic KYC requirements

The design of KYC norms derive from the requirements imposed by Financial Action Task Force (FATF). The FATF is an inter-governmental body that aims to prevent the use of the financial system for money laundering (ML), terrorist financing (TF) and weapons proliferation (WPF). To this end, it issues recommendations that lay down standards for member countries to adopt. While the recommendations of the FATF are directory in nature, a failure by a member state to adhere to them can have adverse implications on the state's economic interests. Accordingly, the FATFs recommendations shape domestic legislation. One of the cornerstones of the FATFs recommendations pertains to the need for reporting entities (financial institutions and other designated non-financial businesses) to carry out appropriate customer identification and verification. These requirements, broadly speaking, are aimed at ensuring greater transparency and accountability in use of the formal financial system.

Before India became a member of the FATF in 2010, it had implemented customer identification requirements on various financial entities under the Prevention of Money Laundering Act, 2002 ("PMLA") and rules issued thereunder. Sectoral regulators such as the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory Development Authority of India (IRDAI) and the Pension Fund Regulatory and Development Authority (PFRDA) also lay down specific obligations in this regard. Cumulatively, these customer identification procedures are referred to as "Know Your Customer" or KYC norms. The PMLA framework has however been consistently amended, ostensibly in light of India's FATF obligations.

Key Challenges of the Indian KYC framework

While the FATF allows for a certain degree of flexibily in the design of KYC norms, these are not fully utilised in India. We find that India implements extremely stringent KYC requirements in comparison to countries such as Australia, Germany, UK, the EU and the US. Our analysis suggests that there are three main problems with the manner in which India implements KYC requirements:

  1. Over-emphasis on address proof: The address proof requirements in Indian law are excessively detailed and rigid in nature. Indian regulators require customers to provide proof of multiple addresses at the KYC stage - current, permanent, and residence. The need to provide documentary proof of multiple addresses, and the lack of flexibility in this regard can prove problematic for marginalised or vulnerable sections of the population (Lyman and Noor, 2014). This is specially so as significant numbers of Indians, such as migrant labour, as well as nomadic communities, vulnerable communities, the homeless, etc., may not have any fixed or permanent address. Even in cases where the individual has a permanent address, they may not have officially valid documents (OVDs) that demonstrate their "current address". The need for providing a "current address" can be problematic despite the existence of various pan-India identification schemes (such as Aadhaar, passports, voter IDs, etc.). It is difficult and time-consuming to update addresses in these documents. Further, in order to update the address in these documents, the individual needs to provide some proof of a local/current address, which may not always be easily accessible. For instance, many migrants may not be part of the NREGA system (if they work in the private or informal sector), implying that they cannot use a NREGA job card for the purpose. The strict requirements under Indian law can therefore exacerbate the problem of financial exclusions.

  2. Incomplete technological solutions: In order to reduce costs of conducting KYC, regulators have attempted to introduce various technological methods to enhance efficiency. These include the use of electronic KYC (e-KYC) methods as well as video KYC for on-boarding customers. Another technological intervention involves the creation of the Central KYC Registry (CKYCR), a centralised repository of customer KYC information. However, we find that the regulatory framework and implementation of these methods leaves much to be desired.

    For instance, in order to complete the video KYC process, entities under the purview of the RBI and SEBI can only accept ID documents that have been authenticated using the e-Sign facility that is provided by the DigiLocker system. Thus, a video KYC process is unavailable for those customers without a DigiLocker account. The fact that a DigiLocker account can only be created by Aadhaar holders creates another possible hurdle for customers. As per Dalberg's estimates, this requirement excludes around 8% of the population (of which 28 million are adults) from using the simplified KYC procedure. The video KYC process also requires a bank official to conduct the video-call in real time. This is resource intensive, which limits scaling. The video KYC process is also problematic from the perspective of the digital divide (Gera, 2020). The CKYCR process is also said to suffer from various implementation problems.

    Further, while banks are permitted to conduct e-KYC using Aadhaar, NBFCs are not. Even if a customer wants to use Aadhaar based authentication for KYC, non-banks and non-banking financial institutions, are forced to use the offline method of authentication. Anecdotal evidence as well as our interactions with industry practioners suggests that this leads to significantly increased costs for NBFCs. Customers too, are said to struggle with in-person verification processes. This difference therefore creates an uneven playing field, even for entities providing similar financial services.

  3. Poor design of enforcement actions: We find that the unlike in various foreign jurisdictions, the Indian regulatory framework does not provide for sufficient enforcement options of a scaled or proportionate nature. The penalties applicable for even minor violations can be of a significant order - including in the form of criminal sanctions, cancellation of licenses and high fines. By way of comparison, regulators in the US, Australia and the UK have a much broader range of enforcement actions they can adopt, ranging from the issuance of advice or cautionary notices, to securing compliance undertakings.

    When combined with the absence of an appellate mechanism, the strict penalties under the Indian framework can incentivize financial institutions to adopt a conservative, risk-averse attitude. This can lead to businesses exiting markets and customer segments associated with higher risk of compliance failure - particularly where it comes to customer segments with low profit margins (Lowery and Ramachandran, 2015). This, paradoxically, heightens risks of money laundering and other financial crimes that KYC requirements were designed to solve in the first place (Lyman and de Koker, 2018). The significant penalties that can be imposed under the Indian regulatory framework are not only a regulatory risk for businesses, but also make it more difficult for regulators to apply penalties on a consistent basis, particularly for minor breaches. This promotes arbitrariness in enforcement actions.

Recommendations

We suggest liberalising and standardising address proof requirements within the existing FATF framework. The first step towards reform requires regulators to clearly delineate the purposes of securing an address proof. For example, if the purpose of securing documentation is merely to enable correspondence with the customer (as is indicated by a numnber of KYC forms that use the term "correspondence" address interchangeably with "current" address), a number of simpler methods can be used. For example, the Supreme Court has recognised that communications through e-mail and instant messaging can constitute valid service.

Further, entities under the domain of SEBI, IRDAI, PFRDA, in addition to requiring customers to prove existence of a bank account, also need documentary proof of the customer's current address. However, bank accounts themselves can be opened by providing a self-declaration of current address (where an OVD has been submitted for a permanent address). Thus, there appears to be little justification for the additional requirement of proving current address implemented by SEBI, IRDAI and PFRDA. That said, even if the requirement for proving current address is mantained, the manner of doing so could be liberalised. For instance, certain countries such as the United States permit a customer to merely specify a post box as a mailing address, or even use the address of a referee. These methods could be considered in India, as a means to limit the exclusionary effects of KYC norms.

Our analysis suggests that attempts to simplify the KYC procedure by adopting video and eKYC norms have also not achieved their true potential. This is for a variety of reasons concerning both the regulatory structure and implementation issues. For instance, the measures of simplification are largely limited to banks (and not NBFCs). NBFCs constitute a vital channel for financial inclusion. However, the restricted applicability of simplified KYC procedures have hindered their ability to reach customers by increasing operational costs and limiting scaling. In this context, one may consider permitting NBFCs to also utilise simplified KYC processes (though this may come at a cost to privacy interests). Regulators also need to be mindful of the digital divide issue in India. Accordingly, making simplified processes completely reliant on technical infrastructure such as internet facilities may be unwise. Therefore, in addition to simplifying the KYC requirements themselves, regulators must attempt enable multiple channels of verification. One may also consider the need to de-duplicate KYC processes. Notably, the report of the High-Level Committee on Deepening of Digital Payments advocates reducing KYC compliance requirements at multiple levels. For instance, it suggests implementing lower KYC requirements where a customer who already has a verified KYC compliant account, uses this to open a second account or an account with a mutual fund or payments wallet.

Finally, there is a need to streamline enforcement actions and allow for regulators to adopt a wider range of "softer" remedial actions. An appeals process must be provided from RBI decisions. The Financial Sector Legislative Reforms Committee (FSLRC) has made similar recommendations in its report. The FSLRC report, which is now nearly a decade old, advocates for a unified Financial Sector Appellate Tribunal to be created to hear appeals from all the financial sector regulators. Further it suggests that penalties and enforcement actions be reviewed to ensure proportionality. While entities in the banking sector have lobbied for the adoption of the FSLRCs recommendations, and discussions in this regard have taken place at the highest levels of government, no legal developments have yet taken place (Adhikari, 2018).

In conclusion, we recommend that the KYC framework in India be revised to better balance the goals of preventing financial exclusion, creating a level-playing field for businesses, and the need to prevent money laundering and other financial crimes.

References

Lyman and Noor, 2014: Timothy Lyman and Wameek Noor, AML/CFT and financial inclusion: New opportunities emerge from recent FATF action, CGAP Focus Note, No. 98, September 2014.

Isern and de Koker, 2009: Jennifer Isern and Louis de Koker AML/CFT: Strengthening financial inclusion and integrity, CGAP Focus Note No.56, August 2009.

Lowery and Ramachandran, 2015: Clay Lowery and Vijaya Ramachandran Unintended consequences of anti-money laundering policies for poor countries, Center for Global Development, Working Group Report, 2015.

Adhikari, 2018: Anand Adhikari Will the government push for an appellate tribunal for RBI?, Business Today, December 2018.

Lyman and de Koker, 2018: Timothy Lyman and Louis de Koker KYC utilities and beyond: Solutions for an AML/CFT paradox? , CGAP Blog Series, Beyong KYC Utilities, March 2018.

Gera, 2020: Ishaan Gera KYC over video? Yes, RBI makes it possible with tweaks in rules, Financial Express, February 2020.


The authors are researchers at NIPFP.

No comments:

Post a Comment

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.