KYC, eKYC, and the four registries you didn’t know you were on.
A reading of the Prevention of Money-Laundering Act and the regulations downstream of it, in the order they were drafted.
A bank, asked why it requires identification before opening an account, will say the law requires it. The answer is true but lazy. The law that requires it is the Prevention of Money-Laundering Act, 2002 — and the regulations downstream of that Act have, over twenty years, built up a quietly elaborate architecture of registries, identifiers, and re-identification flows that the average customer experiences only as a forty-minute interruption every five years.
The PMLA, in its current form, requires regulated entities — banks, securities intermediaries, insurers, payment aggregators, and a growing list of others — to verify the identity of every client at onboarding, and to update that verification periodically. The verification process is what the country calls Know Your Customer. The regulations specifying its operation are issued separately by each financial regulator — the RBI for banks, SEBI for securities, IRDAI for insurance — and consolidated, periodically, in master directions that look identical in form and differ in small but consequential detail.
The four registries
The first registry is the Central KYC Records Registry, operated by CERSAI on behalf of the Ministry of Finance. A customer who has been KYC-verified by any one regulated entity has, by operation of law, a record at the central registry. The second is the Aadhaar-based eKYC system, operated by UIDAI under the Aadhaar Act and brought back into financial use, after a constitutional detour, by the 2019 amendments that followed the Puttaswamy judgment. The third is the video-KYC framework — a real-time video verification flow permitted by the RBI in 2020 and now used by every digital onboarding pipeline in the country. The fourth is the in-person verification record that each entity still maintains in its own files.
Most countries have one KYC system. India has four, and they cooperate carefully.
The architecture is more elaborate than is strictly necessary. A customer who has been KYC-verified at his bank could, in theory, be onboarded at his broker the same day, by reference to the central registry alone. In practice, each entity reverifies, because the regulations downstream of the central registry are silent on the question, and an institution facing a regulator with a fine to issue would rather repeat the work than rely on someone else's. The KYC, accordingly, is done four times.
The law that did not consolidate
The data protection law that the country has been writing since 2018, and that now exists as the Digital Personal Data Protection Act, 2023, was meant to consolidate this architecture. It has, instead, sat alongside it. The KYC regime continues to operate. The registries continue to multiply. The customer continues to be identified, recorded, and re-identified, with a regularity that is the closest thing the country has to a national civic ritual.