E-Wallets: Death By A Thousand KYCs
On the evening of Feb. 25, 2019, the Reserve Bank of India extended the timeline for completion of KYC for prepaid payment instruments by six months. The earlier deadline was Feb. 28, 2019. This article was published before the RBI announcement.
According to one estimate, the market share of e-wallets in India is said to have fallen by 40-50 percent from October 2017 to March 2018. Though e-wallet transactions have continued to grow in terms of volume in the last year, they have been far outstripped by the Unified Payments Interface in terms of market share. The future looks bleak for e-wallets with one payments operator predicting that e-wallets could cease to exist in a few years. This is a dramatic shift for an industry that was once regarded as the future of fintech in India. The regulatory burden imposed by the RBI’s Know Your Customer guidelines is widely cited as the cause for this reversal of fortunes.
Carrying out offline verification of all their customers—a requirement of the KYC guidelines—has been costly to all e-wallets. But it has been especially difficult for smaller e-wallet operators who do not have the wherewithal to invest in a capital and resource intensive compliance process. News reports suggest that most e-wallet operators verified just a fraction of their user base to date. The fast-approaching March 1 deadline for offline KYC compliance increasingly seems like a cliff’s edge from which the sector may not recover.
The use of the Centralised KYC Registry is a readily available solution to many of the sector’s woes.
With adequate data protection safeguards, the CKYCR could allay the existential fears confronting e-wallets.
The RBI’s Master Direction on Pre-Paid Instruments issued in October 2017 made the KYC process mandatory for e-wallets. Rules on KYC are contained in the Know Your Customer Direction, 2016, issued under the Prevention of Money Laundering Act, 2002. The KYC regulations require regulated entities to identify customers when they open an account or in certain specified cases. With the aim of curbing money laundering, the KYC regulations initially applied only to banks, financial institutions and other ‘regulated entities.’ The PPI rules, issued in response to concerns over e-wallets being used to launder money, also clarified that e-wallets fall under the category of other regulated entities. This in effect required e-wallets to comply with the KYC regulations.
Of all the regulations in the PPI rules, KYC obligations have proved to be particularly cumbersome, especially after Aadhaar judgment. Before the Aadhaar judgment, e-wallets had the option of carrying out e-KYC using biometrics. E-wallet operators could first verify the Aadhaar number and then verify biometrics within a year. The one-year window gave e-wallets flexibility and time to comply with KYC requirements. Since the Supreme Court prohibited the use of Aadhaar for commercial use, e-wallets no longer have this option. The recent amendment of the Prevention of Money Laundering (Maintenance of Records) Rules will only make this problem worse. Rule 9(15) of the rules enabled regulated entities to perform e-KYC using Aadhaar. The amendment, in compliance with the Aadhaar judgment, has limited e-KYC to those individuals receiving benefits or subsidies from the government.
The effect of both these changes means that for a majority of their users, e-wallets will have to perform offline KYC before March 1.
The source of this regulatory uncertainty is that unlike the other master directions rules, the KYC regulations were framed with offline regulated entities in mind. For banks and financial institutions, physically verifying the authenticity of customers does not impose too much of a burden. This is because their businesses are based on customer contact on a regular basis and they have the capital to invest in the expensive KYC compliance process. In the case of e-wallets, KYC upended their main value proposition, which is the convenience of a purely online relationship.
Media reports suggest that even the biggest e-wallet operators have verified only 70 percent of their user base. Close to 18 months after the PPI rules were issued, the low verification figures paint a bleak picture for the future of the sector. As e-wallet operators face up to the looming deadline, there is a technology-based solution within the KYC framework to make the KYC process simpler and less cumbersome. KYC data collected by all entities in the financial sector is currently stored in the CKYCR.
Designed with interoperability in mind, data in the CKYCR is stored in a standard format and can be used across sectors.
However, access to CKYCR data is currently restricted to government agencies and regulators pursuant to the Prevention of Money Laundering Act, 2002.
Allowing regulated entities to use the CKYCR to cross-reference new customers against existing entries in the registry is the logical next step for the registry. In addition to reducing the burden on regulated entities, a truly interoperable CKYCR will also make the KYC process easier on the customer. Currently, KYC must be completed separately when an account is opened with every regulated entity. So, a customer opening three bank accounts will have to go through the KYC process three times. This is despite the fact that KYC information is stored in a centralised database after the first registration. The CKYCR thus offers a faster, cost-effective and customer-friendly means of KYC compliance.
Data Protection Safeguards
There are obvious data protection concerns in making the CKYCR interoperable. However, the advantage offered by a centralised database is that there can be different levels of access to the data. In addition, the customer need only share his/her unique CKYCR identifier with the regulated entity to perform a KYC verification.
Unlike Aadhaar—which offered similar KYC functionality—the CKYCR does not contain biometric information, reducing potential data protection risks.
In fact, for the purposes of KYC, the CKYCR can be made interoperable without any sensitive personal information being shared. The only plausible risk may be of purpose limitation. Both the data protection rules framed under the Information Technology Act and the proposed data protection law, provide that data collected from a customer can only be used for the purpose to which he or she consented to. However, checking for a CKYCR match is not purpose limited as the customer would have consenting to using his/her data for verification. Merely matching the unique identifier also means that after the first verification, the data is more secure than an offline KYC verification.
The use of the CKYCR will solve the problems currently facing e-wallets in India. It will also help make the KYC process easier for consumers and other regulated entities. Following the Aadhaar judgment, regulators are understandably wary to make a public database accessible to commercial operators. However, the data protection risks associated with CKYCR are far less than the Aadhaar database or offline KYC. With sufficient safeguards, the CKYCR will help reduce the onerous demands of compliance on regulated entities. A sector that is currently on death’s door can be revived with a simple tweak of the existing framework.
Vaibhav Kakkar is a Regulatory Practice Partner and Puneeth Nagaraj is an Associate (Policy & Advisory) at L&L Partners. The views expressed are personal and intended for general information purposes. They are not a substitute for legal advice.
The views expressed here are those of the authors and do not necessarily represent the views of BloombergQuint or its editorial team.