What is eKYC (Electronic Know Your Customer)?

RapidAML Team

2024-06-18

Businesses subject to Anti-Money Laundering (AML) compliance are required to carry out a customer identification and verification process, known as ‘Know Your Customer’ (KYC), as part of the Customer Due Diligence (CDD) requirement. When such a KYC process is carried out remotely or digitally with software or an app, it is known as eKYC (electronic KYC).

Most AML laws require the businesses under their purview to have adequately formulated procedures for carrying out eKYC. Accordingly, regulated entities must evaluate whether the tools and technology they use for eKYC are appropriate, take data privacy and data protection regulations into account, and follow best practices for eKYC implementation.

This blog also discusses eKYC use cases and the adoption of a risk-based approach in eKYC implementation.

Introduction to eKYC

The eKYC concept was introduced and developed because businesses and regulators suffered from the pitfalls of the manual KYC process, which was time-consuming, tedious, repetitive, error-prone, and resource-heavy.

eKYC Definition

In simple words, eKYC refers to a computerised or digitised version of the conventional KYC process. eKYC entails the collection of customers’ data to identify and verify their identities.

eKYC vs KYC

eKYC can be performed at any time, through any platform the business supports, usually without human intervention, at the customer’s convenience.

In contrast, traditional KYC can be carried out only at the place of business. It requires the customer’s physical presence with the essential ID documents and the input of an employee during working hours, which usually inconveniences the customer.

Why Is eKYC Important?

In the digital age, businesses usually have services and customers beyond geographical boundaries, and non-face-to-face onboarding has become the norm, so eKYC has emerged as the way to meet regulatory requirements in that setting. Beyond compliance, the eKYC process helps filter out suspicious and non-verifiable profiles: fraudulent, forged, or deepfake identities and bots trying to disrupt normal operations. A smooth eKYC process helps businesses safeguard customer interests and supports long-term customer satisfaction and retention.

Steps Involved in eKYC

The steps involved in eKYC usually cover the following:

Registration/Login

  • The customer registers on the eKYC portal, mobile app, or kiosk of the business with which they intend to transact, and can then log in on any kiosk, portal, mobile app, or digital platform the business supports for eKYC.

Enter Personal Information

  • Once logged into the eKYC platform, the customer enters key identifier information: name, address, and date of birth for a natural person, or the certificate of incorporation with its registration number for a legal entity; nationality or country of registration; and the purpose of the proposed business relationship. The details required vary by jurisdiction.

Upload Required Identity Documents (ID)

  • After entering the key identifier details, the customer uploads government-issued ID documents confirming who they are. The eKYC document checklist must be configured for the relevant and applicable jurisdictions.

Authenticate Identity

  • The eKYC platform then cross-verifies the ID documents against government databases or other reliable, independent sources to confirm that the person or entity is who they claim to be. This can be supplemented by matching the photograph of the customer or ultimate beneficial owner (UBO) held in the database against a selfie or a video KYC session, by sending a One-Time Password (OTP) to the registered mobile number for entry on the platform, and by scanning the ID document itself. Each of these covers a different part of the claim: an OTP proves control of the registered number, a document scan proves that the document is internally consistent, and a face match ties the live person to the document. That is why they are combined rather than used alone.

Initiate and Ensure AML Compliance

The business is then required to initiate and ensure AML compliance through:

  • Risk-based ID authentication.
  • Repeating the eKYC cycle for a legal entity or legal arrangement until the Ultimate Beneficial Owner (UBO) is found, identified, and verified.
  • Analysing and generating ID verification reports.
  • Ensuring record-keeping obligations are met.

Technologies Used for eKYC

  1. Optical Character Recognition (OCR): OCR extracts customer information from ID documents by converting text on physical documents, images, and PDF files into machine-readable data. OCR only reads; it does not verify. Its output must be validated separately, for example against the issuing authority’s record or the document’s own integrity features, because misreads and deliberately altered documents both pass through OCR unchanged.
  2. Artificial Intelligence (AI): AI lets eKYC tools automate repetitive manual tasks such as classifying uploaded documents and entering the extracted details into the system, and route a case to the ID verification stage once the key identifier details have been collected.
  3. Machine Learning: ML models adapt the eKYC tool to the data sets fed into it, improving document classification, fraud scoring, and the decision on what the next step should be. Models need monitoring for drift and bias; a model trained on one jurisdiction’s documents will misclassify another’s.
  4. Multi-Factor Authentication (MFA): MFA makes it harder for criminals to take over an eKYC session. Beyond user ID and password, the customer must authenticate through a second factor such as an OTP, a hardware token, or biometrics. Separately, risk-based (adaptive) authentication looks at device fingerprint, location anomalies, and unusual behaviour patterns to decide when to step up authentication; that is a distinct control from MFA and does not by itself guarantee device integrity.
  5. Blockchain: Blockchain is sometimes proposed for eKYC record-keeping because ledger entries are append-only and tamper-evident. Two caveats apply. A blockchain is tamper-evident, not unhackable: the keys, nodes, and applications that write to it can all be compromised. And writing personal data to an immutable ledger conflicts with data minimisation and erasure rights, so the workable design keeps personal data off-ledger and records only hashes or attestations on it.

Benefits of eKYC

The benefits of eKYC are listed below:

  1. Instant Autofill in eKYC System: An eKYC system integrated with an existing CRM, customer service software, or API can extract relevant details, subject to data privacy permissions, and autofill the customer information required for eKYC, reducing the time and effort spent by the business.
  2. Efficient: eKYC software integrated with existing systems avoids duplication of effort and makes customer onboarding considerably more efficient.
  3. Several Modes of Customer Authentication: eKYC supports onboarding and authentication through multiple channels such as a mobile app, kiosk, web portal, or API.
  4. Integration: An eKYC tool can integrate with name screening, adverse media, PEP screening, and customer risk assessment tools, giving a holistic view of the customer and supporting AML compliance.
  5. Accuracy: eKYC removes most manual transcription errors and gives more consistent results than a paper-based process. It is not error-free: OCR misreads, false biometric matches and non-matches, and gaps in data sources still occur, and the process needs an exception path for them.

Use Cases for eKYC

Remote Customer Onboarding

Video KYC lets businesses onboard customers remotely. The customer is verified from a live video session against the available customer information, such as the photograph on the ID document, together with a liveness check and behavioural analysis. eKYC tools automate this, escalating to manual or in-person KYC when the session is suspected of being a deepfake, a replay, or video injected into the capture path rather than captured live.


Ongoing Monitoring

Ongoing monitoring of business relationships requires the software to generate alerts as document expiry approaches, so that the user of the eKYC tool can request updated ID documents from the customer. The same trigger is a sensible point to re-run name and sanctions screening on the refreshed details.


Document Verification

Document verification is also carried out with the eKYC tool. Many tools integrate through APIs with government, semi-government, or government-approved databases holding the records of government-issued ID documents. The tool submits the extracted document details to the API and receives confirmation of whether they match the issuer’s record. Before that round trip, the extracted data should be checked for internal consistency: an OCR misread that fails a local integrity check need never be sent to the registry, and a document whose printed security data does not add up is itself a red flag.
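As an added example (not part of the original post or of any vendor’s product), the following Python performs the local integrity check described above on the machine-readable zone (MRZ) of a TD3 passport, using the check-digit scheme from ICAO Doc 9303. It also derives the Basic Access Control key seed from the same three MRZ fields, to show why a misread in any of them would also prevent an NFC read of the chip. The sample MRZ is the specimen printed in ICAO Doc 9303 (a fictional holder from the fictional state “UTO”); the function and field names are this example’s own.

```python
"""Local integrity check of an OCR'd TD3 (passport) machine-readable zone.

Check-digit rule (ICAO Doc 9303): weights 7, 3, 1 repeat across the field;
'0'-'9' count as their value, 'A'-'Z' as 10-35, the filler '<' as 0; the
check digit is the weighted sum modulo 10.
"""
import hashlib

_WEIGHTS = (7, 3, 1)


def _char_value(c: str) -> int:
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"{c!r} is not a valid MRZ character")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit for one MRZ field."""
    return sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _matches(field: str, printed: str) -> bool:
    # A '<' in a check-digit position is acceptable only for an empty optional field.
    if printed == "<":
        return field.strip("<") == ""
    return printed.isdigit() and check_digit(field) == int(printed)


def parse_td3(line1: str, line2: str) -> dict:
    """Parse the two 44-character MRZ lines and evaluate every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters each")
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "birth_date": line2[13:19],   # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],  # YYMMDD
        "personal_number": line2[28:42].rstrip("<"),
    }
    checks = {
        "document_number": _matches(line2[0:9], line2[9]),
        "birth_date": _matches(line2[13:19], line2[19]),
        "expiry_date": _matches(line2[21:27], line2[27]),
        "personal_number": _matches(line2[28:42], line2[42]),
        # The composite digit covers the document number, birth date, expiry,
        # personal number and their own check digits, so one altered character
        # is caught twice.
        "composite": _matches(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    fields["checks"] = checks
    fields["mrz_valid"] = all(checks.values())
    return fields


def bac_key_seed(document_number: str, birth_date: str, expiry_date: str) -> bytes:
    """Key seed for Basic Access Control (ICAO 9303 Part 11): SHA-1 over the
    document number, birth date and expiry date, each followed by its check
    digit, truncated to 16 bytes. The chip's session keys derive from this, so
    an OCR error in any of the three fields makes the NFC read fail."""
    doc = document_number.ljust(9, "<")
    mrz_information = (f"{doc}{check_digit(doc)}"
                       f"{birth_date}{check_digit(birth_date)}"
                       f"{expiry_date}{check_digit(expiry_date)}")
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


if __name__ == "__main__":
    # Specimen MRZ from ICAO Doc 9303 (fictional holder, issuing state "UTO").
    line1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
    line2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
    result = parse_td3(line1, line2)
    print(result["surname"], result["given_names"], result["mrz_valid"])
    # Simulate an OCR misread of one expiry digit: the field check and the
    # composite check both fail, so this MRZ should never reach the registry API.
    misread = line2[:26] + "6" + line2[27:]
    print(parse_td3(line1, misread)["checks"])
    print(bac_key_seed("L898902C3", "740812", "120415").hex())
```

The check digits are not a security feature against a determined forger, who can recompute them; they are an integrity check on the OCR step. Authenticity comes from the registry lookup or, for chipped documents, from the issuer-signed data read over NFC.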

Types of eKYC

OTP-Based: In an OTP-based eKYC system, the customer’s consent is obtained to carry out eKYC for a specific purpose on the ID verification platform. An OTP is then generated and sent to the mobile number registered against the government-issued digital identity, and the customer enters it on the platform. Successful OTP entry authorises the business to retrieve the customer’s details from the central data registry for eKYC. Two limits should be understood. The OTP proves control of the registered number, not the identity of the person holding the phone, and SMS delivery is exposed to SIM-swap and interception attacks (NIST SP 800-63B classes SMS and voice OTP as a restricted authenticator). The OTP itself must be generated from a cryptographically secure random source, be short-lived, be single-use, and have a capped number of attempts.
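As an added example (not the page’s own code or any product’s), the following Python shows the server side of an OTP step with the properties just listed: a CSPRNG-generated code, a stored keyed hash rather than the code itself, an expiry, single use, a constant-time comparison, and an attempt cap. It assumes an in-memory store and leaves delivery to the caller over the registered channel; a production deployment would keep the same record in a shared store such as Redis with the same semantics. The class and method names are this example’s own.

```python
"""Issue and verify a short-lived, single-use OTP for an eKYC step."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class OtpStore:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret  # pepper: a leaked store does not yield codes
        self._now = now               # injectable clock so expiry can be tested
        self._pending = {}            # session_id -> {"digest", "expires", "attempts"}

    def _digest(self, session_id: str, code: str) -> bytes:
        # Bind the digest to the session so a code cannot be replayed elsewhere.
        msg = f"{session_id}:{code}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Generate a code for this session; the caller delivers it. Never log it."""
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "digest": self._digest(session_id, code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, session_id: str, submitted: str) -> str:
        """Return one of: ok, mismatch, expired, locked, no_pending_otp."""
        rec = self._pending.get(session_id)
        if rec is None:
            return "no_pending_otp"
        if self._now() > rec["expires"]:
            del self._pending[session_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]   # lock: a fresh OTP must be issued
            return "locked"
        rec["attempts"] += 1
        # Constant-time comparison of digests, never of the raw strings.
        if hmac.compare_digest(rec["digest"], self._digest(session_id, submitted)):
            del self._pending[session_id]   # single use
            return "ok"
        return "mismatch"


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    code = store.issue("session-42")       # would be sent by SMS or app push
    print(store.verify("session-42", "000000" if code != "000000" else "111111"))  # mismatch
    print(store.verify("session-42", code))  # ok
    print(store.verify("session-42", code))  # no_pending_otp (single use)
```

The attempt cap matters because a six-digit code has only a million values; without it, an attacker who controls the session can simply enumerate them within the TTL. Locking the session rather than the phone number avoids letting an attacker deny service to a legitimate customer by spraying wrong codes.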

Biometric-Based Authentication: Biometric eKYC captures a biometric sample, such as a fingerprint or retina scan, and sends it to the central registry, which compares it with the template already on file. On a match, the registry returns the customer’s key identifier details to authenticate the customer. The business should receive a match result and the permitted details, not the raw biometric, and should not retain biometric samples beyond what the applicable law allows.

QR Code: Scanning a QR code on the customer’s ID document is another form of eKYC; the reader extracts the key identifier details and verifies them against the central KYC registry. The QR payload should carry the issuer’s digital signature and the tool should verify it; an unsigned QR code is no more trustworthy than the printed text beside it.

eKYC and Data Security

Data security refers to the measures a business takes to protect its digital data from unauthorised access, misuse, theft, corruption, and loss. These measures cover hardware, software, cloud storage, user devices, and access and administrative controls.

Any business that uses digital systems should have an adequate and appropriate data security policy and procedures in place, covering how the organisation uses, handles, stores, shares, and safeguards its own data and its customers’ data. Failing to do so exposes the business to breaches and to regulatory penalties.

As eKYC deals with customer data, businesses need to store the personal data of their clients to ensure compliance with record-keeping requirements. Businesses need to ensure that their customers’ personal data is safeguarded adequately.

Businesses must ensure that their Data Security Policy provides for safeguarding data on hardware and software, so that the confidentiality, integrity, and availability of the data are not compromised.

eKYC and Privacy Concerns

eKYC process involves the collection of personal data of individuals and corporate entities. Whenever there is involvement of personal data of individuals, the immediate concern arises about safeguarding personal data privacy. With several instances of impersonation, identity theft, and misuse of personal data, countries across the world felt the need to have adequate data privacy and data protection laws in place.

Data privacy laws are important as they contribute towards upholding the basic principle of human rights, which is the right to privacy. Data privacy laws assist individuals in exercising their rights over their personal data, its use, storage, and dissemination. Data privacy laws vary from country to country. However, the fundamental pillars of data privacy laws require businesses to ensure:

  • Lawful, fair, and transparent approach while making use of individuals’ personal data.
  • Using personal data only for the purpose for which it is being sought, and not beyond, also known as purpose limitation.
  • Data minimisation by collecting only the personal data that is required, and not seeking additional information unless justified by legal requirements.
  • Ensuring that personal data maintained is accurate, up-to-date, and aligned with the purpose for which it is collected.
  • Storing or record-retention of personal data in accordance with that prescribed by relevant and applicable laws.
  • Ensuring integrity and confidentiality of personal data is retained throughout the period for which personal data is utilised and stored.
  • Accountability for personal data they collect, store, handle, or deal with.

Some of the Data Privacy legislations that businesses need to consider when conducting business overseas are:

Global Data Privacy Legislations

China
  • The Cybersecurity Law (CSL)
  • The Personal Information Protection Law (PIPL)
  • The Data Security Law (DSL)

European Union
  • General Data Protection Regulation (EU GDPR)

India
  • Digital Personal Data Protection (DPDP) Act, 2023

Japan
  • The Act on the Protection of Personal Information (APPI)

Nigeria
  • Nigeria Data Protection Regulation, 2019 (NDPR)

Singapore
  • The Personal Data Protection Act (PDPA)

United Arab Emirates
  • Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (the UAE Personal Data Protection Law)

United Kingdom
  • The Data Protection Act 2018
  • UK General Data Protection Regulation (UK GDPR)

United States of America
  • California Consumer Privacy Act (CCPA)
  • The California Privacy Rights Act of 2020 (CPRA)
  • Biometric privacy laws, such as the Illinois Biometric Information Privacy Act (BIPA)
  • Consumer Data Protection Act (CDPA), Virginia

eKYC and Regulatory Framework

The requirement to carry out CDD forms part of AML regulations worldwide. Whether in the banking sector or in non-financial businesses and professions, CDD and KYC are mandatory. eKYC is governed by the same laws that govern CDD, together with the jurisdiction’s rules on digital identity and electronic identification.

Global eKYC Regulatory Framework

China
  • Anti-money Laundering Regulations
  • Anti-Money Laundering Law of the People’s Republic of China (PRC)

European Union
  • Revision of the Anti-Money Laundering Directive (AMLD6)
  • The Anti-Money Laundering Authority (AMLA) regulation
  • eIDAS 2: European Digital Identity Regulation (Regulation (EU) 2024/1183)

India
  • Prevention of Money Laundering Act (PMLA), 2002
  • The Reserve Bank of India (RBI) Know Your Customer (KYC) and AML guidelines
  • International Financial Services Centres Authority (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022

Japan
  • Act on Prevention of Transfer of Criminal Proceeds (APTCP)
  • Foreign Exchange and Foreign Trade Act (FEFTA)
  • Act on Punishment of Organised Crimes and Control of Proceeds of Crime (APOC)
  • Act on Punishment of Financing to Offences of Public Intimidation (TF Act)
  • Terrorist Asset-Freezing Act (TAFA)

Nigeria
  • Money Laundering (Prevention and Prohibition) Act, 2022
  • Terrorism (Prevention and Prohibition) Act, 2022
  • Regulation for the Implementation of Targeted Financial Sanctions on Proliferation Financing
  • Regulation for the Implementation of Targeted Financial Sanctions on Terrorism, Terrorism Financing and Other Related Measures, 2022

Singapore
  • Terrorism (Suppression of Financing) Act 2002
  • Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act
  • The Precious Stones and Precious Metals (Prevention of Money Laundering and Terrorism Financing) Act 2019 (“PSPM Act”)

United Arab Emirates
  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (as amended by Federal Decree-Law No. (26) of 2021)
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Cabinet Resolution No. (24) of 2022)

United Kingdom
  • Proceeds of Crime Act 2002
  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
  • Sanctions and Anti-Money Laundering Act 2018
  • Economic Crime (Transparency and Enforcement) Act 2022
  • The Electronic Identification and Trust Services for Electronic Transactions (Amendment, etc.) (EU Exit) Regulations 2019

United States of America
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001
  • Bank Secrecy Act / Anti-Money Laundering (BSA/AML)
  • Customer Due Diligence (CDD) Final Rule

The Importance of Customer Awareness in eKYC Implementation

A successful eKYC implementation requires customer participation in the process. Sometimes due to the lack of technology awareness, software glitches, and complicated video verification processes, customers stay away from eKYC procedures.

One of the major consumer grievances that businesses face is that customers either don’t understand the importance of providing businesses with their personal information or don’t feel that they have any control over their personal information once it is shared for eKYC purposes. eKYC measures such as biometric scanning by retinal scan, fingerprint scan, or OTP authentication sometimes make customers nervous about cooperating with eKYC procedures, thinking that their personal or biometric details might be misused or sold.

Customers will remain hesitant and uncooperative about completing eKYC until businesses take steps to raise awareness of how eKYC is implemented. Businesses need to explain to their customers the data security and data privacy measures that protect the data collected during eKYC.

Risk-Based Approach in eKYC Implementation

Businesses must keep in mind the fundamentals of a risk-based approach (RBA). RBA requires businesses to apply Money Laundering, Financing of Terrorism, and Proliferation Financing (ML/FT and PF) risk-mitigation measures according to the degree to which they are exposed to ML/FT and PF risks.

To simplify the concept of RBA, consider how heavily guarded nuclear reactors are in most countries, because of the sensitivity of nuclear material and the scale of harm a successful attack would cause. A public library or park is not given the same level of security, because both the threat and the consequences are far smaller. Controls are scaled to the risk rather than applied uniformly.

Similarly, applying RBA to eKYC means scaling the depth of identity verification to the assessed ML/FT and PF risk of the customer, product, channel, and geography, and confirming that the eKYC software can deliver the controls that risk level requires and is compliant with the relevant laws and regulations.

For example, if a business’s customer base consists mostly of high-net-worth individuals and its eKYC tool does not integrate with name-screening tools for sanctions, politically exposed persons (PEPs), and adverse media checks, using that tool would be very risky: high-net-worth individuals are often influential, and the probability of one being a PEP or appearing in adverse media is much higher than for a similar sample of lower- or medium-income individuals.

Businesses also need to ensure that the eKYC tool they use, or plan to switch to, is viable for their specific line of business and relevant to their sector; choosing a tool that does not meet those needs is a common error.

The eKYC software should be customisable to suit business needs; otherwise it will not deliver the required results and will end up underutilised.

Challenges in eKYC Implementation

1. Uneven Jurisdictional Requirements: Implementing eKYC is challenging as laws concerning KYC requirements vary from country to country. Uneven jurisdictional requirements lead to variations in record-keeping requirements and different eKYC checklists, making eKYC implementation difficult.

2. Data Privacy and Data Security Concerns: Businesses need to overcome the challenge of consent-related considerations and comply with biometric regulations which restrict, limit, and govern the use of biometric information.

3. Remote-Channel Attack Surface: Because onboarding is remote, the eKYC system is exposed to presentation attacks (printed photos, masks, or replayed video held up to the camera), injection attacks in which deepfake or AI-generated video is fed into the capture path as if it came from the camera, and forged or altered documents. Malware on the customer’s device, data breaches, and other cyberattacks add to this exposure. Liveness detection, integrity checks on the capture path, and document authenticity checks are the corresponding controls.

4. Non-Integration Across Tools: Not all eKYC software comes with the feature of integration with existing systems in an organisation, making it difficult for businesses to streamline processes.

5. Obtaining Information from High-Risk Customers: Many times, despite having a well-integrated eKYC software that offers seamless customer onboarding service, a customer posing a high risk, such as a Politically Exposed Person (PEP) or UBOs of businesses having multiple layers of corporate ownership, does not cooperate with timely completion of eKYC process.

Best Practices for eKYC Implementation

1. Formulation and Implementation of AML Policy and Data Protection Policy:

The effective and adequate implementation of any program, tool, or compliance process requires it to be included in a well-drawn-out AML compliance policy along with procedures, systems, and controls. An AML compliance policy must provide for the customer onboarding process and methodology, the eKYC process and tools used, and the handling of customer relationships when suspicious activities and reports are filed. The AML compliance policy must also provide for a Customer Identification Program (CIP). The AML policy must provide for risk assessment and management (due diligence, part of the KYC process), ongoing monitoring, and record-keeping of eKYC measures taken.

Further, the company must carve out and implement a data protection policy to remain compliant with legal requirements.

2. Consider Data Security Measures:

Businesses must implement strong data security measures to prevent incidents such as intrusions and data theft. The IT infrastructure supporting eKYC should be planned with security in mind: encryption of customer data in transit and at rest, least-privilege access to eKYC records, audit logging of who viewed or exported which records, and secure handling of the API credentials used to reach identity registries.

3. Relying on Third-Party for eKYC:

Businesses that rely on third parties to fulfil their eKYC needs must understand that responsibility for the outcome, including data breaches or data loss, remains with the business itself and not with the third party; FATF Recommendation 17 places ultimate responsibility on the institution relying on the third party. Due diligence on the provider, contractual terms on breach notification, audit rights, data location and retention, and the ability to obtain the eKYC records promptly on request should all be in place.

4. Group Oversight:

Businesses must consider that they have uniformity across branches and subsidiaries or sister concerns when implementing eKYC tools. The policies and procedures concerning eKYC should be as uniform as possible, or in cases where laws are distinct, as a best practice, following more stringent laws is advisable.

5. Integration and Interoperability

As a best practice, to ensure a more streamlined workflow across platforms such as CRM, payroll, accounting, name screening, AML case management, and eKYC tool, it is preferable to integrate these tools to avoid duplication of efforts.

Future of eKYC

Geolocation Tagging: Signals such as geolocation, IP address, device fingerprint, and keystroke dynamics can be combined to corroborate the user of an eKYC app and to flag sessions that do not fit the claimed identity or location.

Near-Field Communication (NFC): An NFC reader can capture the data stored on an ID document’s chip. For ICAO 9303 e-passports, the chip is opened with a key derived from the machine-readable zone (Basic Access Control or PACE) and its data groups are signed by the issuing state, so the reader can verify that the chip contents are genuine instead of trusting the printed page. This makes NFC reading considerably stronger than OCR of the visible document.

Advanced Liveness Detection: Advanced liveness detection identifies deepfake or AI-generated subjects attempting to defraud eKYC systems by looking for signs of life that generated models do not reproduce, analysing the subject’s environment in context, and combining this with behavioural analysis. Active liveness (asking the subject to perform a random action) and passive liveness (analysing the captured frames without prompts) are both used, and the capture path itself should be checked so that a virtual camera cannot inject a prepared stream.

Conclusion

Conducting KYC is a mandatory requirement across the globe. Regulated entities rely on the eKYC process to fulfil their identification document collection and verification requirements. However, a tick-box approach of simply purchasing or subscribing to an eKYC tool is not enough. Businesses need to follow a risk-based approach while implementing an eKYC tool.

By following the fundamentals of a risk-based approach, businesses can implement relevant and viable eKYC software that takes care of their compliance requirements and suits their individual business needs, while making the most of advances in eKYC technology.

Pathik Shah

Pathik is a Chartered Accountant with over 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing robust AML compliance frameworks. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Pathik's expertise extends to guiding businesses in navigating complex regulatory landscapes, ensuring adherence to FATF and other international standards, and mitigating financial crime risks. He is a recognised thought leader in AML/CFT, frequently sharing insights on emerging compliance challenges on various platforms.

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
