KYC fraud: In a bid to protect Know Your Customer (KYC) data from fraud and misuse, identifiers in the Central KYC Records Registry (CKYCRR) are to be masked, and the launch date for this masking has been extended to January 20, 2025. The effort, designed to enhance data security and curb potential misuse, will conceal sensitive KYC information such as Aadhaar, PAN, Voter ID, and Driving License numbers within the system.
Masked KYC involves concealing sensitive information in customer records shared via CKYCRR. Instead of revealing the complete KYC identifier, only the last four digits will be shown.
This approach will safeguard individual privacy and diminish the potential for unauthorised access.
Reporting entities will still have the ability to retrieve the complete KYC records by using a unique CKYC Reference ID associated with each record. Two measures that can be implemented include masking KYC identifiers (such as PAN, Aadhaar, voter ID card, driving license, etc.) and enabling authorized access based on unique IP addresses.
Date extension
Industry players, including banks and financial institutions categorized as Regulated Entities (REs), expressed concerns about the government’s rapid implementation of certain measures and requested an extension of the deadline. Responding to their concerns, the Central Know Your Customer (CKYC) has decided to extend the deadline for masking KYC identifier documents from December 16, 2024, to January 20, 2025.
“In view of requests received from various Reporting Entities, it has been decided to defer the date of go live for masking of KYC Identifier from December 16, 2024, after 08:00 PM to January 20, 2025, after 8:00 PM,” as per an official communique from Central KYC Records Registry dated December 16, 2024.
How your data will be protected
The updated system, scheduled for implementation beginning January 20, 2025, will display only the last four digits of KYC Identifier documents such as Aadhaar, PAN, Voter ID Card, Driving License, etc., while concealing the remaining details.
Central KYC Records Registry said in an official communique dated October 17, 2024, “To enhance data security, the KYC Identifier shall now only be available to registered reporting entities (REs) when the KYC record is successfully downloaded from CKYCRR using an authentication factor. In the KYC search response and confirmed match responses received during the new KYC record generation (KYC Upload) process, the KYC identifier shall be masked, and a CKYC reference ID that is unique to each KYC identifier shall be provided. REs shall be able to download KYC records using either the KYC identifier or CKYC reference ID.”
Changes to KYC Identifiers
Only the last four digits of KYC identifiers will be displayed in search responses and match confirmations.
Reporting entities are required to utilize this updated unique identifier when downloading complete KYC records.
To access records, authentication factors and unique IP addresses will be necessary.
Unique IP address system
According to experts, most Regulated Entities (REs) typically outsource KYC collection tasks to technology firms such as TrackWizz, which serve as intermediaries. Previously, these intermediaries accessed KYC data on behalf of REs using their own IP addresses. To address this, the CKYC Registrar has mandated that REs use their own IP addresses for accessing KYC information instead of relying on intermediary IPs. The deadline for implementing this requirement is December 31, 2024.
Additionally, CKYCR aims to restrict intermediaries from accessing customer KYC data from their own IP addresses or systems. REs are now obligated to use their own IP addresses and systems to search for and download customer KYC information from the CKYC registry.
Central KYC Records Registry in an official communique dated November 20, 2024, said: “This is in reference to the API integration between Reporting Entities and CKYCRR. To ensure data security, each Reporting Entity using CKYCRR API must use a unique IP address. This means that no two reporting entities can share the same IP address for CKYCRR API access. Reporting entities are directed to not share their login credentials, digital signatures, and API public/private keys with third parties. Reporting entities are also directed to ensure that the data obtained from CKYCRR is stored securely with adequate cybersecurity checks and controls and data protection measures in place so that there is no unauthorised access to the KYC data at any point in time, including during the transition between CKYCRR to the end point at the reporting entities’ end. By 31 December 2024, IPs that are common to multiple reporting entities shall be blocked from accessing CKYCRR APIs.”
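The controls described in the communiques above can be modelled together, as an added example that is not CKYCRR's code or API: search responses carry a masked identifier plus an opaque reference ID, downloads require an authentication factor and the reporting entity's own registered IP, and any IP registered by more than one entity is blocked. All names (`ToyRegistry`, `search_key`, the RE IDs), the identifier value and the IP addresses are constructed assumptions.

```python
import ipaddress
import secrets
from collections import defaultdict

def norm(ip: str) -> str:
    """Canonical text form, so spelling variants of one address compare equal."""
    return str(ipaddress.ip_address(ip.strip()))

def mask(identifier: str, visible: int = 4) -> str:
    """Show only the last `visible` characters of an identifier."""
    if len(identifier) <= visible:
        return "X" * len(identifier)  # too short: reveal nothing
    return "X" * (len(identifier) - visible) + identifier[-visible:]

def shared_ips(registrations: dict) -> dict:
    """Map each IP registered by more than one reporting entity to its owners."""
    owners = defaultdict(set)
    for re_id, ips in registrations.items():
        for ip in ips:
            owners[norm(ip)].add(re_id)
    return {ip: res for ip, res in owners.items() if len(res) > 1}

class ToyRegistry:  # hypothetical stand-in for the registry side
    def __init__(self, registrations: dict):
        self.blocked = set(shared_ips(registrations))
        self.ip_owner = {norm(ip): re_id for re_id, ips in registrations.items()
                         for ip in ips if norm(ip) not in self.blocked}
        self.by_search_key, self.by_download_key = {}, {}

    def add(self, search_key: str, identifier: str, record: dict) -> str:
        ref = secrets.token_hex(8)  # opaque: not derived from the identifier
        full = dict(record, kyc_identifier=identifier)
        self.by_search_key[search_key] = (identifier, ref)
        self.by_download_key[identifier] = self.by_download_key[ref] = full
        return ref

    def search(self, search_key: str) -> dict:
        identifier, ref = self.by_search_key[search_key]
        return {"kyc_identifier": mask(identifier), "reference_id": ref}

    def download(self, re_id: str, source_ip: str, authenticated: bool, key: str) -> dict:
        if not authenticated or self.ip_owner.get(norm(source_ip)) != re_id:
            raise PermissionError("authentication factor and the RE's own IP are required")
        return self.by_download_key[key]

# Constructed sample data (documentation IP ranges, made-up entity IDs).
REGISTRATIONS = {"RE-BANK-A": ["203.0.113.10"],
                 "RE-NBFC-B": ["198.51.100.7", "192.0.2.44"],
                 "RE-FUND-C": [" 192.0.2.44 "]}  # same intermediary egress IP as RE-NBFC-B
```

Running `shared_ips` over an intermediary's own client-to-egress-IP mapping before the cutoff shows which reporting entities would lose API access.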