It wasn’t a shootout or a sting operation that brought down Al Capone. It was a ledger. In The Untouchables (1987), a bespectacled accountant suggests prosecuting Capone not for bootlegging or murder, but for failing to file tax returns. Ness (Kevin Costner) initially scoffs. But the money trail proves more effective than witnesses, whom Capone would eliminate. Records of undeclared income led to his conviction and imprisonment for over a decade. (Al Capone was areal-life American mafia boss active in the 1920s and 1930s.)
That’s the power of a money trail. For crimes like terrorism, corruption, drug trafficking or online scams, it often holds more weight than witness testimony. Know Your Customer (KYC) norms introduce identity into the financial system. Once money enters the formal economy, a documented identity helps trace its path. KYC regulations prevent anonymity, fraud and misuse. Ironically, the 0.1 per cent who exploit the system have created compliance burdens for the remaining 99.9 per cent. This clash between enforcement and convenience lies at the heart of Indias KYC debate.
All financial entities banks, mutual funds, stockbrokers, demat providers, insurers and the National Pension System (NPS) must complete KYC and store records with the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (Cersai), also called the Central KYC Registry (CKYC). Securities market intermediaries must additionally register KYC with one of the Securities and Exchange Board of India’s (Sebi’s) five KYC Registration Agencies (KRAs). Earlier, KYC excluded many due to a lack of identity or address proof. Aadhaar, widespread mobile access, and the Pradhan Mantri Jan Dhan Yojana, which enabled millions to open bank accounts, changed this.
The direct benefit transfer (DBT) programme accelerated adoption by linking subsidies to these accounts. KYC needs to be updated periodically. The Reserve Bank of India (RBI) follows a risk-based cycle: every two years for high-risk, eight years for medium-risk, and 10 years for low-risk customers. A self-declaration via email, SMS, ATM or online banking suffices if details have not changed. Even address updates can be made through self-declaration and simple verification tools like a registered letter. In theory, this makes re-KYC frictionless. But reality often diverges sharply.
As documented in Money life Foundations report KYC is Torture Rural Realities and Reform, banks often ignore RBIs guidelines, demanding fresh documents and in-person visits even when nothing has changed, sometimes every twothree years. The report adds that many don’t offer online options and ask for more than the rules require.
This imposes a heavy cost, especially in rural areas where visiting a branch can mean losing a days wage. There have even been reports of deaths in KYC queues and of pensions getting blocked. The Foundation notes that banks face no consequences fornon-compliance the customers bear the brunt.
This disconnect stems from differences in backend systems across sectors. In the securities market, KYC is also handled through KRAs, which independently verify details like Permanent Account Number (PAN) and address before storing them.
Paragraph 101 of Sebi’s Master Circular states that clients need not undergo KYC again when they approach a different intermediary in the securities market. This ensures KYC portability KYC completed with one intermediary is accepted by others. CKYC, in contrast, only stores the submitted documents and does not verify them.
Consequently, banks and insurers cannot rely on its accuracy and redo KYC from scratch. This defeats the promise of centralisation. Truth be told, compliance with KYC and anti-money laundering regulations is non-negotiable. But the securities market proves that security and convenience can co-exist. Fixing KYC requires no new laws only better enforcement. RBIs KYC norms must be made binding, with penalties for banks that violate them.
CKYC should be empowered to verify and validate data. Other regulators must follow Sebis lead in allowing KYC, once completed, to be reused across intermediaries. KYC updates, like a change of address or mobile number, must be automatically reflected across all entities.
India already leads the world in population-scale digital infrastructure, has political will, and regulatory frameworks. What’s missing is inter-regulatory coordination and accountability. A banker once joked that KYC stands for Kill Your Customer, not Know Your Customer. If we act now, that joke will remain just that: A bad joke.
The writer heads Fee-Only Investment Advisors LLP, a Sebi-registered investment advisor; X (formerly Twitter): @harshroongta other regulators should follow Sebi’s lead in explicitly stating that once a client completes KYC with one intermediary, they shouldn’t have to repeat the process with another
TRUTH BE TOLD Harsh Roongta
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper
(A slightly different version of this column first appeared in the Business Standard on JULY 28, 2025)