One nation, one KYC: Sebi shows the way, other regulators should follow

Other regulators should follow Sebi's lead in explicitly stating that once a client completes KYC with one intermediary, they shouldn't have to repeat the process with another

Securities and Exchange Board of India, SEBI
Harsh Roongta
5 min read Last Updated : Jul 27 2025 | 3:56 PM IST
It wasn’t a shootout or a sting operation that brought down Al Capone. It was a ledger. In The Untouchables (1987), a bespectacled accountant in Eliot Ness’s squad suggests prosecuting Capone not for bootlegging or murder, but for failing to file tax returns. Ness (played by Kevin Costner) initially scoffs—Capone had outmanoeuvred every case by eliminating witnesses. But the money trail didn’t lie. Records of undeclared income led to Capone’s 1932 conviction for tax evasion and over a decade in prison. (Al Capone was a real-life American mafia boss active in the 1920s and 1930s.) 
That’s the power of a money trail. In enforcement, it can matter more than witness testimony—especially when criminals operate in the shadows, as with terrorism, corruption, drug trafficking or online scams. The goal of Know Your Customer (KYC) norms is to bring identity into the financial system—because once money touches the formal economy, a documented identity helps trace its path. 
KYC regulations are the gatekeepers of the financial system—intended to block anonymity, deter fraud and prevent misuse. The irony, however, is that the 0.1 per cent who exploit the system trigger compliance burdens for the other 99.9 per cent. This clash—between enforcing security and ensuring convenience—is at the heart of India’s KYC debate. 
Today, every financial entity—banks, mutual funds, stockbrokers, demat account providers, insurers, National Pension System (NPS)—must conduct KYC and store records with the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), more popularly known as the Central KYC Registry (CKYC). Securities market entities must additionally register the KYC with one of the Securities and Exchange Board of India’s (Sebi) five KYC Registration Agencies (KRAs).
 
From exclusion to over-enforcement 
KYC was once a barrier for large sections of the population who lacked proof of identity or address. That changed dramatically with Aadhaar and widespread mobile access. The Pradhan Mantri Jan Dhan Yojana enabled millions to open bank accounts. The Direct Benefit Transfer (DBT) programme accelerated adoption by linking subsidies and welfare to these accounts. 
 
Re-KYC: where the friction begins 
To preserve financial integrity, KYC must be periodically updated. The Reserve Bank of India (RBI) prescribes a risk-based cycle: High-risk: every 2 years; Medium-risk: every 8 years; Low-risk (pensioners, small farmers, labourers): every 10 years. If there’s no change in details, a simple self-declaration—via email, SMS, ATM or online banking—should suffice. Even a change of address can be updated via self-declaration, to be verified by the bank using simple tools like a registered letter. In theory, this makes re-KYC frictionless, especially for low-risk customers. But reality often diverges sharply.
 
As documented in Moneylife Foundation’s detailed report—“KYC is Torture – Rural Realities and Reform”—banks routinely ignore RBI’s flexible norms. “In practice, banks frequently demand fresh documents and in-person visits even when nothing has changed—sometimes every 2–3 years. Many don’t offer online options and ask for more than the rules require.”
 
This is more than just a bureaucratic annoyance. In rural areas, visiting a branch can mean losing a full day’s wages. In extreme cases, there have even been reports of deaths in KYC queues and pensions being blocked. The Foundation rightly notes that banks face no consequences for ignoring RBI’s norms—but customers bear the full burden.
 
This disconnect isn’t just about overzealous bankers—it stems from fundamental differences in how back-end systems are designed across sectors. In the securities market, KYC is also handled through KRAs, which independently verify and validate key details like Permanent Account Number (PAN) and address before storing them. What’s more, Paragraph 101 of Sebi’s Master Circular clearly states that “the client need not undergo the KYC process again when the client approaches a different intermediary in the securities market.” This ensures KYC portability: once a client completes KYC with one intermediary (say, a mutual fund), it can be seamlessly used by another (like a stockbroker). The result? In the securities market, once you're KYC-compliant with one entity, you're effectively KYC-compliant with all.
 
In contrast, CKYC merely receives and stores documents as submitted, without verifying or validating the data. Consequently, when another institution accesses a CKYC record, it cannot rely on its accuracy. As a result, most banks and insurers choose to redo the KYC process from scratch. The promise of centralisation is thus completely undermined.
 
Truth be told, complying with KYC and anti-money laundering regulations is non-negotiable in today’s world. But the securities market demonstrates that security and convenience can co-exist. Fixing KYC doesn’t require new laws—just better enforcement. The RBI’s KYC norms must be made binding across the banking sector, with steep penalties imposed on banks that ignore them. CKYC, like KRAs in the securities market, must be empowered not just to store KYC data, but also to verify and validate it. Other regulators should follow Sebi’s lead in explicitly stating that once a client completes KYC with one intermediary, they shouldn’t have to repeat the process with another. That’s the only way to make KYC truly portable across the financial system. Finally, KYC updates—such as a change in address or mobile number—must be automatically reflected across all financial entities a customer interacts with.
 
India already leads the world in population-scale digital infrastructure. The political will exists. The frameworks are in place. What’s missing is inter-regulatory coordination and accountability. A banker once joked that KYC stands for “Kill Your Customer”—not “Know Your Customer.” If we act now, that joke will stay what it is: a bad joke.
 
The writer heads Fee-Only Investment Advisors LLP, a Sebi-registered investment advisor; X (formerly Twitter): @harshroongta
