A booming KYC industry poses data privacy risk

Thanks to artificial intelligence and algorithms, KYC startups carry out millions of digital verifications in a month, helping banks and fintechs check the credentials of customers and making the process of bringing them on board much faster. Not surprisingly, they are supremely important for many fintech firms.

According to a recent report by credit reporting agency Equifax, in partnership with Andromeda, the retail industry disbursed 200 million loans during April 2019-March 2020, 180 million loans in the April 2020-March 2021 period, and 240 million loans during April 2021-March 2022. Usually, the number of KYCs is five times the number of loans sanctioned, as the approval rates are lower. A back-of-the-envelope calculation suggests that the number of KYCs done in FY22 alone could be somewhere around 1.2 billion.

Given the scale of operations, KYC startups deal with vast troves of personal data almost every day. But are there enough protections and guardrails for consumer privacy?

“Everyone in the industry is data hungry,” said a senior official, who takes care of fraud prevention at a fintech. “It is not about bad intent. But when they see so much data, for many, the thought is let’s collect, analyse and see what we can do about it later,” he said.

Last month, for instance, DigiLocker sent out a letter to its partners, stating that “there has been a violation of the Aadhaar Act and DigiLocker Terms of Services by Karza Technologies… As a result of these actions, their account has been blocked … and they are not allowed to use DigiLocker services till the investigation is completed.” Karza Technologies is a seven-year-old startup that does know-your-customer checks for a wide range of clients. DigiLocker is a government repository of online documents where citizens upload personal documents. It is also used by financial institutions to authenticate documents. Even non-regulated entities such as KYC startups can access DigiLocker. “Usually, you are supposed to have one DigiLocker account, and you are not supposed to share those keys with multiple entities. That’s a violation,” a head of a KYC startup head said. According to the DigiLocker letter, “one of Karza partners was found to be bypassing our redirection sign-in/sign-up flow and capturing Aadhaar directly on their user interface.” Mint reached out to both Karza and DigiLocker, asking for more details about this episode. Neither responded till the time of going to print.

As the Reserve Bank of India shows an interest in regulating several aspects of fintech, will KYC startups, sitting on data of millions of customers, also invite scrutiny? Before we try and answer the question, a look at the business of KYC.

Show me who you are

Simply put, KYC involves authenticating two layers of information—proof of identity and proof of address. It helps businesses identify who their customers are and prevent fraud and identity theft.

Globally, most identity frauds happen because personal data is easily available. That’s certainly true of India. “If you give ₹500 to someone on the grey market, they will happily give you hundreds of PAN and Aadhaar numbers. So, it has become extremely easy for someone to get access to this legitimate data and use it to open a bank account and later to avail credit,” said Ranjan R Reddy, founder of Bureau Inc, a KYC startup.

Besides buying data, KYC frauds can happen through UPI and wallets. Say, a customer clicks on a malicious link purportedly from Paytm/PhonePe, etc., and a scammer takes control of their phone. If their PAN card is included in the sensitive data, scammers tend to replace the photo on the card with someone else’s photo. That person can now go ahead and open a bank account, pretending to be the owner of the PAN card.

The bank typically doesn’t spot the deceit. Usually, banks validate the textual information of a PAN card with National Securities Depository Limited (NSDL), where only the name and number on the PAN is matched.

One way of cross-checking credentials for the lenders is through the CKYC (Central KYC), a government-backed centralised repository of KYC records. Only a regulated entity can pull data from this repository for a fee. “This is also treated as a full KYC because you are riding on the authentication done by another regulated financial institution in the market,” said Hem Raj Hyanki, founder of Compliance Pillar, which offers KYC consultancy services to regulated entities and fintechs.

Enter the KYC startups—to speed up the authentication. Though they cannot fetch data from the CKYC or NSDL or UIDAI, they work on documents they receive from the lenders. In this API-based (application programming interface) model, KYC startups are authorized by lenders to perform three functions on their behalf: extract textual information from documents, match customers’ selfies against photographs in multiple ID documents, and validate and verify these documents against government records. In 2021, the RBI also allowed video KYC, adding another option of authentication.

“From the lending point of view, all three steps are needed. Other segments that are beginning to use KYC services on a large scale are gaming, crypto, match-making and dating apps, and ride-hailing apps. These segments may need only the first two checks,” the fraud prevention official quoted above claims. Some KYC startups also offer advanced services, such as checking if documents are forged or not.

This booming industry is largely dominated by four-five players, including IDfy, Karza, Hyperverge, and Signzy. According to an IDfy official aware of the information, IDfy currently carries out 1 million KYC transactions a day (or about 25-30 million a month). Bureau, which offers a range of solutions, from verifying phone numbers to anti-money laundering services to transaction monitoring, all in one place—has over 100 clients. “We do 5 million API calls a month. We have so far verified 38 million identities, and of those 18 million are unique,” Reddy shares. In 2017-2018, the industry was valued at about $20 million. Today, it is at $80 million and in two-three years, it is likely to be a $300 million industry, as per estimates shared by Reddy.

As economy and business have digitized, the demand for KYC has surged – so much so that the industry tends to overlook the grey area of compliance.

The data playbook

In 2018, when Slice was an unregulated fintech, the company used to collect a lot of data from outside sources, said the former Slice official cited earlier. “While there was no partnership with any third-party KYC startup, we relied heavily on Truecaller,” he said.

In a response to Mint’s queries, the Slice spokesperson said, “The Truecaller SDK integration with Slice in 2018 solely focused on facilitating seamless user registration and onboarding. Slice does not have any partnership with Truecaller. The information at our disposal was limited to basic customer details and kept secure and confidential. The integration only facilitated the verification of their first and last name, phone number, and gender.”

According to the former Slice official, everyone at Slice had access to the information. “All that information was saved on an internal panel and every person in Slice was able to see it, along with the customer’s picture, which was fetched from a video recording of those who had applied for a Slice card,” he said. However, the Slice spokesperson said, “Customer privacy is paramount, and we have instituted multiple protocols to keep it that way. With the above context, we would like to iterate that your understanding of the details is incorrect.” In response to Mint’s queries, a Truecaller spokesperson said, “We have never worked with Slice. Our only conversation with it is due to the fact that they have recently been onboarded as a verified business customer on the Truecaller platform.”

This is just one example of how data was collected when digital lending was at a nascent stage. Have things changed much?

“Privacy of customer data is fundamental to a KYC business,” said Arpit Ratan, co-founder of the KYC startup Signzy and a former lawyer. The reality is different, he admits.

An open secret in the industry is that a lot of players end up storing a lot of data and even selling it. Several officials admitted this was rampant and considered “normal”. For example, in an e-KYC, startups act as a pipeline between the lender and UIDAI while verifying Aadhaar documents. “Data flows from UIDAI to the regulated entity. But in the case of video KYC and offline Aadhaar-based KYC, the data rests or resides for some time with these startups, which is a problem. They are not supposed to have that data in the first place, forget about keeping it for some time. The customer consent to fetch information is taken in the name of the regulated entity, the lender, and not anyone else,” Hyanki explains.

But there have also been instances when the consumer ends up giving consent both to the NBFC (non-banking financial company) and its KYC partner – or even to a broader term, “lender”.

“The consent is messed up. One customer becomes customer of five companies, without his/her knowing about it. I have seen many such cases,” Hyanki said.

Regulated entites are required to comply with KYC directives. But, right now, the way it is implemented is a ‘grey zone’.

For example, most banks keep the data they process in their own server. But many financial institutions, including fintechs, rely on cloud. Say, a fintech lending platform gets the PAN of a customer and passes this information to the KYC partner for verification. “Even if they are not supposed to, some KYC startups will hold on to it. The next time another lender wants a check on the same customer, it won’t have to pay for the cost of fetching the same data. This is purely to protect margins,” the fraud prevention official said.

Then, there’s something called ‘system abuse’ in the industry. An unregulated fintech lending platform works with a regulated NBFC in a co-lending arrangement. Then, the NBFC gives one login ID to a KYC partner, using which it could fetch CKYC or NSDL data–even if it is not allowed to do so as per regulation.

Smaller niche startups, which are doing extremely well in terms of revenues, store all the data collected on behalf of their regulated clients and sell it in packages, the fraud prevention official cited above said.

In the absence of a data protection bill, there is little disincentive against such behavior. Recent digital lending guidelines have made fintechs more circumspect. “Fintechs and lenders are more cautious now. A couple of new fintechs I am advising don’t want to operate in those grey zones at all,” Hyanki said.

What next

All of this, of course, leads to concerns over data protection. Will the RBI push for licensing for KYC startups next? Many argue that since KYC startups aren’t regulated globally, it might be hard to do so in India. The basic principle of regulation is that only one entity bears the compliance responsibility—and the buck stops with it. “In this case, the regulated entity owns the risk and compliance,” said a KYC startup co-founder.

The data protection bill, expected to be released soon, could also bring more pressure on startups. It aims to protect personal data of individuals, as well as to create a framework for organizational and technical measures in processing data while laying down norms for social media intermediaries, including regarding cross-border transfer of the data.

The industry does expect a new bunch of guidelines for KYCs. “I know that one department in the government is working on a centralized platform for all KYCs, and will probably come up with a licensing structure just like an account aggregator,” a KYC startup co-founder said. But the moot point is: Even if the laws come, who will ensure enforcement?