Think beyond masked Aadhaar:
Mandatory masking of all KYC identifiers to prevent CKYC data fraud, check details

Dec 19, 2024

Synopsis
Central KYC (CKYC): The deadline to implement masking of know your customer (KYC) details in the CKYC database has been extended to January 20, 2024. “The Central KYC Customer Records Registry (CKYCR) is trying to improve data security and privacy of customers in two ways - by masking the KYC Identifiers and by preventing any intermediaries from accessing the customer’s KYC details,” says Wriju Ray.

The government wants to protect the integrity of Know Your Customer (KYC) data and prevent its misuse. It has proposed several measures regarding the safety of data held with Central Know Your Customer (CKYC). Two of these measures are masking of KYC identifier details (PAN, Aadhaar, voter ID card, driving license etc.) and authorised access based on a unique IP address. Earlier, all your details were viewed and searched by any intermediary. These practices are now starting to end with the government's proposal to mask all KYC identifiers.

However, industry players, namely banks and financial institutions, essentially Regulated Entities (REs), voiced concerns that the government was moving very fast in implementing these measures, and hence requested a deadline extension.

The Central Know Your Customer (CKYC) has listened to the REs’ request and has extended the deadline for masking of KYC identifier documents from December 16, 2024, to January 20, 2024.

“In view of requests received from various Reporting Entities, it has been decided to defer the date of go live for masking of KYC Identifier from December 16, 2024, after 08:00 PM to January 20, 2025, after 8:00 PM,” as per an official communique from Central KYC Records Registry dated December 16, 2024.

How your privacy and data stored in the CKYC system will be protected by the KYC masking feature

This new system, which is now stated to be implemented from January 20, 2024, will show only the last four digits of a KYC Identifier document such as Aadhaar, PAN, Voter ID Card, Driving License etc. and mask the remaining details.

“The Central KYC Customer Records Registry (CKYCR) is trying to improve data security and privacy of customers in two ways - by masking the KYC Identifiers and by preventing any intermediaries from accessing the customer’s KYC details. CKYCR will now mask the KYC identifiers in its search results. By doing this, CKYCR aims to stop any unscrupulous downloading of identity data stored in the registry, by whoever has access to these KYC identifiers,” says Wriju Ray, Chief Business Officer, IDfy.

Explaining how this process will work, Central KYC Records Registry said in an official communique dated October 17, 2024, “To enhance data security, the KYC Identifier shall now only be available to registered reporting entities (REs) when the KYC record is successfully downloaded from CKYCRR using an authentication factor. In the KYC search response and confirmed match responses received during the new KYC record generation (KYC Upload) process, the KYC identifier shall be masked, and a CKYC reference ID that is unique to each KYC identifier shall be provided. REs shall be able to download KYC records using either the KYC identifier or CKYC reference ID.”

CKYC wants to prevent unauthorised usage of your KYC data, hence wants to implement a unique IP address system

Industry insiders say most Regulated Entities (REs) outsource KYC collection work to information technology companies like TrackWizz, which are essentially intermediaries. The CKYC Registrar wants to put an end to this practice and has therefore now mandated REs to use their own IP address to access the KYC details. Earlier, intermediaries acting on behalf of REs used their own IP address to access KYC data. The deadline to implement this feature is December 31, 2024.

“CKYCR also wants to stop intermediaries from accessing the customer’s KYC details from their own IP address or system. It is now mandatory for Regulated Entities to use their own IP address and system to search and download a customer’s KYC details from the CKYC registry. Earlier there was always a risk that intermediaries could use the ‘search’ functionality to obtain the KYC details of customers and then potentially misplace or misuse it,” says Ray.

Central KYC Records Registry in an official communique dated November 20, 2024, said: “This is in reference to the API integration between Reporting Entities and CKYCRR. To ensure data security, each Reporting Entity using CKYCRR API must use a unique IP address. This means that no two reporting entities can share the same IP address for CKYCRR API access. Reporting entities are directed to not share their login credentials, digital signatures, and API public/private keys with third parties. Reporting entities are also directed to ensure that the data obtained from CKYCRR is stored securely with adequate cybersecurity checks and controls and data protection measures in place so that there is no unauthorised access to the KYC data at any point in time, including during the transition between CKYCRR to the end point at the reporting entities’ end.... By 31 December 2024, IPs that are common to multiple reporting entities shall be blocked from accessing CKYCRR APIs.”

[The Economic Times]
