From Periodic to Perpetual – Rethinking the process of KYC

Posted On Date: October 8, 2025

Save Post

This blog is based on the recent uptake in conversations on the reformation of the know-your-customer (KYC) process in the financial sector. We find the periodicity of the current KYC system to be of concern for various reasons. The periodic updates of KYC present a burden on the customer to validate themselves every few years, failing which they are at risk of being excluded from the financial system. Furthermore, periodic updates of customers’ accounts and KYC data every few years also hinder financial institutions from identifying and preventing ongoing financial crimes. In the realm of digital finance, there is a need for almost continuous, near real-time scrutiny of customers’ risks profile, in stark contrast to the periodic KYC check, which is the current practice. In this context, we explore the potential that comes with adopting a perpetual KYC system.

Introduction

Recently, the Finance Minister, Nirmala Sitharaman, announced the government’s plan to revamp the Central Know-Your-Customer (CKYC) Registry and to introduce a streamlined system for the periodic update of the Know-Your-Customer (KYC) process.[1] This announcement forms a part of previous conversations by the Government on the need to develop a universal KYC framework to streamline customer verification processes, expedite refunds of unclaimed amounts, and to strengthen cybersecurity efforts.[2] Additionally, the Department of Financial Services has been working with financial sector regulators, financial institutions, and other stakeholders, to identify issues in the current KYC process and to understand how the CKYC process may be updated to address these issues.[3] Before we begin discussing the CKYC and the plan to streamline the CKYC process, we must first understand how the KYC process works.

Understanding the current KYC process

The Prevention of Money Laundering Act (PML) 2002[4] and subsequent rules, including the Reserve Bank of India’s (RBI) Master Directions on KYC[5], lay down four constituent aspects of the KYC process:

Customer Acceptance Policy: which sets out the grounds for admitting customers, outlining circumstances when representatives of customers can act on their behalf, and the conditions that render a customer inadmissible.
Risk Management: which helps regulated entities to classify customers according to their perceived risk levels. Parameters that inform risk categorization are kept confidential to prevent gaming of the system but include indicators such as the geographical location of the customer, the nature of transactions etc.
Customer Identification Procedures (CIP):the process of establishing that the person has a unique and valid identity, and
Monitoring of Transactions: which is an integral part of ongoing Customer Due Diligence (CDD) to ensure the customers’ transactions reflect their risk categorization.

Therefore, a KYC process may be summarized as a process of defining admissible customers, gauging their riskiness, establishing their existence, and calibrating the scrutiny their financial behavior attracts to their designated level of riskiness.

Next, we will understand why CKYC was introduced by the Government, how it works and its limitations.

Exploring the working and limitations of the CKYC Record Registry

The CKYC Records Registry was introduced to ease the KYC process for customers and financial institutions. This is because CKYC requires a customer to undergo the KYC process only once, i.e., at the start of their formal finance journey, when they interact with a formal financial institution for the first time. In their first interaction, the financial institution is required to collect every KYC related document from the customer. The financial institution is then mandated by the law to upload these documents in the CKYC Registry. The CKYC Registry will then issue a unique identifier, the KYC Identifier, to the customer. In all subsequent transactions, the customer is only expected to provide the KYC identifier to any other formal financial institution, which can easily look up and download the customer’s KYC documents from the CKYC registry using that information.[6]

In the absence of CKYC, an individual customer was expected to undergo the complete KYC journey as many times as they started a new financial relationship, such as opening an account, purchasing an insurance policy, or investing in mutual funds. This was onerous for the customers and expensive for the financial institutions. Reports estimate the cost of this siloed KYC in India to be anywhere between Rs. 50 to Rs. 1000. The CKYC Registry facilitates the sharing of KYC data among regulated entities across the financial sector which reduces duplication of efforts for both the customer and the regulated entities, realizing savings in monetary and time costs. The cost of KYC has reduced substantially to Rs. 1 or Rs. 2.25, for regulated entities that have digitally integrated the KYC journey in their operations and use APIs to interact with CKYC Registry.[7]

The PML Act and Rules[8] contain provisions that make it mandatory for financial institutions to create electronic copies of a customer’s KYC records to be stored in a centralized database, the Central KYC Record Registry (CKYC Registry). The Operating Guidelines for the CKYC and the PML Act and Rules (specifically Rule 9) set out the rules of engagement with the CKYC including participating entities and help the system remain attentive to the issues of money laundering.[9] Further, to ensure that the KYC information is a credible reflection of the customers’ risk categorization, regulated entities require customers to undertake KYC journeys at stipulated intervals. The periodicity of the KYC is determined by the customers’ risk categorization:

high risk customers such as politically exposed persons, whose profiles are reviewed and updated every 2 years
medium risk customers such as people operating businesses in a country with moderate levels of corruption, and whose profiles are reviewed and updated every 8 years, and,
low risk customers such as people in the lower economic strata, whose profiles are reviewed and updated every 10 years.[10]

Limitations of the periodic review process

A critical appreciation of the periodic review process, that we refer to as Re-KYC highlights some concerns:

First, periodic reviews limit the ability of financial institutions to identify suspicious activities occurring outside of the timeframe mandated for a customer’s periodic review. This is because a periodic review takes place once every few years, depending on the customer’s risk category.[11] Second, periodic reviews may be voluminous, time-consuming, and expensive as they may happen as a bulk process every few years. Financial institutions are also increasingly failing to update[12] customer profiles[13][14] This has proven particularly problematic as customer risk profiles naturally evolve over time. Third, failure to update customer profiles in the CKYC Registry also has real world consequences for customers, specifically people who are in the lower economic strata of society. In the current periodic review process, financial institutions may not always update the customer’s profiles in time for the re-KYC checks. As such, customers may face the risk of having their bank accounts frozen until the financial institution updates the customers’ profile.[15]

These issues are best summarized in the quote from a Deputy Governor of the RBI:[16]

Our root cause analysis indicates a set of issues, including high pendency at bank level in periodical updation of KYC details of the customers; lack of a proactive approach in assisting and obtaining the required customer documents; inadequate staff deployment in such critical functions resulting in overcrowding or denial of service at branches; directing the customers to approach their ‘home branch’ for availing such services rather than being empathetic to customer needs by attending to them at a branch of their convenience; and failure to update the details in the system even after the customers have provided the required documents. It has also come to our notice that in certain cases the accounts that are meant to receive Direct Benefit Transfers from the Government have also been made inoperative or frozen, contrary to regulatory guidelines in the matter.

These issues underscore the need for a KYC system that is capable of:

A more automated, digitized system to reduce burden of updating information at the CKYC Records Registry,
Gauging riskiness associated with a customer on a real-time basis, with little manual intervention. There is a need to revisit the markers of riskiness to ensure they are appropriate for an increasingly digitized, mobile financial ecosystem. Risk may be better gauged by deep transaction monitoring that reflects a more accurate picture of the conduct of the customer. It may be tempting to tag accounts with immovable labels such as ‘welfare beneficiary’ and categorize all such accounts as low risk. However, such a move may only incentivize fraudsters to take over these accounts and misuse them. A deep monitoring of transactions on the other hand would ascertain the riskiness of a customer on the basis of their actual conduct as opposed to some stationary, self-reported parameter such as the type of employment. A scalable, AI powered system could deliver on the promise of deep transaction monitoring.

Exploring the alternative – Promises of a PKYC system

A PKYC system is one in which financial institutions review and update information in customers profiles in near real time, while also continuously monitoring all financial transactions.[17] Unlike a periodic review process which occurs once every few years, PKYC is a perpetual, ongoing process by financial institutions. Some of the promises of the PKYC system that may allow it to be more effective than a periodic system of KYC checks include the following:

The end-to-end automated process of the PKYC system promises to enable efficient KYC checks and real-time monitoring of transactions –
Under a PKYC system financial institutions will be able to automatically update changes made to a customer’s profile – regardless of the materiality of the change[18] Financial institutions will also be able to monitor ongoing transactions that will enable the identification of money laundering or other financial crimes in real time.[19] Additionally, a PKYC process need not necessarily be a fully automated process. If a trigger of a suspicious activity is picked up, an authority from the financial institution’s customer due diligence team could intervene, reach out to the customer, and decide whether to take further action.[20]
The PKYC system may help prevent financial exclusion of persons through automatic document updating –
Under the PKYC system, financial institutions may be able to work together to automatically update any changes made to a customer’s profile as soon as it is made.[21] Additionally, a PKYC system may be beneficial for a customer as it may enable the continuous compliance of the customer using machine learning systems that pick up on documents that are on the verge of expiry and require updating.[22] All these processes may help take some burden off the customer in the document updating process, while also helping to prevent exclusion of customers which is a critical issue in the current re-KYC process.

Conclusion

The current KYC process of periodically reviewing and updating customers’ profiles has proven to be an ineffective system for preventing financial crimes, while also risking the exclusion of vulnerable customers. PKYC has been positioned by actors in the financial sector to be a system that may help address some of these issues, but we must carefully consider its benefits and risks

Footnotes:

[1] Budget 2025-2026, Speech of Nirmala Sitharaman, Minister of Finance, 1 February 2025 – https://www.indiabudget.gov.in/doc/budget_speech.pdf

[2] https://economictimes.indiatimes.com/news/economy/policy/financial-sector-regulators-to-work-on-universal-kyc/articleshow/121787529.cms?from=mdr

[3] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2117797#:~:text=During%20the%20discussion%2C%20many%20suggestions,easing%20of%20the%20KYC%20process.&text=by%20PIB%20Delhi-,Shri.,easing%20of%20the%20KYC%20process.

[4] https://dea.gov.in/sites/default/files/moneylaunderingact.pdf

[5] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

[6] (i) https://www.ckycindia.in/ckyc/assets/doc/Operating_Guidelines_version1.3.pdf (ii) https://indiankanoon.org/doc/242082/

[7] https://www.ckycindia.in/ckyc/assets/doc/Communique2024_10_UpdatedfeestructureinCKYCRR.pdf

[8] https://dor.gov.in/prevention-money-laundering-maintenance-records-amendment-rules-2015

[9] (i) https://www.ckycindia.in/ckyc/assets/doc/Operating_Guidelines_version1.3.pdf (ii) https://indiankanoon.org/doc/242082/

[10] https://www.rbi.org.in/commonman/english/Scripts/FAQs.aspx?Id=3782

[11] https://www.fca.org.uk/publication/corporate/money-laundering-through-markets-review-january-2025.pdf