What are the KYC procedures for merchant onboarding?

Asheeta Regidi Head, Fintech Policy at Cashfree.

As a payment aggregator (‘PA’), when we on-board merchants we need to address certain risks, such as fraud, excessive chargebacks, money laundering and tax evasion. Regulatory guidelines and applicable laws therefore require us to adopt several precautionary measures, including Know-Your-Customer (‘KYC’) and merchant due diligence procedures. We thus carry out a range of checks on merchants, which start before onboarding and continue until the end of your relationship with us. The processes discussed here may be replicated by financial service entities or any other business that wants to onboard merchants onto its platform, both to comply with regulations and to mitigate risk.

What is KYC?

Regulated financial institutions like banks, PAs, investment companies, etc., conduct KYC whenever a client attempts to open an account or onboards with them (e.g. the KYC process you undergo when opening a bank account). A client may be an individual or a legal entity. The aim is to establish the client’s identity, address and legitimacy by verifying its key documents. In combination with due diligence and other mandated checks, this allows us to identify, say, potential fraudsters and shell companies, or to detect money laundering (Related Read: Challenges of tackling merchant fraud). Non-regulated entities, such as an online marketplace, often also need to perform a full or partial KYC as a precaution. These checks are a step towards securing not only ourselves, but also end-customers and the financial system as a whole.

As PAs we can service a range of businesses: e-commerce marketplaces; financial services like lending, wealth management, credit management, payments and insurance; edtech; healthtech; digital entertainment and streaming services like video, music and gaming; subscription businesses such as SaaS companies; and hospitality and transportation services like taxi aggregators, hotel booking aggregators and vehicle rentals. The checks we undertake thus vary from business to business, particularly based on the merchant’s legal form and line of business.

Figure 1

The Complete KYC Procedure

The Reserve Bank of India’s (‘RBI’) Master KYC Direction, the RBI PA Guidelines and the Prevention of Money Laundering Act, 2002 (the ‘PMLA’), among others, together require the following eight-stage process:

Step 1: The KYC document check or CDD process

The first stage is the KYC document check, or the Customer Due Diligence (‘CDD’) process. Depending on who the merchant is, it takes one of two forms, Individual KYC or Business KYC, with a third, Platform KYC, applying where the merchant itself onboards others:

  • Individual KYC : When you are a merchant who is an individual (e.g. a sole proprietor), we carry out a ‘KYC’ process, or CDD, for an individual. Broadly, we verify your identity via an ‘Officially Valid Document’ or OVD check (identity documents like Aadhaar, passport, driving licence, etc.), individual PAN verification and, if necessary, a current address proof check (utility bills, etc.). We can also ask for more documents to verify your financial or business status, say your business registration documents.
  • Business KYC : When you are a business partner we are onboarding, we carry out a Business KYC process, or CDD, for a business. Here we replace the OVD check with an ‘entity-proof’ check, which again differs based on your legal form. For example, if you are a company, we need to verify your certificate of incorporation, memorandum and articles of association, etc. If you are a trust or partnership, we need your trust or partnership deed, registration certificates, etc. Once we have verified your licensing/registration, we need to ascertain that the officer or employee transacting with us on your behalf has your authority to do so. For this we need the relevant Board resolutions, power of attorney, etc. Next we need your Business PAN, and address proof (GST registration) if your licensing/registration documents do not reflect your current address. We also need to conduct ‘beneficial owner’ checks, i.e., we need to verify who has actual ownership or control, such as the directors and shareholders, and carry out the ‘KYC’ process separately for them. We also verify numerous other documents as part of the due diligence processes (discussed below).

Platform KYC: Lastly, depending on your line of business, you may yourself have on-boarded end-merchants. In turn, you may be required to carry out a KYC or verification process for them as well, whether under regulations that apply to you or as an additional diligence measure. A supplementary check you can carry out here is bank account verification, as a tool to help you ascertain the validity of the bank accounts of the end-merchants you on-board.

Figure 2

Methods of verifying the documents also vary. The traditional method is the physical check (original seen and verified, with in-person verification). Today, digital checks such as digital document and signature verification (eKYC, DigiLocker, etc.), API-based verification, Digital KYC and Video KYC are being introduced to ease the process and replace the earlier physical checks. For us as a PA, relaxations are also being brought into the CDD process, allowing us to rely on the KYC you have already undergone while opening an account with your bank. In another welcome move, the RBI has extended the Central KYC Registry to legal entities, introducing a new mode of digital KYC for businesses via a KYC identifier (previously this was only available for individuals).

Step 2: Verification against sanction and PEP lists 

Next, we need to screen the names of our clients and their beneficial owners against certain lists, such as national and international terrorist lists and ‘Politically Exposed Persons’ (PEP) lists. If a name matches a sanctions list, we also need to report this to the Financial Intelligence Unit of India (‘FIU-IND’). Along with these, we check numerous other lists, such as blacklists, greylists and defaulter lists for companies, directors, etc. issued by banks, the Ministry of Corporate Affairs, the Securities and Exchange Board of India, the Enforcement Directorate, the Office of Foreign Assets Control (U.S.), etc. (for a detailed list please see Appendix II below). These checks aid us in the fight against terrorism and money laundering, and also help us define the risk level of a specific client.
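Name screening in practice is a fuzzy-matching problem: list entries and onboarding forms differ in case, accents, punctuation, word order and abbreviated middle names, and an exact string comparison would miss most of them. The following is an added example, not Cashfree’s own screening code. It normalizes names, scores each subject against each list entry with a combination of string similarity and order-insensitive token overlap, and returns hits above a threshold for analyst review. The watchlist entries are constructed placeholders rather than real sanctions or PEP data, and the 0.85 threshold is an assumed tuning value.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample entries standing in for downloaded list data (source, name).
# These are NOT real sanctions or PEP records.
WATCHLIST = [
    ("UNSC-1267", "Abdul Rahman Al-Kabir"),
    ("OFAC-SDN", "Viktor Petrov Ivanov"),
    ("PEP", "Ramesh Kumar Sharma"),
]


def normalize(name: str) -> str:
    """Strip accents, case and punctuation, and collapse whitespace so that
    'Al-Kabir, Abdul Rahmán' and 'abdul rahman al kabir' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.lower())
    return " ".join(cleaned.split())


def similarity(a: str, b: str) -> float:
    """Score two names in [0, 1]. The sequence ratio catches abbreviations
    ('Ramesh K. Sharma'); the token Jaccard index catches reordering
    ('Sharma Ramesh Kumar'). Taking the max keeps both kinds of hit."""
    na, nb = normalize(a), normalize(b)
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb) if ta | tb else 0.0
    return max(seq, jaccard)


@dataclass
class Hit:
    subject: str
    list_name: str
    entry: str
    score: float


def screen(subjects, watchlist=WATCHLIST, threshold=0.85):
    """Return every (subject, list entry) pair scoring at or above the
    threshold. Hits are for analyst review, not automatic rejection."""
    hits = []
    for subject in subjects:
        for list_name, entry in watchlist:
            score = similarity(subject, entry)
            if score >= threshold:
                hits.append(Hit(subject, list_name, entry, round(score, 2)))
    return hits


def screen_merchant(legal_name, beneficial_owners, signatories):
    """Screen the entity and every natural person behind it, as Step 2
    requires: beneficial owners and authorised signatories, not just the
    trading name."""
    return screen([legal_name, *beneficial_owners, *signatories])


if __name__ == "__main__":
    for hit in screen_merchant(
        "Sunrise Retail LLP",
        beneficial_owners=["Ramesh K. Sharma", "Priya Patel"],
        signatories=["Al-Kabir, Abdul Rahmán"],
    ):
        print(f"{hit.subject!r} -> {hit.list_name} / {hit.entry!r} ({hit.score})")
```

Two design points matter when this is run for real. First, the threshold should be tuned against the false-positive rate your review team can absorb; a lower threshold is safer for sanctions lists (where a missed hit is a reporting failure) than for commercial greylists. Second, a hit is only the start of the process: the reviewer still has to confirm identity with date of birth, nationality or identifiers before anything is reported to FIU-IND.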

Step 3: Onboarding policies and merchant screening

Next we carry out a background and antecedent check, which takes the form of an initial screening governed by an internal merchant Onboarding Policy that we define. Our aim here is to verify the nature, purpose and bona fides of a prospective client’s business. We conduct a range of checks, such as licensing/registration checks, credit checks, profit and loss statement checks and balance sheet reviews, based on information we seek directly from the prospective client, together with a review of publicly available information like the merchant’s websites, product listings, end-customer reviews and social media activity, to ascertain business legitimacy. We are also required under law to ascertain whether you are PCI-DSS compliant.

Step 4: Merchant profiling and diligence levels

After these initial checks, we need to classify merchants as low, medium or high risk. The diligence level and the intensity of post-onboarding monitoring we carry out are set accordingly; for example, we need to conduct enhanced due diligence for PEPs, but simplified due diligence for self-help groups. We are also prohibited from servicing some businesses altogether (tobacco, hacking, gambling, weapons, etc.), while others are considered high-risk (pharmaceuticals, matrimony, gaming, security brokers, jewellery, etc.) and require increased monitoring and diligence.

Step 5: Ongoing due diligence

Post onboarding, our due diligence checks continue, so that we can track changes in merchant behaviour that are a cause for concern. For example, a change in merchant website details or an unexpected listing of high-risk products can indicate fraud. Such changes may also call for a review of the merchant’s risk profile and due diligence level.

Step 6: Transaction monitoring

A crucial post-onboarding check is monitoring merchant transactions to spot possible red flags, such as deviations from expected transaction characteristics: total transaction volume, average order value, chargeback frequency, etc. For example, if a merchant exceeds the maximum permitted transaction limits, displays an unusual refund pattern, or we receive multiple end-customer complaints, these are causes for concern. Suspicious transactions (say, those that raise money laundering concerns) and transactions exceeding certain thresholds (e.g. cash transactions above Rs.10L, cross-border wire transfers above Rs.5L) must be reported to FIU-IND by regulated entities.
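The monitoring described above reduces to a rule set run over each merchant’s transactions against the profile declared at onboarding. The following is an added example, not Cashfree’s monitoring system. It checks every transaction against the merchant’s permitted limit and the two statutory reporting thresholds named in the text (Rs.10L cash, Rs.5L cross-border wire), then compares the period’s aggregates (volume, average order value, refund ratio, chargeback rate) with the declared profile. The tolerance values, the merchant profile and the transaction records are constructed for illustration and are not from any real merchant or policy.

```python
from dataclasses import dataclass

LAKH = 100_000  # INR

# Statutory reporting thresholds mentioned in the text (PMLA rules).
CASH_REPORT_THRESHOLD = 10 * LAKH
CROSS_BORDER_WIRE_THRESHOLD = 5 * LAKH

# Illustrative internal policy tolerances (assumptions, not from the page).
VOLUME_TOLERANCE = 1.5       # flag if sales exceed 1.5x the declared monthly volume
AOV_TOLERANCE = 3.0          # flag if average order value is off by more than 3x
MAX_REFUND_RATIO = 0.20      # refunds as a share of sale count
MAX_CHARGEBACK_RATE = 0.01   # chargebacks as a share of sale count


@dataclass
class Txn:
    amount: float
    kind: str                # "sale", "refund" or "chargeback"
    channel: str             # "card", "upi", "cash" or "wire"
    cross_border: bool = False


@dataclass
class MerchantProfile:
    merchant_id: str
    expected_monthly_volume: float    # declared at onboarding
    expected_avg_order_value: float
    per_txn_limit: float              # maximum permitted single transaction


@dataclass
class Flag:
    code: str
    detail: str


def monitor(profile: MerchantProfile, txns: list) -> list:
    """Run one period's transactions for a merchant against its profile and
    return the red flags raised. An empty list means nothing to review."""
    flags = []
    sales = [t for t in txns if t.kind == "sale"]
    refunds = [t for t in txns if t.kind == "refund"]
    chargebacks = [t for t in txns if t.kind == "chargeback"]

    # Per-transaction checks: merchant limit and statutory reporting thresholds.
    for t in txns:
        if t.kind == "sale" and t.amount > profile.per_txn_limit:
            flags.append(Flag("OVER_LIMIT", f"{t.amount:.0f} exceeds limit {profile.per_txn_limit:.0f}"))
        if t.channel == "cash" and t.amount > CASH_REPORT_THRESHOLD:
            flags.append(Flag("CASH_THRESHOLD", f"cash {t.amount:.0f} above Rs.10L; report to FIU-IND"))
        if t.channel == "wire" and t.cross_border and t.amount > CROSS_BORDER_WIRE_THRESHOLD:
            flags.append(Flag("CROSS_BORDER_THRESHOLD", f"cross-border wire {t.amount:.0f} above Rs.5L; report to FIU-IND"))

    if not sales:
        return flags  # no denominator for the ratio checks below

    # Aggregate checks against the declared profile.
    volume = sum(t.amount for t in sales)
    if volume > VOLUME_TOLERANCE * profile.expected_monthly_volume:
        flags.append(Flag("VOLUME_DEVIATION", f"volume {volume:.0f} vs declared {profile.expected_monthly_volume:.0f}"))
    avg = volume / len(sales)
    if avg > AOV_TOLERANCE * profile.expected_avg_order_value or avg < profile.expected_avg_order_value / AOV_TOLERANCE:
        flags.append(Flag("AOV_DEVIATION", f"average order {avg:.0f} vs declared {profile.expected_avg_order_value:.0f}"))
    refund_ratio = len(refunds) / len(sales)
    if refund_ratio > MAX_REFUND_RATIO:
        flags.append(Flag("REFUND_RATIO", f"{refund_ratio:.0%} of sales refunded"))
    chargeback_rate = len(chargebacks) / len(sales)
    if chargeback_rate > MAX_CHARGEBACK_RATE:
        flags.append(Flag("CHARGEBACK_RATE", f"{chargeback_rate:.0%} of sales charged back"))
    return flags


def flag_codes(profile: MerchantProfile, txns: list) -> list:
    """Just the flag codes, for dashboards or tests."""
    return [f.code for f in monitor(profile, txns)]


# Constructed sample profile and one month of activity (not real merchant data).
PROFILE = MerchantProfile("M-1001", expected_monthly_volume=20 * LAKH,
                          expected_avg_order_value=2_000, per_txn_limit=1 * LAKH)
SAMPLE_TXNS = [
    Txn(1_800, "sale", "upi"),
    Txn(2_200, "sale", "card"),
    Txn(150_000, "sale", "card"),                       # above the per-transaction limit
    Txn(12 * LAKH, "sale", "cash"),                     # cash above Rs.10L
    Txn(6 * LAKH, "sale", "wire", cross_border=True),   # cross-border wire above Rs.5L
    Txn(2_200, "refund", "card"),
    Txn(1_800, "refund", "upi"),
    Txn(1_800, "chargeback", "card"),
]

if __name__ == "__main__":
    for flag in monitor(PROFILE, SAMPLE_TXNS):
        print(f"{PROFILE.merchant_id}: {flag.code} - {flag.detail}")
```

The statutory threshold flags and the profile-deviation flags are deliberately kept separate: the former carry a reporting obligation with a deadline regardless of how the analyst judges the merchant, while the latter feed the risk re-profiling described under Steps 4 and 5. Running the same rules over a merchant whose activity matches its declared profile returns no flags, which is the property to test when tuning the tolerances.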

Step 7: Record-keeping and Internal Governance requirements

Next, we keep records of all merchant transactions and identity documents, normally for at least 5 years. These must be provided to the authorities on request, for example during an investigation. There are also numerous internal governance mandates to ensure effective implementation of these requirements, such as dedicated internal committees, internal audits, periodic risk assessments and adequate employee training. A Designated Director and a Principal Officer, who have specific reporting obligations under the PMLA, must also be appointed.

Step 8: Periodic Updates 

Lastly, we need to update both merchant risk profiles and KYC periodically. As per law, we must update merchant KYC at least once every 2 years for high-risk, 8 years for medium-risk and 10 years for low-risk merchants. The ongoing due diligence checks also aid us with this.

List of Abbreviations

  1. AMFI - Association of Mutual Funds in India
  2. AoA - Articles of Association
  3. BBPS - Bharat Bill Payment System
  4. BIS - Bureau of Indian Standards
  5. CBI - Central Bureau of Investigation
  6. CBIC - Central Board of Indirect Taxes and Customs
  7. CBSE - Central Board of Secondary Education
  8. CDD - Customer Due Diligence
  9. CIN - Corporate Identification Number
  10. CoI - Certificate of Incorporation
  11. CoR - Certificate of Registration
  12. DGFT - Directorate General of Foreign Trade
  13. DGFT’s HBP - DGFT’s Handbook of Procedures
  14. DIN - Director Identification Number
  15. DL - Driving Licence
  16. DLP - Digital Lending Platforms
  17. DMT - Domestic Money Transfer
  18. EPIC - Electors Photo Identity Card
  19. FCRA - The Foreign Contribution (Regulation) Act
  20. FFMC - Full Fledged Money Changers
  21. FIU-IND - Financial Intelligence Unit - India
  22. GST - Goods and Services Tax
  23. GSTIN - Goods and Services Tax Identification Number
  24. IATA - International Air Transport Association
  25. IATO - Indian Association of Tour Operators
  26. IEC - Import Export Code
  27. IRDA - Insurance Regulatory and Development Authority
  28. ISIL - Islamic State of Iraq and the Levant
  29. IT - Income Tax
  30. ITC-HS - Indian Trade Classification based on Harmonized System of Coding
  31. KYC - Know Your Customer
  32. LoB - Line of Business
  33. LLP - Limited Liability Partnership
  34. Master KYC Direction - Master Direction – Know Your Customer (KYC) Direction, 2016
  35. MCA - Ministry of Corporate Affairs
  36. MHA - Ministry of Home Affairs
  37. MLM Cos - Multi-Level Marketing Companies
  38. MoA - Memorandum of Association
  39. MORTH - Ministry of Road Transport and Highways
  40. NBFC - Non-Banking Financial Company
  41. NBFC-AFC - NBFC Asset Finance Company
  42. NBFC-MFI - NBFC Micro Finance Institution
  43. NBFC-P2P - NBFC Peer-to-Peer Lending Platform
  44. NCAGR - North Carolina Department of Agriculture and Consumer Services
  45. NGO - Non-Governmental Organization
  46. NPCI - National Payments Corporation of India
  47. NSDL - National Securities Depository Ltd.
  48. NSE - National Stock Exchange
  49. OCR - Optical Character Recognition
  50. OVD - Officially Valid Document
  51. PA - Payment Aggregator
  52. PAN - Permanent Account Number
  53. PEP - Politically Exposed Person
  54. PMLA - Prevention of Money Laundering Act, 2002
  55. PoA - Power of Attorney
  56. PPI - Prepaid Payment Instruments
  57. RBI - Reserve Bank of India
  58. RBI PA Guidelines - Guidelines on Regulation of Payment Aggregators and Payment Gateways
  59. RNG - Random Number Generator
  60. SaaS - Software-as-a-Service
  61. SEBI - Securities and Exchange Board of India
  62. STPI - Software Technology Parks of India
  63. TIN - Tax Information Network
  64. UIDAI - Unique Identification Authority of India
  65. UIN - Unique Identification Number
  66. UNSCR - United Nations Security Council Resolution
  67. WMD - Weapons of Mass Destruction