As a payment aggregator (‘PA’), when we on-board merchants, we need to address certain risks that arise, like fraud, excessive chargebacks, money laundering, tax evasion, etc. For this, regulatory guidelines and applicable laws require us to adopt several precautionary measures, including the Know-Your-Customer (‘KYC’) and merchant due diligence procedures. We thus carry out a range of checks for merchants, which start prior to onboarding and continue until the end of your relationship with us. The processes discussed may be replicated by financial service entities or any other businesses that would want to onboard merchants onto their platform — both to comply with regulations and to mitigate risk.
What is KYC?
Regulated financial institutions like banks, PAs, investment companies, etc., conduct KYC whenever a client attempts to open an account with them or onboards with them (e.g. the KYC process you undertake when opening a bank account). A client may be an individual or a legal entity. The aim is to establish the client’s identity, address and legitimacy by verifying its key documents. In combination with due diligence and other mandated checks, these allow us to, for example, identify potential fraudsters and shell companies, detect money laundering, etc. (Related Read: Challenges of tackling merchant fraud). Often non-regulated entities, like an online marketplace for example, also need to perform a full or partial KYC as a precaution. These checks are a step towards securing not only ourselves, but also the end-customers and the financial system as a whole.
As PAs we can service a range of businesses: e-commerce marketplaces; financial services like lending, wealth management, credit management, payments, insurance, etc.; edtech; healthtech; digital entertainment and streaming services like video, music and gaming; subscription businesses such as SaaS companies; hospitality and transportation services like taxi aggregators, hotel booking aggregators, vehicle rentals, etc. The checks we undertake thus vary from business to business, particularly based on the merchant’s legal form and line of business.
The Complete KYC Procedure
The Reserve Bank of India’s (‘RBI’) Master KYC Direction, the RBI PA Guidelines and the Prevention of Money Laundering Act, 2002 (the ‘PMLA’), among others, together require the following eight-stage process:
Step 1: The KYC document check or CDD process
The first stage is the KYC document check, or the Customer Due Diligence (‘CDD’) process. It can take one or more of the following forms:
- Individual KYC: When you are a merchant who is an individual (e.g. a sole proprietor), we carry out a ‘KYC’ process, or CDD, for an individual. Broadly, we verify your identity via an ‘Officially Valid Document’ or OVD check (identity documents like Aadhaar, passport, driving licence, etc.), individual PAN verification, and if necessary a current address proof check (utility bills, etc.). We can also ask for more documents to verify your financial/business status, say your business registration documents.
- Business KYC: When you are a business partner we are onboarding, we carry out a Business KYC process, or CDD, for a business. Here we replace the OVD check with an ‘entity-proof’ check. This again differs based on what type of entity you are legally. For example, if you are a company, we need to verify your certificate of incorporation, memorandum and articles of association, etc. If you are a trust or partnership, on the other hand, we will need your trust/partnership deed, registration certificates, etc. Once we’ve verified your licensing/registration, we need to ascertain that the officer/employee transacting with us on your behalf has the authority from you to do so. For this we need your relevant Board resolutions, power of attorney, etc. Next we need your Business PAN, and address proof (GST) if your licensing/registration documents don’t reflect your current address. We also need to conduct ‘beneficial owner’ checks, i.e. we need to verify who has actual ownership/control, like the directors, shareholders, etc., and carry out the ‘KYC’ process separately for them. We also verify numerous other documents for due diligence processes (discussed below).
- Platform KYC: Lastly, depending on your line of business, you may yourself have on-boarded end-merchants. In turn, you may be required to carry out a KYC or verification process for them as well, whether under regulations that apply to you or as an additional diligence measure. A supplementary check you can carry out here is bank account verification, a tool to help you ascertain the validity of the bank accounts of the end-merchants you on-board.
Methods of verifying the documents also vary, from the traditional physical check (original seen and verified, in-person verification) to digital checks such as digital document and signature checks (eKYC, DigiLocker, etc.), API-based verification, Digital KYC and Video KYC procedures, which are being introduced to ease the process and replace earlier physical checks. For us as a PA, relaxations are also being brought into the CDD process, allowing us to rely on the KYC you have already undergone while opening accounts with your bank. In another welcome move, the RBI has extended the Central KYC Registry to legal entities, introducing a new mode of digital KYC for businesses via a KYC identifier (previously this was only allowed for individuals).
Step 2: Verification against sanction and PEP lists
Next, we need to verify the names of our clients and their beneficial owners against certain lists, like national and international terrorist lists, or ‘Politically Exposed Persons’ (PEP) lists. If a name matches a sanctions list, we also need to report this to the Financial Intelligence Unit of India (‘FIU-IND’). Along with these, we verify numerous other lists, like blacklists, greylists and defaulter lists for companies, directors, etc. issued by banks, the Ministry of Corporate Affairs, the Securities and Exchange Board of India, the Enforcement Directorate, the Office of Foreign Assets Control (U.S.), etc. (for a detailed list please see Appendix II below). These checks aid us in the fight against terrorism and money laundering, and also help us define risk levels for a specific client.
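As an added illustration of the screening described in this step (this is example code written for this page, not the article's own or any PA's production logic), the following Python sketch normalises names, compares them against constructed sanctions and PEP watch-lists, and derives the action the step implies: a sanctions hit is blocked and reported to FIU-IND, a PEP hit is routed to enhanced due diligence. The watch-list names are made up for the example and are not real list entries; the 0.85 similarity threshold, the honorific list and the mix of character-level and token-level similarity are assumptions for illustration. It screens the legal name and every beneficial owner, since Step 1 requires KYC on both.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-lists for this example only; NOT real sanctions or PEP entries.
WATCHLISTS = {
    "sanctions": ["Example Terror Org", "Jon Doe-Example"],
    "pep": ["Rahul Examplekumar"],
}

# Honorifics dropped before matching (assumed list; extend per market).
HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt"}


def normalise(name: str) -> str:
    """Fold accents, lower-case, strip punctuation and honorifics, and sort the
    tokens so that 'Doe, Jon' and 'Jon Doe' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    tokens = [t for t in cleaned.split() if t not in HONORIFICS]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Best of character-level ratio and token-set Jaccard on normalised names,
    so both spelling variants and re-ordered name parts are caught."""
    na, nb = normalise(a), normalise(b)
    char_ratio = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    return max(char_ratio, jaccard)


def screen(name: str, threshold: float = 0.85) -> list:
    """Return every watch-list entry scoring at or above the threshold."""
    hits = []
    for list_name, entries in WATCHLISTS.items():
        for entry in entries:
            score = similarity(name, entry)
            if score >= threshold:
                hits.append({"list": list_name, "entry": entry, "score": round(score, 2)})
    return hits


def screen_merchant(merchant: dict) -> tuple:
    """Screen the legal name and each beneficial owner; the strictest hit decides."""
    subjects = [merchant["legal_name"]] + merchant.get("beneficial_owners", [])
    results = {subject: screen(subject) for subject in subjects}
    lists_hit = {hit["list"] for hits in results.values() for hit in hits}
    if "sanctions" in lists_hit:
        action = "BLOCK_AND_REPORT_FIU_IND"   # sanctions match: report to FIU-IND
    elif "pep" in lists_hit:
        action = "ENHANCED_DUE_DILIGENCE"     # PEP match: EDD per Step 4
    else:
        action = "CLEAR"
    return action, results


# Constructed merchant record for the demo.
SAMPLE_MERCHANT = {
    "legal_name": "Acme Widgets Pvt Ltd",
    "beneficial_owners": ["Mr. Rahul Examplekumar", "Priya Nobody"],
}

if __name__ == "__main__":
    action, results = screen_merchant(SAMPLE_MERCHANT)
    print(action)
    for subject, hits in results.items():
        print(f"  {subject!r}: {hits or 'no match'}")
```

Because the beneficial owner "Mr. Rahul Examplekumar" normalises to the same token string as the PEP entry, the merchant is routed to enhanced due diligence even though its legal name is clean; a real screening engine would add transliteration and alias handling on top of this.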
Step 3: Onboarding policies and merchant screening
Next we carry out a background and antecedent check, which takes the form of an initial screening and for which we define an internal merchant Onboarding Policy. Our aim here is to verify the nature, purpose and bona fides of a prospective client’s business. We conduct a range of checks such as licensing/registration checks, credit checks, profit and loss statement checks, balance sheet reviews, etc., based on information we seek directly from the prospective client, together with publicly available information like the merchant’s websites, product listings, end-customer reviews, social media activity, etc., to ascertain business legitimacy. We are also required under law to ascertain whether you are PCI-DSS compliant.
Step 4: Merchant profiling and diligence levels
After these initial checks, we need to classify merchants as low, medium or high risk. The diligence levels and the post-onboarding monitoring we carry out are defined based on this; for example, we need to conduct enhanced due diligence for PEPs but simplified due diligence for self-help groups. Also, we are prohibited from servicing some businesses altogether (tobacco, hacking, gambling, weapons, etc.), while others are considered high-risk (pharmaceuticals, matrimony, gaming, security brokers, jewellery, etc.) and require increased monitoring and diligence.
Step 5: Ongoing due diligence
Post onboarding, our due diligence checks will continue to keep track of any changes in merchant behaviour that are a cause for concern. For example, a change in merchant website details or an unexpected listing of high-risk products can indicate fraud. These may also call for reviewing merchant risk profiles and due diligence levels.
Step 6: Transaction monitoring
A crucial post-onboarding check is monitoring merchant transactions to spot possible red flags, such as deviations from expected transaction characteristics: expected total transaction volume, average order value, chargeback frequency, etc. For example, if a merchant exceeds the maximum permitted transaction limits, displays an unusual refund pattern, or we receive multiple end-customer complaints, these are causes for concern. Suspicious transactions (say, those which raise money laundering concerns) and transactions exceeding certain thresholds (e.g. cash transactions above Rs.10L, cross-border wire transfers above Rs.5L) must be reported to FIU-IND by regulated entities.
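To make the monitoring rules of this step concrete, here is an added Python example (written for this page; not the article's or any PA's production logic) that runs the red flags named above over a handful of constructed transactions. The Rs.10L cash and Rs.5L cross-border wire reporting thresholds are the figures stated in the text; the per-merchant permitted volume, expected average order value, the 20% refund-ratio limit, the 3x AOV deviation factor and the complaint count are assumptions chosen for illustration and would in practice come from the merchant's risk profile in Step 4.

```python
from collections import defaultdict
from dataclasses import dataclass

LAKH = 100_000  # Rs.1 lakh

# Reporting thresholds as stated in the article (reportable to FIU-IND).
CASH_REPORT_THRESHOLD = 10 * LAKH
CROSS_BORDER_WIRE_THRESHOLD = 5 * LAKH

# Assumed behavioural parameters; in practice set per merchant risk tier.
REFUND_RATIO_LIMIT = 0.20      # refunded amount / captured volume in the period
AOV_DEVIATION_FACTOR = 3.0     # observed AOV vs. expected AOV at onboarding
COMPLAINT_LIMIT = 3            # end-customer complaints in the period

# Constructed per-merchant expectations (would be recorded at onboarding).
PROFILES = {
    "MERCHANT_A": {"max_period_volume": 20 * LAKH, "expected_aov": 2_000},
    "MERCHANT_B": {"max_period_volume": 5 * LAKH, "expected_aov": 1_500},
}


@dataclass
class Txn:
    merchant: str
    kind: str                  # "capture", "refund", "cash" or "wire"
    amount: int                # INR
    cross_border: bool = False


def transaction_level_flags(txns):
    """Threshold rules that fire on a single transaction."""
    flags = []
    for t in txns:
        if t.kind == "cash" and t.amount > CASH_REPORT_THRESHOLD:
            flags.append((t.merchant, "CASH_ABOVE_10L_REPORT"))
        if t.kind == "wire" and t.cross_border and t.amount > CROSS_BORDER_WIRE_THRESHOLD:
            flags.append((t.merchant, "CROSS_BORDER_WIRE_ABOVE_5L_REPORT"))
    return flags


def merchant_level_flags(txns, complaints, profiles):
    """Behavioural rules computed over the period's aggregates per merchant."""
    captures, refunds = defaultdict(list), defaultdict(int)
    for t in txns:
        if t.kind == "capture":
            captures[t.merchant].append(t.amount)
        elif t.kind == "refund":
            refunds[t.merchant] += t.amount

    flags = defaultdict(list)
    for merchant, profile in profiles.items():
        volume = sum(captures[merchant])
        if volume > profile["max_period_volume"]:
            flags[merchant].append("VOLUME_LIMIT_EXCEEDED")
        if volume and refunds[merchant] / volume > REFUND_RATIO_LIMIT:
            flags[merchant].append("UNUSUAL_REFUND_RATIO")
        if captures[merchant]:
            aov = volume / len(captures[merchant])
            if aov > AOV_DEVIATION_FACTOR * profile["expected_aov"]:
                flags[merchant].append("AOV_DEVIATION")
        if complaints.get(merchant, 0) >= COMPLAINT_LIMIT:
            flags[merchant].append("MULTIPLE_CUSTOMER_COMPLAINTS")
    return dict(flags)   # only merchants with at least one flag appear


def monitor(txns, complaints, profiles):
    """Combine both rule families into one review payload."""
    return {
        "transaction_flags": transaction_level_flags(txns),
        "merchant_flags": merchant_level_flags(txns, complaints, profiles),
    }


# Constructed sample period: MERCHANT_A behaves as profiled apart from one large
# cash transaction; MERCHANT_B breaches every behavioural rule.
SAMPLE_TXNS = [
    Txn("MERCHANT_A", "capture", 2_500),
    Txn("MERCHANT_A", "capture", 1_800),
    Txn("MERCHANT_A", "refund", 300),
    Txn("MERCHANT_A", "cash", 12 * LAKH),
    Txn("MERCHANT_B", "capture", 3 * LAKH),
    Txn("MERCHANT_B", "capture", 3 * LAKH),
    Txn("MERCHANT_B", "refund", 2 * LAKH),
    Txn("MERCHANT_B", "wire", 6 * LAKH, cross_border=True),
]
SAMPLE_COMPLAINTS = {"MERCHANT_B": 4}

if __name__ == "__main__":
    for key, value in monitor(SAMPLE_TXNS, SAMPLE_COMPLAINTS, PROFILES).items():
        print(key, value)
```

Each flag is a prompt for review rather than an automatic verdict: the transaction-level flags correspond to the reporting obligations the text describes, while the merchant-level flags feed the risk-profile review and due diligence levels of Steps 4 and 5.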
Step 7: Record-keeping and Internal Governance requirements
Next, we keep records of all merchant transactions and identity documents, normally for at least 5 years. These need to be provided to authorities upon request, such as for an investigation. There are also numerous internal governance mandates to ensure effective implementation of requirements, like dedicated internal committees, internal audits, periodic risk assessments and adequate employee training. A Designated Director and a Principal Officer, who have specific reporting obligations under the PMLA, must also be appointed.
Step 8: Periodic Updates
Lastly, we need to update both merchant risk profiles and KYC periodically. As per law, we must update merchant KYC every 10 (low risk), 8 (medium risk) and 2 (high risk) years. The ongoing due diligence checks also aid us with this.
List of Abbreviations
- AMFI - Association of Mutual Funds in India
- AoA - Articles of Association
- BBPS - Bharat Bill Payment System
- BIS - Bureau of Indian Standards
- CBI - Central Bureau of Investigation
- CBIC - Central Board of Indirect Taxes and Customs
- CBSE - Central Board of Secondary Education
- CDD - Customer Due Diligence
- CIN - Corporate Identification Number
- CoI - Certificate of Incorporation
- CoR - Certificate of Registration
- DGFT - Directorate General of Foreign Trade
- DGFT’s HBP - DGFT’s Handbook of Procedures
- DIN - Director Identification Number
- DL - Driving Licence
- DLP - Digital Lending Platforms
- DMT - Domestic Money Transfer
- EPIC - Electors Photo Identity Card
- FCRA - The Foreign Contribution (Regulation) Act
- FFMC - Full Fledged Money Changers
- FIU-IND - Financial Intelligence Unit - India
- GST - Goods and Services Tax
- GSTIN - Goods and Services Tax Identification Number
- IATA - International Air Transport Association
- IATO - Indian Association of Tour Operators
- IEC - Import Export Code
- IRDA - Insurance Regulatory and Development Authority
- ISIL - Islamic State of Iraq and the Levant
- IT - Income Tax
- ITC-HS - Indian Trade Classification based on Harmonized System of Coding
- KYC - Know Your Customer
- LoB - Line of Business
- LLP - Limited Liability Partnership
- Master KYC Direction - Master Direction – Know Your Customer (KYC) Direction, 2016
- MCA - Ministry of Corporate Affairs
- MHA - Ministry of Home Affairs
- MLM Cos - Multi-Level Marketing Companies
- MoA - Memorandum of Association
- MORTH - Ministry of Road Transport and Highways
- NBFC - Non-Banking Financial Company
- NBFC-AFC - NBFC Asset Finance Company
- NBFC-MFI - NBFC Micro Finance Institution
- NBFC-P2P - NBFC Peer-to-Peer Lending Platform
- NCAGR - North Carolina Department of Agriculture and Consumer Services
- NGO - Non-Governmental Organization
- NPCI - National Payments Corporation of India
- NSDL - National Securities Depository Ltd.
- NSE - National Stock Exchange
- OCR - Optical Character Recognition
- OVD - Officially Valid Document
- PA - Payment Aggregator
- PAN - Permanent Account Number
- PEP - Politically Exposed Person
- PMLA - Prevention of Money Laundering Act, 2002
- PoA - Power of Attorney
- PPI - Prepaid Payment Instruments
- RBI - Reserve Bank of India
- RBI PA Guidelines - Guidelines on Regulation of Payment Aggregators and Payment Gateways
- RNG - Random Number Generator
- SaaS - Software-as-a-Service
- SEBI - Securities and Exchange Board of India
- STPI - Software Technology Parks of India
- TIN - Tax Information Network
- UIDAI - Unique Identification Authority of India
- UIN - Unique Identification Number
- UNSCR - United Nations Security Council Resolution
- WMD - Weapons of Mass Destruction