The current situation highlights a gap between India's success in building large-scale digital systems and the reality of a smooth financial experience for users. The ambition of CKYC to act as a unified identity layer, similar to UPI's impact on payments, is significantly hindered by complex regulations and operational issues.
Why Rules Force Banks to Repeat Checks
The core issue stems from global anti-money laundering (AML) standards, enforced in India through laws like the Prevention of Money Laundering Act. These rules require each financial institution to conduct its own independent customer due diligence. This means banks, insurers, and fintech companies cannot fully rely on a central system like CKYC. They must still perform their own checks, leading to customers repeating identity verification. Each institution remains legally accountable for its own customer onboarding, regardless of what's in a central record.
CKYC Data Gaps and Slow Adoption
While CERSAI manages the central CKYC database, its adoption and integration across India's varied financial sector are inconsistent. Data quality is a major issue, with varying completeness and different requirements from various regulators. A significant hurdle is the poor interoperability between CKYC and other vital data sources, such as those managed by SEBI-registered Key Information Registrars (KRAs). For instance, data related to non-individuals (like companies) still exists separately, without clear paths for inclusion in CKYC. Consequently, many institutions find it easier and safer for compliance to re-verify customers rather than navigating the complex process of integrating with the existing CKYC infrastructure.
Beyond Compliance: Banks Use KYC for Data
Beyond its regulatory purpose, the repeated collection of KYC data serves a commercial aim for financial firms. In today's digital economy, customer data is highly valuable. These repeated checks allow companies to update customer profiles, improve their risk models, and gather insights for targeted marketing and cross-selling. While not a deliberate design flaw, this practice means the KYC framework unintentionally aids data enrichment. However, it also increases the risk of data breaches, identity misuse, and fraud, as sensitive personal and financial information is scattered across numerous institutions. This fragmentation creates vulnerabilities that even strong data protection laws may struggle to fully prevent in practice.
System Risks: Data Overreach and User Fatigue
India's digital public infrastructure, including Aadhaar, DigiLocker, and CKYC, is recognized globally. However, CKYC's disconnected implementation reveals systemic weaknesses. Unlike some integrated digital identity systems in Western countries that use federated models or blockchain for better privacy, India's framework faces challenges. These include legal limits on Aadhaar use and DigiLocker's role as mainly a document storage service, not a verification engine. Furthermore, storing sensitive KYC data across multiple entities heightens the risk of commercial exploitation, leading to more spam, fraud, and data leaks. The Digital Personal Data Protection Act of 2023 aims to improve safeguards, but its effectiveness depends on strict enforcement. The current system can feel like overreach, causing 'KYC fatigue' among users, where the effort of verification doesn't match the transaction's perceived risk. Without a fully interoperable, standardized CKYC system and unified regulations, the system remains open to misuse and inefficiency.
The Way Forward: Deeper Integration Needed
Experts and industry players largely agree that CKYC needs deeper integration and standardization to overcome its current issues. Essential steps include creating a fully interoperable CKYC framework, standardizing KYC rules for all regulators, enabling real-time updates of customer records, and seamless integration with platforms like Aadhaar and DigiLocker. Strong data governance and privacy protections are equally critical. This will require greater institutional trust in shared digital infrastructure and aligned regulatory requirements. Until these foundational elements are in place, India's advanced digital identity systems will remain underused, and users will continue to face repetitive verification, missing the convenience that was promised.