India has built one of the most sophisticated digital identity systems in the world. You can open a bank account without visiting a branch. You can invest, trade, insure, borrow, all from your phone.
Your identity, at least in theory, is verified once and usable everywhere. And yet, in practice, the experience feels very different.
You open a bank account and complete your KYC. Then you invest in a mutual fund, KYC again. You sign up on a fintech app, KYC again.
Months later, you are asked to . For millions of Indians, identity verification has quietly turned into a repetitive, never-ending process.
At the centre of this contradiction lies a system that was meant to fix it all — Central Know Your Customer, or CKYC.
CKYC was introduced to solve one of the most basic
Instead of submitting identity documents separately to every bank, insurer, mutual fund or broker, a user would complete KYC once. That information would be stored in a central registry managed by CERSAI, and institutions could access it using a unique 14-digit CKYC number.
A PwC report notes that the objective was to create a single, standardised KYC record that could be reused across the entire financial ecosystem, reducing paperwork, improving efficiency, and making onboarding faster.
In simple terms, CKYC was meant to do for identity what UPI did for payments — create a common, interoperable layer.
But unlike UPI, CKYC has not delivered that seamless experience.
To understand why duplication persists, it helps to first understand why KYC exists at all.
“KYC has effectively become the entry point to the formal financial system,” said Mayank Arora, Partner at The Chambers of Bharat Chugh.
He explained that KYC requirements come from global anti-money laundering standards set by the Financial Action Task Force, which India follows through laws like the Prevention of Money Laundering Act and sectoral regulations.
Over time, the scope of KYC has expanded.
What started with banks now includes:
mutual funds, insurance companies, stock brokers, fintech platforms, digital wallets
As the financial system digitised, regulators extended KYC requirements to ensure traceability, reduce fraud, and maintain oversight.
But this expansion also created a new problem, repetition.
This is where theory and reality diverge.
Even though CKYC exists, institutions cannot simply rely on it.
“The law does not permit an entity to rely entirely on another institution’s verification,” Arora said. “Each entity must conduct its own due diligence, maintain its own records, and remain accountable if something goes wrong.”
This is a fundamental design feature of the system.
Every bank, insurer or platform is independently responsible for:
verifying customer identity, storing KYC records, ensuring compliance
So even if your KYC exists in a central registry, the institution onboarding you still needs to validate it.
That is why the same documents are often collected again.
CKYC, in principle, should still reduce duplication. But in practice, several structural issues limit its effectiveness.
“CKYC was conceived to eliminate duplication,” Arora said. “However, data quality and completeness remain inconsistent, and different regulators require different levels of information.”
The PwC report echoes this gap between design and execution.
It points out that while CKYC has created a central repository, its adoption across sectors remains uneven, and integration with other KYC systems is still incomplete.
Some of the key challenges include:
inconsistent or outdated customer records
lack of standardisation across regulators
limited interoperability between systems
operational delays in updating KYC data
In many cases, institutions find it easier, and safer from a compliance standpoint, to simply redo KYC rather than rely on existing records.
India’s digital public infrastructure story is often seen as a global benchmark.
Aadhaar enables identity verification.
DigiLocker enables document sharing.
CKYC enables centralised storage.
So why don’t these systems work together seamlessly?
The answer lies within legal, technical and regulatory boundaries.
Aadhaar-based KYC, for instance, is subject to restrictions following Supreme Court rulings. Its use is not universal across all sectors.
DigiLocker, while useful, is only a document repository — it does not validate identity in itself.
CKYC, meanwhile, is a registry — but not a fully integrated verification system.
The PwC report highlights that a truly unified KYC system would require deep integration across these platforms, along with standardised protocols and regulatory alignment.
“The unavailability of a link between the CERSAI’s CKYC system and Sebi-registered KRAs is perceived as the main reason for complications and a slower than envisaged rate of implementation. The data about non-individuals still rests with SEBI and there are no guidelines yet on how this data is to be included in the CKYC repository,” said PwC.
That integration is still evolving.
There is also a commercial dimension to KYC that often goes unnoticed.
“KYC is not just a compliance exercise,” Arora said. “It is also a way to collect data, demographics, behaviour patterns, which can be used for profiling and cross-selling.”
In a digital economy, customer data has become a valuable asset.
Repeated KYC allows institutions to:
update customer profiles
refine risk models
build marketing insights
This does not mean duplication is intentional — but it does mean KYC serves more than one purpose.
It helps track transactions, identify suspicious behaviour, create audit trails.
But it is not a complete solution.
“Mule accounts, identity misuse and organised fraud continue to operate within the KYC framework,” Arora said. “In some cases, KYC data itself becomes a target for misuse.”
This reflects a broader reality — KYC improves traceability, but does not eliminate risk.
In fact, as more institutions collect sensitive data, the system itself becomes more complex — and potentially more vulnerable.
For users, the issue is not policy — it is experience.
KYC has become repetitive, time-consuming and often confusing.
“Is India overdoing KYC? I think yes,” Arora said.
He pointed out that in many cases, the level of verification demanded may not always match the risk of the transaction.
This leads to what many users now experience as KYC fatigue — a sense that the system is asking for the same information again and again without clear justification.
Repeated KYC also raises deeper concerns about data protection.
Every time a user completes KYC, they share:
identity documents
addresses
financial details
And this data is stored across multiple institutions.
“Commercial exploitation of KYC data can lead to data leaks, spam and increased vulnerability to fraud,” Arora warned.
The more fragmented the system, the greater the surface area for potential misuse.
While India has introduced the Digital Personal Data Protection Act, 2023, its effectiveness will depend on how well institutions implement safeguards in practice.
The problem is not KYC itself.
It is how it is implemented.
Both experts and industry reports point in the same direction — integration and standardisation.
According to PwC, a more effective system would involve:
a fully interoperable CKYC framework
standardised KYC requirements across regulators
real-time updating of customer records
seamless integration with Aadhaar and DigiLocker
strong data governance and privacy safeguards
Arora agrees.
“A centralised system like CKYC needs stronger standardisation and data quality protocols so that it can truly be used across entities,” he said.
The goal is not to remove KYC — but to make it portable, reliable and trusted across the ecosystem.
India has already shown that it can build population-scale digital systems.
UPI transformed payments, Aadhaar transformed identity, CKYC was meant to transform verification.
But until institutions begin to trust shared infrastructure, and regulators align their frameworks, the burden of proving identity will remain with the user.
India may have built the rails for one-time identity verification, but until the system learns to use them, KYC will remain less about convenience and more about repetition — one form, one upload, one verification at a time.