Cyber Criminals & KYC Scams: Know the Threat, Know Your Right


Author: Urmika Manjrekar, G J Advani Law College, Mumbai, Maharashtra

Introduction

Know Your Customer (KYC) is a due diligence procedure conducted by organizations to authenticate client identities, ensuring compliance with regulatory requirements and effective risk management and the prevention of financial crimes, particularly in industries such as banking and finance.


KYC procedures involve verifying customers’ identities to ensure they are who they claim to be and that their transactions do not involve any illicit or suspicious activity. KYC fraud detection measures are designed to protect businesses from potential financial losses resulting from fraud, money laundering, and terrorist financing. These solutions equip enterprises with the necessary tools to efficiently detect, investigate, and mitigate fraudulent activities by verifying customer identities and analyzing potentially suspicious transactions.

Organizations can mitigate risk exposure and prevent financial losses by implementing robust KYC fraud detection measures. These measures also help ensure compliance with applicable laws, regulations, and internal policies, thereby avoiding costly legal violations. As a critical component of an organization’s financial compliance program, KYC fraud detection adopts a proactive approach to identifying and preventing fraudulent activities. By utilizing effective KYC fraud detection systems and procedures, organizations can verify the legitimacy of their clients and safeguard the integrity of their transactions. KYC fraud detection systems are designed to identify various types of fraudulent activities, including money laundering, identity theft, and other financial crimes.


Abstract


This article explores the growing risk of fraud in KYC processes as digital interactions increase. Cybercriminals exploit KYC procedures through phishing emails or fraudulent websites that mimic trusted platforms, tricking individuals into revealing sensitive information such as names, addresses, social security numbers, and financial data. This stolen information is then used for identity theft, financial fraud, and other cybercrimes.


These scams typically request personal details such as names, addresses, phone numbers, social security numbers, and financial data. Once obtained, this information is used for illegal activities, including identity theft and unauthorized transactions.


KYC scams typically involve unsolicited communications via SMS, calls, or emails, employing coercive tactics such as threats, urgency, and imposed deadlines to induce compliance.


Applicable Legislation under Indian Jurisprudence:


To combat such fraudulent activities, including KYC scams, fraudulent calls, and counterfeit websites, Indian jurisprudence relies on key legal instruments with specific provisions targeting cybercrimes, cheating, and fraud:
Information Technology Act, 2000 (IT Act)
Bharatiya Nyaya Sanhita (BNS), 2024
Payment and Settlement Systems Act, 2007
The Consumer Protection Act, 2019
Prevention of Money Laundering Act, 2002 (PMLA)

Information Technology Act, 2000 (IT Act)

Section 66D of the Information Technology Act, 2000, criminalizes the act of impersonating another person using computer resources or communication devices with the intent to deceive, induce, or mislead, resulting in harm, loss, or an unlawful gain.


Under Section 66C, the fraudulent or dishonest use of another person’s password, electronic signature, or any other unique identification feature is punishable by imprisonment of up to three years and a fine of up to one lakh rupees.

Section 43 of the IT Act imposes penalties and liability for unauthorized access, damage, or alteration of computer systems or data, along with compensation for any resulting loss or damage.

Bharatiya Nyaya Sanhita (BNS) – or the Indian Justice Code
The Bharatiya Nyaya Sanhita (BNS), superseding the Indian Penal Code (IPC), came into force on July 1, 2024, as the principal criminal statute governing offenses in India.
Section 317 – Cheating and Dishonest Inducement to Deliver Property (Equivalent to IPC Section 420)
Key Elements:
Deception with fraudulent intent.
Dishonest inducement to transfer property or alter security.
Results in wrongful gain or loss.
Example:
A scammer impersonates a bank official and deceives a victim into sharing an OTP, leading to unauthorized fund transfers.
Penalty:
Imprisonment of up to 7 years, or a fine.


Section 316 (BNS) – Criminal Breach of Trust
Whoever, being entrusted with property or having dominion over it, dishonestly misappropriates, converts, or uses it in violation of a legal duty or trust, commits criminal breach of trust.
Punishment:
Up to 3 years of imprisonment (or up to 10 years/life if committed by a public servant, banker, merchant, or agent), or a fine.


Section 318 – Cheating
Section 318 codifies the offense of cheating: dishonestly inducing a person to deliver property, consent to its retention, or perform or omit an act they would not otherwise do, resulting in harm to body, mind, reputation, or property.
Relevance to KYC Scams:
Fraudsters deceitfully induce individuals to disclose sensitive information or undertake actions (e.g., updating KYC details) under false pretenses, leading to financial or reputational harm.
Illustrations of the Offence:
Fraudulent Inducement – Misrepresentation or concealment of material facts to manipulate an individual’s actions.
Inducing Delivery of Property – Deception resulting in the transfer of money or assets.
Resultant Harm or Loss – Any act of deception causing actual or probable damage to a victim’s body, mind, reputation, or property.


Section 111: Organized Crime
Applicable when KYC scams are perpetrated by a structured group or syndicate. Encompasses organized criminal activities, including cybercrimes conducted on behalf of a criminal organization.


Section 112: Petty Organized Crime
Governs offenses by smaller groups engaged in systematic fraudulent activities, including KYC scams. Covers minor organized crimes such as theft and cheating by collectives.


Payment and Settlement Systems Act, 2007
The Payment and Settlement Systems Act, 2007 (PSS Act) is a key legislative framework that empowers the Reserve Bank of India (RBI) to regulate, oversee, and supervise payment and settlement systems across the country. It establishes the RBI as the central authority responsible for ensuring the security, efficiency, and stability of such systems while also granting it the power to issue guidelines, approve operators, and enforce compliance to safeguard the integrity of financial transactions.


The Consumer Protection Act, 2019
The Consumer Protection Act, 2019 is a comprehensive legislation designed to safeguard consumers from unfair trade practices, deceptive business tactics, and fraudulent activities, including those related to digital transactions. With the increasing use of online platforms and digital payment methods, the Act plays a crucial role in protecting consumers from cyber fraud and ensuring their rights are upheld.


One of the key provisions of this Act is granting consumers the right to file complaints against service providers in cases of security breaches, financial fraud, or misleading advertisements. This ensures that businesses remain accountable for their actions and maintain ethical practices while dealing with consumers. The Act also introduces strict e-commerce regulations, requiring online platforms to provide accurate product descriptions, transparent refund policies, and secure payment mechanisms.


Additionally, the legislation establishes Consumer Dispute Redressal Commissions at the district, state, and national levels, making it easier for individuals to seek legal remedies in case of grievances. These measures empower consumers to take legal action against fraudulent transactions, thereby strengthening trust in digital commerce.


By promoting transparency, accountability, and fairness in the marketplace, the Consumer Protection Act, 2019 ensures that consumers can engage in digital transactions with greater confidence and security.


Prevention of Money Laundering Act, 2002 (PMLA)
The Prevention of Money Laundering Act, 2002 mandates Know Your Customer (KYC) compliance for digital payment providers to prevent fraud and money laundering. The Prevention of Money Laundering Rules, 2005 require entities to maintain transaction records, verify client identities, and report suspicious activities to the Financial Intelligence Unit (FIU) to combat financial crimes.


Key Regulatory Bodies for Digital Payments
In addition, India has established several regulatory bodies to oversee and secure the digital payment ecosystem, ensuring accountability and effectiveness in fraud prevention.


The Reserve Bank of India (RBI)
The Reserve Bank of India (RBI) regulates digital payments under the Payment and Settlement Systems Act, 2007, ensuring security and fraud prevention. It has introduced six key amendments to Know Your Customer (KYC) regulations, revising compliance requirements for due diligence, periodic updates, and risk-based monitoring. These changes enhance oversight, mitigate financial risks, and strengthen anti-money laundering (AML) measures.


Ministry of Electronics and Information Technology (MeitY)
The Ministry of Electronics and Information Technology (MeitY) plays a pivotal role in fostering a secure digital ecosystem through initiatives like the Digital India Programme and cybersecurity frameworks. It collaborates with the Reserve Bank of India (RBI) and other stakeholders to effectively regulate and govern the digital payment sector.


National Payments Corporation of India (NPCI)
The National Payments Corporation of India (NPCI) is responsible for the operation of key payment systems, including the Unified Payments Interface (UPI), Bharat Bill Payment System (BBPS), and Immediate Payment Service (IMPS). It establishes and enforces security standards to protect users from fraud and ensure the integrity of digital payment transactions.


There are several case laws related to Know Your Customer (KYC) scams where financial institutions, regulators, or victims have taken legal action against fraudsters or negligent entities. Here are a few notable cases:


1. Reserve Bank of India (RBI) vs. Banks in KYC Non-Compliance
Case: The RBI has penalized several banks, including major private and public banks, for failing to follow KYC norms, which led to fraudulent accounts being opened.
Precedent: This reinforced the importance of strict KYC compliance under anti-money laundering (AML) laws.

2. Punjab National Bank (PNB) Fraud Case (2018)
Key Figures: Nirav Modi & Mehul Choksi
Issue: Fraudulent use of Letters of Undertaking (LoUs) with weak KYC verification.
Legal Impact: Highlighted the failure of KYC processes in large banking frauds and led to stricter compliance measures.

3. ICICI Bank vs. RBI (2015)
Issue: ICICI Bank was fined for non-compliance with KYC norms after fraudulent accounts were found.
Outcome: Reinforced the RBI’s power to penalize banks for lax KYC checks.


4. SBI Advisory on KYC Frauds (2021)
In July 2021, SBI warned customers about rising KYC frauds, in which fraudsters impersonate bank officials to extract personal information. The bank clarified that it never sends KYC update links and urged users to avoid sharing confidential details or engaging with unverified messages.

Apart from these cases, several other recurring fraudulent schemes are prevalent in KYC scams. A few additional instances follow.

In a recent KYC fraud case in Mumbai, a 73-year-old woman was defrauded of Rs 2 lakh. She received a phishing message claiming her KYC was expiring, prompting her son to enter sensitive details on a fraudulent website. This led to unauthorized withdrawals. A complaint was filed at the Mahim Police Station, and authorities have registered a case under relevant provisions of the Bharatiya Nyaya Sanhita (Indian Justice Code) and the Information Technology Act.

A social media influencer fell victim to a sophisticated cyber scam, losing Rs 1.1 lakh after clicking on a fraudulent Know Your Customer (KYC) update link. The scam involved a deceptive message prompting the victim to enter sensitive banking details, leading to unauthorized transactions.


The influencer later shared a viral video detailing the fraud to warn others. Authorities are investigating the case under relevant provisions of the Bharatiya Nyaya Sanhita (Indian Justice Code) and the Information Technology Act to address cyber fraud and financial deception.

A Delhi woman was defrauded of ₹47 lakh in a WhatsApp-based KYC scam. Fraudsters, impersonating bank officials, sent deceptive messages urging her to update her Know Your Customer (KYC) details via a fraudulent link. Upon compliance, unauthorized transactions drained her account.


Authorities have registered a case under relevant provisions of the Bharatiya Nyaya Sanhita (Indian Justice Code) and the Information Technology Act.

A senior technical officer at DRDO, Pune, fell victim to a cyber fraud wherein scammers, impersonating bank representatives, misrepresented the necessity of a KYC update linked to his bank account. Under false pretenses, the victim was induced to download a malicious file via WhatsApp, which facilitated unauthorized remote access to his device. Exploiting this access, the perpetrators extracted banking credentials and executed fraudulent transactions amounting to ₹13 lakh.


Under the Bharatiya Nyaya Sanhita (BNS) and the Information Technology Act, 2000, the incident constitutes criminal impersonation, fraud, and unauthorized access. Legal proceedings may be initiated under Sections 66C and 66D of the IT Act for identity theft and fraudulent impersonation, along with Sections 316, 317 and 318 of the BNS for cheating and dishonest inducement of property delivery.


Conclusion


In summation, to effectively mitigate exposure to KYC-related fraudulent schemes, both individuals and entities must adopt a proactive approach toward security and vigilance. It is essential to exercise due diligence by thoroughly verifying the authenticity of any requests for personal or financial information before responding. Adhering strictly to regulatory compliance mandates ensures that organizations follow established security protocols, reducing the risk of fraudulent activities.
Moreover, individuals should avoid sharing sensitive data with unverified parties or through unsecured communication channels. Cybercriminals often exploit human error and trust, making it imperative to cross-check any requests for personal information, especially those received via email, phone calls, or websites that may appear legitimate but are fraudulent in nature.
Implementing robust identity verification protocols, such as two-factor authentication and biometric verification, adds an extra layer of protection against unauthorized access. Staying informed about emerging fraud tactics and regularly updating security measures further fortify defenses against illicit exploitation, ensuring greater safety in digital transactions.
Safeguards Against KYC Fraud:
Authenticate Communication – Verify KYC requests directly with the financial institution through official channels.
Exercise Caution with Digital Links – Refrain from engaging with unsolicited emails, SMS, or unverified websites.
Non-Disclosure of Credentials – Never divulge OTPs, passwords, CVVs, or sensitive banking information.
Use Authorized Platforms – Conduct KYC updates exclusively through official banking portals or applications.
Monitor Financial Transactions – Regularly review account statements to detect unauthorized activities.
Implement Security Protocols – Enable multi-factor authentication and fraud alerts for enhanced protection.
Report Anomalies Promptly – Notify the bank or relevant authorities of any suspicious activity without delay.
Continuous Awareness & Vigilance – Stay apprised of emerging fraud schemes, phishing tactics, and deceptive practices. Recognize indicators such as typographical errors in communications, suspicious hyperlinks, or unwarranted solicitations for confidential data. Informed vigilance serves as a critical safeguard against fraudulent inducements.
Victims of similar frauds are advised to report immediately to cybercrime authorities (1930 or cybercrime.gov.in), refrain from downloading unverified files, and verify financial requests through official banking channels.
The Government of India aims to safeguard KYC data integrity and prevent its misuse through measures like Central Know Your Customer (CKYC). Proposed safeguards include masking identification details (e.g., PAN, Aadhaar, voter ID, driver’s license) and restricting access via unique IP authentication. Previously, intermediaries had unrestricted access to such data, but these practices are being curtailed under government directives.
Adherence to these safeguards mitigates exposure to fraudulent inducements in KYC-related offenses.
To safeguard against online KYC fraud, one must exercise vigilance, prudence, and proactive security measures. Personal data is a valuable asset—implementing stringent protective measures is imperative in the increasingly interconnected digital landscape.
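The indicators listed above (urgency and threats of blocking, requests for OTPs or CVVs, links that are not on the bank's own domain, lures routed through messaging apps) can be checked mechanically before a customer acts on a message. The following is an added example, not code from the original article: a small triage script that scores constructed sample SMS texts against those indicators. The function names, the sample messages and the bank domain `examplebank.example` are all assumptions made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the demo; none is a real bank communication.
SAMPLE_MESSAGES = [
    "Dear customer, your KYC will expire today. Update immediately at "
    "http://kyc-update-examplebank.com-verify.net or your account will be blocked.",
    "ExampleBank: KYC is updated only at your branch or in the official app. "
    "Details: https://www.examplebank.example/kyc",
    "Share your OTP and CVV on WhatsApp to complete KYC within 24 hours.",
]
# Assumed official domain of a hypothetical bank; in practice load the institution's published domains.
OFFICIAL_DOMAINS = {"examplebank.example"}

URGENCY = re.compile(r"\b(expir\w*|blocked?|suspend\w*|immediately|today|within \d+ hours?)\b", re.I)
CREDENTIALS = re.compile(r"\b(otp|cvv|pin|password|passcode|card number)\b", re.I)
MESSAGING_APPS = re.compile(r"\b(whatsapp|telegram)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _is_official(host, official_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official_domains)


def _is_lookalike(host, official_domains):
    # The bank's brand label appears inside a host that is not the bank's.
    return any(d.split(".")[0] in host.lower() for d in official_domains)


def analyse_kyc_message(text, official_domains=OFFICIAL_DOMAINS):
    """Return (verdict, indicators) for one SMS or e-mail body."""
    indicators = []
    if URGENCY.search(text):
        indicators.append("urgency_or_threat")       # deadlines, threats of blocking
    if CREDENTIALS.search(text):
        indicators.append("credential_request")      # OTP/CVV/PIN/password solicited
    if MESSAGING_APPS.search(text):
        indicators.append("messaging_app_channel")   # "complete KYC via WhatsApp" lures
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,;)"))
        host = parsed.hostname or ""
        if not _is_official(host, official_domains):
            indicators.append("link_outside_official_domain")
            if _is_lookalike(host, official_domains):
                indicators.append("lookalike_domain")
        if parsed.scheme.lower() != "https":
            indicators.append("unencrypted_link")
    verdict = "likely_scam" if len(indicators) >= 2 else ("review" if indicators else "no_indicators")
    return verdict, indicators


def triage(messages=SAMPLE_MESSAGES):
    """Run the heuristics over a batch; returns one (verdict, indicators) per message."""
    return [analyse_kyc_message(m) for m in messages]
```

A single indicator only flags a message for review, because legitimate bank notices also use words like "today"; a bank's own KYC notice with no link and no credential request produces none.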


FAQs


1) What are phishing emails and fraudulent websites?
Phishing Emails: Fraudulent emails impersonating legitimate entities to trick recipients into disclosing confidential details like credit card numbers or passwords.

Fraudulent Websites: Scam or deceptive sites designed to impersonate trustworthy organizations, tricking users into sharing sensitive data, making unauthorized payments, or downloading malware.


2) What is Smishing?
Smishing: A form of phishing that uses SMS messages instead of emails, luring victims into clicking malicious links or revealing personal information.


3) What is Synthetic Identity Fraud?
Synthetic Identity Fraud involves the creation of entirely fictitious identities using false information to circumvent KYC verification, gain unauthorized account access, or obtain credit fraudulently.

4) What is Deepfake Technology?
Deepfake technology enables scammers to generate highly realistic but fraudulent audio or video content to impersonate individuals or institutions, facilitating unauthorized access to sensitive information.


5) What is identity theft?
Identity theft is a crime in which criminals unlawfully use personal information to impersonate victims and obtain financial benefits.


6) What is SIM swap fraud?
SIM swap fraud occurs when fraudsters clone a victim’s SIM card to intercept OTPs and carry out unauthorized transactions.
