
SEBI Digital KYC for Intermediaries: App Requirements, e-Sign & DigiLocker Integration Guide

Mar 4, 2026

SEBI's digital KYC framework has redefined how capital market intermediaries -- stock brokers, depository participants, mutual fund distributors, and portfolio managers -- onboard new clients. The days of paper forms, wet signatures, and physical document submissions are giving way to a fully digital process involving app-based verification, DigiLocker document acceptance, Aadhaar e-Sign, and automated bank verification. This guide provides a detailed, clause-by-clause breakdown of every digital KYC requirement under the SEBI Master Circular SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169, dated October 12, 2023, with practical implementation guidance for intermediaries building or upgrading their KYC infrastructure.

1. What Is SEBI Digital KYC?

SEBI Digital KYC refers to the process of verifying a client's identity and address electronically through an online application or mobile app, combined with video-based In-Person Verification (VIPV). Clause 33 of the Master Circular formally defines this framework:

"The intermediary may carry out KYC of its clients through online/app-based process, including Video In-Person Verification (VIPV)."

-- SEBI Master Circular SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169, Clause 33

Digital KYC is not simply a digitized version of the paper process. It is a fundamentally different approach that leverages government digital infrastructure -- Aadhaar e-KYC, DigiLocker, PAN verification APIs, bank account verification -- to create a verification chain that is more secure, more auditable, and significantly faster than the traditional process.

The framework applies to all SEBI-registered intermediaries, including stock brokers, depository participants, merchant bankers, portfolio managers, investment advisers, and mutual fund distributors. Any entity that establishes an account-based relationship with a client in the Indian capital markets must comply with these requirements. For a broader understanding of video-based verification in financial services, see our guide on What is Video KYC.

2. Digital KYC Process Flow: Step by Step

Clauses 34 through 48 of the Master Circular prescribe the end-to-end digital KYC process. While intermediaries have flexibility in user interface design and workflow sequencing, the following steps must be completed for a valid digital KYC:

Step 1: Client Registration and Data Collection (Cl. 34-36)

The client initiates the process through the intermediary's website or mobile app. They provide basic information -- name, date of birth, PAN number, Aadhaar number (optional for non-Aadhaar-based flows), mobile number, and email address. The system validates the PAN in real-time against the Income Tax database and checks for any existing KYC record in the KRA/CKYCR system. If a valid KYC record already exists, the intermediary can leverage it (with updates if needed) rather than conducting a fresh KYC.

Step 2: Document Submission and Verification (Cl. 37-38)

The client submits identity and address proof documents. SEBI's framework provides multiple channels for document submission: direct upload of scanned/photographed documents through the app, fetching documents from DigiLocker (treated as equivalent to originals), or using Aadhaar e-KYC data received directly from UIDAI. The intermediary must verify document authenticity through electronic means wherever possible -- OCR extraction, database cross-referencing, and DigiLocker verification.

Step 3: Mobile and Email OTP Verification (Cl. 39)

The client's mobile number and email address must be verified through OTP-based authentication. An OTP is sent to the declared mobile number and email, and the client must enter both correctly within the session. This step establishes that the client has active control over the communication channels they have declared.

Step 4: Aadhaar-Based Verification (Cl. 40-42)

If the client opts for Aadhaar-based verification, the intermediary initiates e-KYC through UIDAI. This can be done through Aadhaar OTP authentication (OTP sent to Aadhaar-linked mobile) or through the offline Aadhaar XML route. The e-KYC response provides verified demographic data and photograph, which the system cross-references against the client's declared information.

Step 5: Signature and Consent (Cl. 43-48)

The client must sign the KYC application form and provide explicit consent for data processing. SEBI permits multiple signature methods: Aadhaar e-Sign (electronic signature using Aadhaar OTP), uploading a scanned wet signature, or capturing a cropped signature from a document. The signed application, along with all consent records, becomes part of the permanent KYC file.

Step 6: Bank Account Verification (Cl. 47)

The client's bank account must be verified to establish the financial link. SEBI accepts two methods: Penny Drop verification (a small amount is credited to the declared bank account and the client confirms receipt) or direct Bank API verification (real-time verification through the bank's API infrastructure). This step prevents use of fictitious bank accounts.

Step 7: Video In-Person Verification (Cl. 54, 60)

The final step is VIPV, where an authorized official of the intermediary conducts a live video interaction with the client to verify their physical identity against their document photographs. The VIPV session must meet all technical requirements specified in Cl. 49-53. For a detailed breakdown of VIPV requirements for stock brokers, refer to our companion article on IPV for Stock Brokers: SEBI Compliance Checklist.

3. KYC App Mandatory Features (Cl. 49-53)

SEBI has prescribed specific technical features that any application used for digital KYC must possess. These are not optional enhancements -- they are mandatory compliance requirements. An intermediary whose KYC app does not meet these specifications is non-compliant regardless of how well their process works in practice.

Photography, Scanning, and DigiLocker Acceptance (Cl. 50)

The KYC application must be capable of capturing photographs (both of the client and their documents) at sufficient resolution for verification purposes. It must support document scanning either through the device camera or through integrated scanning functionality. Critically, the app must accept documents fetched from DigiLocker, treating them as originals:

"The application used for the online/app-based KYC process shall have features of taking photographs of the client, scanning copies of the documents, and accepting documents from DigiLocker."

-- SEBI Master Circular, Clause 50

DigiLocker integration is particularly important because documents retrieved through DigiLocker carry the legal weight of originals under the Information Technology Act. Intermediaries who do not accept DigiLocker documents are creating unnecessary friction and potentially violating the spirit of the circular.

Random Action Initiation (Cl. 51)

During the VIPV portion of the digital KYC process, the application must be capable of initiating a randomized action to verify that the person on camera is live and physically present. This is a liveness detection mechanism that prevents impersonation through photographs, video replays, or pre-recorded sessions. The action must be system-initiated (not chosen by the client) and could include instructions to blink, turn the head, hold up a specific number of fingers, or read a randomly generated alphanumeric code.

Timestamp and Geo-Location Capture (Cl. 51)

Every digital KYC session must record precise timestamps (date and time down to the second) and GPS coordinates of the client's device. Additionally, the system must verify that the client's IP address originates from within India. This geo-fencing requirement ensures that accounts are not being opened from outside India, which would be a red flag for potential misuse and would fall outside SEBI's jurisdictional framework.

End-to-End Encryption and Liveness Detection (Cl. 52)

All data transmitted during the digital KYC process -- video streams, document images, personal information, and verification results -- must be encrypted end-to-end. The encryption must use industry-standard protocols (TLS 1.2 or higher for transit, AES-256 or equivalent for storage). Simultaneously, the application must employ AI-based liveness detection technology that operates throughout the video session, not just at a single checkpoint.

"The application shall have end-to-end encryption and the video interaction shall incorporate liveness detection to ensure that the person is live and not a photograph or video."

-- SEBI Master Circular, Clause 52

Periodic Security Audits (Cl. 53)

The KYC application must undergo regular security audits, including Vulnerability Assessment and Penetration Testing (VAPT). SEBI does not specify the exact frequency, but industry best practice (and the expectation during inspections) is at minimum an annual VAPT with quarterly vulnerability scans. The intermediary must maintain documentation of all security audits, findings, and remediation actions. Any critical vulnerability that is discovered must be addressed before the app continues to be used for KYC. For more on security considerations in video-based verification, see our article on AI Deepfake Detection in Video KYC.

4. Document Verification Methods

SEBI's digital KYC framework provides intermediaries with multiple methods for verifying client documents electronically. Understanding each method's regulatory basis, technical requirements, and practical considerations is essential for building a compliant workflow.

DigiLocker Integration (Cl. 37)

DigiLocker is a Government of India initiative that provides citizens with a cloud-based storage platform for their official documents. Documents available on DigiLocker include Aadhaar, PAN, driving license, voter ID, and various educational certificates. Under the IT Act, DigiLocker documents are legally equivalent to original documents.

"Documents fetched from DigiLocker shall be treated at par with original documents."

-- SEBI Master Circular, Clause 37

For intermediaries, DigiLocker integration offers a significant advantage: documents fetched through the DigiLocker API are pre-verified by the issuing authority, eliminating the need for manual document authentication. The client simply authorizes the intermediary to fetch their documents from DigiLocker, and the API returns verified, digitally signed documents. This reduces fraud risk (no scope for forged documents) and improves the client experience (no need to photograph or scan physical documents).

Aadhaar e-Sign (Cl. 43-46)

Aadhaar e-Sign is an electronic signature service that allows individuals to digitally sign documents using Aadhaar OTP authentication. Under SEBI's framework, intermediaries can accept Aadhaar e-Sign as a valid signature on the KYC application form and account opening documents. The process works as follows: the client reviews the KYC form on the app, initiates e-Sign, an OTP is sent to their Aadhaar-linked mobile, they enter the OTP, and the document is digitally signed with a legally valid electronic signature.

The e-Sign service must be provided through a licensed Certifying Authority (CA) empaneled under the Controller of Certifying Authorities (CCA). The signed document must contain the digital signature certificate, timestamp, and signer's Aadhaar details (masked). Intermediaries must retain the signed document and the e-Sign audit trail as part of the KYC record.

Aadhaar e-KYC via UIDAI (Cl. 40-41)

Aadhaar e-KYC is the most comprehensive electronic verification method available under SEBI's framework. Through the UIDAI's e-KYC infrastructure, intermediaries can obtain verified demographic data (name, date of birth, gender, address) and a photograph directly from the Aadhaar database. This data, received in real-time, is cross-referenced against the information provided by the client during the application process. Any discrepancies are flagged automatically for resolution. Aadhaar e-KYC can be conducted through OTP-based authentication (where an OTP is sent to the Aadhaar-linked mobile number) or through biometric authentication. The intermediary must have a valid KUA (KYC User Agency) license or must access e-KYC through an authorized ASA (Authentication Service Agency).

5. Bank Account Verification: Penny Drop and Bank API

Bank account verification is a mandatory step in the digital KYC process under Clause 47. The purpose is to confirm that the client has a valid, operational bank account in their name -- establishing the financial link required for securities transactions and settlements.

"The bank account of the client shall be verified through Penny Drop verification or through Bank API."

-- SEBI Master Circular, Clause 47

Penny Drop verification: The intermediary transfers a nominal amount (typically Re 1) to the client's declared bank account using IMPS, NEFT, or UPI. The transaction response confirms the account holder's name and the bank account's operational status. The client may be asked to confirm the credited amount or the transaction reference number. This method is simple, widely supported, and works with virtually every bank account in India.

Bank API verification: This involves real-time verification through the bank's API infrastructure, typically using account aggregator frameworks or direct bank APIs. The API returns verified account holder details, account status, and IFSC information. This method is faster than Penny Drop (instant vs. minutes/hours) but requires API partnerships with individual banks or aggregator services.

Regardless of the method used, the intermediary must record the verification result -- including the verified account holder name, account number (masked), IFSC code, and verification timestamp -- in the KYC record. A mismatch between the declared account holder name and the verified name must be flagged for manual review.
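The record-keeping step described above, written out as an added example rather than code from the circular or from any vendor: a constructed Penny Drop / Bank API response is turned into a KYC record with the account number masked, the IFSC format checked, and a name-match score that sends a mismatch to manual review. The 0.90 auto-pass threshold, the honorific list and the response field names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Assumed policy: scores at or above this auto-pass, anything lower goes to manual review
AUTO_PASS_SCORE = 0.90
HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt", "kumari"}
IFSC_RE = re.compile(r"^[A-Z]{4}0[A-Z0-9]{6}$")   # 4-letter bank code, '0', 6-char branch code

def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and honorifics, sort tokens so word order does not matter."""
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in HONORIFICS))

def name_match_score(declared: str, verified: str) -> float:
    a, b = normalize_name(declared), normalize_name(verified)
    if not a or not b:
        return 0.0
    return SequenceMatcher(None, a, b).ratio()

def mask_account(account_number: str) -> str:
    """Keep only the last four digits in the KYC record."""
    digits = re.sub(r"\D", "", account_number)
    return "X" * max(len(digits) - 4, 0) + digits[-4:]

@dataclass(frozen=True)
class BankVerificationRecord:
    method: str                 # "penny_drop" or "bank_api"
    declared_name: str
    verified_name: str
    account_masked: str
    ifsc: str
    name_match_score: float
    status: str                 # "verified" or "manual_review"
    reasons: tuple
    verified_at: str

def build_record(method: str, declared_name: str, response: dict, now=None) -> BankVerificationRecord:
    """Turn a (constructed, assumed-shape) verification response into the auditable KYC record."""
    reasons = []
    verified_name = response.get("account_holder_name", "")
    score = name_match_score(declared_name, verified_name)
    if score < AUTO_PASS_SCORE:
        reasons.append(f"name mismatch (score {score:.2f})")
    if response.get("account_status") != "active":
        reasons.append("account not active")
    ifsc = response.get("ifsc", "").upper()
    if not IFSC_RE.match(ifsc):
        reasons.append("IFSC format invalid")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return BankVerificationRecord(
        method=method,
        declared_name=declared_name,
        verified_name=verified_name,
        account_masked=mask_account(response.get("account_number", "")),
        ifsc=ifsc,
        name_match_score=round(score, 3),
        status="verified" if not reasons else "manual_review",
        reasons=tuple(reasons),
        verified_at=ts,
    )
```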

6. Mobile and Email OTP Verification (Cl. 39)

Clause 39 mandates that the client's mobile number and email address must be verified through OTP-based authentication during the digital KYC process. This is a fundamental step that establishes the client's control over their declared communication channels and enables the intermediary to send transaction confirmations, contract notes, and regulatory communications to verified contact points.

Mobile OTP: A 6-digit OTP is sent via SMS to the client's declared mobile number. The client enters the OTP within the app to confirm ownership. The OTP must have a short validity window (typically 3-5 minutes) and must be single-use. Multiple failed attempts should trigger a cooldown period.

Email OTP: Similarly, an OTP is sent to the client's declared email address. The client enters this OTP to verify email ownership. Some intermediaries combine this with a verification link as a fallback mechanism. Both mobile and email verification must be completed within the same KYC session to maintain session integrity.
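The OTP rules above (short validity window, single use, cooldown after repeated failures, both channels verified in one session), as an added example that is not part of the circular or of any vendor's product. The 5-minute window sits inside the 3-5 minutes the article cites; the three-attempt limit and 15-minute cooldown are assumptions, and the clock is injectable so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (the article gives a 3-5 minute window; the rest are our choices)
OTP_TTL_SECONDS = 5 * 60        # single OTP validity window
MAX_FAILED_ATTEMPTS = 3         # wrong entries before the channel is locked
COOLDOWN_SECONDS = 15 * 60      # lock duration after too many failures

@dataclass
class OtpRecord:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False        # set once the code is used, expired or invalidated
    verified: bool = False        # set only on a successful match
    cooldown_until: float = 0.0

class OtpService:
    """Per-channel OTP state for one KYC session (mobile number or email address)."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested deterministically
        self._records: dict = {}

    def issue(self, channel: str):
        """Generate a fresh 6-digit OTP; returns None while the channel is in cooldown."""
        rec = self._records.get(channel)
        if rec is not None and self._now() < rec.cooldown_until:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._records[channel] = OtpRecord(code=code, issued_at=self._now())
        return code

    def verify(self, channel: str, submitted: str) -> str:
        rec = self._records.get(channel)
        now = self._now()
        if rec is None:
            return "no_otp"
        if now < rec.cooldown_until:
            return "cooldown"
        if rec.consumed:
            return "already_used"          # single-use: a replayed code is rejected
        if now - rec.issued_at > OTP_TTL_SECONDS:
            rec.consumed = True
            return "expired"
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            rec.consumed = True
            rec.verified = True
            return "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.consumed = True            # lock and force a new OTP after the cooldown
            rec.cooldown_until = now + COOLDOWN_SECONDS
            return "cooldown"
        return "wrong"

    def session_complete(self, mobile: str, email: str) -> bool:
        """Clause 39 needs both channels verified within the same session."""
        for channel in (mobile, email):
            rec = self._records.get(channel)
            if rec is None or not rec.verified:
                return False
        return True
```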

7. Signature Options: Wet Signature, Cropped Signature, and e-Sign

SEBI provides intermediaries and their clients with flexibility in how the KYC application form is signed. Clause 48 recognizes three valid signature methods for digital KYC:

Aadhaar e-Sign: This is the most seamless option for digital KYC. The client authenticates via Aadhaar OTP, and the document is digitally signed through a licensed Certifying Authority. No physical signature is required. The e-Sign carries legal validity under the IT Act and is the recommended approach for a fully digital workflow.

Scanned wet signature: The client can sign on a blank sheet of paper, photograph or scan the signature, and upload it through the app. The intermediary must verify the signature quality and ensure it is clear and unambiguous. This method is useful for clients who are not comfortable with e-Sign or whose Aadhaar-linked mobile is unavailable.

Cropped signature from a document: If the client provides a cancelled cheque or bank statement, the intermediary's system can crop the signature from that document and use it as the KYC signature. This method requires OCR or image processing capabilities to extract and validate the signature area. While convenient, intermediaries should ensure the cropped signature is of sufficient quality for future verification purposes.

8. KRA and CKYCR Integration Requirements (Cl. 84, 115)

Completing the digital KYC process is only half the obligation. The intermediary must then upload the verified KYC record to both the KYC Registration Agency (KRA) and the Central KYC Registry (CKYCR) within the timelines specified by SEBI:

"The intermediary shall upload the KYC records to the KRA within the prescribed timelines and shall also ensure that the CKYCR records are updated."

-- SEBI Master Circular, Clause 84

KRA upload: The KYC Registration Agency (operated by entities like CVL KRA, NDML, DotEx, and CAMS) serves as the centralized repository for capital market KYC records. The intermediary must upload the complete KYC record -- including client details, document proofs, IPV status, and verification results -- to the KRA. This enables IPV portability and KYC reuse across intermediaries.

CKYCR upload: Under Clause 115, intermediaries are also required to upload KYC records to the Central KYC Registry maintained by CERSAI. The CKYCR serves as a cross-sectoral registry, meaning KYC records uploaded here can be accessed by entities across financial sectors -- banking, insurance, and securities. The CKYCR upload includes a unique KYC Identifier (KIN) that links the client's identity across all financial relationships.

The upload must happen within the timelines prescribed by SEBI (typically within 10 working days of account activation). Failure to upload KYC records to the KRA and CKYCR is a frequently flagged deficiency during exchange and depository inspections. Automated integration that triggers KRA/CKYCR upload immediately upon KYC completion is the most reliable approach to ensuring compliance.

9. How BASEKYC Covers All SEBI Digital KYC Requirements

BASEKYC is engineered to address every requirement in SEBI's digital KYC framework through a single, integrated platform. Here is how our capabilities map to the regulatory requirements:

| SEBI Requirement | Clause | BASEKYC Feature |
|---|---|---|
| Online/app-based KYC with VIPV | Cl. 33 | White-label mobile + web KYC app with integrated video verification |
| DigiLocker document acceptance | Cl. 37, 50 | Native DigiLocker API integration for direct document fetch |
| Mobile and email OTP verification | Cl. 39 | Built-in OTP engine with SMS and email delivery, retry logic, and session management |
| Aadhaar e-KYC via UIDAI | Cl. 40-41 | UIDAI e-KYC integration (OTP and XML routes) with automated data cross-referencing |
| Aadhaar e-Sign | Cl. 43-46 | e-Sign integration through licensed Certifying Authority with audit trail |
| Bank account verification | Cl. 47 | Penny Drop and Bank API verification with name match validation |
| Random action liveness check | Cl. 51 | AI-powered liveness detection with randomized challenge-response |
| Geo-location + India IP verification | Cl. 51 | GPS capture, IP geo-fencing, and session-level location logging |
| E2E encryption + liveness | Cl. 52 | TLS 1.3 transit encryption, AES-256 storage, continuous liveness scoring |
| Periodic security audits | Cl. 53 | Annual VAPT, quarterly vulnerability scans, SOC 2 Type II compliant infrastructure |
| KRA and CKYCR upload | Cl. 84, 115 | Automated KRA/CKYCR integration with real-time upload and status tracking |

Beyond meeting individual clause requirements, BASEKYC provides a unified compliance dashboard that gives intermediaries a real-time view of their KYC pipeline: pending verifications, completed sessions, KRA upload status, and audit readiness. Our platform is used by stock brokers, depository participants, and mutual fund distributors who need to meet SEBI's digital KYC standards without building and maintaining the underlying infrastructure themselves.

For intermediaries evaluating digital KYC platforms, we recommend reading our Video KYC Platform Comparison to understand how BASEKYC compares against alternatives on compliance coverage, integration depth, and total cost of ownership.

10. Frequently Asked Questions

Is DigiLocker integration mandatory for SEBI digital KYC?

While Clause 50 requires the KYC app to be capable of accepting DigiLocker documents, the client is not required to use DigiLocker. They may choose to upload scanned documents instead. However, the intermediary's application must support DigiLocker acceptance. In practice, DigiLocker significantly reduces fraud risk and improves conversion rates, making it a strong recommendation for any intermediary's KYC flow.

Can intermediaries use Aadhaar e-Sign instead of wet signatures?

Yes. Clauses 43-46 explicitly permit Aadhaar e-Sign as a valid signature method for the KYC application form. e-Sign carries legal validity under the Information Technology Act. Intermediaries should offer e-Sign as the default option while providing wet signature upload and cropped signature as alternatives for clients who cannot use e-Sign.

What is the difference between Penny Drop and Bank API verification?

Penny Drop involves transferring a small amount to the client's bank account and verifying the account holder name from the transaction response. It works universally but can take minutes to hours depending on the payment mode. Bank API verification queries the bank's systems directly for account holder details, providing an instant response. Bank API is faster but requires API partnerships. Both methods are equally valid under Clause 47.

How does the India IP verification requirement work?

Under Clause 51, the KYC application must verify that the client's IP address originates from within India during the VIPV session. This is implemented through IP geolocation databases that map IP addresses to geographic locations. If the client is connecting through a VPN with a foreign IP or is physically outside India, the session should be flagged or rejected. NRI account opening workflows may have different IP requirements based on SEBI's specific NRI KYC provisions.

What are the penalties for not uploading KYC records to KRA/CKYCR?

Failure to upload KYC records to the KRA and CKYCR within the prescribed timelines (typically 10 working days) can result in deficiency observations during exchange/depository inspections, monetary penalties from SEBI, and potential restrictions on new account activations. This is one of the most commonly flagged compliance gaps, often caused by manual processes that fail to trigger the upload. Automated integration between the KYC platform and KRA/CKYCR systems is the most reliable way to prevent this deficiency.
