On October 12, 2023, the Securities and Exchange Board of India issued a comprehensive KYC Master Circular -- SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169 -- consolidating all existing KYC-related circulars, guidelines, and directives into a single, authoritative document. This circular is the definitive regulatory reference for every SEBI-registered intermediary on how to identify, verify, and maintain records of their clients. It covers everything from the format of KYC forms to the technical specifications of digital onboarding, from PAN verification requirements to the obligations of KYC Registration Agencies (KRAs) and the Central KYC Records Registry (CKYCR). This guide provides a section-by-section breakdown of the circular's key provisions, with a focus on the clauses that directly impact digital KYC operations and technology infrastructure.
Uniform KYC Format and CKYCR Templates (Clauses 4-6)
The circular begins by establishing uniformity in KYC documentation across all securities market intermediaries. Clauses 4 through 6 mandate that all intermediaries use the standardized KYC form prescribed by SEBI, which aligns with the Central KYC Records Registry (CKYCR) template maintained by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI).
Clause 4 specifies that the KYC form must capture all fields required for CKYCR upload, ensuring that client data collected at the point of onboarding is immediately compatible with the central registry. This eliminates the historically common problem of intermediaries collecting KYC data in proprietary formats that required manual re-entry for CKYCR submission.
Clause 5 addresses the Account Opening Form (AOF) structure, requiring that the KYC portion of the AOF be separable from the account-specific portion. This separation is critical because KYC data is portable across intermediaries (a client verified by one broker should not need to re-verify when opening an account with another), while account-specific data is unique to each intermediary.
Clause 6 deals with the handling of KYC data for different entity types -- individuals, non-individuals (corporates, partnerships, trusts), and special categories such as NRIs and foreign nationals. Each entity type has specific additional fields and document requirements that must be captured in the standardized format.
PAN as the Primary Identifier (Clauses 7-10)
The Permanent Account Number (PAN) occupies a central position in SEBI's KYC framework. Clauses 7 through 10 establish PAN as the unique identifier for all securities market participants and define the verification requirements around it.
Clause 7 mandates that PAN is compulsory for all clients of SEBI-registered intermediaries. No account can be opened, no transaction can be executed, and no service can be provided without a valid PAN. This is not merely a SEBI requirement -- it aligns with Section 139A of the Income Tax Act and the PMLA rules that underpin securities market KYC.
"PAN shall be the sole identification number for all transactions in the securities market, irrespective of the amount of transaction." -- Clause 7, SEBI KYC Master Circular
Clause 8 requires that PAN be verified against the Income Tax Department's database at the time of onboarding. A self-attested copy of the PAN card is insufficient -- the intermediary must confirm the PAN's validity, the name associated with it, and its active status through electronic verification. This is typically done through the NSDL or UTIITSL PAN verification APIs.
Clauses 9-10 address exemptions and special cases. Certain categories of investors -- such as the Central and State Governments, officials of embassies, and UN entities -- may be exempt from PAN requirements. Micro-investments below specified thresholds in mutual funds may also qualify for PAN exemption, though these exemptions have been progressively narrowed over successive regulatory updates. NRI clients must provide PAN or, where exempt, equivalent documentation as specified by the Income Tax Act.
For digital KYC platforms, the PAN verification requirement translates to a mandatory API integration with the Income Tax database. The platform must validate PAN in real-time during the onboarding flow and flag mismatches between the PAN details and the client's self-declared information before the account opening can proceed.
Proof of Identity and Address: Officially Valid Documents (Clauses 12-23)
Clauses 12 through 23 define the documents that constitute valid proof of identity (POI) and proof of address (POA) for securities market KYC. These clauses are grounded in the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and align with the OVD (Officially Valid Document) framework used across India's financial regulatory landscape.
Officially Valid Documents (OVDs) recognized under the circular include: Passport, Voter's Identity Card (issued by the Election Commission of India), Driving Licence, Aadhaar letter/card issued by UIDAI, NREGA Job Card, and any other document notified by the Central Government. Of these, Aadhaar has become the dominant OVD in practice because it serves as both POI and POA, and can be verified electronically through UIDAI's infrastructure.
Clauses 14-17 address address verification specifically. The circular recognizes that a client's current address may differ from the address on their OVD. In such cases, the intermediary may accept a utility bill (not older than two months), bank statement, property tax receipt, or other specified documents as proof of current address, in addition to the OVD. This dual-document approach ensures address accuracy while accommodating the reality that many Indians live at addresses different from those on their government-issued documents.
Clauses 18-23 cover special cases including KYC for minor accounts (where the guardian's KYC is used), non-individual entities (where authorized signatories must be identified and verified), and foreign nationals (where passport and visa documentation replace domestic OVDs). The circular also addresses the treatment of politically exposed persons (PEPs), who require enhanced due diligence beyond standard KYC.
From a technology perspective, these clauses require digital KYC platforms to support OCR-based document capture and validation for multiple document types, integration with UIDAI for Aadhaar verification, and configurable document acceptance rules that can be adjusted as regulatory requirements evolve. For more on how different types of KYC are implemented in India, see our detailed guide.
Digital KYC Requirements: Online Forms, e-Sign, DigiLocker, and OTP Verification (Clauses 33-48)
Clauses 33 through 48 represent the most significant modernization in the SEBI KYC framework. These clauses establish the regulatory foundation for fully digital client onboarding -- from online form submission to electronic document verification to digital signature. Together, they enable securities market intermediaries to onboard clients entirely online, without any physical document submission or branch visit.
Online KYC Form Submission (Clauses 33-36)
Clauses 33 through 36 permit clients to fill out and submit the standardized KYC form electronically through the intermediary's website or mobile application. The form must capture all CKYCR-mandated fields and must be structured for seamless upload to the KYC Registration Agency (KRA). The client's identity must be preliminarily verified through mobile OTP and email verification before the form submission is accepted.
e-Sign and Digital Signature (Clauses 37-40)
The circular recognizes Aadhaar-based e-Sign (as per the Information Technology Act, 2000 and CCA guidelines) as a valid method for signing the KYC form and account opening documents. Clauses 37 through 40 specify that e-Sign carries the same legal validity as a wet signature for KYC purposes. This eliminates the need for clients to print, sign, scan, and upload documents -- a process that historically caused significant drop-offs in digital onboarding funnels.
"The KYC form and account opening documents may be signed using Aadhaar-based e-Sign, which shall be treated as equivalent to a wet signature for all regulatory purposes." -- Clauses 37-40, SEBI KYC Master Circular
DigiLocker Integration (Clauses 41-43)
Clauses 41 through 43 formalize DigiLocker as an accepted source for identity and address documents. When a client shares their documents through DigiLocker, the documents are considered authenticated at source -- they do not require additional verification or self-attestation. The intermediary can directly fetch the client's Aadhaar, PAN, driving licence, or other documents from DigiLocker through API integration, eliminating the need for the client to upload scanned copies.
This provision is particularly powerful when combined with the Clause 61 exemption from IPV for DigiLocker-verified documents. An intermediary that implements DigiLocker integration can potentially onboard a client through an entirely automated flow: the client fills in the online form, shares documents via DigiLocker, signs with e-Sign, and the account is activated without any human intervention or video call. This represents the fastest possible onboarding path under SEBI regulations.
Penny Drop and Bank Account Verification (Clauses 44-46)
Clauses 44 through 46 address the verification of the client's bank account -- a critical step since securities market transactions involve fund transfers between the client's bank account and the intermediary. The "penny drop" method (transferring a nominal amount to the client's declared bank account and asking the client to confirm the amount or transaction reference) is recognized as a valid verification mechanism. The client's bank account name must match the KYC name, and any discrepancies must be investigated before the account is activated.
OTP Verification and Mobile/Email Validation (Clauses 47-48)
Clauses 47 and 48 require that the client's mobile number and email address be verified through OTP during the onboarding process. These contact details are essential for ongoing communication, two-factor authentication for transactions, and regulatory notices. The OTP must be sent to the number/email provided by the client (not pre-populated by the intermediary), and the verification must be completed within a reasonable time window to prevent OTP replay attacks.
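The replay concern in Clauses 47-48 comes down to three server-side properties: the code expires, it works once, and it is bound to the session and contact it was sent to. The sketch below is an added example, not code from the circular or from any vendor platform; the 300-second window, the five-attempt limit and the `OtpVerifier` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed window; the text above only says "reasonable"
MAX_ATTEMPTS = 5        # assumed guess limit per issued code


class OtpVerifier:
    """In-memory OTP store keyed by (session, contact). Hypothetical helper."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry is testable
        self._key = secrets.token_bytes(32)      # MAC key, never leaves the server
        self._pending = {}

    def _digest(self, session_id, contact, code):
        # Only a keyed digest is stored, so a dump of the store reveals no codes.
        msg = f"{session_id}|{contact}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id, contact):
        """Create a 6-digit code for the contact the client typed in."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[(session_id, contact)] = {
            "digest": self._digest(session_id, contact, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # goes to the SMS/email gateway only; do not log it

    def verify(self, session_id, contact, code):
        """Return 'ok', 'mismatch', 'expired', 'locked' or 'unknown'."""
        slot = (session_id, contact)
        entry = self._pending.get(slot)
        if entry is None:
            return "unknown"          # never issued, already used, or wrong binding
        if self._clock() > entry["expires"]:
            del self._pending[slot]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[slot]   # force a fresh code after too many guesses
            return "locked"
        expected = entry["digest"]
        if hmac.compare_digest(expected, self._digest(session_id, contact, code)):
            del self._pending[slot]   # single use: a replayed code finds nothing
            return "ok"
        return "mismatch"
```

A production deployment would keep the pending entries in a shared store with its own expiry and rate-limit `issue` per contact as well.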
KYC Application Technical Requirements (Clauses 49-53)
Clauses 49 through 53 specify the technical features that a digital KYC application (mobile app or web-based) must incorporate. These clauses move beyond procedural requirements into the realm of technology specifications, reflecting SEBI's recognition that the integrity of digital KYC depends as much on the platform's technical capabilities as on the intermediary's operational procedures.
Clause 49 -- Random Activity or Challenge-Response: The KYC application must be able to prompt the client to perform a random activity during the verification -- such as blinking, turning their head, holding up a specific number of fingers, or reading a randomly generated phrase. This requirement is designed to prevent pre-recorded video submissions and detect sophisticated replay attacks. The activity must be randomized so that it cannot be anticipated and pre-recorded.
Clause 50 -- Geo-Tagging: The application must capture the client's geographical location (GPS coordinates) at the time of KYC completion. This serves multiple purposes: it provides an additional data point for identity verification, it helps detect potentially fraudulent patterns (such as multiple accounts being opened from the same location), and it creates a location-based audit trail for regulatory examination. The location data must be captured from the device's GPS hardware, not inferred from IP address alone.
Clause 51 -- End-to-End Encryption: All data transmitted during the KYC process -- including video streams, document images, personal information, and authentication tokens -- must be encrypted end-to-end using industry-standard protocols (TLS 1.2 or higher). Data at rest must also be encrypted. The encryption requirements apply to all stages of the data lifecycle: capture, transmission, processing, and storage.
Clause 52 -- Liveness Detection: The application must incorporate liveness detection technology to confirm that the person being verified is physically present and alive. This addresses the growing risk of deepfake attacks and presentation fraud, where attackers use photographs, video recordings, or AI-generated faces to impersonate legitimate clients. Both active (challenge-response) and passive (continuous AI analysis) liveness detection methods are encouraged.
Clause 53 -- Audit and Watermarking: The application must support audit trail generation, including watermarking of captured images and documents with date, time, and session identifiers. This ensures that every document image can be traced back to the specific KYC session during which it was captured, preventing cross-contamination of documents between sessions and providing a tamper-evident chain of custody.
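One way to get the session traceability and tamper evidence that Clause 53 describes is a keyed hash chain over every captured artifact. This is an added example, not the circular's specification or any vendor's implementation; the record fields, the function names and the HMAC-SHA256 construction are assumptions, and the image bytes in any usage are constructed samples.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value for the first record in a session


def _mac(key, body):
    # Canonical JSON so the same record always produces the same MAC.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_capture(chain, key, session_id, kind, content, captured_at):
    """Record one captured image/document and link it to the previous record."""
    body = {
        "seq": len(chain),
        "session_id": session_id,
        "kind": kind,
        "captured_at": captured_at,                      # ISO 8601 timestamp
        "sha256": hashlib.sha256(content).hexdigest(),   # binds the stored file
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    chain.append({**body, "mac": _mac(key, body)})
    return chain[-1]


def watermark_text(record):
    """Text to stamp visibly on the image: session, date/time, sequence."""
    return f"{record['session_id']} {record['captured_at']} #{record['seq']}"


def verify_chain(chain, key, session_id, artifacts):
    """Return a list of problems; an empty list means the trail is intact.

    artifacts is the list of stored file contents, in capture order.
    """
    if len(artifacts) != len(chain):
        return ["artifact count does not match audit records"]
    problems, prev = [], GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(rec["mac"], _mac(key, body)):
            problems.append(f"seq {i}: record altered")
        if rec["seq"] != i or rec["prev"] != prev:
            problems.append(f"seq {i}: chain broken")
        if rec["session_id"] != session_id:
            problems.append(f"seq {i}: belongs to another session")
        if hashlib.sha256(artifacts[i]).hexdigest() != rec["sha256"]:
            problems.append(f"seq {i}: stored file does not match capture")
        prev = rec["mac"]
    return problems
```

The MAC key has to live outside the system that stores the records (an HSM or a separate signing service), otherwise anyone who can edit a record can also recompute its MAC.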
IPV and VIPV Requirements (Clauses 54-61)
Clauses 54 through 61 establish the In-Person Verification (IPV) framework, including the Video In-Person Verification (VIPV) alternative. IPV is mandatory for all new clients of SEBI-registered intermediaries, and VIPV provides a way to fulfill this obligation remotely through a structured, recorded video interaction.
The key provisions include: who must undergo IPV (all new clients, per Clause 54), who can perform it (SEBI-registered intermediaries, scheduled commercial banks, KRAs, and authorized distributors, per Clauses 55-57), documentation requirements (Clauses 58-59), and the seven detailed sub-clauses governing VIPV (Clause 60a through 60g), covering trained officials, live environment, clear video, random questions, Aadhaar photo match, tamper-proof storage, and additional security features.
"In-Person Verification (IPV) shall be carried out for all new clients. Where IPV is carried out through video, the requirements specified in Clause 60 shall be complied with." -- Clauses 54 and 60, SEBI KYC Master Circular
Clause 61 provides exemptions: IPV is not required when the client's identity has been verified through Aadhaar authentication or when documents are fetched directly from DigiLocker. These exemptions enable fully automated onboarding for clients who use these government digital infrastructure services.
For a comprehensive, clause-by-clause breakdown of the VIPV requirements -- including implementation guidance for each sub-clause of Clause 60 and a detailed compliance checklist -- refer to our dedicated article: SEBI VIPV (Video In-Person Verification): Complete Guide for Stock Brokers & Intermediaries.
KRA and CKYCR Compliance: Upload Timelines and KYC Portability (Clauses 82-119)
The final major section of the Master Circular addresses the obligations of intermediaries with respect to KYC Registration Agencies (KRAs) and the Central KYC Records Registry (CKYCR). These clauses govern how client KYC data flows from the intermediary to the centralized systems, how KYC portability works across intermediaries, and the timelines within which data uploads must occur.
KRA Upload Requirements (Clauses 82-95)
Clauses 82-84: Every SEBI-registered intermediary must be registered with at least one SEBI-recognized KRA. All client KYC records must be uploaded to the KRA within the prescribed timelines. The KRA serves as the centralized repository from which other intermediaries can fetch a client's KYC data, enabling portability.
Clauses 85-90: The upload timeline is critical. KYC records must be uploaded to the KRA within 10 working days of account activation. For digital KYC (online onboarding), the timeline is effectively shorter because the data is already in electronic format and the upload process can be automated. Intermediaries that fail to upload within the prescribed timeline face regulatory penalties, and the client's account may be flagged during SEBI inspections.
"The intermediary shall upload the KYC documents and data to the KRA within the prescribed time from the date of execution of the KYC, and simultaneously upload to the CKYCR as required." -- SEBI KYC Master Circular, Clauses 85-90
Clauses 91-95: These clauses address KYC modifications and updates. When a client's personal details change (name, address, contact information), the intermediary must update the KRA records within the prescribed timeline. The KRA, in turn, propagates these updates to all intermediaries that hold the client's KYC data, ensuring consistency across the securities market ecosystem.
CKYCR Integration (Clauses 96-105)
Clauses 96-100: In addition to KRA uploads, intermediaries must upload client KYC data to the CKYCR maintained by CERSAI. The CKYCR is a cross-regulatory registry -- it receives KYC data from entities regulated by SEBI, RBI, IRDAI, and PFRDA, creating a single national KYC repository. The CKYCR generates a unique 14-digit KYC Identification Number (KIN) for each client, which serves as the pan-regulatory KYC identifier.
Clauses 101-105: The dual upload requirement (to both KRA and CKYCR) means that intermediaries' technology systems must support two distinct upload interfaces. The data formats differ between KRA and CKYCR, and both systems have their own validation rules. Digital KYC platforms must handle these format differences transparently, ensuring that a single onboarding session generates data packages compatible with both systems.
KYC Portability (Clauses 106-119)
Clauses 106-112: KYC portability is one of the most client-friendly provisions in the Master Circular. Once a client has completed KYC with any SEBI-registered intermediary and the data has been uploaded to the KRA, any other SEBI-registered intermediary can fetch the existing KYC data from the KRA instead of requiring the client to undergo KYC again. The client simply provides their PAN, and the new intermediary retrieves the complete KYC record from the KRA.
Clauses 113-116: However, portability does not eliminate all requirements. The new intermediary must still perform IPV (or VIPV) for the client unless the client qualifies for the Clause 61 exemption. The new intermediary must also verify that the KRA data is current and has not been flagged for re-verification. If the KYC data on the KRA is older than the prescribed validity period or has been flagged for discrepancies, the intermediary must conduct fresh KYC. For guidance on Re-KYC processes, see our separate guide.
Clauses 117-119: The final clauses address interoperability between KRAs, ensuring that data can be fetched regardless of which KRA the original intermediary used. SEBI mandates that all recognized KRAs maintain interoperable systems, and intermediaries must be able to fetch KYC data from any KRA, not just the one they are registered with. This interoperability requirement prevents vendor lock-in and ensures true portability across the securities market.
How BASEKYC Helps Intermediaries Comply With the Master Circular
The SEBI KYC Master Circular is comprehensive, and compliance requires capabilities that span technology, operations, and regulatory expertise. BASEKYC addresses every major requirement of the circular through an integrated platform designed specifically for securities market intermediaries.
Digital KYC Form and Document Collection: BASEKYC provides a configurable, white-label onboarding flow that captures all CKYCR-mandated fields (Clauses 4-6), validates PAN in real-time against the Income Tax database (Clauses 7-10), and supports OCR-based document capture for all accepted OVDs (Clauses 12-23). The entire form submission, document upload, and verification process is completed within a single digital session.
e-Sign, DigiLocker, and OTP Integration: Our platform integrates Aadhaar-based e-Sign for KYC form execution (Clauses 37-40), DigiLocker for authenticated document fetching (Clauses 41-43), penny drop for bank account verification (Clauses 44-46), and OTP verification for mobile and email validation (Clauses 47-48). These integrations enable the fastest possible onboarding path under SEBI regulations.
VIPV and IPV Compliance: BASEKYC's video verification platform implements all seven sub-clauses of Clause 60 -- from trained agent workflows and consent capture to AI face matching and tamper-proof recording. For clients who qualify for Clause 61 exemptions, the platform automatically routes them through the non-VIPV path. See our detailed VIPV guide for the clause-by-clause breakdown.
KYC App Technical Requirements: BASEKYC's platform incorporates random activity prompts for liveness detection (Clause 49), GPS-based geo-tagging (Clause 50), end-to-end encryption using TLS 1.3 (Clause 51), AI-powered liveness detection (Clause 52), and watermarked document capture with full audit trails (Clause 53).
KRA and CKYCR Data Upload: BASEKYC generates KRA-compatible and CKYCR-compatible data packages from every completed KYC session. The platform supports automated upload to all SEBI-recognized KRAs and CKYCR, with configurable upload schedules that ensure compliance with the prescribed timelines (Clauses 82-105). Upload status tracking, error handling, and re-submission workflows are built into the platform.
Whether you are a stock broker processing thousands of retail accounts, a depository participant managing institutional clients, or a mutual fund AMC coordinating across a national distributor network, BASEKYC provides the technology infrastructure to achieve and maintain full compliance with the SEBI KYC Master Circular. Our platform supports on-premise deployment for data sovereignty requirements and API-first integration with existing back-office systems.
Frequently Asked Questions
What is the SEBI KYC Master Circular 2023?
The SEBI KYC Master Circular (reference: SEBI/HO/MIRSD/SECFATF/P/CIR/2023/169, dated October 12, 2023) is a consolidated regulatory document that combines all existing SEBI circulars on KYC norms into a single, comprehensive reference. It applies to all SEBI-registered intermediaries -- stock brokers, depository participants, mutual funds, portfolio managers, investment advisers, research analysts, and others. The circular covers KYC form formats, PAN verification, document requirements, digital onboarding, VIPV, KRA compliance, and CKYCR obligations.
Which intermediaries does this circular apply to?
The circular applies to all SEBI-registered intermediaries and market infrastructure institutions. This includes stock brokers (equity, commodity, currency), depository participants (NSDL and CDSL), mutual fund AMCs and distributors, portfolio managers, investment advisers, research analysts, credit rating agencies, registrars and transfer agents, merchant bankers, and stock exchanges. Any entity that facilitates client access to the Indian securities market and is registered with SEBI must comply with this circular.
Can clients be onboarded entirely online under this circular?
Yes. The Master Circular enables fully digital onboarding through a combination of online form submission (Clauses 33-36), Aadhaar-based e-Sign (Clauses 37-40), DigiLocker document verification (Clauses 41-43), bank account verification via penny drop (Clauses 44-46), and OTP-based contact verification (Clauses 47-48). When the client uses Aadhaar authentication or DigiLocker (qualifying for the Clause 61 exemption from IPV), the entire process can be automated without any human intervention. When VIPV is required, it adds a brief video session but the overall process remains digital.
What is the timeline for uploading KYC data to KRA and CKYCR?
The Master Circular requires that KYC records be uploaded to the KRA within 10 working days of account activation. CKYCR upload must happen simultaneously or within the same timeline. For intermediaries using digital KYC platforms, automated upload can typically be completed within 24-48 hours of account activation, well within the regulatory deadline. Failure to upload within the prescribed timeline can result in regulatory penalties during SEBI inspections and may affect the intermediary's compliance rating.
How does KYC portability work across different brokers and intermediaries?
Once a client has completed KYC with any SEBI-registered intermediary and the data has been uploaded to a KRA, any other SEBI-registered intermediary can fetch the existing KYC data using the client's PAN. The client does not need to submit documents again. However, the new intermediary must still conduct IPV/VIPV (unless exempt under Clause 61), verify that the KRA data is current, and ensure the client's details have not changed since the original KYC was performed. KRAs are mandated to maintain interoperable systems, so data can be fetched regardless of which KRA the original intermediary used.