You walk into a bank, submit your documents, get verified, open an account. A few months later, a mutual fund asks for the same documents. Then an insurance company. Then a broker. Every institution, operating under its own regulator, runs the same verification from scratch. The customer experience is frustrating. The compliance cost is real. And the repetition does not make the system meaningfully safer.
India has been trying to address this issue since 2016, when the Central KYC Registry (CKYCR) was operationalized as a shared repository of verified customer records. A customer’s first KYC with any regulated entity gets uploaded on the CKYCR, and every subsequent institution pulls that existing record rather than repeating the exercise.
CKYCR, however, did not work as intended. Records were stored in inconsistent formats across institutions. Regulated entities across sectors could not reliably rely on each other’s records, so they asked customers to re-submit anyway. The gap between the intended vision and the operational reality is what led to CKYC 2.0 being announced in 2024, with a mandate to revamp the registry and move toward unified KYC.
The technical upgrade matters, but the problem runs deeper. Financial regulators have built their respective KYC frameworks in silos, each calibrated to the risks of their own sector. Harmonizing those frameworks without losing sector-specific nuance is not something a registry redesign alone can fix.
In this edition of FinTales, we look at what CKYC 2.0 actually proposes and how it sits within the broader unified KYC push. We also cover RBI’s new draft prepaid payment instruments (PPI) Master Directions and its revamped outward remittance framework.
Let’s dive in.
Main Course 1: A deep dive into India’s push for unified KYC and CKYC 2.0 upgrades.
Main Course 2: An analysis of the RBI’s revamped framework for PPIs.
Dessert: Sweet news about RBI’s fintech-friendly reset for cross-border remittances.
Mints: a refresher on recent fintech developments.
Main Course 🍝
Verify Once, Trust Everywhere: The Long Road to Unified KYC
On 25 April 2026, Finance Minister Nirmala Sitharaman called ‘One Nation, One KYC’ the need of the hour and directed SEBI to implement a common KYC system across all financial sector regulators. SEBI responded with a progress update on CKYC 2.0, expecting to launch it in July 2026. The two are connected but not the same. Unified KYC is the broader policy vision: a single, cross-sector framework where a customer verified once can be onboarded anywhere. CKYC 2.0 is the technical upgrade to the central registry that is supposed to underpin that vision. If unified KYC is the destination, CKYC 2.0 is a part of the means to get there. Whether it is enough on its own is a different question.
The push is not new. The Financial Stability and Development Council flagged the need for uniform KYC norms in early 2024. Around the same time, a high-level committee led by Finance Secretary T.V. Somanathan was formed to operationalise the initiative. Progress has been slow.
What the current system actually does
Regulated entities across the financial sector are required to check the Central KYC Records Registry (CKYCR) before opening a new account-based relationship. If a valid record exists, the customer should not need to resubmit their details. The premise is that identity verified once should be accessible to every institution the customer approaches thereafter.
In practice, it rarely works that way. Three friction points explain most of the failure.
The first is repeated verification. RBI, SEBI, and IRDAI each maintain their own KYC rules. Even when entities across all three sectors connect to the same CKYCR, they do not always accept each other’s records as sufficient. Customers end up submitting documents again regardless of what the registry holds.
The second is conflicting timelines for record updates. The PMLA framework requires regulated entities to upload new records to CKYCR within ten days of opening an account. That part is consistent across the rules for all regulated entities. The timeline for submission of updates to customer records are not. RBI requires entities to update CKYCR records within seven days of any change. SEBI simply expects updates to be made when received from the customer, with no fixed deadline. Without a deadline, updated records may never reach the registry. The record that was uploaded at onboarding sits unchanged, becoming less reliable over time.
The third is the absence of customer control. Customers currently cannot view, update, or correct their CKYCR records directly. If there is an error in the record, a wrong address, a misspelled name, an outdated document, the customer has no way to fix it. The responsibility falls on the entity that uploaded the record, which has little incentive to revisit something it already considers complete. Errors persist.
What CKYC 2.0 Addresses
CKYC 2.0 reimagines how KYC data is captured, validated, shared, and tracked across the financial sector. Four key changes stand out:
The first is moving from PDFs to structured data. The current system ingests KYC records largely through PDF uploads. Different institutions fill in different fields with different levels of completeness. The result is records that cannot reliably be read, compared, or reused by another institution. CKYC 2.0 replaces PDF uploads with XML and JSON formats, where every field follows a predefined structure. Records become machine-readable and consistently formatted. The need to re-verify simply because a record is unreadable should largely disappear.
The second is real-time updates. The current system operates on batch uploads. CKYC 2.0 moves to live API connections, with records verified in real-time through integrations with DigiLocker, PAN, and Aadhaar databases. When a customer updates their details, or when changes occur in the underlying identity databases, the CKYCR record updates automatically. The conflicting timelines problem dissolves because the registry stays current without anyone needing to remember to push an update.
The third is field-level validation and AI-driven deduplication. Every field will be validated before acceptance. AI will cross-reference face data, Aadhaar, PAN, and demographic information to detect duplicates. This improves both the accuracy of what goes into the registry and the consistency of what comes out.
The fourth is customer visibility. Every instance of CKYCR access will be visible to the customer. Regulated entities will need to maintain stronger audit trails and tighter cybersecurity controls. This is more than a compliance requirement. It is a shift in the character of the registry itself, from a back-end compliance utility to something closer to a transparent piece of public digital infrastructure.
What CKYC 2.0 does not solve
Better structured, accurate, and current records are a genuine improvement. But they do not, by themselves, solve the core problem.
The repeated verification problem is not primarily a data quality issue. It is a regulatory standards issue. Each regulator has calibrated its KYC requirements to the risk profile of its own sector. Banking relationships carry different exposure than securities accounts or insurance policies. Even with a perfectly structured CKYCR record, an entity supervised by SEBI has no regulatory obligation to treat an RBI-supervised entity's KYC as sufficient for its own purposes. Until the standards themselves are harmonized across regulators, entities can and will continue asking for additional documents.
Harmonisation also carries its own risks. A one-size-fits-all standard risks flattening out sector-specific nuance and settling at the lowest common denominator. The more defensible approach is a layered framework: a common baseline record that is universally accepted across sectors, with sector-specific requirements layered on top for higher-risk relationships. That preserves the nuance without abandoning the interoperability.
There is also the question of the parallel KRA infrastructure in the securities market. How the real-time ambitions of CKYC 2.0 extend to that segment remains unclear.
What’s next
CKYC 2.0 is necessary but not sufficient. The technical upgrade addresses the registry’s limitations. However, the bigger lift will be regulatory coordination. That means aligning standards across RBI, SEBI, IRDAI, and PFRDA, resolving the cross-regulator acceptance question, and deciding what a layered KYC framework actually looks like in practice.
Until that work is done, the system will remain one where the registry improves but the experience for customers does not change as much as it should.
The PPI Playbook Gets a Rewrite
PPIs have been part of India’s financial landscape long enough that most people have used one without thinking about it. Gift cards, transit wallets, UPI-linked PPI instruments for foreign visitors – the category is broader than it looks. The 2021 Master Directions (2021 MD) have governed all of this for the past several years.
A lot has changed since 2021. The RBI made clear that it disapproves of credit-loaded PPIs. UPI One World has expanded rapidly. And PPI issuers have been quietly grappling with an existential question of where exactly does a stored-value wallet fit in a world where UPI processes nearly every digital retail payment?
In April 2026, the RBI released draft Master Directions on PPIs (Draft PPI MD). The draft consolidates the clarifications that have accumulated since 2021, giving regulated entities a single reference point. But it does more than housekeeping. It tightens the screws on misuse, sharpens the definition of what a PPI actually is, and makes an implicit argument for why PPIs still have a place.
A cleaner architecture
The 2021 framework had already simplified the old three-tier model. The draft goes further, reorganizing everything into two categories:
1. General Purpose PPIs: cover the everyday wallets. Full-KYC PPIs allow up to Rs. 2 lakhs outstanding amount and a Rs. 2 lakhs monthly debit limit. Small PPIs require only minimum KYC, cap outstanding amount at Rs. 10,000, and their use case is limited to merchant payments.
2. Special Purpose PPIs cover everything else.
- Gift PPIs are non-reloadable, outstanding amount is capped at Rs. 10,000, and they cannot be used for P2P transfers or cash withdrawals.
- Transit PPIs require no KYC, outstanding amount is capped at Rs. 3,000, have perpetual validity, and funds loaded cannot be withdrawn or refunded.
- The UPI One World wallet for foreign nationals and NRIs is denominated in INR with a Rs. 5 lakh monthly debit cap.
Any other specific-purpose PPI requires prior RBI approval.
The logic running through all of this is straightforward. The broader the use case and the more money an instrument can hold, the heavier will be the KYC and the tighter will be the controls for it. The risk profile of the instrument shapes the regulatory treatment.
The draft is also easier to read. Rules on security audits, fraud prevention, and customer liability for unauthorised transactions have been moved out and replaced with references to other RBI directions.
What the new definition is really saying
The definitional change in the draft is easy to miss but worth paying attention to.
The 2021 MD defined PPIs as instruments that ‘facilitate purchase of goods and services, financial services, remittance facilities, etc., against the value stored therein’. The draft redefines them as ‘payment instrument(s) in which money is loaded and which facilitates subsequent transactions utilising this money’.
The old definition focused on what you could do with a PPI. The new one focuses on how it works: money goes in first, then gets spent. That sequencing is deliberate. By anchoring the definition in pre-funding, the RBI is reinforcing that a PPI is a stored-value product. It is not a credit product dressed up as something else.
The draft makes this explicit in the loading rules. General Purpose PPIs can only be loaded by debit to a bank account, by cash, or by another PPI. Credit cards are out. Special Purpose PPIs are not subject to the same explicit prohibition, but their narrow use cases, low caps, and absence of P2P functionality mean the practical risk is limited.
This is not new policy. The RBI prohibited credit-loaded PPIs in 2022. The draft is restating that position clearly and building it into the framework’s architecture.
The new definition also clarifies that ‘money’ for PPI purposes means INR and does not include digital currency. Crypto wallets, in-game token balances, and reward-point wallets fall outside the PPI perimeter. One open question the draft leaves unanswered is how hybrid wallets that let users hold both INR and digital currency simultaneously would be treated. That is worth watching out for in the final directions.
Cash gets tighter
The draft continues the RBI’s broader push to make cash-loaded instruments more traceable.
Cash loading limit for Full-KYC PPIs drops from Rs. 50,000 to Rs. 10,000 per month. Small PPIs still allow cash loading, but the Rs. 10,000 outstanding cap limits the exposure. Gift PPIs can no longer be loaded through cash.
The P2P transfer limit for Full-KYC PPIs also gets simplified. The earlier tiered structure had different caps for registered and unregistered beneficiaries. The draft replaces this with a flat Rs. 25,000 per month limit.
Cross-border: one door closes, another opens wider
The 2021 MD allowed Full-KYC PPIs issued by AD Category-I banks to be used for cross-border current account transactions. The draft reverses this. Rupee-denominated PPIs can no longer be used for cross-border payments. The intent appears to be keeping outward forex flows within proper foreign exchange channels rather than letting them route through stored-value instruments.
The offset is UPI One World. The monthly spending limit for the INR wallet issued to foreign nationals and non-resident Indian (NRIs) has been increased from Rs. 2 lakhs to Rs. 5 lakhs. UPI One World had a prominent moment at the India AI Impact Summit, and the limit increase reflects a clear push to position it as the preferred instrument for inbound tourists and business travelers.
Gift card issuers: an open question
The 2021 MD required PPI issuers to maintain KYC details of gift card purchasers but exempted them from collecting separate KYC if the card was bought by debit to a bank account or credit card in India. The draft is silent on this carveout.
This is worth flagging. Gift card issuers need to know whether the old exemption survives. The final directions should address this clearly.
A few other things worth noting
Banks already authorised to issue debit cards no longer need prior RBI approval to issue PPIs. Prior intimation is enough. For non-banks, authorisation gets easier too: the in-principle stage has been dropped, and the window to submit an NOC from a financial sector regulator expands to 45 days. PPIs with no transactions for 12 months become inactive and are closed if they remain inactive for a further 12 months, with balances returned to source or a verified bank account.
Where this leaves the industry
The draft is a more purposeful version of the PPI framework. The risk-weighted classification is cleaner and more intuitive. UPI One World gets a meaningful upgrade.
But the draft also reflects a regulator that has a clear view of what a PPI is and what it is not. The space for regulatory arbitrage has narrowed. The hard line between stored value and credit runs through the entire document, from the new definition to the credit card loading prohibition to the tighter cash rules. Cross-border outward usage is gone.
The final directions will set the implementation timelines and also hopefully resolve the open questions.
Dessert 🍨
RBI gives outward remittances a fintech-friendly reset
Indians send billions of dollars abroad every year for education, travel, investments, family maintenance, subscriptions, and business payments. Increasingly, fintech platforms facilitate these transactions by partnering with banks to offer digital remittance journeys that feel nothing like traditional banking.
On 13 May 2026, the RBI gave this ecosystem a boost. It removed the requirement for prior RBI approval for non-bank entities that partner with Authorized Dealer Category-I (AD) banks to facilitate outward remittance services. The responsibility for FEMA compliance, KYC checks, customer protection, and settlement safeguards now rests squarely with the partnering AD bank.
This is a meaningful policy shift. RBI is stepping back from an approval-heavy model and moving toward a supervision and accountability-led framework. This indicates that RBI now has greater confidence in regulated entities and their ability to manage compliance outcomes. For fintechs, this should reduce operational bottlenecks and make market entry more accessible for newer players.
In practice, the change could make a range of cross-border payment use cases smoother. Students paying tuition to foreign universities, travelers loading forex-linked wallets, freelancers paying for global software tools, creators buying international advertising services, and SMEs making small-ticket import payments through fintech apps rather than bank counters are all examples of who stands to benefit.
Customer protection standards have not been diluted. AD banks must ensure transparent disclosure of charges on third-party platforms, robust contractual oversight, timely settlements, and working grievance redressal mechanisms. The RBI has also clarified that remitter funds must travel directly from the sender’s bank account to the beneficiary account. They cannot pass through third-party accounts. This is a key safeguard against fund diversion.
The revised framework is a pragmatic middle path. Fintechs get more room to innovate. Banks remain fully accountable for compliance and consumer protection.
Mints 🍃
🪙 Digital gold industry gets an SRO: Key digital gold players, including MMTC-PAMP, SafeGold, Augmont, and BharatPe, have come together to launch the Digital Precious Metals Assurance Council of India (DPMACI), a self-regulatory organisation for the sector. The SRO aims to improve transparency, operational standards, and consumer protection in the growing digital gold and silver market.
📈 NSE launches EGR segment: The National Stock Exchange (NSE) has launched an electronic gold receipts (EGR) segment on its platform after receiving SEBI approval. NSE has also published operational details covering trading units, deposit values, purity standards, and related product specifications for EGRs.
🛡️ BFSI prepares for Mythos threat: Regulators and industry players are increasingly concerned about the risks posed by Anthropic’s Mythos AI model and its ability to autonomously exploit software vulnerabilities. The RBI is consulting global regulators, Indian banks and government officials, and may engage directly with Anthropic while also considering broader AI governance rules for banks. NPCI and fintechs such as Paytm, Razorpay and Pine Labs are exploring early access to test the model for vulnerabilities. Separately, the Finance Ministry has convened banks, set up a risk assessment panel, and warned the sector about the systemic cybersecurity risks and network effects that could arise if the model becomes publicly accessible.
🔄 RBI consolidates and updates e-mandate rules for recurring digital payments: RBI has consolidated its e-mandate rules for recurring digital payments across cards, UPI, and PPIs into a single framework. Key updates include continuity of mandates after card reissuance, clarification that customer-set spending controls cannot override valid mandates, and enhanced customer grievance redressal disclosures.
🏦 All CICs now live on ULI: The Reserve Bank Innovation Hub (RBIH) has announced that all four RBI-regulated credit information companies (CICs) – TransUnion CIBIL, CRIF India, Equifax India, and Experian India – are now live on the Unified Lending Interface (ULI). Lenders can now access consumer credit data from these CICs directly through the platform.
🚨 I4C and RBIH Sign MoU to Strengthen AI-Driven Fraud Detection: The Indian Cyber Crime Coordination Centre (I4C) and the Reserve Bank Innovation Hub (RBIH) have signed an MoU to jointly deploy AI tools against mule accounts and cyber-enabled financial fraud. The collaboration will integrate I4C’s cybercrime intelligence with RBIH’s MuleHunter.AI platform to detect and flag suspicious accounts in real time, strengthening the financial system’s defences at scale.
Author Credits: Fintech Team - Aparajita, Astha, Samyukta, Sidharth, Pravi
Image credits: AI generated
For any queries, reach out to us at contact@ikigailaw.com
