An overview of CKYC OTP and MNRL Compliance for Reporting Entities

2. Industry Perspectives: Insights from Our 11th April 2025 Knowledge Sharing Session

On 11th April 2025, we hosted a focused session titled “CKYC OTP Introduction Impact & MNRL Compliance”. The event attracted more than 145 attendees from over 70+ institutions, including banks, NBFCs, insurance companies, and fintech firms.

This session was hosted to provide a platform for industry participants to discuss the regulatory changes, understand their operational impact, and explore best practices for smooth implementation.

We were glad to welcome Mr. Vijay Mahantesh Malagar, Head of Risk Containment Unit at Tyger Capital (formerly Adani Capital), who generously shared his team’s real-world experience preparing for the MNRL screening go-live. Mr. Malagar highlighted their focus on finding a quick and efficient solution to comply with the RBI mandate. Leveraging the Screenzaa platform, Tyger Capital successfully implemented the MNRL screening with zero friction before the 31st March 2025 deadline.

Tyger Capital identified several matches in their customer data and took prompt action to resolve these cases. The integration ensures that every customer’s data now automatically reflects a “Hit” or “No Hit” status against the MNRL, making compliance seamless and ongoing.

The session featured strong audience engagement. Attendees asked insightful questions, raised operational challenges, and shared their strategies for system readiness and team training. This active dialogue underscored the shared goal across the industry: achieving compliance without disrupting business efficiency.

The agenda covered three major regulatory developments:

• The CKYC circular dated April 4, 2025, introducing OTP-based consent for KYC downloads
• The RBI circular from January 17, 2025, mandating screening against the Mobile Number Revocation List
• The RBI’s November 6, 2024, amendments to the Master Direction on KYC processes

Compliance professionals from leading institutions contributed valuable perspectives during the session, including:

• Sudeshna Ghosh – HDFC Bank Ltd.
• Sujeet Singh – YES Bank Ltd.
• Sangeeta Shinde – Suryoday Small Finance Bank Ltd.
• Avanti Chimade – SBM Bank (India)
• Karim Velani – Tata AIA Life Insurance Company Ltd.
• Sripriya Srinivasan Iyengar – SBI Life Insurance Company Ltd.
• Vijayshree Wagghmare – Godrej Capital Ltd.
• Vipul Srivastava – PayU Payments Pvt Ltd.

We remain committed to hosting more such sessions in the future, supporting the compliance community with timely, practical insights and fostering collaboration to strengthen the industry’s overall stance on compliance.

3. CKYC OTP: A Safer Way to Access KYC Records

The CKYC circular introduced a significant change to the way KYC records are accessed. Now, downloading KYC data requires a one-time password (OTP) sent to the customer’s registered mobile number. This applies equally to screen-based downloads via the CKYC portal or API-based access by regulated entities.

Why does this matter?

• Additional Layer of Consent: The OTP mechanism adds a critical step of explicit customer consent before their KYC data is accessed. This helps prevent unauthorized downloads.
• Enhanced Data Security: Identity data misuse is a growing concern. OTP verification helps ensure that only the rightful customer or authorized personnel can retrieve sensitive KYC information.
• Regulatory Compliance: The OTP-based process aligns with RBI’s focus on tightening KYC processes to mitigate fraud risks.

What do regulated entities need to do?

• Update Systems: Organizations must upgrade to the new CKYC API version 1.3 that supports OTP flows.
• Maintain Accurate Mobile Data: OTP delivery depends on up-to-date mobile numbers, so entities should regularly verify and update customer contact details.
• Plan for Possible Delays: In cases where the registered mobile number is outdated or unreachable, KYC downloads may face delays, requiring alternate verification steps.
• Communicate with Customers: It is important to inform customers about the new OTP process to reduce confusion during onboarding or servicing.

Implementing these changes requires coordination between IT, compliance, and customer service teams to ensure smooth adoption and minimal impact on onboarding turnaround times.

4. MNRL Screening: Mandatory Checks to Prevent Mobile-Based Fraud

The Mobile Number Revocation List (MNRL) is a database maintained by the telecom industry, listing mobile numbers that have been disconnected, ported out, or deemed risky.

Why is MNRL screening important?

• Fraud Prevention: Many fraud attempts use mobile numbers that no longer belong to the original user to intercept OTPs and alerts. Screening against MNRL helps identify and block such risks effectively.
• Communication Integrity: Financial alerts, transaction notifications, and authentication messages are sent via SMS or calls to the registered mobile number. Ensuring these numbers are valid is essential for secure customer communication.
• Plan for Possible Delays: In cases where the registered mobile number is outdated or unreachable, KYC downloads may face delays, requiring alternate verification steps.

What does the RBI mandate require?

• Regulated entities must regularly scrub mobile numbers against the MNRL database.
• Accounts linked to revoked or risky numbers must be flagged and monitored closely for suspicious activity.
• Entities should develop Standard Operating Procedures (SOPs) to handle flagged cases, including verification and updating of customer mobile details.
• Communication channels used for transaction alerts and authentication must be validated and kept current.

Implementing MNRL screening helps reduce identity theft and unauthorized transactions, reinforcing customer trust and regulatory compliance.

5. How the Industry Is Adapting: Key Takeaways from Our Event

Our 11th April 2025 knowledge sharing session focused on how institutions are modifying their workflows and systems to accommodate OTP verification and MNRL screening.

• CKYC OTP Integration: Many institutions are revising their consent management workflows and IT systems to incorporate the OTP mechanism. This requires internal process reviews and system testing to ensure smooth functionality.
• MNRL Screening Solutions: Several organizations are partnering with compliance technology providers like Screenzaa to automate MNRL scrubbing, reducing manual efforts and errors.
• SOP Development: Clear procedures are being drafted to manage flagged mobile numbers, including steps for re-verification, customer outreach, and account monitoring.
• Training and Awareness: Teams across compliance, risk, and operations are being trained to understand new requirements and respond effectively to exceptions.
• Customer Communication Plans: Institutions are preparing customer-facing communication to explain changes and minimize onboarding friction.

Tyger Capital’s experience stood out as an example of proactive compliance. Their early adoption of MNRL screening and integration with Screenzaa ensured they met the deadline with ease, showcasing how regulatory technology can simplify regulatory adherence.

The session reinforced that industry collaboration and knowledge sharing are vital to overcoming challenges and achieving compliance without compromising operational efficiency.

6. What Should You Do Next?

To align with the new mandates and protect your customers and institution, here are key action steps:

• Upgrade Your Systems: Implement the latest CKYC API (v1.3) to support OTP-based KYC downloads.
• Scrub Mobile Numbers Regularly: Use reliable tools to cross-check your customer mobile database against the MNRL frequently.
• Develop and Document SOPs: Create detailed procedures to handle cases where mobile numbers are flagged, including verification and remediation steps.
• Train Your Teams: Educate your staff on the new regulatory requirements, operational impacts, and customer communication protocols periodically.
• Communicate with Customers: Inform customers about OTP changes and the importance of keeping their contact information current to avoid onboarding delays or disruptions.
• Stay Engaged: Participate in upcoming learning sessions and stay updated with evolving guidelines and industry best practices as much as possible.