What is CKYCRR 2.0? The Complete Guidelines for Banks & NBFCs
In 2025, India achieved 103 crores of CKYC registrations. What was going on below that figure is a success story, a success story until you look at what was going on below that figure. Many of these records were still in the form of scanned PDF files, with each institution manually checking them, and each institution making changes to the records in isolation, with no synchronization between other financial institutions. If a customer had updated their address in one financial institution, they had no assurance that the address change was received by the other financial institutions where the customer had his/her needs met, including the mutual fund, NBFC, or insurance company.
Finance Minister Nirmala Sitharaman called out this issue explicitly in the Union Budget 2025 and declared its implementation on the basis of a revamped Central KYC Registry as a top priority. The announcement kicked off CKYCRR 2.0.
This post discusses what exactly CKYCRR 2.0 is, its difference from the earlier system, what it will mean to banks and NBFCs in terms of compliance and operations, and how the modern AML software and KYC infrastructure needs to adapt to stay in step.
What is CKYCRR 2.0?
Since 2017, CERSAI, the Central KYC Records Registry, has been running the Central KYC Records Registry (CKYCRR). Version 1.0 created a common national identity database, which any Regulated Entity could access. This was a great achievement at the time.
The new system is called CKYCRR 2.0 and is a complete replacement of the previous system. It eliminates PDF-and-batch and ushers in a real-time, API-first, AI-powered infrastructure that seamlessly integrates with India's digital identity stack, such as Aadhaar, DigiLocker, and PAN validation.
On 2nd December 2024, CERSAI gave a work order of Rs. 161 crore to Protean eGov Technologies (formerly NSDL e-Governance Infrastructure) as the System Integrator for CKYCRR 2.0. The contract is for 69 months. This isn't just an upgrade of conjecture; it's something Protean eGov has been doing since 2016 and is managing the technology stack of India's PAN services platform and the National Pension System. It's a project that's continually operating, and its funding is from the government.
The new CKYCRR is to leverage the use of AI-based matching algorithms, face match technology to enhance the accuracy of verification, facilitate faster onboarding, and provide individuals with greater control over their KYC data, the MD and CEO said in their newsletter.
Why CKYCRR 1.0 Needed Replacing
It is useful to first consider why the original system failed to meet the need before looking at what has been changed.
The PDF problem. The CKYC records were stored in a scanned image and as static PDFs, which were not ingestible by automated systems. All the digital lenders/ NBFCs that wanted to use the data of CKYC had to create manual processes. A system to remove re-verification was creating unnecessary processing loads at each institution implementing it.
At-scale data staleness. There were no means of ensuring synchronization of updates across institutions. A copy of a customer record from one institution could be different from another. Even a small level of staleness resulted in millions of false identity anchors being used to power credit decisions and compliance processes throughout the sector, given that there were 103 crore records in the system.
Synthetic identity fraud. The digital lending revolution in India showed that the lack of any digital systems to match the document and the photo was a problem that could not be solved. Document-only verification may be bypassed if a fraudster is able to present a valid photo or address with fake PAN information. If the fraudster is able to provide a valid document (such as a photo or address) and fake PAN information, he can pass through the document-only verification.
The biometric cross-check, national de-duplication mechanism, and alert system were not in place in CKYCRR 1.0. Synthetic ID fraud was established as a new and growing risk type for digital NBFCs and fintech lenders by 2024.
The RBI itself identified customers who were onboarded through the old CKYC as "high-risk" as a clear warning that there was insufficient rigor in the verification process in the old CKYC. That regulatory stance was inevitable and led to reform.
Difference Between CKYCRR and CKYCRR 2.0
Compliance and technology teams are asking first, "this? Compliance and tech teams ask first, "this? The difference is not incremental:
Data format. This was an enhanced version of the original, which took scanned PDF and image documents. CKYCRR 2.0 mandates KYC records be submitted via validated APIs in structured JSON/XML format. This one change enables straight-through processing for onboarding. A financial institution can now make an API call to the CKYCRR, and get the identity response immediately and with a field-level identity verification, and complete onboarding without the need for a manual review process.
Integration method. In version 1.0, the records were processed in cycles of hours or days with batch file uploads. CKYCRR 2.0 has a real-time REST API with sub-second to second-level response time.
Identity verification. The previous system was based on document and photo matching. The AI-powered facial recognition system is integrated at the registry level in CKYCRR 2.0. The system cross-checks all of the national database of biometrics whenever a new KYC record is uploaded. In case there is a match with any other identity with a different name or PAN, the record is flagged before activation. Structural solution for synthetic identity fraud.
Aadhaar masking. From now on required or done manually. All records are required to be masked and automated for Aadhaar ID in CKYCRR 2.0. So, the unmasked Aadhaar numbers can no longer be saved or shared via the CKYC infrastructure, directly in accordance with the UIDAI directives and the provisions of the DPDP Act 2023.
Consent mechanism. The 1998 version of CKYCRR was based on implicit consent. The explicit consent to download or access the CKYC record by any institution will be obtained via the OTP system for CKYCRR 2.0. An OTP is sent to the customer's registered mobile number, which is to be authenticated for the release of data. This is also a real-time fraud alert - when an OTP is received unexpectedly, it is a warning to the customer that his/her identity is being requested without permission.
Consumer access. In the 1.0 version, there was no consumer-facing portal. CKYCRR 2.0 introduces a self-service portal that allows customers to discover which institutions have had access to their data, to request a single update of a single address or identity, which will be sent to all other institutions with access to the same data, and to submit a dispute directly to CERSAI.
India Stack integration. The limited integration of Aadhaar was available in Version 1.0. CKYCRR 2.0 integrates with DigiLocker for the retrieval of digitally signed documents, PAN vault for real-time cross-checks, and with the Income Tax Department's data layer for verification of income. The CKYC record is not a "snapshot" record for v2.0. It turns into a live profile which gets updated when there are updates of underlying data throughout the India Stack.
CKYCRR 2.0 vs KYC: Key Differences
There is often confusion about the difference between CKYCRR 2.0 and KYC in general. They are not synonyms.
The generic term for the process of verifying the identity of their customer and the evaluation of their risk profile is called Know Your Customer. This includes document collection, face verification, address verification, PEP/sanctions screening, and continuous monitoring. KYC is an owned and operated process by institutions.
The national centralized registry is called CKYCRR 2.0, which keeps and manages KYC records after they have been completed by a regulated entity. It could be considered a distributed government-managed identity repository. An institution onboarding a customer goes through the KYC process and uploads the verified data to CKYCRR. After that, any other regulated entity that adopts the same customer can inquire into CKYCRR as opposed to obtaining new documents.
The key difference with the critical change CKYCRR 2.0 is that this registry is no longer a passive archive. It validates, deduplicates, and records the data in real-time. The distinction is relevant for compliance planning purposes as the institutions have to satisfy two dimensions: the KYC compliance with RBI and PMLA, as well as the integration of the same with CKYCRR 2.0, to meet the new requirements relating to structured data, biometric data, and consent.
Both layers need to be taken into consideration in the AML software that is adopted by banks and NBFCs. Reliable risk scoring for transactions, transaction monitoring, and customer due diligence workflows should be based on current, not cached or stale, information from the CKYCRR.
What CKYCRR 2.0 Means for Banks
From a bank perspective, CKYCRR 2.0 is in large part an infrastructure and compliance event, but with an impact on the bottom line.
Onboarding architecture changes. The banks that have developed their KYC onboarding workflows on the back of batch CKYC uploads must reimagine pipelines for real-time API submission. With the structured JSON/XML requirement, the existing code that is used to put together a PDF upload bundle is no longer in compliance. The new framework also allows KYC updates to be done by a Business Correspondent for its operations, thus broadening the bank's outreach for re-verification periodically.
Audit trail obligations. The RBI has recently updated KYC Master Directions (Circular DOR.AML.REC.30/14.01.001/2025-26) with the addition of advance notice obligations prior to the KYC due dates. Banks need to issue at least three reminders, with one of these being a written letter, prior to when a customer's KYC update is due. If a customer does not make the payments on time, then a minimum of 3 more reminders will be issued after the due date. For audit, all notices should be recorded on all customer records. Those banks that do not have a system to automate and track this reminder cycle will have adverse findings during statutory audits.
Risk-tiered update cycles. Now, banks must have a formal risk classification at the customer level and link the triggers for an update on the CKYC to the customer's risk classification. High-risk customers must be periodically re-identified every 2 years. Medium-risk customers are informed every 8 years. Low-risk customers are updated every 10 years, and the additional ease provided for low-risk customers in June 2025 means that those with an outstanding KYC can now complete the update within 1 year of it being due, or on 30 June 2026, whichever is later. This time period is when a user's accounts need to function normally.
Compliance with the DPDP Act is made structural. By design, banks that are developing their KYC stack with the framework of CKYCRR 2.0 are aligned with consent compliance as they interact with data. The OTP-based consent mechanism at the registry level is straight aligned with the principle of consent-first in the Digital Personal Data Protection Act, 2023.
What CKYCRR 2.0 Means for NBFCs
Many NBFCs are running on digital channels with high volumes of onboarding and have constructed their first integrations for CKYC around workarounds for version 1.0, leaving them with a unique set of challenges as they are required to do so under CKYCRR 2.0.
Integrating the loan origination pipeline. The biggest operational challenge for NBFCs is to seamlessly embed the CKYCRR 2.0 API into their loan origination process. Under real-time fetch, if a customer already has a CKYC record with one of the institutions, he or she can be fetched within seconds, and the verified record will be directly fetched into the origination workflow. This replaces both the manual collection of documents and the delays of batch CKYC queries.
Cost of acquiring new customers. The more that the verification time per customer decreases, the more it scales up the cost reduction. The transition from batch to real-time straight-through processing can directly lower the cost of per-application KYC compliance for NBFCs with tens of thousands of new accounts being opened each month.
Fraud and synthetic identity fraud protection. As digital NBFCs were more vulnerable to synthetic identity fraud in CKYCRR 1.0, the biometric de-duplication feature is especially helpful for these businesses. If a fraudster has created a record at several institutions, he or she will not be able to merge them into one record in the CKYCRR without causing a biometric conflict.
First-time-right submission rates. In the past, when it was in the "batch" model, formatting errors or missing fields appeared in the following batch. The real-time API validation of CKYCRR 2.0 will reject any record that is not compliant as soon as it is submitted; this will allow NBFCs to make the necessary corrections and resubmit the record immediately. First-time-right submission to the institution is over 99% for institutions that use compliant middleware.
The Regulatory Backbone: Key Circulars Compliance Teams Must Know
CKYCRR 2.0 has a multi-layered regulatory structure. Below is a list of the key references for compliance planning.
The RBI KYC Master Direction dated 6th November 2024 (DOR.AML.REC.49/14.01.001/2024-25) brought the KYC process of Regulated Entities in line with the revised PMLA Rules and made the incremental data sharing real-time for all Regulated Entities. The risk-tiered update cycles, low-risk customer relief window, and advance notice requirements have been introduced in the RBI KYC Amendment Directions dated 12 June 2025 (DOR.AML.REC.30/14.01.001/2025-26). The latest Compliance Reference is the RBI Master Direction dated 14th August, 2025.
Violations of the updated notice, reminder, and audit trail requirements after January 1, 2026, could lead to RBI enforcement actions, such as monetary penalties.
Implementation Roadmap: Three Phases That Actually Work
Adoption of the new 2.0 version of CKYCRR is a gradual process. Any institution that has applied it as a simple "plug-and-play" integration project has faced production issues across the board on data quality and consent management.
Phase 1: Data remediation (4 to 12 weeks, depending on legacy volume). Existing KYC records must be reviewed for compatibility with the new KYC system prior to any API work. PDF documents need to be extracted and converted into structured data. All fields must be captured in a consistent format, all free-text addresses need to be standardized, the photograph resolution must be present, and the name must be captured in a consistent way for it to pass the CKYCRR 2.0's field-level validation. In order for the AI facial match to work properly, the image of the portrait should have at least 200x200 resolution. In this stage, issues with data quality that institutions were not aware of, at scale, become apparent.
Phase 2: API integration and sandbox testing (4 to 8 weeks for clean stacks).CERSAI offers a platform for the development and testing of CKYC API flows in a sandbox mode for the approved system integrators before going to production. The integration includes three main functionalities: KYC Search, KYC Download, and KYC Upload. There are three main functionalities of integration: KYC Search, KYC Download, and KYC Upload. Edge cases like partial records, OTP timeout, consent token expiry, and API error codes for malformed submissions should be tested. The following are examples of cases that frequently appear in production for institutions that don't do extensive testing in the sandbox.
Phase 3: Consent architecture and DPDP alignment (parallel to Phase 2). All the data access events of a CKYC should be linked to explicit OTP based consent of the customer. The consent management layer is responsible for collecting the purpose, duration, and scope of each access request and keeping it in an auditable, retrievable format. The consent workflow also needs to be aligned with the institution's notice and reminder schedule to ensure timely periodic updates on KYC as per RBI's amendment dated 22nd June 2025.
The Role of AML Software in a CKYCRR 2.0 World
With the upgrade to CKYCRR 2.0, there is no need to give up AML software. It alters the way and the what this software must do and interact with identity data that is upstream of it.
This will result in less accurate risk scores if the information is based on outdated identity data from PDFs or manually re-keyed from the customer. AML platforms should be designed so that they can programmatically pull the real-time data from CKYCRR, which is structured and validates identities against biometrics, instead of "cached" customer profiles.
Specifically, AML software should not be designed to only be able to be used when a customer is being onboarded, but rather be available for use at the time of their customer risk re-assessment. It must do consent-scoped data access (that is, it must be capable of triggering the OTP consent mechanism for pulling up updated data), and it must include logging of data access events for the purposes of audit trail in the amendment that came into effect in June 2025. Now, instead of looking at an outdated, not always accurate identity profile, transaction monitoring workflows can cross-reference against an updated, accurate identity profile that will flag behavioral anomalies.
Compatibility with CKYCRR 2.0 should not be a consideration when talking about upgrading or evaluating AML software by banks and NBFCs. The only way to ensure the compliance posture of the institution's entire AML programme is as up-to-date as the identity information that it is working with.
Common Migration Mistakes to Avoid
A number of patterns emerge in the occurrence of failures in migrations of CKYCRR 2.0.
The most frequent and most costly error is going directly to API integration without data remediation. Real-time field validation of the CKYCRR 2.0 API will ensure that the records with any formatting errors, lack a photograph resolution, or have an unmasked Aadhaar will be rejected on the spot.
It is not possible to add the consent layer as a post-launch addition. Consent based on OTP should be built at the beginning of the user onboarding process, including the appropriate management of OTPs, the handling of OTP timeouts, and the audit log.
If the institution doesn't map the customer risk categories in CRM before starting migration, it will lead to compliance gaps and a need to re-verify low-risk customers when it is not necessary.
Failure to comply with the amendment's notice and reminder would be picked up as an adverse finding in the next statutory audit. Minimum of 3 advance notices as per the requirement; One of which needs to be by Letter; Logged against each Customer Record is Specific and Auditable.
Sector-Specific Obligations at a Glance
The main action points vary between Sectors for all Regulated Entities with respect to the effects of CKYCRR 2.0.
Batch upload pipelines to the API must be rebuilt in banks and e-KYC terminals for Business Correspondents in the field, and must be made available. Some of the NBFCs should include CKYC fetch in their loan origination process and need to have automation in their CRM system to trigger updates based on risk. As Day 1 requirements, Fintechs and neobanks must have API integration, a workflow of OTP consent, and a DPDP-compliant consent layer. The securities brokerages must make sure that the fields they are fetching for the KYC are SEBI-specific and the V-CIP workflows are kept up-to-date for biometric match compatibility. Existing, PDF-based CKYC records must be completed by insurance companies prior to the renewal cycles. There is no exemption from PMLA obligations by Crypto platforms and VDA service providers when it comes to full integration of the crypto KYCRR 2.0; this becomes mandatory through FIU-IND.
Final Takeaway
CKYCRR 2.0 is NOT a compliance 'check box'. It is a government-funded, government-regulated, business-critical reform of India's national KYC framework with a clear time-bound regulatory plan and regulation that will directly impact every bank, NBFC, and fintech in India's financial sector.
For compliance officers, it means new audit trail requirements and an update cycle that is risk-tiered and needs to be implemented, with a process that cannot just be written down. It translates into a new generation of real-time API integrations that comply with structured data, biometric, and consent requirements, replacing batch-upload architectures, for CTOs and tech teams. In the case of AML software evaluations, it is a requirement that it be of the two-state (CKYCRR 2.0) standard.
Those who consider it a staged and systematic transformation of the infrastructure will discover that the business case, in terms of reduced onboarding time, lower compliance cost, better fraud prevention, and structural alignment with the DPDP Act, is solid. Those who opt not to do it will be exposed to enforcement action, audit risk, and an onerous challenge to migrate when and if the regulators force it.
The new notice, reminder, and audit trail framework requires complete adherence by January 1st, 2026. The migration based on CKYCRR 2.0 is already in progress. It's time to think, not wait, but now is the time to plan.
The CKYCRR KIN (KYC Identifier Number) is a unique 14-digit number assigned to an individual after their KYC details are registered in the Central KYC Records Registry (CKYCRR). It allows financial institutions to retrieve your KYC records without requiring you to submit the same documents again.
How do I check my CKYCRR status?
You can check your CKYCRR status by contacting your bank or financial institution and providing your KYC Identifier (KIN) or registered details. They can verify whether your KYC record is available in the CKYCRR database.
Who needs a CKYCRR in banking?
Anyone opening a bank account, applying for a loan, investing in financial products, or using other regulated financial services may need a CKYCRR record. It enables banks and other financial institutions to verify KYC information quickly and comply with regulatory requirements.
What are the benefits of CKYCRR?
CKYCRR simplifies the KYC process by allowing financial institutions to access a customer's verified KYC records. It reduces duplicate document submissions, speeds up onboarding, improves customer convenience, and ensures regulatory compliance.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
