India RegTech and Fintech Compliance Glossary 2026: 60 Essential Terms Explained

RegTech Glossary India is a comprehensive reference guide for fintechs, NBFCs, compliance professionals, developers, and product teams working within India’s regulated financial ecosystem. From KYC and AML to CKYC, DPDP, digital lending regulations, fraud prevention, and business verification, understanding compliance workflows in fintech is essential for building compliant financial products. This RegTech Glossary India guide explains 60 essential terms used across the Indian financial services and regulatory technology landscape in 2026.

Table of Contents

  1. Identity and KYC Terms
  2. AML and Financial Crime Terms
  3. Business Verification and KYB Terms
  4. Digital Lending and Regulatory Terms
  5. Fraud Prevention Terms
  6. Frequently Asked Questions
  7. Conclusion

RegTech Glossary India: Identity and KYC Terms

Aadhaar: The 12-digit biometric identity number issued by UIDAI to every Indian resident. Used as the basis for Aadhaar-based eKYC — real-time identity verification through UIDAI’s database using OTP or biometric authentication.

AUA (Aadhaar User Agency): An entity licensed by UIDAI to use the Aadhaar authentication API. Required for direct Aadhaar-based eKYC. Many fintechs access Aadhaar authentication through sub-AUA relationships with licensed AUAs.

Biometric Verification: Identity verification using physical characteristics — fingerprints, iris patterns, or facial geometry. In the KYC context, usually refers to face match and liveness detection during digital onboarding.

CKYC (Central KYC): The centralised KYC registry maintained by CERSAI. Stores KYC records from all Regulated Entities and assigns a 14-digit KIN (KYC Identification Number) to each verified customer. REs can retrieve existing CKYC records rather than re-collecting KYC documents.

CDD (Customer Due Diligence): The process of identifying and verifying a customer’s identity and assessing the risk they pose. Under the RBI KYC Master Directions, CDD operates on a risk-based approach — Simplified CDD for low-risk, Standard CDD for medium-risk, and Enhanced Due Diligence for high-risk customers.

eKYC: Electronic Know Your Customer — the process of completing identity verification electronically, typically via Aadhaar authentication or video-based methods. Legally equivalent to in-person paper-based KYC when conducted through approved methods.

EDD (Enhanced Due Diligence): A more intensive level of KYC applied to high-risk customers — PEPs, customers from high-risk jurisdictions, complex corporate structures. Requires senior management approval, source of funds verification, and more frequent re-KYC.

Face Match: The biometric process of comparing a captured selfie with a reference photograph (usually from an identity document or the UIDAI database) to confirm they depict the same person. Must be combined with liveness detection to prevent spoofing.

KIN (KYC Identification Number): A 14-digit number assigned by the CKYC Registry to each verified customer. Used by subsequent Regulated Entities to retrieve an existing CKYC record.

KYC (Know Your Customer): The process of verifying a customer’s identity and assessing the risk they present. Mandatory for financial institutions under RBI KYC Master Directions and PMLA. Covers both individual customers (using identity documents) and business customers (using KYB).

Liveness Detection: The component of biometric verification that confirms the person being photographed is genuinely present — not a photograph, video, or deepfake. Required by RBI V-CIP guidelines. Available as active (challenge-response) or passive (single-image analysis) implementations.

Officially Valid Document (OVD): The set of documents accepted by Regulated Entities for identity and address verification under the RBI KYC Master Directions. Includes Aadhaar, PAN, Voter ID, Driving Licence, and Passport.

PAN (Permanent Account Number): The 10-character tax identifier issued by the Income Tax Department of India. Mandatory for financial transactions above prescribed thresholds and for all digital lending applications under RBI guidelines.

Re-KYC: Periodic re-verification of customer identity and risk profile. Required by the RBI KYC Master Directions at intervals depending on the customer’s risk classification: annually for high-risk, every two years for medium-risk, every eight to ten years for low-risk.

V-CIP (Video-based Customer Identification Process): The RBI-approved method for completing identity verification through a live audio-visual interaction. Requires liveness detection, geolocation, document verification, and storage of the recorded session for at least five years.

AML and Financial Crime Terms

AML (Anti-Money Laundering): The set of laws, regulations, and procedures designed to prevent criminal organisations from disguising illegally obtained funds as legitimate income. In India, the primary AML legislation is the Prevention of Money Laundering Act (PMLA).

CTR (Cash Transaction Report): A report filed with FIU-IND for all cash transactions aggregating above ₹10 lakh in a calendar month. Filing must occur within fifteen days of month-end through the FINnet portal.

FATF (Financial Action Task Force): The intergovernmental body that sets global standards for AML/CFT measures. India is a FATF member and implements FATF recommendations through PMLA and related regulations. The FATF greylists jurisdictions with strategic deficiencies in their AML frameworks.

FIU-IND (Financial Intelligence Unit India): The central national agency responsible for receiving, analysing, and disseminating financial intelligence related to proceeds of crime. All Reporting Entities under PMLA must file CTRs and STRs with FIU-IND.

FINnet: FIU-IND’s financial intelligence network portal, through which Reporting Entities submit CTRs, STRs, and other mandatory reports.

Layering: The second stage of money laundering, involving multiple financial transactions designed to disguise the origin of criminal proceeds — typically rapid transfers through multiple accounts, often across jurisdictions.

MLAT (Mutual Legal Assistance Treaty): A treaty between countries providing the framework for sharing financial intelligence and evidence in cross-border criminal investigations. Relevant for financial institutions handling cross-border transactions involving suspected financial crime.

PEP (Politically Exposed Person): An individual who holds or has held a prominent public function — senior politician, government official, military officer, senior judiciary, PSU executive, or party official — and their close family members and associates. PEPs require Enhanced Due Diligence under PMLA and the RBI KYC Master Directions.

PMLA (Prevention of Money Laundering Act): India’s primary AML legislation, enacted in 2002 and subsequently amended. Establishes the obligations of Reporting Entities — including identification and verification of customers, transaction monitoring, record-keeping, and reporting to FIU-IND.

Reporting Entity (RE): An entity subject to PMLA obligations — including banks, NBFCs above defined thresholds, SEBI-registered intermediaries, and VDASPs. Must implement KYC, transaction monitoring, and file CTRs and STRs.

Sanctions Screening: The process of checking customers and transactions against official sanctions lists — UN Security Council, OFAC SDN, EU Consolidated List, India’s UAPA list — to identify prohibited relationships or transactions.

STR (Suspicious Transaction Report): A report filed with FIU-IND within seven working days of forming a reasonable suspicion that a transaction involves money laundering or terrorist financing proceeds. Must not be disclosed to the customer.

Structuring: The practice of breaking up financial transactions into smaller amounts to avoid reporting thresholds. Also known as smurfing. A red flag for money laundering and itself a PMLA offence when done with the intent to evade reporting requirements.

Typology: A documented pattern of financial transactions associated with a specific money laundering or financial crime method. Used to inform transaction monitoring rule design.

Business Verification and KYB Terms

Beneficial Owner: An individual who ultimately owns or controls a legal entity — defined in PMLA as any person owning more than 25 percent of the shares or voting rights, or exercising effective control. Beneficial owner identification is required under PMLA for all legal entity customers of Reporting Entities.

CIN (Corporate Identification Number): A 21-digit alphanumeric identifier assigned by the MCA to every company incorporated in India. Used for CIN verification through MCA21 to confirm incorporation status, director details, and registered address.

DIN (Director Identification Number): An eight-digit identifier issued by the MCA to every individual who is or intends to be a director of an Indian company. DIN status — active or disqualified — can be verified through MCA21.

GSTIN (Goods and Services Tax Identification Number): The 15-digit identifier assigned to every GST-registered business in India. GSTIN verification through the GSTN database confirms active registration, business type, and return filing status.

KYB (Know Your Business): The process of verifying the identity and legitimacy of a business entity — covering legal registration, beneficial ownership, director status, financial compliance, and adverse signals. Required for all business counterparties under RBI KYC Master Directions and PMLA.

MCA21: The Ministry of Corporate Affairs’ online portal and database for company and LLP registration, filings, and director information. The authoritative source for CIN and DIN verification.

MSME: Micro, Small, and Medium Enterprise — as classified under the MSMED Act based on investment in plant/machinery and annual turnover. UDYAM registration provides government-certified MSME classification.

UDYAM: The registration system for MSMEs in India administered by the Ministry of MSME. Replaces the earlier Udyog Aadhaar scheme. Registration provides access to government schemes and priority sector lending treatment.

UBO (Ultimate Beneficial Owner): See Beneficial Owner. The term UBO is used when the ownership chain passes through one or more legal entities before reaching the natural person who ultimately owns or controls the structure.

Digital Lending and Regulatory Terms

Account Aggregator (AA): A Reserve Bank of India-licensed NBFC that facilitates secure, consent-based sharing of financial information between Financial Information Providers (FIPs, such as banks) and Financial Information Users (FIUs, such as lenders). Enables open banking in India without requiring customers to share credentials.

BNPL (Buy Now Pay Later): A short-term credit product that allows consumers to defer payment for purchases, typically repaid in instalments. Subject to RBI digital lending guidelines when provided through regulated entities.

DPDPA (Digital Personal Data Protection Act): India’s data protection legislation enacted in 2023, with rules notified in November 2025. Establishes the rights of data subjects and the obligations of Data Fiduciaries and Data Processors regarding the collection, use, retention, and sharing of personal data.

LSP (Lending Service Provider): An entity that provides one or more loan-related services (sourcing, credit assessment, recovery) on behalf of a Regulated Entity lender, without itself being a licensed lender. Subject to RBI Digital Lending Guidelines and must be disclosed on the RE’s website.

NBFC (Non-Banking Financial Company): A company registered with the RBI to conduct financial activities including lending, investment, and deposit-taking (with restrictions). Subject to RBI supervision and KYC Master Directions.

RBI (Reserve Bank of India): India’s central bank and primary financial regulatory authority. Supervises NBFCs, banks, payment systems, and foreign exchange management. Issues the KYC Master Directions and digital lending guidelines.

Regulated Entity (RE): Under the RBI KYC Master Directions, a Regulated Entity includes banks, NBFCs, cooperative banks, payment system participants, and other entities supervised by the RBI. REs are required to comply with the KYC Master Directions in full.

V-CIP: See Video-based Customer Identification Process above.

VDASP (Virtual Digital Asset Service Provider): An entity that conducts VDA exchange, transfer, safekeeping, or related financial services. Subject to PMLA as a Reporting Entity following the March 2023 amendment. Must register with FIU-IND.

Fraud Prevention Terms

Account Takeover (ATO): A fraud type where a criminal gains control of a legitimate customer’s account without their consent, typically through SIM swap, phishing, credential stuffing, or vishing. Prevention requires device fingerprint monitoring, session behaviour analysis, and SIM swap detection.

Application Fraud: Misrepresentation of identity, income, or financial position in a credit or account application. Includes identity fraud (using another person’s credentials), synthetic identity fraud (fabricated person), and first-party fraud (genuine applicant misrepresenting their position).

Deepfake: AI-generated synthetic media — manipulated video, cloned voice, or composite facial imagery — used to impersonate real individuals. Used in financial fraud to bypass video KYC liveness detection and to impersonate executives in authorisation fraud.

Device Intelligence: The set of signals derived from the device used in a digital interaction β€” device type, OS version, browser, geolocation, IP address, and device fingerprint. Used to identify devices associated with prior fraud events and to detect anomalous verification environments.

First-Party Fraud: Fraud committed by the genuine account or loan holder using their own identity — including intentional default and misrepresentation of financial position. Invisible to identity verification; detected through financial document integrity, bureau velocity, and post-disbursement behavioural monitoring.

Mule Account: A bank or wallet account used to receive and forward fraudulent funds as part of a money laundering layering operation. May be operated by a knowing participant or through identity theft.

Synthetic Identity Fraud: A fraud type that combines real data elements (such as a genuine PAN number) with fabricated details to create a fictitious person who can open accounts or apply for credit. Requires cross-database verification for detection.

Tamper Detection: The verification process that identifies whether a document has been modified after original creation. Operates at the metadata level (PDF structure, creation software, edit history) and the pixel level (compression artefacts, font rendering inconsistencies) in addition to content cross-referencing.

Transaction Monitoring: The ongoing analysis of customer financial transactions to identify patterns consistent with money laundering, fraud, or other financial crime. Required under PMLA for Reporting Entities. Generates alerts for human review and STR consideration.

As India’s financial regulations continue to evolve, maintaining a clear understanding of compliance terminology is increasingly important. This RegTech Glossary India resource helps compliance teams, fintech startups, lenders, and regulated entities interpret key regulatory concepts accurately and apply them effectively in day-to-day operations. Whether you’re implementing KYC workflows, AML monitoring, digital lending controls, or DPDP compliance measures, a reliable RegTech Glossary India reference can reduce compliance risk and improve operational efficiency.

Key Takeaways

  • CKYC centralises KYC records across all Regulated Entities — a 14-digit KIN allows any subsequent RE to retrieve an existing verified record rather than re-collecting documents.
  • PEPs extend beyond the named individual to include immediate family members and close associates — screening that covers only the primary customer is incomplete.
  • STRs must be filed within seven working days of forming suspicion — not within seven days of the transaction — and must not be disclosed to the customer.
  • KYB goes beyond GSTIN lookup to include CIN, beneficial ownership, and director DIN status — the complete picture of business identity and legal standing.
  • First-party fraud is distinct from identity fraud and requires different detection signals: financial document integrity, bureau inquiry velocity, and behavioural analytics.

Frequently Asked Questions

Q: What is the difference between KYC and KYB?

KYC (Know Your Customer) verifies individual identity using documents such as Aadhaar, PAN, and Voter ID. KYB (Know Your Business) verifies legal entities — companies, partnerships, MSMEs — covering incorporation status (CIN), GST compliance (GSTIN), MSME classification (UDYAM), director status (DIN), and beneficial ownership. KYB is required for business counterparties of Regulated Entities under PMLA and the RBI KYC Master Directions.

Q: What is a Reporting Entity under PMLA India?

A Reporting Entity is any entity subject to PMLA obligations: banking companies, financial institutions (including NBFCs above defined thresholds), SEBI-registered intermediaries, insurance companies, and Virtual Digital Asset Service Providers (VDASPs). REs must implement KYC, PEP and sanctions screening, transaction monitoring, and file CTRs and STRs with FIU-IND.

Q: What does DPDP Act mean for fintech compliance in India?

The DPDP Act 2023 (with rules notified in November 2025 and a May 2027 compliance deadline) adds data protection obligations — consent, purpose limitation, retention schedules, data subject rights — on top of existing RBI and PMLA compliance requirements. For fintechs, it restricts how KYC data can be used beyond the regulatory purpose, mandates automated data deletion at the end of retention periods, and requires explicit vendor data processing agreements with all third-party KYC providers.

Q: What is the India fintech compliance landscape in 2026?

In 2026, Indian fintechs and NBFCs operate under a dual compliance framework: RBI sectoral regulations (KYC Master Directions, Digital Lending Guidelines, PA guidelines) and the horizontal DPDP Act data protection regime. The PMLA adds AML obligations for those qualifying as Reporting Entities. VDA platforms also operate under FATF Recommendation 15 and the Travel Rule. The May 2027 DPDP deadline is the most immediate compliance milestone requiring active preparation.

Conclusion

The terminology of RegTech and compliance is not academic — each term represents a specific regulatory obligation, a verification requirement, or a fraud risk that has real operational and financial consequences when misunderstood or misapplied. As India’s regulatory framework continues to evolve — the DPDP Rules, updated AML guidelines, and continued VDA regulation will all generate further definitional developments — maintaining a current understanding of what these terms mean in the regulatory context is foundational to building compliant, trustworthy financial products.
