
KYC Requirements for Apps, Startups & Online Platforms in India: PPI and Non-PPI (2025)

30 Jun 2025


With India’s fintech, gaming, and digital commerce ecosystems rapidly expanding, compliance with RBI and allied regulatory norms is more critical than ever. This note serves as a generalised, practitioner-oriented guide for any online business, including but not limited to apps, startups, marketplaces, and digital platforms, whose business model involves loading money in advance and using it for various transactions or for the disbursal of funds to users. The contents of this note are based on the regulatory framework as available in the public domain as of 01 July, 2025, and are subject to change.

Payment Classification

Prepaid Payment Instruments (PPIs)

A PPI, or Prepaid Payment Instrument, is a financial tool that allows users to load money in advance and use it for various transactions. In India, PPIs are regulated by the Reserve Bank of India (RBI) under the Payment and Settlement Systems Act, 2007 and the Master Directions on PPIs. The RBI definition of PPIs is as follows:

“Prepaid Payment Instruments are instruments that facilitate the purchase of goods and services, including funds transfer and remittance, against the value stored in them.”

Under the Payment & Settlement Systems Act, 2007, RBI defines PPIs as instruments that facilitate purchases or fund transfers against the stored value. RBI has issued updated Master Directions on PPIs in August 2021 and further clarifications through circulars up to 2025 (RBI Master Directions).

  • Closed System PPIs - Usable only within the issuing entity’s platform (e.g., an in-app wallet for a gaming or e-commerce app) for in-app services. No third-party merchant payments permitted. No fund transfer or withdrawal permitted. Not regulated, but KYC suggested.
  • Small PPIs - Require only basic KYC (mobile OTP + self-declaration). Reloadable, for purchase of goods and services at specified outlets. No cash withdrawals or fund transfers permitted. Limits: Max Rs. 10,000/- per month/ outstanding; sometimes higher for non-cash loading. OTP + OVD self-declaration - Basic KYC requirements.
  • Full-KYC PPI - UPI-enabled; allows wider use including transfers and higher balances; Full KYC mandatory. Fund transfers and cash withdrawals also permissible.

PPIs must be issued by Indian-incorporated entities only, and issuers must maintain escrow accounts with scheduled commercial banks (RBI Notification).

Interoperability with UPI

Since December 27, 2024, full-KYC PPIs are required to be interoperable with the Unified Payments Interface (UPI), allowing users to transact across payment platforms (RBI Circular on UPI Interoperability).

Not All Payment Models = PPIs

Payment Aggregators (PAs) and Payment Gateways (PGs):
If a business uses Razorpay, Cashfree, PayU, etc., it is relying on an RBI-authorised Payment Aggregator who handles the compliance, but the business must still ensure KYC of end users if acting as a merchant or sub-merchant (RBI Guidelines for Payment Aggregators).

Escrow/Marketplace Models: Marketplaces (e.g., for freelancers, tickets, etc.) may not issue PPIs, but if they hold user funds even temporarily before disbursing them (e.g., post-order confirmation), they must structure compliant escrow mechanisms, potentially under RBI supervision.

KYC Thresholds & Periodic Updating

The Master Direction on KYC (updated on June 12, 2025) governs identity verification and updating requirements (KYC Master Direction).

a. Minimum & Full KYC

  • Minimum KYC (for PPIs up to ₹10,000): Mobile OTP + self-declaration of name and one Officially Valid Document (OVD), e.g., PAN, Aadhaar.
  • Full KYC: Required for higher balances, UPI interoperability, and any fund transfers or withdrawals.

b. Update Obligations

  • For low-risk customers, periodic KYC updating is allowed until June 30, 2026 or 12 months past the due date, whichever is later.
  • Entities must issue 3 notices and 3 reminders before freezing accounts (RBI Circular on KYC Updating).

Digital Security & Verification Infrastructure

Cyber Resilience & Fraud Protection

RBI has introduced Digital Payment Security Controls for payment operators, applicable in phases until April 2028 (RBI Circular on Cybersecurity).

e-KYC & Aadhaar Authentication

The UIDAI Aadhaar Authentication API provides a mechanism for secure, online identity verification. The latest specifications are detailed in UIDAI’s Aadhaar Authentication API 2.5 and updated authentication regulations (UIDAI Regulations).

For PAN, the Income Tax Department authorizes PAN verification via NSDL’s API portal.

Tax, TDS & AML Compliance

Winnings and Payouts

Any disbursal of prize money, commissions, cashback, or other user earnings may qualify as income under Section 2(24)(ix) of the Income Tax Act, 1961. Where a single payout exceeds ₹10,000, TDS @ 30% + surcharge/cess (totalling 31.2%) must be deducted under Section 194B.

Note: Businesses That Handle Winnings, Cashbacks, or Rewards: Even without PPI issuance, if your platform:

  • Disburses contest winnings, cashbacks, referral bonuses, or loyalty rewards, and
  • The amounts exceed ₹10,000 in a financial year,

then you may be liable for TDS under Section 194B or 194R (benefits or perquisites) of the Income Tax Act.

Ensure PAN collection, TDS deduction (if applicable), and Form 16A issuance.

Documents Required

  • PAN: Mandatory for tax compliance and verifying age (18+).
  • Bank Statement: Payouts must be credited only to Indian accounts in the user’s name.
  • OVDs: Aadhaar, Passport, Voter ID, etc., may be obtained for address and identity verification.

KYC Flow for Online Businesses

  • Mobile OTP - Verifies ownership of number/ device.
  • PAN Upload - Mandatory for TDS, identity & age proof.
  • Bank Statement Upload - Confirms account ownership for disbursements.
  • Aadhaar/ OVD - Strengthens identity & address verification.
  • Video KYC/ V-CIP - Required for full KYC PPIs.
  • Geographic Self-Declaration - Avoids onboarding from restricted jurisdictions.

Best Practices & Record Retention

  • Maintain records of all PPI transactions and KYC data for 5 years.
  • Ensure data security compliance under the IT (Reasonable Security Practices) Rules, 2011.
  • Avoid onboarding residents from states where gaming or real-money operations are barred.
  • Clarify KYC, disqualification, and tax deduction policies in terms of service.

Data Protection & Storage of KYC

Since KYC data includes sensitive personal information, storing or processing it triggers obligations under:

  • IT Act, 2000 + Reasonable Security Practices Rules (2011): Businesses must follow privacy policies, obtain user consent, and ensure protection against data breaches.
  • SPDI Rules
  • Upcoming Digital Personal Data Protection Act (DPDPA) 2023 (notified but not yet enforced): If enacted, this will bring stricter penalties for misuse or leakage of Aadhaar, PAN, and biometric data.

This reiterates the advantage of linking to online Government API verification, such as:

  • UIDAI Aadhaar Authentication APIs (via AUA/KUA framework)
  • NSDL PAN Verification API
  • Digilocker for direct document fetch (officially supported under MeitY)

These reduce the risk of storing documents locally and shift liability to API providers, while improving conversion rates.

Watch Out:

If your business:

  • Handles frequent microtransactions, wallets, or stored credits,
  • Disburses significant user funds or rewards,
  • Onboards users from foreign jurisdictions or accepts foreign payments,
  • Has embedded lending, BNPL, or financing features.

In such cases, compliance advice and structuring become necessary, e.g., PPI licensing, escrow structuring, NBFC tie-ups, and FEMA compliance.

KYC is no longer a peripheral compliance requirement. It is foundational to secure and compliant digital businesses. Whether operating a marketplace, wallet, game, investment product, or gig platform, your business must integrate identity verification, tax compliance, and data security into its core operations. As regulatory frameworks evolve, staying ahead of compliance helps protect your users, your reputation, and your bottom line.

Disclaimer: This article is based on publicly available information as of July 2025, including RBI and UIDAI guidelines. Regulatory positions are subject to change. This is not legal advice. For business-specific compliance queries, please contact KTB Law Offices for professional assistance.
