Sir, India’s KYC (Know Your Customer) architecture is often presented as one of the quieter success stories of modern financial regulation. Identity verification today is certainly formidable: Aadhaar linkage, PAN mapping, video-KYC, and digital onboarding have made creating fake accounts an increasingly unrewarding hobby. And yet, somewhat inconveniently, fraud losses continue to rise, and money tends to disappear faster than most systems can trace it.
The uncomfortable truth is this: KYC was designed to answer a fairly modest question, “Who opened the account?” Modern fraud, with rather less courtesy, asks a different one altogether: “Who is controlling the account right now?” What we need really is KYOC, or “Know Your Ongoing Controller.” The gap between the two is where most of today’s financial mischief lives. Fraud has shifted away from inventing identities to borrowing perfectly genuine ones and quietly taking them over.
A recent case reported in The Times of India (June 17, 2026) captures the speed of this new world. A fraudster, having accessed the victim’s embedded identity credentials through confidence trickery, managed to obtain a ₹15 lakh loan in the victim’s name within minutes and promptly siphoned off a substantial portion of it. What stands out is not merely the fraud, but the efficiency with which the system assisted its own undoing.
The pattern is by now familiar. A student, a daily wage worker, or a small trader opens a fully KYC-compliant account. Everything is in order, properly documented, and reassuringly “verified.” Thereafter, the account is quietly rented, sold, or taken over by fraud networks. On paper, the original owner of the account still exists; in practice, control has already migrated elsewhere. Within minutes, the account becomes a conduit for rapid, layered transfers across a widening circle of other accounts.
These are not fake accounts. If anything, they are worse: entirely real accounts operating under temporary, invisible control. This is precisely why traditional KYC struggles. It validates entry, not ongoing usage.
Modern fraud is engineered for both speed and opacity. At its core are mule accounts that function as infrastructure, legitimate but compromised accounts used as temporary waypoints for illicit flows. Once inside the system, money is split, rerouted, and re-routed within minutes across UPI and IMPS rails, leaving little time for intervention. Control itself becomes fluid: the same account may be operated through different devices, or effectively change hands, without any formal change in ownership. Meanwhile, transactions are fragmented into multiple small pieces to destroy traceability before anyone can reconstruct the chain. By the time alerts are triggered, the money is already several hops away, and often long converted into less cooperative forms.
The real limitation of today’s banking system, therefore, is not at the point of entry but in what happens after entry. It is strong at onboarding, but far less attentive once the account is in motion. It verifies who opened the account and what documents were provided, but has only a faint sense of who is actually operating it today, whether that control has shifted, or whether behaviour has quietly deviated from the norm. That missing layer, namely, who is really in control at any given moment, is where most of the vulnerability lies.
To address this, the system must move beyond one-time verification towards continuous control monitoring. At a basic level, accounts and payment handles need to be more tightly bound to specific devices, with extra checks when new devices are added, a short waiting period, and alerts sent to the account holder. This alone would make a casual takeover and the rapid passing on of accounts considerably harder.
Banks also need to watch how accounts behave over time. Sudden changes: very rapid transactions, unusual locations, unfamiliar beneficiaries, or odd timing patterns, or other similar disruptive patterns, should act as warning signals that control may have shifted. Each account should carry a continuously updated “trust level,” rising when behaviour is stable and familiar, and falling when anomalies appear. When trust drops, the system should respond in proportion: slow transactions, request additional confirmation, or briefly hold suspicious payments. The point is not to inconvenience everyone, but to introduce friction only when behaviour itself becomes unusual.
Fraud detection must also move beyond isolated accounts. Fraud rarely behaves like a single actor; it behaves like a network. Money moves through chains of accounts, often with deliberate coordination. If one account receives funds and quickly distributes them onward, or if a cluster of accounts begins to behave in tightly synchronised and unusual ways, the system needs to see the pattern holistically rather than as disconnected events.
Equally important are clearer rules for account use, especially when accounts are shared or operated informally by more than one person. Changes in control should be visible to the bank, not hidden within informal arrangements. Moreover, not all transactions need to be instantaneous. Low-risk payments can proceed in real time, but suspicious ones should pause briefly for verification before funds move further. A small window of delay is often cheaper than a large window of regret.
Finally, fraud intelligence must be shared more effectively across banks and payment systems. Suspicious patterns seen in one corner of the system should not remain local secrets; otherwise, fraud simply migrates from one institution to another with commendable ease.
In short, the system must evolve from asking only “Who opened this account?” to continuously asking “Who is actually using it now?” Without that shift, we will continue to enjoy a familiar combination: near-perfect onboarding compliance, followed by rather less perfect post-facto reconstruction. KYC was built for a world where fraud meant fake identities opening fake accounts. Today’s reality is more economical: legitimate identities are borrowed, and control is briefly but decisively seized. The next frontier, therefore, is KYOC, Know Your Ongoing Controller, a framework that asks not only “Who are you?” but, more pointedly, “Who is moving this money, right now?” Until that question is answered in real time, the system will remain elegantly compliant at the front door and quietly vulnerable in the corridors beyond.
Disclaimer
Views expressed above are the author’s own.
