In a significant move to protect consumers from online scams, the Delhi High Court has issued a landmark order making strict e-KYC verification compulsory for all domain name registrants in India. The court observed that lax identity checks have fueled a rise in cyber fraud, phishing websites, and large-scale digital crimes.
Court Cites Anonymity as Key Enabler of Fraud
Justice Prathiba M Singh, while delivering a judgment on a series of suits filed by Dabur India Ltd, highlighted a critical problem. The court noted that the anonymity offered during domain registration has become a major tool for criminals. This practice allows misuse of reputable brand names to mislead the public, often resulting in financial losses through fake franchises, distributorships, and investment schemes.
The bench explicitly stated that the prevailing system of "privacy by default" is unacceptable. Masking registrant details without verified credentials has been identified as a primary factor enabling financial fraud, making it extremely difficult for brand owners, banks, and law enforcement to track down offenders promptly.
New Mandatory Verification Framework
The court has directed all Domain Name Registrants (DNRs) operating in India to implement a robust verification system. As per the order, mandatory KYC checks must be performed at the time of registration and periodically re-verified thereafter. This directive aligns with the government circular issued on April 28, 2022.
The ruling specifies that personal details of a registrant cannot be concealed unless the entity specifically opts for privacy protection after completing the full verification process. Furthermore, DNRs must clarify which data is shared with the National Internet Exchange of India (NIXI) for domains it administers, with updates provided monthly.
Directives for Banks and Government
The court's order extends beyond domain registrars. It has instructed all banks to mandatorily implement the Beneficiary Bank Account Name Lookup facility for all online transactions. This includes payments made via UPI through apps like Google Pay and Paytm, as mandated by an RBI circular dated December 30, 2024.
Banks are also required to follow the Standard Operating Procedures issued by the Central Economic Intelligence Bureau on May 31, 2024, for processing and responding to law enforcement agency requests. The court believes that allowing customers to verify a beneficiary's name before payment will significantly reduce fraud.
In cases of investigation, DNRs must disclose verified registrant details—including name, address, mobile number, email, and payment information—within 72 hours of a request from courts or law enforcement. Non-compliance with KYC and disclosure rules could lead to loss of protection under the IT Act, 2000, and potential blocking of domains under Section 69A.
Push for a Uniform National Framework
Recognizing the urgent need for systemic safeguards, the court has asked the Central Government to explore creating a uniform e-KYC framework for all domain registrars in India. The model should be similar to the system currently used by NIXI.
The government will hold stakeholder consultations with all DNRs and registry operators to develop this comprehensive framework. The overarching goal is to restore consumer trust, protect business interests, and eliminate loopholes that fraudsters exploit.
Justice Singh emphasized that these directions are urgently needed to ensure robust safeguards within the digital ecosystem, preventing parties from committing fraud due to systemic failures.
