1. Why These APIs Matter More Than Ever
estimates)
misrepresentation
integrate
Roopya
The RBI’s Digital Lending Guidelines (2022, updated 2024) and the Prevention of Money Act (PMLA) require regulated lenders to perform specific verification checks at origination. Beyond compliance, every undetected fraud application costs a lender not just the principal but legal recovery costs averaging 3โ5x the loan value.
At the same time, over-verifying applicants slows down legitimate borrowers and kills conversion rates. The art of modern lending is running precisely the right checks, in the right sequence, at the right cost โ automatically.
This guide covers APIs relevant to NBFCs, digital lenders, co-lending partners, and fintech platforms operating in India under RBI oversight. Some APIs (particularly Aadhaar eKYC) require RBI authorisation and can only be accessed through UIDAI-licensed KSA entities.
2. KYC APIs Explained
Know Your Customer (KYC) APIs verify that a borrower is who they claim to be. In India, KYC is
regulated by the RBI’s KYC Master Directions and the PMLA. Different loan products and risk
levels require different tiers of KYC โ from OTP-based Aadhaar verification for small-ticket
loans to full Video KYC for high-value credit.
Aadhaar OTP eKYC
โน15โ25 / call
UIDAI-authorised real-time identity verification using the Aadhaar database. Borrower
enters their Aadhaar number, receives an OTP, and their demographic details (name, DOB,
gender, address) are fetched directly from UIDAI servers. Legally acceptable as full KYC
for loans up to โน60,000 under RBI norms.
Aadhaar Offline XML / DigiLocker
โน3โ8 / call
Borrower downloads their Aadhaar XML from the UIDAI portal or DigiLocker and shares the
digitally signed file. Lower cost than OTP eKYC. Widely used for higher-ticket loan
products where Aadhaar OTP limits are a concern (UIDAI restricts high-volume OTP eKYC).
XML contains an UIDAI-signed data packet verifiable without hitting UIDAI servers.
PAN Verification
โน2โ5 / call
Verifies a PAN number against the Income Tax Department’s database (via NSDL / Protean
APIs). Confirms that the PAN is active, the name matches, and the PAN has not been
de-linked. Also used to check PANโAadhaar linking status, which is mandatory for NBFCs
under current RBI KYC guidelines. A separate API call checks PAN-Aadhaar link status for
โน1โ3.
Face Match & Liveness Detection
โน3โ10 / call
Compares a live selfie captured during the loan application against the photograph
extracted from the Aadhaar or PAN document. Active liveness detection (asking the user
to blink, turn their head) prevents spoofing with printed photos or replay attacks.
Accuracy benchmarks for leading Indian providers (HyperVerge, IDfy) are above 99.5% on
Indian faces.
Video KYC (V-CIP)
โน80โ180 / session
RBI’s Video-based Customer Identification Process (V-CIP) โ a live video call between a
trained agent and the borrower, during which identity documents are verified in real
time. Mandatory for full KYC on certain products (e.g., credit cards, loans above
โน60,000 for certain NBFCs). Asynchronous AI-assisted V-CIP reduces agent dependency and
brings per-session cost down. 3โ5 minutes per session.
CKYC Lookup
โน2โ5 / call
Fetches existing KYC records from the Central KYC Registry (CKYC / CKYCR) operated by
CERSAI. If a borrower has been KYC-verified by any regulated entity before, their CKYC
record is stored centrally. Lenders can retrieve it instead of re-performing KYC,
reducing cost and friction. RBI requires CKYC check before undertaking fresh KYC.
OCR / Document Extraction
โน2โ8 / doc
Optical Character Recognition extracts structured data from unstructured document images
โ PAN cards, Aadhaar, driving licences, passports, GST certificates, rent agreements.
Modern OCR APIs for Indian documents achieve >98% field accuracy. Used to pre-fill
application forms, cross-validate borrower-entered data, and flag tampered documents via
metadata analysis.
Bank Account Verification (Penny Drop)
โน3โ8 / call
Validates that a bank account number and IFSC code are live and belong to the declared
borrower. A Re. 1 penny deposit is made to the account via IMPS/NEFT, and the name
registered with the bank is returned. Used to verify disbursal accounts at origination
and repayment accounts before NACH setup. Reverse penny drop (โน4โ9) validates without
actual credit.
Bank Statement Analysis (BSA)
โน30โ80 / set
Automated parsing and analysis of 3โ12 months of bank statements (PDF or via Account
Aggregator). Extracts income patterns, average monthly balance, EMI obligations, salary
credits, irregular debits, and bounce history. Categorises transactions into 100+
buckets. Output: structured JSON with income, obligations, and risk signals. Critical
for income assessment in unsecured lending.
eSign / Digital Signature
โน15โ35 / sign
Aadhaar-based eSign enables borrowers to digitally sign loan agreements, NACH mandates,
and sanction letters using their Aadhaar OTP as authentication. Legally valid under the
IT Act, 2000. Accepted by courts and regulators as equivalent to a wet signature.
Significantly reduces TAT vs. physical signing and courier. Providers: eMudhra, Digio,
SignDesk, Leegality.
3. Fraud Check APIs Explained
Fraud check APIs go beyond identity verification โ they analyse behaviour, device signals,
network intelligence, and cross-entity data to detect whether an application is genuine. Most
fraud in digital lending involves synthetic identities, misrepresented income, or repeat
defaulters using slightly altered details.
Credit Bureau Pull (CIBIL / Experian / CRIF / Equifax)
โน35โ55 / report
Retrieves a borrower’s full credit history from India’s four credit bureaus. Includes
CIBIL score (300โ900), total outstanding debt, number of active loans, EMI obligations,
DPD (days past due) history, written-off accounts, and settled accounts. Lenders are
required to report to at least one bureau under RBI guidelines. Multi-bureau pulls (all
four) cost โน120โ180 but significantly improve fraud detection for thin-file borrowers.
Device Intelligence & Fingerprinting
โน1โ4 / session
Captures device metadata at the time of application: OS version, browser, screen
resolution, installed fonts, GPS coordinates, IP reputation, VPN/proxy detection,
emulator detection, and device history. A single device associated with multiple PAN
numbers or applications is a strong fraud signal. Providers like Bureau.id assign a
device risk score that persists across lenders.
Mobile Number Intelligence
โน2โ5 / call
Validates a mobile number against telecom data: whether the number is active, its age
(SIM age is a key fraud signal โ SIMs <30 days old are high-risk), whether it is
linked to the declared Aadhaar/PAN, operator, and whether it has been ported recently.
Also checks for SIM swap events in the last 30โ90 days, which indicate account takeover
risk.
Blacklist / Negative Database Check
โน2โ6 / call
Checks a borrower’s PAN, Aadhaar, mobile number, or email against internal and external
fraud lists: RBI’s defaulter lists, SEBI debarred entities, CIBIL’s fraud registry,
CERSAI’s securitisation database, and lender-contributed negative databases. Also
includes PMLA watchlist checks (OFAC, UN sanctions) for regulated lenders. A match
triggers automatic rejection or manual review.
Deduplication Check
โน1โ4 / call
Checks whether a borrower has an existing active loan with the same lender or, through
consortium platforms, with other lenders. Detects serial applicants who apply with
slight variations in name spelling, different phone numbers, or alternate addresses to
bypass rejection. Critical for NBFCs doing microfinance and group lending where
over-indebtedness is a major risk.
Income Fraud Detection (BSA Forensics)
โน20โ50 / call
A specialist layer on top of bank statement analysis that detects income manipulation:
round-number salary credits, credits immediately followed by withdrawals (cash cycling),
unusually regular patterns inconsistent with stated employment, identical credit amounts
on multiple accounts, and forged PDF metadata. Detects both borrower-side and
DSA-facilitated income fabrication.
GST & Business Verification
โน2โ6 / call
For MSME and business loans: validates GSTIN against GSTN’s database, retrieving business
name, address, registration date, filing status, and HSN/SAC codes. Detects dormant GST
registrations being used to inflate business credentials. GST return filing data
(GSTR-3B) provides an independent revenue signal that can be compared against declared
income in the loan application.
Email & Social Intelligence
โน1โ3 / call
Assesses email address risk: age of the email account, whether it appears in breach
databases, whether it is a disposable/temporary address, domain reputation, and whether
it is associated with known fraud patterns. Some providers also offer social graph
analysis โ checking whether the declared employer’s name matches LinkedIn data, or
whether an address is associated with a known fraud cluster.
A note on data privacy: All API calls that involve personal data (Aadhaar,
PAN, bank statements) are governed by the Digital Personal Data Protection Act 2023 (DPDPA)
and respective regulator guidelines. Lenders must obtain informed, specific consent before
each category of data fetch. Roopya’s consent module handles this automatically for every
API call in the flow.
4. How These APIs Work in a Loan Origination System
In a LOS, KYC and fraud APIs do not run independently โ they run as a sequenced orchestration.
The order matters: cheaper, faster checks run first so that obviously fraudulent or ineligible
applications are rejected before expensive checks are invoked.
Typical LOS API Orchestration โ Unsecured Personal Loan
Before the Credit Decision
- Mobile intelligence runs at lead entry to filter SIM <30 days (reject or flag)
- Aadhaar OTP eKYC confirms identity before any bureau cost is incurred
- PAN + PAN-Aadhaar link status check (โน3โ7 total) is a compliance gate
- CKYC lookup โ if existing record found, fresh KYC skipped entirely
- Blacklist and deduplication check stops fraud before bureau pull
- Device fingerprint scored against fraud consortium data
During Credit Assessment
- Credit bureau pull (CIBIL primary, Experian/CRIF for cross-validation)
- Bank statement analysis via Account Aggregator or PDF upload
- Income fraud forensics on BSA output
- GST verification for MSME loans
- Employment verification via EPFO API (PF balance and employer data)
- ITR verification (Form 26AS) for salaried or self-employed
After Approval, Before Fund Transfer
- Face match + liveness against selfie at application vs. Aadhaar photo
- Penny drop or reverse penny drop on disbursal bank account
- eSign on loan agreement and NACH mandate
- Video KYC if product or risk tier requires full KYC
- Final blacklist refresh (24โ48 hr stale checks re-run at disbursal)
Straight-Through Processing (STP)
- Each API result maps to a pass / review / reject outcome in the policy engine
- Cascading rejections stop API sequence early, saving cost
- Bureau not called if mobile SIM age <30 days โ saves โน45 per rejection
- API SLA monitoring auto-routes to fallback provider if primary is down
- All API responses stored in audit log for RBI inspection
5. How These APIs Work in a Loan Management System
KYC and fraud APIs are not just an origination-time concern. In a LMS, they are used for re-KYC,
collections intelligence, fraud monitoring on active accounts, and regulatory reporting.
RBI-Mandated Re-Verification
- RBI KYC Master Directions require re-KYC every 2 years (low risk), 1 year (medium
risk), 6 months (high risk) - Automated Aadhaar eKYC or DigiLocker XML re-verification at scheduled intervals
- Address change validation via fresh Aadhaar pull
- CKYC record update โ lenders must submit updated KYC to CKYCR
- PAN-Aadhaar link status re-checked annually
Payment & Recovery Operations
- Bank account re-verification before NACH mandate renewal (account may change)
- Mobile number freshness check before collections calling โ detects ported/inactive
numbers - Address verification API used by field collections agents to confirm current address
- Deduplication check on restructured loans to detect serial restructurers
Portfolio-Level Fraud Detection
- Periodic device check on customer app logins โ device change flagged for manual
review - SIM swap alerts on registered mobile (via telecom API) โ triggers 2FA enforcement
- Blacklist re-screening of active borrowers as new fraud cases are added to databases
- Bureau refresh for accounts going into early delinquency (30+ DPD) to detect new
credit uptake - Cross-lender fraud signals via consortium fraud networks
Compliance & Audit
- Bureau reporting (monthly submission of account performance to
CIBIL/Experian/CRIF/Equifax) - CKYC submissions for new borrowers within 10 days of onboarding
- PMLA STR (Suspicious Transaction Reports) triggered by fraud API signals
- RBI Central Repository of Information on Large Credits (CRILC) for โน5 Cr+ exposures
- Complete API audit trail exportable for RBI inspection
LMS fraud economics: Bureau refresh on accounts at 30+ DPD typically costs
โน45โ55 but recovers 8โ12x that in collections intelligence value. Lenders who run bureau
refresh on their NPA book before assigning to collection agencies report 15โ25% better
recovery rates because they have current contact details and see if the borrower has new
credit elsewhere.
6. Real-World API Pricing in India (2026)
API pricing in India is volume-tiered and varies significantly between providers. The figures
below represent commercial rates for mid-tier lenders disbursing 500โ5,000 loans/month.
High-volume lenders (50,000+ loans/month) can negotiate 30โ50% lower rates. All prices are
exclusive of GST (18%).
| API / Check | Type | Per-Call Price Range | Cost per Loan (Typical Usage) | Notes |
|---|---|---|---|---|
| Identity & KYC | ||||
| Aadhaar OTP eKYC | KYC | โน15 โ โน25 | โน15 โ โน25 | Via licensed KSA; UIDAI quotas apply |
| Aadhaar Offline XML | KYC | โน3 โ โน8 | โน3 โ โน8 | Lower cost alternative to OTP eKYC |
| PAN Verification | KYC | โน2 โ โน5 | โน2 โ โน5 | Via NSDL / Protean |
| PANโAadhaar Link Status | KYC | โน1 โ โน3 | โน1 โ โน3 | Mandatory per RBI KYC guidelines |
| CKYC Lookup | KYC | โน2 โ โน5 | โน2 โ โน5 | Avoids fresh KYC if record exists |
| Document OCR | KYC | โน2 โ โน8 | โน6 โ โน24 (3 docs) | PAN + Aadhaar + income doc |
| Video KYC (V-CIP) | KYC | โน80 โ โน180 | โน80 โ โน180 | Only for full KYC products |
| eSign (Aadhaar-based) | KYC | โน15 โ โน35 | โน15 โ โน70 (1โ2 docs) | Loan agreement + NACH mandate |
| Fraud & Risk | ||||
| Credit Bureau (CIBIL) | Fraud | โน35 โ โน55 | โน35 โ โน55 | Multi-bureau: โน120โ180 for all 4 |
| Face Match + Liveness | Fraud | โน3 โ โน10 | โน3 โ โน10 | Bundled liveness + match = โน8โ15 |
| Device Intelligence | Fraud | โน1 โ โน4 | โน1 โ โน4 | Bureau.id / similar consortium data |
| Mobile Number Intelligence | Fraud | โน2 โ โน5 | โน2 โ โน5 | SIM age, activation status, TRAI data |
| Blacklist / Negative DB | Fraud | โน2 โ โน6 | โน2 โ โน6 | RBI defaulter, SEBI, PMLA watchlists |
| Deduplication | Fraud | โน1 โ โน4 | โน1 โ โน4 | Internal + consortium dedup |
| Bank Statement Analysis | Both | โน30 โ โน80 | โน30 โ โน80 | Per statement set (3โ12 months) |
| Income Fraud Forensics | Fraud | โน20 โ โน50 | โน20 โ โน50 | Only for flagged BSA cases |
| Bank Account Verification | Both | โน3 โ โน8 | โน3 โ โน8 | Penny drop or reverse penny drop |
| GST Verification | Both | โน2 โ โน6 | โน2 โ โน6 | MSME / business loans only |
A fully-loaded API stack for a standard unsecured personal loan โ identity, fraud, bureau,
income, and eSign โ runs between โน180 and โน380 per application. For a lender disbursing
2,000 loans/month, that is โน36โ76 lakhs per year in API costs alone, before negotiated
volume discounts.
Rejection-aware costing: In a well-designed LOS, not every application goes
through all APIs. A lender rejecting 40% of applications at the fraud screen stage (before
bureau pull) saves approximately โน18โ22 per rejected application. At 2,000
applications/month with 40% early rejection, that is โน1.4โ1.7 lakhs saved monthly just from
sequencing APIs correctly.
7. Key API Providers in India
The Indian KYC and fraud API market has matured significantly since 2020. These are the
established, RBI-compliant providers across each category:
Aadhaar eKYC & Identity
Aadhaar eKYC can only be accessed through UIDAI-licensed KSA (KYC User Agency) entities or KUA
aggregators. Direct API access requires RBI authorisation and a separate license.
Signzy
HyperVerge
Karza Technologies
DigiO
CAMS Finserv
Perfios
Setu (by Pine Labs)
Credit Bureau APIs
Experian India
CRIF High Mark
Equifax India
Bank Statement Analysis
Finbox
Karza Technologies
Setu AA
Cookiejar (FinanceConnect)
Face Match / Liveness / OCR
IDfy
Signzy
Karza Technologies
FaceFirst
Fraud Intelligence & Device
IDfy Fraud Suite
Signzy Risk
Seon (global)
Karza Risk
eSign & Digital Agreements
Digio
SignDesk
Leegality
Zoho Sign
8. Roopya: APIs Built Into the Platform
Most lenders who try to assemble their own API stack discover the same problems: integration
takes months, each provider has its own contract, pricing is opaque, fallback logic needs custom
development, consent management is manual, and audit trails live in 6 different dashboards.
Roopya solves this by pre-integrating all critical KYC and fraud APIs into the LOS and LMS
platform. You configure which checks run in which sequence through the policy engine โ no code
required.
What’s Included in the Platform
- Aadhaar OTP eKYC + Offline XML โ pre-integrated, UIDAI compliant
- PAN + PAN-Aadhaar link verification via NSDL
- CKYC lookup and upload (CKYCR / CERSAI)
- Face match + active liveness detection
- Bank statement analysis via Account Aggregator and PDF
- Credit bureau integration โ CIBIL, Experian, CRIF, Equifax
- Bank account verification (penny drop + reverse penny drop)
- eSign on loan agreements, NACH mandates, sanction letters
- Video KYC (asynchronous + live agent modes)
- Blacklist screening (RBI, SEBI, PMLA, internal)
- Device intelligence and mobile number verification
- Deduplication against Roopya’s shared consortium database
- GST and business verification for MSME products
- Automated re-KYC triggers with RBI periodic re-verification
- All API responses stored in compliance-ready audit log
- Consent management module โ DPDPA compliant
How You Control It
- Policy engine: define which APIs run for which product type and risk tier
- Sequencing rules: set hard stops (reject if X fails) vs. soft flags (review if Y)
- Fallback routing: automatic secondary provider if primary API fails or is slow
- Cost controls: set per-application API budget caps by loan product
- SLA monitoring: real-time API health dashboard with auto-alerts
- A/B testing: run different API combinations on traffic splits to optimise
cost/accuracy - Override rules: allow credit managers to override specific API outcomes with reason
codes - Consent flows: borrower-facing consent screens generated automatically per API type
- Audit export: one-click export of all KYC/fraud checks per application for RBI
inspection
9. Roopya APIs: Consumed Independently
Roopya’s KYC and fraud check capabilities are also available as standalone APIs โ for lenders who
have an existing LOS/LMS but want to upgrade specific verification capabilities, or for fintechs
building custom lending workflows.
Available as Standalone API Products
| API Product | What It Does | Who Uses It Standalone | Pricing Model |
|---|---|---|---|
| Roopya Identity Suite | Aadhaar eKYC, PAN, CKYC, face match, OCR in one unified call | Fintechs with existing LOS; insurance; wallets | Per verification; volume tiers from 500/month |
| Roopya Bureau Gateway | Normalised single API for all 4 bureaus with unified response schema | Lenders wanting multi-bureau without 4 contracts | Per pull; bureau pass-through + โน3โ8 gateway fee |
| Roopya Income API | Bank statement analysis + income fraud forensics | Lenders, insurance underwriters, landlords | Per statement set; โน45โ90 depending on depth |
| Roopya Fraud Score | Device + mobile + blacklist + dedup โ single 0โ100 fraud risk score | Any lender needing a single API fraud gate | Per call; โน8โ15 per comprehensive score |
| Roopya eSign | Aadhaar eSign + workflow for agreements, mandates, letters | Lenders, legal firms, HR platforms | Per signature event |
| Roopya Compliance Check | PEP, sanctions, PMLA, RBI defaulter lists in one call | NBFCs, banks, insurance | Per check; monthly subscription for bulk |
Sample API Request
Roopya’s APIs use a RESTful JSON architecture with OAuth 2.0 authentication. Here is an example
of a single-call identity verification request:
{ "pan": "ABCDE1234F", "aadhaar_mode": "otp_ekyc", "face_image_base64": "<base64-encoded-selfie>", "checks": [ "pan_verify", "pan_aadhaar_link", "ckyc_lookup", "face_match", "liveness" ], "consent": { "purpose": "loan_application", "timestamp": "2026-02-26T09:15:00+05:30", "ip_address": "103.21.xx.xx" } }
{ "status": "verified", "overall_risk": "low", "checks": { "pan_verify": { "pass": true, "name_match": "exact" }, "pan_aadhaar_link": { "pass": true, "linked": true }, "ckyc_lookup": { "pass": true, "ckyc_id": "50012345678" }, "face_match": { "pass": true, "confidence": "98.7%" }, "liveness": { "pass": true, "score": "0.96" } }, "identity": { "full_name": "Ravi Kumar Sharma", "dob": "15-Mar-1989", "gender": "M", "address": "<Aadhaar-verified address>" }, "api_cost_inr": "34.50", "audit_ref": "RPLAT-20260226-09150012" }
The unified response schema means you do not need separate parsers for each provider. One
integration handles all checks, with standardised pass/fail outcomes that map directly into your
credit policy engine or existing LOS workflow.
SLA and Infrastructure
| Metric | Roopya API SLA | Typical DIY Integration |
|---|---|---|
| API Uptime Guarantee | 99.9% (platform-level SLA) | Depends on each provider โ typically 99.0โ99.5% |
| Average Response Time | <1.2 sec (identity suite); <3 sec (bureau) | Varies; 2โ8 sec per provider |
| Fallback on Provider Failure | Automatic within 400ms | Manual โ requires custom code and monitoring |
| Consent Audit Trail | Auto-captured per call, DPDPA compliant | Custom build required |
| API Versioning | Backward-compatible, 12-month deprecation notice | Each provider has own deprecation cycle |
| Integration Time | 1โ3 days (SDK + documentation) | 4โ6 months (20+ separate integrations) |
10. KYC & Fraud API Integration Checklist for Indian Lenders
Before going live with any loan product in India, verify that your KYC and fraud API stack covers
all of the following:
Regulatory Non-Negotiables
- Aadhaar-based KYC (OTP eKYC or XML) via licensed KSA
- PAN verification + PAN-Aadhaar link check
- CKYC lookup before fresh KYC
- CKYC record upload within 10 days of onboarding
- Credit bureau reporting to minimum 1 bureau (monthly)
- PMLA / blacklist screening at origination
- Consent capture per DPDPA 2023 for every API category
- Complete audit trail exportable for RBI inspection
For Portfolio Health
- Bank account verification before NACH setup
- Face match + liveness before disbursal
- Deduplication against internal and external databases
- Periodic re-KYC automation (2yr / 1yr / 6mo by risk tier)
- SIM swap monitoring on registered mobile numbers
- Bureau refresh on accounts at 30+ DPD
- Fallback provider for all critical API categories
- API health monitoring with real-time alerting
Skip the 6-month API integration project.
Every API on this page is pre-integrated in Roopya. Configure your policy, go live in days,
and let Roopya handle provider contracts, fallback routing, and compliance audit trails.
