NEW DELHI: In a sweeping set of directions aimed at tightening the digital ecosystem, the Delhi High Court has ordered mandatory identity verification for domain name registrants and new safeguards for online payments, arguing that anonymity and weak checks have become key enablers of cyber fraud in India.
A Court Steps Into the Digital Marketplace
In a recent judgment, the Delhi High Court laid out an expansive framework to address the rising misuse of domain names and digital payment systems for fraud. Hearing a batch of suits filed by Dabur India Ltd, the court examined how anonymity in domain registrations had allowed fraudsters to impersonate established brands, mislead consumers and siphon off money through fake franchises, distributorships and investment schemes.
Justice Prathiba M Singh observed that the absence of verified identity checks at the time of domain registration had made it “nearly impossible” for brand owners, banks and law enforcement agencies to trace offenders in time. The judgment framed the issue not merely as a private dispute but as a systemic vulnerability affecting consumers, businesses and financial institutions alike.
Mandatory Verification for Domain Registrants
At the centre of the ruling is a clear directive to all domain name registrars operating in India. The court ordered that registrars must carry out mandatory verification of registrant details at the time of registration and conduct periodic re-verification thereafter, in line with Indian KYC norms prescribed under a government circular dated April 28, 2022.
The court rejected the prevailing practice of “privacy by default,” under which registrant details are masked without verified credentials. Such masking, the judgment said, had become a key enabler of financial fraud. Unless a registrant specifically opts for privacy protection after completing verification, personal details cannot be concealed.
Registrars were also directed to clarify what data they are required to share with the National Internet Exchange of India (NIXI) for domains administered by it, and to provide monthly updates. On requests from courts or law enforcement agencies, registrars must disclose verified details—including name, address, mobile number, email ID and payment information—within 72 hours.
Failure to comply, the court cautioned, could result in registrants losing the safe-harbour protection available under the Information Technology Act, 2000, and facing blocking under Section 69A of the Act.
Banks, Payments and the Name Lookup Mandate
The judgment extended beyond domain registrars to banks and payment systems, reflecting the court’s view that digital fraud operates across interconnected platforms. All banks were directed to strictly follow standard operating procedures issued by the Central Economic Intelligence Bureau on May 31, 2024, for processing and responding to requests from law enforcement agencies.
In addition, the court asked banks to mandatorily implement the Beneficiary Bank Account Name Lookup facility for all online payments, in line with a Reserve Bank of India circular dated December 30, 2024. The facility, applicable to UPI and other digital payment platforms such as Google Pay and Paytm, allows users to see the name of the beneficiary before completing a transaction—an added layer the court said could significantly reduce the risk of fraud.
The court noted that when customers are able to verify beneficiary details before transferring money, the chances of deception drop substantially.
Toward a Uniform e-KYC Framework
Beyond immediate compliance measures, the court urged the Centre to take a broader policy view. It asked the government to hold stakeholder consultations with all domain name registrars and registry operators offering services in India, and to explore the creation of a uniform e-KYC framework for domain registrations.
Such a framework, the court suggested, could mirror the system already followed by NIXI, ensuring consistency across registrars and closing regulatory gaps that fraudsters exploit. Emphasising the balance between consumer trust and business interests, the judgment underscored what it described as an “urgent necessity” for safeguards strong enough to prevent fraud without undermining legitimate digital commerce.
