My name is Satheesh Sangaraju. I am one of the directors of INFORIDGE IT SERVICES PVT. LTD., and I am writing this article on the topic “DIR-3 KYC” in MCA filing with the purpose of raising public awareness about a serious concern that has come to light through our experience.
“I would like to explain a particularly critical and high-risk scenario. If you are not fully aware of the DIR-3 KYC process, there is a possibility that your Business User account could be compromised. This poses a significant threat not only to you as an individual but also to your entire entity.
If your Digital Signature Certificate (DSC) is not in your direct possession and has been handed over to a professional—who then chooses to act dishonestly—you could find yourself exposed to a wide range of serious and potentially unmanageable consequences.”
What is DIR-3 KYC?
DIR-3 KYC is an annual compliance form required to be filed with the Ministry of Corporate Affairs (MCA), India, by all individuals who have been allotted a DIN (Director Identification Number).
It is part of the government’s effort to maintain up-to-date and verified contact and identity details of directors and individuals holding DINs, and to reduce the risk of shell companies and fake directorships.
In how many ways can DIR-3 KYC be done?
DIR-3 KYC can be done in two ways:
- DIR-3 KYC (eForm) — Full Form Filing
- DIR-3 KYC Web — Simplified Web-Based Verification
DIR-3 KYC (eForm) — Full Form Filing is used for first-time filing or if there is any change in mobile number and email ID. A DSC is required to file this form.
DIR-3 KYC Web can be used if your contact information (email ID and phone number) has not changed. It is a simple online form; you will receive separate OTPs on your mobile number and your email ID.
Is DIR-3 KYC (eForm) a Threat for Directors?
Yes, DIR-3 KYC (eForm) can pose a serious threat to directors, and we’d like to share our experience to explain why.
Before diving into the details, we recommend reading the following two articles to understand the background:
Once you’ve reviewed those articles, you’ll understand the issues we’ve encountered involving CA P. Kalyan Kumar and the platform Vakilsearch. Due to filing errors—specifically with SFT—we terminated his services and appointed CA Nikhil Reddy from Bethineedi Associates (Justdial link) for our CS and audit needs.
Based on initial trust, our Digital Signature Certificates (DSCs) were applied for and managed through them.
However, once they obtained access to our DSCs, their responsiveness declined noticeably. The DPT-3 filing issue (initially caused by CA P. Kalyan Kumar) also remained unresolved despite their promises. In the meantime, we sought advice from CS Palavalasa Vijendra (profile) for support and guidance. Unfortunately, due to misleading information from him, we had to terminate his engagement within a month.
Here’s the real concern:
“Bethineedi Associates continue to retain custody of our DSCs and have become unresponsive. Through detailed analysis, we identified a serious vulnerability: the DIR-3 KYC (eForm) can be exploited if a director’s DSC is not under their direct control.”
Why? Because the form allows a third party to:
- Enter a new email ID and mobile number that does not belong to the actual director
- Affix the director’s DSC
- Upload the KYC to the MCA portal
This essentially takes control of your DIN identity on MCA, opening up endless opportunities for misuse or unauthorized filings under your name.
Isn’t it a security issue from MCA?
“In certain scenarios, the security of the DIR-3 KYC (eForm) process is significantly inadequate. Why doesn’t the MCA implement an additional layer of authentication, such as Aadhaar OTP, to enhance protection?”
As per our analysis, technically it can, but currently it does not, due to a mix of legal, regulatory, and structural limitations:
- MCA is Not a UIDAI-Registered KUA/AUA (Yet)
- Supreme Court Restrictions on Aadhaar Use (2018 Judgment)
- Foreign Nationals and NRIs with DINs
- DSC Is Currently Treated as the “Legal Identity”
What MCA Can Do (and Should Consider):
Directors’ consent is important.
| Option | Purpose |
|---|---|
| ✅ Optional Aadhaar OTP | For Indian directors with Aadhaar, adds a second factor (2FA) |
| ✅ Enable Aadhaar OTP for DIR-3 KYC | Prevents third-party misuse of DSC without director consent |
| ✅ Require Aadhaar OTP for changes to email/mobile | Adds control over core identity data |
| ✅ Apply to become AUA/KUA | Legally enables Aadhaar e-authentication within MCA |
| ✅ Any other viable two-factor authentication | Any other two-factor authentication that ensures the director’s consent |
Why Does It Matter?
As our experience shows (DSCs held by third parties, misuse of identity in DIR-3 KYC), relying solely on DSCs and basic OTPs is not enough. Aadhaar OTP adds biometric trust and personal confirmation that cannot easily be faked or bypassed, which is especially critical for identity-based filings like DIR-3 KYC. Alternatively, some other two-factor verification mechanism has to be integrated.
PREVENTION
“If you’re currently facing a situation similar to ours, where a third party is holding your DSCs and you suspect any misconduct, then after our deep analysis there is currently only one way to prevent misuse of DSCs: it is strongly advised to first contact the Cyber Crime Department immediately and second initiate the revocation of your DSCs.
(We will provide a detailed article separately on how to revoke DSCs.)”
A Cautionary Note for Business Owners: When discussing your company’s financial affairs with auditors, bank managers, or other professional service providers, exercise discretion and healthy skepticism. Relying too heavily on—or sharing more detail than necessary with—these advisors can expose you to unnecessary risks.
CAUTION
Read very interesting facts about Digital Audio Forgery
I understand that fear often prevents people from openly sharing information about such large fraud networks. Many individuals hesitate to speak out because they worry about potential consequences, influence, or retaliation from powerful groups behind these operations. However, staying silent only allows these networks to grow stronger and continue exploiting unsuspecting citizens. By bringing these issues to light and raising collective awareness, we can break the cycle of fear, protect others from falling victim, and push for accountability against those who misuse their power for fraudulent purposes.
My purpose in sharing this is to create awareness among the public about how fraud networks operate and engage with individuals without their knowledge. Many people may not even realize they are interacting with fake callers or fraudsters until it is too late, by which time their personal information or recorded responses may already have been misused. It is therefore essential to remain vigilant, verify every communication, and recognize these deceptive tactics before falling victim. Such networks may be supported by powerful interests, including political groups or large companies engaged in malpractice. Only widespread public awareness and caution can help put an end to these practices.

