The exponential growth of the digital economy has fundamentally transformed how businesses, consumers, and service providers interact. Domain names have emerged as critical identifiers in this ecosystem, functioning not merely as technical addresses but as digital signifiers of authenticity, credibility, and commercial legitimacy. In an era where consumers increasingly rely on online platforms for financial transactions, employment opportunities, and commercial engagements, the integrity of domain name registrations assumes paramount importance. However, this very infrastructure has been systematically exploited by fraudsters who leverage regulatory gaps, anonymity, and weak verification mechanisms to perpetrate large-scale online fraud.
The Delhi High Court, in its extensive and reasoned judgment in Dabur India Limited vs Ashok Kumar & Ors. [CS (COMM) 135/2022 & I.As. 3423/2022, 1221/2023 & 8858/2025], addressed this growing issue through a combination of IP protection, consumer interest safeguards, and cybercrime prevention measures. While the case arose from trademark infringement and impersonation through deceptively registered domain names, the Court’s analysis goes beyond traditional IP enforcement. It recognises domain name misuse as a systemic threat to public trust, financial security, and the credibility of the digital marketplace. Central to the Court’s remedial framework is the insistence on robust electronic Know Your Customer (E-KYC) norms for domain name registrations.
Domain Names as Instruments of Trust and Deception
The Court acknowledged that domain names today function as digital storefronts, often being the first point of contact between a business and the public. A domain name incorporating a well-known trademark or brand name carries an implicit assurance of authenticity. Fraudsters exploit this trust by registering domain names that are deceptively similar to legitimate ones, creating fake websites that impersonate legitimate enterprises. These websites are then used to solicit money from unsuspecting individuals under the guise of job offers, distributorships, investment schemes, dealership opportunities, or the sale of counterfeit goods.
A recurring pattern identified by the Court was the use of false, incomplete, or unverifiable registrant information at the time of domain registration. WHOIS records often reveal fabricated names, incorrect addresses, inactive phone numbers, and email IDs created solely for the purpose of registration. Even where registrars disclose information pursuant to court orders, such details frequently lead to dead ends. The problem is exacerbated by the routine availability of privacy protection and proxy services, which conceal registrant identities and make tracing perpetrators exceedingly difficult.
The Court noted that the speed and scale at which such frauds operate render traditional post-facto remedies ineffective. By the time a trademark owner secures injunctive relief or disclosure orders, the fraudster has often vanished, funds have been withdrawn, and victims have suffered irreparable loss. This prompted the Court to emphasise the need for preventive regulation, rather than reactive enforcement.
Reason Behind Mandating E-KYC
The Delhi High Court’s insistence on E-KYC stems from a recognition that anonymity at the point of entry into the digital ecosystem enables impunity. Drawing parallels with the banking, telecom, and financial services sectors, the Court observed that KYC norms are mandatory in these industries precisely because anonymity facilitates fraud, money laundering, and financial crimes. The Court questioned why domain name registrars, who control access to the digital marketplace, should be exempt from similar obligations, particularly when their services are demonstrably being misused to defraud the public.
The Court rejected arguments that global domain name governance frameworks or data protection norms justify minimal verification. While acknowledging privacy concerns, including obligations under GDPR-like regimes, the Court held that privacy cannot be elevated to a shield for illegality. The right to privacy, it observed, is not absolute and must yield to compelling public interest considerations, especially where large-scale consumer fraud is involved. Privacy protection mechanisms, therefore, must operate subject to accountability and lawful disclosure.
Significantly, the Court also addressed jurisdictional objections raised by foreign registrars. It held that registrars offering services to Indian users, earning revenue from India, and enabling activities with legal consequences within Indian territory cannot evade Indian legal standards. This finding establishes clear accountability for ICANN-accredited registrars operating in India and reinforces the enforceability of E-KYC obligations.
The Court’s approach treats E-KYC not as a procedural formality but as a preventive safeguard capable of disrupting the existing modus operandi of online fraudsters. Meaningful E-KYC, linked to verifiable identity credentials, validated contact details, and traceable payment instruments, raises the cost of wrongdoing and deters casual or opportunistic fraud. While acknowledging that no system can eliminate fraud entirely, the Court emphasised that stronger entry-point verification would significantly reduce misuse and enhance traceability.
Importantly, the Court recognised that domain name registrations do not exist in isolation. Fraudulent domains are often the first step in a chain involving fake bank accounts, digital wallets, payment gateways, and rapid fund transfers. E-KYC at the registration stage, therefore, complements financial sector regulations and strengthens downstream enforcement by enabling quicker identification and coordination among registrars, banks, payment intermediaries, and law enforcement agencies.
Court-Issued Guidelines and Directions on E-KYC and Registrar Due Diligence
In order to operationalise its findings, the Delhi High Court issued detailed directions establishing a structured E-KYC framework for domain name registrations. These guidelines impose enhanced due diligence obligations on Domain Name Registrars (DNRs), registry operators, and governmental authorities, with the objective of ensuring traceability, accountability, and consumer protection:
- Domain Name Registrars must implement mandatory and meaningful E-KYC verification at the time of registration, particularly where the domain name incorporates, imitates, or is deceptively similar to a registered trademark, a well-known mark, or an established brand.
- Mere collection of registrant information is insufficient. Registrars are required to ensure that identity details are verified, authentic, reliable, and capable of being used by courts and law enforcement agencies.
- E-KYC must rely on verifiable electronic credentials, such as government-issued identity documents, validated mobile numbers, and authenticated email addresses, rather than self-declarations.
- Registrars must adopt a risk-based approach, requiring heightened scrutiny where domain names include or closely resemble registered trademarks, well-known marks or names of reputed companies, institutions, or public-facing brands. In such cases, registrars are expected to conduct additional verification checks to ascertain the legitimacy of the registrant’s claim, particularly where no apparent nexus exists between the registrant and the brand owner.
- Automated or neutral processing cannot be used as a defence where the risk of impersonation or fraud is evident from the domain name itself.
- Registrars must actively verify mobile numbers and email addresses, confirming that they are functional, accessible, and traceable over time.
- Disposable, temporary, or unverifiable contact details should not be accepted, especially for commercial or public-facing domain names.
- Where registrars provide bundled services such as hosting, cloud infrastructure, or email services, the obligation of verification extends to those services as well.
- Privacy protection or proxy services cannot be offered as a default option, particularly for domain names that prima facie indicate impersonation, commercial misuse, or fraud.
- Registrars must maintain strict internal safeguards, ensuring that the true registrant’s identity is available and can be disclosed promptly upon lawful demand.
- Privacy mechanisms must not operate as shields for illegal activity and must be balanced against public interest and consumer protection considerations.
- Registrars are required to maintain complete, accurate, and up-to-date records of registrant information, including identity documents, contact details, payment information, and associated services. Such records must be securely preserved for a reasonable period, even after expiry, suspension, or transfer of the domain name.
- Failure to maintain proper records undermines the purpose of E-KYC and may attract legal consequences.
- Registrars must retain and disclose payment instruments used for registration, transaction identifiers, and billing and payment details linked to the registrant when lawfully directed.
- E-KYC must extend beyond identity verification to include financial traceability, aligning domain registrations with anti-fraud and anti-money laundering objectives.
- Registrars are under a strict obligation to promptly comply with court orders, including directions for disclosure, suspension, locking, or takedown of fraudulent domain names.
- Delays, non-cooperation, or selective disclosure may result in loss of intermediary protections and other legal consequences.
- Registrars must actively cooperate with law enforcement agencies investigating cyber fraud, ensuring that E-KYC data is structured for swift retrieval and disclosure.
- The Court directed the Government of India, through MeitY and DoT, to examine the feasibility of uniform E-KYC norms for all domain name registrations offered to Indian users, irrespective of the registrar’s place of incorporation.
- Coordination was encouraged among NIXI, ICANN-accredited registrars, cybercrime authorities, and financial regulators to develop a standardised and enforceable framework.
Conclusion
The Delhi High Court’s directions on E-KYC for domain name registrations mark a decisive shift in Indian internet governance. By recognising registrars as active gatekeepers rather than passive intermediaries, the Court has expanded the contours of accountability in the digital economy. The judgment situates domain name regulation within a broader matrix of consumer protection, financial security, and cybercrime prevention.
E-KYC, as envisaged by the Court, is not a temporary compliance measure but a structural reform aimed at restoring trust in the digital marketplace. As India’s online footprint continues to grow, the principles laid down in this judgment are likely to influence regulatory policy, contractual standards, and future judicial approaches to online fraud. The message is unequivocal: access to the digital ecosystem carries responsibility, and anonymity cannot be allowed to undermine public trust in the internet.
Authors: Manisha Singh and Shivi Gupta
First Published by: Mondaq



