RBI amends Video KYC & KYC updation rules
RBI announced an amendment to its Master Direction on KYC late on May 12, 2021.
The amendment covers a broad range of topics concerning Video KYC, V-CIP (Video-based Customer Identification Procedure), and KYC updation.
The amendment was preceded by a speech by the governor of the RBI in which the bank’s intention to rationalise compliance with existing KYC norms was made clear. The present amendment takes forward this intention in a number of ways.
Here are the short highlights of the amendment to the KYC Master Direction.
- The definition of V-CIP has been amended
- The scope of V-CIP has been extended to include new categories of customers & new KYC transactions
- The minimum standards of infrastructure required for V-CIP have been updated
- The procedure to be followed for V-CIP has been amended
- The rules for periodic updation have also been amended to include V-CIP
Let’s examine what the amendment says in detail & what it entails.
What are the amendments to V-CIP?
V-CIP is a video & consent-based customer due diligence (CDD) procedure, in which an authorized official conducts an audio-visual interaction with the customer to collect the required identifying information for onboarding.
V-CIP was originally instituted on January 9, 2020, in a previous amendment to the Master Direction of KYC. V-CIP has since been in use by banks & NBFCs to verify customers digitally, but the scope was still not as extensive as the RBI intended, hence the present amendments to V-CIP.
These current updates to V-CIP are described in detail below.
V-CIP Has a New Definition
The previous definition of V-CIP was as follows.
“ Video-Based Customer Identification Process (VCIP) is a method of customer identification by an official of the RE by undertaking a seamless, secure, real-time, and consent-based audio-visual interaction with the customer, to obtain identification information including the documents required for Customer Due Diligence purpose, and to ascertain the veracity of the information furnished by the customer. Such a process shall be treated as a face-to-face process (the equivalent of OSV – Originally Seen and Verified process) for the purpose of this Master Direction. “
The newly amended definition of V-CIP is now –
“Video-based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining an audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP for the purpose of this Master Direction. “
Note here that while V-CIP was previously interpreted as equivalent to OSV, it will now be treated on par with face-to-face CIP.
V-CIP Is Now More Widely Applicable
The new amendment to the Master Direction of KYC broadens the scope of V-CIP in a number of ways.
- V-CIP can be carried out for non-individuals
V-CIP is now applicable to individual customers and proprietors in the case of proprietorship firms authorised signatories & beneficial owners of legal entities.
- V-CIP can be used to convert half KYC accounts to full accounts
Accounts opened via non face-to-face eKYC, which are counted as half KYC accounts with certain restrictions can be converted to full KYC accounts via V-CIP.
- V-CIP can be used for periodic KYC updation
RBI mandates that customer KYC for accounts be updated periodically. V-CIP can now be used to perform this updation process remotely.
The amendment also details the minimum infrastructure banks must have in place to conduct V-CIP.
V-CIP Will Require New & Secure Infrastructure
The infrastructure requirements for V-CIP, according to RBI’s Master Direction on KYC, are as follows.
(i) The technology infrastructure for V-CIP is to be housed on the premises of the RE (read bank) and the V-CIP interaction must originate from the secured network domain of the bank. All technology-related outsourcing for V-CIP should be compliant with RBI guidelines & baseline cybersecurity measures must be followed.
(ii) The V-CIP interaction must be end-to-end encrypted between the customer’s device and the hosting point of the V-CIP application. The customer’s consent should be recorded & stored in a secure & retrievable manner.
(iii) The V-CIP application should be capable of preventing connections from IP addresses outside India or from spoofed IP addresses.
(iv) The video recordings of the interaction between RE & customer should contain the live GPS coordinates (geotagging) of the customer undertaking V-CIP, along with dates & time stamps. The quality of the live video in V-CIP should allow identification of the customer beyond any doubt.
(v) The application shall have components to ensure liveness, perform facial matching with a high degree of accuracy & spoof detection. Artificial intelligence (AI) technology can be used to ensure that V-CIP is robust.
(vi) The technology infrastructure for V-CIP, including application software as well as workflows, shall be regularly upgraded for security purposes. Any detected case of forged identity through V-CIP shall be reported as a cybersecurity event under RBI’s present regulatory guidelines.
(vii) The V-CIP infrastructure must undergo tests such as Vulnerability Assessment, Penetration Testing, and a Security Audit to ensure its robustness and end-to-end encryption capabilities. These tests are to be conducted by suitably accredited agencies as prescribed by RBI & must be carried out periodically.
(viii) The V-CIP application software, APIs & web services must undergo appropriate testing of functional, performance, maintenance strength before being taken live. Applications are to be rolled out only after fixing all critical issues & such testing must be undertaken periodically.
This covers the new infrastructure mandated for V-CIP. The new V-CIP amendment also details an updated procedure for conducting V-CIP, let’s take a look at what the new process is like.
Procedure for V-CIP Has Been Updated
The previous procedure for V-CIP was outlined in one of RBI’s previous amendments to its Master Direction on KYC & has been in use for nearly a year.
The previous steps for V-CIP can be found here.
The updated procedure for V-CIP, according to the new amendment, contains a few new steps. Here’s all you need to know about the steps in the updated V-CIP.
(i) V-CIP is to be conducted only by officials of the RE (here banks) specially trained for this purpose. The official must carry out a liveliness check and detect any other fraudulent manipulation or suspicious activity from the customer conduct and act upon it.
(ii) If there is a disruption in V-CIP, the process should be aborted and a fresh session initiated./p>
(iii) The sequence and/or type of questions asked by the official to the customer during V-CIP must be randomized to establish that the interaction is taking place in real-time.
(iv) If the customer prompts any questions or reactions from the official, the V-CIP will be rejected.
(v) REs must structure the V-CIP workflow to take into account existing, new, or previously rejected customers.
(vi) The authorised official performing V-CIP must record both audio & video of the customer, capture a live photograph of the customer present for identification and obtain the identification information using any one of the following:
- OTP based Aadhaar e-KYC authentication – Aadhaar number of the customer, in this case, must be redacted or blacked out
- Offline Verification of Aadhaar for identification – The XML file or QR code used for verification must not be older than 3 days at the time of V-CIP
- KYC records downloaded from CKYCR, using the KYC identifier provided by the customer – V-CIP must be undertaken within 3 days of downloading identifying information from CKYCR
- Scanned copies of Officially Valid Documents (OVDs) including documents issued through DigiLocker – V-CIP is to be performed within 3 days of downloading e-documents
(vii) If the address of the customer is different from that indicated in the OVD, the current address of the customer must be captured via suitable records.
(viii) REs must capture a clear image of the customer’s PAN card during V-CIP, except when e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority including through DigiLocker.
(ix) Usage of a printed copy of e-document including e-PAN is not allowed for V-CIP.
(x) The authorised official of the RE must ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN match with the details provided by the customer.
(xi) Assisted V-CIP will only be permissible when banks utilise Banking Correspondents (BCs) to facilitate V-CIP at the customer’s end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized.
(xii) All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and its acceptability of the outcome.
Here’s what the updated V-CIP procedure for banks will look like.
Finally, let’s examine what the new amendment means for KYC updation.
What are the changes to KYC updation policies?
RBI recommends a risk-based approach to KYC updation. This means that REs are to update KYC information based on the calculated risk of the customer account.
- For high-risk customers, KYC must be updated at least once every 2 years
- For medium risk customers, KYC is to be updated at least once every 8 years
- For low-risk customers, this period is increased to at least once every 10 years
The amendment also lays down the rules to be adhered to for KYC updation of Individual & Non-Individual customers.
- If there’s no change in KYC information, a self-declaration must be obtained from the customer’s registered email ID, mobile number, ATMs, digital channels such as online or mobile banking, or through a letter.
- If there’s a change in address, a self-declaration of the new address is to be obtained via the means described previously. The new address must be confirmed within 2 months.
- If the account holder is no longer minor, fresh photographs of the customer as an adult must be obtained & KYC details must be updated wherever required.
- If there’s no change in KYC information, a self-declaration of the same must be obtained from the Legal Entity (LE) via digital channels or a letter from an authorised official of the LE. Banks must also ensure that the information pertaining to the Beneficial Owners (BOs) are accurate.
- If there’s a change in KYC information, banks must undertake the KYC process equivalent to onboarding a new LE customer
Now that we’ve covered the contents of the new amendment to the KYC Master Direction, let’s examine what it means for FIs.
What this amendment means for banks
Here’s what banks should take away from the new V-CIP amendment to KYC norms.
- Video KYC will become more widely used
Video KYC is much faster, more convenient & more cost-effective for banks compared to the usual paper-based KYC process; and due to this enlargement of scope, banks can now experience more of the benefits of automated KYC verification.
This will lead to increased adoption of V-CIP due to the numerous advantages it affords.
- Video KYC will become faster & easier to use
By allowing the KYC identifier used by CKYCR to also be used in V-CIP, the Video KYC process will be simplified & expedited.
The KYC identifier of CKYCR is usually a 16-digit KYC Identification Number (KIN). This number is generated once cKYC has been completed & can be used to quickly complete KYC with any regulated FI.
Integrating KIN or other KYC identifiers with Video KYC will speed up the process as the customer’s OVDs & relevant identifying information will already be stored in CKYCR & can be retrieved instantly using KIN. This reduces the number of steps in V-CIP & ensures quick & easy KYC completion.
- Video-based KYC transactions will become the norm for FIs
The governor’s statement also mentions how digital channels will be made available for all KYC transactions, and not just account opening.
Video-enabled KYC in particular is set to become a benchmark for FIs, as V-CIP enables remote & instant transactions with a high level of security.
- KYC & compliance costs will be massively reduced
Video KYC has been shown to reduce operational costs for banks by between 85-90% & reduce TAT on customer KYC verification by nearly 99%.
By increasing the scope of V-CIP, RBI has ensured that banks will now be able to comply more easily & at significantly reduced costs. This will increase the number of customers onboarded, which will, in turn, boost the formal economy & allow more people to access financial services, while also being beneficial to banks.
V-CIP, therefore, is here to stay. The cost & efficiency benefits of automated KYC verification are simply too enticing for banks to pass upon. So who should you trust with providing you the best automated V-CIP solution?
Award-winning V-CIP and Video KYC
SignDesk is an award-winning provider of AI-powered verification and documentation solutions to businesses.
Our verification solutions have helped 250+ clients including 50+ major banks reduce onboarding expenses, cut down on KYC drop-offs, reduce TAT by 99%, and safeguard against fraud using cutting-edge compliance technology. Our efforts to automate KYC have additionally been recognised in the form of numerous awards.
SignDesk’s V-CIP solution utilizes AI-powered document verification, OCR-based image data extraction & ML-enabled fraud filters to make customer KYC verification completely digital & extremely cost-effective.
Are you ready to join 250+ enterprises and start onboarding with Video KYC? Book a demo with us now and let’s get started!