The RBI has put an end to the ‘on-premise vs. cloud’ debate for video KYC deployment. In its latest clarification, the RBI has explicitly allowed the use of video KYC solutions hosted on virtual private clouds.
“It is clarified that our requirement of ‘technology infrastructure should be housed in own premises of the RE’, does not imply that regulated entities (REs) including banks may not use the cloud deployment model.
However, it shall be ensured that the ownership of data in such a model rests with the RE only and all the data including video recording is transferred to the RE’s exclusively owned/ leased server(s) including cloud server.”
Background: Amendments introduced on 10th May 2021
Back in May 2021, the RBI announced landmark changes to the extant KYC norms. These changes meant that video KYC, or V-CIP, could now be used to:
- Complete the re-KYC process of banking customers
- Convert limited KYC to full KYC accounts
- Onboard non-individual entities, such as SMEs and businesses
Along with unlocking new use cases, RBI also introduced some changes to the V-CIP process and issued new instructions on the V-CIP/technology infrastructure.
We talked extensively about the new norms, what they meant for institutions in the RBI universe, and how IDfy can help. You can read it here.
These were steps in the right direction, making compliance easier for customers and financial institutions alike.
However, there were certain elements in the regulations that weren’t clear up front. For example, does video KYC need to be housed on-premise or can it be deployed on cloud as well? What does RBI mean by ‘a disruption in the V-CIP procedure’? And more…
Many banks and industry bodies had written to the RBI for further clarification. Recently, the RBI provided the needful.
Latest clarifications from the RBI regarding video KYC
Please refer to RBI’s May 10th circular for exact reference to the instructions mentioned below.
|V-CIP instruction|RBI’s clarification|
|---|---|
|18(a)(i) – The technology infrastructure should be housed in own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines.|Clarity has been requested by banks regarding use of cloud deployment model for V-CIP. In this regard it is clarified that our requirement of ‘technology infrastructure should be housed in own premises of the RE’, does not imply that regulated entities (REs) including banks may not use the cloud deployment model. However, it shall be ensured that the ownership of data in such model rests with the RE only and all the data including video recording is transferred to the RE’s exclusively owned/ leased server(s) including cloud server, if any, immediately after the V-CIP process is completed and no data shall be retained by the cloud service provider or third party technology provider assisting the V-CIP of the RE.|
|18(a) (vii) – The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by suitably accredited agencies as prescribed by RBI. Such tests should also be carried out periodically in conformance to internal / regulatory guidelines.|REs shall get the audit done by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In).|
|18(b) – VCIP Procedure (ii) – If there is a disruption in the VCIP procedure, the same should be aborted and a fresh session initiated.|Disruption of any sort including pausing of video, reconnecting calls etc., should not result in creation of multiple video files. If pause or disruption is not leading to the creation of multiple files, then there is no need to initiate a fresh session by the RE. However, in case of call drop/ disconnection, a fresh session shall be initiated.|
For the most part, these clarifications match how the instructions were already being interpreted. Now, the subjectivity of interpretation has made way for concrete directions from the RBI.
Feel free to get in touch with us at firstname.lastname@example.org for any further clarification regarding the RBI’s KYC norms, new or old. We’re happy to help.