What is Video KYC as per RBI?
Video-based Customer Identification Process (V-CIP) is a method of customer identification. Here, an authorized official of the regulated entity (RE) conducts facial recognition and customer due diligence (CDD) using video interaction with the customer. This interaction is secure, live, and informed-consent-based. It obtains identification information for CDD and confirms the information submitted by the customer through independent verification while maintaining an audit trail of the process.
Where can VCIP be used?
i) It can be used for new customer onboarding. The different use cases for this are individual onboarding, proprietor onboarding for a proprietorship firm, and authorized signatories’ and Beneficial Owners’ (BOs) onboarding for a legal entity (LE) as a customer.
Note: In the case of the CDD of a proprietorship firm, REs must also obtain the equivalent e-document of the activity proofs of the proprietorship firm.
ii) It can be used for converting minimum KYC accounts that were opened using non-face-to-face mode. These minimum KYC accounts are the ones that were opened using Aadhaar OTP-based e-KYC.
iii) It can also be used for updating KYC for eligible customers.
What RBI says about VKYC (norms & guidelines)
(a) Here’s what RBI says about the V-CIP Infrastructure
i) The RE must follow the RBI guidelines on resilience framework for banks, minimum baseline cyber security, and general IT risks. The V-CIP’s technology infrastructure should be housed in the RE’s premises. Also, its connection and interaction should originate from the RE’s secured network domain. If the RE decides to outsource any technology-related processes, it must comply with the relevant RBI guidelines.
ii) The RE must follow appropriate encryption standards and ensure end-to-end data encryption between customer device & hosting. The customer consent recording must be auditable and alteration-proof.
iii) The V-CIP must be able to detect IP addresses from outside India or IP spoofing and prevent connection with the same.
iv) The video recording should be geo-tagged (containing live GPS coordinates of the customer) and have a date-time stamp. The live video quality in the V-CIP must be clear enough for a doubtless identification of the customer.
v) Even though the responsibility of customer identification lies with the RE, the V-CIP must be able to detect face liveness and spoofing and also conduct a face match. REs can use appropriate artificial intelligence (AI) technology to ensure a robust V-CIP.
vi) Based on experience with forged identity cases, the V-CIPs technology infrastructure, application software, and workflows must be regularly updated. Any case of forged identity should be reported as a cyber event under exact regulatory guidelines.
vii) To ensure the V-CIP’s robustness & encryption capabilities, it must undergo tests such as Vulnerability Assessment, Penetration testing, and Security Audit. These tests must be run periodically (as per internal/regulatory guidelines) and conducted by suitably accredited agencies as prescribed by the RBI. Any critical issues found during testing must be resolved before implementation.
viii) The functional, performance, and maintenance strength of the V-CIP application and APIs must be tested before being used in a live environment. These tests must be run periodically (as per internal/regulatory guidelines). Any critical issues found during testing must be resolved before implementation.
(b) RBI guidelines for VCIP Procedure
i) The RE must create a clear workflow and standard operating procedure for V-CIP and adhere to it. Next, the V-CIP process must be operated only by specially trained officials of the RE. This official should be capable of conducting liveliness checks, detecting fraudulent attempts, and acting upon them.
ii) If a V-CIP process is disrupted due to some reason, it should be aborted and a fresh session should be started.
iii) The sequence and/or the type of security questions (including those that indicate the liveness of the customer) during the video call should be varied to ensure real-time interaction and the absence of per-recording.
iv) On detection of any prompting at the customer’s end, the RE must reject the account opening process.
v) Details about the customer undergoing V-CIP – like if they are new or existing, had been rejected before, or their name appears in some negative list – should be considered at an appropriate stage of the V-CIP workflow.
vi) The official of the RE (one who is conducting the V-CIP) must record the audio-visual and capture a photograph of the customer during the video call for identification. Further, they must obtain identification information using any of the below ways:
- OTP-based Aadhaar e-KYC authentication
- Offline Verification of Aadhaar for identification
- KYC records downloaded from CKYCR, following Section 56, using the KYC identifier provided by the customer
- Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through Digilocker
RE must redact or blackout the Aadhaar number in terms of Section 16.
When verifying a customer using an offline Aadhaar XML file or Aadhaar Secure QR code, the RE shall ensure that the file or the QR code is not more than 3 days older from the date of conducting V-CIP. Further, in rare cases, if the entire process cannot be completed in one go, the RE shall also ensure that the V-CIP is undertaken within these 3 days after obtaining the identification information. However, REs shall ensure that no incremental risk is added due to this.
vii) If the current customer is different from the one in their OVD (Officially Valid Documents), appropriate records of the same shall be captured. Also, the economic and financial details of the customer must be confirmed by the customer suitably undertaking the V-CIP.
viii) The RE must click a clear picture of the PAN card displayed by the customer during the V-CIP, except for when a customer provides an e-PAN. Next, the PAN details must be verified from the database of the issuing authority or through DigiLocker.
ix) Printed copy of an equivalent e-document including e-PAN is not valid for the V-CIP.
x) The RE official must match the photograph and details of the customer on Aadhaar/OVD and PAN/e-PAN with the customer undertaking V-CIP.
xi) Assisted V-CIP is allowed when banks take the help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks must maintain the BC’s details. The ultimate responsibility for customer due diligence will be with the bank.
xii) Any account opened using V-CIP should be made operational only after a concurrent audit of the video call. This ensures the integrity of the process and the acceptability of the outcome.
xiii) Other matters that aren’t mentioned here, but required under other statutes (such as Information Technology Act) must be appropriately complied with by the RE.
(c) V-CIP Records and Data Management
i) The data and recordings of the must be stored in India-based, safe, and secure system(s). The recordings must also bear the date and time for easy historical data search. The extant instructions on record management, as stipulated in this MD, are also applicable for V-CIP.
ii) The RE must preserve the activity log along with the credentials of the official performing the V-CIP.
Here’s what IDfy’s V-CIP looks like:
