RBI’s Updated KYC Guidelines: All You Need to Know

digio
Apr 1, 2020

In early January this year, the Reserve Bank of India (RBI) issued an amendment to the Master Direction on KYC processes to be followed by RBI-regulated entities. Widely considered to be a big step forward for the Fintech industry as a whole, RBI’s approval of video-based KYC will go a long way in simplifying daunting, unnecessarily expensive KYC procedures.

Today, we break down these new RBI guidelines, and make sense of the black, white, and grey areas of the amendment.

Perhaps the most important aspect of RBI’s changed guidelines is the explicit approval of video authentication in place of physical In-Person Verification (IPV).

The Video Customer Identification Process (or V-CIP) is a consent-based alternative method of identity verification. It will allow banks and other RBI-regulated entities to onboard customers online, and will simplify the authentication process for several financial institutions, new-age fintech companies, digital wallet providers, and NBFCs.

Let’s break down the technicalities of the amendment under four main categories:

I. Initiation of the Process

II. Information to be Obtained

III. Verification Requirements

IV. Technicalities

Before we delve into these, it’s important to understand the following definitions:

a. Digital KYC: Capturing a LIVE photograph of the customer and an Officially Valid Document (OVD) or the proof of possession of Aadhaar (where offline verification cannot be carried out), along with the latitude and longitude of the location where the live photograph is being taken by an authorized official of the “Reporting Entity” (RE).

b. Equivalent e-Document: The electronic equivalent of a document, issued by the Issuing Authority of the document with its valid digital signature, including documents issued to the Digital Locker account of the customer (as per Rule 9 of the IT (Preservation & Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016).

I. Initiation of the Process

  • Informed consent to be obtained from the customer before the live Video Customer Identification (V-CIP) process is initiated
  • The V-CIP process has to be undertaken by a Regulated Entity (RE) or bank official, and not by agents of any kind

Important to note: The services of Business Correspondents (BCs) can be used by banks to facilitate the process. BCs can aid the process only at the customer’s end and the official at the other end of V-CIP interaction should necessarily be a bank official (as mentioned in the point above). Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.

II. Information to be Obtained

  • The RE or bank official must record the video AND capture the photograph of the customer undertaking the identification procedure, and obtain other identification information as below:

— BANKS: Can use OTP-based Aadhaar eKYC authentication or Offline Aadhaar verification (XML or Secure QR Code)

— REs OTHER THAN BANKS: Can ONLY use Offline Aadhaar verification methods (XML or Secure QR Code)

  • The RE or bank official must capture a clear photograph of the customer displaying their PAN except when the customer provides their ePAN. PAN details must then be verified against the database of the Issuing Authority.
  • The RE or bank official must capture the LIVE LOCATION (Geotagging) to ensure that the customer is physically present in India

III. Verification Requirements

  • Customer’s PAN details to be verified against the database of the Issuing Authority (either the photograph of the PAN displayed by the customer during the V-CIP interaction or the ePAN)
  • Customer’s Aadhaar/PAN photograph to be matched against the individual undertaking the V-CIP, and Aadhaar/PAN details to be verified against the details provided by the customer during the V-CIP interaction
  • The RE/bank official to ensure that the sequence/type of questions asked during the V-CIP vary, to guarantee that the interactions are live and not pre-recorded

IV. Technicalities

  • In case of Offline Aadhaar verification, the RE official is to ensure that the generation date of the XML file/QR Code is not older than 3 days from when the V-CIP is being carried out
  • All accounts opened via V-CIP must be subject to concurrent audit before being made operational to ensure the integrity of the process
  • RE should make certain that the process is a seamless, real-time, secured, and end-to-end encrypted audiovisual (AV) interaction with the customer, with quality good enough to allow identification of the customer beyond any doubt
  • The RE must check for the liveness of the interactions to avoid the possibility of any fraudulent manipulations
  • The RE should carry out a software and security audit and validation of the V-CIP application before rolling it out
  • The AV interaction can be triggered ONLY from the domain of the RE, and NOT from any third-party service provider, and should be carried out only by officials specifically trained for this purpose
  • Activity logs and credentials of the RE/bank officials to be preserved
  • Video recording should be stored safely and securely, with the date and timestamp
  • REs are encouraged to take advantage of technology such as Artificial Intelligence (AI), face matching, etc.
  • The RE must redact or blackout the customer’s Aadhaar number as per Section 16

The main points are summarized below:

[Figure: V-CIP — Summarized]

Digio’s V-CIP Solution

DigiKYC, as discussed in an earlier article, makes customer onboarding quick and easy with the help of Artificial Intelligence (AI), Optical Character Recognition (OCR), and the latest in face-matching technology.

Here’s how DigiKYC addresses all of RBI’s guidelines:

While Digio is already being used by a large part of the Fintech ecosystem for KYC processes like Aadhaar Offline eKYC, Digilocker, ID card verification & analysis, bank account verification, digital document collection and more, RBI’s new guidelines now allow even highly regulated entities to leverage the deep tech stack built by Digio.

For more information or to request a demo, feel free to reach out to us at support@digio.in.
