1. What is Video KYC
Video KYC allows a regulated entity to open an account-based relationship with a customer without meeting the customer face to face. The customer can, through a video call, chat directly with a Banker, provide all the identity documents to verify who they are and complete the account opening steps in a few minutes.
2. Is this approved by the Indian regulator?
Yes. The Indian Central Bank (RBI) provided the approved details of Video Customer Identification Process (V-CIP) vide circular DOR.AML.BC.№27/14.01.001/2019–20 dated 09 January 2020. Section 18 of the circular elaborates on the process to be followed by regulated entities.
3. How can Video KYC help Regulated Entities?
Video verification removes the need for customers to go into a branch, share paper copies, or wait for days for the account-opening process to be completed. This will transform the way bank accounts are opened in the future and reduces the cost of onboarding dramatically. One estimate puts that it costs between 150–200 for face to face onboarding. The same can be reduced to a fraction by doing video KYC without having to meet the customer face to face.
4. What forms of ID are supported within Video KYC?
Banks can use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for customer identification. All other regulated entities can only do Aadhaar Offline verification. For offline verification, customers can use Aadhaar Offline XML or Aadhaar Encrypted QR. However, when using Aadhaar Offline, the shareable Aadhaar Offline files and Encrypted QR should not be more than three days old.
5. How can Regulated Entities ensure that the Aadhaar Offline files are no more than three days old?
We strongly recommend that the customer be allowed to download the files fresh during the live video call to ensure that the Aadhaar Offline files are in compliance with RBI regulations. Our Video KYC interface provides a screen share option during the live video call to allow the customer to download a copy of the Aadhaar Offline XML file for verification with the Agent or do an OTP based e-KYC. The Agent can see the Aadhaar Offline file in real time and do a face match as well during the call. The entire download process and verification is recorded for audit purposes putting to rest spoofing attempts by potential fraudsters. This will ensure Regulated Entities are totally compliant with the central aspect of the Video KYC verification.
6. Can the customer record and upload Videos as part of Video KYC?
No. The regulator has made it clear that “regulated entities may undertake live video customer identification process”. The regulator then goes on to insist: “Regulated Entity shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio visual interaction with the customer”. Anything other than a live video interaction would be in violation of the current Video KYC or V-CIP process as defined by the regulator.
7. Who can do the Video KYC with customers?
A trained official will need to complete the video KYC process. However, regulated entities can take the help of business correspondents to aid the customer with the video at the customer end. While the Video KYC is touted to be non-face to face, the regulator asserts that there may be cases where assistance may be needed by the customer to complete the same (e.g. rural population who may or may not possess a smart phone or the connectivity may not be amenable for a video call). Therefore, regulated entities, can take the assistance of business correspondents at the customer end to complete the video verification process without additional paper work.
8. Can the Bank or Regulated Entity outsource the entire Video KYC process to third party business correspondents?
No. The regulator states that “the V-CIP process shall be operated by officials specifically trained for this purpose”. The regulator further insists that “BCs can facilitate the process only at the customer end and as already stated above, the official at the other end of V-CIP interaction should necessarily be a bank official.”
9. How can the Video KYC be initiated by the Regulated Entity?
There are no right or wrong ways to initiate the video call. Either the Banker can initiate the call or the customer can initiate the call. There are practical difficulties for customer enabling the call as there needs to be sufficient Agents on board and as per demand to carry out Video KYCs. Our solution, however, works by allowing the Banker to initiate the call once the customer has registered his intent and has provided his consent and contact details for a video KYC.
10. What details need to be captured during the Video KYC process?
The following details will have to be captured during the live video KYC process. It can be done in any order:
1) Aadhaar Offline (by any regulated entity) or OTP based Aadhaar (only for Banks).
2) Proof of possession of Aadhaar Number. This would suggest that the official sees the original Aadhaar card before Aadhaar Offline is carried out.
3) A picture of the customer in the live video is captured.
4) A picture of the PAN card is captured.
5) The live location of the customer is captured and verified that the customer is physically present in India (geo tagging and verification).
6) Checks carried out during the call need to be captured.
7) Any notes entered during the call need to be captured.
8) Timestamps, geo locations and metadata related to the video call needs to be captured.
11. How can regulated entities go about implementing Video KYC?
Technically it’s just establishing a video connection between two parties. However, in our experience, business, audit, compliance, risk, operations, legal, products and IT teams have to come together to create a scalable process that is legally vetted and totally compliant. The following set of questions are a good place to start for regulated entities.
1) Does the solution meet all the compliance requirements?
2) Can the solution be deployed on-premises?
3) Can the solution scale and can it be deployed on a fail-safe and scalable architecture?
4) Does the solution work on mobile and web for users to complete their video KYC?
5) Does the solution do a live streaming of video (and not video recording and uploading)?
6) Does the solution provide logs, audits, maker-checker and approvals workflow?
7) Does the solution come with APIs that can help integrate with existing back-end systems to provision account opening steps once the KYC is completed?
8) Can the solution augment artificial intelligence capabilities for face match, OCR, ID verification, image quality checks and spoofing checks?
9) Does the solution provide full audit trail and related data associated with the video KYC?
10) Is the system easy to use without having to go through long training cycles for Agents?
12. Does the Video KYC solution have to be deployed on premises?
The regulator has asserted that the link that is used by customers to begin the video chat should necessarily originate from the domain of the regulated entity. This squarely eliminates generic video tools such as skype, zoom, webex, duo and other popular applications that are hosted on skype.com, zoom.com and such like. Instead, the regulator is looking for something like abcbank.com/videokyc so phishing and other malicious attacks can be prevented. A safer way to achieve this would be to integrate this into existing Banks’ mobile Apps or online Banking portal which triggers the video call from a safe and verified domain. And this would suggest that the entire set up is done on-premises and cloud-based solutions or even hybrid solutions will have a tough time getting through the internal compliance and legal team’s approval. The only exception to this rule is when ID verification needs to be done which usually needs to be an external API call with the issuing authority.
13. Does the PAN need to be verified against the issuing authority?
Yes. The regulator has clearly stated that regulated entities shall “capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority”. There are several API based solutions and can be done concurrently once the PAN image is captured.
14. How can the Regulated Entity verify that the PAN or Aadhaar card belongs to the customer in the Video KYC?
The regulator encourages the use of advanced artificial intelligence solutions to match the image from PAN/Aadhaar to that of the image of the customer in the video call. This will with a high degree of confidence ensure that the customer is in possession of Aadhaar (by way of Aadhaar Offline), Customer is in possession of PAN (PAN verified to be legitimate against issuing authority) and that the details in PAN and Aadhaar match. In addition, the face image matches with the PAN and Aadhaar image with a high degree of confidence. This triangulation of checks will ensure that the customer is legit and spoofing or identity manipulation is quickly flagged for review.
15. Does the Aadhaar number in the Aadhaar Card shown in the video call need to be masked as per regulations?
Without a doubt, Yes. The circular states that wherever customer submits a proof of possession of Aadhaar containing Aadhaar Number, the same is redacted. For instance, in the video KYC process, the Bank official can ask to see the Aadhaar card before Aadhaar Offline is carried out. Therefore, the video captured will have the Aadhaar image and should be subject to Aadhaar Masking as per regulations. The good news is that AI technologies exist to complete this step.
16. Can a regulated entity initiate the video call through a link shared with the customer via email and SMS?
While this may sound novel, we strongly recommend not to use this method. Web links are fraught with high risks of fraud for Banks and could inconvenience genuine customers. Any fraudster could send a link to a customer in the guise of video KYC and could potentially gain access to sensitive information. Therefore, we strongly recommend that Banks initiate this only within their web portals and their Mobile Apps which usually are built with several security features to protect customers from fraud.
17. What are the other general precautions that the regulated entities must take to ensure that the Video KYC is full proof?
The video call must be done in real time (video recording and uploading is not permitted), video is stored encrypted; questions in videos are varied to prevent spoofing attempts; quality of the video must verify the customer beyond doubt; sufficient liveness checks carried out by the officer; full audit logs maintained; video bears date and timestamp; audits done to verify that the compliance steps are enforced. While technology will play a major role and will push the boundaries of possibilities, the ultimate responsibility of this whole process rests with the regulated entity.
