Video KYC — It has never been easier to open a Bank Account in India
Video KYC: Indian Regulator lets customers open bank accounts with a live video
The move removes the need to go into a branch, invite strangers to your house, share paper copies, or wait for days for the account-opening process to be completed. Instead, the customer can, through a stroke of a video call, chat directly with a Banker, provide all the identity documents to verify who they are and complete the account opening steps in a few minutes. This is precisely what the regulator has acceded to.
Sounds like magic. But wait a second. Let’s unpack the nuances from the regulator’s words. This paper refers to the circular DOR.AML.BC.№27/14.01.001/2019–20 dated 09 January 2020 — amendment to master direction on KYC. While there are several amendments in this circular, this paper will focus on the video customer identification process (V-CIP), simply referred to as video KYC, which is covered under section 18 of the master KYC document. The salient points and ensuing challenges of video KYC are discussed here.
Video by trained official — The video KYC must be carried out by a trained bank official. REs can take the services of business correspondents to aid with the video identification process. Note that the business correspondent cannot complete this step on behalf of the banker, instead aid the customer with V-CIP during the live video with the bank official. This will be debated in the outsourced models.
Aadhaar KYC — The only permitted ID for video KYC is Aadhaar. However, there are a number of ways the official can collect Aadhaar from the customer. Banks can do OTP based eKYC or Aadhaar Offline (XML and Encrypted QR). Other REs can only do Aadhaar Offline. As video verification is treated as face to face process (definition 3.xx of the master circular), the limitations observed for OTP based account as part of section 17 of the master circular will not apply. However, a technical challenge is having a live video chat and at the same time completing Aadhaar Offline (as it redirects the user to UIDAI website, download the XML after a set of steps within the UIDAI website and then upload the file is a technical challenge — we will write more on this later). The fact that Aadhaar Offline is carried out as part of the workflow (same video kyc session) will mean that REs will comply with Aadhaar offline files not being older than 3 days as per the circular (another issue is that there is nothing in the Aadhaar Offline file or QR which can verify the age of the file).
Capture photos — A clear photo of the customer must be captured during the course of the video call by the bank official. This will then be used for matching against the ID images (PAN and Aadhaar) provided by the customer.
Capture PAN — A clear photo of the PAN card must be captured during the course of the video call. The regulator has provided an exception to this when ePAN is shared (however, it is not clear how such a process can seamlessly be integrated into the live video call).
PAN to be verified against issuing authority — This is a welcome step. With the availability of reliable APIs, this step can be done concurrently while the video is in progress. And what’s more, there are solutions that will OCR the PAN data and do the background check simply by capturing the picture of the PAN card in a simple and seamless step.
Customer photo matches with PAN/Aadhaar photo — Sophisticated face matching algorithms are now available to ensure that the face in the PAN/Aadhaar matches with the customer photo. AI can complement human intelligence to verify that the ID photo indeed matches with the live photo.
Geotagging of customer (verify within in India) — While geotagging is a simple step, the particular challenge will be the ability to detect GPS spoofing in Android devices.
Domain — The video streaming is triggered from the domain of the regulated entity. Surprisingly, this is a well thought out point. This squarely eliminates generic video tools such as skype, zoom and other popular applications that are hosted on skype.com, zoom.com and such like. Instead, the regulator is looking for something like video.abcbank.com or abcbank.com/video so phishing and other malicious attacks can be prevented. A safer way to achieve this would be to integrate this into existing Banks’ mobile Apps which triggers the video call from a safe and verified domain.
Aadhaar Number Masking — As Aadhaar is the primary identity document displayed to the officer in the video as part of video verification, the Aadhaar number in the video must be redacted. This is as per the earlier notification from UIDAI to redact Aadhaar numbers before storing them.
Others — There are other standard bells and whistle prescription such as the video being secure, real time (video recording and uploading is not permitted) and encrypted; questions in videos are varied to prevent spoofing attempts; quality of the video must verify the customer beyond doubt; sufficient liveness checks carried out by the officer; logs maintained; videos stored safely and bears date and timestamp; audits done to verify that all of the above are enforced. While technology will play a major role and will push the boundaries of possibilities, the ultimate responsibility of this whole process rests with the regulate entity.
This is a formidable step which would benefit both businesses and consumers. Stay tuned for more information in the coming weeks.
