What Is DigiLocker and Why RBI Recognises It for KYC
DigiLocker is a flagship initiative of the Ministry of Electronics and Information Technology (MeitY), Government of India, launched in 2015 as part of the Digital India programme. It is a cloud-based platform that provides citizens with a digital wallet to store, share, and verify documents and certificates issued by government agencies and other organisations. As of 2026, DigiLocker has over 250 million registered users and hosts documents from more than 2,700 issuing organisations, including the UIDAI (for Aadhaar), the Ministry of Road Transport (for driving licences), the Election Commission (for Voter IDs), and numerous state governments for birth certificates, educational credentials, and property records.
The legal foundation for DigiLocker's recognition in KYC processes rests on the Information Technology Act, 2000, as amended by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules. Section 9 of the IT Act provides that documents issued through DigiLocker are deemed equivalent to their original physical counterparts and have the same legal validity. This equivalence was further reinforced by an amendment to Rule 9 of the PML Rules, which recognises documents fetched from DigiLocker as valid Officially Valid Documents (OVDs) for the purpose of KYC under the PMLA framework.
The RBI, through its Master Direction on KYC, has acknowledged DigiLocker as an acceptable source of OVDs for customer identification. The RBI's position is that documents retrieved from DigiLocker carry a digital signature from the issuing authority, which provides a higher level of authenticity assurance than a physical document that could potentially be forged or tampered with. This makes DigiLocker-fetched documents particularly valuable in the V-CIP context, where the agent is viewing documents over a video call and cannot physically inspect them for signs of tampering.
The recognition of DigiLocker for KYC represents a significant shift in the regulatory approach to document verification. Traditional KYC relied heavily on physical documents, with agents trained to check for watermarks, holograms, and other physical security features. DigiLocker shifts the trust model from physical document security to cryptographic digital signatures, which are far more difficult to forge. For financial institutions, this means that a DigiLocker-fetched document can be verified programmatically (by checking the digital signature) rather than relying solely on the visual judgement of a V-CIP agent, which improves both accuracy and efficiency.
DigiLocker Documents Accepted as OVDs for V-CIP
Under the PML Rules, the Officially Valid Documents that can be used for KYC are Passport, Voter's Identity Card, Aadhaar (issued by UIDAI), and Driving Licence. All four of these documents are available through DigiLocker, issued by their respective government authorities with digital signatures. When fetched through DigiLocker's API, these documents come with a digitally signed XML or JSON payload that can be cryptographically verified by the receiving application, ensuring that the document has not been altered since it was issued.
The Aadhaar card fetched through DigiLocker deserves special mention because of the specific regulatory framework around Aadhaar usage for KYC. Under Section 11A of the PMLA (inserted by the Finance Act, 2019) and the corresponding amendments to the Aadhaar Act, financial institutions can use Aadhaar for KYC with the customer's informed consent. DigiLocker provides a convenient mechanism for this: the customer authorises the share of their Aadhaar from DigiLocker, and the institution receives a digitally signed document without needing to collect or store a physical copy of the Aadhaar card. This also helps institutions comply with the UIDAI's guidelines on Aadhaar data handling, which restrict the storage and display of full Aadhaar numbers.
Beyond the four statutory OVDs, DigiLocker also hosts PAN cards (issued by the Income Tax Department), which are required for KYC verification though not classified as an OVD. Additionally, DigiLocker provides access to address proof documents such as utility bills, property tax receipts, and bank account statements from participating issuers. While these are not OVDs, they can serve as supporting documents for address verification during V-CIP, particularly in cases where the customer's OVD address does not match their current residential address.
It is important to note that not all documents in a customer's DigiLocker account carry the same level of verification. DigiLocker distinguishes between "issued documents" (which are pushed by the issuing authority and carry the issuer's digital signature) and "uploaded documents" (which are scans uploaded by the user and are not verified by any authority). For KYC purposes, only issued documents with valid digital signatures should be accepted as OVDs. The V-CIP platform must be configured to validate the digital signature and reject uploaded (unverified) documents, even if they appear to be legitimate OVDs.
Technical Integration: DigiLocker API with Video KYC Platforms
DigiLocker provides a set of well-documented APIs that enable third-party applications to request and receive documents from a user's DigiLocker account, with the user's explicit consent. The integration follows the OAuth 2.0 authorisation framework, where the V-CIP platform redirects the customer to DigiLocker's authentication page, the customer logs in with their Aadhaar-linked mobile number and OTP, grants consent to share specific documents, and the platform receives the documents via a secure API callback.
The technical flow typically begins before the V-CIP session. During the pre-call phase, the customer is prompted to share their OVD from DigiLocker. The V-CIP platform initiates a DigiLocker API request, the customer authenticates and consents on the DigiLocker interface, and the document is fetched and stored in the V-CIP session record. By the time the video call begins, the agent already has the digitally verified document available for review, which means the customer does not need to hold up a physical document to the camera. This significantly reduces call duration and eliminates issues with poor lighting, camera quality, and document glare that commonly plague physical document verification over video.
The DigiLocker API returns documents in multiple formats depending on the issuer: PDF, XML, or JSON. For KYC purposes, the XML/JSON formats are preferred because they enable programmatic extraction of data fields (name, date of birth, address, document number) and cryptographic verification of the digital signature. The V-CIP platform should parse these structured formats to auto-populate the customer's details in the KYC form, verify the digital signature against the issuer's public key, and present a human-readable version of the document to the agent during the call.
From a security standpoint, the DigiLocker API integration must be implemented with care. The API credentials (client ID and secret) issued by DigiLocker to the V-CIP platform must be stored securely and rotated periodically. All API communications must occur over TLS 1.2 or higher. The consent flow must be transparent to the customer, clearly indicating which documents are being requested and for what purpose. The platform must also handle API failures gracefully, including timeouts, rate limiting, and service unavailability. A fallback mechanism that allows the customer to present their physical OVD during the video call should always be available in case the DigiLocker integration encounters issues.
Benefits: Eliminating Physical Document Handling and Forgery Risk
The most immediate benefit of DigiLocker integration with V-CIP is the elimination of physical document handling. In a traditional V-CIP session, the customer must locate their physical OVD, hold it up to the camera at the correct angle and distance, and wait while the agent captures a screenshot. This process is prone to multiple failure modes: the customer may not have the physical document readily available, the document may be damaged or faded, the camera may not capture a sufficiently clear image, or glare from lamination may obscure critical details. DigiLocker bypasses all of these issues by providing a clean, digital version of the document directly to the platform.
Forgery risk is dramatically reduced when documents are sourced from DigiLocker. A physical document presented over a video call is inherently difficult to authenticate. The V-CIP agent can check for obvious signs of tampering, but cannot perform the detailed physical examination (checking holograms, watermarks, paper quality, UV features) that would be possible in person. A sophisticated forgery might pass visual inspection over video. DigiLocker documents, by contrast, carry a cryptographic digital signature from the issuing authority. Verifying this signature is a deterministic, automated process that cannot be fooled by visual forgery. If the signature is valid, the document is genuine. If it is not, the document is rejected.
Processing efficiency improves significantly with DigiLocker integration. The average V-CIP call duration for physical document verification is 8 to 12 minutes, with document display and capture accounting for 3 to 5 minutes of that time. When DigiLocker is used, the document is already available to the agent before the call begins, and the call can focus on liveness verification, face matching, and the risk assessment conversation. Institutions that have adopted DigiLocker integration report a reduction in average call duration of 30% to 40%, which translates directly into higher agent throughput and lower cost per verification.
Data accuracy is another significant benefit. When the agent manually reads and enters data from a physical document displayed on a video call, transcription errors are common, especially for long alphanumeric strings like Aadhaar numbers or passport numbers. DigiLocker provides structured data that can be auto-populated into the KYC form without manual entry, virtually eliminating transcription errors. This reduces the rate of post-processing rejections due to data mismatches and improves the straight-through processing rate for V-CIP verifications.
DigiLocker vs Aadhaar eKYC vs Physical OVD in Video KYC
To understand where DigiLocker fits in the V-CIP ecosystem, it is helpful to compare it with the other two primary document verification methods: Aadhaar eKYC and physical OVD presentation. Aadhaar eKYC involves authenticating the customer's Aadhaar number using biometric (fingerprint or iris) or OTP-based verification through the UIDAI's authentication infrastructure. It is the fastest method, completing in seconds, but is classified as a simplified KYC measure by the RBI, which means accounts opened solely through Aadhaar eKYC are subject to certain transaction limits (currently INR 1 lakh annual credit and INR 10,000 monthly debit for prepaid instruments).
Physical OVD presentation during V-CIP is the traditional approach where the customer holds up their original document to the camera. This constitutes full KYC and has no transaction limits, but suffers from the practical challenges discussed above: dependency on physical document availability, image quality issues, forgery risk, and longer call durations. It is also entirely dependent on the agent's visual judgement for document authentication, with no programmatic verification.
DigiLocker document fetch during V-CIP occupies a middle ground that combines the advantages of both approaches. Like Aadhaar eKYC, it is a digital, automated process that provides verified data. Like physical OVD verification, it constitutes full KYC because the document is a digitally signed equivalent of the original OVD, recognised as such under the IT Act and PML Rules. This means that V-CIP sessions using DigiLocker documents can open unrestricted accounts while benefiting from the speed, accuracy, and security advantages of digital verification.
The choice between these methods often depends on the customer segment and use case. Aadhaar eKYC is ideal for small-value, high-volume products where speed is paramount and transaction limits are acceptable. Physical OVD is the fallback for customers who do not have a DigiLocker account or whose documents are not yet available on the platform. DigiLocker is the optimal choice for full KYC when the customer has an active DigiLocker account with the relevant OVDs, offering the best combination of speed, security, and regulatory compliance. A well-designed V-CIP platform should support all three methods and route each customer to the most appropriate path.
Current Adoption Challenges and Limitations
Despite its clear advantages, DigiLocker adoption for V-CIP faces several practical challenges. The most fundamental is user awareness and readiness. While DigiLocker has over 250 million registered users, a large proportion of India's adult population, particularly in rural areas and among older demographics, either does not have a DigiLocker account or has not linked their key documents to it. This means that the V-CIP platform cannot rely on DigiLocker as the sole document verification method and must always maintain the physical OVD fallback.
Document availability within DigiLocker is another limitation. While Aadhaar and driving licences are generally available for most registered users, other OVDs such as Voter's ID and Passport may not be linked if the issuing authority has not integrated with DigiLocker or if the user has not initiated the linking process. The availability varies significantly by state and by document type. For instance, driving licences from states that use the Vahan/Sarathi system are generally available, but licences from states with legacy systems may not be. This inconsistency makes it difficult for institutions to standardise on DigiLocker for all customers.
Technical reliability is a concern that has improved over time but is not yet at the level expected for mission-critical financial services. DigiLocker's API has experienced periodic outages and latency spikes, particularly during periods of high demand (such as when a large institution launches a new digital onboarding campaign). For a V-CIP session, where the customer and agent are both on a live video call, an API timeout during the DigiLocker fetch creates an awkward situation that disrupts the customer experience. Robust error handling and fallback mechanisms are essential.
Privacy and consent management also require careful attention. Under the Digital Personal Data Protection Act (DPDPA), 2023, the customer's consent for sharing personal data through DigiLocker must be informed, specific, and freely given. The V-CIP platform must clearly communicate to the customer what data is being requested, why it is needed, how it will be used, and how long it will be retained. The consent flow should be designed so that the customer can easily understand and control what they are sharing. Institutions must also ensure that DigiLocker data is stored and processed in accordance with the DPDPA's data protection obligations, including purpose limitation, storage limitation, and data security requirements.
How BaseKYC Supports DigiLocker Document Fetch During V-CIP
BaseKYC offers native DigiLocker integration as part of its V-CIP platform, providing a seamless document verification experience for both customers and agents. The integration is built into the pre-call workflow: when a customer is scheduled for a V-CIP session, they receive a link to authorise document sharing from their DigiLocker account. The customer authenticates with DigiLocker using their Aadhaar-linked mobile OTP, selects the documents to share (typically Aadhaar and PAN), and the documents are fetched and stored securely in the V-CIP session record before the call begins.
During the V-CIP call, the agent sees the DigiLocker-fetched documents in a structured, easy-to-read format alongside the live video feed. The platform automatically validates the digital signatures on the fetched documents and displays a verification status (valid/invalid) to the agent. If the signatures are valid, the agent can proceed with confidence that the documents are authentic. The customer's details are auto-populated in the KYC form from the structured DigiLocker data, eliminating manual data entry. The agent's role shifts from document verification to face matching and liveness confirmation, which makes the call faster and more focused.
BaseKYC handles the fallback scenario gracefully. If the customer does not have a DigiLocker account, if the required documents are not available on DigiLocker, or if the API is temporarily unavailable, the platform automatically switches to the physical OVD verification flow. The customer is notified that they will need to present their original documents during the video call, and the agent's interface adjusts to include the document capture and OCR workflow. This dual-mode capability ensures that no customer is turned away due to DigiLocker limitations.
From a compliance and audit perspective, BaseKYC stores the complete DigiLocker fetch record, including the raw API response, the digital signature verification result, and the timestamp of the fetch, as part of the V-CIP audit trail. This provides a robust chain of evidence that can be presented to regulators or auditors to demonstrate that the OVD was verified through a trusted digital channel. The platform also manages consent records in accordance with DPDPA requirements, storing the customer's consent for DigiLocker data sharing as a separate, auditable record linked to the V-CIP session.