Full KYC Through Video: How V-CIP Achieves Face-to-Face Equivalence Under RBI Rules

Mar 4, 2026

Not all KYC is created equal. Under the RBI's regulatory framework, the level of KYC verification directly determines what a customer can do with their account -- the transaction limits, the products available, the account's operational lifespan. The critical distinction is between "full KYC" and everything else. Full KYC -- achieved through face-to-face identification or its regulatory equivalent -- unlocks unrestricted account access. Anything less imposes limits. The Video-based Customer Identification Process (V-CIP), as defined in the Master Direction on KYC (amended by RBI/2021-22/35, dated May 10, 2021), is the only remote verification method that achieves full KYC status. This article explains exactly how and why.

Full KYC vs. Limited KYC vs. Minimum KYC: The Regulatory Hierarchy

The RBI's KYC framework operates on a tiered system. Understanding these tiers is essential for grasping why V-CIP matters, and why institutions that rely solely on OTP-based e-KYC face a structural compliance problem.

Minimum KYC (Small Accounts / Simplified Measures)

Under the RBI's simplified due diligence provisions and the PMLA rules for "small accounts," customers can open accounts with minimal documentation -- typically a self-attested photograph and a self-declaration. These accounts carry severe restrictions: aggregate credits capped at INR 1 lakh per year, aggregate withdrawals capped at INR 10,000 per month, and a maximum balance of INR 50,000 at any point. Small accounts are valid for 12 months initially and can be extended by another 12 months if the customer provides proof of having applied for an OVD. After 24 months, if full KYC is not completed, the account must be frozen.

Limited KYC (OTP-Based Aadhaar e-KYC)

OTP-based Aadhaar e-KYC provides a faster, digital verification path. The customer authenticates using their Aadhaar number and a one-time password sent to their registered mobile number. UIDAI's CIDR returns demographic data (name, address, date of birth, gender, photograph) to the regulated entity. This process is entirely digital and can be completed in under 2 minutes. However, the RBI classifies this as limited KYC, not full KYC. The critical limitation: accounts opened through OTP-based e-KYC cannot exceed a validity of one year unless the customer undergoes full identification -- either through face-to-face verification (Section 16 of the Master Direction) or through V-CIP.

The one-year limit is not a guideline or a recommendation. It is a binding regulatory requirement. If the account is not upgraded to full KYC within 12 months of opening, the institution must restrict the account's operations -- no new credits (except interest), no debits, and no new products or services linked to the account. For institutions that have onboarded millions of customers via Aadhaar OTP, this creates an ongoing operational and compliance burden that grows with every month of new e-KYC onboarding.

Full KYC (Face-to-Face or V-CIP)

Full KYC is achieved when the customer's identity is verified through one of the methods that the RBI considers equivalent to physical, in-person verification. Under the Master Direction, there are two paths to full KYC:

Section 16 -- Physical verification: The customer presents original Officially Valid Documents (OVDs) at a branch or before a designated official. The official visually examines the documents, verifies their authenticity, captures copies, and records the verification in the system. This has been the traditional path to full KYC for decades.

Section 18 -- V-CIP: The customer undergoes a live video-based verification session with an authorized official of the RE, complying with all prescribed technical and procedural standards. The circular is explicit: V-CIP conducted in compliance with prescribed standards "shall be treated on par with face-to-face CIP." Full KYC means no time-bound limitations on the account, no transaction restrictions beyond standard product limits, and access to all products and services offered by the institution.

KYC Methods Comparison: Account Limits and Validity

The following table summarizes the practical differences between the three KYC tiers, based on the provisions of the Master Direction and PMLA rules:

| Parameter | Minimum KYC (Small Account) | Limited KYC (OTP e-KYC) | Full KYC (V-CIP / In-Person) |
|---|---|---|---|
| KYC Status | Minimum | Limited | Full |
| Account Validity | 12 months (extendable to 24) | 12 months (must upgrade) | No time limit |
| Annual Credit Limit | INR 1 lakh | Product-specific limits | No regulatory cap |
| Monthly Withdrawal | INR 10,000 | Product-specific limits | No regulatory cap |
| Maximum Balance | INR 50,000 | Product-specific limits | No regulatory cap |
| Verification Method | Self-declaration + photo | Aadhaar OTP | V-CIP / Branch visit |
| Customer Presence | Not required | Not required | Live (video or physical) |
| Products Available | Basic savings only | Limited product suite | All products and services |
| Re-KYC Period | Account renewal at expiry | Must upgrade within 1 year | Risk-based: 2/8/10 years |
| Legal Standing | Conditional | Temporary | Full equivalence with in-person |

Why OTP-Based e-KYC Has a One-Year Limit

The one-year limit on OTP-based e-KYC accounts is rooted in a fundamental distinction the RBI draws between electronic authentication and genuine customer identification. OTP-based Aadhaar authentication confirms that the person initiating the transaction possesses the mobile phone registered against a particular Aadhaar number. It does not confirm that the person is physically present, that they are who they claim to be in real-time, or that their documents are genuine physical objects rather than replicated data.

The Supreme Court of India's 2018 judgment in Justice K.S. Puttaswamy vs. Union of India, while upholding Aadhaar's constitutional validity, restricted its mandatory use for banking services and struck down Section 57 of the Aadhaar Act that permitted private entities to demand Aadhaar authentication. Following this judgment, the RBI's framework treats OTP-based Aadhaar e-KYC as a temporary measure that enables quick onboarding but requires subsequent full verification.

The regulatory logic is sound: OTP-based e-KYC is vulnerable to SIM swap fraud, social engineering attacks that intercept OTPs, and scenarios where the Aadhaar holder and the account opener are different persons. While these risks are manageable for temporary, low-value accounts, they are unacceptable for full, unrestricted financial accounts. The one-year window gives institutions time to perform proper identification while allowing customers immediate (but limited) access.

V-CIP addresses every weakness that makes OTP-based e-KYC insufficient for full KYC. The live video interaction confirms physical presence. Face matching against identity documents confirms the person's identity in real-time. Liveness detection prevents deepfakes and impersonation. The authorized official's assessment adds a human judgment layer that pure electronic authentication lacks. This is why the RBI treats V-CIP as equivalent to face-to-face verification -- it provides the same assurance of customer identity that a physical branch visit provides.

How V-CIP Achieves Full KYC Status: The Legal Basis

The RBI's Master Direction on KYC (Section 3) defines V-CIP and establishes its legal equivalence with face-to-face CIP:

"Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP."

The phrase "on par with face-to-face CIP" is the legal foundation for V-CIP's full KYC status. This is not a secondary recognition or a conditional approval. It is an unqualified equivalence declaration. When a V-CIP session complies with all prescribed standards -- the infrastructure mandates, the procedural controls, the identification requirements, the audit trail obligations -- the resulting KYC verification carries the same legal weight as a customer walking into a bank branch with their original documents.

This equivalence has several practical consequences. First, accounts opened through compliant V-CIP have no time-bound restrictions -- unlike OTP e-KYC accounts, they do not expire after one year. Second, there are no product restrictions -- customers verified through V-CIP can access the same products and services as customers verified in person. Third, the Re-KYC cycle follows the standard risk-based schedule (2 years for high-risk, 8 years for medium-risk, 10 years for low-risk), not the truncated one-year cycle that applies to OTP e-KYC accounts.

The Five Verification Methods for V-CIP

The Master Direction permits five distinct identification methods during a V-CIP session. Each method has specific requirements, advantages, and regulatory considerations. A robust V-CIP platform should support all five to provide operational flexibility and accommodate different customer profiles.

1. OTP-Based Aadhaar e-KYC

During the live video session, the customer provides their Aadhaar number and authenticates via OTP sent to their Aadhaar-registered mobile number. UIDAI's CIDR returns demographic data and photograph, which the system uses for identity verification and face matching. When used within a V-CIP session (as opposed to standalone e-KYC), the OTP-based verification is combined with live face matching, liveness detection, and official assessment, elevating it from limited KYC to full KYC status.

2. Offline Aadhaar Verification (XML / QR Code)

Customers can provide their identity data through Aadhaar XML downloaded from UIDAI's resident portal or through the QR code printed on their Aadhaar card. The Master Direction imposes a critical freshness requirement:

The Aadhaar XML or QR code data must not be more than 3 days old at the time of the V-CIP session.

This three-day rule is frequently overlooked but strictly enforced. If a customer downloads their Aadhaar XML on Monday, the V-CIP session must be conducted by Wednesday. By Thursday, the XML is stale and cannot be used. The platform must automatically validate the XML/QR generation timestamp against the session timestamp and reject expired data. Offline verification is particularly useful for customers who do not have their Aadhaar-registered mobile phone available during the session or whose Aadhaar-linked phone number is outdated, as it does not require OTP delivery.

3. CKYCR Records

The Central KYC Records Registry (CKYCR), operated by CERSAI (Central Registry of Securitisation Asset Reconstruction and Security Interest of India), maintains a centralized database of KYC records. When a customer has been previously KYC-verified by any regulated entity that has uploaded their records to CKYCR, the verifying RE can download and use this record during V-CIP. The customer's 14-digit CKYC Identifier (KIN) is used to retrieve the record. This method reduces documentation burden and leverages previously verified data, while the live V-CIP session adds the real-time identity confirmation layer.

4. OVDs via DigiLocker

DigiLocker is the Government of India's digital document storage platform under the Ministry of Electronics and Information Technology. Documents issued to citizens by government departments and stored in DigiLocker are treated as equivalent to original documents under the Information Technology Act, 2000. During a V-CIP session, customers can share Officially Valid Documents -- Aadhaar, PAN, Passport, Voter ID, Driving License -- from their DigiLocker account. The RE's platform fetches these documents through DigiLocker's API, verifying both the document content and its digital provenance. This eliminates the need for customers to hold up physical document cards to the camera, improving verification accuracy and session quality.

5. PAN Capture and Verification

Permanent Account Number (PAN) verification is mandatory for all financial account openings under the Income Tax Act and PMLA rules. During V-CIP, the customer's PAN must be captured -- either from the physical card displayed on camera, from a DigiLocker-sourced document, or from manual entry -- and verified against the Income Tax Department's database in real-time. The verification confirms the PAN's validity, the associated name, and its linkage status with Aadhaar (as mandated under Section 139AA of the Income Tax Act). PAN verification is not a standalone identification method but a mandatory complement to whichever primary OVD method is used during the session.

The Three-Day Rule: Aadhaar XML and QR Code Freshness

The three-day freshness requirement for offline Aadhaar data deserves special attention because it creates operational complexity that many institutions initially underestimate. The rule requires that the Aadhaar XML or QR code data presented during a V-CIP session must have been generated no more than 3 days before the session date.

The rationale behind this rule is preventing identity data replay attacks. Aadhaar data, once downloaded, is static. If a fraudster obtains someone's Aadhaar XML, they could theoretically use it indefinitely for identity fraud. The three-day window drastically limits this attack surface by ensuring the data is near-real-time, reflecting the customer's current Aadhaar record rather than a potentially outdated snapshot.

For V-CIP platforms, this means implementing automated timestamp validation. When a customer uploads their Aadhaar XML or scans the QR code during the session, the platform must parse the XML/QR data, extract the generation timestamp, compare it against the current session timestamp, and reject the data if the gap exceeds 72 hours. This validation must happen before the official proceeds with the verification, not as a post-session check.

The operational implication for customer scheduling is significant. If a customer schedules a V-CIP session for Friday, they must download their Aadhaar XML no earlier than Tuesday. If the session is rescheduled to Monday, the Friday-downloaded XML is already stale. Institutions must communicate this requirement clearly to customers during the scheduling process and ideally guide them through the XML download as part of the pre-session workflow.
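
The timestamp gate described above, sketched as an added example (not BASEKYC's or UIDAI's code). The sample document, its element names and the generatedAt attribute are hypothetical stand-ins for the real offline Aadhaar format, and the five-minute clock-skew tolerance is an assumption. The check presumes the document's digital signature has already been verified, since an unverified timestamp is attacker-controlled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

MAX_AGE = timedelta(hours=72)            # window stated in the article
MAX_FUTURE_SKEW = timedelta(minutes=5)   # assumed clock-skew tolerance
TIMESTAMP_ATTR = "generatedAt"           # hypothetical attribute name

# Constructed sample document; this is not UIDAI's schema.
SAMPLE_XML = (
    b'<OfflineKycSample generatedAt="2026-03-03T10:15:00+05:30">'
    b'<Holder name="CONSTRUCTED SAMPLE"/></OfflineKycSample>'
)


def extract_generated_at(raw: bytes) -> datetime:
    """Return the timezone-aware generation time, or raise ValueError."""
    # Cheap pre-filter: refuse documents that declare a DTD or entities,
    # so entity-expansion payloads are dropped before parsing.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declaration present")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"unparseable XML: {exc}") from exc
    stamp = root.get(TIMESTAMP_ATTR)
    if not stamp:
        raise ValueError("generation timestamp missing")
    generated = datetime.fromisoformat(stamp)  # ValueError on a bad format
    if generated.tzinfo is None:
        # A timestamp without an offset is ambiguous by hours; do not guess.
        raise ValueError("generation timestamp has no UTC offset")
    return generated


def check_freshness(raw: bytes, session_start: datetime) -> Tuple[bool, str]:
    """Gate run before the official proceeds; any doubt is a rejection."""
    if session_start.tzinfo is None:
        return False, "rejected: session timestamp has no UTC offset"
    try:
        generated = extract_generated_at(raw)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    age = session_start - generated
    if age < -MAX_FUTURE_SKEW:
        return False, "rejected: data is dated after the session"
    if age > MAX_AGE:
        hours = age.total_seconds() / 3600
        return False, f"rejected: data is {hours:.1f} h old, limit is 72 h"
    return True, "accepted"


if __name__ == "__main__":
    ist = timezone(timedelta(hours=5, minutes=30))
    print(check_freshness(SAMPLE_XML, datetime(2026, 3, 5, 9, 0, tzinfo=ist)))
    print(check_freshness(SAMPLE_XML, datetime(2026, 3, 7, 9, 0, tzinfo=ist)))
```

The returned reason string is meant to be written to the session's activity log, so the audit trail shows why offline data was refused.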

The Concurrent Audit Requirement: The Final Gate to Full KYC

A V-CIP session, by itself, does not immediately activate a full KYC account. The Master Direction mandates a concurrent audit before accounts opened through V-CIP become operational. This audit serves as a quality gate between the V-CIP session and account activation.

The concurrent auditor reviews the complete session record, which includes the video recording, liveness detection scores, face match results, document verification outcomes, GPS coordinates and timestamps, consent record, activity log, sanctions screening results, and the authorized official's decision and rationale. The auditor verifies that every prescribed standard was met and that the session record is complete and untampered.

If the auditor identifies gaps -- an incomplete video, insufficient liveness confidence, missing consent records, or procedural lapses -- the session is flagged for remediation. The customer may need to undergo another V-CIP session, or the institution may need to supplement the V-CIP with additional verification before the account can be activated.

The practical challenge is speed. Customers expect near-instant account activation. Adding a concurrent audit step introduces a potential delay that can degrade the customer experience. The solution is automated audit workflows: platforms that automatically check session completeness, validate technical parameters (liveness scores, face match thresholds, GPS plausibility, timestamp consistency), and flag only exceptions for manual audit review. This approach maintains the regulatory requirement while minimizing the delay to seconds or minutes rather than hours or days.
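
An automated pre-screen of the kind described above, as an added example (not BASEKYC's code and not a format prescribed by the RBI). The record's key names, the event names, and the score floors are all assumptions; the artifact list follows the session record contents named earlier in this section.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Session-record artifacts named in the article; the key names are hypothetical.
REQUIRED = ("video_recording", "liveness_score", "face_match_score",
            "document_verification", "gps", "consent_record", "activity_log",
            "sanctions_screening", "official_decision")
# Assumed institution-set floors, not figures from the Master Direction.
FLOORS = {"liveness_score": 0.90, "face_match_score": 0.85}


def prescreen(session: Dict[str, Any]) -> List[str]:
    """Return audit exceptions; an empty list means nothing needs manual review."""
    findings: List[str] = []
    # Completeness: an absent or empty artifact is an exception, never a pass.
    for key in REQUIRED:
        if session.get(key) in (None, "", [], {}):
            findings.append(f"missing artifact: {key}")
    # Technical parameters against the configured floors.
    for key, floor in FLOORS.items():
        score = session.get(key)
        if score is None:
            continue  # already reported as missing
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            findings.append(f"{key} is not numeric")
        elif score < floor:
            findings.append(f"{key} {score:.2f} below floor {floor:.2f}")
    # GPS plausibility: valid ranges, and not the 0,0 default of a failed fix.
    gps = session.get("gps")
    if gps is not None:
        lat, lon = (gps.get("lat"), gps.get("lon")) if isinstance(gps, dict) else (None, None)
        numeric = all(isinstance(v, (int, float)) for v in (lat, lon))
        if not (numeric and -90 <= lat <= 90 and -180 <= lon <= 180
                and (lat, lon) != (0, 0)):
            findings.append("gps coordinates implausible")
    # Timestamp consistency: events in order and inside the session window.
    start, end = session.get("started_at"), session.get("ended_at")
    events = session.get("activity_log") or []
    try:
        if not start < end:
            findings.append("session start is not before session end")
        previous = start
        for event in events:
            if not previous <= event["at"] <= end:
                findings.append(f"event out of sequence: {event['name']}")
                break
            previous = event["at"]
    except (TypeError, KeyError):
        findings.append("session or event timestamps missing or malformed")
    # Consent must be logged before any identification data is captured.
    names = [e["name"] for e in events if isinstance(e, dict) and "name" in e]
    if "consent_given" in names and "id_capture" in names:
        if names.index("consent_given") > names.index("id_capture"):
            findings.append("identification captured before consent")
    return findings


def sample_session() -> Dict[str, Any]:
    """Constructed record of a clean session, used for demonstration only."""
    t0 = datetime(2026, 3, 4, 6, 0, tzinfo=timezone.utc)
    return {
        "video_recording": "constructed-recording-ref",
        "liveness_score": 0.97, "face_match_score": 0.93,
        "document_verification": {"pan": "verified"},
        "gps": {"lat": 19.07, "lon": 72.87},
        "consent_record": {"given": True},
        "sanctions_screening": {"hits": 0},
        "official_decision": {"outcome": "approve", "rationale": "all checks met"},
        "started_at": t0, "ended_at": t0 + timedelta(minutes=6),
        "activity_log": [
            {"name": "consent_given", "at": t0 + timedelta(seconds=20)},
            {"name": "id_capture", "at": t0 + timedelta(minutes=2)},
            {"name": "face_match", "at": t0 + timedelta(minutes=3)},
        ],
    }
```

A session with an empty findings list can be cleared automatically; any other result goes to the concurrent auditor with the findings attached.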

V-CIP for Account Upgrades: Converting Limited KYC to Full KYC

One of the most impactful use cases for V-CIP under Section 18 of the Master Direction is the conversion of OTP-based e-KYC accounts to full KYC accounts. This use case addresses the structural one-year limit on e-KYC accounts and provides institutions with a scalable mechanism to retain customers whose accounts would otherwise be frozen.

The conversion process is straightforward: the institution identifies customers whose e-KYC accounts are approaching the one-year mark, proactively schedules V-CIP sessions, conducts the live video verification with all prescribed standards, completes the concurrent audit, and upgrades the account status from limited KYC to full KYC. Once upgraded, the account operates without the one-year time restriction and with full product access.

The scale of this requirement is significant. A digital bank or fintech that onboards 100,000 customers per month via Aadhaar OTP creates a pipeline of 100,000 accounts per month that must be upgraded to full KYC within 12 months. Without V-CIP, each of these upgrades would require a physical branch visit -- logistically impossible for most digital-first institutions that operate without branch networks. V-CIP transforms this from an impossible logistical challenge into a scalable, technology-enabled process.

BASEKYC's platform includes dedicated workflows for account upgrade campaigns. Our RE Dashboard identifies accounts approaching the one-year threshold, triggers automated customer notifications with scheduling links, streamlines the V-CIP session for upgrade-specific flows (where the institution already has preliminary customer data from the original e-KYC), and processes the concurrent audit in near-real-time to minimize the gap between session completion and account upgrade.

V-CIP for Re-KYC: Periodic Renewal Without Branch Visits

The Master Direction mandates periodic KYC renewal on a risk-based schedule. The timelines are mandatory:

High-risk customers: every 2 years. These include PEPs, customers from high-risk countries, customers with unusual transaction patterns, and those flagged by the institution's internal risk models. The short renewal cycle reflects the elevated risk of money laundering, terrorist financing, or other financial crimes associated with this category.

Medium-risk customers: every 8 years. This is the largest category by volume, encompassing the majority of retail and SME customers. For a bank with 50 million customers, medium-risk Re-KYC alone can generate 6-7 million renewal requirements per year.

Low-risk customers: every 10 years. Long-standing customers with stable transaction patterns, full documentation, and no adverse information. The extended cycle recognizes the lower risk profile but does not eliminate the renewal requirement entirely.

V-CIP's explicit approval for Re-KYC under Section 18 means that none of these renewals require a branch visit. Customers can complete their periodic KYC update from their home, office, or any location with a smartphone and internet connection. For institutions, this eliminates the operational overhead of managing millions of branch appointments, reduces Re-KYC processing costs by up to 90%, and significantly improves completion rates -- customers who would never visit a branch for a KYC renewal are far more likely to complete a 5-minute video call.

Practical Implementation: Steps to Achieve Full KYC via V-CIP

Implementing V-CIP for full KYC requires a systematic approach that addresses technology, process, people, and compliance simultaneously. Here is the practical implementation roadmap:

Step 1: Platform selection and infrastructure setup. Deploy a V-CIP platform that meets all infrastructure mandates -- premises-based hosting or secure cloud deployment within India, end-to-end encryption, geo-IP blocking, spoofed IP detection, and VA/PT-certified security. The platform must support all five identification methods (Aadhaar OTP, Offline Aadhaar, CKYCR, DigiLocker, PAN) and integrate liveness detection with face matching capabilities.

Step 2: SOP development and regulatory filing. Develop comprehensive Standard Operating Procedures covering session workflow, official authorization, questioning protocols, rejection criteria (including prompting detection), disruption handling (abort and restart), negative list checking, and escalation procedures. These SOPs must be filed with or available to the RBI upon request.

Step 3: Official training and authorization. Train and formally authorize V-CIP officials. Training must cover document verification techniques, fraud identification (deepfakes, impersonation, coaching detection), regulatory requirements, the institution's specific SOP, and the platform's technical features. Maintain a register of authorized officials and update it as personnel change.

Step 4: Concurrent audit framework. Establish the concurrent audit function -- either within internal audit or through external auditors. Define audit checklists aligned with the Master Direction's requirements, set turnaround time targets for audit completion, and implement automated pre-screening to flag exceptions and expedite reviews.

Step 5: Security assessment. Commission VA/PT and security audit from an RBI-accredited or CERT-In empanelled agency. Address all findings before launching V-CIP operations. Schedule periodic reassessments (at least annually) and maintain current audit certificates.

Step 6: Pilot and scale. Begin with a controlled pilot -- limited geography, limited customer segments, limited daily session volumes. Monitor session quality, audit outcomes, customer feedback, and platform performance. Address issues before scaling. Once stabilized, progressively increase volumes while maintaining quality metrics.

Step 7: Ongoing monitoring and compliance. Implement continuous monitoring of V-CIP operations: session completion rates, rejection reasons, audit findings, customer complaints, and regulatory feedback. Review and update SOPs quarterly. Retrain officials annually. Maintain an incident register and escalation protocols for fraud attempts and system failures.

How BASEKYC Delivers Full KYC Through Video

BASEKYC is purpose-built to deliver full KYC status through V-CIP, addressing every regulatory requirement while providing the performance and scalability that institutions need for production-grade operations.

Our platform supports all five identification methods with automated validation -- including the three-day freshness check for Aadhaar XML/QR, real-time PAN verification against the Income Tax database, CKYCR record retrieval, and DigiLocker integration. AI-powered liveness detection and face matching run during the session, providing the authorized official with confidence scores that exceed the "beyond doubt" standard. GPS coordinates, timestamps, and device fingerprints are captured automatically.

The concurrent audit workflow in BASEKYC automates the majority of audit checks -- session completeness, technical parameter validation, identification method compliance, and consent record integrity -- flagging only exceptions for manual review. This reduces audit turnaround from hours to seconds for standard sessions, enabling near-instant account activation while maintaining full regulatory compliance.

For institutions running account upgrade campaigns, our platform includes automated identification of approaching-expiry e-KYC accounts, customer notification workflows, upgrade-specific V-CIP flows, and bulk processing capabilities that handle tens of thousands of upgrades per day. For Re-KYC, we offer risk-based scheduling, automated customer outreach, and streamlined renewal sessions that leverage existing customer data.

Whether you need to onboard new customers, upgrade limited-KYC accounts, or process periodic renewals, BASEKYC delivers full KYC status through video -- with every V-CIP session treated on par with face-to-face CIP, exactly as the RBI's Master Direction requires.
