The Reserve Bank of India's Master Direction on Know Your Customer has undergone several amendments since its original issuance on February 25, 2016. Among the most consequential of these is the circular RBI/2021-22/35 (DOR.AML.REC.No.15/14.01.001/2021-22), dated May 10, 2021, which formalized and expanded the Video-based Customer Identification Process (V-CIP) as a fully recognized method of customer due diligence. This article provides a clause-by-clause breakdown of the V-CIP provisions within the Master Direction, explains their legal implications for regulated entities, and outlines how BASEKYC's platform addresses every requirement specified in the circular.
The Circular: Context and Legal Authority
The RBI's Master Direction on KYC (originally DBR.AML.BC.No.81/14.01.001/2015-16, dated February 25, 2016) is issued under Section 35A of the Banking Regulation Act, 1949, Sections 45JA and 45L of the Reserve Bank of India Act, 1934, and Rule 9(14) of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. These provisions collectively give the RBI the authority to prescribe customer identification and due diligence standards for all regulated entities (REs) -- including scheduled commercial banks, regional rural banks, local area banks, small finance banks, payments banks, cooperative banks, NBFCs (including housing finance companies), and All India Financial Institutions.
The May 2021 amendment (RBI/2021-22/35) introduced critical updates to V-CIP, building on the initial framework that the RBI had introduced in its January 9, 2020 amendment. The 2021 circular expanded V-CIP use cases, strengthened infrastructure requirements, tightened procedural controls, and clarified the legal equivalence of V-CIP with traditional face-to-face verification. Every regulated entity conducting V-CIP today must comply with the provisions as consolidated in this direction.
Non-compliance with the Master Direction carries severe consequences. Under Section 47A of the Banking Regulation Act, the RBI can impose penalties on banking companies. For NBFCs, penalties under Section 45MA of the RBI Act can extend to INR 10 crore for initial contraventions, with additional daily penalties for continuing violations. Beyond monetary penalties, the RBI can issue cease-and-desist orders, restrict business operations, or require remedial action plans -- any of which can materially disrupt an institution's operations.
V-CIP Definition: What the Circular Actually Says
Section 3 of the Master Direction provides the definitional framework. The definition of V-CIP is precise and deliberately comprehensive. The circular defines it as follows:
"Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP."
Every word in this definition carries regulatory weight. Let us parse the critical elements:
"Alternate method" -- V-CIP is not a replacement for face-to-face CIP. It is an alternative that coexists with physical verification. Regulated entities may offer both methods, but neither is mandatory to the exclusion of the other. Customers retain the right to choose physical verification if they prefer.
"Facial recognition and customer due diligence" -- The definition explicitly mandates facial recognition as a core component. This is not optional. Any V-CIP implementation that does not include automated or manual face matching against the customer's identity documents is non-compliant. The "customer due diligence" component requires that the same CDD standards applicable to face-to-face verification (risk categorization, sanctions screening, PEP checks, negative list verification) must also be applied during V-CIP.
"Authorised official of the RE" -- The video interaction cannot be conducted by a third-party agent, business correspondent, or outsourced service provider acting independently. The official must be authorized by the regulated entity and must be identifiable as such. This means the RE must maintain records of which officials are authorized to conduct V-CIP, and those officials must be adequately trained.
"Seamless, secure, live, informed-consent based audio-visual interaction" -- Five distinct requirements embedded in a single phrase. "Seamless" means the session must be uninterrupted and continuous. "Secure" mandates encryption and network-level protections. "Live" prohibits pre-recorded or asynchronous verification. "Informed-consent based" requires that the customer be explicitly told about the recording, data capture, and purpose before consenting. "Audio-visual" confirms that both video and audio channels are mandatory -- a video-only or audio-only session does not qualify.
"On par with face-to-face CIP" -- This is the most legally significant phrase in the entire definition. It establishes that a V-CIP session, when conducted in compliance with prescribed standards, has the same legal standing as a physical, in-branch customer identification. Accounts opened through V-CIP carry no reduced status, no additional restrictions, and no time-bound limitations. This is what distinguishes V-CIP from OTP-based e-KYC, which creates accounts with a one-year validity limit unless upgraded.
V-CIP Use Cases Under Section 18
Section 18 of the Master Direction specifies the approved use cases for V-CIP. These are not merely suggestions -- they define the boundaries within which regulated entities may deploy video-based verification. The approved use cases include:
1. Customer Due Diligence for new individual customers: V-CIP can be used for the initial onboarding of individuals opening savings accounts, current accounts, fixed deposits, loan accounts, or any other product or service requiring KYC. This is the most widely used V-CIP application across the industry.
2. Proprietorship firms: Proprietors of sole proprietorship entities can be identified through V-CIP. Since a proprietorship firm does not have a separate legal identity, the identification of the proprietor constitutes the identification of the firm.
3. Authorized signatories and beneficial owners of legal entities: For companies, partnerships, trusts, and other legal entities, the authorized signatories and beneficial owners (BOs) can be identified through V-CIP. However, the entity itself still requires documentation verification (Certificate of Incorporation, partnership deed, trust deed, etc.) through standard channels.
4. Conversion of accounts opened through non-face-to-face channels: Accounts originally opened using OTP-based e-KYC (which have a one-year validity limit) can be converted to full-KYC accounts through V-CIP, without requiring the customer to visit a branch. This is a critical use case, as it allows institutions to retain customers who might otherwise churn when their limited-validity accounts approach expiry.
5. Periodic updation / Re-KYC: V-CIP is explicitly approved for periodic KYC renewal. Under the risk-based approach mandated by the Master Direction, high-risk customers must undergo Re-KYC every 2 years, medium-risk customers every 8 years, and low-risk customers every 10 years. V-CIP eliminates the need for customers to visit branches for these periodic renewals, significantly reducing operational burden for both institutions and their customer base.
The One-Year Limit: OTP-Based e-KYC Accounts
One of the most operationally significant provisions in the Master Direction concerns the treatment of accounts opened through OTP-based Aadhaar e-KYC. The circular is unambiguous: accounts opened using OTP-based e-KYC cannot remain operational beyond one year unless the customer undergoes full identification through V-CIP or through the methods prescribed under Section 16 of the Master Direction (physical verification with original documents).
This provision creates a structural mandate for V-CIP. Institutions that have onboarded millions of customers through Aadhaar OTP-based e-KYC face a ticking clock on each of those accounts. Without a scalable mechanism to upgrade these accounts to full-KYC status, they risk mass account freezing and customer attrition. V-CIP is the only remote method that achieves this upgrade, making it operationally indispensable for any institution with a significant e-KYC customer base.
The practical implication is straightforward: if a customer opened a savings account via Aadhaar OTP on June 1, 2025, that account must be upgraded to full KYC by May 31, 2026. If the institution fails to upgrade the account, it must be frozen or restricted. V-CIP provides the mechanism to perform this upgrade remotely, at scale, without requiring any physical interaction.
Infrastructure Mandates: What Regulated Entities Must Build
The Master Direction prescribes detailed infrastructure requirements for any institution deploying V-CIP. These are not best-practice recommendations -- they are binding requirements, and failure to comply can result in the entire V-CIP operation being declared non-compliant. The key infrastructure mandates include:
Premises requirement: The V-CIP infrastructure must be housed within the regulated entity's own premises. This means the servers, video infrastructure, and operational facilities used for V-CIP sessions must be physically located at facilities owned or exclusively leased by the RE. Shared data centers or multi-tenant cloud environments must be configured to ensure logical and physical segregation.
Secured network domain: V-CIP sessions must originate from a secured network domain controlled by the RE. The circular specifically requires that the network infrastructure prevent connections from outside India and detect and block spoofed IP addresses. This means the platform must implement geo-IP verification, IP reputation checking, and VPN/proxy detection at the network level.
End-to-end encryption: All communications during a V-CIP session -- video, audio, data, and document images -- must be encrypted end-to-end. The circular does not prescribe specific encryption protocols, but industry practice and RBI supervisory expectations point to TLS 1.2 or higher for transport encryption and AES-256 for data-at-rest encryption.
Consent recording: Customer consent must be recorded in an auditable, alteration-proof manner. This means the consent record cannot be a simple checkbox or text entry -- it must be captured in a format that is tamper-evident (such as a digitally signed record with timestamps) and stored as part of the immutable audit trail.
GPS coordinates and timestamps: Video recordings must include GPS coordinates and date-time stamps. This dual requirement ensures that the geographic location of the customer at the time of the session is recorded (and can be verified against claimed location), and that the temporal sequence of the session is documented for audit purposes.
Video quality standards: The video quality must be sufficient to allow identification of the customer beyond reasonable doubt. While the circular does not specify minimum resolution or bitrate, the "beyond doubt" standard implies that the video must be clear enough for a reviewing authority (including auditors and regulators) to independently verify the customer's identity from the recording.
Face liveness and spoof detection: The platform must implement face liveness detection and spoof detection with high accuracy. The circular explicitly permits the use of AI technology for this purpose. Liveness detection must confirm that the person on the video call is physically present (not a photograph, pre-recorded video, mask, or digitally generated face), and face matching must compare the live face against the photograph on the identity document with sufficient accuracy to constitute reliable identification.
Security audit by accredited agencies: The V-CIP infrastructure must undergo Vulnerability Assessment (VA), Penetration Testing (PT), and Security Audit by agencies accredited by the RBI or certified bodies such as CERT-In empanelled auditors. This is not a one-time requirement -- institutions are expected to conduct periodic security assessments and maintain current audit certifications.
Procedural Requirements: The V-CIP Workflow
Beyond infrastructure, the Master Direction prescribes specific procedural requirements for how V-CIP sessions must be conducted. These procedural mandates are designed to ensure consistency, prevent fraud, and maintain audit-quality documentation.
Clear workflow and Standard Operating Procedures: Every RE must develop and maintain a documented, clear workflow and SOP for V-CIP operations. This SOP must cover the end-to-end process from session scheduling to audit trail storage, and must be reviewed and updated periodically. The SOP must be available to auditors and regulators upon request.
Trained officials only: V-CIP sessions must be operated only by officials who have been specifically trained in V-CIP procedures. Training must cover document verification techniques, fraud identification, liveness assessment, regulatory requirements, and the RE's specific SOP. Untrained officials conducting V-CIP sessions represent a compliance violation.
Disruption protocol: If a V-CIP session is disrupted at any point -- whether due to network failure, application crash, customer disconnection, or any other reason -- the session must be aborted and restarted from the beginning. Partial sessions cannot be combined or resumed from the point of interruption. This requirement ensures that the audit trail for every completed session represents a continuous, unbroken verification.
Varied questions: Officials must ask varied questions during the V-CIP session. The circular does not prescribe specific questions, but the intent is clear: scripted, repetitive questioning defeats the purpose of a live interaction. Varied questions help the official assess the customer's genuineness, detect coached responses, and identify potential impersonation or fraud.
Prompting leads to rejection: If the official detects that the customer is being prompted or coached by another person during the session, the session must be rejected. This is a mandatory rejection criterion, not a discretionary one. The official must be trained to identify signs of prompting, including eye movements toward off-screen cues, delayed responses suggesting earpiece instructions, and verbal patterns inconsistent with spontaneous conversation.
Negative list checking: Before completing a V-CIP session, the RE must check the customer against applicable negative lists, sanctions lists (including UN Security Council sanctions), and the RE's own internal watchlists. This is the same requirement that applies to face-to-face CIP, reinforcing the "on par" standard.
Identification Methods Permitted Under V-CIP
The Master Direction specifies the identification methods that may be used during a V-CIP session. These methods provide the documentary basis for customer identification and must be applied rigorously:
OTP-based Aadhaar e-KYC: Aadhaar authentication through OTP, where the customer's demographic and biometric data is retrieved from UIDAI's CIDR in real-time. This is the most commonly used method due to its speed and reliability.
Offline Aadhaar Verification: Using Aadhaar XML or QR code for identity verification without accessing UIDAI's online database. The circular imposes a critical restriction here: the Aadhaar XML or QR code data must not be more than 3 days old at the time of the V-CIP session. This three-day freshness requirement prevents the use of stale identity data and ensures the verification reflects the customer's current Aadhaar record.
CKYCR records: The Central KYC Records Registry (CKYCR), maintained by CERSAI, allows REs to download and verify KYC records that have been uploaded by other regulated entities. During V-CIP, the RE can pull the customer's CKYCR record to verify identity details, reducing documentation burden.
OVDs via DigiLocker: Officially Valid Documents (OVDs) -- Aadhaar, PAN, Passport, Voter ID, Driving License -- can be verified through DigiLocker, the Government of India's document storage and verification platform. Documents accessed through DigiLocker carry the same legal validity as original documents under the Information Technology Act, 2000.
PAN capture and verification: PAN card details must be captured during the V-CIP session and verified against the Income Tax Department's database. PAN verification is mandatory for all financial account openings and serves as both a proof of identity and a mechanism for tax compliance. The live video session must include visual inspection of the PAN card (physical or digital) by the authorized official.
Data Localization and Record-Keeping
The Master Direction imposes strict data localization requirements on V-CIP data. The key provisions are unambiguous:
All data stored in India: All V-CIP data -- including video recordings, captured documents, identity data, consent records, GPS coordinates, activity logs, and any processed or derived data -- must be stored within India. This aligns with the RBI's broader data localization directive (RBI/2017-18/153) and the requirements under the Digital Personal Data Protection Act, 2023. Cross-border storage, even for backup or disaster recovery purposes, is not permitted unless specifically approved by the RBI.
Video stored safely with date-time stamp: The complete video recording of every V-CIP session must be stored securely with date-time stamps. "Safely" in a regulatory context implies encryption at rest, access controls, integrity verification (to detect tampering), and retention for the prescribed period. Industry practice dictates a minimum retention period of 5 years after the business relationship is terminated, though recent RBI supervisory expectations suggest 8 years.
Activity log with official credentials preserved: A detailed activity log of every V-CIP session must be maintained, including the credentials of the authorized official who conducted the session. This log must record every action taken during the session: session initiation, identity checks performed, documents verified, liveness detection results, questions asked, customer responses, approval/rejection decision, and session closure. The official's employee ID, authorization level, and digital signature (where applicable) must be linked to each session record.
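One way to make the consent record and activity log described above tamper-evident, as an added example (not code from the RBI circular or from BASEKYC): each log entry carries the official's ID and a timestamp and is chained to the previous entry with a keyed MAC, so alteration, removal or truncation shows up on verification. The field names, event names, employee ID and key are assumptions, and HMAC-SHA256 stands in here for the digital signature a production system would use.

```python
import hashlib
import hmac
import json

# Assumption: a real deployment would keep the key in an HSM/KMS and use an
# asymmetric signature; an HMAC with a constant key keeps this runnable offline.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
CLOSING_EVENTS = ("approved", "rejected", "aborted")


def _mac(key, entry):
    """HMAC-SHA256 over a canonical encoding of the entry, excluding its MAC."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_event(log, key, ts, official_id, event, detail):
    """Append one event, chained to the MAC of the previous entry."""
    entry = {
        "seq": len(log),
        "ts": ts,
        "official_id": official_id,
        "event": event,
        "detail": detail,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def verify_log(log, key):
    """Return a list of findings; an empty list means the trail is intact."""
    findings = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_mac(key, entry), entry.get("mac", "")):
            findings.append(f"entry {i}: MAC mismatch (content altered)")
        if entry.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reordering")
        if entry.get("prev") != prev:
            findings.append(f"entry {i}: chain broken (entry removed or inserted)")
        prev = entry.get("mac", "")
    events = [e.get("event") for e in log]
    if "consent_recorded" not in events:
        findings.append("no consent record in trail")
    # The chain alone cannot reveal entries cut off the end, so require a
    # closing decision as the final event.
    if not events or events[-1] not in CLOSING_EVENTS:
        findings.append("session has no closing decision")
    return findings


def build_sample_session(key=DEMO_KEY):
    """Constructed sample session; IDs, times and coordinates are made up."""
    log = []
    official = "EMP-0000"  # hypothetical employee ID
    append_event(log, key, "2025-06-01T10:00:00+05:30", official,
                 "session_start", {"gps": [19.0760, 72.8777]})
    append_event(log, key, "2025-06-01T10:00:40+05:30", official,
                 "consent_recorded", {"recording": True, "purpose": "CDD"})
    append_event(log, key, "2025-06-01T10:02:10+05:30", official,
                 "liveness_check", {"score": 0.97})
    append_event(log, key, "2025-06-01T10:04:30+05:30", official,
                 "document_verified", {"doc": "PAN"})
    append_event(log, key, "2025-06-01T10:07:00+05:30", official,
                 "approved", {"reason": "all checks passed"})
    return log


if __name__ == "__main__":
    print(verify_log(build_sample_session(), DEMO_KEY))
```

A concurrent-audit reviewer would run the verification before activation and treat any finding as grounds to reject the session record.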
Concurrent Audit Requirement
One provision that institutions frequently underestimate is the concurrent audit requirement. The Master Direction mandates that a concurrent audit must be completed before accounts opened through V-CIP become operational. This means the V-CIP session and its audit trail must be reviewed by an independent audit function (either internal audit or external auditors) before the customer's account is activated.
In practice, this creates a two-step activation process: first, the V-CIP session is completed by the authorized official; second, the session record is reviewed by the audit function. Only after the auditor confirms that the session complied with all prescribed standards is the account activated. This review must cover the completeness of the video recording, the quality of the identity verification, the adequacy of the questioning, the liveness detection results, the consent record, and the official's decision rationale.
Institutions that skip or delay the concurrent audit risk regulatory action on two fronts: non-compliance with the V-CIP audit requirement, and potentially operating accounts without completed KYC (a violation of PMLA rules). The audit function must be adequately staffed and resourced to process V-CIP audit reviews at the same volume as V-CIP sessions, to avoid bottlenecks that delay account activation and degrade customer experience.
Periodic KYC Renewal: Risk-Based Timelines
The Master Direction requires regulated entities to periodically update customer identification data. The timelines are risk-based and non-negotiable:
High-risk customers: Re-KYC every 2 years. This category includes customers with unusual transaction patterns, those from high-risk jurisdictions, politically exposed persons (PEPs) and their relatives, and customers flagged by internal risk models.
Medium-risk customers: Re-KYC every 8 years. The majority of retail customers fall into this category, making it the highest-volume Re-KYC requirement.
Low-risk customers: Re-KYC every 10 years. Typically includes long-standing customers with stable, predictable transaction patterns and no adverse information.
V-CIP's approval for Re-KYC is transformative for institutions managing large customer bases. A bank with 50 million customers might need to process 5-8 million Re-KYC renewals annually. Without V-CIP, each of these requires a branch visit -- logistically impossible for many customers and prohibitively expensive for the institution. V-CIP enables these renewals to be completed remotely, at scale, while maintaining full compliance with the Master Direction.
Which Entities Must Comply
The Master Direction applies to all entities regulated by the RBI under the PMLA framework. The complete list of regulated entities that must comply with V-CIP provisions (if they choose to deploy V-CIP) includes:
Scheduled Commercial Banks (including foreign banks operating in India), Small Finance Banks, Payments Banks, Regional Rural Banks, Local Area Banks, Cooperative Banks (state and central), All India Financial Institutions (NABARD, NHB, SIDBI, EXIM Bank), NBFCs registered with the RBI (including systemically important NBFCs, NBFC-MFIs, NBFC-AAs, NBFC-P2Ps), Housing Finance Companies, Payment System Operators, and Prepaid Payment Instrument issuers.
It is important to note that compliance is not optional once an institution decides to implement V-CIP. An RE cannot selectively comply with some provisions and ignore others. The Master Direction operates as a unified framework -- deploying V-CIP means accepting and implementing every prescribed standard, procedure, infrastructure requirement, and record-keeping obligation. Partial compliance is treated as non-compliance.
Penalties for Non-Compliance
The consequences of non-compliance with V-CIP requirements are multi-layered and extend beyond monetary penalties:
Monetary penalties: Under Section 47A of the Banking Regulation Act, banking companies can face penalties up to INR 1 crore for each contravention, with additional penalties for each day the violation continues. For NBFCs, Section 45MA of the RBI Act allows penalties up to INR 10 crore for initial contraventions.
Supervisory actions: The RBI can issue directions requiring the institution to cease V-CIP operations until compliance is achieved, mandate external audits at the institution's expense, require remediation plans with defined timelines, or impose enhanced supervisory reporting requirements.
Account-level consequences: V-CIP sessions conducted in a non-compliant manner may be retrospectively invalidated. This means the KYC status of accounts opened through non-compliant sessions reverts to incomplete, triggering account restrictions under PMLA rules. For an institution that has processed thousands or millions of V-CIP sessions, a retrospective invalidation can be operationally catastrophic.
Reputational risk: The RBI publicly discloses enforcement actions, including penalties and directions. A compliance failure in V-CIP can damage an institution's reputation with customers, partners, investors, and rating agencies, with consequences that extend far beyond the immediate penalty amount.
How BASEKYC Addresses Every V-CIP Requirement
BASEKYC was engineered specifically to address the V-CIP requirements laid out in the Master Direction. Every feature of our platform maps directly to a regulatory provision:
Infrastructure compliance: BASEKYC offers both cloud and on-premise deployment options. Our on-premise deployment runs entirely within the RE's infrastructure, satisfying the premises requirement. All data is stored exclusively in India across our Indian data centers. Our platform implements end-to-end encryption (TLS 1.3 for transport, AES-256 for storage), geo-IP blocking for connections from outside India, spoofed IP detection, and VPN/proxy identification.
Liveness and face matching: Our AI-powered liveness detection engine supports both active (challenge-response) and passive (continuous analysis) modes, detecting deepfakes, printed photographs, screen replays, 3D masks, and other spoofing attempts. Face matching against identity documents is performed with high-accuracy algorithms that exceed the "beyond doubt" standard. GPS coordinates, date-time stamps, and device fingerprints are captured automatically during every session.
Consent and audit trail: Customer consent is captured as a digitally signed, timestamped, alteration-proof record. The complete audit trail -- including video recording, activity log, document images, liveness scores, face match results, GPS coordinates, consent record, and official credentials -- is packaged and stored as a single immutable session record. This record is immediately available for concurrent audit review.
Procedural controls: Our agent dashboard enforces the prescribed workflow and SOP. Sessions that are disrupted are automatically aborted and must be restarted. Our question randomization engine suggests varied questions to officials, preventing scripted interactions. Prompting detection algorithms flag sessions where coaching is suspected. Negative list and sanctions screening is integrated directly into the session workflow, with automatic checks against OFAC, UN, EU, and custom watchlists.
Identification method support: BASEKYC integrates all five identification methods permitted under the Master Direction: OTP-based Aadhaar e-KYC, Offline Aadhaar (XML/QR) with automated 3-day freshness validation, CKYCR record retrieval, DigiLocker OVD verification, and PAN capture with real-time verification against the Income Tax database.
Security and audit: Our platform undergoes regular VA/PT and security audits by CERT-In empanelled auditors. Audit certificates and reports are available to REs for their own compliance documentation. Our infrastructure is assessed against ISO 27001 controls and the RBI's cybersecurity framework, ensuring that the security posture meets regulatory expectations.
Conclusion: Compliance is the Starting Point, Not the End Goal
The RBI's V-CIP Master Direction establishes a comprehensive regulatory framework that treats video-based customer identification as fully equivalent to in-person verification -- provided every prescribed standard is met. For regulated entities, this framework represents both an obligation and an opportunity. The obligation is clear: comply with every provision or face penalties. The opportunity is equally clear: V-CIP enables institutions to onboard customers remotely, upgrade e-KYC accounts at scale, process Re-KYC renewals without branch visits, and deliver a customer experience that physical verification simply cannot match.
BASEKYC exists to ensure that compliance is the starting point of your V-CIP journey, not a constraint that limits it. Our platform handles the regulatory complexity -- the infrastructure mandates, the procedural controls, the data localization, the audit trails, the security assessments -- so your institution can focus on what matters: serving your customers. Whether you are a scheduled commercial bank processing millions of Re-KYC renewals or an NBFC onboarding your first thousand customers through video, BASEKYC delivers the compliance infrastructure you need, ready to deploy in days.