The Reserve Bank of India has issued its most comprehensive update to Video-based Customer Identification Process (V-CIP) guidelines since the framework was first introduced in 2020. The 2026 circular brings significant changes that every bank, NBFC, and regulated entity must understand and implement within the stipulated timeline.
Understanding V-CIP: A Quick Recap
Video-based Customer Identification Process (V-CIP) allows regulated entities to perform KYC verification through a live video interaction between an authorized official and the customer. Introduced as an alternative to in-person verification, V-CIP has become the primary onboarding channel for digitally-forward institutions. The process requires real-time capture of the customer's live photograph, Aadhaar-based verification, PAN validation, and the official's assessment of the customer's identity -- all within a recorded video session.
Key Changes in the 2026 Guidelines
The updated circular introduces several critical requirements that strengthen the security and integrity of the video KYC process:
1. Enhanced Liveness Detection Requirements
The RBI now mandates multi-modal liveness detection during every V-CIP session. This goes beyond simple challenge-response mechanisms (like asking the customer to blink or turn their head). Institutions must deploy AI-based passive liveness detection that can identify deepfakes, face swaps, and pre-recorded video replay attacks. The system must achieve a minimum spoof detection rate of 99.5% as certified by an independent audit.
2. Mandatory Geo-Tagging
Every video KYC session must now capture and log the geo-location of both the customer and the verification official. GPS coordinates must be recorded with an accuracy of at least 100 meters and stored as part of the audit trail. If the customer's location falls outside India (for domestic accounts), the session must be flagged for additional review. This requirement aims to prevent cross-border fraud and ensures that the person being verified is physically present where they claim to be.
3. Stricter Audit Trail Requirements
The 2026 guidelines significantly expand what must be captured in the audit trail. Beyond the existing requirements of video recording and document images, institutions must now log: timestamp-level activity records for every action taken during the session, AI model outputs (liveness scores, face match confidence, fraud risk assessments), agent decision rationale for approved or rejected applications, and any manual overrides of automated recommendations. All audit data must be retained for a minimum of 8 years (up from 5 years previously).
4. Multi-Factor Authentication During Sessions
Customers must now undergo at least two independent authentication factors during the video session itself. Acceptable combinations include: Aadhaar OTP + live photo match, PAN verification + Aadhaar XML with photo, or biometric authentication (fingerprint/iris via registered devices) + document verification. This layered approach reduces reliance on any single verification method.
5. Session Integrity Controls
The RBI has introduced new technical requirements for session integrity. Video sessions must use end-to-end encrypted channels with certificate pinning. Sessions that lose video feed for more than 10 continuous seconds must be terminated and restarted. Screenshot and screen recording must be technically blocked on the customer's device during the session. The video must maintain a minimum resolution of 720p throughout.
Impact on Existing KYC Workflows
For institutions already running V-CIP processes, these changes require both technological upgrades and process redesign. The enhanced liveness requirements mean upgrading or replacing existing face verification SDKs. Geo-tagging integration requires changes to both the customer-facing application and the agent interface. The expanded audit trail necessitates larger storage infrastructure and potentially new database schemas. Most critically, the multi-factor authentication requirement may increase session duration by 30-60 seconds, requiring workflow optimization to maintain completion rates.
Compliance Checklist for Banks
Here is a practical checklist to help your institution prepare for compliance:
- Deploy AI-based passive liveness detection with minimum 99.5% spoof detection rate
- Integrate GPS-based geo-tagging for both customer and agent devices
- Upgrade audit trail systems to capture AI model outputs and agent decision rationale
- Implement at least two independent authentication factors within the video session
- Ensure end-to-end encryption with certificate pinning on all video channels
- Update data retention policies to 8-year minimum
- Obtain independent audit certification for liveness detection accuracy
- Train verification officials on updated processes and escalation protocols
How BASEKYC Helps You Stay Compliant
BASEKYC's platform is built from the ground up for regulatory compliance. Our latest release already incorporates all 2026 V-CIP requirements including multi-modal deepfake detection with certified 99.8% accuracy, built-in geo-tagging for customer and agent, comprehensive audit trails with AI model output logging, and configurable multi-factor authentication workflows. Our compliance team monitors regulatory updates proactively so your platform stays ahead of requirements -- not scrambling to catch up.