V-CIP compliance is not something you achieve once and forget about. The Reserve Bank of India's Video-based Customer Identification Process framework is a living regulatory standard that has been updated multiple times since its introduction in January 2020, and each update has tightened requirements, closed loopholes, or introduced new obligations. For banks, NBFCs, and other regulated entities conducting video KYC in India, a single compliance gap -- an improperly recorded consent, a missing geo-tag, an untrained agent conducting sessions -- can result in session invalidation, regulatory penalties, and in severe cases, restrictions on further customer onboarding. This article provides a comprehensive V-CIP compliance checklist covering every stage of the video KYC process: pre-session requirements, during-session obligations, post-session documentation, technical infrastructure standards, agent training mandates, and audit preparation. Whether you are implementing V-CIP for the first time or auditing your existing compliance posture, this checklist will help you identify and close gaps before regulators do.
What is V-CIP and Why Compliance Matters
The Video-based Customer Identification Process (V-CIP) is the RBI-approved method for performing Know Your Customer (KYC) verification through a live video interaction between an authorized official of a Regulated Entity (RE) and the customer. Introduced through an amendment to the Master Direction on KYC (DoR.AML.REC.12/14.01.001/2024-25, as updated), V-CIP allows banks, NBFCs, payment aggregators, and other RBI-regulated entities to complete full KYC without requiring the customer to physically visit a branch.
V-CIP is not merely a technology feature -- it is a regulated process with specific legal standing under the Prevention of Money Laundering Act (PMLA), 2002 and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005. A V-CIP session conducted in compliance with RBI guidelines carries the same legal weight as an in-person KYC verification. Conversely, a session that fails to meet any of the mandatory requirements is legally invalid, which means the customer relationship established through that session is also on questionable legal ground.
Legal consequences of non-compliance are substantial and escalating. The RBI has progressively increased its enforcement of KYC norms. Penalties for KYC violations under Section 13 of the PMLA can range from INR 10,000 per violation to INR 1 lakh per violation for repeated non-compliance, with no upper cap on aggregate penalties. In practice, the RBI has levied penalties ranging from INR 50 lakhs to several crores on regulated entities for systemic KYC deficiencies. Beyond monetary penalties, the RBI can issue directions restricting customer onboarding, require remediation of all non-compliant accounts, and in extreme cases, restrict the entity's ability to conduct certain categories of business.
Reputational risk is equally significant. Regulatory actions are published on the RBI's website and widely covered by financial media. For customer-facing institutions, a publicized penalty for KYC non-compliance can erode customer trust, impact credit ratings, and create downstream compliance concerns with banking correspondents and international partners. The cost of maintaining rigorous V-CIP compliance is a fraction of the cost of non-compliance -- but only if you know exactly what compliance requires.
The Complete RBI V-CIP Regulatory Framework
Understanding RBI video KYC rules requires familiarity with the regulatory architecture that governs V-CIP. The requirements are not contained in a single document but are distributed across multiple circulars, master directions, and amendments. Here are the key regulatory references that compliance teams must track:
Master Direction -- Know Your Customer (KYC) Direction, 2016 (as updated): This is the primary regulatory document governing KYC for all RBI-regulated entities. Section 18 (as amended) specifically addresses V-CIP, including the conditions under which it may be used, the technical requirements, and the documentation standards. The Master Direction has been updated multiple times, with significant amendments in 2020 (introducing V-CIP), 2021 (expanding scope), 2023 (tightening technical requirements), and 2025 (incorporating DPDPA alignment and enhanced deepfake prevention requirements).
RBI Circular on Video-based Customer Identification Process (January 9, 2020): The foundational circular that introduced V-CIP as an acceptable method of CDD (Customer Due Diligence). This circular established the core requirements: live video interaction, authorized official, OVD verification, liveness detection, geo-tagging, consent capture, and audit trail.
PMLA Rules and RBI KYC Guidelines 2025 amendments: The Prevention of Money Laundering (Maintenance of Records) Rules define the Officially Valid Documents (OVDs) that must be verified during KYC, the data that must be captured and retained, and the reporting obligations of regulated entities. Recent amendments have aligned KYC requirements with the Digital Personal Data Protection Act, 2023, introducing new consent and data processing requirements that directly impact V-CIP workflows.
RBI Guidelines on Information Technology Framework: These guidelines establish the IT security and governance standards that apply to all technology systems used by RBI-regulated entities, including V-CIP platforms. They cover requirements for data encryption, access control, business continuity, disaster recovery, and vulnerability management -- all of which are relevant to the technical infrastructure supporting video KYC operations.
Pre-Session Compliance Requirements Checklist
V-CIP compliance begins before the video session starts. Several requirements must be satisfied during the customer initiation and scheduling phase:
Customer identity pre-verification: Before scheduling a V-CIP session, the RE must collect and validate the customer's basic information -- name, date of birth, mobile number, and email. The mobile number should be verified through OTP authentication. This pre-verification ensures that the person requesting the video KYC session has at minimum a verified mobile number linked to their identity.
Informed consent capture: The customer must provide explicit, informed consent for the V-CIP process before the session begins. This consent must cover recording of the video session, capture and processing of identity documents, collection and storage of biometric data (facial image), geo-location capture, and data retention for the regulatory period. The consent must be captured in a verifiable format -- digital signature, OTP-confirmed acceptance, or recorded verbal consent with a clear audit trail. Generic consent buried in terms and conditions is not sufficient; the V-CIP consent must be specific and prominently presented.
Device and environment checks: The V-CIP platform must assess the customer's device and connectivity before initiating the session. Minimum requirements include a camera capable of capturing clear video (720p recommended minimum), sufficient bandwidth for stable video streaming (500 kbps minimum, 1 Mbps recommended), enabled GPS/location services for geo-tagging, and a supported browser or application version. Sessions initiated on devices that do not meet minimum requirements should be blocked or flagged, not allowed to proceed with degraded quality.
Agent authorization verification: The system must verify that the official assigned to conduct the V-CIP session is specifically authorized by the RE for this purpose. Not every employee of a bank or NBFC is authorized to conduct V-CIP -- only officials who have completed the required training and have been formally designated by the institution can conduct compliant sessions. The platform should maintain an authorization registry and prevent unauthorized officials from conducting sessions.
During-Session Compliance Requirements Checklist
The live video session is where the most critical compliance requirements apply. Every element listed below must be satisfied within a single, uninterrupted session for the V-CIP to be valid under RBI video KYC rules.
Live, real-time video interaction: The session must be a live, bi-directional video call -- not a pre-recorded video, not an asynchronous document review, and not a voice-only call with screen sharing. Both the customer's face and the agent's face must be visible throughout the session. The video must be continuous; sessions with significant interruptions (defined as loss of video feed for more than 30 seconds) should be terminated and restarted.
Liveness detection: The platform must perform liveness detection to confirm that the person on the video is physically present and not a spoofing attempt. RBI guidelines require that the technology must be robust enough to detect printed photograph attacks, video replay attacks, mask attacks, and digital manipulation. Both active liveness (challenge-response, such as asking the customer to perform specific actions) and passive liveness (continuous AI-based analysis of facial micro-movements, skin texture, and depth cues) should be employed. The liveness check result, including the confidence score and the method used, must be recorded in the audit trail.
OVD verification in real-time: The customer must display their original Officially Valid Documents (Aadhaar, PAN, Passport, Voter ID, or Driving License) to the camera during the live session. The agent must visually inspect the document for authenticity, and the platform should simultaneously perform electronic verification -- Aadhaar through UIDAI (XML or OTP mode), PAN through NSDL/UTIITSL. The document details captured during the session must match the information provided by the customer during the pre-session phase.
Geo-tagging: GPS coordinates of the customer must be captured during the session and recorded in the audit trail. The IP address of the customer's device must also be logged. For domestic KYC, the customer's location must be within India. The geo-location must be captured from the customer's device (not the agent's device or the server), and it must be captured during the active session (not before or after). Location spoofing detection is recommended but not explicitly mandated -- however, platforms that detect common GPS spoofing techniques provide significantly better compliance assurance.
End-to-end encryption: The entire video stream, all document images transmitted during the session, and all data exchanged between the customer's device and the platform must be encrypted end-to-end using industry-standard protocols (TLS 1.2 or higher for transport, AES-256 for data at rest). Encryption must cover the communication between the customer and the server, between the server and the agent, and any intermediate processing nodes. The encryption implementation must prevent man-in-the-middle attacks and ensure that even the platform operator cannot access unencrypted session content without appropriate authorization.
Consent confirmation during session: The agent must verbally confirm the customer's consent for the V-CIP process at the beginning of the video session. This confirmation must be captured in the video recording. The agent should clearly state that the session is being recorded, explain the purpose of the verification, and obtain the customer's verbal acknowledgment. This verbal consent supplements the written/digital consent captured during the pre-session phase and provides additional evidence in case of dispute.
Live photograph capture: A clear photograph of the customer must be captured directly from the live video feed during the session. This photograph becomes part of the customer's KYC record and must be of sufficient quality for future identification purposes. The photograph must be captured while the customer is live on video -- using a pre-uploaded photograph or a snapshot from a paused video does not satisfy this requirement.
Session recording: The complete video session must be recorded from start to finish, including audio. The recording must capture both the customer's video feed and the agent's video feed. The recording must be stored securely with tamper-evident controls (such as cryptographic hashing) that ensure the recording has not been altered after the session. The recording format must be in a standard, non-proprietary format that can be played back during audits without requiring specialized software from the vendor.
Post-Session Requirements: Audit Trail, Data Retention, and Reporting
Once the V-CIP session is completed, a comprehensive set of post-session requirements must be satisfied to maintain compliance. These requirements cover documentation, storage, reporting, and ongoing data management.
Comprehensive audit trail: Each V-CIP session must generate a complete audit trail that includes the session date and time (with timezone), session duration, unique session identifier, customer identification details (name, Aadhaar number -- masked, PAN), agent identification (name, employee ID, authorization status), liveness detection results and confidence scores, face match results and confidence scores, geo-location coordinates and IP address, consent records (both pre-session and during-session), document verification results (Aadhaar verification status, PAN validation status), agent's decision (approved/rejected/escalated) with rationale, complete video recording reference, and all captured document images and photographs. This audit trail must be generated automatically by the platform -- manual compilation of audit records is both error-prone and non-compliant. The audit trail must be immutable; once generated, no element should be modifiable without creating a clearly flagged amendment record.
Data retention requirements: RBI KYC guidelines mandate that KYC records, including V-CIP session records, must be maintained for a minimum of five years after the business relationship has ended or the account has been closed. For active accounts, records must be maintained for the duration of the relationship plus five years. Recent regulatory guidance has recommended eight years as best practice, and many institutions have adopted this longer retention period. Video recordings, which consume significant storage, must be retained for the same period as other session records. The platform must support automated data lifecycle management -- purging records only after the retention period has expired, with appropriate audit logging of the purge action.
Suspicious activity reporting: If during the V-CIP session the agent identifies indicators of potential fraud, identity theft, or suspicious activity, the session record must be flagged and reported to the institution's MLRO (Money Laundering Reporting Officer) for evaluation. Indicators include document discrepancies, liveness detection failures, customer behavior suggesting coaching or coercion, multiple failed verification attempts from the same identity, and geo-location inconsistencies. The V-CIP platform should support workflow integration with the institution's AML/CFT reporting systems to facilitate seamless escalation.
CKYCR upload: Following successful V-CIP, the institution must upload the customer's KYC data to the Central KYC Records Registry (CKYCR) within the prescribed timeline. The V-CIP platform should generate CKYCR-compatible data files automatically, reducing manual effort and ensuring data consistency between the institution's records and the central registry. Failure to upload to CKYCR is a separately reportable compliance gap.
Technical Infrastructure Requirements
The RBI's IT framework guidelines, read together with the V-CIP requirements, establish a set of technical infrastructure standards that the platform and the institution's supporting infrastructure must meet.
Data center requirements: All V-CIP data -- including video recordings, customer documents, biometric data, and audit trails -- must be stored in data centers located within India. This applies regardless of whether the platform is cloud-hosted, on-premise, or hybrid. For cloud-hosted platforms, the institution must verify that the vendor's cloud infrastructure uses Indian regions exclusively for data storage and processing. The data center must have appropriate physical security, environmental controls, and redundancy. A disaster recovery site (also within India) must be available with a defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Network security: The V-CIP platform must be deployed behind appropriate network security controls -- firewalls, intrusion detection/prevention systems, DDoS protection, and web application firewalls. All API endpoints must be authenticated and rate-limited to prevent abuse. The video streaming infrastructure must use secure protocols (WebRTC with SRTP for media, WSS for signaling) and must not expose raw video streams to unauthorized access.
Access control and authentication: Access to the V-CIP platform -- both the agent interface and administrative functions -- must be controlled through strong authentication mechanisms. Multi-factor authentication (MFA) is mandatory for all users. Role-based access control (RBAC) must ensure that agents can only access sessions assigned to them, supervisors can review but not modify session records, administrators can manage system configuration but not access individual session recordings without appropriate authorization, and audit reviewers have read-only access to session records and audit trails. All access must be logged with user identity, timestamp, action performed, and source IP address.
Business continuity and disaster recovery: The V-CIP platform must have documented business continuity and disaster recovery plans. These plans must address scenarios including data center outage, network disruption, platform component failure, and cyber attack. The institution must have tested its DR plan for the V-CIP platform at least annually, with documented test results and remediation actions for any gaps identified. For cloud-hosted platforms, the vendor must provide SLA commitments for uptime (99.9% or higher is the market standard) and documented DR capabilities.
Agent Training and Authorization Requirements
One of the most frequently overlooked aspects of V-CIP compliance is the requirement for formal agent training and authorization. The RBI mandates that V-CIP sessions must be conducted by officials specifically authorized by the RE -- meaning the institution must maintain a documented process for agent selection, training, certification, and ongoing competency assessment.
Training curriculum requirements: V-CIP agents must be trained on the regulatory framework governing KYC and V-CIP (PMLA, RBI Master Direction, relevant circulars), document verification techniques including identification of forged or tampered documents, fraud identification including social engineering tactics, impersonation indicators, and coached customer behavior, platform operation including all technical features, session management, and escalation procedures, data privacy and DPDPA requirements including lawful data processing, consent management, and customer data rights, and communication skills including managing sessions with customers who have limited technical literacy or language barriers.
Authorization process: Following training, agents must be formally authorized by a designated senior official of the RE. The authorization must be documented, including the date of authorization, the authorizing official, the scope of authorization (which products or customer segments the agent is authorized to handle), and the validity period. Authorizations should be reviewed periodically (at least annually) and revoked promptly when an agent leaves the organization, transfers to a non-V-CIP role, or fails a competency assessment.
Ongoing competency monitoring: The institution must have mechanisms to monitor agent performance and compliance on an ongoing basis. This includes regular quality audits of completed V-CIP sessions (sampling at least 5-10% of sessions per agent per month), monitoring of session completion rates, rejection rates, and escalation rates by agent, periodic refresher training (at least annually, and whenever regulatory requirements change), and documented corrective action for agents who demonstrate compliance gaps. The V-CIP platform should support quality monitoring features such as session replay, compliance scoring, and supervisor review workflows.
Common V-CIP Compliance Gaps and How to Avoid Them
Based on regulatory audit findings and industry experience, certain V-CIP compliance gaps appear with disproportionate frequency. Knowing these common pitfalls allows institutions to proactively address them before they become audit findings.
Gap 1: Inadequate consent capture. Many institutions capture consent through a generic checkbox in their application form rather than through a specific, prominently presented V-CIP consent mechanism. Auditors look for evidence that the customer was clearly informed about what V-CIP involves (video recording, document capture, biometric processing, data retention) and actively consented to each element. Fix: Implement a dedicated V-CIP consent screen with individual consent items that the customer must actively accept, supplemented by verbal consent confirmation at the start of the video session.
Gap 2: Liveness detection as a checkbox, not a capability. Some institutions deploy V-CIP platforms with basic liveness detection that can be defeated by readily available spoofing techniques. A liveness check that only asks the customer to blink or turn their head, without deeper AI analysis, provides minimal protection against modern presentation attacks including deepfakes. Fix: Deploy multi-layered liveness detection that combines active challenge-response with passive AI analysis, depth estimation, and injection attack detection. Require vendors to demonstrate their liveness detection against standardized attack benchmarks.
Gap 3: Incomplete audit trails. Audit trails that are missing one or more required elements -- most commonly geo-location coordinates, liveness detection scores, or the agent's formal decision rationale -- are a frequent finding. Fix: Configure the V-CIP platform to make all audit trail elements mandatory before a session can be marked as complete. The platform should block session closure if any required element is missing.
Gap 4: Agent authorization gaps. Agents conducting V-CIP sessions without formal authorization, or with expired authorization, is a common finding -- particularly in institutions that have scaled V-CIP operations rapidly. Fix: Implement system-level controls that prevent unauthorized agents from accessing the V-CIP platform. Authorization status should be checked at login and at session assignment, not just at onboarding.
Gap 5: Session recording quality and integrity. Recordings that are of insufficient quality (poor video resolution, inaudible audio), incomplete (missing the beginning or end of the session), or stored without tamper-evident controls compromise the evidentiary value of the session. Fix: Set minimum recording quality standards (720p video, clear audio), implement automatic recording start at session initiation (before the customer joins), and apply cryptographic hashing to all recordings immediately upon session completion.
Gap 6: Data retention non-compliance. Institutions that either purge V-CIP records before the mandated retention period or fail to purge them after the retention period expires are both non-compliant -- the former under KYC regulations, the latter under DPDPA data minimization requirements. Fix: Implement automated data lifecycle management with configurable retention periods per record type, automated purge workflows with approval gates, and comprehensive logging of all data retention and purge actions.
SEBI VIPV: Key Differences from RBI V-CIP
Securities market intermediaries regulated by SEBI must comply with the Video In-Person Verification (VIPV) framework, which is broadly aligned with RBI V-CIP but includes several important differences that require attention.
CKYCR integration mandate: SEBI requires that VIPV data be uploaded to the Central KYC Records Registry (CKYCR) and that the KYC Identification Number (KIN) be obtained and linked to the customer's account. While RBI also requires CKYCR upload, SEBI's framework places greater emphasis on real-time CKYCR integration during the verification process itself, not just post-session upload.
IPV completion requirements: SEBI VIPV requires that the In-Person Verification component be completed by a SEBI-registered intermediary or an authorized official of a SEBI-registered entity. The authorization requirements are similar to RBI's but are specific to SEBI registration, meaning an official authorized for RBI V-CIP is not automatically authorized for SEBI VIPV unless they also hold appropriate SEBI-entity authorization.
Document requirements: SEBI mandates specific document combinations for securities market account opening. PAN verification is mandatory (not optional as in some RBI V-CIP scenarios), and the VIPV process must capture specific data fields required for securities market KYC (such as income range, occupation, and politically exposed person status) that are not part of the standard RBI V-CIP data set. Institutions operating under both RBI and SEBI must ensure their V-CIP platform can be configured for both regulatory frameworks -- ideally through workflow templates rather than separate system instances.
IRDAI VBIP Requirements
The Insurance Regulatory and Development Authority of India (IRDAI) has established the Video-Based Identification Process (VBIP) for insurance companies. While similar in structure to RBI V-CIP, IRDAI VBIP has requirements specific to the insurance industry.
Nominee and beneficiary verification: For life insurance policies, IRDAI VBIP may require verification of nominee details during the video session, depending on the policy type and sum assured. This extends the scope of the video verification beyond the primary customer to include verification of the nominee's identity details -- a requirement that does not exist in RBI V-CIP or SEBI VIPV.
Medical history declarations: For certain insurance products, the VBIP session may include declaration of medical history, with the video recording serving as evidence of the customer's declarations. This creates additional data handling requirements, as medical information is subject to enhanced privacy protections under DPDPA.
IIB integration: Insurance companies must check customer identity against the Insurance Information Bureau of India (IIB) database for deduplication and fraud prevention. The VBIP platform should support integration with IIB for real-time identity checks during the video session. This requirement is unique to the insurance sector and is not part of the RBI or SEBI frameworks.
Audit Preparation: What Regulators Look For
When RBI examiners audit V-CIP operations, they follow a structured approach that compliance teams should anticipate and prepare for. Understanding what auditors look for allows you to proactively address gaps and prepare documentation in advance.
Policy and procedure documentation: Auditors will first request your institution's V-CIP policy document, standard operating procedures (SOPs), and any internal circulars related to video KYC. These documents must clearly define who is authorized to conduct V-CIP, what training they receive, what the session workflow is, how exceptions are handled, and how quality is monitored. Vague or outdated policy documents are a red flag that invites deeper scrutiny.
Sample session review: Auditors will select a sample of completed V-CIP sessions (typically 20-50 sessions from different time periods and different agents) and review them end-to-end. They will watch the video recordings, check the audit trail completeness, verify that liveness detection and geo-tagging were performed, confirm that the agent was authorized, and validate that the documents captured during the session match the customer's account records. Any discrepancy in even a single sample session can trigger a broader review.
Technology assessment: Auditors will evaluate the V-CIP platform's technical compliance -- encryption standards, access controls, data storage location, backup and DR capabilities, and security certifications. They may request recent penetration test reports, vulnerability assessment results, and evidence of security patch management. For institutions using third-party V-CIP platforms, auditors will review the vendor due diligence documentation, including the vendor's security certifications, data processing agreements, and business continuity commitments.
Agent authorization and training records: Auditors will verify that every agent who has conducted V-CIP sessions during the audit period was formally authorized at the time of the session. They will review training records, authorization letters, competency assessment results, and evidence of ongoing quality monitoring. Gaps in training records -- such as agents who were authorized but have no documented training, or agents who conduct sessions after their authorization has expired -- are common audit findings.
How BASEKYC Ensures V-CIP Compliance Out of the Box
BASEKYC was built with V-CIP compliance as the foundational design principle, not an afterthought. Every feature, workflow, and technical decision in the platform reflects the requirements of Indian financial regulators, and our compliance team continuously monitors regulatory updates to ensure the platform stays current.
Automated compliance enforcement: BASEKYC does not rely on agents or administrators to remember compliance requirements. The platform enforces compliance through system-level controls: sessions cannot be initiated without consent capture, cannot proceed without liveness detection, cannot be closed without complete audit trail generation, and cannot be conducted by unauthorized agents. Compliance is built into the workflow, not layered on top of it.
Complete audit trail generation: Every BASEKYC session automatically generates a comprehensive, regulation-grade audit trail that includes every element required by RBI, SEBI, and IRDAI. The audit trail is immutable, cryptographically hashed for tamper detection, and stored with configurable retention periods. Audit trails can be exported in regulator-friendly formats for examination purposes, eliminating the manual effort of compiling compliance documentation during audits.
Multi-regulator support: BASEKYC supports configurable workflow templates for RBI V-CIP, SEBI VIPV, and IRDAI VBIP. Each template enforces the specific requirements of the relevant regulator -- including different document requirements, data capture fields, and integration endpoints (CKYCR for SEBI, IIB for IRDAI). Institutions operating under multiple regulators can standardize on a single platform without compromising regulatory compliance for any framework.
Agent management and quality monitoring: BASEKYC includes built-in agent authorization management -- agents must be formally authorized in the system before they can conduct sessions, and the system automatically prevents sessions by agents with expired or revoked authorization. Session quality monitoring features include automated compliance scoring, supervisor review workflows, and sampling-based quality audit tools. Training records and competency assessments can be managed within the platform, providing a single system of record for audit purposes.
Proactive compliance updates: When regulatory requirements change, BASEKYC's compliance team assesses the impact, implements platform updates, and communicates changes to customers -- typically within days of the regulatory update. Our customers receive compliance advisories, impact assessments, and implementation guidance, ensuring they stay ahead of regulatory expectations rather than scrambling to catch up after an audit finding.