RBI introduced essential amendments to the Master Direction on KYC, reinforcing the importance of KYC in financial transactions and introducing Video KYC as a modern and secure method of customer identification for Banks, NBFCs, and other financial entities.
It is a significant step to enhance security and streamline the Know Your Customer (KYC) process through the Video-based Customer Identification Process (V-CIP).
The amendment focuses on the Customer Due Diligence (CDD) process, improving the KYC guidelines to cover Video KYC and facial recognition systems. It allows businesses to adhere to CERT-In (Indian Computer Emergency Response Team) compliance standards while onboarding new customers on their platform.
Video KYC, also known as the Video-based Customer Identification Process (V-CIP), is a new customer identification method conducted by an authorized entity as a secure, seamless, on-time, and informed-consent-based live visual interaction between two parties (Regulated Entities and their customers). Its purpose is to obtain the documents required for Customer Due Diligence (CDD) while ensuring the accuracy of the data provided.
REs should follow RBI norms to define their customer onboarding process and categorize customers into different risk categories (based on individual/business profiles). Reliable customer verification reduces scams and fake identities, which makes it a large-scale measure for preventing money laundering, terrorist financing, and fraudulent activities.
It's essential for all Regulated Entities, as well as First Layer video-based Infrastructure providers who provide video banking services to all major Banks and NBFCs, to adopt these changes swiftly to ensure compliance and security in today's digital age. These measures not only protect customers but also strengthen the overall integrity of financial institutions and businesses.
The REs should have complied with the RBI guidelines on the minimum baseline cyber security and resilience framework for banks. The infrastructure, including application software and workflows, should be regularly upgraded.
To ensure the security and integrity of the V-CIP infrastructure/application, it must possess the capability to prevent connections from IP addresses outside of India or from spoofed IP addresses. This measure is essential in safeguarding against potential threats and unauthorized access, thereby enhancing the overall security of the system.
Financial institutions and regulated entities (REs) are required to verify the identity of their customers using secure, live, informed-consent-based, seamless audio-visual interactions. This process includes facial recognition and customer due diligence conducted by an authorized official of the RE. The official interacts with the customer to gather the required identification information for customer due diligence (CDD) purposes.
The RE shall ensure end-to-end encryption of data between the customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration-proof manner.
The video recordings should contain the live GPS coordinates (geo-tagging) of the customer undertaking the V-CIP and the date-time stamp. The video recordings will serve as a reliable and secure source of evidence for the V-CIP procedure. This will provide a comprehensive V-CIP process record and help verify the customer's identity.
Video-based KYC, or V-CIP, is treated on par with face-to-face customer identification for regulatory purposes, which is significant in the context of digital banking and remote customer onboarding. The V-CIP application should have components with face liveness/spoof detection as well as face-matching technology with a high degree of accuracy, even though the ultimate responsibility for any customer identification rests with the REs.
It's essential for all Regulated Entities (REs), as well as First Layer Infrastructure (FLI) providers who provide video banking services to all major Banks and NBFCs, to adopt these changes swiftly to ensure compliance and security in today's digital age.
CERT-In is the national nodal agency for responding to cyber security incidents. CERT-In stands for the Indian Computer Emergency Response Team. It works in the area of collection, analysis, and dissemination of information on cyber security. Such tests should also be carried out periodically in conformance with internal/regulatory guidelines.
To ensure the security and authenticity of video KYC software, every business should prioritize the use of Vulnerability Assessment and Penetration Testing (VAPT) and security audits. These measures are essential for independent verification of provided information and maintaining a secure audit trail. By conducting VAPT and security audits, businesses can identify and address any critical issues before implementing their video KYC software, ensuring its robustness and security.
To ensure data security and compliance, every business should host its software on Indian data servers. This includes conducting appropriate tests for functional, performance, and maintenance strength before using the V-CIP application software and its relevant APIs/web services in a live environment. It is also important to conduct periodic tests in accordance with internal/regulatory guidelines to ensure compliance with data localization requirements.
RBI's new video KYC guidelines emphasize the importance of conducting necessary tests. Many Indian infrastructures shall undergo required tests such as Vulnerability Assessment, Penetration Testing, and a Security Audit to ensure their robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. It is recommended to conduct these tests periodically with the empaneled auditors of the Indian Computer Emergency Response Team (CERT-In), in accordance with internal and regulatory guidelines.
For detailed information and guidance on RBI's V-CIP and KYC updates, you can visit the official website of the Reserve Bank of India.
You can talk with our team if you have any questions regarding CERT compliance or Video KYC infrastructure.