RBI introduced essential amendments to the Master Direction on Video KYC, reinforcing the importance of the KYC and Customer Identification process in financial transactions and introducing Video KYC as a modern and secure method of customer identification for Banks, NBFCs, and other financial entities.

It is a significant step to enhance security and streamline the Know Your Customer (KYC) process through the VCIP (Video-based Customer Identification Process).

This amendment’s major focus is on the Customer Due Diligence (CDD) process of improving KYC guidelines including Video KYC, video customer identification process, and Facial recognition systems. It allows businesses to adhere to CERT-in (The Indian Computer Emergency Response Team) compliance standards while onboarding new customers on their platform. To know more, You can download RBI KYC Master Direction:

Download Free eBook : New Compliance for Video KYC Guideline RBI (2024)

What is Video KYC?

Video KYC also known as VCIP (Video Customer Identification Process) is a process of customer identification used by regulated entities (REs) by RBI. This process involves the usage of facial recognition technology and customer due diligence completed by an authorized official of the RE. Video KYC (V-CIP) is a secure, live, informed consent-based audio-visual interaction with the customer to collect the required identification information for Customer Due Diligence (CDD) purposes.

RBI Video KYC Guidelines

What are the RBI guidelines on video KYC?

RBI Video KYC (Know Your Customer) is a method introduced by the Reserve Bank of India (RBI) to enable banks and other financial institutions to verify the identity of their customers remotely through video conferencing. This process allows customers to open accounts or avail of various financial services without physically visiting a branch.

With Video KYC, customers can complete the KYC process from the comfort of their homes or offices using a smartphone or computer with internet connectivity. During the video call, the customer interacts with a bank representative who verifies their identity by asking for relevant documents and conducting necessary checks. This video customer identification method is aimed at enhancing customer convenience while ensuring compliance with regulatory requirements for identity verification.

Which Regulations matter for Video KYC in your app?

It's essential for all Regulated Entities as well as First Layer Video-based Infrastructure providers who provide video banking services to all major Banks, Fintech, Payment aggregators, and NBFCs to adopt these changes swiftly to ensure compliance and security in today's digital age. These measures not only protect customers but also strengthen the overall integrity of financial institutions and businesses.

? Cyber Security & Frameworks

The REs should have complied with the RBI guidelines on the minimum baseline cyber security and resilience framework for banks. The infrastructure, including application software and workflows, should be regularly upgraded.

? Spoof IP detection

To ensure the security and integrity of the V-CIP infrastructure/application, it must possess the capability to prevent connections from IP addresses outside of India or from spoofed IP addresses. This measure is essential in safeguarding against potential threats and unauthorized access, thereby enhancing the overall security of the system.

? Seamless, Secure and Visual infrastructure

Financial institutions and regulated entities (REs) are required to verify the identity of their customers using secure and live, Informed-consent-based audio-visual seamless interactions. This process includes facial recognition and customer due diligence conducted by an authorized official of the regulated entities. The official interacts with the customer to gather the required identification information for customer due diligence (CDD) purposes.

? End-to-end encryption for protecting customer data

The regulated entities shall guarantee end-to-end encryption of data between the customer device and the hosting point of the VCIP application, as per relevant encryption standards. The customer approval should be recorded in an auditable and alteration-proof manner.

? Geo-tagging of customer interactions

The video recordings should contain the live GPS coordinates (geo-tagging) of the customer undertaking the VCIP and the date-time stamp. The video recordings will serve as a reliable and secure source of evidence for the VCIP procedure. This will provide a comprehensive VCIP process record and help verify the customer's identity.

? Face-to-face CIP (Customer Identification Process)

The significance of Video-based KYC or/and V-CIP treated with Face-to-Face customer identification for regulatory purposes components with face liveness/spoof detection as well as face-matching technology with a high degree of accuracy, especially in the context of digital banking and remote customer onboarding, even though the ultimate responsibility of any customer identification rests with the REs.

Why CERT-in And VPAT Are Confidential Compliances For Video KYC Software?

It's essential for all Regulated Entities (REs) as well as First Layer Infrastructure (FLI) provider who provides video banking services to all major Banks and NBFCs, to adopt these changes swiftly to ensure compliance and security in today's digital age.

CERT-in Compliances

CERT-in is the national nodal agency for responding to cyber security incidents. CERT-in stands for The Indian Computer Emergency Response Team. It performs in the area of collection, analysis, and dissemination of information on cyber securities. Such tests should also be carried out periodically in conformance with internal/regulatory guidelines.

VAPT and Security Audits

To ensure the security and authenticity of video KYC software, every business should prioritize the use of Vulnerability Assessment and Penetration Testing (VAPT) and security audits. These measures are essential for independent verification of provided information and maintaining a secure audit trail. By conducting VAPT and security audits, businesses can identify and address any critical issues before implementing their video KYC software, ensuring its robustness and security.

Data Localization

To ensure data security and compliance, every business should host its software on Indian data servers. This includes conducting appropriate tests for functional, performance, and maintenance strength before using the V-CIP application software and its relevant APIs/web services in a live environment. It is also important to conduct periodic tests by internal regulatory guidelines to ensure compliance with data localization requirements.

Conclusion

RBI KYC guidelines for video highlight the importance of conducting necessary tests. Many Indian infrastructures shall undergo required tests such as Vulnerability Assessment, Penetration Testing, and a Security Audit to ensure their robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. It is recommended to conduct these tests with the empaneled auditors of the Indian Computer Emergency Response Team (CERT-In) periodically by internal and regulatory guidelines.

For detailed information and guidance on RBI's V-CIP and KYC updates, you can visit the official website of the Reserve Bank of India.

You can talk with our team if you have any questions regarding CERT compliance or Video KYC for your app.