TLDR: Building a video KYC system for an NBFC requires a live bidirectional video session, real-time face and liveness verification, and immutable audit-grade recording, all compliant with RBI's Video KYC guidelines (Master Direction on KYC, 2016, updated 2021). This tutorial walks through a working implementation using VideoSDK, based on the official vkyc-react-sdk-example repository, covering architecture, setup, token generation, stream handling, and compliance requirements.
What is a video KYC system for NBFCs?
A video KYC system for an NBFC is a regulated digital onboarding mechanism that replaces in-person document verification with a live, recorded video session between a customer and a trained verification agent. The Reserve Bank of India (RBI) permits V-CIP (Video-based Customer Identification Process) as a valid KYC method for Non-Banking Financial Companies under its Master Direction on Know Your Customer (KYC) Direction, 2016. The system must capture a live video call, verify an original Aadhaar or officially valid document (OVD), perform geolocation checks, run a liveness test, and store the entire session as a tamper-proof audit record.
Building a video KYC system for an Indian NBFC requires WebRTC-based real-time communication infrastructure, a secure token-authenticated backend, AI-assisted identity verification, and compliant encrypted storage. This tutorial covers all of those layers.
Introduction
Non-Banking Financial Companies (NBFCs) in India operate under strict RBI oversight. Customer onboarding, specifically KYC verification, has historically required physical branch visits or in-person agent visits. The RBI circular dated January 9, 2020 (updated in the Master Direction, Know Your Customer (KYC) Direction, 2016) formally recognised V-CIP as a compliant remote onboarding method, enabling NBFCs to onboard customers digitally at scale.
The practical challenge is that building a compliant video KYC system for an Indian NBFC requires more than a video call. It demands session integrity, liveness detection, geolocation validation, agent-controlled document capture, and audit-grade recording retention, all within a single, auditable workflow.
This guide shows you how to build that system using VideoSDK, a WebRTC-based real-time communication platform. The implementation is grounded in the official sample repository: https://github.com/videosdk-community/vkyc-reactsdk-example
Architecture overview
A production-grade video KYC system for NBFCs has four distinct layers. Understanding how data flows across these layers before writing any code prevents architectural mistakes that are costly to reverse under audit conditions.
System flow
- User device (camera + microphone) initiates the KYC session from a browser or mobile app
- Branded frontend application, built in React, manages session UI, document capture prompts, and user-facing flow control
- VideoSDK client SDK layer handles WebRTC peer connection, media stream negotiation, and session event signaling
- VideoSDK cloud infrastructure processes the session through a signaling server, SFU (Selective Forwarding Unit) media server for low-latency multi-party streams, and recording services that capture the full session
- Backend server (Node.js) manages authentication, JWT token generation, session logging, agent assignment, and pushes metadata to audit storage
- Compliance storage layer persists encrypted KYC records, video recordings, agent action logs, and geolocation metadata for the mandatory retention period
Side components
- AI verification service: performs face match against Aadhaar photo, liveness detection (challenge-response or passive), and OCR on presented documents
- Admin dashboard: used by compliance officers to review flagged sessions, approve or reject KYC submissions, and generate audit reports
Prerequisites
- Node.js 18+ and yarn installed
- A VideoSDK account (create one at https://app.videosdk.live/signup)
- A VideoSDK API key and secret (available in the dashboard)
- Basic familiarity with React and REST APIs
- An HTTPS-enabled development environment (WebRTC requires a secure context)
- Optional: a third-party liveness and face-match API (e.g., IDfy, HyperVerge, IDFC FIRST's integration partners)
Step-by-step implementation of a video KYC system for NBFCs
Step 1: Clone the sample project
Clone the repository to your local environment.
git clone https://github.com/videosdk-live/vkyc-react-sdk-example.git
Step 2: Copy the .env.example file to .env
Open your favourite code editor and copy .env.example to .env.
cp .env.example .env
Step 3: Modify the .env file
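Generate a temporary token from your VideoSDK account at https://app.videosdk.live/signup and paste it as the value for REACT_APP_VIDEOSDK_TOKEN. Treat this as a development-only shortcut: the React frontend reads this variable, so the token is visible in the browser, and production tokens should be issued by your backend.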
REACT_APP_VIDEOSDK_TOKEN = "YOUR_VIDEOSDK_TOKEN"
Step 4: Install the dependencies
Install all the dependencies required to run the project.
yarn
Step 5: Run the sample app
Start the development server. The sample app opens in your browser and the V-CIP session flow is ready to explore.
yarn start
RBI V-CIP compliance requirements for NBFCs
The Reserve Bank of India's V-CIP framework (as detailed in the Master Direction on Know Your Customer (KYC) Direction, 2016, last updated in 2021) specifies both technical and procedural requirements. Non-compliance can result in regulatory penalties, rejection of onboarded customers, and adverse findings during RBI inspections. The official document is available at: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566
Technical requirements
- Live, interactive video session; pre-recorded video is explicitly prohibited
- End-to-end encryption of the video session
- Geolocation of the customer captured and validated at session start
- Date and time stamp embedded in the video recording
- Face match between live video capture and the OVD (Officially Valid Document) photograph
- Liveness detection to confirm a live human is present
- Full session recording retained for a minimum of 5 years
Procedural requirements
- Only trained, bank-appointed agents may conduct V-CIP sessions
- Customer must present an original OVD (Aadhaar, PAN, passport, driving licence, voter ID)
- The agent must ask questions and verify responses in real time
- Consent of the customer must be obtained and recorded before the session
- The NBFC must maintain an audit trail of all V-CIP sessions
Compliance checklist
| Compliance requirement | Required | Implementation point |
|---|---|---|
| Live bidirectional video | Yes | VideoSDK MeetingProvider |
| Session recording | Yes | startRecording() + backend storage |
| Geolocation capture | Yes | navigator.geolocation at session start |
| Face match | Yes | Third-party API (IDfy, HyperVerge) |
| Liveness detection | Yes | Third-party API integration |
| Encrypted storage | Yes | AES-256 at rest, TLS in transit |
| Customer consent log | Yes | Timestamped consent record |
| OVD verification | Yes | Agent visual + OCR confirmation |
| Audit trail | Yes | Immutable session log in backend DB |
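One way to make the "immutable session log" row checkable, as an added example that is not part of the sample repository: each V-CIP event is chained to the previous entry with an HMAC, so an edited, reordered, removed or truncated entry is detected on verification. Event names, fields and the key are constructed; in practice the key would live in a KMS and the log in write-once storage.

```javascript
// Added example: hash-chained (tamper-evident) V-CIP audit log. Event names are constructed.
const nodeCrypto = require('node:crypto');

const GENESIS = '0'.repeat(64); // stands in for "previous MAC" of the first entry

// Canonical JSON: sort object keys so the same event always produces the same bytes.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const fields = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${fields.join(',')}}`;
  }
  return JSON.stringify(value);
}

// The MAC covers the sequence number, the previous MAC and the event itself.
function entryMac(key, seq, prevMac, event) {
  return nodeCrypto.createHmac('sha256', key)
    .update(`${seq}|${prevMac}|${canonical(event)}`).digest('hex');
}

// Append-only: returns a new log with the event linked to the current tail.
function appendEvent(log, key, event) {
  const seq = log.length;
  const prevMac = seq === 0 ? GENESIS : log[seq - 1].mac;
  return [...log, { seq, prevMac, event, mac: entryMac(key, seq, prevMac, event) }];
}

// Returns -1 if the chain is intact, otherwise the index of the first bad entry.
// expectedLength is stored separately (for example with the recording metadata)
// so that removal of entries from the tail is also detected.
function verifyLog(log, key, expectedLength = log.length) {
  let prevMac = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const want = Buffer.from(entryMac(key, i, prevMac, e.event), 'hex');
    const got = Buffer.from(String(e.mac), 'hex');
    const macOk = got.length === want.length && nodeCrypto.timingSafeEqual(got, want);
    if (e.seq !== i || e.prevMac !== prevMac || !macOk) return i;
    prevMac = e.mac;
  }
  return log.length === expectedLength ? -1 : log.length;
}
```
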
Risks of non-compliance
- Regulatory penalties: RBI can impose financial penalties and direct the NBFC to re-verify all onboarded customers under a non-compliant process
- Onboarding rejection: accounts opened through deficient V-CIP may be declared invalid, requiring customer re-onboarding
- Audit failures: internal and external auditors will flag V-CIP gaps as a material control weakness, affecting NBFC credit ratings and investor confidence
- Legal exposure: inadequate KYC can make the NBFC liable under Prevention of Money Laundering Act (PMLA) provisions
Common errors and fixes
| Error | Cause | Fix |
|---|---|---|
| Camera not accessible | Non-HTTPS development environment | Use localhost or configure HTTPS; WebRTC requires secure context |
| Token expired during session | Short token TTL | Implement token refresh before session join; use 60-90 min TTL for V-CIP |
| Recording webhook not firing | Incorrect webhook URL in startRecording() | Use a publicly reachable URL; test with ngrok in development |
| Participant stream not rendering | MediaStream not attached in useEffect | Ensure webcamStream dependency is in the useEffect array |
| CORS error on token API | Missing CORS headers on backend | Add cors middleware to Express; whitelist your frontend origin |
| Meeting not found on join | Wrong meetingId or expired room | Generate a fresh roomId per session; do not reuse rooms |
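The token-expiry and room-reuse fixes in the table above both come down to how the backend issues tokens. The following added example (not code from the sample repository) mints an HS256 JWT bound to one room and one participant with a capped TTL, and verifies it. The claim names are an assumption based on VideoSDK's token format, and the key, secret and room values in any call are placeholders.

```javascript
// Added example: backend mints a short-lived token bound to one room and one participant.
const nodeCrypto = require('node:crypto');

const MAX_TTL_SECONDS = 90 * 60; // upper end of the 60-90 min window suggested for V-CIP
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (secret, data) => nodeCrypto.createHmac('sha256', secret).update(data).digest();

// Assumption: claim names (apikey, permissions, version, roomId, participantId) follow
// VideoSDK's token format; confirm them against the current VideoSDK documentation.
function mintSessionToken({ apiKey, secret, roomId, participantId, ttlSeconds, now = Date.now() }) {
  if (!roomId || !participantId) throw new Error('token must name one room and one participant');
  if (!(ttlSeconds > 0 && ttlSeconds <= MAX_TTL_SECONDS)) throw new Error('TTL outside policy');
  const iat = Math.floor(now / 1000);
  const claims = {
    apikey: apiKey, permissions: ['allow_join'], version: 2,
    roomId, participantId, iat, exp: iat + ttlSeconds,
  };
  const signingInput = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}`;
  return `${signingInput}.${hmac(secret, signingInput).toString('base64url')}`;
}

// Backend-side check before a join is written to the session log.
function verifySessionToken(token, secret, expectedRoomId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, sig] = parts;
  const expected = hmac(secret, `${header}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Parsed only after the MAC checks out, so the JSON came from a holder of the secret.
  const alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  if (claims.exp <= Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  if (claims.roomId !== expectedRoomId) return { ok: false, reason: 'wrong-room' };
  return { ok: true, claims };
}
```
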
Key takeaways
- A video KYC system for an NBFC in India must satisfy both technical and procedural requirements under RBI's V-CIP framework; technology alone is not sufficient for compliance
- VideoSDK's vkyc-react-sdk-example provides a working scaffold for the core session layer; compliance extensions (geolocation, AI verification, encrypted storage) must be added by your team
- Always generate VideoSDK tokens server-side using short-lived JWTs; never expose API secrets in the frontend
- Session recording must be triggered programmatically at session start, and recordings must be retained for a minimum of 5 years in your own encrypted storage
- Non-compliance with RBI V-CIP guidelines carries financial, legal, and reputational risk; validate your implementation against the official Master Direction before going live
