TLDR: Selecting the wrong video KYC vendor exposes banks to regulatory penalties, audit failures, and broken customer onboarding flows. This guide provides a structured RFP framework, covering compliance, infrastructure, security, and cost, for procurement heads and product teams running formal vendor evaluations in India.
Introduction
India's digital lending and banking sector onboarded over 80 million new customers remotely between 2020 and 2023, with Video KYC, formally called Video Customer Identification Process or V-CIP, becoming the regulatory backbone of paperless account opening. The Reserve Bank of India (RBI) mandated V-CIP via its January 2020 circular (RBI/2019-20/138), allowing regulated entities to complete KYC remotely through a live, consent-based video interaction between a trained bank official and the customer.
For procurement heads, compliance teams, and VPs of Product at banks running a video KYC vendor evaluation RFP, the challenge is not a shortage of vendors; it is the absence of a rigorous, compliance-anchored evaluation framework. This guide fills that gap.
Regulatory and market context in India
What RBI's V-CIP guidelines actually require
The RBI's V-CIP framework (as updated in Master Direction on KYC, 2016, last amended 2023) defines the minimum technical and process requirements for video-based customer identification. Key mandates include:
- The video interaction must be live (not pre-recorded) and geo-tagged to confirm the customer is physically in India at the time of onboarding.
- The bank official conducting the V-CIP must be a trained and designated officer.
- The session must capture a clear image of the customer's face, PAN card, and Aadhaar (with masked Aadhaar number or OTP-based XML verification).
- All audio-video recordings must be stored securely in India, with an audit trail maintained for a minimum of five years.
- The system must include liveness detection and random question prompts to prevent spoofing.
The Insurance Regulatory and Development Authority of India (IRDAI) has issued parallel guidelines permitting insurers to use video-based KYC for policy issuance, with similar requirements around agent training, recording retention, and data localisation.
Non-compliance consequences include regulatory penalties from RBI (monetary fines, operational restrictions), failed internal and external audits, suspension of digital onboarding capabilities, and customer onboarding disruption during remediation periods.
Market context
India's digital KYC infrastructure market is fragmented. Vendors range from full-stack KYC SaaS platforms to infrastructure-layer providers offering video session management, AI-based document verification, and liveness detection as separate components. Banks and NBFCs must decide whether to procure a single vendor or assemble a multi-vendor stack, a decision that directly affects integration complexity, vendor accountability, and audit trail coherence.
Core vendor evaluation framework
A sound video KYC vendor evaluation RFP checklist for banks is organised across six pillars. Each maps to a distinct set of risks.
1. Vendor capability checklist
Before any technical due diligence, verify that the vendor can demonstrate the following capabilities in a production environment, not just in a demo.
| Capability | What to verify |
|---|---|
| Live video session with in-session recording | End-to-end session recording stored and retrievable by session ID |
| Document capture and OCR | PAN, Aadhaar, passport capture with field-level extraction accuracy > 95% |
| Liveness detection | Active (challenge-response) and passive liveness, with anti-spoofing certifications |
| Face match | Real-time face comparison against document photo with confidence score logging |
| Geo-tagging | IP and GPS-based location verification, India-only restriction enforcement |
| Masked Aadhaar support | Aadhaar XML parsing with last 4 digits visible only |
| Consent capture | Digital consent recorded in session with timestamp |
| Audit log export | Per-session logs exportable in JSON or PDF for regulatory submission |
Ask vendors to demonstrate each capability in a sandbox environment with a test PAN and Aadhaar. Vendors who cannot demonstrate masked Aadhaar handling or geo-restriction enforcement in a controlled test should be eliminated from the RFP.
2. Compliance readiness
Compliance readiness refers to the degree to which a vendor's system, documentation, and support processes are pre-aligned with Indian regulatory requirements, reducing the compliance burden on the bank's own team.
Use this checklist when evaluating each vendor:
- RBI V-CIP compliant architecture documented in vendor's technical whitepaper
- IRDAI compliance documentation available (if applicable)
- Data localisation: all video and data stored on servers physically located in India
- Retention policy: session data retained for minimum five years with access controls
- Aadhaar handling compliant with UIDAI guidelines (masked, XML, OTP-based)
- DPDP Act 2023 readiness: data minimisation, purpose limitation, consent management
- CERT-In incident reporting: vendor has defined process for breach notification
- Audit reports: SOC 2 Type II or ISAE 3402 available for review
- Third-party compliance assessments: IS Audit reports available
- Contractual data processing agreement with liability clauses
Note: If a vendor cannot produce documentation for any of the above, treat it as a red flag. Do not accept verbal assurances. Engage your compliance counsel to review all contractual compliance claims before award.
3. Infrastructure and scalability
Infrastructure in the context of video KYC refers to the underlying technology that manages real-time video sessions, including media servers, session routing, connection quality management, and failover.
Questions to ask vendors:
- What is the maximum concurrent session capacity on your infrastructure? Provide load test reports.
- How is session quality managed for customers on 2G/3G networks? (Critical for India's Tier 2 and Tier 3 markets.)
- What is the session establishment time (time from agent initiating call to customer joining)?
- Do you use WebRTC for peer-to-peer video, or a proprietary protocol? What are the failover paths?
- Where are your media servers physically located? Are they within India?
- What is your platform's uptime SLA? Provide historical uptime data for the past 12 months.
- How do you handle network degradation mid-session (reconnect logic, session resume)?
Infrastructure providers like VideoSDK offer real-time communication infrastructure, including WebRTC-based session management, adaptive bitrate streaming, and recording pipelines, that can underpin a bank's V-CIP session layer. VideoSDK's infrastructure is accessible via SDK and API, and its documentation covers session recording, participant management, and media server configuration relevant to V-CIP technical requirements. It is positioned as a building block rather than a full KYC compliance solution, so banks integrating it must layer compliance controls separately or through a compliance-certified KYC partner.
4. Security and data handling
Data handling security in video KYC encompasses encryption in transit and at rest, access control for session recordings, and breach response capability.
Key evaluation criteria:
| Security dimension | Minimum requirement |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all streams |
| Encryption at rest | AES-256 for stored recordings and extracted documents |
| Access control | Role-based access; agent can only access assigned sessions |
| PII handling | Aadhaar, PAN, and facial data subject to strict access logging |
| Penetration testing | Annual third-party VAPT report available |
| SIEM integration | Vendor supports log export to bank's SIEM |
| Data deletion | Verifiable deletion process at end of retention period |
| Breach SLA | Vendor contractually commits to CERT-In-aligned breach notification timelines |
Request a copy of the vendor's most recent penetration testing report and VAPT summary. Vendors who cannot provide this should not progress past initial screening in your RFP.
5. Integration and developer experience
Integration complexity is a frequently underweighted evaluation criterion. Banks that choose vendors with poor SDK documentation, unstable APIs, or opaque webhook behaviour face extended implementation timelines and higher internal engineering costs.
Evaluate integration readiness using these criteria:
- SDK availability: Web (JavaScript), Android, iOS SDKs with version history and changelog
- API documentation quality: REST API reference with full parameter documentation, error code glossary, and rate limits
- Webhook support: Session completion, failure, and timeout events push to bank backend in real time
- Sandbox environment: Full-featured sandbox with test Aadhaar/PAN for QA and compliance testing
- Migration support: Vendor provides data export in standard formats if the bank switches providers
- Integration SLA: Vendor commits to a supported integration timeline with dedicated technical account management
- Change management: API versioning policy, deprecation notice periods, and backward compatibility guarantees
Score each vendor on a 1–5 scale across these dimensions. Vendors scoring below 3 on SDK quality or sandbox availability should be deprioritised.
6. Cost and SLA evaluation
Total cost of ownership (TCO) for a video KYC vendor includes not only per-session fees but also infrastructure costs, compliance overhead, and the cost of SLA failures.
Standardise your RFP cost response template to capture:
| Cost line item | Questions to ask |
|---|---|
| Per-session fee | Is this inclusive of recording storage? Document verification? Liveness? |
| Minimum commitment | Monthly or annual session minimums? Penalties for underuse? |
| Overage pricing | Cost per session above contracted volume? |
| Storage costs | Per-GB pricing for archived session recordings over 5-year retention period |
| Professional services | Integration support, compliance advisory, agent training |
| SLA penalties | What financial credit does the vendor provide for downtime breaches? |
| Renewal terms | Auto-renewal clauses, price escalation caps |
Request a 3-year TCO model from each vendor using your projected monthly session volumes at three scenarios: base, 2x growth, and peak (e.g., tax season, festive period).
Decision matrix
Use this weighted scoring matrix to compare shortlisted vendors. Adjust weights to reflect your bank's specific risk profile and strategic priorities.
How to score: Rate each vendor from 1 to 5 on each pillar, then multiply by the pillar weight to get a weighted score. Sum all weighted scores for the vendor's final total. The example below illustrates a completed evaluation for three hypothetical vendors.
Scoring scale:
- 1 = does not meet requirements / no documentation available
- 2 = partially meets requirements with significant gaps
- 3 = meets baseline requirements
- 4 = meets all requirements with strong documentation
- 5 = exceeds requirements; proactive compliance posture and verifiable third-party certification
| Evaluation pillar | Weight | Vendor A score (1–5) | Vendor A weighted | Vendor B score (1–5) | Vendor B weighted | Vendor C score (1–5) | Vendor C weighted |
|---|---|---|---|---|---|---|---|
| Compliance readiness | 30% | 5 | 1.50 | 3 | 0.90 | 4 | 1.20 |
| Infrastructure and scalability | 20% | 4 | 0.80 | 5 | 1.00 | 3 | 0.60 |
| Security and data handling | 20% | 4 | 0.80 | 4 | 0.80 | 3 | 0.60 |
| Integration and developer experience | 15% | 3 | 0.45 | 4 | 0.60 | 5 | 0.75 |
| Cost and SLA | 10% | 3 | 0.30 | 2 | 0.20 | 4 | 0.40 |
| Vendor financial stability | 5% | 4 | 0.20 | 3 | 0.15 | 2 | 0.10 |
| Total weighted score | 100% | — | 4.05 | — | 3.65 | — | 3.65 |
In this example, Vendor A is the strongest overall choice despite scoring lower on integration, because its compliance readiness score of 5 carries the highest weight and reflects the primary risk in a regulated V-CIP deployment. Vendors B and C tie on total score but differ in risk profile: Vendor B is stronger on infrastructure (better for high-volume deployments) while Vendor C is stronger on integration (better for banks with lean engineering teams). Use this trade-off analysis, not just the total score, to inform your final recommendation.
Note on disqualifying scores: Any vendor scoring 1 or 2 on compliance readiness should be eliminated from the RFP regardless of their total weighted score. No other pillar performance can compensate for a compliance gap in a regulated V-CIP deployment.
Compliance readiness carries the highest weight because a vendor who cannot demonstrate RBI V-CIP alignment is disqualified regardless of other scores. Infrastructure and security follow because both affect customer experience and audit outcomes simultaneously.
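The scoring procedure and the disqualification rule above can be applied mechanically, so that a high total never hides a compliance gap. The following is an added example, not part of the original guide: the weights and the Vendor A to C scores come from the matrix, while Vendor D, the pillar key names and the function names are constructed for illustration.

```python
# Added example: weighted vendor scoring with the compliance gate.
# Weights and Vendor A-C scores are taken from the matrix above.
# Vendor D is a constructed case: strong everywhere except compliance.

WEIGHTS = {  # pillar weights in percent; must total 100
    "compliance": 30, "infrastructure": 20, "security": 20,
    "integration": 15, "cost_sla": 10, "financial_stability": 5,
}

VENDORS = {
    "Vendor A": {"compliance": 5, "infrastructure": 4, "security": 4,
                 "integration": 3, "cost_sla": 3, "financial_stability": 4},
    "Vendor B": {"compliance": 3, "infrastructure": 5, "security": 4,
                 "integration": 4, "cost_sla": 2, "financial_stability": 3},
    "Vendor C": {"compliance": 4, "infrastructure": 3, "security": 3,
                 "integration": 5, "cost_sla": 4, "financial_stability": 2},
    "Vendor D": {"compliance": 2, "infrastructure": 5, "security": 5,
                 "integration": 5, "cost_sla": 5, "financial_stability": 5},
}

MIN_COMPLIANCE = 3  # a score of 1 or 2 on compliance readiness eliminates the vendor


def weighted_total(scores, weights=WEIGHTS):
    """Return the weighted total in hundredths (405 means 4.05)."""
    if sum(weights.values()) != 100:
        raise ValueError("pillar weights must total 100%")
    if set(scores) != set(weights):
        raise ValueError("every pillar needs exactly one score")
    for pillar, score in scores.items():
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{pillar}: score must be an integer from 1 to 5")
    # Integer arithmetic avoids float rounding when comparing totals for ties.
    return sum(scores[p] * weights[p] for p in weights)


def evaluate(vendors, weights=WEIGHTS):
    """Apply the compliance gate, then rank survivors and flag tied totals."""
    ranked, eliminated, by_total = [], {}, {}
    for name, scores in vendors.items():
        total = weighted_total(scores, weights)
        if scores["compliance"] < MIN_COMPLIANCE:
            eliminated[name] = total  # kept for the record, never ranked
        else:
            ranked.append((name, total))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    for name, total in ranked:
        by_total.setdefault(total, []).append(name)
    ties = [names for names in by_total.values() if len(names) > 1]
    return {"ranked": ranked, "eliminated": eliminated, "ties": ties}


if __name__ == "__main__":
    result = evaluate(VENDORS)
    for name, total in result["ranked"]:
        print(f"{name}: {total / 100:.2f}")
    for name, total in result["eliminated"].items():
        print(f"{name}: eliminated on compliance (total {total / 100:.2f})")
    for names in result["ties"]:
        print("Tie, needs trade-off analysis:", ", ".join(names))
```

Vendor D has the highest total of the four yet is removed before ranking, and the Vendor B and C tie is reported separately so it is resolved by the trade-off analysis rather than by sort order.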
Common mistakes in video KYC vendor evaluation
1. Treating compliance as a checkbox rather than a continuous obligation
RBI's KYC guidelines are updated periodically. A vendor who is compliant at contract award may not remain so after a regulatory amendment. Require vendors to include a contractual obligation to notify the bank within 30 days of any regulatory change that affects the V-CIP system.
2. Evaluating only on demo performance
Demos are curated. Always require a sandbox POC (proof of concept) using your own test data, your agent's device, and a simulated low-bandwidth environment. Many vendors who perform flawlessly on fibre fail on mobile networks typical in Tier 3 India.
3. Ignoring agent-side UX
Banks often evaluate the customer-facing flow and neglect the bank officer's interface. Agent fatigue, session management complexity, and poor queue visibility directly reduce throughput and onboarding completion rates.
4. Underestimating storage cost
A 10-minute V-CIP session at acceptable quality generates approximately 500 MB to 1 GB of video data. Over a five-year retention period at 10,000 sessions per month, storage costs can exceed the per-session fee. Evaluate storage costs explicitly.
5. Skipping vendor financial due diligence
Video KYC infrastructure is mission-critical. A vendor insolvency mid-contract creates a compliance gap: archived session recordings may become inaccessible. Request audited financials or a parent company guarantee as part of the RFP.
Key takeaways
- RBI's V-CIP mandate requires live geo-tagged video sessions with consent capture, document verification, liveness detection, and data stored in India for a minimum of five years.
- Compliance readiness is the highest-weight criterion in any video KYC vendor evaluation; vendors who cannot produce a V-CIP compliance whitepaper and audit documentation should be eliminated at the RFP screening stage.
- Infrastructure reliability and low-bandwidth performance are critical for India's Tier 2 and Tier 3 markets; always test vendor systems in degraded network conditions.
- Total cost of ownership must include per-session fees, five-year recording storage, and SLA penalty credits, not just the headline per-verification price.
- Use a weighted decision matrix with compliance at 30% weight; no other pillar score can compensate for a compliance failure.
FAQ
Q1. What is the RBI's legal basis for video KYC in India?
The Reserve Bank of India introduced Video Customer Identification Process (V-CIP) through its circular RBI/2019-20/138 dated January 9, 2020, issued under the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and the KYC Master Direction (2016, as amended). Regulated entities including scheduled commercial banks, NBFCs, and payment banks are permitted, not mandated, to use V-CIP as an alternative to in-person KYC. Banks must comply with all procedural and technical requirements specified in the Master Direction before operationalising V-CIP.
Q2. How long must banks store V-CIP session recordings?
RBI's KYC Master Direction requires that records used for KYC verification, including V-CIP session recordings, be maintained for at least five years after the business relationship ends or, in the case of a one-time transaction, at least five years after the transaction date. Banks must ensure recordings remain retrievable and tamper-evident throughout the retention period, with access restricted to authorised personnel only.
Q3. Can a bank use a foreign-hosted video KYC vendor?
No. RBI's data localisation requirements and the broader framework under the Reserve Bank of India (Outsourcing of IT Services) Directions mandate that data belonging to Indian banking customers be stored within India. Any video KYC vendor processing or storing session data, including facial images, document extracts, and audio-video recordings, must host this data on servers physically located in India. Banks bear regulatory responsibility for vendor compliance with this requirement.
Q4. What is liveness detection, and why does it matter for V-CIP compliance?
Liveness detection is a biometric security mechanism that confirms the person in the video session is a physically present, live individual rather than a photograph, video replay, or deepfake. RBI's V-CIP guidelines require banks to implement measures to prevent spoofing attacks, and liveness detection, both active (challenge-response prompts) and passive (algorithmic analysis), is the primary technical control. Vendors should be able to provide third-party certification or test results demonstrating liveness detection accuracy and anti-spoofing resilience.
Q5. What is the difference between a full-stack KYC vendor and an infrastructure provider?
A full-stack video KYC vendor provides an end-to-end solution, including agent interface, document verification, liveness detection, consent capture, and regulatory reporting, as a single integrated product. An infrastructure provider, such as a real-time communication platform, supplies the underlying video session layer (WebRTC, recording pipelines, session management) on which the bank or a system integrator builds the compliance workflow. Banks procuring infrastructure components must ensure the compliance layer (liveness, document OCR, consent logging, geo-tagging) is either built in-house or sourced from a certified compliance partner.
Q6. How should banks handle vendor lock-in risk in video KYC contracts?
Vendor lock-in risk in video KYC is primarily a data portability problem: if the bank changes vendors, can it access and migrate five years of archived session recordings? RFPs should require vendors to commit contractually to providing session recording exports in standard formats (MP4 for video, JSON for metadata) within a defined timeframe upon contract termination. Banks should also negotiate escrow arrangements for source code or data if the vendor is a small or early-stage company.
Q7. How does IRDAI's video KYC framework differ from RBI's?
IRDAI's video-based KYC framework for insurers is broadly modelled on RBI's V-CIP structure but includes insurance-specific requirements such as verification of the proposer's identity in relation to the proposed insured, and specific agent training mandates under IRDAI (Protection of Policyholders' Interests) Regulations. Insurers using video KYC must also ensure the interaction is conducted through an IRDAI-approved channel and that the session is retained per IRDAI's record-keeping norms. Banks offering bancassurance products should verify that their vendor's V-CIP system is also IRDAI-compliant if it will be used across both use cases.
Q8. What SLA terms should banks negotiate with video KYC vendors?
At minimum, RFPs should require vendors to commit to 99.9% platform uptime (excluding planned maintenance), session establishment time under five seconds on a 4G network, a maximum incident response time of four hours for P1 outages, and financial credits of at least 10% of monthly fees for each percentage point of uptime below the SLA threshold. Banks should also require the vendor to provide real-time status page access and post-incident root cause analysis within 48 hours of any service disruption exceeding 15 minutes.
