RBI Amends Master Directions on Bank KYC To Allow Video CIP, Simple Periodic Updation
Moneylife Digital Team 12 May 2021
The Reserve Bank of India (RBI) has amended its master directions on know-your-customer (KYC) norms to further leverage the video-based customer identification process (V-CIP), while simplifying the process of periodic updation for bank customers.
This follows from RBI's announcements last week when governor Shaktikanta Das directed banks not to impose any punitive restriction on customers for failure to update KYC till 31 December 2021 while also announcing a series of measures to enhance video KYC for customers. Video KYC will now be considered on par with the face-to-face customer identification process.
The decision by RBI had addressed several issues raised by Moneylife Foundation in a memorandum submitted to the RBI governor on 12 April 2021 along with detailed case studies. See the detailed memorandum here:
The V-CIP can be used for new account openings as well as for periodic KYC updation of existing bank customers. It has also been extended to new proprietorship firms, authorised signatories, and beneficial owners of legal entity customers. The regulated entities have to comply with prescribed standards and procedures as set by the RBI.
In its master directions, the central bank has specified certain minimum standards which regulated entities will have to follow while opting to undertake V-CIP. As per the amended provisions, a regulated entity (RE) should have complied with the RBI guidelines on minimum baseline cyber security and resilience framework for banks. The RBI-regulated entities (REs) include banks, NBFCs (non-banking finance companies) and payment system operators, among others.
"The technology infrastructure should be housed in its own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines," RBI says.
Also, the RE should ensure end-to-end encryption of data between customer devices and the hosting point of the V-CIP application, as per appropriate encryption standards. 
It added that each RE should formulate a clear workflow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process should be operated only by officials of the RE specially trained for this purpose.
The authorised official should record audio-video as well as capture photographs of the customer present for identification. The official can obtain the identification information using OTP-based Aadhaar e-KYC authentication, offline verification of Aadhaar for identification, KYC records downloaded from the Central KYC Registry (CKYCR) or equivalent e-documents of officially valid documents (OVDs), including documents issued through DigiLocker. Further, the RE will have to ensure that the Aadhaar number is redacted or blacked out, RBI says.
The regulated entities or REs may also undertake V-CIP for conversion of existing accounts opened in non-face-to-face mode using Aadhaar OTP-based e-KYC authentication, and updation or periodic updation of KYC for eligible customers.
In the video KYC process, an authorised official of the RE completes customer identification by obtaining and verifying personal identification information through an audio-visual interaction as required for due diligence. The process should be undertaken live using a secured network.
As per the master direction, video-KYC process has to be carried out only via the bank’s website or its mobile application and the customer cannot leave the bank’s website or the app until the video KYC process is completed.
The customer’s consent has to be recorded in an auditable and alteration-proof manner. The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the video-KYC and should have a date-time stamp. If there is a disruption in the video-KYC recording, it should be aborted and a fresh session must be initiated. 
There is no requirement of any third-party video calling apps such as Zoom, WhatsApp and Skype, RBI clarified.
Never share personal details, PAN card and Aadhaar number if a link on SMS or email takes you outside the bank’s website to complete the video KYC as it could be fraudsters trying to gain access to your bank account.
As per RBI norms, banks should adopt a risk-based approach for periodic updation of KYC. For high-risk customers, banks can carry out updating of KYC at least once every two years. For medium risk customers, updating of KYC should be done once every eight years and for low-risk customers, updating of KYC needs to be done once every 10 years from the date of opening of the account or date of last KYC updation.
Given the current pandemic situation, RBI has allowed periodic updation of KYC through various modes of communication. This includes a self-declaration through a registered email ID, a postal letter, net banking or mobile banking. Hence, customers don’t need to visit the bank branch in person for KYC updation.
Earlier, on 18 December 2020, RBI had amended the master directions on KYC norms and sought to mandate all legal entities whose accounts are opened prior to 1 April 2021, to upload their KYC data onto the CKYCR, pursuant to Rule 9 (1A) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules). This amendment helps in streamlining the KYC process ensuring that it remains time-efficient and promotes ease of use for the REs as well as their customers, through these additional provisions:
REs shall directly retrieve online KYC records from CKYCR using the KYC Identifier as submitted by the customer (along with an explicit consent for usage of such reports). Consequently, there would be no additional customer requirement for submission of KYC records, unless there is either a change in customer information; or the customer's address requires verification; or such additional KYC records are required by the RE in order to conduct either enhanced due diligence; or risk profiling for the customer (as required under the master directions).
REs shall communicate generation of the KYC Identifier by CKYCR, to the respective individual or legal entity.
Time Period for KYC Compliance with the CKYCR
As part of the customer due diligence, under the provisions of Rule 9 (1A) of the PML Rules, every RE is required to capture customer's KYC data and to file an electronic copy of the customer's KYC records with the central KYC records registry. Such filing must be made within 10 days from commencement of an account-based relationship with the customer.
With the objective of promoting ease of doing business, the government had formed CKYCR as a centralised KYC repository, to reduce the cost and burden of maintaining KYC documents by each financial institution or intermediary. This had in turn authorised the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) to perform the functions of and manage the CKYCR. Since the central registry is now fully operational for individual customers, as a logical corollary, RBI has extended the CKYCR compliance requirements to legal entities.


Meenal Mamdani
3 years ago
Not a single reader of MLF newsletter has answered my question - is this repeated queries to customers to update their KYC done anywhere else besides India?

If no, then are our bank officials incompetent that they need to do this every few years when nothing on the account has changed because they have been incompetent and not collected adequate data when the account was opened?

Are the bank officials in smaller towns using this as a pretext to extract money from hapless customers?
Replied to Meenal Mamdani comment 3 years ago
The problem is that we Indians -- especially the educated middle class - continue to live with a colonial mindset and tamely accept draconian rules. We do it because the alternative of getting together, putting up a fight, objecting to faulty rules is too onerous! We try to do it at Moneylife Foundation, but the number of issues that require agitation/ litigation are too many and we can only take up a small fraction. We the educated do not even want to work at making our elected representatives accountable. These are issues that ought to be discussed by parliamentary committees of finance. They don't bother. We have five financial regulators who are constantly working at inventing new red tape "for our protection". None of them bother to meet any stakeholder or stakeholder representative. Most people don't care until they are personally affected. Until this changes, the gigantic task of resolving issues is going to be slow with some small victories to keep us going! Finally - to answer your query - other countries do not have such outrageous rules that permit a bank manager to freeze your deposits kept in trust. Other countries do not even charge you for withdrawing your own money from the bank. But you can be sure that a few readers will post comments here saying 'banks need to be compensated for their service' without understanding the basics of how banks function!
Meenal Mamdani
Replied to sucheta comment 3 years ago
Thank you.
Maybe the pandemic catastrophe will wake up the people.
3 years ago
Kudos to Sucheta Dalal and team. Countless citizens are relieved.
3 years ago
Is the Video KYC process applicable to NRIs living out of India on a work permit but still holding Indian passports?
Meenal Mamdani
3 years ago
Congratulations to Ms Dalal and the MLF team.

However, I must point out that
1. This does not make it any easier for people in small towns or villages to get their bankers to do this.
2. After the first KYC is done within 10 days of opening an account, there is no need to update this information periodically unless there has been a change in the persons registered on that account.

As far as I know, this repeated updating is not done anywhere else.
Perhaps the readers of this newsletter are aware of this practice and if so can enlighten us.