On May 10, 2021, the Reserve Bank of India (“RBI”) amended the ‘Master Direction-Know Your Customer (“KYC”) Direction, 2016’ (“KYC Directions”) to further leverage the Video Based Customer Identification Process (“V-CIP”) and to simplify the process of periodic updation of KYC.
A brief overview of the key amendments is as follows:
1. V-CIP
(a) The definition of V-CIP has been modified to specify that it is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the regulated entity (“RE(s)”). The new definition also provides that the process should be informed-consent based and that the veracity of the information furnished by the customer should be ascertained through independent verification, with an audit trail of the process maintained. The V-CIP process will be treated on par with the face-to-face process if it complies with the prescribed standards and procedures.
(b) Earlier, the KYC Directions provided that accounts (both deposit and borrowal) opened using OTP based e-KYC will not be allowed for more than one year within which identification as per Section 16 of the KYC Directions is to be carried out. The amended KYC Directions provide that such accounts will not be allowed for more than one year unless identification as per Section 16 or as per Section 18 (V-CIP) is carried out. If Aadhaar details are used under Section 18, the process will have to be followed in its entirety, including fresh Aadhaar OTP authentication.
(c) Prior to the amendment, the KYC Directions provided that the REs may undertake live V-CIP for establishment of an account based relationship with an individual customer. The amended KYC Directions provide that the REs may undertake V-CIP to carry out the following:
(i) Customer due diligence (“CDD”) in case of new customer on-boarding for individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (“BOs”) in case of Legal Entity (“LE”) customers. In case of CDD of a proprietorship firm, the REs are also required to obtain the equivalent e-document of the activity proofs (such as tax returns/ registrations etc.) as provided in Section 28 of the KYC Directions;
(ii) Conversion of existing accounts opened in non-face to face mode using Aadhaar OTP based e-KYC authentication as mentioned in Section 17 of the KYC Directions; and
(iii) Updation/periodic updation of KYC for eligible customers.
(d) The amended KYC Directions also provide for the minimum standards for the V-CIP infrastructure, which include the following:
(i) REs should be in compliance with the RBI guidelines on minimum baseline cyber security and resilience framework for banks, as updated from time to time, as well as other general guidelines on IT risks. The technology infrastructure should be housed in the REs’ own premises and the V-CIP connection and interaction should necessarily originate from the RE’s own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines.
(ii) REs should ensure end-to-end encryption of data between the customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration-proof manner.
(iii) The V-CIP infrastructure/ application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.
(iv) The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP should be adequate to allow identification of the customer beyond doubt.
(v) The application should have components with face liveness/ spoof detection as well as face matching technology with a high degree of accuracy, even though the ultimate responsibility for any customer identification rests with the REs. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.
(vi) Based on experience of detected/ attempted/ ‘near-miss’ cases of forged identity, the technology infrastructure should be regularly upgraded. Any detected case of forged identity through V-CIP should be reported as a cyber security event under extant regulatory guidelines.
(vii) The V-CIP infrastructure should undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process should be mitigated before rolling out its implementation. Such tests should be conducted by suitably accredited agencies as prescribed by RBI. The V-CIP application software and relevant APIs/ webservices should also undergo appropriate testing of functional, performance and maintenance strength before being used in a live environment. The application should be rolled out only after closure of any critical gap found during such tests. Such tests should also be carried out periodically in conformance with internal/ regulatory guidelines.
(e) Further, the amended KYC Directions also provide for the minimum standards for the V-CIP procedure, which include the following:
(i) REs should formulate a clear work flow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process should be operated only by officials of the RE specially trained for this purpose. The official should be capable of carrying out a liveness check, detecting any other fraudulent manipulation or suspicious conduct of the customer, and acting upon it.
(ii) If there is a disruption in the V-CIP procedure, the same should be aborted and a fresh session initiated. Further, any prompting observed at the customer’s end should lead to rejection of the account opening process.
(iii) The sequence and/ or type of questions, including those indicating the liveness of the interaction, during video interactions should be varied in order to establish that the interactions are real-time and not pre-recorded.
(iv) Whether the V-CIP customer is an existing or new customer, whether the case relates to one rejected earlier, and whether the name appears in some negative list should be factored in at the appropriate stage of the work flow.
(v) Earlier, the KYC Directions provided that banks could use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for identification; other REs, however, could only carry out Offline Verification of Aadhaar for identification. The amended KYC Directions provide that all REs can obtain the identification information using any one of the following:
• OTP based Aadhaar e-KYC authentication;
• Offline verification of Aadhaar for identification;
• KYC records downloaded from Central KYC Records Registry (“CKYCR”) using the KYC identifier provided by the customer;
• Equivalent e-document of Officially Valid Documents (“OVDs”) including documents issued through DigiLocker. However, use of a printed copy of an equivalent e-document, including e-PAN, is not valid for the V-CIP.
(vi) If, in rare cases, the entire process cannot be completed at one go or seamlessly, REs are now required to ensure that the video process of the V-CIP is undertaken within three days of downloading/ obtaining the identification information through CKYCR/ Aadhaar authentication/ equivalent e-document. However, REs should ensure that no incremental risk is added due to this.
(vii) If the address of the customer is different from that indicated in the OVD, suitable records of the current address should be captured, as per the existing requirement. It should be ensured that the economic and financial profile/information submitted by the customer is also confirmed from the customer undertaking the V-CIP in a suitable manner.
(viii) REs are also required to comply with all matters not specified under the KYC Directions but required under other statutes such as the Information Technology Act, 2000.
(ix) The entire data and recordings of V-CIP are required to be stored in system(s) located in India. Further, the activity log along with the credentials of the official performing the V-CIP is required to be preserved.
2. Periodic Updation of KYC
The provisions pertaining to periodic updation of KYC have been amended to include the following:
(i) The policy for periodic updation should be documented as part of the REs’ internal KYC policy duly approved by the Board of Directors (or any committee thereof) of REs.
(ii) Separate processes have been prescribed for individual customers and other customers.
(iii) In order to ensure customer convenience, REs can consider making available the facility of periodic updation of KYC at any branch, in terms of their duly approved internal KYC policy.
(iv) REs should ensure that their internal KYC policy and processes on updation/ periodic updation of KYC are transparent and adverse actions against the customers should be avoided, unless warranted by specific regulatory requirements.
Any additional and exceptional measures adopted by the REs should be clearly specified in their duly approved internal KYC policy.
Please find a copy of the amended notification here.
This update has been contributed by Aastha (Partner) and Ashwarya Bhargava (Associate).