RBI amends Master Direction on KYC norms

RBI on Tuesday amended the MD on KYC to further leverage the Video-based Customer Identification Process (V-CIP) and to simplify and rationalise the process of periodic updating of KYC.

Banks and other regulated entities have to undertake Customer Due Diligence (CDD) while dealing with the customers as per the process laid out in Master Direction (MD) of RBI on KYC as amended from time to time. As per prevailing provisions, REs shall adopt a risk-based approach for periodic updation of KYC and carry out at least once in every two years for high-risk customers, once in every eight years for medium risk customers, and once in every ten years for low-risk customers from the date of opening of the account / last KYC updation.

Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the regulated entity by undertaking seamless, secure, and live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process.  According to the amended provision clause (xx) of Section 3 of KYC norms, such processes complying with prescribed standards and procedures shall be treated on par with face-to-face Customer Identification Process. In case of individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity (LE) customers, Customer Due Diligence (CDD), the V-CIP to be carried out by the regulated entities d in terms of amended Section 18. Provided, in case of Customer Due Diligence (CDD) of a proprietorship firm, REs shall obtain the equivalent e-document of the activity proofs with respect to the proprietorship firm, as mentioned in Section 28, apart from undertaking CDD of the proprietor.

The amended Section 17 Clause (v), states that accounts, both deposit, and borrowal, opened using OTP-based e-KYC shall not be allowed for more than one year unless identification as per Section 16 or as per Section 18 (V-CIP) is carried out. If Aadhaar details are used under Section 18, the process shall be followed in its entirety including fresh Aadhaar OTP authentication. The above rule also applies for conversion of existing accounts opened in non-face-to-face mode using Aadhaar OTP-based e-KYC authentication/  Updation/Periodic updation of KYC for eligible customers. The central bank has also specified certain minimum standards that regulated entities will have to follow while opting to undertake V-CIP. “The technology infrastructure should be housed in own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology-related outsourcing for the process should be compliant with relevant RBI guidelines,” it said. The authorized official performing the V-CIP shall record audio-video as well as capture photographs of the customer present for identification and obtain the identification information using any one of the following, it said.

• OTP based Aadhaar e-KYC authentication
• Offline Verification of Aadhaar for identification
• KYC records downloaded from CKYCR, in accordance with Section 57, using the KYC identifier provided by the customer
• Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker.

The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses, it said. The amended sections further specify that video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt. Any detected case of forged identity through V-CIP shall be reported as a cyber security event under extant regulatory guidelines. Also, the RE should ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent has to be recorded in an auditable and alteration proof manner.RE shall ensure to redact or blackout the Aadhaar number in terms of Section 16.

In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code,Banks and other regulated entities are required to ensure that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP. Further, REs shall ensure that the video process of the V-CIP is undertaken within three days of downloading / obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document, if in the rare cases, the entire process cannot be completed at one go or seamlessly. However, REs shall ensure that no incremental risk is added due to this.

Wherever, the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured, as per the existing requirement. The economic and financial profile/information submitted by the customer shall be confirmed from the customer undertaking the V-CIP in a suitable manner. The clear image of PAN card shall be displayed during the process, except in cases where e-PAN is provided by the customer. It is important to note that use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP. The PAN details shall be verified from the database of the issuing authority including through DigiLocker.

The authorised official of the RE shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer. However, Assisted V-CIP shall be permissible when banks take help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.

“All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and its acceptability of the outcome. All matters not specified under the paragraph but required under other statutes such as the Information Technology (IT) Act shall be appropriately complied with by the RE” said RBI.