Summary
If your business accepts customers via digital means, regardless of whether it’s an institution, NBFC, payment aggregator, or insurance company, it is essential to understand that the RBI’s Video KYC guidelines aren’t an option. It’s an essential operational obligation.
The guidelines have been updated numerous times since the initial 2020 guidelines, and have seen significant changes in 2021 and 2022, and a third time on August 20, 2025. Each update is a response to the real-world threats that regulators have seen in the industry. This guide explains the current rules and what will change in 2025, as well as what your checklist of compliance requirements should be in 2026.
Background: How Video KYC Became Legal in India
Before 2020, KYC in India required either a physical in-person process or an Aadhaar-based eKYC. The RBI changed this with a circular issued in January 2020 under the Prevention of Money Laundering (Maintenance of Records) Rules. This circular introduced Video-based Customer Identification Process — V-CIP — as a formally permitted method of KYC.
The introduction of V-CIP was significant. A customer sitting at home could complete a live video interaction with a trained bank official, present their PAN card or Aadhaar, and be onboarded — without visiting a branch. The 2020 framework has since been refined through several master directions and amendments.
Who Does This Apply To?
RBI’s Video KYC guidelines apply to all regulated entities under the Prevention of Money Laundering Act framework:
- Scheduled commercial banks and small finance banks
- Non-Banking Financial Companies (NBFCs) including HFCs
- Payment system operators and payment aggregators
- White-label ATM operators
- Prepaid payment instrument issuers
- Account aggregators
Core Requirements Under RBI’s V-CIP Framework
Live Interaction
The video call must be live and real-time. Pre-recorded videos are not permitted. The interaction must take place between the customer and a trained official of the regulated entity — not an automated system alone.
Document Verification
The customer must present the original physical document on camera. Accepted documents include PAN card (mandatory for most financial products), Aadhaar (with customer consent), or other Officially Valid Documents. The document must be clearly visible and legible on video.
Geo-Tagging
The customer’s location must be captured and verified at the time of the video call. The system must confirm the customer is physically present in India. Calls from international locations are not permitted for domestic KYC completion.
Facial Match
The live face captured during the video call must be matched against the photograph in the identity document. This is a mandatory step.
Audit Trail
The full video recording must be stored securely and be retrievable for audit purposes. The recording must be encrypted at rest and in transit.
Data Localisation
All KYC data, including video recordings and associated customer information, must be stored on servers located in India.
What Changed in August 2025
Key Amendment
The August 2025 amendment added a new technical requirement: regulated entities must implement technical safeguards specifically designed to detect synthetic media, AI-generated faces, and video injection attacks during V-CIP sessions. Basic active liveness detection is no longer sufficient on its own.
By mid-2025, regulators had documented cases of fraudsters using deepfake video technology to impersonate customers during live video KYC sessions. A synthetic face, generated by AI, was being used to pass identity verification checks that relied only on visual inspection and basic liveness prompts.
In practical terms, the amendment means:
- Basic active liveness detection (asking users to blink or turn their head) is no longer sufficient on its own.
- Systems must include automated checks that can identify the signs of a deepfake or injected video stream.
- The technical controls must be documented and demonstrable to RBI during inspections.
Compliance Checklist for 2026
Use this as a reference against your current V-CIP implementation:
| Requirement | Compliant? |
|---|---|
| Live, real-time video session | ✓ |
| Trained official present during session | ✓ |
| PAN/OVD verified on camera | ✓ |
| Facial match against document photo | ✓ |
| Geo-location capture and India verification | ✓ |
| Session fully recorded and encrypted | ✓ |
| Data stored on India-based servers | ✓ |
| Explicit customer consent captured | ✓ |
| Deepfake/anti-spoofing detection in place | ? |
| Audit trail maintained and retrievable | ✓ |
| Sessions conducted within business hours | ✓ |
Common Compliance Gaps Found in Audits
Inadequate liveness controls
Using only basic active prompts without any passive or AI-based detection layer. Post-August 2025, this is a direct compliance gap.
Incomplete audit trails
Video recordings stored without timestamps, session metadata, or official identification tags.
Geo-location not verified
Capturing GPS coordinates but not validating that the IP address and location data are consistent with each other, making the control easy to bypass with a VPN.
Consent records not linked to KYC records
Consent captured in a separate system without a unique reference linking it to the specific V-CIP session.
Frequently Asked Questions
Q – Can a customer complete Video KYC on a mobile phone?
A – Yes. RBI permits V-CIP on any device capable of conducting a live video call with adequate camera and audio quality.
Q – Is Video KYC valid for all financial products?
A – Not for every product. Certain high-risk accounts and products may still require physical verification. Check the specific product-level rules in the relevant master direction.
Q – How often do the RBI guidelines get updated?
A – The rules have been updated at meaningful intervals — 2020, 2021, 2022, and August 2025. Compliance teams should subscribe to RBI circulars and plan for periodic reviews of their V-CIP infrastructure.
Q – Does every customer need a live official or can AI handle the session?
A – A trained human official must be available during the session. AI tools can assist with verification tasks, but they cannot replace the mandatory human interaction element under current guidelines.
