The Reserve Bank of India (RBI) has amended its master directions on known-your-customer (KYC) norms to further leverage the video-based customer identification process (V-CIP) while simplifying the process of periodic updating for the bank customers.
This follows from the RBI announcements last week when governor Shaktikanta Das directed banks not to impose any punitive restriction on customers for failure to update KYC till 31 December 2021 while also announcing a series of measures to enhance video KYC for customers. Video KYC, will now be considered on par with the face-to-face customer identification process.
The V-CIP can be used for new account openings as well as for periodic KYC updation of existing bank customers. It has also been extended to new proprietorship firms, authorised signatories, and beneficial owners of legal entity customers. The regulated entities have to comply with prescribed standards and procedures as set by the RBI.
In its master directions, the central bank has specified certain minimum standards, which regulated entities will have to follow while opting to undertake V-CIP.
As per the amended provisions, a regulated entity (RE) should have complied with the RBI guidelines on minimum baseline cybersecurity and resilience framework for banks. The RBI-regulated entities (REs) include banks, NBFCs, and payment system operators among others.
“The technology infrastructure should be housed in its own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology-related outsourcing for the process should be compliant with relevant RBI guidelines,” RBI says.
Also, the RE should ensure end-to-end encryption of data between customer devices and the hosting point of the V-CIP application, as per appropriate encryption standards.
It added that each RE should formulate a clear workflow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process should be operated only by officials of the RE specially trained for this purpose.
“ The authorized official should record audio-video as well as capture photographs of the customer present for identification. The official can obtain the identification information using OTP based Aadhaar e-KYC authentication, offline verification of Aadhaar for identification, KYC records downloaded from Central KYC Registry (CKYCR) or equivalent e-document of officially valid documents (OVDs) including documents issued through DigiLocker. Further, the RE will have to ensure to redact or blackout the Aadhaar number, RBI says.”
The regulated entities or REs may also undertake V-CIP for conversion of existing accounts opened in non-face to face mode using Aadhaar OTP based e-KYC authentication, and updation or periodic updation of KYC for eligible customers.
In video KYC process, an authorised official of the regulated entity completes customer identification by obtaining and verifying personal identification information through an audio-visual interaction as required for due diligence. The process should be undertaken live using a secured network.
As per the master direction, video-KYC process has to be carried out only via the bank’s website or its mobile application and the customer cannot leave the bank’s website or the app until the video KYC process is completed.
The customer’s consent has to be recorded in an auditable and alteration-proof manner. The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the video-KYC and should have a date-time stamp. If there is a disruption in the video-KYC recording, the same should be aborted and a fresh session must be initiated.
There is no requirement of any third-party video calling apps such as Zoom, WhatsApp, and Skype, RBI clarified.
Never share personal details, PAN card and Aadhaar number if a link on SMS or email takes you outside the bank’s website to complete the video KYC as it could be fraudsters trying to gain access to your bank account.
As per RBI norms, banks should adopt a risk-based approach for periodic updation of KYC. For high-risk customers, banks can carry out updating of KYC at least once every two years. For medium risk customers, updating of KYC should be done once every eight years and for low-risk customers, updating of KYC needs to be done once every ten years from the date of opening of the account or date of last KYC updation.
Given the current pandemic situation, RBI has allowed periodic updation of KYC through various modes of communication. This includes a self-declaration through a registered email ID, a postal letter, net banking or mobile banking. Hence, customers don’t need to visit the bank branch in person for KYC updation.
Earlier on 18 December 2020, the RBI had amended the master directions on KYC norms and sought to mandate all legal entities whose accounts are opened prior to 1 April 2021, to upload their KYC data onto the Central KYC Records Registry (CKYCR), pursuant to Rule 9 (1A) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules).This amendment helps in streamlining the KYC process ensuring that it remains time-efficient and promotes ease of use for both the REs and their customers, through these additional provisions:
- REs shall directly retrieve online KYC records from CKYCR using the KYC Identifier as submitted by the customer (along with explicit consent for the usage of such reports). Consequently, there would be no additional customer requirement for submission of KYC records, unless there is either a change in customer information; or the customer’s address requires verification; or such additional KYC records are required by the RE in order to conduct either enhanced due diligence or risk profiling for the customer (as required under the master directions).
- REs shall communicate generation of the KYC Identifier by CKYCR, to the respective individual or legal entity.
The time period for KYC compliance with the CKYCR
As part of the customer due diligence, under the provisions of Rule 9 (1A) of the PML Rules, every RE is required to capture the customer’s KYC data and to file an electronic copy of the customer’s KYC records with the central KYC records registry. Such filing must be made within 10 days from the commencement of an account-based relationship with the customer.
With the objective of promoting ease of doing business, the government had formed CKYCR as a centralized KYC repository, to reduce the cost and burden of maintaining KYC documents by each financial institution or intermediary. This had in turn authorized the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), to perform the functions of and manage the CKYCR. Since the central registry is now fully operational for individual customers, as a logical corollary, RBI has extended the CKYCR compliance requirements to legal entities.