Digital KYC and live video based customer identification process

Introduction

The Reserve Bank of India (“RBI”) notified an amendment to the Know Your Customer (“KYC”) Master Direction 2016 (“KYC Directions”) on 9th January 2020. The amendment permits Digital KYC and Video based Customer Identification (“V-CIP”) as methods to verify a customer’s identity.

Digital KYC

To facilitate Customer Due Diligence (“CDD”) procedures, the RBI now allows Regulated Entities (“REs”) to authenticate a customer’s identity through Digital KYC [1] – i.e. by capturing a live photograph of the customer. Digital KYCs shall be carried out to verify either any Officially Valid Document (“OVD”) or Aadhaar in the absence of offline verification. The photograph must be captured by an authorised officer of the RE along with the latitude and longitude of the location where such photograph is taken. The live photograph which is embedded in the customer application form. Banks may employ business correspondents to carry out such authentication.

The amended KYC Directions now detail the process to be undertaken by REs for carrying out Digital KYC. The process primarily includes the following:

1. Developing a secure application to carry out the process which records accurate technical details such as the application number, GPS coordinates, date and time stamps, the authorised official’s name and his/her assigned unique employee code;
2. Ensuring that the photograph of the customer and the OVD or Aadhaar captured live, is with a white background and taken in adequate light. The REs must ensure that the photograph is not skewed or tilted;
3. Ensure OTP verifications are undertaken to verify the details provided by the customer and to verify the identity of the authorised officer of the RE;
4. Ensure that while the application form along with the live photographs are digitally signed, the original OVD or Aadhaar is returned to the customer; and
5. The KYC Directions clarify that Digital KYC can be conducted either by the authorised officer of the RE visiting the customer or by the customer visiting the location of the authorised officer.

Video-based customer identification process

In addition to the OTP based e-KYC, the RBI has now introduced another option that is the VCIP under the CDD procedure, for undertaking verification of documents for an account-based relationship . V-CIP is a real-time, consent based audio visual interaction between the RE and the customer for the purpose of identification.

V-CIP can be undertaken by an official of the RE who records live video and captures a live photograph of the customer as well as the document being submitted for identification i.e. either the Permanent Account Number (“PAN”) card or the Aadhaar.

1. If the customer wishes to give his/her PAN card, the same is verified with the database of the issuing authority.
2. If the customer wishes to give Aadhaar for identification in the process, REs other than banks may carry out offline verification while banks are allowed to undertake OTP based e-KYC authentication. However, the Aadhaar number must be redacted or blacked out. Further, if an XML file or an Aadhaar Secure QR Code is used for offline verification, such XML file or QR code should not be older than 3 days from the date of carrying out V-CIP.

To carry out V-CIP, the REs must primarily ensure the following:

1. The official of the RE must be specifically trained for this purpose and must ensure that the photograph and details of the PAN/Aadhaar match with the details provided by the customer. The video feed must be triggered from the domain of the RE itself and not on a third party’s domain.
2. The sequence and nature of questions during the live video must be shuffled in order to ensure that the identification is happening in real-time.
3. Technical safeguards must be put in place with regular software and security audits. There must be end-to-end encryption, geotagging (to ensure that the customer is in India), maintenance of activity logs, recording of date and time stamps and secure storage. The RBI also encourages the use of artificial intelligence and facial recognition technologies.
4. While banks may employ business correspondents to facilitate V-CIP, the business correspondents can facilitate the process only at the customer’s end. The person at the other end of the video interaction must be a bank official. Further, the banks must maintain details of the business correspondents that assist the customer during V-CIP.

Equivalent E-documents

In a long-awaited move, the KYC Directions now recognise the validity of e-documents which can be produced by customers for CDD procedures. Such documents must contain valid Digital Signatures [2] and would include documents issued to the customer through respective digital locker accounts envisioned by the government under the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.

Conclusion

RBI’s move will have a huge impetus on easing KYC challenges and hurdles faced by the REs until now. Needless to state, not only would the implementation of such procedures by REs make their identification systems more secure, it also opens up commercially less burdensome processes to ensure easy onboarding and inclusion of customers across the nation.

____________________________________________

Footnotes:

[1] Digital KYC as per section 3(a)(viii) of the KYC Directions involves capturing of the live photo of the customer and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the RE as per the provisions contained in the Prevention of Money-Laundering Act, 2002.

[2] Digital Signature as per section 2(1)(p) of the Information Technology Act, 2000 means the authentication of any electronic record by a subscriber effected by the use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.