On 10th May this year, the Reserve Bank of India (RBI) amended the Master Directions (MD) on KYC to expand the scope and usage of Video-based Customer Identification Process (V-CIP).
These amendments are a welcome move as they effectively eliminate the various ambiguities associated with the implementation of a V-CIP solution.
Here’s our humble attempt to decode these amendments and shed light on their technical and regulatory implications on Regulated Entities (REs). For convenience of the readers, all the clauses mentioned in the RBI circular are stated in Italics. Kindly bear with us and this post is going to be a long read considering the number of amendments and the gravity of their implications. Let’s begin!
1. Amendment to Clause (xx) of Section 3: Definition of V-CIP
As per the new amendments, “Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP for the purpose of this Master Direction.”
Implication:
During our regular interactions with REs, we learnt that some REs were mulling the idea of implementing an automated AI-driven V-CIP process without any in-person participation by the V-CIP agent.
The idea was to allow customers to directly interact with this automated AI-driven V-CIP engine wherein the customers would read out aloud their responses to the random questions displayed on the screen and the AV (Audio & Video) file of this interaction would be recorded for completing the KYC process.
These REs were of the opinion that since the Video KYC Agents (Makers) and the verifiers (Checkers) would view the recorded AV file on a post-facto basis to either approve or reject the KYC transaction, the process would automatically abide with the regulatory mandates.
In light of the latest amendments, we would like to unequivocally assert that the aforementioned automated model would not comply with RBI’s mandates due to the following reasons:
1) The amendments clearly mention that the interaction has to be between the customer and the authorised official of the RE, thereby implying that any implementation of an automated V-CIP solution without the participation of the Agent will not meet the regulatory requirement.
2) Furthermore, the amendments clarify that this interaction between the authorised official of the RE and the customer should be “seamless, secure, live”, thereby implying that post-facto participation of the Maker will not suffice in meeting the regulatory requirement.
In a nutshell, the V-CIP process has to be a LIVE 2-way Audio Visual interaction, and not an automated one that skips the in-person participation of the Agent.
2. Amendment to Section 18 on V-CIP
The amendments cite that “REs may undertake V-CIP to carry out:
i) CDD in case of new customer on-boarding for individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity (LE) customers. Provided that in case of CDD of a proprietorship firm, REs shall also obtain the equivalent e-document of the activity proofs with respect to the proprietorship firm, as mentioned in Section 28, apart from undertaking CDD of the proprietor.
ii) Conversion of existing accounts opened in non-face to face mode using Aadhaar OTP based e-KYC authentication as per Section 17.
iii) Updation/Periodic updation of KYC for eligible customers.”
Implications:
1) REs can now use V-CIP for full KYC/Customer Due Diligence (CDD) of the authorised signatories/beneficial owners/proprietors for opening Current Accounts. The earlier mandate had permitted V-CIP for KYC of individual account holders for opening Savings Accounts only.
2) V-CIP can be now used for re-KYC and KYC updation also. RBI’s earlier notification had no mention of the usage of V-CIP for re-KYC and KYC update transactions.
3. V-CIP Infrastructure
i) The technology infrastructure should be housed in own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines.
Implication:
This amendment clearly implies that REs cannot opt for SaaS-based V-CIP service wherein the V-CIP infrastructure is hosted with their service provider.
ii) The RE shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner.
Implication:
During our interactions with REs, we noticed that many REs who have already implemented Video KYC as a part of their customer acquisition process are not recording their customer consent in an AV form during the Video KYC process.
Considering the latest amendments, we urge REs to record the consent of their customers in Audio Visual form during the LIVE V-CIP interaction and ensure that the same is an intrinsic part of the recorded and stored AV file.
iii) The V-CIP infrastructure/application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.
iv) The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt.
Implication:
Many REs who have implemented a V-CIP solution are embedding only the date and time stamp in their AV recording. With the latest amendments, REs are now mandated to auto-embed their customers’ GPS co-ordinates as well in the V-CIP AV recording.
v) The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with the RE. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.
Implication:
With this amendment, RBI has strongly encouraged the REs to implement automated modules/solutions to measure and record liveness and spoof detection in addition to the facial authentication process.
From what we understand, RBI wants to automate the process of detecting liveness and facial authentication with an intention to minimise, and if possible eliminate, any human discretion for this activity. This automation can be easily achieved by integrating robust AI-powered facial authentication and liveness check services like the ones offered by us.
vi) Based on experience of detected / attempted / ‘near-miss’ cases of forged identity, the technology infrastructure including application software as well as work flows shall be regularly upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber security event under extant regulatory guidelines.
Implication:
What this amendment means is that, going forward, REs have to mandatorily keep a record of all the KYC transactions where their customers were suspected to forge their identity or provided incorrect/false information, and flag off all such transactions as cyber security events and report the same to the regulators as per their existing reporting process.
(vii) The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by suitably accredited agencies as prescribed by RBI. Such tests should also be carried out periodically in conformance to internal / regulatory guidelines.
(viii) The V-CIP application software and relevant APIs / webservices shall also undergo appropriate testing of functional, performance, maintenance strength before being used in live environment. Only after closure of any critical gap found during such tests, the application should be rolled out. Such tests shall also be carried out periodically in conformity with internal/regulatory guidelines.
Implications:
REs will now have to conduct Vulnerability Assessment (VA) and Penetration Testing (PT) for the V-CIP infrastructure as well as for the V-CIP application. Our recommendation is that REs should appoint CERT-IN certified auditors to handle these security audit activities and to certify the sanctity of the application as well as the infrastructural components.
4. V-CIP Procedure
i) Each RE shall formulate a clear work flow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process shall be operated only by officials of the RE specially trained for this purpose. The official should be capable to carry out liveliness check and detect any other fraudulent manipulation or suspicious conduct of the customer and act upon it.
Implication:
This clause again asserts that the V-CIP transactions should be processed only by the officials of the RE, meaning that automated V-CIP services wherein the customers directly interact with an automated BOT, will not be permitted.
ii) If there is a disruption in the V-CIP procedure, the same should be aborted and a fresh session initiated.
Implication:
This amendment lends the much-needed clarity to the design of the V-CIP process. It unequivocally reaffirms that the recorded V-CIP interaction between the Agent and the customer has to be a seamless and single continuous interaction. A fragmented/broken V-CIP process will not therefore not adhere to RBI’s new mandates.
iii) The sequence and/or type of questions, including those indicating the liveness of the interaction, during video interactions shall be varied in order to establish that the interactions are real-time and not pre-recorded.
iv) Any prompting, observed at end of customer shall lead to rejection of the account opening process.
v) The fact of the V-CIP customer being an existing or new customer, or if it relates to a case rejected earlier or if the name appearing in some negative list should be factored in at appropriate stage of work flow.
Implications:
1) The officials of the RE handling the V-CIP transactions (Makers as well as Checkers) should be able to flag off suspicious transactions and reject the same.
2) The V-CIP engine should have an in-built feature of maintaining a bucket / flag for all transactions which were rejected earlier and the REs are expected to record all such transactions.
3) The V-CIP process should capture customer details while initiating any new V-CIP transaction and automatically check the same with the reject list maintained by the V-CIP engine. Any customer / transaction which was rejected earlier should be flagged off to the V-CIP Agent.
4) If any customer has been rejected earlier by any V-CIP official of the RE, the appropriate details of the same (e.g. reason of rejection, date and time stamp of the rejected transaction, name of the RE officer rejecting the customer, etc.) should be displayed to the RE’s officials.
vi) The authorised official of the RE performing the V-CIP shall record audio-video as well as capture photograph of the customer present for identification and obtain the identification information using any one of the following:
- OTP based Aadhaar e-KYC authentication
- Offline Verification of Aadhaar for identification
- KYC records downloaded from CKYCR, in accordance with Section 57, using the KYC identifier provided by the customer
- Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker
RE shall ensure to redact or blackout the Aadhaar number in terms of Section 16.
Implications:
1) These amendments have enhanced the usability of the V-CIP ecosystem manifold. REs are now permitted to obtain the identification of the customer through e-KYC, Offline KYC, CKYC and equivalent e-documents of Officially Valid Documents (OVDs) and documents issued through DigiLocker.
2) The data obtained from any of the above mentioned sources can be verified by the RE’s officials through a V-CIP transaction with the customer.
3) If a copy of Aadhaar is received in the response from CERSAI or DigiLocker, the Aadhaar number on the same should be redacted, implying that the V-CIP engine should be integrated with the Aadhaar masking application.
To Sum It Up
In our opinion these new amendments have paved the way for a faster adoption of V-CIP as a crucial e-KYC tool. As a leading e-KYC company in India, ECS’s V-CIP solution meets most of the new mandates outlined by RBI in these new amendments.
Please feel free to get in touch with our colleague Amit Joshi on amit@eastcs.com if you have any queries on these new amendments or need more information about ECS’s V-CIP and e-KYC solutions suite.