1. What is Video KYC
Video KYC allows a regulated entity to open an account-based relationship with a customer without meeting the customer face to face. The customer can, through a video call, chat directly with a Banker, provide all the identity documents to verify who they are and complete the account opening steps in a few minutes.
2. Is this approved by the Indian regulator?
Yes. The Indian Central Bank (RBI) provided the approval for Video Customer Identification Process (V-CIP) vide circular DOR.AML.BC.№27/14.01.001/2019–20 dated 09 January 2020. Section 18 of the circular elaborates on the process to be followed by regulated entities.
3. How can Video KYC help Regulated Entities?
Video KYC verification removes the need for customers to go into a branch, share paper copies, or wait for days for the account-opening process to be completed. This will transform the way bank accounts are opened in the future and reduces the cost of onboarding dramatically. One estimate puts that it costs between 150–200 for face to face onboarding. The same can be reduced to a fraction by doing video KYC without having to meet the customer face to face.
4. What forms of ID are supported within Video KYC?
Banks can use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for customer identification. All other regulated entities can only do Aadhaar Offline verification. For offline verification, customers can use Aadhaar Offline XML or Aadhaar Encrypted QR. However, when using Aadhaar Offline, the shareable Aadhaar Offline files and Encrypted QR should not be more than three days old.
5. How can Regulated Entities ensure that the Aadhaar Offline files are no more than three days old?
We strongly recommend that the customer be allowed to download the files during the live video call. This will ensure that the rightful owner of the Aadhaar is downloading the offline file and that the video will ensure that the download was done instantly complying with the Aadhaar file being within three days old.
6. Can the customer record and upload Videos as part of Video KYC?
No. The regulator has made it clear that “regulated entities may undertake live video customer identification process”. The regulator then goes on to insist: “Regulated Entity shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio visual interaction with the customer”. Anything other than a live video interaction would be a violation of the current Video KYC or V-CIP process as defined by the regulator.
7. Who can do the Video KYC with customers?
A trained official will need to complete the video KYC process. However, regulated entities can take the help of business correspondents to aid the customer with the video at the customer end using the BC’s device if needed. While the Video KYC is touted to be non-face to face, the regulator asserts that there may be cases where assistance may be needed by the customer to complete the same (e.g. rural population who may or may not possess a smart phone or the connectivity may not be amenable for a video call). Therefore, regulated entities, can take the assistance of business correspondents at the customer end to complete the video verification process without additional paper work.
8. Can the Bank or Regulated Entity outsource the entire Video KYC process to third party business correspondents?
No. The regulator states that “the V-CIP process shall be operated by officials specifically trained for this purpose”. The regulator further insists that “BCs can facilitate the process only at the customer end and as already stated above, the official at the other end of V-CIP interaction should necessarily be a bank official.”
9. How can the Video KYC be initiated by the Regulated Entity?
There are no right or wrong ways to initiate the video call. Either the Banker can initiate the call or the customer can initiate the call. There are practical difficulties for customer enabling the call as there needs to be sufficient Agents on board and as per demand to carry out Video KYCs. Our solution, however, works by allowing the Banker to initiate the call once the customer has registered his interest and has provided his consent and contact details for a video KYC.
10. What details need to be captured during the Video KYC process?
The following details will have to be captured during the live video KYC process. It can be done in any order:
1) Aadhaar Offline (by any regulated entity) or OTP based Aadhaar (only for Banks). Note that this must be done during the live video call through a screen share option in the video KYC solution.
2) Proof of possession of Aadhaar Number. This would suggest that the official sees the original Aadhaar card before Aadhaar Offline is carried out. And maybe a picture is taken to ensure that the Aadhaar card has been seen by the Bank official (although this is not mandated explicitly in the master KYC circular)
3) A picture of the customer in the live video is captured.
4) A picture of the PAN card is captured.
5) The live location of the customer is captured and verified that the customer is physically present in India (geo location verification).
6) All the questions and checks carried out during the call need to be captured.
7) Any notes entered during the call need to be captured.
8) Timestamps and metadata related to the video call needs to be captured for audit purposes.
11. How can regulated entities go about implementing Video KYC?
Technically it’s just establishing a video connection between two parties. However, in our experience, business, audit, compliance, risk, operations, legal, products and IT teams have to come together to create a scalable process that is legally vetted and totally compliant. The following set of questions are a good place to start for regulated entities.
1) Does the solution meet all the compliance requirements?
2) Can the solution be deployed on-premises?
3) Can the solution scale and can it be deployed on a fail-safe and scalable architecture?
4) Does the solution work on mobile and web for users to complete their video KYC?
5) Does the solution do a live streaming of video (and not video recording and uploading)?
6) Does the solution provide logs, audits, maker-checker and approvals workflow?
7) Does the solution come with APIs that can help integrate with existing back-end systems to provision account opening steps once the KYC is completed?
8) Can the solution augment artificial intelligence capabilities for face match, OCR, ID verification, image quality checks, Aadhaar masking and liveness checks?
9) Does the solution provide full audit trail and related data associated with the video KYC?
10) Is the system easy to use without having to go through long training cycles for Agents?
11) Does the system come with plug and play integration for mobile and web to take this solution to customers quickly?
12. Does the Video KYC solution have to be deployed on premises?
The regulator has asserted that the link that is used by customers to begin the video chat should necessarily originate from the domain of the regulated entity. This squarely eliminates generic video tools such as skype, zoom, webex, duo and other popular applications that are hosted on skype.com, zoom.com and such like. Instead, the regulator is looking for something like abcbank.com/videokyc so phishing and other malicious attacks can be prevented. A safer way to achieve this would be to integrate this into existing Banks’ mobile Apps or online Banking portal which triggers the video call from a safe and verified domain. And this would suggest that the entire set up is done on-premises and cloud-based solutions or even hybrid solutions will have a tough time getting through the internal compliance and legal team’s approval. The only exception to this rule is when ID verification needs to be done which usually needs to be an external API call with the issuing authority.
13. Does the PAN need to be verified against the issuing authority?
Yes. The regulator has clearly stated that regulated entities shall “capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority”. There are several API based solutions and can be done concurrently once the PAN image is captured.
14. How can the Regulated Entity verify that the PAN or Aadhaar card belongs to the customer in the Video KYC?
The regulator encourages the use of advanced artificial intelligence solutions to match the image from PAN/Aadhaar to that of the image of the customer in the video call. This will with a high degree of confidence ensure that the customer is in possession of Aadhaar (by way of Aadhaar Offline), Customer is in possession of PAN (PAN verified to be legitimate against issuing authority) and that the details in PAN and Aadhaar match. In addition, the face image matches with the PAN and Aadhaar image with a high degree of confidence. This triangulation of checks will ensure that the customer is legit and spoofing or identity manipulation is quickly flagged for review.
15. Does the Aadhaar number in the Aadhaar Card shown in the video call need to be masked as per regulations?
Without a doubt, Yes. The circular states that wherever customer submits a proof of possession of Aadhaar containing Aadhaar Number, the same is redacted. For instance, in the video KYC process, the Bank official can ask to see the Aadhaar card before Aadhaar Offline is carried out. Therefore, the video captured will have the Aadhaar image and should be subject to Aadhaar Masking as per regulations. The good news is that AI technologies exist to complete this step.
16. Can I initiate the video call through a link I share with the customer?
While this is technically possible, and may even sound novel, we strongly recommend not to use this method. Web links are fraught with high risks of fraud for Banks and could inconvenience genuine customers. Any fraudster could send a link to a customer in the guise of video KYC and could potentially gain access to sensitive information. Therefore, we strongly recommend that Banks initiate this only within their web portals and their Mobile Apps which usually are built with several security features to protect customers from fraud.
17. What are the other general precautions that the regulated entities must take to ensure that the Video KYC is full proof?
The video call must be done in real time (video recording and uploading is not permitted), video is stored encrypted; questions in videos are varied to prevent spoofing attempts; quality of the video must verify the customer beyond doubt; sufficient liveness checks carried out by the officer; full audit logs maintained; video bears date and timestamp; audits done to verify that the compliance steps are enforced. While technology will play a major role and will push the boundaries of possibilities, the ultimate responsibility of this whole process rests with the regulated entity.
About: We are building a digital identity and fraud prevention platform that will benefit a billion people to securely and privately share their identities with business that need them. The latest Video KYC solution from your friends at frslabs is set to revolutionize customer onboarding.