1.What is Video KYC
Video KYC allows a regulated entity to open an account-based relationship with a customer without meeting the customer face to face. The customer can, through a video call, chat directly with a Banker, provide all the identity documents to verify who they are and complete the account opening steps in a few minutes.
2. Is this approved by the Indian regulator?
Yes. The Indian Central Bank (RBI) provided the approval for Video Customer Identification Process (V-CIP) vide circular DOR.AML.BC.№27/14.01.001/2019–20 dated 09 January 2020. Section 18 of the circular elaborates on the process to be followed by regulated entities. Soon after this SEBI on 24 April 2020 provided approval for Video in Person Verification (VIPV). IRDAI then approved Video Based Identification Process (VBIP) on 21 September 2020. And finally PFRDA approved Video KYC for intermediaries to service pension subscribers without meeting face to face.
3. How can Video KYC help Regulated Entities?
Video KYC verification removes the need for customers to go into a branch, share paper copies, or wait for days for the account-opening process to be completed. This will transform the way bank accounts are opened in the future and reduces the cost of onboarding dramatically. One estimate puts that it costs between 150–200 for face to face onboarding. The same can be reduced to a fraction by doing video KYC without having to meet the customer face to face.
4. What forms of ID are supported within Video KYC?
Banks can use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for customer identification. All other regulated entities can only do Aadhaar Offline verification. For offline verification, customers can use Aadhaar Offline XML or Aadhaar Encrypted QR. However, when using Aadhaar Offline, the shareable Aadhaar Offline files and Encrypted QR should not be more than three days old.
5. How can Regulated Entities ensure that the Aadhaar Offline files are no more than three days old?
While we recommend getting the user to do an Aadhaar Offline during the Video call (through screen sharing so the whole process is recorded for audit purposes), it may not always be the natural flow for some businesses (e.g. when businesses are looking to convert minimum KYC customers to full KYC customer through V-CIP). As part of the Aadhaar Offline XML file, UIDAI provides a reference ID which has the timestamp which can be used to verify if the shareable file is older than three days.
6. Can the customer record and upload Videos as part of Video KYC?
No. The regulator has made it clear that “regulated entities may undertake live video customer identification process”. The regulator then goes on to insist: “Regulated Entity shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio visual interaction with the customer”. Anything other than a live video interaction would be a violation of the current Video KYC or V-CIP process as defined by the regulator.
7. Who can do the Video KYC with customers?
A trained official will need to complete the video KYC process. However, regulated entities can take the help of business correspondents to aid the customer with the video at the customer end using the BC’s device if needed. While the Video KYC is touted to be non-face to face, the regulator asserts that there may be cases where assistance may be needed by the customer to complete the same (e.g. rural population who may or may not possess a smart phone or the connectivity may not be amenable for a video call). Therefore, regulated entities, can take the assistance of business correspondents at the customer end to complete the video verification process without additional paper work.
8. Can the Bank or Regulated Entity outsource the entire Video KYC process to third party business correspondents?
No. The regulator states that “the V-CIP process shall be operated by officials specifically trained for this purpose”. The regulator further insists that “BCs can facilitate the process only at the customer end and as already stated above, the official at the other end of V-CIP interaction should necessarily be a bank official.”
9. How can the Video KYC be initiated by the Regulated Entity?
There are no right or wrong ways to initiate the video call. Either the Banker can initiate the call from a CRM system (that integrates the Video KYC web software) or the customer can initiate the call from a mobile App (that integrates the Video KYC mobile software), a dedicated web portal or a link sent to the customer’s registered mobile or email. Regulated entities can choose to invoke the Video call in multiple ways that suits their onboarding flows best.
10. What details need to be captured during the Video KYC process?
The following details will have to be captured during the live video KYC process. It can be done in any order:
1) Aadhaar Offline (by any regulated entity) or OTP based Aadhaar (only for Banks). Note that this must be done during the live video call through a screen share option in the video KYC solution.
2) Proof of possession of Aadhaar Number. This would suggest that the official sees the original Aadhaar card before Aadhaar Offline is carried out. And maybe a picture is taken to ensure that the Aadhaar card has been seen by the Bank official (although this is not mandated explicitly in the master KYC circular)
3) A picture of the customer in the live video is captured.
4) A picture of the PAN card is captured.
5) The live location of the customer is captured and verified that the customer is physically present in India (geo location verification).
6) All the questions and checks carried out during the call need to be captured.
7) Any notes entered during the call need to be captured.
8) Timestamps and metadata related to the video call needs to be captured for audit purposes.
11. How can regulated entities go about implementing Video KYC?
Technically it’s just establishing a video connection between two parties. However, in our experience, business, audit, compliance, risk, operations, legal, products and IT teams have to come together to create a scalable process that is legally vetted and totally compliant. The following set of questions are a good place to start for regulated entities.
1) Does the solution meet all the compliance requirements?
2) Can the solution be deployed on-premises?
3) Can the solution scale and can it be deployed on a fail-safe and scalable architecture?
4) Does the solution work on mobile and web for users to complete their video KYC?
5) Does the solution do a live streaming of video (and not video recording and uploading)?
6) Does the solution provide logs, audits, maker-checker and approvals workflow?
7) Does the solution come with APIs that can help integrate with existing back-end systems to provision account opening steps once the KYC is completed?
8) Can the solution augment artificial intelligence capabilities for face match, OCR, ID verification, image quality checks, Aadhaar masking and liveness checks?
9) Does the solution provide full audit trail and related data associated with the video KYC?
10) Is the system easy to use without having to go through long training cycles for Agents?
11) Does the system come with plug and play integration for mobile and web to take this solution to customers quickly?
12. Does the Video KYC solution have to be deployed on premises?
This is a tricky one. The regulator has asserted that the link that is used by customers to begin the video chat should necessarily originate from the domain of the regulated entity. And for good reasons such as to prevent large scale identity fraud. This squarely eliminates generic video tools such as skype, zoom, webex, duo and other popular video applications. And customers will soon be aware that regulated entities will never ask for personal details over a zoom call. However, this doesn’t mean that the regulated entities cannot use the Video KYC services that are hosted and managed on the cloud – hosted by or on behalf of the regulated entity with its own domain name. We recommend regulated entities choosing a supplier who can provide both on-cloud and on-prem options to handle current and future needs and adapt to volatile regulatory changes that may arise in the near future once this technology scales across India.
13. Does the PAN need to be verified against the issuing authority?
Yes. The regulator has clearly stated that regulated entities shall “capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority”. There are several API based solutions and can be done concurrently once the PAN image is captured.
14. How can the Regulated Entity verify that the PAN or Aadhaar card belongs to the customer in the Video KYC?
The regulator encourages the use of advanced artificial intelligence solutions to match the image from PAN/Aadhaar to that of the image of the customer in the video call. This will with a high degree of confidence ensure that the customer is in possession of Aadhaar (by way of Aadhaar Offline), Customer is in possession of PAN (PAN verified to be legitimate against issuing authority) and that the details in PAN and Aadhaar match. In addition, the face image matches with the PAN and Aadhaar image with a high degree of confidence. This triangulation of checks will ensure that the customer is legit and spoofing or identity manipulation is quickly flagged for review.
15. Does the Aadhaar number in the Aadhaar Card shown in the video call need to be masked as per regulations?
Without a doubt, Yes. The circular states that wherever customer submits a proof of possession of Aadhaar containing Aadhaar Number, the same is redacted. For instance, in the video KYC process, the Bank official can ask to see the Aadhaar card before Aadhaar Offline is carried out. Therefore, the video captured will have the Aadhaar image and should be subject to Aadhaar Masking as per regulations. The good news is that AI technologies exist to complete this step.
16. Can I initiate the video call through a link I share with the customer?
Yes. However, we strongly recommend sufficient safeguards from phishing and clickbaits to protect vulnerable customers. Web links are fraught with high risks of fraud for Banks and could inconvenience genuine customers. Any fraudster could send a link to a customer in the guise of video KYC and could potentially gain access to sensitive information. Therefore, we strongly recommend that Banks initiate this only within their web portals and their Mobile Apps which usually are built with several security features to protect customers from fraud.
17. What are the other general precautions that the regulated entities must take to ensure that the Video KYC is full proof?
The video call must be done in real time (video recording and uploading is not permitted), video is stored encrypted; questions in videos are varied to prevent spoofing attempts; quality of the video must verify the customer beyond doubt; sufficient liveness checks carried out by the officer; full audit logs maintained; video bears date and timestamp; audits done to verify that the compliance steps are enforced. While technology will play a major role and will push the boundaries of possibilities, the ultimate responsibility of this whole process rests with the regulated entity.
About: FRSLABS is an award-winning research and development company focussed on identity verification and fraud prevention solutions for businesses. We are building the next generation video KYC, OCR, face verification, identity verification and IRSF fraud prevention solutions to benefit a billion people.