In the midst of an unprecedented crisis, it is emerging that the future can never really be anything like the past. With physical movements restricted and much less desired, financial institutions must rethink ways to onboard their customers safely and securely. On 09 January 2020, the Indian financial regulator made a remarkable amendment to the Master KYC directive allowing financial institutions to onboard customers through a Video call. The V-CIP process, according to the master direction, shall be treated on par with face-to-face onboarding. Since then, we have answered numerous questions on this subject from those who are trialing this service. We have laid down ten common questions raised and answered so far.
Can you provide me the link to the Master KYC directive?
While we think this is a given, we are astonished how many times this question is asked by Bankers. So here it is: Video Customer Identification Process (V-CIP) vide circular DOR.AML.BC.No.27/14.01.001/2019-20 dated 09 January 2020 and the master KYC directive: DBR.AML.BC.No.81/14.01.001/2015-16 last amended on 20 April 2020. Section 18 of the master direction elaborates on the process to be followed by regulated entities to establish an account-based relationship with an individual customer.
What forms of IDs are supported within Video KYC to be considered as full KYC?
Banks can use either OTP based Aadhaar e-KYC authentication or Offline Verification of Aadhaar for customer identification. All other regulated entities can only do Aadhaar Offline verification. For offline verification, customers can use Aadhaar Offline XML or Aadhaar Encrypted QR. However, when using Aadhaar Offline, the shareable Aadhaar Offline files and Encrypted QR should not be more than three days old.
How can Regulated Entities ensure that the Aadhaar Offline files are no more than three days old?
While we recommend getting the user to do an Aadhaar Offline during the Video call (through screen sharing so the whole process is recorded for audit purposes), it may not always be the natural flow for some businesses (e.g. when businesses are looking to convert minimum KYC customers to full KYC customer through V-CIP). As part of the Aadhaar Offline XML file, UIDAI provides a reference ID which has the timestamp which can be used to verify if the shareable file is older than three days.
Do I need to also capture the Aadhaar Card images during the live Video KYC?
Technically no if eKYC or Aadhaar Offline has been completed successfully as part of the V-CIP process. However, should the regulated entity decide to take a picture of the Aadhaar image (e.g. to verify if the details match with the XML file), then the Aadhaar numbers in the images and video needs to be redacted before storing. The regulation does not, however, prevent from taking the necessary documents to establish identity beyond doubt.
If a Bank Executive is not available to take the call, can a customer record and upload a video as part of the Video KYC process?
No. The regulator has made it clear that regulated entities must undertake a live video customer identification process. The regulator then goes on to insist: “Regulated Entity shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio-visual interaction with the customer”. Anything other than a live video interaction would be in violation of the current V-CIP process as defined by the regulator.
Who can do the Video KYC with customers?
A trained official will need to complete the Video KYC process. However, regulated entities can take the help of business correspondents to aid the customer with the video at the customer end. While the Video KYC is touted to be non-face to face, the regulator asserts that there may be cases where assistance may be needed by the customer to complete the same (e.g. rural population who may or may not possess a smart phone or the connectivity may not be amenable for a video call). Therefore, regulated entities, can take the assistance of business correspondents at the customer end to complete the video verification process without additional paper work.
How can a Regulated Entity initiate a Video KYC call with the customer?
There are no right or wrong ways to initiate the video call. Either the Banker can initiate the call from a CRM system (that integrates the Video KYC web software) or the customer can initiate the call from a mobile App (that integrates the Video KYC mobile software), a dedicated web portal or a link sent to the customer’s registered mobile or email. Regulated entities can choose to invoke the Video call in multiple ways that suits their onboarding flows best.
Does the Video KYC solution have to be deployed on premises to comply with the directive that video calls should originate from the REs own domain and not from third party service provider?
This is a tricky one. The regulator has asserted that the link that is used by customers to begin the video chat should necessarily originate from the domain of the regulated entity. And for good reasons such as to prevent large scale identity fraud. This squarely eliminates generic video tools such as skype, zoom, webex, duo and other popular video applications. And customers will soon be aware that regulated entities will never ask for personal details over a zoom call. However, this doesn’t mean that the regulated entities cannot use the Video KYC services that are hosted and managed on the cloud – hosted by or on behalf of the regulated entity with its own domain name. We recommend regulated entities choosing a supplier who can provide both on-cloud and on-prem options to handle current and future needs and adapt to volatile regulatory changes that may arise in the near future once this technology scales across India.
How can the Regulated Entity verify that the PAN or Aadhaar card belongs to the customer in the Video KYC?
The regulator encourages the use of advanced artificial intelligence solutions to match the image from PAN/Aadhaar to that of the image of the customer in the video call. This will with a high degree of confidence ensure that the customer is in possession of Aadhaar (by way of Aadhaar Offline or Aadhaar eKYC), Customer is in possession of PAN (PAN verified to be legitimate against issuing authority) and that the details in PAN and Aadhaar match. These checks will ensure that the customer in the Video KYC process is the true owner of the ID documents and any spoofing attempts can instantly be flagged for fraud review.
What other general precautions should the regulated entities take to ensure that the Video KYC is full proof?
The video is stored encrypted; questions in videos are varied to prevent spoofing attempts; quality of the video must verify the customer beyond doubt; sufficient liveness checks carried out by the officer; full audit logs maintained; video bears date and timestamp; audits done to verify that the compliance steps are enforced. While technology will play a major role, the ultimate responsibility of this whole process rests with the regulated entity so sufficient checks and balances will need to be in place prior to the rollout.