The KYC process in banks is a four-stage discipline: collect customer information, verify identity and address, profile customer risk, and monitor the relationship continuously. Globally, the framework comes from FATF Recommendations 10 to 12. In India, it is enforced through the RBI Master Direction on KYC, the Prevention of Money-Laundering Act, 2002, and the PML Rules of 2005.
We cover RBI’s stage-by-stage workflow, V-CIP procedure, the CKYCR upload obligation, the 2025 amendments that changed how periodic re-KYC must be handled, and the bank-type variations that make commercial banks, NBFCs, payment banks, SFBs, and UCBs operationally different. The primer on what KYC compliance involves covers the conceptual layer. This is the practitioner’s reference.
The KYC process in banks: 4 stages in 60 seconds
Globally, every bank’s KYC process moves through the same four stages, regardless of jurisdiction. The vocabulary changes between rule books, but the operational shape is consistent.
The standard 4 stages
Collect customer information (CIP): capture name, address, identity document, contact details, and, for non-individuals, ownership structure.
Verify identity and address: match documents to identity, validate against authoritative databases, and confirm the address is real and current.
Profile the customer’s risk (CDD / EDD): assign a risk tier based on identity, occupation, geography, product mix, and behaviour. Escalate high-risk customers to enhanced due diligence.
Monitor the relationship continuously: re-screen against sanctions and adverse media, watch for change-of-circumstance triggers, and refresh KYC on a risk-tier-based cadence.
Why banks specifically have heavier KYC
Banks sit at the centre of the financial system, which is why their KYC obligations are heavier than those of most other regulated entities. Globally, the Bank Secrecy Act and the USA PATRIOT Act in the US, the EU’s AMLD series, and the FATF Recommendations set the international perimeter. In India, the Prevention of Money-Laundering Act and the RBI Master Direction set the rules every bank must follow. The stakes are visible in the enforcement record: AML actions in the hundreds of millions of dollars, license risk, and reputational damage that compounds across years.
India’s bank KYC framework: the RBI Master Direction
The Indian framework has its own structure, its own vocabulary, and its own enforcement cadence, all of which a working compliance head has to know cold.
RBI Master Direction on KYC (2016 + amendments)
The RBI’s Master Direction on KYC, dated 25 February 2016, is the operative rulebook for every Regulated Entity in India: banks, NBFCs, payment banks, small finance banks, and urban co-operative banks. It sits above each bank’s internal KYC policy and defines the boundaries within which the policy must operate. Periodic amendments, typically twice a year, update specific paragraphs to reflect operational lessons or shifts in regulatory direction.
PMLA + PML Rules: the statutory base
The Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 are the statutory base. Every Regulated Entity is a “reporting entity” under PMLA, with obligations to maintain records, file STRs and CTRs with FIU-IND, and apply customer due diligence proportionate to risk. The RBI Master Direction operationalises these obligations; the PMLA gives them statutory teeth.
Recent amendments: operational changes
Recent RBI Master Direction amendments, covered in detail in the breakdown of the new RBI amendments to the KYC Master Direction, have changed the operational tempo around periodic re-KYC. Banking-correspondent-led KYC updation has been formalised, expanding the channels through which low-risk customers can complete refresh. Notice and reminder cadences for periodic updation have also been tightened, with banks now expected to deliver advance intimation followed by reminders before any restriction lands on the account.
Sector-specific Master Directions
The RBI has progressively published sector-specific operational guidance for commercial banks, NBFCs, payment banks, and urban co-operative banks. Each variant inherits the core Master Direction but adds operational nuance. UCBs face different periodic-updation expectations than commercial banks, and payment banks operate under deposit caps that change which KYC tier applies. Compliance teams covering more than one bank type have to reconcile the variants explicitly rather than assuming the parent rulebook generalises.
The bank KYC process: RBI stages step-by-step
The Indian process maps to the global four-stage framework but adds intermediate steps that banks operating under the Master Direction must follow. Each stage produces evidence that auditors will look for, so the operational work is also the audit pipeline.
Pre-KYC: application and initial data capture
The customer submits the account application, the bank KYC form, a self-declaration of risk profile, nominee details, and the OVD set. At this stage, no formal verification has happened. The bank is capturing intent and the data needed to initiate due diligence on the next stage.
In-principle account opening: limited operations
Where permitted under the Master Direction, the bank may open the account in principle with operational limits while full KYC is still in progress. This is most common for Aadhaar OTP-based eKYC accounts and small accounts where document constraints would otherwise block the customer entirely. Transaction caps and product restrictions stay in force until the full KYC completes.
Full KYC: verification and biometric
Full KYC is where the core verification happens. The bank validates the OVD, runs PAN verification, confirms address, and completes the chosen biometric or video step. Aadhaar-based eKYC, with Aadhaar masking applied to the document copy, is the dominant channel for retail accounts. The Aadhaar eKYC reference covers the available routes (OTP, biometric, offline XML). For non-face-to-face onboarding, video KYC replaces the physical IPV step. The full list of officially valid documents sets the document set the bank must accept.
Periodic updation
The RBI mandates periodic updation at least once every two years for high-risk customers, eight years for medium risk, and ten years for low-risk customers, per Q22 of the RBI FAQ on the Master Direction on KYC. The cadence runs from the date of last KYC, not from the calendar year. Banks may set tighter internal cadences but cannot exceed the regulatory ceilings.
Re-KYC triggers outside the cycle
Periodic updation is the floor, not the ceiling. Re-KYC is triggered earlier when a customer’s risk tier changes, for example when a low-risk customer moves into a high-cash-velocity business. It is also triggered when a suspicious-transaction signal is flagged, or when a sanctions or PEP list update implicates the existing customer. Modern programmes treat these triggers as the meaningful drivers of re-KYC volume; the periodic cycle becomes the background cadence.
V-CIP / Video KYC for banks
Video-based Customer Identification Process is one of the defining shifts in Indian banking KYC. The RBI’s V-CIP guidelines and the bank-specific implementation context in video KYC in banks cover the operational layer in depth. The summary below is the procedural anchor.
When V-CIP is permitted
Per the RBI FAQ, V-CIP is treated on par with face-to-face customer identification. Banks can use V-CIP for new customer onboarding, for converting Aadhaar OTP-based eKYC accounts to full-KYC, and for periodic updation of eligible customers. Assisted V-CIP, where banking correspondents facilitate the customer end of the process, is also permitted.
V-CIP workflow
The session must be live, secure, and consent-based. The bank captures the geo-tagged location of the customer, runs a live audio-visual interaction with an authorised employee, captures and validates the OVD in real time, runs liveness checks, and stores the recording with timestamps for audit. Per the RBI FAQ, specific facial gestures like blinking or smiling are not mandatory for the liveness check, and the operator must accommodate customer needs.
Common V-CIP procedural lapses
The patterns that cause audit findings are consistent. Recordings go missing or become unrecoverable when sample customers are pulled. Geo-tag errors creep in when the captured location does not match the consent record. Operator quality varies between officers in how rigorously they walk the OVD verification step. Banks that invest in operator training and recording-integrity checks rarely surface these issues in audit. Banks that treat V-CIP as a check-box almost always do.
CKYC record upload: the bank’s reporting obligation
CKYC sits parallel to bank KYC and is run by CERSAI as the Central KYC Records Registry. Every reporting entity uploads new customer KYC into the registry as part of its operational obligation, and the registry returns a reusable KYC Identifier that other regulated entities can pull on consent.
What CKYCR is and who runs it
The Central KYC Records Registry is operated by CERSAI under the Department of Economic Affairs. Banks and other reporting entities upload customer KYC data on a defined format, and the registry assigns a KYC Identifier per customer that can be reused across regulated entities. Per Q14 of the RBI FAQ, the KYC Identifier is the unique number assigned by CKYCR.
Upload obligation and format
Uploading customer KYC data to CKYCR is mandatory for new accounts opened by reporting entities. The format and field set are defined by CERSAI. Re-uploads are required when KYC information is updated or amended, because the registry must reflect the current state of the customer’s KYC.
How CKYC reduces re-KYC burden
When a customer with an existing CKYC ID approaches a different bank, the receiving bank can pull the existing KYC record on the customer’s consent and avoid asking for the same documents again. Per the RBI FAQ, the KYC Identifier can be used both for opening accounts and for periodic updation. The practical limits in 2026 are mostly about data freshness and field completeness. Older CKYC records may not contain attributes (mobile, email) that current Master Direction obligations require, in which case the receiving entity supplements rather than replacing.
Documents required for bank KYC
The OVD set is established by the RBI Master Direction and the underlying PMLA Rules. The list has been stable for years, with periodic refinements.
Officially Valid Documents (OVDs)
Per Q5 of the RBI FAQ, the six accepted OVDs are: passport, driving licence, proof of possession of Aadhaar number, Voter’s Identity Card issued by the Election Commission of India, NREGA job card duly signed by an officer of the State Government, and the letter issued by the National Population Register. PAN or Form 60 is required in addition to the chosen OVD.
Address-proof variations
When the OVD does not carry the current address, deemed OVDs apply. The accepted set includes utility bills not more than two months old (electricity, telephone, post-paid mobile, piped gas, water), property or municipal tax receipts, pension or family pension payment orders, and employer-allotted accommodation letters. The customer must submit an updated OVD with current address within three months of the deemed-OVD submission.
Documents for non-resident accounts
NRIs, PIOs, and OCIs face a different document set. The valid passport is the primary identity document. Visa or relevant overseas residency document, overseas address proof, and PAN (where held) round out the standard package. NRE versus NRO accounts have minor variance, and NRE accounts repatriating foreign earnings may require additional employment or income documentation.
Bank-type compliance comparison
The Master Direction applies across bank types, but each bank type has operational nuance that buyers and customers should understand. The differences are larger than they look on paper.
Commercial banks
Commercial banks carry universal KYC obligations under the Master Direction. Branch and digital coverage runs at scale. Periodic updation runs to the standard 2/8/10 cadence. The most resourced compliance programmes typically sit here, simply because the regulatory weight is heaviest.
NBFCs
The Master Direction applies to NBFCs as well. Sector-specific guidance has progressed in recent years, and lower-friction CDD on certain product lines is permitted where the underlying risk profile justifies it. The core obligations themselves are not relaxed.
Payment banks
Payment banks operate under limited deposit caps under the licensing regime. Tiered KYC is permitted, with small accounts running under simplified KYC and full accounts under the standard process. The product mix means re-KYC volume is driven differently than at universal banks.
Small Finance Banks (SFBs)
SFBs run a hybrid retail and microfinance KYC profile. Branch and agent-led models coexist. The agent-led channel adds intermediary risk that pure direct-to-customer flows do not have, since the human in the middle becomes part of the control surface.
Urban Co-operative Banks (UCBs)
Sector-specific Master Direction guidance applies to UCBs. The member-versus-customer KYC distinction matters here, because members carry additional obligations under co-operative regulations on top of the KYC framework that applies to all customers.
Failure modes: where bank KYC processes break
The patterns are consistent across institutions, and almost all failures fall into three buckets. Reading them in order is useful, because each one tends to cascade into the next.
Onboarding drop-off
V-CIP wait queues frustrate customers and pull them out of the funnel. OVD upload failures driven by image quality or DPI mismatches add another layer of attrition. Liveness rejections that misclassify real customers as spoof attempts compound the problem. Each of these is fixable, and together they decide what the bank’s onboarding conversion rate looks like in any given quarter.
Periodic re-KYC bottlenecks
Stale customer contact information breaks the advance-notice flow before it starts. Notice delivery friction, including emails that bounce and SMS that goes unread, compounds the problem. Account freeze fallout follows when periodic updation lapses without the customer having been reachable. The end-to-end KYC process reference covers how integrated programmes handle the lifecycle to reduce this.
CKYC upload errors
Format mismatches with the CERSAI specification are the first issue. Duplicate identity records, where the same customer ends up with two CKYC IDs at different reporting entities, are the second. The remediation is mostly procedural but consumes ops capacity disproportionately for the volume involved.
How automation changes the bank KYC process
The automation layer has reshaped what bank KYC can do at scale. The high-ROI surface areas are well-defined and stable.
Where automation has the highest ROI
OCR and intelligent document recognition for OVDs deliver the largest gains. Aadhaar masking on capture, applied automatically to the document copy retained on the bank’s side, is the next-highest ROI. Sanctions and PEP screening at onboarding and continuously thereafter sits alongside it. V-CIP scheduling and routing to the right operator pool closes out the high-ROI list. The customer due diligence and enhanced due diligence flows benefit most when the automation feeds clean evidence to the human reviewers.
Integration with core banking
Most Indian banks run on Finacle, Temenos T24, or BaNCS as the core banking system. KYC platforms typically integrate at four touchpoints: at customer onboarding (push KYC record into core), at periodic updation (pull customer for refresh), at sanctions hit (alert on existing customer match), and at re-KYC trigger event (orchestrate the next refresh cycle). AML compliance and KYC best practices discipline run alongside the integration. Tooling alone does not deliver the outcome.
See how Indian banks run V-CIP, eKYC, and re-KYC at scale
If you are building or refreshing the KYC stack for an Indian bank, NBFC, payment bank, or UCB, and you want to see how V-CIP, Aadhaar eKYC, periodic re-KYC, and CKYCR coordination come together in production, book a walkthrough with our team. The end-to-end KYC process explainer covers the operational layer at a higher level.
FAQs
What is the KYC process in banks?
The KYC process in banks is a four-stage discipline: collect customer information, verify identity and address, profile the customer’s risk, and monitor the relationship on an ongoing basis. In India, it is governed by the RBI Master Direction on KYC, the Prevention of Money-Laundering Act, 2002, and the PML Rules, 2005.
What are the 4 steps of KYC?
The four steps are: customer identification programme (CIP) for data capture, identity and address verification, customer due diligence (CDD) including risk profiling, and ongoing monitoring with re-screening and periodic updation.
How long does KYC take in a bank?
Aadhaar OTP-based eKYC clears in real time. V-CIP completes in minutes to hours. Aadhaar offline XML clears same-day. Traditional branch KYC takes one to three business days. Time depends on channel choice and the bank’s internal verification queues.
What documents are needed for bank KYC?
One Officially Valid Document (passport, driving licence, Aadhaar, Voter ID, NREGA job card, or NPR letter) plus PAN or Form 60. If the OVD does not contain the current address, a deemed OVD such as a utility bill not older than two months can supplement it, with an updated OVD due within three months.
What is periodic re-KYC in banks?
Periodic re-KYC is the regulator-mandated refresh of customer KYC at least once every two years for high-risk customers, eight years for medium-risk, and ten years for low-risk customers, per Q22 of the RBI FAQ on the Master Direction on KYC.
What is V-CIP KYC in banks?
V-CIP is Video-based Customer Identification Process: a live, secure, consent-based audio-visual interaction between the customer and an authorised bank employee, used for onboarding and KYC updation. Per the RBI FAQ, V-CIP is treated on par with face-to-face customer identification.
Is KYC mandatory for all bank accounts?
Yes. KYC is mandatory at account opening, for occasional transactions of ₹50,000 or more by walk-in customers, for any international money transfer operations, when the bank doubts the authenticity of customer information, and when the bank sells its own products or third-party products as an agent for amounts above the threshold.
What happens if KYC is not completed in a bank?
The bank must intimate the customer in advance and follow up with reminders. If the customer still does not complete pending KYC, the Prevention of Money-Laundering Rules require the bank to close the account after due notice. Reactivation later requires completing the pending KYC.
What is CKYC in bank?
CKYC, or Central KYC, refers to the Central KYC Records Registry operated by CERSAI. Banks and other reporting entities upload customer KYC data to CKYCR, and the registry assigns a unique KYC Identifier per customer. The Identifier can be reused across regulated entities to avoid duplicate KYC submissions.
Can NRIs complete bank KYC online?
Yes. NRIs can complete bank KYC through V-CIP or non-face-to-face channels, subject to the bank’s policy and the relevant document set (valid passport, visa or overseas residency document, overseas address proof, PAN where held). Some banks may require certified copies of documents from approved overseas certifying authorities for non-face-to-face onboarding.
