How DigiLocker Is Used for KYC Verification in India (2026 Guide)

Digilocker in KYC is one of the two or three highest-trust paths to collect customer documents during onboarding in India. Unlike a photographed upload, a document fetched from DigiLocker arrives digitally signed by the issuing authority, which means the regulated entity does not have to run OCR or tamper-analysis before trusting it.

This guide explains how DigiLocker KYC actually works end-to-end, where it fits alongside Aadhaar OTP eKYC and offline XML, how to handle the common failure modes in production, and how the combination of DigiLocker, CKYC, and video KYC has become the default onboarding stack for Indian banks and NBFCs.

What is DigiLocker KYC and Why It Matters in 2026

DigiLocker is a cloud-based platform launched by India’s Ministry of Electronics and IT that lets citizens store and share their verified documents digitally. It’s like a government-backed digital wallet for all your official documents.

DigiLocker documents are recognized as “equivalent e-documents,” holding the same legal validity as original physical documents under the Information Technology Act, 2000. 

According to RBI’s 2025 KYC Direction guidelines, regulated entities (RE) are legally authorized to accept DigiLocker OVDs as part of the customer identification process. 

DigiLocker works as a bridge between three critical identity systems: 

• Aadhaar: Users link their Aadhaar with DigiLocker, enabling instant verification using OTP and optionally biometrics for enhanced security
• PAN: PAN cards issued by NSDL or the Income Tax Department are fetched and verified as OVDs through DigiLocker
• C-KYC Registry: DigiLocker supports integration with the Central KYC Records Registry, letting REs reuse KYC records and reduce document redundancy

What does this mean? 

Banks can instantly pull verified Aadhaar and PAN from DigiLocker, cross-check against C-KYC records, and complete verification in one flow. This three-way integration turns what used to be a multi-day process into a few minutes of automated checks.

How DigiLocker KYC Actually Works: End-to-End Flow

DigiLocker KYC is often described at the conceptual level (“a digital document wallet”) without an end-to-end explanation of how a regulated entity actually uses it at onboarding. This section gives the mechanical flow.

User Consent via DigiLocker OAuth

The customer authenticates on the DigiLocker portal (or inside the regulated entity’s app through an embedded flow) using mobile OTP plus, optionally, an Aadhaar-linked mobile number. DigiLocker then asks the customer to authorise the regulated entity to fetch specific documents. Nothing moves without this consent step. The authorisation is scoped (specific document types, time-limited) and revocable, which is a meaningful privacy upgrade over a plain document upload flow.

Pulling Issued Documents vs Uploaded Documents

This is the distinction most DigiLocker content misses and it matters for compliance. Documents in DigiLocker fall into two categories. Issued documents are pulled directly from the issuing authority (UIDAI, NSDL, state transport departments) into the customer’s DigiLocker account and carry the issuer’s digital signature. Uploaded documents are user-uploaded copies and carry no such signature. For KYC purposes, only issued documents are considered self-authenticating under the IT Act and RBI guidance. A regulated entity that relies on uploaded documents is, effectively, accepting a self-attested photocopy, which defeats the point of using DigiLocker in the first place. Check the signature status before accepting.

Document Signature Verification and Non-Repudiation

Every issued document in DigiLocker carries a PKI-based digital signature from the source authority. The regulated entity’s KYC stack verifies this signature on fetch, which confirms two things: the document is authentic (issued by the claimed authority) and it has not been altered since issuance. This gives DigiLocker KYC a non-repudiation property that paper uploads and even Aadhaar OTP eKYC do not have. For compliance teams, this is the real compliance strength of DigiLocker, not the paperless experience.

DigiLocker vs Other KYC Methods: When to Use Which

DigiLocker, Aadhaar OTP eKYC, offline Aadhaar XML, and physical OVD upload each have legitimate use cases. Picking the wrong one adds friction or regulatory exposure.

DigiLocker vs Aadhaar OTP eKYC

Aadhaar OTP eKYC returns Aadhaar demographic data from UIDAI based on an OTP authentication. DigiLocker goes one step further and returns an authenticated digital copy of the Aadhaar XML (or other documents) that the customer has in their DigiLocker account. For regulated entities that need the document artefact (not just the demographic data), DigiLocker is the cleaner path. For entities that only need demographic verification, Aadhaar OTP eKYC is faster and lighter. Many stacks combine both: OTP eKYC for instant verification, DigiLocker for document collection.

DigiLocker vs Physical OVD Upload

Physical OVD upload is a scanned or photographed copy of the document submitted by the customer. It requires the regulated entity to run OCR, anti-tampering checks, and quality validation. DigiLocker-fetched documents skip all of that because they arrive as structured, digitally-signed records from the issuer. Whenever the customer has the document in DigiLocker, fetching via DigiLocker is the better path.

DigiLocker vs Offline Aadhaar XML

Offline Aadhaar XML is a UIDAI-provided encrypted file that a customer generates on the UIDAI portal and hands to a regulated entity. It works offline (no UIDAI API call at the moment of verification) but the customer has to perform a separate download step. DigiLocker streamlines this by fetching the Aadhaar XML on demand, with consent, in a single flow. If the customer has a linked DigiLocker account, DigiLocker is usually the better experience; offline XML remains useful as a fallback for customers who do not.

The Evolution of Video KYC and RBI’s Latest Guidelines

RBI’s master guidelines issued on 9th Jan 2020 officially recognized the Video-based Customer Identification Process (V-CIP) as a method to verify customer identity remotely through secure live video calls. 

This same notification also permitted the use of DigiLocker-issued Officially Valid Documents, positioning DigiLocker as a cornerstone of compliant digital onboarding by 2025. 

Here are the key V-CIP updates between 2023 and 2025: 

Authorizing DigiLocker-issued OVDs in video KYC

The April-May 2023 issue mandated the use and acceptance of DigiLocker-issued OVD as legally valid proof for identity and address verification during video KYC. The authorized official performing V-CIP can now fetch verified documents through DigiLocker APIs in real-time, streamlining both onboarding and KYC updates. 

Expanding V-CIP scope for KYB (know your business)

RBI expanded the scope of the Video-based Customer Identification Process (V-CIP) KYC in 2025 to include sole proprietors, authorized signatories, and beneficial owners. Meaning, DigiLocker OVDs can now be used for KYB for legal entities and proprietorship firms.

RE can capture identity information of sole proprietors and beneficial owners from Digilocker through documents like: 

• Aadhaar Card (including offline verification or e-KYC authentication)
• PAN Card (or equivalent e-document)
• Passport
• Voter ID Card
• Driving License
• Job Card issued under NREGA

V-CIP can also be used to convert half KYC accounts to full accounts and for periodic KYC updation. 

Mandating robust V-CIP infrastructure requirements

Between 2023 and 2025, RBI Video KYC guidelines were introduced, outlining key infrastructure and regulatory enhancements requirements. This includes: 

• The video recordings should contain the live GPS coordinates (geo-tagging) of the customer undertaking the V-CIP and a date-time stamp
• The application shall have components with face liveness/spoof detection as well as face matching technology with a high degree of accuracy. An AI technology can be used to detect liveness
• The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing, and a Security Audit to ensure its robustness and end-to-end encryption capabilities
• The V-CIP infrastructure/application should be capable of preventing connections from IP addresses outside India or from spoofed IP addresses
• The RE shall ensure end-to-end encryption of data between the customer device and the hosting point of the V-CIP application, as per appropriate encryption standards

Here’s a quick timeline glance at how RBI guidelines have been updated over the years: 

January 2020: Legal acceptance of Video KYC (V-CIP) and authorization of DigiLocker OVDs

April 28, 2023: Mandated secure data handling, geo-tagging, and introduced single-session rules 

May 4, 2023: Reduced BO threshold (10%), extended Aadhaar XML validity to three working days, and excluded third-party video platforms

June 12, 2025: Authorized Business Correspondents for KYC updation, emphasized AI-powered liveness detection, multilingual support, and low-bandwidth optimization

August 14, 2025: Expanded V-CIP scope, reinforced Indian server storage

How C-KYC and DigiLocker Streamline Video KYC

C-KYC, coupled with DigiLocker, digitizes the verification of OVDs during V-KYC. Think of C-KYC, DigiLocker, and Video KYC as three pillars that together create a seamless digital verification experience.

How exactly do they fit in the process? 

• C-KYC acts as India’s centralized identity vault. Once the customer completes KYC with any financial institution, their verified data gets stored in the Central KYC records. Regulated entities can fetch and reuse these financial details without requiring customers to repeatedly produce their KYC details.
• DigiLocker serves as the customer’s government-backed digital document wallet. Their Aadhaar, PAN, and other official documents live here in authenticated form. During video KYC, banks can pull these documents directly with customer consent. 
• Video KYC brings real-time human verification into the mix. An authorized official verifies the customer’s identity through a live video call, checking both their face and documents.

How does this interoperability help banks and regulated entities? 

RBI has mandated the integration of Video KYC data with the Central KYC Registry. According to the 2025 Master Direction and recent amendments, regulated entities must upload and update customer KYC data obtained through the V-CIP to the CKYCR in real-time.

This creates a feedback loop where every new verification strengthens the system.

When a bank completes your video KYC, that verified data gets uploaded to C-KYC. The next bank you approach can download this record using your KIN. They still need to verify you’re the same person (through video KYC), but the heavy lifting is done.

Regulated entities must obtain customer consent to download KYC records for Customer Due Diligence.

Here’s a quick visual workflow in action: 

Common DigiLocker KYC Failure Modes and How to Handle Them

DigiLocker is reliable at scale but not 100% available. Production KYC flows that depend on it need defined fallbacks. Three failure modes account for the majority of real-world incidents.

User Has No Linked Documents

A small but real segment of customers either does not have a DigiLocker account or has an account with no documents linked. The flow should detect this before asking the user to authenticate (by checking the DigiLocker-enabled flag or by offering the DigiLocker path as an option, not the only option) and gracefully fall back to Aadhaar OTP eKYC or physical OVD capture. Never strand a customer on a DigiLocker-only path.

Document Fetch Fails or Service Downtime

Like any API, DigiLocker has occasional downtime and transient fetch failures. The KYC stack should have retry logic with exponential backoff, a short session-level timeout (usually 30-45 seconds), and a fallback path to Aadhaar OTP eKYC or physical upload after retry exhaustion. Log the failure so the analytics dashboard surfaces systemic DigiLocker outages rather than burying them inside a generic “KYC failed” count.

Stale or Revoked Issued Documents

Rarely, an issued document in DigiLocker may be stale (the issuer reissued but the customer has not refreshed) or revoked (the issuer invalidated the original). The signature verification step catches most of these. For documents where the issuer’s revocation mechanism is weak, add a second check against the issuer’s status API where available (for example, for Aadhaar, a soft validation against UIDAI’s latest record).

Integration Blueprint for Banks and NBFCs

Banks and NBFCs are required to integrate Video KYC (V-CIP) as part of their digital onboarding processes. But how exactly do they orchestrate a balance between security, fraud detection, and identity verification without causing friction? 

Step-by-step implementation workflow

Customer consent and Digilocker authentication

The process starts with the user verifying their Aadhaar via DigiLocker. Once the Aadhar is verified, they are added to the queue or offered an option to schedule a live video call. 

Video call verification

Authorized officials of the RE conduct a live video call and record the entire session. During the call, the official performs identity authentication and liveness verification by:

• Requesting the customer to display their PAN card and capturing a clear image for verification
• Asking the customer to verbally confirm details such as name, address, and other information from their PAN and Aadhaar
• Conducting liveness checks through randomized prompts (blinking, nodding, or head movements) to confirm physical presence
• Matching the customer’s live facial image with photographs on Aadhaar and PAN documents
• Obtaining the customer’s live signature for record-keeping purposes

Central KYC (C-KYC) check & unique KYC identifier creation

After video KYC, user details are cross-verified with the CKYC Registry to ensure no duplicate or inconsistent KYC exists. 

Final approval and onboarding

Once the above steps are validated and completed, the financial institution grants customer onboarding approval. 

Technical requirements for video KYC

API stack

• Implementation of secure, scalable APIs to connect with DigiLocker for fetching verified digital documents.
• Video KYC APIs handle the live call infrastructure, face matching, and liveness detection. 

Remember, APIs must support real-time data exchange, retry, and error handling (with fallback mechanisms) to ensure smooth customer onboarding. Everything that HyperVerge video KYC API offers. 

Encryption

End-to-end encryption of all video streams, document transfers, and personal data, compliant with RBI and IT Act data security standards.

Audit trails

Maintenance of immutable logs recording every step of the Video KYC process, including: 

• Customer consent
• Document fetch timestamps
• Video verification records
• Liveness and geo-validation results
• Approval actions

Secure storage

Secured and tamper-proof storage of KYC data and video call recordings for a minimum retention period of 7 years as per RBI norms. 

Need an all-in-one solution? 

HyperVerge provides ready-to-deploy SDKs and APIs that handle the entire technical complexity, including liveness detection, face matching, OCR, and geo-validation. 

With its HyperVerge ONE VKYC, you can build end-to-end customizable workflows with fallback options to reduce drop-offs during onboarding. With an average call duration of 70 seconds, HyperVerge offers 88-95% conversion rates. 

Trusted by over 400 banks, insurance companies, securities firms, digital lenders, and financial services, HyperVerge is recognized for its exceptionally low false positive rate (99.5%). Book a demo now.