RBI KYC Guidelines 2026: The Compliance Reference

Compliance is no longer a mere cost but a critical aspect of business operations. Organizations must adapt to the changing compliance landscape, leverage technology for risk assessment, address verification challenges, and strengthen their AML efforts.

The RBI KYC guidelines are the operative rule set for every Regulated Entity in India: banks, NBFCs, payment banks, small finance banks, urban co-operative banks, and the broader regulated financial system. They sit inside the RBI Master Direction on KYC, dated 25 February 2016, with amendments released through 2025 that have materially reshaped how compliance programmes operate. The statutory base is the Prevention of Money-Laundering Act, 2002 and the PML Rules, 2005. The international anchor is FATF Recommendations 10 to 12.

We cover what the Master Direction says, what changed in 2025, how the rules differ across institution types, what V-CIP and periodic updation actually require, where CKYCR fits in, and the 2026 readiness checklist compliance leads can use as a sanity pass. The explainer of what KYC compliance involves covers the broader discipline. This is the rule book.

What the RBI KYC Master Direction is, and why 2026 matters

The RBI Master Direction on KYC is the primary regulatory instrument governing customer identification, due diligence, and ongoing monitoring across every Regulated Entity in India. Issued under the authority of the PMLA, the Master Direction operationalises the statutory obligations into clauses that REs must follow. The 2026 angle matters because the recent amendment cadence has been steady, and several operational expectations sharpened materially through 2025.

The 2016 baseline

The Master Direction on KYC was issued on 25 February 2016 as the umbrella framework consolidating earlier RBI circulars on KYC and AML. The PMLA, 2002 and the PML Rules, 2005 are the statutory root, and the Master Direction operationalises these obligations for the RBI-supervised perimeter. The RBI owns KYC supervision for every regulated entity in its remit. SEBI, IRDAI, PFRDA, and other sector regulators run their own KYC frameworks for the entities they supervise.

What the 2025 refresh changed

The Master Direction has been amended periodically since 2016. Recent amendments through 2025 introduced sector-specific guidance for institution types, simplified the periodic updation flow, formalised banking-correspondent-led KYC, and tightened V-CIP procedural requirements. Compliance programmes that built advance-notice flows ahead of the rule fared better than those reacting after publication. The same is true for programmes that consolidated documentation standards across institution types early.

Who this applies to

The RBI KYC guidelines apply to every Regulated Entity. The list is broad: commercial banks (public sector, private sector, foreign), regional rural banks, urban co-operative banks, state co-operative banks, all NBFC categories, payment banks, small finance banks, asset reconstruction companies, microfinance institutions, and the rest of the RBI-supervised perimeter. Each institution type inherits the core rulebook, with operational variations specific to its licence category.

The 2016 vs 2025 Master Direction: clause-mapped comparison

The structural shape has stayed consistent. The operational content has tightened materially, and the differences show up clause by clause.

Identification and verification clauses

The CIP framework remains anchored in the Officially Valid Document set listed under Q5 of the RBI FAQ on Master Direction on KYC: passport, driving licence, proof of possession of Aadhaar number, Voter’s Identity Card, NREGA job card, and the letter issued by the National Population Register. PAN or Form 60 is required in addition to the chosen OVD. The list of officially valid documents covers the operational depth.

The shift in recent years has been around eKYC. Aadhaar-based eKYC (OTP-based, biometric-based, and offline XML) is recognised under multiple clauses, with operational refinements that strengthened tamper-evidence requirements and consent capture. The Aadhaar eKYC reference covers the channel detail.

V-CIP clauses

Video-based Customer Identification Process (V-CIP) is treated on par with face-to-face customer identification, per Q19 of the RBI FAQ. The 2016 baseline established the framework. Subsequent amendments refined operational expectations: recording integrity, consent flow, geo-tag capture, and the explicit allowance for assisted V-CIP through banking correspondents. The RBI’s V-CIP guidelines reference and the bank-specific V-CIP implementation cover the operational layer.

Periodic KYC updation clauses

Per Q22 of the RBI FAQ, periodic updation runs at least once every two years for high-risk customers, eight years for medium-risk, and ten years for low-risk. The cadence has been stable. The operational additions have been the advance-notice and reminder regime. Per Q27, REs must intimate customers in advance of the due date and follow up with reminders. Per Q28, failure to complete periodic updation after due notice triggers the obligation to close the account under the PML Rules.

CKYCR record-upload clauses

Reporting entities are required to upload customer KYC records to the Central KYC Records Registry (CKYCR), operated by CERSAI. Per Q14 of the RBI FAQ, CKYCR assigns a unique KYC Identifier per customer that can be reused across regulated entities on consent. The upload obligation applies to new accounts and to records that have been updated or amended.

Institution-type compliance matrix

The Master Direction applies across institution types, but the operational shape varies meaningfully. Compliance programmes that treat the rules as identical across institution types tend to surface findings later, when an inspector probes the variant the programme didn’t explicitly cover.

Commercial banks

Commercial banks carry universal CIP, CDD, EDD, and ongoing monitoring obligations under the Master Direction. V-CIP is available across customer categories. CKYCR upload is mandatory for new accounts. Periodic updation runs the standard 2/8/10-year cadence. Branch and digital coverage operates at scale, and the most resourced compliance programmes in the country typically sit here.

NBFCs

The Master Direction applies to NBFCs with sector-specific operational guidance refined in recent years. Risk-tier-based simplifications are permitted on certain product lines where the underlying risk profile justifies them, but the core obligations are not relaxed. The CKYCR upload obligation applies, and V-CIP is available.

Payment banks and small finance banks

Payment banks operate under deposit caps that constrain product mix. Tiered KYC is permitted, with simplified onboarding allowances for small accounts under the Master Direction’s small-account framework. SFBs run a hybrid retail and microfinance KYC profile, with both branch and agent-led models in operational use.

Urban cooperative banks and cooperative banks

The Master Direction applies, with sector-specific guidance covering the operational nuances of UCB and cooperative-bank governance. The member-versus-customer KYC distinction matters at UCBs. Members carry additional obligations under co-operative regulations on top of the KYC framework that applies to all customers. Phased-compliance considerations have been a recurring theme in recent amendments for this sector.

V-CIP under the 2025 Master Direction

V-CIP is the highest-searched sub-topic within RBI KYC, and the operational framework around it has matured rapidly. Most of the practical questions compliance teams ask about RBI KYC concern V-CIP details, so it is worth walking through the requirements explicitly.

Operational requirements

A trained authorised official conducts the live audio-visual interaction. The session is consent-based. Geo-tag capture of the customer’s location is required. Recording is mandatory, with tamper-evidence retention. Liveness checks must be conducted, and per Q20 of the RBI FAQ, specific facial gestures like blinking or smiling are not mandatory for the liveness check, with explicit accommodation required for customer needs.

Technology requirements

Liveness detection has to meet a regulator-acceptable standard, increasingly aligned with iBeta PAD certification. OCR plus Aadhaar XML or offline eKYC pathways handle document validation. Recording infrastructure with timestamps must survive audit. Tamper-evidence on the stored session is non-negotiable. Recordings that cannot be retrieved, or that show signs of post-hoc modification, fail audit on contact.
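One way to make a stored V-CIP session tamper-evident, as an added example (not taken from the Master Direction or from any vendor's product): each recording segment gets a manifest entry whose HMAC covers its digest, timestamp, geo-tag and the previous entry's tag, and the last tag is kept in a separate audit log. The field names, the segment model, the key handling and the sample data are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: in production the key sits in an HSM/KMS apart from the recording
# store, so someone who can edit recordings cannot re-seal the manifest.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _tag(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of one manifest entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_session(key, session_id, geo_tag, segments):
    """Build a chained manifest; `segments` is a list of (utc_timestamp, bytes)."""
    manifest, prev = [], GENESIS
    for index, (timestamp, data) in enumerate(segments):
        body = {
            "session_id": session_id,
            "index": index,
            "timestamp": timestamp,
            "geo_tag": geo_tag,
            "sha256": hashlib.sha256(data).hexdigest(),
            "prev": prev,  # links this entry to the one before it
        }
        prev = _tag(key, body)
        manifest.append({**body, "tag": prev})
    return manifest


def verify_session(key, manifest, segments, final_tag):
    """Return (ok, reason); `final_tag` comes from the separate audit log."""
    if not manifest or manifest[-1].get("tag") != final_tag:
        return False, "manifest truncated or final tag mismatch"
    if len(manifest) != len(segments):
        return False, "segment count mismatch"
    prev = GENESIS
    for index, (entry, (timestamp, data)) in enumerate(zip(manifest, segments)):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("index") != index or body.get("prev") != prev:
            return False, f"chain broken at segment {index}"
        if not hmac.compare_digest(_tag(key, body), entry.get("tag", "")):
            return False, f"manifest entry {index} altered"
        if body["timestamp"] != timestamp:
            return False, f"timestamp mismatch at segment {index}"
        if body["sha256"] != hashlib.sha256(data).hexdigest():
            return False, f"recording modified at segment {index}"
        prev = entry["tag"]
    return True, "ok"


# Constructed sample session: three short stand-ins for recorded segments.
SAMPLE_SEGMENTS = [
    ("2026-01-10T09:00:00Z", b"constructed segment 0"),
    ("2026-01-10T09:00:05Z", b"constructed segment 1"),
    ("2026-01-10T09:00:10Z", b"constructed segment 2"),
]
```

Storing the final tag outside the recording store is what lets the check catch a session whose last segments were silently dropped along with their manifest entries.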

Recent simplifications

Banking-correspondent-led updation has been formalised, expanding the channels through which low-risk customers can complete refresh without visiting a branch. Assisted V-CIP, where the BC facilitates the customer end of the process while the authorised RE official conducts the verification, is permitted under the Master Direction. The simplifications reduced the operational drag on REs serving customers in geographies where branch coverage was thin.

Periodic KYC updation and the advance-notice rule

The cadence is the floor. The discipline is the practice. Every recent enforcement action involving periodic updation has come back to the procedural layer below the cadence, not the cadence itself.

Updation frequency by risk tier

Per Q22 of the RBI FAQ on the Master Direction on KYC: high-risk customers, at least once every two years; medium-risk customers, at least once every eight years; low-risk customers, at least once every ten years. REs may set tighter internal cadences. They cannot exceed these regulatory ceilings.

The advance-notice procedure

Per Q27, REs must intimate customers in advance of the due date for periodic updation. Reminders follow if the customer does not respond by the due date. Recent amendments tightened the documentation banks must keep around the notice cadence and the reminders that followed. The procedural addition prevents accounts from being restricted without the customer having had clear opportunity to comply.

What happens on non-response

Per Q28, failure to complete periodic updation after due notice triggers the obligation to close the account under the PML Rules. Account restrictions, such as limited transactions and new-product holds, typically progress before closure, providing a final remediation window. Reactivation of a closed account requires the customer to complete the pending KYC.

CKYCR and KYC record upload

CKYCR is the cross-regulator KYC infrastructure that the RBI Master Direction interfaces with. Its purpose is to reduce duplicate KYC submissions across the regulated financial system, and it sits parallel to (rather than inside) the RBI’s own supervision.

Upload timelines and formats

Reporting entities upload customer KYC data in the format specified by CERSAI. Re-uploads are required when the underlying KYC record is updated or amended. Specific timeline expectations are defined in the Master Direction and in CERSAI’s own operational instructions for CKYCR participants.

How the CKYC ID is generated and reused

CKYCR assigns a unique KYC Identifier, typically a 14-digit number, to each customer on first upload by any reporting entity. Per Q14 to Q18 of the RBI FAQ, the KYC Identifier can be retrieved by another RE on the customer’s consent and used to obtain the existing KYC record without asking the customer to resubmit documents. The mechanism reduces duplicate KYC submissions across the regulated financial system.

Penalties for non-compliance

The stakes are visible. RBI enforcement against KYC lapses has been active across the regulated perimeter, and the patterns repeat institution to institution.

Types of RBI enforcement actions

  • Monetary penalties under section 47A of the Banking Regulation Act and equivalent provisions for other entity types.
  • Supervisory letters that document specific deficiencies and require corrective action plans.
  • Licence conditions that constrain the RE’s operations until compliance is restored.
  • Public censure where the regulator deems it necessary.

The severity of the action correlates with the materiality of the lapse and the RE’s response history.

Common drivers of enforcement

  • Documentation gaps where evidence cannot be produced for sample customers pulled by inspectors.
  • Stale risk ratings where every customer in a tier has carried the same rating from the day of onboarding to the day of inspection.
  • PEP screening lapses.
  • V-CIP recordings missing or unrecoverable.
  • Failure to file STRs for transactions the regulator concludes should have been reported.

Each is a programme-design failure, not a tooling failure, and each is recoverable with clear remediation.

2026 compliance readiness checklist

This is the practitioner artefact compliance leads can share internally. It is a sanity pass, not a substitute for the Master Direction itself.

Deliverables expected of REs

  • A board-approved KYC and AML policy reflecting current Master Direction obligations, with a documented review and refresh cadence.
  • A risk-tier framework that maps customers consistently across the institution.
  • A V-CIP technology stack with iBeta-certified liveness, recording integrity, and geo-tag capture in operational compliance with the Master Direction.
  • CKYCR integration that satisfies the upload obligations for new accounts and updated records.
  • Sanctions, PEP, and adverse media screening running continuously, in line with sanctions screening best practice.
  • A documented periodic-updation flow that satisfies the advance-notice and reminder requirements.

Clause-to-capability decoder

For compliance and engineering teams planning the technology stack, the rough mapping looks like this:

  • CIP clauses: document verification, OCR, biometric matching, OVD validation API.
  • V-CIP clauses: live audio-visual platform with recording, liveness detection, geo-tag capture, operator workflow.
  • CDD and EDD clauses: risk-scoring engine, source-of-funds documentation pipeline, customer due diligence and enhanced due diligence workflow.
  • Periodic updation clauses: notice and reminder orchestration, customer communications pipeline, status tracking.
  • CKYCR clauses: registry upload integration, KYC Identifier retrieval, format validation.
  • Ongoing monitoring clauses: continuous sanctions and PEP screening, adverse media monitoring, transaction monitoring, change-of-circumstance triggers.

Buy-vs-build prompts apply at each layer. Most REs buy V-CIP, document verification, and screening as platform capabilities, and most build the orchestration logic that ties them together. The bank KYC process reference covers how the layers fit together in operational practice.

The AML compliance reference covers the broader discipline that runs alongside KYC. For sector-specific overlays, the insurance KYC under IRDAI guidelines walks through how KYC works inside the IRDAI framework.

FAQs

What are the new KYC guidelines issued by RBI in 2025?

Recent RBI Master Direction amendments through 2025 introduced sector-specific operational guidance for different institution types, formalised banking-correspondent-led KYC updation, tightened the advance-notice and reminder regime for periodic updation, and refined V-CIP procedural requirements. Compliance programmes are expected to align with the updated obligations through 2026.


How often does RBI require KYC updates?

Per Q22 of the RBI FAQ on the Master Direction on KYC, periodic KYC updation is required at least once every two years for high-risk customers, eight years for medium-risk customers, and ten years for low-risk customers. REs may set tighter internal cadences, but they cannot exceed these regulatory ceilings.


What is the RBI Master Direction on KYC?

The RBI Master Direction on KYC is the primary regulatory instrument governing customer identification, due diligence, and ongoing monitoring across every Regulated Entity in India. Issued on 25 February 2016 with periodic amendments through 2025, it operationalises the statutory obligations from the Prevention of Money-Laundering Act, 2002 and the PML Rules, 2005.


What documents are mandatory under RBI KYC guidelines?

Per Q5 of the RBI FAQ, the six accepted Officially Valid Documents are: passport, driving licence, proof of possession of Aadhaar number, Voter’s Identity Card, NREGA job card, and the letter issued by the National Population Register. PAN or Form 60 is required in addition to the chosen OVD.


What is V-CIP as per RBI?

V-CIP, or Video-based Customer Identification Process, is a live, secure, consent-based audio-visual interaction between an authorised RE official and the customer used for identity verification. Per Q19 of the RBI FAQ, V-CIP is treated on par with face-to-face customer identification. Recording, geo-tag capture, and liveness checks are required.


What is the penalty for non-compliance with RBI KYC rules?

Penalties include monetary fines under section 47A of the Banking Regulation Act and equivalent provisions, supervisory letters requiring corrective action, licence conditions constraining RE operations, and public censure for material lapses. The severity correlates with the materiality of the failure and the RE’s response history.


Can banking correspondents do KYC now?

Yes. Recent Master Direction amendments formalised banking-correspondent-led KYC updation, expanding the channels through which low-risk customers can complete refresh without visiting a branch. Assisted V-CIP, where the BC facilitates the customer end while the authorised RE official conducts verification, is also permitted.


What is Aadhaar masking under RBI KYC rules?

Aadhaar masking is the practice of obscuring the first eight digits of the Aadhaar number on document copies retained by REs, in line with UIDAI guidelines and India’s data-protection framework. The full Aadhaar number is captured for verification, but the stored copy shows only the last four digits, reducing exposure if the document is later compromised.


What is the difference between KYC and AML under RBI rules?

KYC focuses on customer identification and due diligence at onboarding and on refresh. AML is the broader anti-money-laundering discipline, including KYC, transaction monitoring, suspicious-transaction reporting, sanctions screening, and the institutional posture against financial crime. The Master Direction covers both. KYC sits inside the broader AML programme.


What is the 3-notice rule for periodic KYC updation?

The advance-notice and reminder regime under recent RBI Master Direction amendments requires REs to intimate customers in advance of periodic updation due dates and follow up with reminders if the customer does not respond. Failure to complete periodic updation after due notice triggers the obligation to close the account under the PML Rules.


Nupura Ughade

Content Marketing Lead
