RBI’s Video-based Customer Identification Process (V-CIP) allows banks and NBFCs to verify customer identity through a live, supervised video interaction. RBI treats it as equivalent to in-person verification when the controls are followed: a live officer, liveness checks, geo-tagging, encrypted recording, maker-checker review, and a documented audit trail. The framework was introduced through RBI’s January 9, 2020 notification and consolidated into the KYC Master Direction.
For banks, NBFCs, and now payment aggregators (added under the November 28, 2025 KYC Master Direction), V-CIP is the standard alternative to branch-based onboarding. It works for retail, NRI, and segments where Aadhaar is unavailable. This article walks through what video KYC is end to end: the 6-step V-CIP process, RBI’s mandatory controls, what changed in the 2025 KYC MD, the deepfake risk that the original 2020 framework did not anticipate, and how SEBI VIPV and IRDAI VBIP work as parallel but distinct frameworks for mutual funds and insurance.
What V-CIP is not
V-CIP is not a self-serve recorded video. It is not equivalent to OTP-based Aadhaar eKYC. It is not a substitute for periodic updation. Each of these distinctions matters because conflating them is the most common cause of regulatory observations during inspections.
Why RBI introduced V-CIP
The 2020 V-CIP notification responded to four pressures. Pandemic-era branch closures created an immediate need for branchless onboarding. Aadhaar’s limitations for non-residents and customers without Aadhaar left a gap that OTP-based eKYC could not fill. Manual cancelled-cheque verification was a long-standing fraud surface. And financial inclusion mandates required ways to onboard tier-2 and tier-3 customers without forcing branch visits. V-CIP solved for all four. See video KYC for financial inclusion for the inclusion-side framing.
The V-CIP process: Step 1 to Step 6
RBI’s framework leaves implementation choices to the regulated entity but defines the controls each step must include. The six-step flow that emerges in practice:
Step 1: Customer consent and session initiation
The customer initiates the V-CIP session through the bank or NBFC’s web domain or app, with explicit consent captured and timestamped. The session must be initiated by the entity, not by a third-party redirector. Consent capture covers data collection, recording, geo-tagging, and downstream use.
Step 2: Document capture
The customer captures Proof of Identity (POI) and Proof of Address (POA) documents live during the session. OCR extracts data; image quality checks reject blurry, glare-affected, or low-resolution captures with a re-capture prompt. Live capture is mandatory; uploaded scans alone do not meet the V-CIP standard. See officially valid documents under RBI KYC for the accepted document list.
Step 3: Live officer interaction
A trained bank or NBFC officer conducts the live interaction. The officer reads from a randomized script of questions to confirm the customer’s identity through indicators that cannot be pre-rehearsed. Officer training requirements are explicit in the KYC Master Direction and include fraud detection, identity verification, and customer-service judgment.
Step 4: Liveness and face match
A liveness check confirms the live capture is a real person, not a photo, video, or face spoofing attempt. Face match compares the photo on the customer’s POI document with the live capture. Both must pass before the session can proceed to recording.
Step 5: Geo-tagging and encrypted recording
The customer’s location is captured through GPS and IP cross-validation; sessions originating outside permitted jurisdictions are rejected. The full session is recorded and encrypted at rest, with retention for the regulator-mandated period. Access to recordings is logged and restricted to authorized officers.
Step 6: Maker-checker review and audit trail
Every V-CIP session passes through a maker-checker review: the officer who conducted the session does not approve it. A second authorized officer reviews the recording, the document captures, the liveness and face-match results, and the audit trail before issuing approval or rejection. Concurrent audit and retry tracking complete the loop.
RBI’s mandatory V-CIP requirements
The compliance checklist that risk and IT teams should track against, refreshed for the 2025 updates.
Infrastructure and security
End-to-end encryption on the live session and on stored recordings. Data localization in compliance with RBI norms; recordings cannot reside on infrastructure outside permitted jurisdictions. PCI-DSS-grade access controls for the systems holding session data. Documented disaster recovery and incident response procedures.
Operational procedures
Officer training programs with documented curriculum, completion records, and refresher cycles. Randomized question generation that varies meaningfully across sessions. Defined retry policy when a session fails. Escalation rules for cases the officer cannot resolve. The randomization is the control most often weakened in production: scripts drift toward template questions over time, and inspections flag the drift.
Data management and storage
Recording retention for the regulator-mandated period (typically 5 years from session). Access controls with role-based permissions and audit logs on every access event. Audit trails covering session initiation, consent capture, document capture, liveness results, face-match outcome, and maker-checker decision. The audit trail must be regulator-ready: exportable, complete, and readable without vendor-side translation.
Permitted use cases and applicability
Banks and NBFCs are the original applicability scope. The November 28, 2025 KYC Master Direction brought payment aggregators (PAs) into V-CIP-equivalent compliance. SEBI VIPV (mutual funds) and IRDAI VBIP (insurance) operate as parallel but distinct frameworks, governed by their respective regulators.
2026 V-CIP compliance checklist
A scannable checklist for compliance teams running V-CIP at scale:
- Customer-initiated session through entity-controlled web domain or app
- Live consent capture and audit log
- POI and POA captured live (not uploaded)
- OCR with quality-floor checks and re-capture prompts
- Officer training records on file, refreshed at defined cadence
- Randomized officer questions with variation across sessions
- Liveness check (passive single-image or active gesture-based)
- Face match between document photo and live capture
- GPS-level geo-tagging cross-validated with IP
- Encrypted session recording with documented retention
- Maker-checker review with separate officer accountability
- Audit trail covering every decision point, regulator-ready
- Documented exception protocol for failed sessions
- Vendor exit clause and data portability provision
V-CIP vs Aadhaar eKYC vs Offline KYC
The three KYC pathways are not interchangeable. Each fits different customer segments and risk profiles.
| Dimension | V-CIP | Aadhaar eKYC (OTP) | Offline KYC |
|---|---|---|---|
| Customer presence | Live video | Self-serve | In-branch |
| Officer involvement | Required | None | Required |
| Documents | POI + POA captured live | Aadhaar number + OTP | Physical originals |
| Suitable for | High-value, NRI, customers without Aadhaar | Aadhaar holders, low-value, fast onboarding | Branch walk-ins, large-ticket products |
| Time to complete | 5 to 10 minutes | Under 2 minutes | 30 minutes or more |
| Cost per KYC | Mid | Low | High |
| Compliance scope | RBI (banks, NBFCs, payment aggregators from Nov 2025) | UIDAI plus RBI | RBI |
| Best for | Onboarding without an Aadhaar dependency | High-volume, low-friction onboarding | Walk-in branches, complex products |
Most lenders run all three in parallel: Aadhaar eKYC for the default low-friction path, V-CIP for non-Aadhaar customers and higher-ticket products, offline KYC for branch walk-ins and segments that need physical originals. See Aadhaar verification for the eKYC API view.
What changed in V-CIP in 2026
Two regulatory updates in 2025 reshape how V-CIP is run and audited.
June 12, 2025: RBI KYC Amendment Directions
The June 12, 2025 amendment refined the periodic updation cadence and formalized BC-facilitated re-KYC. For V-CIP, the practical change is that re-KYC sessions for low-risk customers can be conducted through V-CIP at intervals shorter than the previous self-declaration window, with audit trails retained for the same regulator-mandated period as the original onboarding.
November 28, 2025: KYC Master Direction 2025
The KYC MD 2025 supersedes the 2016 framework and brings payment aggregators explicitly into KYC scope. Headline implications for V-CIP:
- Payment aggregators must implement V-CIP-equivalent controls for direct customer onboarding where applicable.
- Audit trails must be regulator-ready for inspection, with documented decision logic for every approval and rejection.
- Periodic updation must use a documented method (V-CIP, BC-facilitated, or self-declaration where permitted), not ad-hoc checks.
- Officer training and randomized-question protocols must be reviewable by auditors.
Operational implications for compliance teams
The 2025 updates do not require V-CIP redesign. They tighten the audit and documentation expectations around it. Compliance teams running V-CIP at scale should expect inspection focus on training records, randomized-question variation, geo-tag failure rates, and maker-checker rejection rationale. Vendors that cannot produce these records on demand are now a compliance risk.
Deepfake and synthetic-media risk in V-CIP
RBI’s V-CIP framework was published in 2020. Generative AI capable of producing real-time face-swap deepfakes was not mainstream then. The framework’s controls still hold, but compliance teams need to understand why.
Why V-CIP is a deepfake target
Live video plus face match is exactly the surface that real-time face-swap tools target. A determined attacker uses a stolen or generated identity document, runs a face-swap model on a webcam feed, and tries to walk through V-CIP as the document holder. The attack has been documented across global KYC providers since 2023; it now has commercial tooling.
How RBI’s controls counter deepfake
The framework’s defenses, in order of effectiveness against deepfake:
- Liveness detection. Modern passive liveness rejects synthetic faces by detecting AI-artifact signatures, lighting inconsistencies, and depth-field anomalies that face-swap tools struggle to reproduce.
- Randomized officer questions. A face-swap model cannot anticipate or respond to bespoke questions in real time. The officer’s randomized script is a deepfake control even though it was originally written as a fraud control.
- Geo-tagging. Forces the attacker to spoof location as well as identity, raising the cost of the attack.
- Officer judgment. Trained officers detect micro-anomalies (eye contact, head movement, audio sync) that automated systems can miss.
What HyperVerge V-CIP adds beyond the RBI baseline
Passive single-image liveness, deepfake artifact detection, and iBeta-certified ISO 30107-compliant controls. See deepfake examples for concrete cases and how to spot a deepfake for the operational view.
Common mistakes in V-CIP implementation
Five recurring failure modes account for most V-CIP rejections during RBI inspections.
Treating V-CIP as a recorded-video task
The single most common mistake. V-CIP is a live, two-way interaction. A pre-recorded customer video, even with a live officer reviewing it later, does not meet the standard. Live in both directions is the threshold.
Under-training officers on randomized questions
Officer scripts that drift toward template questions over time defeat the randomization control. Training must cover randomized question generation, judgment cues for fraud detection, and escalation rules. Training records must be auditable.
Skipping geo-tagging or relying on IP only
IP geolocation is spoofable. The framework requires GPS-level location capture cross-validated against IP. IP-only geo-tagging is a frequent inspection finding.
Inadequate retention or audit trail
Recordings must be retained for the regulator-mandated period (typically 5 years from session). Retention shorter than the requirement, missing audit trails on access, or recordings stored in a system that does not log access events all surface during inspections.
Vendor lock-in without an exit clause
Many V-CIP implementations rely on a vendor’s hosted infrastructure. Without a documented exit clause and data-portability provision, switching vendors becomes a multi-quarter migration. Compliance teams should require exit-and-data-portability clauses in vendor contracts upfront.
V-CIP integration with CKYCR and DigiLocker
CKYCR (Central KYC Records Registry) and DigiLocker are India’s two centralized KYC infrastructure layers. V-CIP integrates with both.
How CKYCR fits into V-CIP
CKYCR is a centralized registry of KYC records maintained by CERSAI. After a successful V-CIP session, the regulated entity uploads the customer’s KYC record to CKYCR, generating a CKYC Identifier (KIN). Future regulated entities can pull the existing KYC record from CKYCR using the KIN, eliminating duplicate KYC for the customer.
CKYCR is informational context here. The registry is operated by CERSAI under the Ministry of Finance. Regulated entities integrate with CKYCR by pulling and pushing KYC records as part of V-CIP completion.
DigiLocker for document fetch
DigiLocker is India’s government-issued document repository. Customers can authorize fetch of their Aadhaar (XML), driving licence, PAN, and other documents directly from DigiLocker into the V-CIP flow. DigiLocker-fetched documents are tamper-proof at source: they carry the issuing authority’s signature, eliminating the document-forgery risk vector entirely. Read V-CIP with CKYC and DigiLocker for the integration view.
V-CIP across SEBI VIPV and IRDAI VBIP
RBI V-CIP applies to banks, NBFCs, and payment aggregators. Mutual funds and insurance run parallel but distinct frameworks.
SEBI VIPV for mutual funds
SEBI’s Video-based In-Person Verification (VIPV) framework, issued for mutual funds and other SEBI-regulated entities, mirrors the V-CIP structure: live video, document capture, liveness check, recorded session. The differences are in scope (only SEBI entities), the regulator (SEBI rather than RBI), and the documentation expectations (KRAs and AMCs handle records differently from banks).
IRDAI VBIP for insurance
IRDAI’s Video-based Identification Process (VBIP) for insurance follows similar mechanics. The differences here are in the document set (insurance often relies on additional health or income documents), the customer journey (often longer because of medical or product-disclosure requirements), and the audit framework (IRDAI inspection rather than RBI).
Buyers in the MF and insurance segments should not assume RBI V-CIP guidance maps directly to their framework. Coordinate with the relevant regulator’s circulars before any implementation. See HyperVerge’s V-CIP solution and video KYC API for cross-framework integration patterns. For a vendor-comparison view, see top video KYC providers.
See HyperVerge V-CIP in action
V-CIP under the 2025 KYC Master Direction is a live, audited, regulator-ready process. The right setup catches deepfake attempts, generates inspection-ready audit trails, and runs at the scale Indian banks and NBFCs need.
Talk to our team about V-CIP to see how the layered model fits your onboarding flow.
FAQs
Is video KYC legally valid in India?
Yes. RBI introduced V-CIP through its January 9, 2020 notification and consolidated it into the KYC Master Direction. RBI treats V-CIP as equivalent to in-person verification when the mandatory controls are followed: live officer interaction, liveness check, geo-tagging, encrypted recording, and maker-checker review. SEBI’s VIPV (mutual funds) and IRDAI’s VBIP (insurance) provide parallel legal validity for those sectors.
What are the RBI guidelines for video KYC?
RBI’s V-CIP framework requires: customer consent and entity-initiated session, live capture of POI and POA documents (not uploads), trained officer interaction with randomized questions, liveness check and face match, GPS-level geo-tagging cross-validated with IP, encrypted session recording with regulator-mandated retention, and maker-checker review by a separate officer. The November 28, 2025 KYC Master Direction tightened audit-trail expectations and brought payment aggregators into scope.
What documents are required for video KYC?
RBI accepts Officially Valid Documents (OVDs) for V-CIP: Aadhaar (full or masked under DPDPA), passport, voter ID, driving licence, NREGA card. PAN is mandatory as a separate identity check. Customers must capture both Proof of Identity (POI) and Proof of Address (POA) live during the session; the same document can serve both roles where it qualifies (Aadhaar, passport).
Can video KYC be done from outside India?
No. RBI’s V-CIP framework requires the customer’s location to be captured and cross-validated. Sessions originating outside the permitted jurisdiction are rejected. NRI customers can complete V-CIP only when physically present in India during the session, or through specific NRI-onboarding pathways defined by individual banks.
How long does video KYC take?
A typical V-CIP session takes 5 to 10 minutes end-to-end: consent and initiation (under a minute), document capture (1 to 2 minutes), live officer interaction (2 to 5 minutes), liveness and face match (under a minute), maker-checker review (asynchronous, typically minutes to hours). The live portion is usually under 5 minutes for routine cases.
What happens if video KYC fails?
A V-CIP rejection routes the customer to a documented alternative: re-attempt with corrected inputs, escalation to a senior officer, redirection to branch-based offline KYC, or request for additional documents. The framework requires regulated entities to have a written exception protocol that covers each failure type. Generic “rejection without reason” is a recurring inspection finding.
Can video KYC be done at any time?
RBI’s framework does not specify a time-of-day restriction, but regulated entities typically run V-CIP during operational hours when trained officers are available. Some banks offer extended hours; some restrict to weekday business hours. The customer-side experience depends on each entity’s operational policy.
What is the difference between video KYC and Aadhaar eKYC?
Video KYC (V-CIP) involves a live officer interaction, document capture, liveness and face match, and maker-checker review; it works for any customer with valid OVDs and takes 5 to 10 minutes. Aadhaar eKYC (OTP-based) is self-serve, requires the customer to have an Aadhaar with a registered mobile, and completes in under 2 minutes; it does not involve a live officer. Most Indian banks offer both pathways and route customers to the right one based on Aadhaar availability and risk profile.
