Re-KYC is how banks, NBFCs, mutual funds, and insurers keep customer records current after onboarding. The rules are risk-based (two years for high-risk customers, eight for medium, ten for low), and they have tightened meaningfully through 2025 with a mid-year circular permitting fully digital re-KYC, an August 2025 amendment adding strict outreach and rejection-reasoning requirements, and a deadline extension for low-risk customers to June 30, 2026. Most content on the internet quotes the frequencies without explaining the framework behind them. This guide is the complete re-KYC reference: what re-KYC is, why it exists, how risk categorisation drives the timelines, which event triggers override the periodic calendar, how the process works end-to-end in 2026, what the high-risk EDD overlay adds, and what a well-run re-KYC programme looks like from the inside. For the operational companion, our KYC checklist covers the full onboarding and periodic workflow.
What Is Re-KYC?
Re-KYC is the scheduled or event-triggered refresh of a customer’s KYC record after onboarding. It is not re-onboarding, and it is not a new account. The customer relationship continues; what changes is the currency of the identity and risk data the regulated entity holds.
Re-KYC Defined
Re-KYC is a periodic or event-driven update to a customer’s KYC record, required by the RBI KYC Master Direction and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. The update covers identity documents (if any have expired or changed), address proof (if the customer has moved), risk rating (if the profile has shifted), and contact details. The scope of what gets refreshed depends on what has actually changed since the last review.
Re-KYC vs Re-Verification vs Perpetual KYC
Compliance teams routinely mix up three overlapping terms. Re-KYC is the scheduled customer record refresh. Re-verification is an event-triggered document check (for example, when an ID on file has expired). Perpetual KYC (pKYC) is the model where the customer record is updated continuously based on data triggers rather than scheduled dates, a different operating model that can replace the periodic calendar for mature programmes. Think of the periodic calendar as the schedule, re-KYC as the action, and pKYC as an alternative model that removes the calendar as the primary trigger.
Who Is Responsible
The regulated entity is responsible for re-KYC. That is the bank, NBFC, mutual fund, insurer, or other reporting entity holding the customer relationship. The customer’s role is to respond to outreach and provide documents when asked. Regulators expect the regulated entity to drive the cadence, send reminders, and escalate appropriately when the customer does not respond, not to wait for the customer to initiate.
Why Re-KYC Exists: The Regulatory Drivers
Three layers of regulation require re-KYC, and each adds a specific obligation.
PMLA and the Maintenance of Records Framework
The Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 are the legal basis for periodic KYC updation in India. The Rules require reporting entities to identify customers, verify identity, maintain records for at least five years after the business relationship ends, and keep those records current. Re-KYC is how the “keep current” obligation is operationalised.
RBI Master Direction on KYC
The RBI KYC Master Direction sets the operational parameters for re-KYC: the 2/8/10-year cadence, the OVD list, the digital KYC methods, and the customer communication standards. The 2nd Amendment to the KYC Master Direction issued on August 14, 2025 added explicit obligations around rejection reasoning, accessibility for persons with disabilities, and the three-advance-intimations outreach standard that applies to every periodic update. The November 28, 2025 sector-specific Master Directions preserved the substance of these requirements and reorganised them by institution type.
FATF Recommendation 10 and Ongoing Due Diligence
FATF Recommendation 10 treats ongoing due diligence as a core component of customer due diligence, not an optional overlay. Indian supervisory practice aligns with this baseline, which is why a compliance operation that runs strong onboarding but weak periodic updation gets flagged at FATF mutual evaluations and at RBI inspections.
Risk Categorisation: The Foundation of Re-KYC
The 2/8/10-year cadence rests on a single input: the customer’s risk rating. Everything downstream (documentation depth, frequency, EDD overlay) flows from that rating. Getting risk categorisation right is what makes re-KYC efficient rather than a generic administrative task.
Factors That Determine Customer Risk
Risk rating considers occupation (exposure to cash, politically sensitive roles), geography (domestic vs high-risk jurisdictions), nature of activity (normal vs unusual account behaviour), transaction patterns (frequency, amount, counterparties), source of funds (known and documented vs ambiguous), and product or account type (a savings account carries less inherent risk than a high-velocity business account). The rating is a composite, and each factor can shift over time.
How Regulated Entities Typically Implement Risk Rating
Most regulated entities run a rule-based scorecard at onboarding that assigns a low, medium, or high rating. Larger banks and more digitally-mature NBFCs layer machine learning on top, which produces a dynamic score that can shift between reviews. Either way, the rating sits in the customer record and is visible to the downstream processes (transaction monitoring, re-KYC scheduling, EDD triggering).
Triggers That Move a Customer Into a Higher Bucket
Certain events trigger an intra-period risk rating change: appearance on a sanctions list, PEP status change, adverse media hit, high-value inbound or outbound transfers to new counterparties, or activity in a high-risk jurisdiction. A re-rating is not itself re-KYC, but it accelerates the next re-KYC (a newly high-risk customer now follows the two-year cadence rather than whatever they were previously scheduled on).
Re-KYC Frequency by Risk Category (the 2/8/10 Rule)
The cadence is the most searched and cited part of re-KYC, so it deserves a table and a section of its own.
| Risk Category | Re-KYC Frequency | Notes |
|---|---|---|
| Low | Every 10 years | Extended deadline to June 30, 2026 for customers whose update has fallen due |
| Medium | Every 8 years | Shifted from 5 years under the pre-2022 framework |
| High | Every 2 years | Unchanged from the pre-2022 framework |
Low-Risk Customers: 10 Years
The vast majority of retail customers at banks and NBFCs fall into the low-risk bucket. Periodic updation for this segment happens every ten years under the current RBI framework. For low-risk customers whose update has fallen due, the 2nd Amendment to the KYC Master Direction extended the deadline to June 30, 2026, giving regulated entities a runway to migrate customers to digital re-KYC before the deadline.
Medium-Risk Customers: 8 Years
Medium-risk customers refresh every eight years. This bucket typically covers customers with moderate transaction velocity, some exposure to less common income sources, or customer segments where the regulated entity has decided to apply additional conservatism. The eight-year frequency replaced the earlier five-year frequency when the framework shifted from 2/5/10 to 2/8/10.
High-Risk Customers: 2 Years
High-risk customers require re-KYC every two years. The two-year cadence reflects the supervisory expectation that higher-risk relationships should be reviewed often enough to catch profile drift. It also dovetails with the Enhanced Due Diligence obligations that apply to high-risk customers at onboarding; those same enhanced checks re-apply at each re-KYC.
How the Rule Changed (From 2/5/10 to 2/8/10)
Pre-2022, the framework was two years for high-risk, five years for medium-risk, and ten years for low-risk. The current 2/8/10 framework extended the medium-risk frequency to reduce the compliance workload in the mid-risk segment without compromising the high-risk cadence. Content that still cites the 2/5/10 framework is outdated; all current practice follows 2/8/10.
Event Triggers That Override Periodic Timelines
The periodic calendar is not the only reason re-KYC happens. Three categories of event trigger a re-KYC outside the scheduled cadence.
Document Expiry or Material Change in Profile
Passport expiry, driving licence expiry, or a change of address all trigger a document-level re-KYC. The regulated entity is expected to refresh the specific document that has changed or expired rather than run a full re-KYC if nothing else has moved. Customer-initiated changes (a name change after marriage, for example) also trigger a partial re-KYC.
Risk Escalation
Sanctions list additions, PEP status changes, adverse media hits, or unusual transaction patterns can escalate a customer’s risk rating. When the rating changes, the customer moves to the appropriate cadence for the new rating, and an immediate re-KYC may be triggered if the risk escalation is significant. For NBFC onboarding programmes at scale, this is a primary driver of unscheduled re-KYC volume.
Regulatory or Enforcement Escalation
Regulatory actions, law enforcement enquiries, or FIU-IND notices on a specific customer can trigger an immediate re-KYC including Enhanced Due Diligence. These are rare in absolute terms but impactful when they happen, because they often come with tight timelines for response.
The Re-KYC Process: Step by Step
Well-run re-KYC follows a predictable four-step loop, whether the cadence is periodic or event-driven.
Step 1: Identification and Notification
The regulated entity flags the customer record as due for re-KYC, either from the calendar (periodic) or from a trigger (event-driven). The August 2025 Amendment requires three advance intimations (at least one by letter) before the due date, and after the due date, at least three reminders including one by letter. The intimation must be recorded against the customer record for audit trail purposes.
Step 2: Customer Submission Paths
The customer has four paths to complete re-KYC: a branch visit (traditional, still the default for some segments); a self-service portal or mobile app (the fastest path for digitally-active customers); video KYC or V-CIP (permitted for non-face-to-face cases, often via a dedicated video KYC API); and fully digital re-KYC with live photo, geo-tag, and officer certification, which a June 2025 circular permits across all risk categories.
Step 3: Verification and Update
Once documents are submitted, the regulated entity verifies them (OCR, document authenticity, cross-reference with the existing record), updates the internal record, and pushes the refreshed record to the CKYC registry. The risk rating is re-assessed based on the refreshed data, which can move the customer into a different cadence for the next cycle.
Step 4: Exception Handling
Not every re-KYC completes cleanly. The customer may not respond to outreach. Documents may be incomplete or inconsistent. The risk rating may change in a way that requires escalation. A well-designed programme has a defined exception workflow: escalate to manual review, then to compliance, then to account restriction if the customer remains non-responsive after all reminders.
Re-KYC for High-Risk Customers: The EDD Overlay
High-risk re-KYC is not just a faster version of standard re-KYC. It carries a different obligation stack.
What Enhanced Due Diligence Adds
EDD at re-KYC includes deeper source-of-funds analysis (what inflows have happened since the last review, are they consistent with the stated source), adverse media review (periodic check of negative news coverage), and updated beneficial ownership verification for legal entities. These are on top of the standard CIP and CDD steps.
Senior Management Approval for Continued Relationship
RBI guidance expects senior management approval to continue relationships with high-risk customers after each re-KYC. The approval is documented, with named approver and rationale, and sits in the audit file. This is one of the most commonly missing artefacts at a KYC audit.
Ongoing Monitoring Intensity
High-risk customers are under tighter transaction-monitoring thresholds between re-KYC cycles. Re-KYC refreshes those thresholds based on the newly verified profile. If the re-KYC reveals a change (new occupation, new geography, new source of funds), the monitoring thresholds re-calibrate accordingly.
Building a Re-KYC Programme: Operational Steps for Regulated Entities
For compliance teams and ops leaders, re-KYC at scale is an engineering problem as much as a compliance one.
Due-Pipeline Management and Customer Outreach
The programme starts with a trigger engine that knows which customers are approaching their re-KYC due date and moves them into the outreach pipeline 90-120 days ahead. Communication runs across email, SMS, in-app notification, and physical letter (now required by the August 2025 Amendment). Tracking each intimation against the customer record gives the audit trail that inspectors expect.
Technology Stack for Digital Re-KYC
A production re-KYC stack has three layers: capture (document upload, video KYC, DigiLocker fetch), verification (OCR, authenticity, CKYC reconciliation), and case management (manual review queue, audit log, CKYCR push). The integration with existing onboarding infrastructure is what determines cost. For regulated entities that already run DigiLocker-enabled onboarding, the re-KYC path can reuse 70-80% of the same stack.
Governance and Audit Trail
Every re-KYC action needs to be auditable: what triggered it, when it was scheduled, how many intimations went out, what the customer submitted, what verification ran, what the outcome was, and who approved any exceptions. The audit log is where KYC audits spend most of their time, and gaps here are what convert a clean process into a finding at inspection.
Consequences of Missing Re-KYC Deadlines
Missed re-KYC has defined consequences for both the customer and the regulated entity.
Account Restrictions and Transaction Freeze
After the due date and after the required reminders have gone unanswered, the regulated entity is expected to restrict the customer’s account. Restrictions typically start with disabling outbound transactions and escalate to a full freeze if the customer remains non-responsive. Some transaction types (refunds, pension credits, government payments) may be permitted even in a restricted state, depending on the regulator and the product.
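One way to encode the 2/8/10 calendar, the outreach window, and the intimation and reminder record that must exist before an account is restricted, as an added example (not code from any regulator or vendor). The record layout, function names, channel labels and the 120-day lead are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

CADENCE_YEARS = {"high": 2, "medium": 8, "low": 10}  # 2/8/10 rule from the table
OUTREACH_LEAD_DAYS = 120  # assumption: upper end of the 90-120 day window

@dataclass
class Customer:  # hypothetical record layout
    cust_id: str
    risk: str
    last_kyc: date
    intimations: list = field(default_factory=list)  # (sent_on, channel) tuples

def next_due(c: Customer) -> date:
    """Last KYC date plus the cadence for the customer's *current* rating."""
    year = c.last_kyc.year + CADENCE_YEARS[c.risk]
    try:
        return c.last_kyc.replace(year=year)
    except ValueError:  # 29 February mapped into a non-leap year
        return c.last_kyc.replace(year=year, day=28)

def in_outreach_window(c: Customer, today: date) -> bool:
    """True once the customer should enter the outreach pipeline."""
    return today >= next_due(c) - timedelta(days=OUTREACH_LEAD_DAYS)

def _batch_gaps(batch, label):
    gaps = []
    if len(batch) < 3:
        gaps.append(f"{label}: only {len(batch)} of 3 recorded")
    if not any(channel == "letter" for _, channel in batch):
        gaps.append(f"{label}: none sent by letter")
    return gaps

def restriction_gaps(c: Customer, today: date) -> list:
    """Audit-trail gaps that block an account restriction; empty means clear."""
    due = next_due(c)
    if today <= due:
        return ["re-KYC not yet overdue"]
    advance = [i for i in c.intimations if i[0] < due]
    reminders = [i for i in c.intimations if due < i[0] <= today]
    return (_batch_gaps(advance, "advance intimations")
            + _batch_gaps(reminders, "post-due reminders"))

# Constructed sample record, not real customer data.
SAMPLE = Customer("C-001", "high", date(2024, 2, 29), [
    (date(2025, 11, 5), "email"), (date(2025, 12, 10), "sms"),
    (date(2026, 1, 20), "letter"),
    (date(2026, 3, 5), "email"), (date(2026, 3, 20), "sms"),
])
```

Because `next_due` reads the current rating, re-rating a customer to high risk shortens the due date without any change to the scheduling code.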
Reinstating a Frozen Account
Reinstatement requires completing the pending re-KYC. The customer submits documents, the regulated entity processes them as a fresh re-KYC, and the account is unfrozen once the update is recorded. There is no separate reactivation fee, but the process takes the standard re-KYC turnaround time (three to ten working days depending on method).
Re-KYC Without Friction
A modern re-KYC programme has four characteristics: trigger-based rather than calendar-only, digital-by-default for low and medium risk, specialist workflows for high-risk EDD, and a clean audit trail that survives inspection. Institutions that build towards this state find that re-KYC stops being a compliance fire drill and starts being a predictable operational rhythm.