Know Your Customer (KYC) is the regulated process a financial institution uses to verify a customer’s identity, assess their risk, and monitor their activity for the life of the relationship. It sits at the front door of every bank account, loan, insurance policy, brokerage, and crypto wallet, which is why getting it right matters to the regulator, the business, and the customer in equal measure.
This comprehensive guide pulls together everything a practitioner or decision-maker needs to understand KYC. It covers the global framework (definition, the three components, KYC vs Anti-Money Laundering (AML), documents, and process), then goes deeper on India, where the Reserve Bank of India (RBI), the Prevention of Money Laundering Act (PMLA), Aadhaar eKYC, Video KYC, and the Central KYC (CKYC) Registry shape what onboarding actually looks like on the ground.
If you are evaluating a KYC stack or building one in-house, you can start with HyperVerge’s identity suite and use this guide as the backdrop.
What is KYC? (Definition)
KYC is the mandatory process of verifying who a customer is before a financial relationship begins, and then continuing to verify them as long as the relationship lasts. It is a compliance obligation, not a marketing step. Regulators treat weak KYC as a regulatory breach with real consequences, which is why every onboarding flow you see at a bank, NBFC, or fintech is shaped by it.
KYC Full Form and Meaning
KYC stands for Know Your Customer. Some regulators and older documents use Know Your Client, but the acronym is the same. At its simplest, KYC answers three questions for every customer a regulated business serves: who are you, what is the purpose of this relationship, and does your activity match what you told us at the start.
This is why KYC is never a one-time form. It is a programme that begins at onboarding, is refreshed at intervals set by risk, and is re-triggered whenever something changes. Treating it as a checkbox is how regulatory findings happen.
A Short History of KYC
Modern KYC grew out of anti-money laundering law. The Financial Action Task Force (FATF), formed in 1989, set the global baseline for customer identification through its 40 Recommendations. In 2001, the USA PATRIOT Act introduced Section 326, which requires US banks, broker-dealers, mutual funds, and credit unions to run a formal Customer Identification Program, and similar obligations spread worldwide.
In India, the Prevention of Money Laundering Act, 2002 (PMLA) and the subordinate Prevention of Money Laundering (Maintenance of Records) Rules set the statutory basis for KYC. The RBI then issues the operational rulebook through its KYC Master Direction, which is updated regularly to keep pace with digital onboarding. This section gives you the “why does KYC exist at all” framing you need before the rest of this guide makes sense.
Why KYC Matters
Weak KYC is not a paperwork problem. It is how criminal money enters the financial system, how synthetic identities open credit lines, and how regulators end up issuing penalties. The business case for strong KYC is therefore defensive and offensive at once: it reduces losses and it builds the trust that lets a bank or fintech grow safely.
Preventing Money Laundering, Terrorist Financing, and Fraud
KYC is the first line of defence in an AML and Combating the Financing of Terrorism (CFT) programme. If you do not know who the customer is, you cannot screen them against sanctions lists, identify Politically Exposed Persons (PEPs), or surface the real ultimate beneficial owner (UBO) behind a corporate account. Those checks rely entirely on the identity you captured at onboarding. Get identity wrong, and every downstream control is built on sand.
The Cost of Weak KYC
Regulators issue AML and KYC-related fines every year against banks and fintechs globally, and large enforcement actions regularly run into significant sums. The direct cost is one thing. The indirect cost (reputational damage, enforced monitorships, slower product launches) is usually larger. For smaller fintechs, a single major finding can threaten a licence.
Benefits of a Strong KYC Programme
A well-run KYC programme is a growth asset, not just a cost centre. Teams that automate identity, liveness, and document checks report faster onboarding, lower fraud losses, and better conversion on high-intent customers. A defensible audit trail also makes it easier to enter new products, new sectors, and new countries, because the compliance team can evidence what was done and when.
Why KYC Is Accelerating in India
India is living through a uniquely fast shift to digital onboarding. Account opening, insurance purchase, mutual fund investment, and lending have all moved online at scale, and the RBI’s Video-based Customer Identification Process (V-CIP) circular opened the door to fully remote KYC. The next sections explain the structure that sits under all of this.
Types of KYC
KYC is not one process. It is a family of processes chosen based on the channel, the regulator, and the risk of the customer. Understanding the types is useful because it tells you which method applies to which product, and where the regulatory limits sit.
In-Person (Paper-Based) KYC
In-person KYC is the original form: the customer walks into a branch, a staff member sees the original identity documents, takes copies, and signs off. It is slow and costly, but still required for certain high-value or high-risk account types in many jurisdictions. In India, some corporate onboarding flows still involve at least one in-person step, even where digital options exist.
Digital / eKYC
Electronic KYC (eKYC) moves the whole flow online. The customer uploads or authenticates documents digitally, the system extracts data using Optical Character Recognition (OCR), and the identity is matched against an authoritative source. In India, Aadhaar-based eKYC (OTP or biometric) and DigiLocker-based document retrieval are the two most common digital flows.
Video KYC (V-CIP)
Video KYC is a live, recorded video interaction between an agent and a customer that satisfies full KYC under RBI rules. The agent validates the live face against the document photo, confirms geolocation, and records the session for concurrent audit. It is the fastest fully remote method that is legally equivalent to in-person KYC in India.
CKYC (Central KYC)
The Central KYC Registry stores a customer’s KYC record once and lets every regulated entity re-use it with consent. Instead of uploading documents to every new bank or mutual fund, the customer shares a KYC Identifier (KIN), and the new entity pulls the record from CERSAI. This cuts onboarding friction and standardises the KYC data set across the financial system.
With the types mapped, we can look at what every KYC programme, regardless of type, must contain.
The 3 Core Components of a KYC Programme
A KYC programme has three mandatory components. They are sequential at onboarding and then overlapping for the life of the relationship. If any one of them is weak, the whole programme is weak. This is the structure regulators inspect against, so we will lay it out clearly.
Customer Identification Program (CIP)
CIP is the first mile: collect enough information to identify the customer and verify it against reliable, independent sources. The minimum data set is name, date of birth, address, and a government-issued identification number, supported by a valid document. For individuals this is usually a photo ID and a proof of address. For businesses it extends to the certificate of incorporation, directors’ identity, and the beneficial ownership structure.
Customer Due Diligence (CDD)
Customer Due Diligence is where identity becomes risk. CDD asks who the customer really is, what they intend to use the account for, whether that intent is plausible given what you know, and whether they are on a sanctions or PEP list. It comes in three tiers:
- Simplified Due Diligence (SDD) for low-risk customers and products
- Standard CDD as the default
- Enhanced Due Diligence (EDD) for high-risk customers, including PEPs, customers from high-risk jurisdictions, and complex ownership structures
The tier is not static. A customer can move from Standard to EDD if their behaviour changes.
Continuous / Ongoing Monitoring
KYC does not end at onboarding. Continuous monitoring is the set of controls that keep the customer’s risk picture current: periodic review of the KYC file, transaction monitoring against expected patterns, re-screening against updated sanctions and PEP lists, and trigger-based re-KYC when something changes (address, ownership, product use, jurisdiction). Done well, this is how fraud and AML surface before they become enforcement events.
These three components are the scaffolding. The next distinction people often blur is where KYC ends and where AML begins.
KYC vs AML: What’s the Difference?
KYC and AML get used interchangeably, but they are not the same thing. Getting the relationship right matters because it shapes who owns what inside a financial institution.
KYC as the Identity Layer of AML
AML is the umbrella regulatory framework: the laws, rules, and controls a financial institution must operate to prevent money laundering and terrorist financing. KYC is the identity and onboarding layer inside AML. Every AML programme must have KYC, but KYC alone is not a complete AML programme. You also need transaction monitoring, sanctions screening, suspicious activity reporting, and governance.
Side-by-Side Comparison
| Dimension | KYC | AML |
|---|---|---|
| Scope | Identify and risk-rate customers | Prevent money laundering and terrorist financing end to end |
| Primary trigger | Onboarding and periodic review | Continuous across customer life cycle |
| Typical output | Verified customer file, risk rating | Alerts, Suspicious Transaction Reports (STRs), controls evidence |
| Regulatory basis | CDD and CIP rules (e.g., RBI Master Direction) | PMLA, FATF 40 Recommendations, sectoral rules |
| Usual owner | Operations plus compliance | Compliance and financial crime function |
The short version: KYC is a subset of AML, focused on identity. The next question is who has to do it.
Who Needs to Do KYC? (Regulatory Obligations)
KYC obligations have widened. The list now includes businesses that many founders assume are outside financial regulation, which is usually where enforcement surprises come from.
Regulated Financial Sectors
The core list is long and familiar: banks, Non-Banking Financial Companies (NBFCs), insurers, mutual funds, stockbrokers, depository participants, and payment aggregators and payment system providers. Globally, all of these have KYC obligations derived from the FATF 40 Recommendations and translated into local rules by the domestic regulator.
Emerging Obligated Sectors
The newer entrants include Virtual Asset Service Providers (VASPs), Designated Non-Financial Businesses and Professions (DNFBPs) such as real estate agents, precious metals dealers, and certain legal and accounting services. In India, Virtual Digital Asset Service Providers (VDA SPs) were brought under the PMLA framework in March 2023, which means crypto exchanges, custodians, and transfer services now register with FIU-IND as reporting entities and run full KYC and AML programmes.
Core KYC Compliance Requirements
Across obligated entities, the common denominators are:
- A board-approved KYC policy and a named Principal Officer
- A documented risk categorisation method for customers
- Record retention for the period required by local law
- Periodic re-KYC at a cadence tied to risk tier
- Reporting of suspicious and threshold transactions to the national Financial Intelligence Unit (in India, FIU-IND)
Under Section 12 of the PMLA and the PML (Maintenance of Records) Rules, reporting entities must retain transaction records for five years from the date of each transaction, and identity and account records for five years after the relationship ends or the account is closed, whichever is later.
The point is simple: if your business creates, holds, or transfers value for customers, the default assumption should be that KYC applies. With the “who” settled, the next question is “what does the customer actually hand over.”
KYC Documents: What Customers Need to Submit
The document list varies by country and by customer type, but the categories are consistent. A good KYC flow collects the minimum necessary to verify identity and address, then captures additional information based on risk.
Standard Global KYC Documents
For individuals, regulators typically accept a government-issued photo identity document (passport, national ID card, driving licence) and a separate proof of current address (utility bill, bank statement, government correspondence). For higher-risk products, proof of income or source of funds is added.
For businesses, the standard corporate KYC pack includes the certificate of incorporation, the memorandum and articles of association (or equivalent), a board resolution authorising the relationship, director identity documents, and UBO declarations naming natural persons behind the entity.
India-Specific KYC Documents
India defines an Officially Valid Document (OVD) list under the PMLA rules and the RBI KYC Master Direction. The accepted OVDs are the passport, driving licence, proof of possession of Aadhaar number, Voter’s Identity Card issued by the Election Commission of India, NREGA job card signed by a State Government officer, and the letter issued by the National Population Register containing name and address. PAN is separately required for tax identification.
Aadhaar can also be shared offline as an Aadhaar XML or paperless offline KYC, which lets the customer prove identity without exposing the raw number. This matters for entities that are not permitted to conduct Aadhaar authentication under UIDAI rules.
Once you know what to collect, the next question is how the end-to-end flow runs.
How the KYC Process Works (Step by Step)
A digital KYC flow is a series of checks that get progressively more strict as the customer moves deeper into the relationship. Here is the sequence most regulated businesses run.
Step 1: Customer Information Capture
The customer enters core personally identifiable information (PII), contact details, and the declared purpose of the account. This is the form layer, and it is also where fraud signals first appear (device, geolocation, mismatched data, suspicious email patterns).
Step 2: Identity and Address Verification
The customer uploads or shares identity and address documents. The system runs OCR to extract structured data, checks document authenticity, and cross-references against independent sources: the Aadhaar database, DigiLocker, government registries, or credit bureau data depending on the market.
Step 3: Biometric and Liveness Checks
A live face is captured and matched against the document photograph. Liveness detection confirms that the face belongs to a real person who is physically present, not a photograph, a replayed video, or a deepfake. For Video KYC, this step is done during the live agent interaction.
Step 4: Risk Scoring and Due Diligence Level
The verified data is scored against the risk model. Low-risk customers take the SDD path. Most take the Standard CDD path. High-risk customers (PEPs, high-risk geographies, complex UBO structures) are routed to EDD, which collects additional documentation and triggers senior management sign-off.
Step 5: Ongoing Monitoring and Periodic Review
Once live, the customer is subject to transaction monitoring and periodic review. The cadence depends on the risk tier. Triggers (a change in address, a spike in transaction value, an adverse media hit) can pull the review forward. Any material finding loops back into the KYC file and the risk rating.
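The routing in Step 4, the trigger-based review in Step 5, and the CDD tiers and ongoing monitoring described under the three core components are easier to reason about as a small state machine. The example below is added for this guide and is not HyperVerge's code or the RBI's rulebook. The high-risk jurisdiction set and the UBO, volume and transaction-spike thresholds are placeholders; the 2/8/10-year periodic review cadence follows the RBI KYC Master Direction's periodic updation intervals for high/medium/low risk as understood at the time of writing, and must be checked against the current text.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Illustrative constants (assumed values, not a real FATF list or a bank's calibrated model).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
REVIEW_YEARS = {"EDD": 2, "CDD": 8, "SDD": 10}   # assumed RBI periodic-updation cadence; verify
UBO_LAYER_EDD_THRESHOLD = 2                      # two or more entity layers counts as complex
SDD_MAX_EXPECTED_MONTHLY_INR = 50_000            # cap on expected volume for the simplified path
TXN_SPIKE_MULTIPLIER = 3                         # one transaction above 3x expected monthly volume
TIER_RANK = {"SDD": 0, "CDD": 1, "EDD": 2, "BLOCK": 3}


@dataclass
class Customer:
    name: str
    country: str
    is_pep: bool = False
    sanctions_hit: bool = False      # a confirmed (not merely possible) list match
    ubo_layers: int = 0              # entity layers between the account and a natural person
    expected_monthly_inr: float = 0.0


@dataclass
class KycState:
    tier: str
    reasons: list[str]
    last_review: date
    next_review: date
    rekyc_due: bool = False


def assess_tier(c: Customer) -> tuple[str, list[str]]:
    """Step 4: route to SDD / CDD / EDD, or BLOCK on a confirmed sanctions match."""
    if c.sanctions_hit:
        return "BLOCK", ["confirmed sanctions match: do not onboard, escalate to Principal Officer"]
    reasons = []
    if c.is_pep:
        reasons.append("politically exposed person")
    if c.country in HIGH_RISK_JURISDICTIONS:
        reasons.append(f"high-risk jurisdiction {c.country}")
    if c.ubo_layers >= UBO_LAYER_EDD_THRESHOLD:
        reasons.append(f"complex ownership: {c.ubo_layers} entity layers")
    if reasons:
        return "EDD", reasons
    if c.ubo_layers == 0 and c.expected_monthly_inr <= SDD_MAX_EXPECTED_MONTHLY_INR:
        return "SDD", ["individual with low expected volume"]
    return "CDD", ["default tier"]


def onboard(c: Customer, today: date) -> KycState:
    """Create the KYC file with the periodic review date set by tier."""
    tier, reasons = assess_tier(c)
    years = REVIEW_YEARS.get(tier, 0)
    return KycState(tier, reasons, today, today + timedelta(days=365 * years))


def apply_event(state: KycState, customer: Customer, event: dict, today: date) -> tuple[KycState, list[str]]:
    """Step 5: a monitoring event can raise the tier, pull the review forward, or both.
    The tier only moves up here; downgrades go through human review, not automation."""
    new = replace(state, reasons=list(state.reasons))
    actions: list[str] = []
    kind = event["type"]
    if kind == "transaction":
        amount = event["amount_inr"]
        if customer.expected_monthly_inr and amount > TXN_SPIKE_MULTIPLIER * customer.expected_monthly_inr:
            actions.append(f"alert: {amount:.0f} INR exceeds {TXN_SPIKE_MULTIPLIER}x expected monthly volume")
            new.next_review = min(new.next_review, today)   # pull the periodic review forward
        return new, actions
    if kind in ("adverse_media", "pep_status_change"):
        if TIER_RANK[new.tier] < TIER_RANK["EDD"]:
            new.tier = "EDD"
            actions.append("escalate to EDD")
        new.reasons.append(kind)
    elif kind == "ownership_change":
        tier, reasons = assess_tier(replace(customer, ubo_layers=event["ubo_layers"]))
        if TIER_RANK[tier] > TIER_RANK[new.tier]:
            new.tier, new.reasons = tier, reasons
            actions.append(f"escalate to {tier}")
    elif kind != "address_change":
        raise ValueError(f"unknown monitoring event {kind!r}")
    new.rekyc_due = True          # material change: refresh the KYC file now
    new.next_review = today
    actions.append(f"re-KYC triggered by {kind}")
    return new, actions


def review_due(state: KycState, today: date) -> bool:
    return state.rekyc_due or today >= state.next_review
```

The shape worth copying is that `apply_event` returns a new state and a list of actions rather than mutating and logging in place: the returned actions are what you write to the audit log for the decision, and the immutable previous state is what lets an auditor reconstruct why the customer was in a given tier on a given date.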
That flow is the global shape. India adds a specific regulatory overlay that is worth its own section.
KYC in India: The RBI, PMLA, and Digital Framework
India’s KYC framework is one of the most elaborate in the world, and also one of the most digitised. The combination of PMLA, RBI rules, and the Aadhaar stack means a practitioner can run fully remote KYC that would be impossible in most other markets. This section is the differentiator of this guide because most global KYC content skips it.
RBI KYC Master Direction and PMLA
The Prevention of Money Laundering Act, 2002 is the parent statute. The subordinate PML Rules set the statutory KYC obligations. The RBI KYC Master Direction operationalises those rules for banks, NBFCs, payment system operators, and other regulated entities under RBI jurisdiction. Sectoral regulators layer their own rules on top: the Securities and Exchange Board of India (SEBI) for capital markets, the Insurance Regulatory and Development Authority of India (IRDAI) for insurance, and the Pension Fund Regulatory and Development Authority (PFRDA) for pensions.
Aadhaar eKYC (OTP and Biometric)
Aadhaar eKYC lets a customer authenticate identity against the UIDAI database in seconds, either via One-Time Password (OTP) to the registered mobile number or via a biometric (fingerprint or iris) scan. Following the Supreme Court’s 2018 judgment in K.S. Puttaswamy v. Union of India, which struck down the contractual-use provision of Section 57 of the Aadhaar Act, and the subsequent Aadhaar and Other Laws (Amendment) Act, 2019, Aadhaar authentication is permitted only for specific categories of entities and use cases. Other entities use Aadhaar XML or offline KYC instead.
Video KYC Under RBI Guidelines
Video-based Customer Identification Process was formalised by RBI’s V-CIP guidance. The rules require a live, randomised interaction, geotagging inside India, PAN verification (via the Income Tax Department’s database or an OVD), concurrent audit of a sample of sessions, and full session recording. Done well, V-CIP matches in-person KYC for assurance at a fraction of the cost and time.
CKYC: The Central KYC Registry
CKYC, operated by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), stores a customer’s full KYC record in a single place. When the customer onboards with a new regulated entity, that entity pulls the record using the KYC Identifier (KIN), subject to customer consent. The result: the customer does not resubmit documents, and the receiving entity gets a standardised record that shortens onboarding from days to minutes.
This India stack solves a lot, but it does not solve everything. Operational challenges still eat budget and conversion.
Common KYC Challenges and How to Solve Them
Even with regulation and technology in place, KYC runs into the same four problems across most institutions. Naming them clearly is the first step to fixing them.
Drop-Off During Onboarding
The single biggest operational cost of KYC is not the verification itself. It is the customers who abandon halfway through. Long forms, repeated document uploads, unclear error messages, and failed selfie captures all push conversion down. A well-designed digital flow keeps the time-to-verified under a few minutes, shows progress clearly, and recovers gracefully from a failed step.
Fraud and Synthetic Identities
Document forgery, face spoofing, and deepfakes are now mainstream threats. Synthetic identities (where real attributes are combined into a fake person) are harder to detect than classic stolen-identity fraud because there is no real victim to complain. The countermeasures are document forensics (checking templates, fonts, security features, and tamper signals), strong liveness and deepfake detection, and device-level fraud signals correlated across the customer base.
Data Quality and Document Variance
India alone has hundreds of valid ID variants across states, languages, and issuing authorities. Add blurry photos, glare, and partial captures, and OCR accuracy becomes a core operational metric. Good KYC systems handle variance gracefully: they catch bad captures at the point of upload, offer guidance to the customer, and route hard exceptions to human review instead of rejecting outright.
Scaling KYC Without Scaling Cost
Manual review scales linearly with volume, which is fatal for fast-growing fintechs. The fix is automation at the high-confidence cases and human review concentrated on the ambiguous ones. API-driven KYC lets product teams embed verification where it fits the customer journey, and real-time decisioning keeps cost per verified customer flat as volume grows.
Solving these problems is easier when your go-live checklist is complete. The next section gives you that checklist.
KYC Checklist: What Every Team Needs Before Go-Live
Use this as a pre-launch self-audit for a new product, a new geography, or a new sector. Every item is non-optional for a regulated rollout.
Policy and Governance Checklist
- Board-approved KYC policy covering customer acceptance, identification, risk categorisation, monitoring, and reporting
- Designated Principal Officer and a Money Laundering Reporting Officer with clear reporting lines
- Documented risk categorisation methodology, reviewed at least annually
- Training plan for frontline, operations, and compliance staff
Process and Workflow Checklist
- Onboarding flow defined separately for each risk tier, with documented exception paths
- SDD, Standard CDD, and EDD gates with clear escalation criteria
- Re-KYC cadence mapped to risk tier, with automated triggers for material changes
- UBO identification process for corporate customers, including thresholds and evidence standards
Technology and Vendor Checklist
- Identity verification, document authentication, OCR, and liveness vendors selected and contracted
- Sanctions, PEP, and adverse media screening with defined match-rate and review SLAs
- Audit logs for every KYC decision, retained per the relevant law
- Data residency, encryption, and breach notification SLAs in the vendor contract
Audit and Reporting Checklist
- Suspicious Transaction Report (STR) and Cash Transaction Report (CTR) filing workflows with FIU-IND
- Record retention configured to the required legal period
- Internal audit plan covering KYC sampling, and concurrent audit for V-CIP where applicable
- Management Information System (MIS) dashboards for exceptions, drop-off, and review backlog
Treat this as your starting point, not your end state. Your regulator’s latest circular takes precedence over any generic checklist, including this one.
Ready to Build a Stronger KYC Programme?
A strong KYC programme reduces regulatory risk, cuts onboarding time, and protects the customer experience. HyperVerge’s identity suite covers the full stack: document verification, OCR, face match, liveness, Video KYC compliant with RBI rules, Aadhaar eKYC, and CKYC lookup. Sign up to see the platform in action and talk to our team about mapping it to your onboarding flow.
KYC FAQ
What is the full form of KYC?
KYC stands for Know Your Customer (sometimes Know Your Client). It is the mandatory process a regulated financial institution uses to verify a customer’s identity, assess their risk, and monitor activity for the life of the relationship. It is required under anti-money laundering laws in most major jurisdictions.
What is the difference between KYC and AML?
AML is the full regulatory framework to prevent money laundering and terrorist financing. KYC is the identity and onboarding layer inside that framework. Every AML programme must include KYC, but AML also covers transaction monitoring, sanctions screening, and suspicious activity reporting that sit beyond the KYC file itself.
What are the 3 main components of a KYC program?
A KYC programme has three components: the Customer Identification Program (CIP), which verifies who the customer is; Customer Due Diligence (CDD), which assesses their risk and purpose; and Ongoing Monitoring, which keeps the customer’s risk picture current through periodic review, transaction monitoring, and trigger-based re-KYC.
Who is required to comply with KYC regulations?
Banks, NBFCs, insurers, mutual funds, stockbrokers, payment aggregators, and similar financial institutions are all obligated. In recent years, crypto and virtual digital asset service providers, real estate dealers, precious metals dealers, and some professional services have also been brought under KYC and AML obligations in many jurisdictions, including India.
What documents are needed for KYC verification?
For individuals, the standard set is a government-issued photo identity document and a separate proof of address. In India, an Officially Valid Document (OVD) such as Aadhaar, passport, voter ID, or driving licence is accepted, with PAN for tax identification. Businesses provide incorporation documents, director identity, and UBO declarations.
What is eKYC and how does it differ from regular KYC?
eKYC is electronic KYC, where the customer verifies identity digitally instead of in a branch. In India, Aadhaar-based OTP and biometric eKYC, DigiLocker retrieval, and Video KYC are all forms of eKYC. The standards and regulatory intent are the same as paper KYC, but the channel and the experience are fully remote.
What is Enhanced Due Diligence (EDD) in KYC?
Enhanced Due Diligence is the highest tier of Customer Due Diligence, applied to customers who present higher money laundering or terrorism financing risk. Typical EDD triggers include Politically Exposed Persons, customers from high-risk jurisdictions, and complex beneficial ownership structures. EDD requires more documentation, deeper source-of-funds checks, and senior management approval.
Can KYC be done online?
Yes. In India, Aadhaar eKYC, DigiLocker-based KYC, and RBI-regulated Video KYC (V-CIP) let a customer complete full KYC online without visiting a branch. Globally, digital identity verification combining document authentication, face match, and liveness is accepted by most regulators for standard-risk customers, with in-person or EDD steps reserved for higher risk.
