Amendment to the Master Direction (MD) on KYC - ଆରବିଆଇ - Reserve Bank of India
Amendment to the Master Direction (MD) on KYC
RBI/2021-22/35 May 10, 2021 The Chairpersons/ CEOs of all the Regulated Entities Madam/Sir, Amendment to the Master Direction (MD) on KYC Please refer to the Master Direction (MD) on KYC dated February 25, 2016, as amended from time to time, in terms of which Regulated Entities (REs) have to undertake Customer Due Diligence (CDD) while dealing with the customers as per the process laid out therein. 2. In this regard, on a review, it has been decided to amend the MD on KYC to further leverage the Video based Customer Identification Process (V-CIP) and to simplify and rationalise the process of periodic updation of KYC. The amended provisions read as under: I. V-CIP: Clause (xx) of Section 3: Amended Definition of V-CIP:
Clause (v) of Section 17:
Amended Section 18 on V-CIP: REs may undertake V-CIP to carry out:
REs opting to undertake V-CIP, shall adhere to the following minimum standards: (a) V-CIP Infrastructure (i) The RE should have complied with the RBI guidelines on minimum baseline cyber security and resilience framework for banks, as updated from time to time as well as other general guidelines on IT risks. The technology infrastructure should be housed in own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines. (ii) The RE shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner. (iii) The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses. (iv) The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt. (v) The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with the RE. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust. (vi) Based on experience of detected / attempted / ‘near-miss’ cases of forged identity, the technology infrastructure including application software as well as work flows shall be regularly upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber security event under extant regulatory guidelines. (vii) The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by suitably accredited agencies as prescribed by RBI. Such tests should also be carried out periodically in conformance to internal / regulatory guidelines. (viii) The V-CIP application software and relevant APIs / webservices shall also undergo appropriate testing of functional, performance, maintenance strength before being used in live environment. Only after closure of any critical gap found during such tests, the application should be rolled out. Such tests shall also be carried out periodically in conformity with internal/ regulatory guidelines. (b) V-CIP Procedure (i) Each RE shall formulate a clear work flow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process shall be operated only by officials of the RE specially trained for this purpose. The official should be capable to carry out liveliness check and detect any other fraudulent manipulation or suspicious conduct of the customer and act upon it. (ii) If there is a disruption in the V-CIP procedure, the same should be aborted and a fresh session initiated. (iii) The sequence and/or type of questions, including those indicating the liveness of the interaction, during video interactions shall be varied in order to establish that the interactions are real-time and not pre-recorded. (iv) Any prompting, observed at end of customer shall lead to rejection of the account opening process. (v) The fact of the V-CIP customer being an existing or new customer, or if it relates to a case rejected earlier or if the name appearing in some negative list should be factored in at appropriate stage of work flow. (vi) The authorised official of the RE performing the V-CIP shall record audio-video as well as capture photograph of the customer present for identification and obtain the identification information using any one of the following:
RE shall ensure to redact or blackout the Aadhaar number in terms of Section 16. In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be ensured that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP. Further, in line with the prescribed period of three days for usage of Aadhaar XML file / Aadhaar QR code, REs shall ensure that the video process of the V-CIP is undertaken within three days of downloading / obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document, if in the rare cases, the entire process cannot be completed at one go or seamlessly. However, REs shall ensure that no incremental risk is added due to this. (vii) If the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured, as per the existing requirement. It shall be ensured that the economic and financial profile/information submitted by the customer is also confirmed from the customer undertaking the V-CIP in a suitable manner. (viii) RE shall capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority including through DigiLocker. (ix) Use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP. (x) The authorised official of the RE shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer. (xi) Assisted V-CIP shall be permissible when banks take help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank. (xii) All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of process and its acceptability of the outcome. (xiii) All matters not specified under the paragraph but required under other statutes such as the Information Technology (IT) Act shall be appropriately complied with by the RE. (c) V-CIP Records and Data Management (i) The entire data and recordings of V-CIP shall be stored in a system / systems located in India. REs shall ensure that the video recording is stored in a safe and secure manner and bears the date and time stamp that affords easy historical data search. The extant instructions on record management, as stipulated in this MD, shall also be applicable for V-CIP. (ii) The activity log along with the credentials of the official performing the V-CIP shall be preserved. II. Periodic updation of KYC: Amended Section 38: REs shall adopt a risk-based approach for periodic updation of KYC. However, periodic updation shall be carried out at least once in every two years for high risk customers, once in every eight years for medium risk customers and once in every ten years for low risk customers from the date of opening of the account / last KYC updation. Policy in this regard shall be documented as part of REs’ internal KYC policy duly approved by the Board of Directors of REs or any committee of the Board to which power has been delegated. i. Individual Customers:
ii. Customers other than individuals:
iii. Additional measures: In addition to the above, REs shall ensure that -
3. Accordingly, the relevant Sections of the MD on KYC are hereby amended to reflect the aforementioned changes. The amended provisions shall come into force with immediate effect. Yours faithfully, (Prakash Baliarsingh) |