RBI KYC Compliance for Indian Businesses: The 2026 Complete Guide

What Is RBI KYC Compliance in India?

RBI KYC compliance refers to the obligations placed on all Reserve Bank of India-regulated entities under the RBI KYC Master Direction (2016, amended August 2025) — India's consolidated regulatory framework for Know Your Customer norms. It mandates how banks, NBFCs, payment banks, and fintechs must verify customer identities, classify risk, conduct due diligence, file suspicious transaction reports, and maintain records.

At its core, the Master Direction brings India in line with global Financial Action Task Force (FATF) standards on anti-money laundering (AML) and counter-terrorism financing (CFT), while layering on India-specific provisions such as Aadhaar-based eKYC, CKYC registration with CERSAI, and the Video KYC (V-CIP) framework.

This guide covers everything regulated entities need to know about RBI KYC compliance in 2026 — from CDD tiers and Video KYC rules to CKYC mandates, AML obligations, and the August 2025 amendments.

For a quick-reference checklist, see our complete RBI KYC compliance India guide →

Who Must Comply with RBI KYC Rules?

The KYC Master Direction applies to all entities regulated by the Reserve Bank of India:

• Scheduled commercial banks (public, private, foreign)
• Cooperative banks
• Non-Banking Financial Companies (NBFCs) — including deposit-taking and non-deposit-taking
• Payment banks and small finance banks
• Prepaid Payment Instrument (PPI) issuers
• Account aggregators

Beyond RBI, parallel KYC obligations exist for SEBI-registered entities (mutual funds, brokers), IRDAI-regulated insurers, and PFRDA-regulated pension funds — all broadly aligned with the same Master Direction principles.

Unregulated fintechs must comply through their regulated banking partner's KYC programme or by obtaining their own regulatory licence.

The Three Customer Due Diligence Tiers

The Master Direction establishes a risk-based approach to KYC, with three levels of due diligence depending on customer risk classification:

1. Simplified Due Diligence (SDD)

Applies to demonstrably low-risk customers and products — Jan Dhan accounts, small-value insurance policies, and Basic Savings Bank Deposit Accounts (BSBDAs). Reduced documentation requirements, no photo mandatory in some cases. Threshold: deposits capped at ₹50,000/year and credits capped at ₹1 lakh/year.

2. Customer Due Diligence (CDD — Standard)

The default tier for all regular retail accounts. Requires: identity proof (Aadhaar / PAN / passport / voter ID / driving licence), address proof, PAN (mandatory for transactions above ₹50,000), and photograph. Can be completed digitally via Offline Aadhaar eKYC or Video KYC (V-CIP).

3. Enhanced Due Diligence (EDD)

Mandatory for high-risk customers: Politically Exposed Persons (PEPs) and their immediate family, non-resident customers, foreign nationals, customers from FATF-designated high-risk jurisdictions, and accounts flagged by AML screening. EDD requires senior management approval, enhanced ongoing monitoring, and more frequent periodic re-KYC.

OTP-based Aadhaar eKYC automatically triggers EDD classification because it is non-face-to-face. To achieve standard CDD, entities must use Video KYC (V-CIP).

eKYC Methods and Their RBI Classification

India offers five primary eKYC methods under the UIDAI and RBI frameworks, each with different compliance implications:

• Aadhaar OTP eKYC: Real-time UIDAI authentication. Non-face-to-face. ₹1 lakh/year transaction cap. EDD classification.
• Offline Aadhaar eKYC: UIDAI-signed XML file, no Aadhaar number shared. Non-face-to-face. Same ₹1 lakh/year cap.
• Video KYC (V-CIP): Live video session with trained bank official. Face-to-face equivalent. No transaction cap. Standard CDD. Mandated under RBI Para 19.
• DigiLocker eKYC: Consent-based fetch of govt-verified OVDs (PAN, Aadhaar, DL, passport). Standard CDD.
• PAN-based KYC: Real-time NSDL/ITD verification. Supplementary — does not satisfy full CDD alone.

For a detailed breakdown of all five types and their use cases, see the eKYC India complete guide →

Video KYC (V-CIP) — The Most Important Compliance Unlock

Introduced in January 2020 under RBI Para 19 and significantly strengthened in the August 2025 amendment, Video KYC is the pivotal compliance tool for any regulated entity offering high-value products digitally.

Why it matters: it is the only digital eKYC method that achieves face-to-face equivalent status, removing the ₹1 lakh/year transaction cap and EDD classification that apply to all OTP-based methods. For lending, wealth management, insurance above ₹1L, and full-feature current accounts, Video KYC is effectively the only compliant digital onboarding path.

RBI Para 19 mandatory requirements:

• Live video connection between customer and trained bank official
• Real-time face match between live video and OVD (Aadhaar / PAN photo)
• PAN verification during session
• Geo-tagging confirming customer is in India
• End-to-end encryption (TLS 1.3 minimum)
• 5-year encrypted session recording storage
• Deepfake and presentation attack detection (added August 2025)

The August 2025 addition of deepfake detection is significant — basic liveness prompts are no longer sufficient. V-CIP sessions must actively detect AI-generated faces, video replays, and 3D mask attacks.

See eKYCNow's Video KYC India product →

Periodic KYC Re-Verification Requirements

RBI mandates risk-based periodic KYC reviews for all customer accounts. Since the June 2025 circular, this can be completed via digital channels:

• High-risk customers: Re-KYC every 2 years
• Medium-risk customers: Re-KYC every 8 years
• Low-risk customers: Re-KYC every 10 years

Accounts past their review date must be made inoperable until re-KYC is completed. Digital re-KYC can be done via net banking, mobile app, or a new Video KYC session — no branch visit required as of June 2025.

This change has significant operational implications: entities must maintain automated triggers for periodic re-KYC and be able to deliver the full verification flow digitally.

CKYC and the CERSAI Mandate

The Central KYC Registry (CKYC), operated by the Central Registry of Securitisation Asset Reconstruction and Security Interest (CERSAI), is India's portable, centralised KYC repository. Every regulated financial entity must:

• Upload KYC records to CERSAI within 3 working days of account opening
• Search CKYC before onboarding any new customer (to check if a CKYC number already exists)
• Update records when customer details change

A customer's 14-digit CKYC number is then portable — they can onboard at any regulated institution without repeating the full KYC process.

Missing CKYC uploads constitute a continuing violation under PMLA and attract penalties of up to ₹1 lakh per day. eKYCNow automates CKYC uploads as part of every verification, ensuring the 3-day window is never missed.

AML, PEP Screening, and STR Filing

RBI KYC compliance extends beyond identity verification into ongoing transaction monitoring and AML obligations:

• PEP screening: All customers must be screened against domestic and international Politically Exposed Person databases at onboarding and periodically thereafter.
• Sanctions screening: Real-time screening against UNSC, OFAC, EU, and UK sanctions lists is required, with a maximum of 24 hours between list updates.
• Suspicious Transaction Reports (STRs): Must be filed with the Financial Intelligence Unit India (FIU-IND) within 7 days of suspicion arising. Failure to file is a criminal offence under PMLA.
• Cash Transaction Reports (CTRs): All cash transactions above ₹10 lakh/month must be reported.

According to the Financial Intelligence Unit India (FIU-IND), STR filings have grown over 40% year-on-year, reflecting increased regulatory scrutiny across India's financial sector.

August 2025 RBI KYC Amendment: What Changed

The August 2025 amendment to the KYC Master Direction was the most significant update since the original 2016 direction. Four key changes:

1. Expanded OVD list: New digital identity credentials added as Officially Valid Documents, broadening the range of acceptable identity proofs for CDD.
2. Offline Aadhaar XML clarification: Explicitly confirmed that Offline Aadhaar XML satisfies standard CDD without triggering UIDAI's non-face-to-face classification — though the ₹1L cap still applies unless combined with V-CIP.
3. Deepfake requirements for V-CIP: Entities must implement presentation attack detection in all Video KYC sessions. Basic face movement prompts are no longer sufficient.
4. FATF 2023 alignment: India's framework now formally aligned with the FATF 2023 updated 40 Recommendations, bringing it in line with EU AMLD6 and UK/US AML standards.

These changes have compliance implications for any entity using Video KYC — if your V-CIP provider does not have explicit deepfake detection, your sessions may no longer satisfy Para 19.

Penalties for RBI KYC Non-Compliance

Non-compliance with the KYC Master Direction carries serious consequences:

• PMLA penalties: Up to ₹1 lakh per day for continuing violations (e.g., missed CKYC uploads, delayed STRs)
• RBI monetary penalties: Typically ₹1–5 crore for systematic KYC failures, published on the RBI website
• Business activity restrictions: RBI can direct entities to stop onboarding new customers pending compliance remediation
• Licence cancellation: Extreme or repeat violations can result in banking licence or NBFC registration cancellation

RBI publishes all monetary penalties on its official website. According to the Reserve Bank of India, KYC-related enforcement actions have increased significantly since 2023, with several major banks and NBFCs receiving penalties for inadequate periodic KYC and CKYC non-compliance.

How eKYCNow Automates Full RBI KYC Compliance

eKYCNow by Message Central is India's most complete eKYC platform — covering every item in the RBI compliance checklist via a single REST API:

• Aadhaar OTP eKYC — real-time UIDAI authentication
• Offline Aadhaar XML — UIDAI signature validation, photo extraction
• Video KYC V-CIP — deepfake-proof liveness, Para 19 certified
• PAN verification — real-time NSDL/ITD query
• DigiLocker document fetch — 8+ OVD types
• AML/PEP screening — 1,200+ global watchlists in real-time
• CKYC upload — auto-submitted to CERSAI within 3 working days

Pricing starts at ₹10/verification with no setup fee. 5 free checks on signup — no credit card required. Full API documentation →

Certified: RBI compliant, UIDAI AUA/KUA registered, SOC2 Type II, ISO 27001.

RBI KYC Compliance Checklist for 2026

Use this as a quick reference before your next internal audit or RBI inspection:

• ✅ Board-approved KYC/AML policy in place
• ✅ CDD tier classification documented for all customer segments
• ✅ Aadhaar-based eKYC (OTP or Offline XML) for standard onboarding
• ✅ Video KYC (V-CIP, Para 19) for products above ₹1 lakh/year
• ✅ Deepfake detection in V-CIP sessions (August 2025 requirement)
• ✅ PAN verification for all transactions above ₹50,000
• ✅ CKYC search before onboarding; upload within 3 working days
• ✅ PEP and sanctions screening at onboarding and periodically
• ✅ STR filing within 7 days of suspicion; CTR for cash above ₹10L/month
• ✅ Periodic KYC: 2yr high-risk, 8yr medium-risk, 10yr low-risk
• ✅ 5-year record retention for all KYC documents and V-CIP recordings
• ✅ Designated Principal Officer (PO) for PMLA compliance

Conclusion

RBI KYC compliance in 2026 is more demanding than ever — the August 2025 amendment added deepfake requirements, expanded OVDs, and tightened FATF alignment. But it is also more tractable than ever: digital channels now cover the full compliance lifecycle, from onboarding to periodic re-KYC to CKYC upload, without a single branch visit.

The entities that will face enforcement risk are those still relying on manual processes, incomplete AML screening, or Video KYC providers that have not updated to the August 2025 deepfake requirements.

For banks, NBFCs, and fintechs ready to automate the entire compliance stack, eKYCNow provides a certified, single-API path to full RBI compliance from ₹10/verification.