UPDATED MARCH 2026
INDIA COMPLIANCE GUIDE

RBI KYC Compliance India 2026: The Complete Master Direction Guide

Everything regulated banks, NBFCs and fintechs need to meet RBI's KYC Master Direction, including CDD, Video KYC V-CIP, periodic KYC risk tiers, AML/PEP, CKYC, and the August 2025 digital amendments. Implemented by eKYCNow from ₹10/verification.

₹1L/day: Max PMLA penalty
3 tiers: CDD risk classification
Aug 2025: Latest RBI amendment
₹10: Per check via eKYCNow

RBI Master Direction | PMLA 2002 | UIDAI Guidelines | CERSAI CKYC | FATF Standards

Who Must Comply with RBI KYC Norms in India?

Quick Answer
All entities regulated by the Reserve Bank of India must comply with the RBI KYC Master Direction. This includes all scheduled commercial banks, cooperative banks, NBFCs, payment banks, small finance banks, prepaid payment instrument issuers, and account aggregators operating in India.

The RBI KYC Master Direction (formally Master Direction – Know Your Customer (KYC) Direction, 2016, last amended August 2025) is the authoritative KYC regulation for every entity the Reserve Bank of India oversees. It implements India's obligations under the Prevention of Money Laundering Act, 2002 (PMLA) and aligns with the Financial Action Task Force (FATF) 40 Recommendations.

| Entity Type | Regulator | KYC Framework | Key Obligation |
| --- | --- | --- | --- |
| Scheduled Commercial Banks | RBI | RBI Master Direction (full) | CDD, V-CIP, CKYC, periodic KYC |
| NBFCs | RBI | RBI Master Direction (full) | CDD, V-CIP, CKYC, AML |
| Payment Banks & SFBs | RBI | RBI Master Direction (full) | CDD, CKYC (mandatory) |
| Prepaid Payment Instruments (PPI) | RBI | RBI Master Direction + PPI Guidelines | Min-KYC → Full-KYC upgrade path |
| Account Aggregators | RBI | RBI Master Direction | CDD for FIU onboarding |
| Insurance Companies | IRDAI | IRDAI KYC norms (aligned with RBI) | Policyholder KYC, CKYC upload |
| Stockbrokers / AMCs | SEBI | SEBI KYC norms (aligned with RBI) | Investor KYC, CKYC upload |
| Crypto / VDA Exchanges | FIU-IND | PMLA Rules (KYC equivalent) | CDD, AML, STR reporting |

Non-bank entities (fintechs, lending platforms, payment aggregators) without a direct RBI licence must comply through their banking partner's KYC programme or by becoming a KYC Registration Agency (KRA) under SEBI rules. See the full eKYC India guide for how digital verification fits into this framework.

Customer Due Diligence (CDD) Framework: SDD, CDD & EDD

Quick Answer
RBI mandates three tiers of due diligence: Simplified Due Diligence (SDD) for low-risk products, standard Customer Due Diligence (CDD) for all customers, and Enhanced Due Diligence (EDD) for high-risk customers such as Politically Exposed Persons (PEPs) and cross-border transactions.

The RBI KYC Master Direction establishes a risk-based approach (RBA) to customer identification. Regulated entities must classify every customer and product into a risk tier and apply the corresponding level of diligence. The August 2025 amendment expanded the definition of acceptable Officially Valid Documents (OVDs) and clarified digital CDD equivalence.

The Three CDD Tiers

Simplified Due Diligence (SDD)
LOW RISK

Applies to: Jan Dhan accounts, small-value insurance (<₹50,000 premium), basic savings accounts, government welfare scheme accounts.

Key relaxations: No address proof required for low-balance accounts; self-declaration acceptable; reduced document requirements for rural populations.

Standard Customer Due Diligence (CDD)
STANDARD

Applies to: All retail customers, standard bank accounts, loan accounts, mutual fund investors, insurance policies above ₹50,000.

Requirements: Identity verification (Aadhaar / passport / voter ID / driving licence), address proof, PAN (mandatory for financial transactions >₹50,000), photograph. Can be done digitally via Offline Aadhaar eKYC or Video KYC (V-CIP).

Enhanced Due Diligence (EDD)
HIGH RISK

Applies to: High-risk customers such as Politically Exposed Persons (PEPs) and cross-border transactions, and non-face-to-face customers onboarded via OTP-based Aadhaar eKYC (Para 40).

RBI Master Direction — Para 40
Customers onboarded via OTP-based Aadhaar eKYC (online, non-face-to-face) are classified as non-face-to-face customers and subject to enhanced due diligence. Their accounts carry a ₹1 lakh/year cumulative debit cap until the customer completes face-to-face or Video KYC (V-CIP) verification.

Video KYC (V-CIP) — RBI Para 19 Requirements

Quick Answer
Video Customer Identification Process (V-CIP) under RBI Para 19 is treated as the equivalent of face-to-face KYC. V-CIP customers have no transaction caps, no EDD classification, and satisfy full CDD. Requirements include real-time video, live face match with OVD, PAN verification, randomised question response, and a trained official on the call.

Video KYC (V-CIP) was introduced by RBI in January 2020 (Para 19 of the Master Direction) and significantly expanded in the August 2025 amendment. It allows regulated entities to conduct fully compliant KYC without any physical interaction — while being treated as face-to-face equivalent, removing the ₹1 lakh transaction cap that applies to OTP eKYC.

V-CIP Mandatory Requirements (RBI Para 19)

Live video call with trained bank official; pre-recorded video not permitted
Face match against Officially Valid Document (OVD) photo: Aadhaar, passport, or driving licence
PAN card verification: customer must display original PAN on call
Liveness check: randomised question or action to confirm live presence (not a photo/deepfake)
Geolocation capture: customer's live location must be recorded at time of call
Encrypted video recording stored for minimum 5 years, retrievable for audit
End-to-end encryption: call must use secure channel; no third-party recording
Customer consent: explicit, recorded consent for KYC via video before call begins

OTP eKYC vs Video KYC: Transaction Limits

| Parameter | OTP eKYC (Non-face-to-face) | Video KYC (V-CIP) | In-Person KYC |
| --- | --- | --- | --- |
| RBI classification | Non-face-to-face (EDD) | Face-to-face equivalent | Face-to-face |
| Transaction cap | ₹1 lakh/year cumulative debit | No cap | No cap |
| EDD obligation | Yes (Para 40) | No EDD | No EDD |
| AUA/KUA licence needed | Yes (for online Aadhaar) | No | No |
| Physical branch visit | Not required | Not required | Required |
| Deepfake fraud risk | Medium | Low (with liveness) | Low |
| Suitable for high-value accounts | Restricted | Yes | Yes |

Periodic KYC: Risk-Based Review Schedule

Quick Answer
RBI requires periodic KYC reviews on a risk-tiered schedule: every 2 years for high-risk customers, every 8 years for medium-risk, and every 10 years for low-risk. Since June 2025, periodic KYC updation may be completed digitally without requiring physical branch visits.

Periodic KYC is not optional. Failure to conduct reviews on schedule can result in accounts being made inoperable. The June 2025 RBI circular significantly relaxed the process: customers can now complete KYC updation via net banking, mobile banking, or Video KYC without visiting a branch.

| Risk Category | Review Frequency | Triggers for Reclassification | Action if Overdue |
| --- | --- | --- | --- |
| HIGH RISK | Every 2 years | PEP status, STR filed, adverse media, sanctions list match, complex transaction patterns | Account operations suspended; enhanced monitoring triggered |
| MEDIUM RISK | Every 8 years | New high-value transactions, change in address/occupation, new BO identified | Reminder notices; account restricted after 90-day grace period |
| LOW RISK | Every 10 years | Account dormancy, significant transaction pattern change | Account made inoperable; reactivation requires fresh KYC |

June 2025 RBI Amendment
RBI's June 2025 circular explicitly permits periodic KYC updation via digital channels, including net banking portals, mobile apps, and Video KYC, without requiring in-person branch visits. Regulated entities must implement this digital pathway by December 2025. eKYCNow's API supports automated periodic KYC reminders and digital re-verification flows.

AML, PEP Screening & STR Obligations

India's Anti-Money Laundering (AML) framework operates under the Prevention of Money Laundering Act, 2002 (PMLA) and the RBI KYC Master Direction. All regulated entities must screen customers against PEP lists, UNSC sanctions, and domestic watchlists, and file Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit — India (FIU-IND) within prescribed timelines.

Key AML Obligations Under RBI Master Direction

PEP Screening: Screen all customers against domestic and international PEP lists at onboarding and periodically thereafter
UNSC Sanctions: Real-time screening against UN Security Council consolidated list; freeze assets within 24 hours of designation
STR Filing: File Suspicious Transaction Report with FIU-IND within 7 days of suspicion arising
CTR Filing: Cash Transaction Reports for all cash transactions ≥ ₹10 lakh (or equivalent in foreign currency)
Beneficial Ownership: Identify UBO for all legal entities (threshold: >25% ownership or control)
Record Retention: Retain all KYC records, transaction records, and STR copies for minimum 5 years from relationship end

eKYCNow's AML Screening India product screens against 1,200+ global watchlists, PEP databases, and sanctions lists in real-time, integrated directly into your onboarding API call.

CKYC & CERSAI: Mandatory Central KYC Registry

Quick Answer
CKYC (Central KYC) records must be uploaded to the CERSAI registry within 3 working days of account opening. All regulated financial entities (banks, NBFCs, insurance, securities) must participate. A customer with an existing CKYC number can onboard at any new institution without repeating the full KYC process.

| Parameter | eKYC (Entity-level) | CKYC (Central KYC) |
| --- | --- | --- |
| Scope | Single institution | All regulated financial entities nationwide |
| Storage | Institution's own systems | CERSAI central registry |
| Upload deadline | N/A | 3 working days from account opening |
| Re-use at other institutions | Not possible | Customer presents 14-digit CKYC number |
| Updates | Within institution only | Propagated to all institutions that downloaded the record |
| Penalty for non-upload | N/A | PMLA penalty: up to ₹1L/day for continuing violation |

Aadhaar Vault & Tokenisation Requirements

Under UIDAI's Aadhaar Data Vault specification, every entity that receives an Aadhaar number, even temporarily during eKYC, must tokenise it into a Reference Key and store only the token, never the raw 12-digit number. The Aadhaar number itself must be stored in a UIDAI-compliant encrypted vault and must not appear in application databases, logs, or audit trails.

Aadhaar Vault: Encrypted vault using AES-256 with keys stored in HSM (Hardware Security Module)
Reference Key (RK): All internal systems use RK; Aadhaar number is never stored in application layer
VID support: Accept Virtual ID (16-digit revocable number) in lieu of Aadhaar number for authentication
Masking: Display only last 4 digits of Aadhaar in any UI, document, or printed output

eKYCNow handles Aadhaar Vault and tokenisation automatically; your application only ever receives a Reference Key, never the raw Aadhaar number. This ensures your stack is compliant without any vault infrastructure of your own.
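
The sketch below is an added example, not eKYCNow's or UIDAI's code: it shows the masking and Reference Key rules as a logging filter that redacts checksum-valid 12-digit numbers to their last 4 digits, plus a tokeniser that hands out random Reference Keys. The function names, the candidate regex, the in-memory `VAULT` dictionary (a stand-in for the encrypted, HSM-backed vault) and the UUID-based Reference Key scheme are assumptions, and `SAMPLE` is a constructed number.

```python
import logging
import re
import uuid

# Verhoeff tables; the 12th Aadhaar digit is a Verhoeff check digit.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094"]
for _ in range(6):  # build rows 2..7: P[i][j] = P[i-1][P[1][j]]
    P.append("".join(P[-1][int(c)] for c in P[1]))
INV = "0432156789"

def fold(digits, offset=0):
    """Verhoeff accumulator; 0 means the check digit is valid."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

# Constructed sample (not a real person's number): payload + computed check digit.
SAMPLE = "99999999999" + INV[fold("99999999999", offset=1)]

# 12 digits, optionally grouped 4-4-4, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def mask(match):
    digits = re.sub(r"\D", "", match.group())
    # Only redact checksum-valid numbers so order ids etc. stay readable.
    return "XXXXXXXX" + digits[-4:] if fold(digits) == 0 else match.group()

def scrub(text):
    return CANDIDATE.sub(mask, text)

class AadhaarRedactor(logging.Filter):
    """Attach to a logger so raw numbers never reach any handler."""
    def filter(self, record):
        record.msg, record.args = scrub(record.getMessage()), ()
        return True

VAULT = {}  # stand-in only: a real vault is AES-256 encrypted with HSM-held keys

def tokenise(aadhaar):
    """Return the Reference Key for a number, minting a random one if new."""
    for rk, stored in VAULT.items():
        if stored == aadhaar:
            return rk
    rk = str(uuid.uuid4())  # random, so the RK reveals nothing about the number
    VAULT[rk] = aadhaar
    return rk
```

The filter is a backstop for application logs; the primary control remains that only the vault component ever handles the raw number and everything else works with the Reference Key.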

Penalties & Enforcement Timeline

PMLA Penalty — Continuing Violation

Up to ₹1 lakh per day for each day a KYC violation continues (e.g., failure to upload CKYC records, failure to file STR). Can accumulate to crores before detection.

RBI Monetary Penalty

RBI has imposed penalties of ₹1–5 crore on several major private banks and NBFCs for systematic KYC failures. Penalties are published on the RBI website — a significant reputational risk.

Account Restriction

Accounts with lapsed periodic KYC (past due date) must be made inoperable — no debits, no credits until re-KYC is completed. This directly affects customer experience and creates churn risk.

Business Activity Restrictions

RBI can prohibit an entity from onboarding new customers, launching new products, or opening new branches until KYC deficiencies are remediated. Applied to cooperative banks in 2024.

Licence Cancellation

Extreme cases — particularly repeated violations or AML failures — can result in cancellation of banking licence or NBFC registration. Applied in multiple cooperative bank cases.

Full RBI KYC Compliance Checklist for 2026

Use this checklist to audit your institution's compliance posture before the next RBI inspection or internal audit:

| # | Compliance Item | Regulation | Frequency | eKYCNow? |
| --- | --- | --- | --- | --- |
| 1 | Customer identity verification at onboarding (CDD) | Para 16–18 | Every new customer | |
| 2 | Video KYC V-CIP for high-value / remote customers | Para 19 | Every new remote customer | |
| 3 | PAN verification for transactions >₹50,000 | Para 16(f) | Per transaction threshold | |
| 4 | AML / PEP / UNSC sanctions screening | PMLA Rule 9 | Onboarding + ongoing | |
| 5 | CKYC upload to CERSAI | PMLA Rule 9(1B) | Within 3 working days | |
| 6 | Aadhaar tokenisation & Vault implementation | UIDAI Circular 2019 | Always (technical) | |
| 7 | Periodic KYC review: High Risk (every 2 years) | Para 38 | Every 2 years | |
| 8 | Periodic KYC review: Medium Risk (every 8 years) | Para 38 | Every 8 years | |
| 9 | Periodic KYC review: Low Risk (every 10 years) | Para 38 | Every 10 years | |
| 10 | STR filing with FIU-IND (within 7 days) | PMLA Rule 5 | On suspicion arising | Manual |
| 11 | CTR filing for cash ≥₹10 lakh | PMLA Rule 5 | Per qualifying transaction | Manual |
| 12 | Beneficial ownership identification (>25%) | Para 21 | All legal entity customers | Partial |
| 13 | KYC records retention: 5 years post-relationship | PMLA Section 12 | Ongoing (archival) | |
| 14 | Digital KYC updation channel (June 2025 mandate) | RBI Jun 2025 circular | By Dec 2025 | |

AUTOMATE YOUR RBI KYC COMPLIANCE
One API. Every Compliance Requirement.

eKYCNow covers every item in the checklist above — Video KYC V-CIP, Aadhaar eKYC, AML/PEP screening, CKYC upload, and periodic KYC flows — in a single RBI & UIDAI compliant API. From ₹10/verification.

Frequently Asked Questions

What is the RBI KYC Master Direction?

The RBI KYC Master Direction is the Reserve Bank of India's consolidated regulation for Know Your Customer norms across all RBI-regulated entities — banks, NBFCs, payment banks, and fintechs. Last significantly amended in August 2025, it mandates Customer Due Diligence (CDD),

Who must comply with RBI KYC norms?

All RBI-regulated entities must comply: scheduled commercial banks, cooperative banks, NBFCs, payment banks, small finance banks, prepaid payment instrument issuers, and account aggregators. SEBI (securities), IRDAI (insurance), and PFRDA (pensions) entities follow parallel frameworks aligned with the same Master Direction principles. Unregulated fintechs must comply through their regulated banking partner's KYC programme.

Is Video KYC mandatory under RBI rules?

Video KYC (V-CIP) is not mandatory for all customers, but it is the only digital method that achieves face-to-face equivalent status under RBI Para 19, removing the ₹1 lakh/year transaction cap and EDD classification that apply to OTP eKYC. For high-value accounts or remote customers, V-CIP is the only practical fully-compliant option. See the Video KYC India product.

What is the penalty for KYC non-compliance in India?

PMLA penalties can reach ₹1 lakh per day for continuing violations (e.g., failure to upload CKYC records, missed STR filings). RBI has additionally imposed monetary penalties of ₹1–5 crore on banks and NBFCs for systematic KYC failures — published on the RBI website, creating significant reputational risk. Severe or repeated violations can result in licence cancellation.

Is CKYC upload to CERSAI mandatory?

Yes. CKYC upload to CERSAI is mandatory for all regulated financial entities in India — banks, NBFCs, insurance companies, and securities intermediaries — within 3 working days of account opening. A customer's 14-digit CKYC number is then portable: they can onboard at any other regulated institution without repeating the full KYC process.

Can eKYCNow automate RBI KYC compliance?

Yes. eKYCNow by Message Central provides a single API covering every item in the RBI checklist: Aadhaar XML (offline eKYC), Video KYC V-CIP, PAN verification, DigiLocker document fetch, face liveness detection, AML/PEP screening, and CKYC support. Pricing starts from ₹10/verification, with 5 free checks and no credit card required.

What changed in the August 2025 RBI KYC amendment?

The August 2025 amendment made four key changes: (1) expanded the list of Officially Valid Documents (OVDs) to include new digital identity credentials; (2) clarified that Offline Aadhaar XML satisfies standard CDD; (3) strengthened deepfake-prevention requirements for V-CIP sessions; and (4) aligned India's AML/KYC framework with the FATF 2023 updated 40 Recommendations, bringing India in line with global standards.

What is the difference between eKYC and CKYC?

eKYC is the digital process of verifying a customer's identity at onboarding for a specific institution (Aadhaar-based, Video KYC, PAN-based etc.). CKYC is the portable, standardised KYC record stored in the CERSAI central registry, reusable across all regulated financial institutions nationwide. eKYC is how you collect the data; CKYC is how that data is shared and reused. See the complete eKYC India guide.