RBI Video KYC - Where Institutions Fail

Every year, India's financial institutions spend crores on digital transformation campaigns. Slick onboarding demos. AI-powered liveness checks. Promises of "zero-friction KYC in under 5 minutes." 

And every year, the Reserve Bank of India shows up with a penalty order. 

In FY 2024-25, the RBI imposed penalties totalling over ₹54.78 crore across 353 regulated entities - banks, NBFCs, cooperative banks, and payment aggregators. A significant chunk of those violations traced back to one thing: broken or non-compliant Video KYC (V-CIP) processes. 

The problem is not that institutions lack technology. The problem is that they do not understand - or choose not to follow - what RBI actually demands. 

This article breaks down exactly where the system breaks down, who is getting penalised, and what institutions must do right now to avoid becoming the next line in an RBI enforcement order.

What Is RBI Video KYC - And Why It Matters 

Video KYC, formally known as the Video-based Customer Identification Process (V-CIP), is a live, audio-visual interaction between a customer and an authorised officer of a regulated entity. It was introduced by RBI in 2020 as a way to enable remote customer onboarding without sacrificing the rigour of face-to-face verification. 

V-CIP is not a feature. It is a regulatory framework with teeth. 

Under RBI's Master Direction on KYC (most recently updated in 2025), V-CIP is treated on par with in-person identification. That means institutions cannot treat it as a checkbox. Every interaction must be live, recorded, geotagged, and reviewed through a maker-checker workflow. Any deviation is a compliance breach. 

The framework applies to: 

• Commercial banks and small finance banks 

• Non-Banking Financial Companies (NBFCs) 

• Payment aggregators (newly brought under scope via the KYC MD 2025) 

• Cooperative banks 

The stakes are real. Between 2023 and 2025, the RBI penalised 62 NBFCs for regulatory non-compliance, many specifically for KYC-related failures. Add commercial banks to that picture and the enforcement landscape gets significantly more expensive. 

The Six Failure Modes That Keep Showing Up in Inspections 

1. No Documented Exception Protocol 

RBI's framework requires every regulated entity to maintain a written exception protocol covering each type of V-CIP failure - failed liveness checks, geo-tag errors, document capture issues, and connection drops. 

The inspection finding that appears again and again: "rejection without reason." 

When a Video KYC session is rejected, the institution must route the customer through a documented alternative - re-attempt with corrected inputs, escalation to a senior officer, redirection to branch-based offline KYC, or a request for additional documents. Generic system rejections with no audit trail are a direct violation of the framework. 

Many institutions have built the rejection button. Very few have built the protocol that follows it.

2. Officer Training Is Treated as a Formality 

RBI requires that V-CIP sessions be conducted by trained, authorised officers. It also mandates that officers use randomised questions during the interaction to prevent script-reading fraud. 

In practice, institutions often assign Video KYC sessions to undertrained staff, skip randomised question protocols, and fail to maintain training records that can be reviewed during an inspection. 

The 2025 updates to the KYC Master Direction explicitly tightened the audit and documentation expectations around officer training. Compliance teams should now expect inspection focus specifically on training records and randomised-question variation logs. 

3. Geo-Tag Failures Are Ignored 

Every V-CIP session must be geotagged. The latitude and longitude of the customer's location at the time of the session must be captured, stored, and available for audit. 

High geo-tag failure rates are flagged in RBI inspections. Institutions that do not monitor their failure rates - or that allow sessions to proceed despite geo-tag errors - are creating a paper trail that works against them. 

This is a fixable problem. It requires a combination of front-end prompts, fallback protocols, and session-level monitoring. Most institutions either do not monitor this data at all or only review it when an inspection is announced.

4. Maker-Checker Reviews Are Rubber Stamps 

RBI requires a two-person review process for V-CIP decisions. The maker conducts the session. The checker independently reviews the recorded session, the captured documents, and the liveness match before the account is approved. 

In too many institutions, the checker review is a formality completed within seconds of the maker submission. There is no documented rationale for approvals. Rejection rationale is missing or generic. 

When inspectors pull the audit logs, they want to see the decision logic for every approval and every rejection. "Approved" with no supporting commentary is not compliant. It is a liability. 

5. Third-Party Vendor Risk Is Underestimated  

A recurring finding in RBI's 2024 penalty wave involved institutions that had effectively outsourced their KYC decision-making to third-party vendors without maintaining oversight. One case documented by Chambers and Partners involved a microfinance company that delegated KYC processes to agents with no fraud monitoring backup. 

The RBI is clear on this: outsourcing V-CIP execution to a vendor does not outsource the compliance obligation. The regulated entity remains fully accountable. Vendor agreements must include audit and inspection clauses. Vendor performance must be independently monitored. 

Institutions that cannot produce vendor audit records on demand are now, per the 2025 updates, a compliance risk in their own right.

6. Periodic KYC Updation Is Neglected 

Video KYC is not a one-time event. For high-risk customers, KYC records must be updated periodically - and V-CIP is one of the permitted methods for that updation. 

The penalty history reveals a consistent failure here. A southern-based NBFC was penalised for failing to perform periodic KYC updates for high-risk customers. Multiple institutions have been fined for not maintaining current risk categorisation. 

The 2025 KYC Master Direction requires that periodic updation use a documented method - V-CIP, BC-facilitated verification, or self-declaration where permitted. Ad-hoc or undocumented checks are not acceptable.

The Penalty Record Is Getting More Expensive  

Before the November 6, 2024 amendment, UCIC management was a compliance good practice. After it, it is a specific regulatory obligation with an explicit paragraph reference in the Master Direction. 

Paragraph 10(f) now reads: Regulated entities shall apply the CDD procedure at the UCIC level. If an existing KYC-compliant customer desires to open another account or avail any other product or service from the same RE, there shall be no need for a fresh CDD exercise as far as identification of the customer is concerned (as reported by Business Standard, November 6, 2024 

The intent is clear. The RBI wants one unified identity record per customer, not a fresh verification every time they interact with your institution. But that intent creates an obligation: you must have a system that can find an existing UCIC before creating a new one. If your system cannot do that reliably, you will keep generating duplicates. 

And when the RBI inspection finds those duplicates, the November 2024 amendment is now the paragraph they will cite. 

The CKYC Registry Connection 

The numbers deserve attention.

In FY 2024-25, RBI imposed ₹54.78 crore in penalties across 353 regulated entities. ICICI Bank, Deutsche Bank India, and Yes Bank were among the high-profile cases. Cooperative banks alone accounted for ₹15.63 crore of that total. 

Individual institution fines have been escalating: 

• Kotak Mahindra Bank: ₹61.40 lakh for KYC lapses 

• IDFC First Bank: ₹38.60 lakh for due diligence shortfalls at account opening 

• RBL Bank: ₹61.40 lakh in November 2024 for failing to adhere to KYC procedures 

• ICICI Bank: ₹75 lakh in August 2025 for operational compliance breaches 

• Four public sector banks (PNB, Allahabad Bank, UCO Bank, Corporation Bank): ₹1.75 crore combined for KYC/AML non-compliance 

For NBFCs, the ceiling has been lower but the frequency is rising. Between 2023 and 2025, 62 NBFCs faced enforcement action - with violations including failure to assign unique customer identification codes, failure to implement suspicious transaction monitoring software, and non-updation of customer KYC profiles. 

The RBI has been explicit: these penalties are imposed to enforce institutional discipline and risk containment - not to wait for fraud or customer loss to occur first. 

What the KYC MD 2025 Changes for V-CIP  

The KYC Master Direction updated in 2025 does not require institutions to redesign their Video KYC systems. It tightens what must be documented, auditable, and defensible. 

Key implications for V-CIP operations: 

Payment aggregators are now in scope. Entities that were previously outside the V-CIP framework must now implement V-CIP-equivalent controls for direct customer onboarding where applicable. This is a meaningful expansion that catches many fintech companies off-guard. 

Audit trails must be regulator-ready. Documentation of decision logic for every approval and rejection must be maintained and available for inspection on demand. 

Periodic updation methods must be documented. Ad-hoc verification is not acceptable. Institutions must designate and document the method used - V-CIP, BC-facilitated, or self-declaration - for each updation event. 

Protections for differently-abled individuals are mandatory. The 2025 updates introduced specific requirements for accessible V-CIP processes, acknowledging that standard liveness and document capture flows may not work for all customers. 

The Compliance Gaps Most Institutions Do Not Know They Have  

RBI inspections are not random. They follow patterns and focus areas that have been consistent across the 2024 and 2025 enforcement cycles. 

Compliance teams should conduct an immediate internal audit across five areas: 

Session recording completeness. Every V-CIP session must be fully recorded and archived. Partial recordings, sessions where the video cut out and was not flagged, or archived files that cannot be retrieved are all inspection failures. 

Geo-tag failure rate monitoring. Pull the last 90 days of geo-tag failure data. If you do not have this data, that is itself the problem. If the failure rate is above 5%, it will be flagged. 

Maker-checker rejection rationale. Review a random sample of checker decisions from the last quarter. Each rejection must have documented rationale. Each approval on a borderline session should have a note. 

Vendor audit documentation. If you use a third-party V-CIP vendor, confirm that your agreement includes audit and inspection clauses. Confirm that you have conducted and documented at least one vendor audit in the last 12 months. 

Officer training records. Confirm that every officer conducting V-CIP sessions has completed documented training. Confirm that randomised question protocols are in use and that variation logs exist.

The Larger Problem: Compliance Is Still Treated as a Cost Centre 

The pattern across hundreds of RBI enforcement actions over the last three years is consistent. Institutions know the rules. They have read the Master Direction. They have built systems that technically satisfy the framework during good conditions. 

What they have not done is build compliance into the daily operations of every person who touches the Video KYC workflow. 

Training is completed once at onboarding and never refreshed. Geo-tag failures are logged as system errors and never escalated. Maker-checker reviews are performed in batches at end-of-day with no real scrutiny. Vendor contracts are signed and filed. 

The RBI's inspection findings do not describe technology failures. They describe institutional failures - the gap between what a compliance policy says and what actually happens at 3 PM on a Tuesday when the queue is long and the checker is trying to clear 40 sessions before close. 

Closing that gap is not a technology project. It is an operations project, a training project, and a culture project. The institutions that are not appearing in enforcement orders have built systems that are defensible at 3 PM on a Tuesday, not just on the day of an inspection. 

Key Takeaways for Risk and Compliance Officers 

• RBI's V-CIP framework requires documented exception protocols, not just rejection buttons. If your system rejects a session, there must be a paper trail showing what happened next. 

• Officer training records and randomised-question variation logs are inspection targets under the 2025 KYC MD. If you cannot produce them, treat this as an urgent gap. 

• Geo-tag failure rates above acceptable thresholds are a recurring finding. Monitor this metric continuously, not retrospectively. 

• Maker-checker reviews must include documented decision logic. Timestamped approvals with no rationale are a liability. 

• Outsourcing V-CIP to a vendor does not outsource the compliance obligation. Your vendor's gaps are your gaps. 

• Payment aggregators and fintechs brought under V-CIP scope by the 2025 updates should treat this as a new compliance build, not a minor extension of existing KYC processes. 

Frequently Asked Questions 

Q: What is V-CIP?

A: RBI's live video verification process, legally equal to in-person KYC.

Q: Can NBFCs outsource Video KYC? 

A: Yes, but compliance responsibility stays with the NBFC, not the vendor.

Q: Why do institutions get penalised for Video KYC? 

A: Missing audit trails, undertrained officers, geo-tag gaps, and weak maker-checker reviews.

Q: Does the 2025 KYC MD require a full V-CIP rebuild?

A: No, it only tightens documentation and audit requirements around existing systems.

Q: How much has RBI fined for KYC violations?

A: ₹54.78 crore across 353 entities in FY 2024-25 alone. 

This article is for informational purposes and does not constitute legal or compliance advice. Regulated entities should consult their compliance counsel and refer directly to RBI's Master Direction on KYC for authoritative guidance.