What is KYC?
KYC — Know Your Customer — is the regulator-mandated process of verifying who's at the other end of a financial account before they can move money through it. Every regulated entity in India runs KYC: banks, NBFCs, fintechs, brokerages, payment apps, even some PPI wallets.
India's version is distinct. The Aadhaar-led eKYC rails turn what's a paper-and-PDF exercise elsewhere into a 30-second API call. UIDAI's authentication stack, the Central KYC Records Registry (CKYC), DigiLocker's consent-mediated document fetch, and the regulated set of Officially Valid Documents (OVDs) give you four overlapping ways to prove the same identity. Pick wrong and you're either over-collecting (and losing customers at the OTP screen) or under-verifying (and getting flagged by the auditor).
For a fintech shipping in 2026, KYC isn't one decision — it's a stack of them: which document, which auth method, which refresh cycle, which failure path when the customer's mobile is offline. The rest of this guide walks the stack in the order you'll meet it in production.
India regulatory map
Five regulators set the rules. Knowing which one binds your product matters more than the rules themselves — the same act of "verifying a customer" is governed by different bodies depending on whether you take deposits, give loans, route payments, or sell securities.
The Reserve Bank of India is the primary regulator for banks, NBFCs, payment system operators, and most fintechs. The RBI Master Direction on KYC, 2016 (last amended 2024) is the load-bearing document — risk categorisation, periodic update cycles, V-CIP procedure, and penalties all live there. The Aadhaar Act, 2016 and UIDAI's amended regulations govern how Aadhaar-based eKYC may be used; private entities need a specific authorisation route via Section 11A. The Ministry of Finance and the Department of Revenue notify the Prevention of Money Laundering Act (PMLA) rules, which expand from "verify" to "monitor for suspicious activity" and feed FIU-IND.
Two further bodies shape the surface area. The Financial Action Task Force (FATF) sets the international AML/CFT recommendations India translates into PMLA rules; FATF's 2024 Mutual Evaluation of India set new expectations on beneficial-ownership transparency that will land as domestic rules through 2026–27. The Ministry of Electronics & IT (MeitY) issued the 2023 Aadhaar masking notification — the 12-digit number must be redacted at the storage layer for most use cases.
The practical takeaway: build to the strictest regulator that touches your product. A neo-bank serving deposits and loans answers to RBI, UIDAI, and FIU simultaneously. A pure payments app can scope to RBI Master Direction + PMLA. Get the regulator map wrong on day one and the audit catches it on day 365.
The 6 KYC types in India
There isn't one KYC. There are six commonly-used variants — each with a different cost, latency profile, and legal status. Pick by use case, not by familiarity.
1. Aadhaar eKYC via OTP
Customer enters their Aadhaar number, UIDAI sends an OTP to the registered mobile, customer keys it back. The Aadhaar OTP API returns demographic data and a digital signature. Cost: about ₹2–5 per transaction. Latency: 8–15 seconds end to end. Legal status: full eKYC, accepted for most retail banking and lending. Ships only via UIDAI-authorised channels (KUA/Sub-KUA) or licensed AUAs.
2. Aadhaar eKYC via biometric (fingerprint or iris)
Same flow, biometric authentication instead of OTP. Used in branch and assisted channels (BC agents, regulated points-of-presence). Latency the same; failure rates higher in field conditions because of dirty sensors and thumb wear. Costs slightly more because of the certified biometric device. Best for offline-first segments and low-trust mobile journeys.
3. Video-based Customer Identification Process (V-CIP)
A live agent (or AI agent + human supervisor) on a recorded video call verifies a customer holding their PAN and reading a one-time code. RBI Master Direction introduced V-CIP as a paperless alternative to in-person KYC for full account opening. Costs more (≈₹40–120 per completed call) and takes 3–5 minutes; non-negotiable for high-value onboarding where Aadhaar is unavailable or refused.
4. CKYC (Central KYC Records Registry)
CERSAI's centralised store. Once a customer has a 14-digit CKYC number, any regulated entity can fetch their record and skip re-collecting OVDs. Cost: under ₹1 per fetch. Latency: 2–6 seconds. Best as a first lookup — if the customer's already KYC'd at another institution, you can onboard without repeating the work.
5. PAN-only verification
Verifies the PAN against NSDL/Protean records with name match. Not full KYC by itself — PAN-only suffices for tax reporting, KYC tier-0 limits, and as a name-match cross-check on top of Aadhaar. Cost: ₹0.30–1 per call. Latency: under 2 seconds.
6. Offline Aadhaar XML / DigiLocker
Customer downloads a signed XML from UIDAI (or pulls Aadhaar/PAN/DL via DigiLocker) and shares it with you. Crypto-verifiable, works without Aadhaar API access, and gives you a tamper-evident document trail. Latency depends on the customer's upload speed; cost is your DigiLocker partner fee. Increasingly the default for fintechs that can't get a KUA license.
KYC vs AML — not the same thing
Engineers conflate KYC and AML; auditors don't. KYC is the identity check at onboarding and at refresh cycles. AML is the ongoing surveillance of how that identified customer behaves. You can pass KYC and fail AML the same week.
| Dimension | KYC | AML |
|---|---|---|
| Question it answers | Who is this customer? | What is this customer doing? |
| Primary mandate | RBI Master Direction on KYC, 2016 | PMLA, 2002 + FIU-IND notifications |
| Cadence | Onboarding + 2/8/10-year refresh | Continuous — transaction by transaction |
| Signals used | Aadhaar, PAN, OVDs, face match, liveness | Sanctions/PEP lists, MNRL, device, network, velocity |
| Owner team | Onboarding / compliance ops | FRM / FIU reporting / risk ops |
| Failure cost | Customer drops off, audit observation | Regulatory penalty, license risk |
Build them as one stack, not one team — identity signals collected at KYC feed AML scoring later. The same Aadhaar, the same device, the same mobile that cleared onboarding becomes the baseline you compare every transaction against.
Decision framework — pick the right method, not all of them
Most fintech onboarding flows over-engineer KYC. They run Aadhaar OTP, then PAN lookup, then face match, then liveness, then bank verification — on every customer, regardless of risk. That's the wrong default.
Use a tiered approach. The risk tier of the product (and the customer) determines what verification is mandatory; everything else is optional.
Tier-0 (low value, low risk): PAN-only or Aadhaar OTP. Examples: PPI wallets up to small monthly limits, watchlist accounts, sandbox demos. One check, sub-second decision.
Tier-1 (deposit and lending under ₹5L): Aadhaar eKYC OTP + PAN cross-check + face match + liveness. The standard fintech onboarding pattern. See the API catalog below for the four endpoints that fuse into a single decision.
Tier-2 (deposit and lending above ₹5L, high-value FX, securities): Tier-1 plus V-CIP plus address proof plus PEP/sanctions screening. The video step is the load-bearing one for audit defensibility.
Tier-3 (corporate / KYB, beneficial ownership): Out of scope for this guide — see the business-verification topic.
The framework that holds: every tier you skip costs you defensibility; every check you add to a lower tier costs you completion rate. The point of decisioning infrastructure is to let the same stack serve all four tiers without four integrations.
Re-KYC cadence — the 2/8/10 rule
RBI's risk-categorisation rule sets three refresh windows. High-risk customers refresh every 2 years. Medium-risk every 8 years. Low-risk every 10. The clock starts at the last successful KYC, not at account opening.
The operational pain isn't the cadence — it's the customer experience. A customer who hasn't logged in for 18 months gets a "verify yourself again" prompt and bounces 30–50% of the time. Two patterns help.
Re-KYC inside the existing flow: trigger refresh on the next meaningful interaction (a high-value transaction, a credit limit increase, a product upgrade) rather than as a standalone email blast. Customers who are already engaged complete refresh at 4–6× the rate of customers pulled out of dormancy.
Risk-tier downgrade before refresh: if a low-risk customer's profile hasn't moved in 9 years, the data you collect at re-KYC won't move it either. Quietly tier them down to the lightest possible refresh path (PAN + Aadhaar OTP) and reserve the full dossier for customers whose risk has actually changed.
Whatever you do, refresh has to ship as infrastructure — not a project. A 500–5,000-customer batch a week, automated.
Implementation pitfalls — the 5 things that bite
Every team hits the same five.
1. Storing the unmasked Aadhaar. MeitY's 2023 notification requires the 12-digit Aadhaar to be redacted before storage for most use cases. Teams that pull Aadhaar via OCR or DigiLocker and skip the masking step fail the next compliance audit. Mask at upload, never store the full value.
2. Treating PAN match as KYC. A PAN that returns "valid" from NSDL means the PAN exists; it doesn't mean the customer holding it is the customer you onboarded. Always cross-match the name returned by NSDL against the name on Aadhaar or the OVD. Single-source PAN verification is the leading cause of synthetic identity fraud in Indian onboarding.
3. Letting the customer pick the document. "Upload any OVD" produces a Driving Licence from one customer, a passport from the next, a Voter ID from a third — and three different OCR pipelines downstream. Constrain to two or three accepted OVDs and route them all through one extraction layer.
4. Running V-CIP at peak hours without queueing. The video operation is human-loop bound. A 9pm spike crashes throughput, and the customers you wanted most (the high-value ones) wait the longest. Queue with deferred callbacks; show an honest wait time.
5. Forgetting MNRL on re-KYC. The Mobile Number Revocation List catches numbers that have been ported, surrendered, or reissued. A re-KYC that only re-validates the document (not the mobile attached to the account) misses the most common takeover vector. Run MNRL at every refresh.
How Deepvue ships KYC
Every API in the catalog below sits on the same auth, the same SLA, the same monitoring. One contract for Aadhaar OTP, PAN, DigiLocker, face match, liveness, V-CIP, CKYC, MNRL, masking, and bank verification — routed through a single decisioning layer. Risk tiering, audit logs, and refresh triggers come built in.
Sub-200ms latency on the verify-only path. RBI Master Direction-aligned out of the box. Live across 60+ businesses processing 15M+ identity decisions.
