← Industry Insights
KYC India

KYC in India: Rules, Types & Compliance Guide for Businesses

Updated Jun 2026 · 10 min read
SHAREinXf
What is Know Your Customer in India? [KYC India]

KYC in India is the regulatory process that financial firms use to verify who their customers are before opening an account or offering a service. It sits at the core of the Prevention of Money Laundering Act, 2002, and the operating rules come from the Reserve Bank of India. Get it right and onboarding stays clean. Get it wrong and the account can end up frozen.

This guide is written for compliance and onboarding teams. It is not for individuals checking their own status. What follows is the rulebook in plain terms: the customer due diligence tiers, the re-KYC timelines, the Central KYC Registry, and the verification methods. Those are the pieces that keep banks, NBFCs, fintechs and payment players on the right side of the regulator.

What is KYC in India?

KYC in India is a mandatory due diligence process for verifying a customer's identity and address in regulated financial services. The framework is anchored in the Prevention of Money Laundering Act, 2002 and the PML (Maintenance of Records) Rules, 2005, with operating rules set by the Reserve Bank of India and the Securities and Exchange Board of India. In practice, it means collecting and validating documents such as Aadhaar, PAN, passport and voter ID, then risk-rating the customer.

The point is simple. Banks, NBFCs and other reporting entities have to know who they are dealing with, where the money comes from, and whether the relationship carries a higher risk of money laundering or terrorist financing. India layers modern tools like Aadhaar eKYC and video verification on top of that legal base, which lets firms onboard at scale without losing the audit trail that regulators expect.

Is KYC mandatory in India?

Yes. KYC is mandatory for every reporting entity under the PMLA, and the RBI enforces it through its Master Direction on KYC. The duty falls on banks, NBFCs, cooperative banks, payment banks, and now payment aggregators, all of which must identify the customer, verify the details, and keep records.

Skipping it carries real consequences. The RBI can freeze accounts where KYC is not completed within the stated window, and continuing violations under the PMLA, such as failing to upload records to the central registry, can attract penalties of up to one lakh rupees per day. A back-office gap becomes a board-level problem fast.

Know Your Customer vs Know Your Client

People use "Know Your Customer" and "Know Your Client" almost interchangeably. Both shorten to KYC, and the legal obligation behind them is the same. The emphasis shifts by sector, and that shift is worth understanding when you build an onboarding flow.

Banks and retail-facing institutions tend to say "Know Your Customer," where the focus is identity, address and transaction monitoring. Securities firms, brokers and wealth platforms lean toward "Know Your Client," because regulation there also asks them to assess suitability, the investor's risk appetite, and whether a given product actually fits. A brokerage running KYC compliance is verifying identity and judging fit at the same time. Same root process, different downstream questions.

Importance of KYC for regulated businesses in India

For institutions operating in India's financial sector, KYC is the control that lets them assess who their clients are and gauge the chance of criminal activity such as fraud or money laundering. Given the size of the population and the speed of digital adoption, it protects credit risk for the business and the wider system. It also feeds three things every compliance function cares about.

First, it manages risk. Customers get sorted into low, medium and high-risk bands. The high-risk relationships then get checked more often and watched more closely. Second, it protects revenue. A clean onboarding pipeline keeps genuine customers moving while filtering out bad actors. Third, it underpins trust. A firm that handles personal data carefully, and can prove it, keeps customers and regulators on side.

Types of KYC in India

Financial institutions in India run several KYC methods, matched to the channel and the risk level. Some are legacy in-branch processes; others are fully digital. Here are the main ones a compliance team will work with.

Physical KYC / in-person KYC

Traditional KYC has the customer visit a branch to complete the process. They submit Aadhaar, PAN, passport copies and photographs, and staff verify the paperwork in person. It is thorough. It is also slow and inconvenient, particularly for customers far from a branch, which is why most firms now reserve it for edge cases.

Aadhaar eKYC

Paperless Aadhaar-based eKYC verifies identity against the UIDAI database with the customer's consent. Because demographic and, where permitted, biometric data are available instantly, onboarding drops from days to minutes. The speed and simplicity made it the default for opening accounts and activating wallets, though firms must handle Aadhaar data within the limits set by law.

Digital KYC

With Digital KYC, the customer uploads identity and address documents to an app or portal. OCR then reads and checks them. It is faster than a branch visit and cheaper to run, which is why digital-first banks and lenders lean on it. The paperwork shrinks and operational cost drops, and the verification standard holds.

Video KYC (V-CIP)

Video-based Customer Identification Process, or V-CIP, blends a live video call with regulated controls. A trained officer verifies identity and address over an encrypted session using liveness checks, face match, geo-tagging and a maker-checker review by a second officer. The RBI's November 2025 Master Direction tightened the audit-trail expectations here and brought payment aggregators into scope. Done right, video KYC counts as equivalent to in-person verification, and all session data must be stored on systems located in India.

Central KYC (CKYC)

Central KYC, run by CERSAI, lets a customer complete KYC once and reuse it across the financial system. The verified record sits in the Central KYC Records Registry, so a second institution can pull it instead of starting from scratch. The 2025 framework made CKYCR use mandatory for onboarding in several segments, which makes Central KYC less of an option and more of a baseline.

Re-KYC (periodic updation)

Re-KYC keeps customer records current over the life of the relationship. The RBI sets the cadence by risk band, and we cover the exact intervals below. It can run online, in person, or over video, and for low-risk customers a simple self-declaration of no change is often enough.

Customer due diligence tiers in India

Indian KYC is risk-based, and the RBI framework recognises three levels of customer due diligence. Matching the depth of checking to the risk is the whole idea.

Simplified Due Diligence (SDD) applies to low-risk customers and lighter products, where a reduced set of checks is acceptable. Standard Customer Due Diligence (CDD) is the default for the bulk of customers. Enhanced Due Diligence (EDD) kicks in for high-risk relationships, such as politically exposed persons or complex ownership structures, and brings deeper verification, source-of-funds checks and closer ongoing monitoring. A practical customer risk rating model is what tells you which tier a given customer belongs in.

Book a demo to see how risk scoring and the right CDD tier can be applied automatically at onboarding.

Re-KYC requirements and periodicity by risk band

Re-KYC is not optional, and the timeline depends on how the customer is classified. The RBI sets a minimum frequency for periodic updation.

High-risk customers

Periodic updation at least once every two years. These relationships get the tightest cadence and the closest monitoring between cycles.

Medium-risk customers

Periodic updation at least once every eight years, with ongoing transaction monitoring in between.

Low-risk customers

Periodic updation at least once every ten years. In June 2025 the RBI eased the process for this band: where no information has changed, a self-declaration can suffice, business correspondents can help collect updates, and entities must send at least three advance intimations before the due date. The regulator also extended the deadline for pending low-risk updations to 30 June 2026, or within one year of the update falling due, whichever is later.

Documents required for KYC in India

The documents needed for KYC depend on who the customer is. The RBI works off a defined list of Officially Valid Documents.

For individuals: an identity and address proof from the OVD set, which includes the passport, driving licence, proof of possession of an Aadhaar number, voter ID, and NREGA job card, plus PAN for financial transactions.

For businesses: the registration certificate and PAN of the entity, GST and CIN where applicable, and documents identifying the partners or directors, such as a partnership deed or board resolution. Beneficial ownership has to be established too.

For Non-Resident Indians (NRIs): passport, residence visa, and proof of the overseas address.

Know your supplier: due diligence beyond the customer

KYC does not stop at the customer. Indian businesses increasingly run "know your supplier" checks, a third-party due diligence process that vets vendors and partners before onboarding them. The goal is the same: confirm the entity is real, compliant and not a back door for risk.

A basic supplier check verifies the legal entity, its PAN, GST registration and Corporate Identification Number, then screens for sanctions and adverse media. It matters because exposure flows through the supply chain, and laws such as the Companies Act, 2013 and global rules like the FCPA can reach an Indian firm through its third parties. Supplier due diligence is not a one-time gate. Repeat it the way you repeat customer KYC. The same identity and screening checks extend to the corporate entities you transact with, not just retail customers.

Regulatory authorities and guidelines for KYC in India

The framework pulls together several regulators and statutes, each covering a slice of the financial system.

Reserve Bank of India (RBI)

The Reserve Bank of India owns KYC rules for banking and the wider financial sector. Its Master Direction on KYC, first issued in 2016 and consolidated again in November 2025 into sector-specific directions across ten institution types, is the operating manual. It mandates the customer identification procedure, risk categorisation, and periodic updation for every bank, NBFC and payment service provider it regulates.

Securities and Exchange Board of India (SEBI)

SEBI sets KYC for stock exchanges, mutual funds and broking firms, and has standardised investor KYC to keep checks consistent across the market. Its rules tie into the anti-money laundering standards under the PMLA, with a focus on identifying clients, verifying beneficial ownership, and curbing market abuse.

Insurance Regulatory and Development Authority of India (IRDAI)

The IRDAI governs KYC for insurers, who must confirm policyholders and guard against fraud at the point of sale and at claim. KYC here checks identity, address and, where relevant, source of wealth to meet AML obligations, and the regulator encourages Aadhaar-based eKYC to speed up onboarding.

Prevention of Money Laundering Act (PMLA)

The PMLA is the legal backbone of India's KYC and AML architecture. It requires reporting entities to run effective KYC, report suspicious transactions, and retain customer records for at least five years. The Act is amended periodically to keep pace with new risks and align India with international standards.

Importance of KYC across sectors

KYC obligations look different depending on the industry, even though the underlying rules are shared.

Banks and financial institutions

For banks, KYC is foundational. It guards against fraud, money laundering and misuse of accounts during onboarding, and proper records support credit assessment and statutory compliance under the PMLA. It also builds the institutional trust that a deposit relationship depends on.

Investment platforms

Mutual funds, brokers and investment platforms use KYC to authenticate investors and meet SEBI norms. It keeps money flows traceable, confirms investment legitimacy, and helps match products to an investor's risk profile and goals.

Insurance

Insurers rely on KYC to confirm policyholders and meet AML rules. Verifying identity and address helps weed out fraudulent policies and claims, and supports product fit based on the customer's profile. The IRDAI mandates it to lift transparency and protect the integrity of the business.

Telecom

Telecom operators verify subscribers before issuing a SIM, which closes off identity theft and communication fraud and meets national-security obligations. Confirmed customer details also let operators deliver and bill services more reliably.

Challenges in implementing KYC in India

KYC is necessary, but rolling it out at India's scale is not friction-free. A few obstacles come up repeatedly.

Digital access is uneven. Patchy connectivity in rural areas limits how far eKYC can reach. Data security is a constant concern too. Firms are holding sensitive identity records that have to be protected. Cost is the third pressure: legacy, paper-heavy KYC is slow and expensive, and manual review does not scale with onboarding volume.

How KYC Hub supports KYC compliance in India

KYC Hub offers a Digital KYC solution built for India that turns these rules into a working onboarding flow. The platform leads with identity verifications, financial verifications, corporate verifications and employee verifications, plus a defined set of identification documents it can validate. It pairs Aadhaar OKYC, PAN authentication, video KYC and biometric checks so a regulated entity can verify individuals and the businesses behind them in one place.

The aim is accurate, fast onboarding that holds up to RBI scrutiny. Automated verification replaces manual document review. Risk scoring routes customers to the right due diligence tier, and the audit trail stays intact for periodic updation and reporting. Built-in screening flags sanctions and adverse media, so high-risk cases surface early instead of slipping through. And it works alongside existing systems rather than demanding a rebuild.

If KYC in India is a compliance and onboarding cost you want to cut without weakening controls, the fastest way to judge fit is to see it run. Book an India KYC demo and we will walk through the verification flow with your use case.

Conclusion

KYC is the foundation of financial security in India, and the framework keeps tightening as the RBI consolidates its rules and pushes more of the process digital. For regulated entities, the work comes down to three habits. Stay current with the Master Direction. Classify customers correctly, and keep records clean across the relationship lifecycle. Get that right and onboarding stops being a bottleneck. It becomes a competitive edge.

[ FREQUENTLY ASKED QUESTIONS ]

Any questions? We got you.

Is KYC mandatory for businesses in India?

Yes. KYC is mandatory for all reporting entities under the Prevention of Money Laundering Act, 2002, including banks, NBFCs, payment banks and payment aggregators. The RBI enforces it through its Master Direction on KYC, and non-compliance can lead to frozen accounts and PMLA penalties.

What is the RBI Master Direction on KYC?

The RBI Master Direction on KYC is the operating rulebook for customer due diligence in India's financial sector. First issued in 2016, it was consolidated again in November 2025 into sector-specific directions covering ten institution types. It sets out customer identification, risk categorisation and periodic updation requirements for regulated entities.

How often is re-KYC required in India?

The RBI sets a minimum re-KYC frequency by risk band: at least once every two years for high-risk customers, eight years for medium-risk, and ten years for low-risk. For low-risk customers, the deadline for pending updations was extended to 30 June 2026, and a self-declaration can suffice where nothing has changed.

What are the customer due diligence tiers in India?

India's KYC framework recognises three tiers. Simplified Due Diligence applies to low-risk customers, Standard Customer Due Diligence is the default for most customers, and Enhanced Due Diligence applies to high-risk relationships such as politically exposed persons. The depth of verification scales with the assessed risk.

What is the difference between KYC and CKYC?

KYC is the verification process a financial institution runs on its customer. CKYC, or Central KYC, is the registry maintained by CERSAI that stores a customer's verified KYC record so it can be reused across institutions. Using the Central KYC Records Registry is now mandatory for onboarding in several segments.

Is Video KYC legally valid in India?

Yes. Video-based Customer Identification Process (V-CIP) is RBI-approved and, when the required controls are followed, counts as equivalent to in-person verification. Those controls include a live trained officer, liveness and face-match checks, geo-tagging, a maker-checker review, and storage of all session data within India.

What documents are required for KYC in India?

For individuals, the RBI accepts Officially Valid Documents such as the passport, driving licence, proof of possession of Aadhaar, voter ID and NREGA job card, plus PAN for financial transactions. Businesses additionally provide entity registration, PAN, GST and CIN where applicable, and documents establishing beneficial ownership.

What is a know your supplier check?

Know your supplier is a third-party due diligence process that vets vendors and business partners before onboarding them. It verifies the legal entity, its PAN, GST and Corporate Identification Number, and screens for sanctions and adverse media. Like customer KYC, it should be repeated periodically rather than treated as a one-time check.

[ KYC HUB ]

Automate your compliance operations

Replace manual checks and spreadsheets with automated screening, workflows and audit-ready records.

Explore the compliance automationBook a demo
[ RELATED READING ]
VCIP Remote Verification vs Aadhaar OTP vs Offline eKYC: Which Method Is Right for Your Business?
[ Video KYC ]

VCIP Remote Verification: How It Works, RBI Rules, and How to Choose a Method

A practical guide to VCIP remote verification for banks, NBFCs, and fintechs: what it is, the RBI requirements in 2026, how it stacks up against Aadhaar OTP and offline eKYC, and how to match a method to your customer base.

Mar 2026 · 9 min read
KYC vs eKYC: Which Method Should Your Institution Use in 2026?
[ KYC ]

KYC vs eKYC: Which Method Should Your Institution Use in 2026?

KYC vs eKYC isn't just a compliance choice, it's a cost and risk decision. Learn which method fits your product under RBI's 2025 guidelines.

Mar 2026 · 7 min read
Video KYC in India: The 2026 Complete Guide for Banks, NBFCs and Fintechs
[ Video KYC ]

Video KYC in India: The 2026 Complete Guide for Banks, NBFCs and Fintechs

Learn how Video KYC in India works, RBI guidelines, the onboarding process for banks and NBFCs, & how to implement compliant digital KYC.

Mar 2026 · 8 min read