For any NBFC operating in India, KYC and AML are no longer limited to onboarding paperwork. Regulators now see them as a core risk control system that decides whether an NBFC is fit to operate in a digital lending environment.
As lending becomes faster and more remote, regulators have tightened rules around digital identity checks, transaction monitoring, and audit records. NBFCs that treat KYC and AML as a back-office task often find gaps only during inspections, penalties, or when business growth is restricted.
This blog explains what the Reserve Bank of India actually expects, how digital KYC and AML are structured under law, and how NBFCs should build systems that work in real operations, not just on paper.
Who Should Use This Guide
This guide is designed for NBFC founders, board members, compliance heads, risk managers, internal auditors, and operations teams responsible for customer onboarding, lending decisions, and regulatory reporting. It is especially relevant for NBFCs using digital or hybrid onboarding models, working with fintech partners, or scaling unsecured and high-volume lending.
It is also useful for NBFCs preparing for RBI inspections, statutory audits, investor due diligence, or expansion into new products or geographies. Anyone involved in designing, reviewing, or supervising KYC, Video KYC, and AML systems will find this guide helpful in understanding what regulators expect in real-world operations, not just in written policies.
Regulatory Foundation: Why RBI Treats KYC/AML as Critical
KYC and AML compliance for NBFCs is governed by the RBI and backed by the Prevention of Money Laundering Act (PMLA), 2002.
RBI’s position is clear: financial inclusion cannot come at the cost of financial integrity.
This is why RBI issues binding instructions through its Master Direction on Know Your Customer (KYC). These directions apply equally to:
- Banks
- NBFCs
- Payment system participants
- Digital lenders operating through NBFC structures
The current RBI KYC Master Direction is available here: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566
These are not guidelines. They are enforceable rules and are updated regularly.
Legal Backing: PMLA and Reporting Entity Duties
Under the Prevention of Money-Laundering Act, 2002, NBFCs are classified as Reporting Entities. This creates legal obligations beyond RBI circulars.
NBFCs must:
- Verify customer identity before onboarding
- Maintain KYC and transaction records
- Report suspicious transactions to FIU-IND
- Identify beneficial owners and controlling persons
- Preserve records for at least five years after account closure
These requirements are detailed in the PMLA (Maintenance of Records) Rules, 2005.
Official FIU-IND framework: https://fiuindia.gov.in/legislation.html
Non-compliance can lead to regulatory as well as legal consequences.
Digital KYC: RBI’s Move Away from Physical Processes
RBI formally introduced digital KYC to address two issues:
- Physical, paper-based onboarding does not scale for mass financial inclusion and high-volume digital products
- Digital lending without strong identity checks increases risk
Digital KYC enables NBFCs to verify customers without physical presence, subject to controls ensuring:
- Authenticity
- Liveness
- Traceability
- Audit readiness
Under RBI norms, digital KYC includes:
- Electronic identity verification
- Live photograph capture
- Authentication of Officially Valid Documents (OVDs)
- Secure storage with timestamps and geo-tags
RBI clarification on digital KYC: https://www.rbi.org.in/commonman/English/Scripts/FAQs.aspx?Id=3782
Digital KYC changes the medium, not the standard.
Video KYC (V-CIP): The Most Scrutinised Area
Video KYC, formally called Video-based Customer Identification Process (V-CIP), receives close attention during RBI inspections.
RBI allows full KYC through video, but only if strict conditions are met.
A compliant Video KYC process must include:
- Live, one-to-one video interaction
- Real-time capture of the customer’s image
- Verification of original identity documents
- Liveness checks to prevent impersonation
- Geo-tagging of the session
- Secure recording and storage
- Trained and authorised NBFC staff
RBI guidance on Video KYC: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12071
Common failures include:
- Outsourced agents without control
- Pre-recorded or low-quality videos
- Missing geo-location or audit logs
These issues are frequently flagged during inspections.
CKYCR: Convenience Without Loss of Responsibility
The Central KYC Records Registry (CKYCR) was introduced to avoid repeated KYC across financial institutions.
Once a customer completes KYC, a CKYC number is generated and records are stored centrally.
For NBFCs, this helps with:
- Faster onboarding
- Less document collection
- Lower friction
However, RBI is clear that CKYC does not transfer responsibility.
NBFCs must still:
- Verify CKYC data
- Assess customer risk
- Update records if errors are found
RBI notification on CKYC: https://www.rbi.org.in/commonman/English/scripts/Notification.aspx?id=2607
CKYC simplifies the process but does not reduce accountability.
AML Framework: Monitoring After Onboarding
AML obligations start after the customer is onboarded.
NBFCs must continuously monitor transactions to detect:
- Unusual activity
- Sudden changes in repayment or disbursal
- Structuring or layering patterns
- High-risk geographies or profiles
Suspicious Transaction Reports (STRs) must be filed with FIU-IND within set timelines.
FIU-IND STR reporting: https://fiuindia.gov.in/STR.html
Recent RBI updates have also reduced the beneficial ownership threshold to 10%, increasing due diligence for corporate and partnership borrowers.
Expert analysis on AML changes: https://vinodkothari.com/2023/10/aml-cft-compliances-expand-rbi-further-amends-kyc-master-directions/
Risk-Based KYC: Not All Customers Are the Same
RBI requires NBFCs to follow a risk-based KYC approach.
Customers must be classified as:
- Low risk
- Medium risk
- High risk
Risk factors include:
- Type of business or employment
- Secured vs unsecured lending
- Digital-only onboarding
- Geography
- Transaction behaviour
High-risk customers need enhanced checks, frequent KYC updates, and closer monitoring.
Applying the same KYC process to all customers is considered non-compliant.
Periodic KYC and Re-KYC
One of the most common RBI inspection findings is failure to update KYC.
RBI requires NBFCs to:
- Review customer records periodically
- Conduct re-KYC at prescribed intervals
- Update records when customer details change
Automated systems are expected. Manual tracking is rarely accepted during audits.
Data Governance and Audit Trails
Digital KYC creates digital risk.
NBFCs must ensure:
- Secure data storage
- Role-based access
- Tamper-proof audit logs
- Documented customer consent
- Record retention as per PMLA
Inspectors often test how quickly and accurately records can be retrieved.
Weak data controls can invalidate compliant onboarding.
Consequences of Weak KYC/AML Systems
Regulatory consequences may include:
- Monetary penalties
- Restrictions on onboarding new customers
- Increased regulatory scrutiny
- Reputational damage
- Difficulty in raising capital or partnerships
For growing NBFCs, weak compliance becomes a major business risk.
Closing Perspective
Digital KYC and AML are not temporary rules. They reflect a permanent shift in financial regulation.
For an NBFC, strong digital verification systems protect asset quality, improve trust, and support long-term growth.
If your NBFC has not reviewed its digital KYC, Video KYC, and AML monitoring framework against the latest RBI directions, now is the time. Strong compliance today avoids regulatory disruptions tomorrow and sets your NBFC up for confident, scalable growth.
If you want to review, strengthen, or audit your digital KYC, Video KYC, and AML framework as per current RBI expectations, connect with NBFC Advisory for clear guidance and end-to-end compliance support.

