RBI Master Direction on KYC: What It Is and Who Must Follow It
You hand over your Aadhaar and PAN at a bank counter for the fifth time this year — not because the bank lost your papers, but because a rulebook called the Master Direction on KYC says someone, somewhere, has to keep checking who you really are. That rulebook is bigger, older, and stricter than most customers realise.
- RBI's Master Direction on Know Your Customer (KYC) was first issued on February 25, 2016, and has been amended several times since — confirm the latest amendment date on the official RBI source.
- It is issued under Section 35A of the Banking Regulation Act, 1949, and Rule 9(14) of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005.
- It applies to every 'Regulated Entity' (RE): banks, NBFCs, payments banks, small finance banks, co-operative banks, and credit information companies.
- Customers are re-verified on a fixed schedule based on risk category — every 2 years for high-risk, 8 years for medium-risk, and 10 years for low-risk customers.
- A January 2020 amendment allowed banks to verify identity through Video-based Customer Identification Process (V-CIP) instead of an in-person visit.
- RBI's KYC Master Direction, first issued February 25, 2016, applies to banks, NBFCs, payments banks, small finance banks, co-operative banks, and credit information companies.
- Update frequency depends on your hidden risk bucket: high-risk every 2 years, medium every 8, low every 10 — you're never told which bucket you're in.
- V-CIP (video KYC, from 2020) and the CKYCR central registry exist to cut repeat paperwork, but in practice many banks still ask customers to resubmit documents.
- KYC and fraud-liability rules are connected: knowing the customer properly is the first line of defence before RBI's newer fraud-liability rules for co-operative and rural banks even come into play.
What exactly is the RBI Master Direction on KYC?
Think of it as one master rulebook that tells every bank and lender in India: ask these questions before you let someone open an account, take a loan, or move money. Instead of scattered circulars, RBI compiled everything into a single 'Master Direction' on KYC, first put out on February 25, 2016. It is not a law by itself — it is RBI using its power under Section 35A of the Banking Regulation Act, 1949, and it also enforces obligations that come from India's anti-money-laundering rules (Rule 9(14) of the PML Maintenance of Records Rules, 2005).
Why does this rulebook exist at all?
KYC stands for 'Know Your Customer.' The plain-language reason: banks are gateways for money, and criminals love gateways. If a bank doesn't know who really owns an account, that account can quietly launder stolen money, fund terrorism, or hide black income. So RBI forces every regulated entity to identify customers properly, watch their transactions, and report anything suspicious — before the money moves, not after.
Who exactly must comply?
The direction uses one umbrella term — Regulated Entity (RE) — and it is a long list. It covers:
- Commercial banks, public and private
- Small finance banks and payments banks
- Co-operative banks, including urban and rural co-operative banks
- NBFCs (non-banking financial companies)
- Credit information companies
That reach matters more than most readers assume. Even smaller, local institutions — the co-operative and rural banks that customers often think of as 'informal' — are on the hook. That's the same universe of entities RBI has been separately tightening on fraud-liability rules for co-operative bank customers and on new fraud protection deadlines for rural bank customers. KYC and fraud liability are two sides of the same coin: know the customer first, then decide who pays when something goes wrong.
What do banks actually have to check?
Strip away the legal language and it comes down to four simple things, known as Customer Due Diligence (CDD):
- Who are you — proof of identity (Aadhaar, PAN, passport, etc.)
- Where do you live — proof of address
- What do you do — your occupation and expected transaction pattern, so unusual activity stands out later
- Who is behind the money — for companies and trusts, banks must identify the real human 'beneficial owner,' not just the entity's name
Riskier customers — politically exposed persons, large cash businesses, entities in high-risk countries — get deeper checks, called Enhanced Due Diligence.
How often does your KYC actually get updated?
This is the part almost no one explains clearly. RBI doesn't ask banks to re-check every customer at the same pace. It sorts customers into three risk buckets, and each bucket has its own update clock:
- High risk — updated every 2 years
- Medium risk — updated every 8 years
- Low risk — updated every 10 years
So if your bank suddenly asks for fresh documents, it isn't random — you've likely been placed in a shorter update cycle, often because of how you use your account, not because of anything you did wrong.
What changed with video KYC and the central registry?
Two features make modern KYC less painful than it used to be. First, V-CIP (Video-based Customer Identification Process), permitted from a January 2020 amendment, lets you complete KYC over a live video call instead of visiting a branch. Second, the Central KYC Records Registry (CKYCR), run by CERSAI, is meant to store your verified KYC once so any bank or NBFC can pull it up later — in theory, ending the 'submit your documents again' cycle for good.
Questions people ask
Every 'Regulated Entity' — commercial banks, NBFCs, payments banks, small finance banks, co-operative banks, and credit information companies. If an institution takes deposits or lends money under RBI's watch, it must follow this direction.
Officially valid documents include Aadhaar, PAN, passport, voter ID, and driving licence, used together to prove identity and address. For companies, banks must also identify the real human owner behind the business, not just the company name.
It depends on your risk category: every 2 years if you're flagged high-risk, every 8 years for medium-risk, and every 10 years for low-risk customers. Most retail customers fall in the low or medium bucket.
CKYCR is the Central KYC Records Registry, run by CERSAI, meant to hold your verified KYC so other banks can reuse it. In practice, many banks still ask for fresh documents, so the paperless promise isn't fully delivered yet.
V-CIP, or Video-based Customer Identification Process, lets you complete KYC through a live video call with a bank official instead of an in-person branch visit. It was permitted through a January 2020 amendment to the Master Direction.
Banks can restrict your account operations — for example, freezing debit transactions — until your KYC is updated. This isn't a penalty for wrongdoing; it's a compliance requirement banks must enforce under the Master Direction.