Insurance Regulatory and Development Authority of India
All Life and General Insurers (Including Standalone Health Insurers)
In order to simplify the process of Know Your Customer (KYC), it is proposed to leverage the various electronic platforms to make it customer friendly.
2. The Insurers are hereby permitted to use the “Video Based Identification Process (VBIP)” as described below:
3. “Video Based Identification Process (VBIP)”is an alternative (optional)electronic process of Identification / KYC in paperless form, carriedoutby the insurer/authorised person (person authorised by the insurer and specifically trained for face-to-face VBIP) by undertaking seamless, secure, real-time, consent based audio-visual interaction with the customer/beneficiary to obtain identification information including the necessary KYC documents required for the purpose of client due diligence and to ascertain the veracity of the information furnished by the customer/ beneficiary.
4. Insurers may undertake live VBIP by developing an application which facilitates KYC process either online or face-to-face in-person verification through video. This may be used for establishment/continuation/ verification of an account based relationship or for any other services with an individual customer/beneficiary, as the case may be, after obtaining his/her informed consent and shall adhere to the following stipulations:
a) The Insurer/authorised person while performing the VBIP for KYC shall record clear live video of the customer/beneficiary present for identification and obtain the identification information in the form as below:
i. Aadhaar Authentication if voluntarily submitted by the Customer/ beneficiary, subject to notification by the government under Section 11 A of Prevention of Money-Laundering Act (PMLA)
ii. Offline Verification of Aadhaar for identification, if voluntarily submitted by the Customer/beneficiary
iii. OVD (As defined in rule 2(d) under PML Rules 2005) provided in the following manner –
iii(1) As digitally signed document of the OVD, issued to the DigiLocker by the issuing authority
iii(2) As a clear photograph or scanned copy of the original OVD, through the eSign mechanism.
b) The insurer/authorised person shall ensure that the online video is clear and the customer/beneficiary along with the authorised person in the video shall be easily recognisable and shall not be covering their face in any manner.
c) Live location of the customer/beneficiary (Geotagging) shall be captured (both for online/ face-to-face VBIP) to ensure that customer/beneficiary is physically present in India.
d) The authorised person/ Insurer shall ensure that the photograph and other necessary details of the customer/beneficiary in the Aadhaar/ OVD matches with the customer/beneficiary present for the VBIP.
e) The authorised person/ Insurer shall ensure that the sequence and/or type of questions during video interactions are varied in order to establish that the interactions are real-time and not pre-recorded.
f) In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, if voluntarily submitted by the Customer/ beneficiary, it shall be ensured that the generation of XML file or QR code is recent and not older than 3 days from the date of carrying out VBIP.
g) All accounts opened or any service provided based on VBIP shall be activated only after being subject to proper verification by the insurer to ensure that the integrity of process is maintained and is beyond doubt.
h) Insurers shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio-visual interaction with the customer/beneficiary and the quality of the communication is adequate to allow identification of the customer/ beneficiary beyond doubt. Insurers shall carry out the liveliness check in order to guard against spoofing and such other fraudulent manipulations.
i) To ensure security, robustness and end to end encryption, the insurers shall carry out software and security audit and validation of the VBIP application as per extant norms before rolling it out and thereafter from time to time.
j) The audio-visual interaction shall be triggered from the domain of the insurers itself, and not from third party service provider. The VBIP process shall be operated by the Insurer/authorized persons. The activity log along with the credentials of the official performing the VBIP shall be preserved.
k) Insurers shall ensure that the video recording bears the GPS coordinates, date (DD:MM:YY) and time stamp (HH:MM:SS) along with other necessary details, which shall be stored in a safe and secure manner as per Prevention of Money-Laundering (PML) Rules.
While exercising Online VBIP, the Insurer shall exercise extra caution and the additional necessary details viz. IP address etc. shall be preserved by the insurer to substantiate the evidence at the time of need.
l) Insurers are encouraged to take assistance of the latest available technology (including Artificial Intelligence (AI) and face matching technologies etc.) to strengthen and ensure the integrity of the process as well as the confidentiality of the information furnished by the customer/beneficiary. However, the responsibility of identification shall rest with the insurer.
m) Authorized person of the insurer shall facilitate face to face VBIP process only at the customer/beneficiary end.
However, the ultimate responsibility for client due diligence will be with the insurer.
n) Insurer shall maintain the details of the concerned Authorised person, who is facilitating the VBIP.
o) Insurers shall ensure to redact or blackout the Aadhaar number as per extant PML Rules.
p) Insurer will adhere to the IRDAI Cyber security guidelines as amended from time-to-time along with the necessary security features and standard as mentioned in Annexure – I
It is emphasized once again that it shall be the responsibility of the insurers that the above guideline is followed scrupulously.
Any matter not specifically mentioned herein, but mandated under the extant PMLA/ Aadhaar Act / Information Technology Act etc. and Rules framed there under by the Central Government of India shall be complied with accordingly.
1. The Video KYC application and related APIs/Web Services shall undergo application security testing (both gray box and white box) through an CERT-In empanelled vendor and all reported vulnerabilities shall be mitigated before moving into production.
2. The infrastructure components used for hosting Video KYC application shall undergo vulnerability assessment and secure configuration review through an CERT-In empanelled vendor and all reported vulnerabilities shall be mitigated before moving into production.
3. There shall be an end-to-end encryption from the customer/beneficiary to the hosting point of the Video KYC application. The minimum encryption standards and key lengths like AES 256 for encryption should be used.
4. If the Video KYC application and video recordings are located at a third party location and/or in Cloud then the third party location and/or cloud hosting location shall be in India.