Convenience, Challenges and Compliance – The Three C’s of Digital Onboarding

For many customers today, the first encounter with a bank or financial institution is no longer a branch visit – it is a video call, a document upload and a selfie. Digital onboarding has become the industry’s new front door, and in India it is a door that millions walk through: cumulative e-KYC transactions crossed 2,457 crore in June 2026, a scale of remote inclusion unmatched in other markets. That achievement carries an uncomfortable corollary.

The same channel that admits the deserving at speed also presents the largest attack surface financial crime has ever enjoyed. Onboarding, therefore, is a discipline of calibration – verify too lightly and criminals stroll in; verify too heavily and genuine customers abandon the journey. Seven friction points decide where that balance is won or lost.

The regulatory backdrop

The Indian regulatory perimeter is deliberately plural. The RBI first recognised the Video-based Customer Identification Process (V-CIP) in January 2020 and folded it into the KYC Master Direction; its June 2025 amendments tightened periodic updation, enabled business-correspondent-assisted re-KYC, and reaffirmed that all V-CIP data must reside on systems located in India. The consolidated KYC Master Direction notified in late November 2025 went further, drawing payment aggregators squarely into KYC scope. SEBI runs its KYC Registration Agency ecosystem for market intermediaries; IRDAI maintains its own AML/CFT master guidelines for insurers. The most striking recent movement, however, is at IFSCA. Building on its 2022 AML/CFT/KYC Guidelines, IFSCA’s October 2025 circular modernised V-CIP, introducing a structured path for resident Indians and a pilot for eligible NRIs, while its January 2026 circular lowered the beneficial-ownership threshold to 10% (except for unincorporated bodies where the threshold is 15%), recognised IFSC KRAs under the 2025 KRA Regulations, mandated CKYCR integration for specified entities, and accepted equivalent e-documents. GIFT City, in short, is being engineered as a compliant remote-onboarding gateway for global capital.

Seven friction points in customer onboarding and how teams are solving them

  1. The assurance-versus-abandonment trade-off
    Every additional check improves identity assurance and erodes conversion; drop-off is the silent tax on compliance. Leading teams answer with risk-based, progressive onboarding, admitting low-risk customers through a light Aadhaar-eKYC path while reserving full V-CIP and enhanced due diligence for higher-risk products and profiles – orchestrated through a configurable rules layer rather than a single rigid flow.
  2. Liveness no longer proves a live person
    V-CIP’s founding assumption, that a live video feed evidences a real, present human, is breaking under generative AI (examined in detail below). Teams are layering passive liveness, injection-attack detection, device-integrity signals and behavioural analytics, because any single check can now fail against a determined attacker.
  3. Multi-regulator fragmentation and data residency
    A group operating across banking, securities, insurance and the IFSC must reconcile four overlapping rulebooks, two KYC registries (CKYCR and the IFSC KRA) and a hard localisation mandate for V-CIP records. The answer is jurisdiction-aware onboarding engines that apply the correct rule-set, registry and retention policy by entity and customer type rather than bolting exceptions onto one template.
  4. Beneficial ownership and entity onboarding
    The hardest CDD problem is not the individual but the layered corporate – nominee directors, multi-tier holding structures and opaque ultimate beneficial owners. IFSCA’s shift to a 10% BO threshold raises the bar further. Compliance teams increasingly automate corporate KYC through registry and CKYCR look-ups and apply network analysis to surface control relationships that document review alone would miss.
  5. The re-KYC “debt”
    The RBI has repeatedly flagged large pendency in periodic KYC updation – a stock problem, not merely a flow one. The emerging answer is perpetual KYC: event-driven re-verification triggered by risk-relevant changes, self-declaration for unchanged low-risk customers, and BC-facilitated re-KYC for the financially excluded, replacing the calendar-driven scramble.
  6. Document authenticity and synthetic identity
    Forged and AI-generated officially valid documents, and synthetic identities that splice real and fabricated data to seed mule accounts, defeat naive validation. Defences combine document forensics, corroboration against independent sources such as DigiLocker and CKYCR, and device and behavioural signals that expose the orchestration behind a fraud ring.
  7. Screening noise
    Sanctions, PEP and adverse-media screening at onboarding generates false positives at volumes that breed alert fatigue – the very failure mode the FCA penalised at Starling Bank, where customers were screened only after they had already been onboarded. Teams are deploying sharper matching logic, secondary identifiers and AI-assisted alert disposition, and moving from point-in-time to continuous screening so that a name added to a list after onboarding does not sit undetected on the books.
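The aggregation that the beneficial-ownership friction point asks of network analysis, as an added example (not code from this article or from any regulator): it sums a person's indirect stakes across a multi-tier holding structure and applies the 10% and 15% thresholds quoted above. The multiply-along-each-path ownership model, the `>=` comparison, the treatment of top-of-chain owners as natural persons and all names in the sample data are assumptions; control exercised by means other than shareholding is out of scope.

```python
from collections import defaultdict

# Thresholds as quoted in the article for IFSCA's January 2026 circular.
BO_THRESHOLD = {"incorporated": 0.10, "unincorporated": 0.15}

def effective_stakes(holdings, target):
    """Return {top-level owner: effective stake in target}.

    holdings is a list of (owner, owned, fraction) edges. An owner that is
    never itself owned is treated as a natural person (assumption). Indirect
    stakes are the product of fractions along a path, summed over all paths.
    """
    owners_of = defaultdict(list)
    for owner, owned, fraction in holdings:
        owners_of[owned].append((owner, fraction))
    totals = defaultdict(float)

    def climb(entity, stake, path):
        for owner, fraction in owners_of.get(entity, []):
            if owner in path:
                continue  # circular cross-holding: do not loop; needs manual review
            if owner in owners_of:  # intermediate holding entity
                climb(owner, stake * fraction, path | {owner})
            else:  # top of the chain
                totals[owner] += stake * fraction

    climb(target, 1.0, {target})
    return dict(totals)

def beneficial_owners(holdings, target, entity_type):
    """Names whose aggregated stake meets the threshold for entity_type."""
    limit = BO_THRESHOLD[entity_type]
    stakes = effective_stakes(holdings, target)
    return sorted(name for name, stake in stakes.items() if stake >= limit)

# Constructed sample structure (not real entities).
SAMPLE = [
    ("HoldA", "TargetCo", 0.40), ("HoldB", "TargetCo", 0.35),
    ("person_1", "TargetCo", 0.25),
    ("person_2", "HoldA", 0.20), ("person_3", "HoldA", 0.80),
    ("person_2", "HoldB", 0.15), ("person_4", "HoldB", 0.85),
]

if __name__ == "__main__":
    for kind in BO_THRESHOLD:
        print(kind, beneficial_owners(SAMPLE, "TargetCo", kind))
```

In the sample, person_2 holds 8% through HoldA and 5.25% through HoldB: neither path alone reaches 10%, but the aggregate of 13.25% does, which is the case a per-document review misses.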

V-CIP and the deepfake threat: risks and suggested actions

Of all these pressures, the deepfake threat to V-CIP is the one regulators now name explicitly. The FATF Horizon Scan of December 2025 identified deepfakes as a direct threat to AML and CDD controls worldwide. The economics are stark: deepfake fraud incidents rose roughly tenfold through 2025, more than half of surveyed financial professionals report encountering such attempts, and threat-intelligence researchers logged thousands of biometric injection attempts against a single institution’s liveness checks in 2025 alone. The decisive shift is from presentation attacks – a photo or mask held to the camera – to injection attacks that feed synthetic video directly into the verification pipeline through a virtual camera, bypassing the lens entirely. The table below maps the principal risks to mitigating actions.

| Risk | Suggested mitigating action |
| --- | --- |
| Injection attacks via a virtual camera feed | Deploy injection-attack detection, plus device-integrity and API-tamper checks; never rely on camera-layer liveness alone. |
| Real-time face-swaps defeating passive liveness | Combine passive and active liveness with dedicated deepfake-detection models, and randomise in-session challenges. |
| AI-generated officially valid documents | Apply document forensics and cross-verify against authoritative sources (DigiLocker, CKYCR) rather than visual inspection. |
| Biometric-harvesting malware (GoldPickaxe-type trojans) | Enforce app attestation, jailbreak/root detection and secure capture; monitor for replayed biometric sessions. |
| Deepfake impersonation during re-KYC or agent calls | Bind biometrics to a verified reference and require step-up authentication for high-risk changes. |
| Opaque vendor accuracy claims | Demand empirical detection rates, independent testing and injection-attack detection; retain full audit trails for examination. |

How advanced economies are approaching it

Advanced markets are converging from different starting points. The United States anchors onboarding in the Bank Secrecy Act’s Customer Identification Programme and CDD rule, with FinCEN and OFAC setting the screening baseline. The United Kingdom relies on the FCA and JMLSG guidance, increasingly underpinned by certified digital-identity providers. The European Union has centralised supervision under its new Anti-Money Laundering Authority in Frankfurt and a single rulebook, while the EU AI Act classifies remote biometric identification as high-risk, imposing documentation and transparency duties. Singapore’s Myinfo and Singpass, built on its National Digital Identity programme, let institutions verify residents against authoritative government data – the model India’s DigiLocker and CKYCR increasingly emulate – and MAS has accepted video verification since 2019. Hong Kong’s HKMA permits non-face-to-face onboarding under defined controls. Australia is the live case study: from 2026 it replaced its “2+2 safe harbour” with genuinely risk-based CDD, and from 1 July 2026 extended AML/CTF obligations to “Tranche 2” professions and to virtual-asset service providers.

What the penalties are telling us

Regulators are translating expectation into penalty. In FY 2024-25 the RBI imposed 353 penalties totalling roughly ₹54.78 crore, led by actions against some large banks, with about ₹15.63 crore falling on co-operative banks. A representative recent example is the ₹1 lakh penalty on a cooperative bank, in June 2025, for failures in periodic KYC updation and for allotting multiple identification codes instead of a unique customer identifier. Internationally, the FCA’s 2024 action against Starling Bank – roughly £29 million for CDD failures, sanctions screening weakness and onboarding customers (it was restricted from accepting accounts for high or higher-risk customers) – and TD Bank’s landmark US AML resolution the same year illustrate the scale at stake; one analysis found KYC-related fines doubling between 2023 and HY2026. The throughline is unambiguous: regulators no longer credit policies on paper, only demonstrable execution.

Horizon scanning

Three risks sit just over the horizon.

First, offensive AI industrialises: deepfake-as-a-service and agentic fraud will let a single actor run thousands of synthetic onboardings, while reusable and decentralised digital identity raises fresh questions of liability and revocation. Second, the cryptographic floor may shift – “harvest-now, decrypt-later” attacks threaten the encrypted V-CIP recordings institutions must retain for years, a concern the RBI’s own Q-SAFE quantum-security committee now reflects. Third, governance tightens: expect standards for injection-attack detection to harden into examination criteria, and a growing tension between biometric retention and the data-minimisation principles of the DPDP regime. A fourth, quieter shift is cross-border: as the IFSC’s NRI V-CIP pilot scales, onboarding will increasingly straddle jurisdictions, forcing institutions to reconcile Indian localisation rules with the expectations of the customer’s home regulator. The institutions that thrive will treat onboarding not as a one-time gate but as a continuously calibrated control – proportionate, evidenced, and built to be examined.

Digital onboarding rewards neither the maximalist nor the minimalist. The front door must open quickly for the many and stay shut for the few who would abuse it – and in 2026, the few increasingly arrive wearing a synthetically generated face. Calibration, not caution, is the competence that now separates the resilient from the exposed.