KYC gets a lot of attention when onboarding. Re-KYC, the periodic updation of that same information, gets far less — until an account is frozen, a compliance audit surfaces a gap, or the regulator issues a fresh circular reminding banks of obligations that were always there.
For compliance teams and product managers building verification infrastructure, re-KYC in banks is one of those processes that looks straightforward on paper and turns complicated at scale. The regulatory framework is clear enough. The operational challenge is what happens when you apply it across hundreds of thousands of customers with different risk profiles, different contact addresses, and different levels of responsiveness to outreach.
This piece is about what re-KYC actually requires, what it should cover, and what the automation layer needs to do to make it operationally viable.
What Triggers Re-KYC and When It’s Due
Re-KYC is not discretionary. The RBI’s KYC Master Directions — updated most recently in June 2025 — mandate periodic updation of customer KYC information on a risk-based schedule. The frequency depends on the customer’s risk classification.
High-risk customers must be re-verified at least once every two years. Medium-risk customers, once every eight years. Low-risk customers, once every ten years from the date of account opening or the last KYC update.
These timelines apply across the customer base, which means any bank with a large retail or MSME book is running re-KYC processes continuously, not as a one-off exercise. At any given point, a portion of the customer base is approaching its re-KYC due date, another portion is overdue, and the compliance team needs visibility across all of it.
Beyond the scheduled cycle, re-KYC is also triggered by specific events: a significant change in transaction patterns that suggests the customer’s risk profile has shifted, a change in the customer’s personal or business details, or a specific regulatory directive. The June 2025 RBI circular introduced structured notice requirements — banks are now required to issue at least three advance intimations before the due date and three reminders after, with at least one in each set sent by physical letter. That notification obligation alone adds operational complexity that most banks haven’t fully built into their workflows.
The same circular extended the updation window for low-risk individual customers, allowing them to complete re-KYC up to one year after the due date, or until June 2026, whichever is later. This is a relief measure, not a waiver — the obligation remains, and accounts are still subject to regular monitoring during the extension period.
What Re-KYC Actually Covers
This is where re-KYC in banks often gets misunderstood — both by customers who treat it as a formality and by banks that treat it as a document collection exercise.
Re-KYC is a fresh verification of the information the bank holds on the customer. Depending on whether anything has changed, it can look very different for different customers.
For a customer where nothing has changed — same address, same occupation, same contact details — the process can be as light as a self-declaration confirming that the information on file is still current. RBI explicitly permits this for low-risk customers, and the June 2025 circular extended the permission for self-declarations to be collected through authorised Business Correspondents, not just at the branch.
Where something has changed — a new address, a change in occupation, a new beneficial owner for a business account — the re-KYC needs to capture and verify the updated information. That means fresh document collection, verification of those documents against live government sources, and updating the customer record to reflect the current state.
For high-risk customers, re-KYC goes further. Enhanced due diligence requirements mean that the bank isn’t just confirming existing information or collecting updates — it’s reassessing the customer’s risk profile against current transaction behaviour, any watchlist changes, and any new information about the customer’s business or financial activity. The two-year cycle for high-risk customers isn’t just an administrative refresh; it’s a substantive risk assessment exercise.
This distinction matters for anyone building re-KYC infrastructure. A workflow designed only for simple self-declarations won’t handle the document collection and verification requirements for customers who have moved. A workflow designed only for enhanced due diligence will be operationally disproportionate for the bulk of a bank’s low-risk retail customers. The automation layer needs to branch based on customer risk classification and the nature of the update required.
Where Manual Re-KYC Breaks Down
The failure mode of manual re-KYC is predictable and well-documented. It tends to appear first in high-volume retail books where the combination of volume, geographic spread, and customer responsiveness creates a processing backlog that the operations team can’t clear through branch-based or paper-based processes.
When customers don’t respond to re-KYC notices — which is common, because the notices often don’t make the urgency clear — accounts eventually become inoperative. The RBI has noted significant pendency in periodic KYC updation, particularly for accounts linked to Direct Benefit Transfers and Jan Dhan accounts where customers may not have a clear path to completing the process. That pendency has a direct human cost: benefit transfers get stuck, and account holders in underserved areas have no easy way to resolve the situation.
For the bank, the cost shows up in compliance risk and in customer experience. A branch-centric re-KYC process concentrates the burden on the customer, many of whom find the requirement inconvenient or confusing, and on branch staff who are handling re-KYC alongside every other customer interaction.
The practical solution isn’t a better paper process. It’s a re-KYC workflow that meets the customer where they are.
What Re-KYC Automation Actually Needs to Do
Automated re-KYC isn’t about removing the compliance requirement — it’s about executing it accurately and at scale without creating a bottleneck at the branch.
The architecture has a few distinct components.
Customer segmentation and scheduling. The system needs to know which customers are due for re-KYC and when, segmented by risk category. That scheduling drives the notification calendar, the workflow type assigned to each customer, and the escalation path if the customer doesn’t respond.
Structured notification management. The June 2025 RBI directions specify the minimum notification cadence — three advance notices, three reminders, with physical letters included. An automated system needs to manage this sequence, track which notifications have been sent and through which channel, and log that activity for audit purposes.
Differentiated verification workflows. A low-risk customer with no changes to their information needs a self-declaration pathway. A customer who has changed address needs document collection and address verification. A high-risk customer needs enhanced due diligence. The automation layer needs to route each customer to the appropriate workflow based on their profile, not run everyone through the same process.
Real-time document verification. When a customer submits updated documents as part of re-KYC, those documents need to be verified against live government sources — Aadhaar, PAN, driving licence, passport — rather than reviewed manually. API-based verification at this stage ensures that the re-KYC record is built on confirmed data, not just submitted documents, and that forged or outdated documents are flagged automatically.
Audit trail generation. Every step in the re-KYC process — notification sent, response received, document verified, record updated — needs to be logged with timestamps. RBI’s documentation requirements for periodic KYC are specific, and the audit trail needs to be structured well enough to survive regulatory scrutiny.
V-CIP and digital channels. For customers who need to update their KYC but cannot or will not come to a branch, Video-based Customer Identification Process is RBI-accepted as equivalent to face-to-face verification. Building V-CIP into the re-KYC workflow extends the reach of the process to customers who would otherwise become overdue.
The Operational Payoff
The case for automating re-KYC in banks is not just about compliance hygiene. It’s about what the compliance burden actually costs when it runs manually.
Every account that becomes inoperative due to incomplete re-KYC represents a customer service failure and, for certain account types, a regulatory risk. Every re-KYC event processed at the branch consumes staff time that could be spent on higher-value customer interactions. Every manually reviewed document is a verification event that may or may not catch a discrepancy that an API call would catch in seconds.
The regulatory environment around re-KYC has tightened in the past two years, and the June 2025 amendments signal that RBI expects the process to be both more structured and more accessible to customers. Banks and NBFCs that build the automation infrastructure to meet those expectations aren’t just reducing compliance risk — they’re building a customer data layer that stays accurate over time rather than degrading between re-KYC cycles.
That’s the actual value of getting re-KYC right. Not checking a box, but knowing that your customer records reflect the current reality of who your customers are.
Leave a Reply